The Never Ending Story: How to Remediate Recurring EQR Findings

Monitoring and Remediation: Turning Engagement Deficiencies Into System Improvement

Tue, 28 Apr 2026 20:51:16 GMT

In our work with firms, we have seen a clear shift in how monitoring and remediation are viewed under modern quality management frameworks. They are no longer treated as retrospective compliance exercises. Instead, engagement deficiencies are increasingly used as meaningful inputs into an ongoing, risk-based system designed to identify issues early, address them thoughtfully, and reduce the likelihood of recurrence.

Regulatory messaging reinforces this evolution. Oversight bodies are signaling a shift in focus from isolated engagement outcomes and more on whether firms have a system of quality management that consistently detects quality risks, responds appropriately, and demonstrates that remediation is working in practice.

Based on our experience, while individual engagement deficiencies remain important, the more critical question is becoming how firms analyze, respond to, and learn from those issues over time.

Engagement Deficiencies Are Signals, Not Endpoints

Engagement deficiencies can surface through many channels, including pre-issuance reviews, internal inspections, post-issuance reviews, peer reviews, and regulatory inspections. Regardless of source, firms benefit most when these findings are evaluated through a consistent quality management lens.

In practice, we encourage firms to look beyond whether a single engagement fell short . The more meaningful consideration is whether the deficiency points to potential weaknesses in governance, methodology, training, supervision, resourcing, or monitoring activities.

We often observe that when issues are quickly labeled as engagement-specific, without assessing whether they reflect broader quality risks, valuable insight is lost. Modern quality management frameworks are designed to use these signals to strengthen the system, not simply close individual findings.

What Effective Monitoring and Remediation Looks Like in Practice

Firms that navigate this environment effectively tend to apply a disciplined and repeatable approach when deficiencies are identified. Based on our experience supporting firms across a range of practice areas, several elements consistently make a difference:

Assess whether the issue may be systemic

Recurring observations across engagements, service lines, or time periods often indicate system-level risk. Similar documentation gaps, inconsistent application of methodology, or supervision challenges rarely arise in isolation.

Perform meaningful root cause analysis

Effective root cause analysis typically moves beyond surface explanations. Firms benefit from evaluating whether policies and procedures were designed appropriately, implemented as intended, and supported by sufficient training, time, and resources.

Design remediation that directly responds to the quality risk

Remediation is most effective when it is clearly linked to the underlying risk. Depending on the circumstances, this may include enhancements to methodology, targeted training, revised review requirements, or changes to engagement acceptance, staffing, or oversight processes.

Validate remediation through timely monitoring

Implementing corrective actions is only part of the process. In our experience, firms are most successful when they also confirm that remediation operates as intended. Follow-up monitoring performed early enough to prevent recurrence is a critical component of this step.

Failure to validate remediation remains one of the most common and consequential weaknesses we observe across firms.

Case Study: When Remediation Is Not Validated

In one situation we encountered, a firm identified engagement deficiencies through post-issuance reviews. The issues mirrored observations that had previously been noted during peer review and were communicated as having been addressed by the group responsible for report issuance.

However, responsibility for validation was not clearly assigned, and no follow-up procedures were performed to evaluate whether the revised processes were effective. Subsequent post-issuance reviews, triggered by an organizational change, revealed that similar and additional deficiencies had re-emerged.

From a quality management perspective, this was not an engagement execution failure. It reflected a breakdown in monitoring and remediation. The firm had information indicating quality risk but did not adjust its monitoring activities to confirm that remediation was working.

Viewed through a system lens, this represents a system-level deficiency rather than an isolated engagement issue.

Quality Management Applies Across All Engagement Types

Modern quality management frameworks apply across a firm’s assurance and attestation practice, including private company audits, public company audits, SOC engagements, nonprofit audits, and other services.

Deficiencies identified in any practice area may signal broader weaknesses in:

Governance and leadership
Methodology and training
Monitoring activities
Remediation processes

In our experience, firms struggle to maintain an effective system of quality management when certain practices are treated as exempt from system-level evaluation.

Key Takeaways

Engagement deficiencies are inputs into the system, not endpoints.
Recurring issues often indicate systemic quality risk.
Remediation should be validated, not assumed.
Monitoring activities should evolve as risks emerge.
Quality management applies across all engagement types.

Firms that treat monitoring and remediation as a continuous feedback loop, rather than a periodic exercise, are typically better positioned to improve engagement quality and respond to evolving regulatory expectations.

Looking for an independent perspective on whether engagement deficiencies have been fully addressed?

Based on our experience working with firms across assurance and attestation practices, Johnson Global Advisory supports clients by performing independent reviews, validating remediation efforts, and strengthening monitoring processes.

If you would like support refining policies, training, workflows, or documentation standards, or would benefit from an objective assessment ahead of regulatory, peer, or internal inspections, contact your JGA audit quality advisor to discuss your needs.

What Regulators Expect to See When AI Is Used

Tue, 28 Apr 2026 20:25:38 GMT

Artificial intelligence (“AI”) is no longer experimental in public company audits. From risk assessment and scoping decisions to population testing, anomaly detection, and documentation support, AI enabled tools are increasingly embedded in audit execution and workflow. As use expands, the auditor’s core obligations do not shift to the technology, they remain with the engagement team. If AI is used to inform judgments, influence the nature, timing, or extent of procedures, or summarize and interpret information, auditors must still demonstrate that they obtained sufficient appropriate audit evidence and applied professional skepticism throughout. In practice, auditors must understand what the tool is doing, confirm that inputs are complete and accurate, and evaluate whether the outputs are reliable and fit for purpose in the specific audit context.

While the auditing standard devoted solely to AI have not been issued, our experience is that inspectors have been increasingly direct—through staff publications, questions from inspectors in the field, and public remarks—about what they expect to see when AI is used. The expectations are grounded in existing standards and longstanding inspection focus areas: audit evidence, supervision and review, professional skepticism, and firm quality control (now quality management). In other words, AI does not create a “new” audit; it amplifies the need to show your work. Firms that treat AI as a “shortcut”, rely on outputs that cannot be explained or reproduced, or fail to govern and document how tools were selected, configured, and monitored are inviting new risks to support their audit conclusions. Conversely, firms that can clearly articulate the purpose of the tool, how it aligns to audit objectives, how inputs and outputs were validated, and how experienced personnel supervised and challenged the results will be far better positioned during inspection.

The table below summarizes what inspectors typically expect to see documented when AI is used in a public company audit. Firms can use these themes to evaluate whether their engagement documentation tells a complete story that an experienced auditor (and an inspector) can follow from objective, to procedure, to results, to conclusion.

JGA Key Takeaways :

The PCAOB has been clear: today there is no separate “AI standard”—and no relaxation of expectations. Existing auditing standards already apply, particularly those governing audit evidence, and inspectors are using them to assess AI enabled audits. This is the way we see it:

As a foundational principle, humans remain accountable for the audit. AI may assist, accelerate, or enhance procedures—but responsibility for conclusions rests squarely with the engagement team and engagement partner.
AI should be governed much like other critical audit infrastructure—embedded within the firm’s system of quality management rather than operating on the margins. Firms that embed AI within strong quality management, supervision, and documentation practices will be far better positioned to withstand inspection scrutiny.
Merely retaining AI outputs is not enough. Engagement teams must show how they challenged the results and why they found them reasonable. The engagement file must clearly show how the auditor evaluated and corroborated those results. AI outputs that cannot be explained or reproduced are unlikely to withstand inspection scrutiny. Demonstrating reliable inputs and validation of outputs is critical here.
Work performed with AI is subject to the same supervision and review expectations as traditional audit work. We expect inspection issues to arise when engagement files include AI outputs but little evidence of reviewer challenge or follow through.
Inspection risk arises when documentation suggests reliance on AI without evidence of human evaluation, challenge, and decision making.

Final Thoughts

If a regulator cannot see the work, the judgment, or the evaluation in the file, they will likely conclude the work did not occur, even if it did. This is why documentation is not an administrative afterthought—it is the proof of execution, skepticism, and compliance under auditing standards. Solid documentation is especially critical with the speed of evolving AI and how firms utilize these technologies in conducting audits. Key considerations include clearly documenting why an AI tool was used, which audit objective or assertion it supports, what data inputs and assumptions were used, and what outputs were generated and relied upon. Just as important, engagement files must show how auditors validated, evaluated, challenged, and corroborated AI outputs, including evidence of professional skepticism, supervision, and partner involvement. AI does not create audit evidence on its own—auditors do—and inspectors will expect documentation that makes AI assisted work transparent, explainable, and defensible. In practice, this requires firms to address AI risks both firm‑wide—through governance, validation, and monitoring—and within each audit engagement—through careful risk assessment, evaluation of AI‑enabled audit evidence, and inspection‑ready documentation.

Ultimately, AI in auditing is a complex quality issue that cuts across firm-wide quality management and individual audit engagements. Its effective use depends on strong firm‑wide governance and equally rigorous engagement‑level judgment, making it a critical area of focus for firms committed to sustaining audit quality. Contact your JGA audit quality expert today to schedule a consultation to assess if your firm’s reliance on AI is inspection-ready.

At Johnson Global Advisory , we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®.

For more information, please contact your JGA audit quality expert .

Audit Documentation: From Low-Hanging Fruit to Load-Bearing Standard

Mon, 30 Mar 2026 15:37:36 GMT

In a previous article, Back to Basics: Audit Documentation Failures Have Become Dangerous Low Hanging Fruit , we highlighted how audit documentation had quietly re-emerged as a source of regulatory risk after years of relative deprioritization.

While PCAOB Auditing Standard 1215, Audit Documentation (AS 1215), has historically been cited less frequently than other standards, our direct experience from recent inspection activity, enforcement actions, and internal inspection results, demonstrate that documentation failures are increasingly treated as indicators of deeper execution, supervision, and quality management breakdowns.

In today’s environment, audit documentation is no longer merely a record of work performed. It is the primary evidence inspectors rely on to evaluate whether an engagement was properly planned, executed, and supported at the time the auditor’s report was issued. What has been low-hanging fruit now requires firms to close these gaps and transform them into a load-bearing foundation for audit quality.

From Rare Enforcement to Systemic Inspection Risk

AS 1215 establishes clear requirements regarding what must be documented, when documentation must be completed, and how engagement files must be assembled and retained. As discussed in our prior article, failures to comply with these requirements were historically viewed as technical or secondary issues, often resulting in inspection comments rather than enforcement action.

That distinction is no longer meaningful.

Recent enforcement actions involving backdating, improper (both intentionally, and inadvertent) modification of workpapers, and failure to timely assemble a complete audit file reflect an evolving regulatory view. Documentation failures do not simply violate procedural requirements; they call into question the credibility of the audit opinion itself.

More importantly, beyond enforcement, documentation deficiencies are increasingly cited as core inspection findings. Inspectors are challenging situations where engagement teams assert that work was performed but cannot demonstrate that work within the archived file. In these cases, the absence of timely, complete, and clear documentation is no longer treated as a formality. It is treated as evidence that the engagement may not have been properly executed, supervised, or supported in accordance with PCAOB standards.

This represents a fundamental shift. Documentation is no longer “low-hanging fruit.” It is a systemic inspection risk that cuts across execution, supervision, and firm-level quality management.

From Misconduct to Execution Failures

Pervasive documentation failures that do not involve intentional misconduct but still result in non-compliance are increasingly observed.

For example, reviewer signoffs occurring near the documentation completion date, rather than contemporaneously with the performance of audit procedures, raise questions about whether effective supervision occurred during the audit or was deferred to meeting archiving deadlines.

Similarly, engagement teams may assert that key judgments can be explained verbally, even when those judgments are not clearly documented in the audit file. In today’s environment, the distinction between “we can explain it” and “it is clearly documented” is critical. If procedures, judgments, and conclusions are not evident in the documentation itself, inspectors increasingly conclude that the work was not performed in accordance with PCAOB standards.

The issue is not whether the engagement team can explain what they did after the fact. The issue is whether the archived documentation allows an experienced auditor, with no prior connection to the engagement, to understand the procedures performed, evidence obtained, and conclusions reached at the time of the auditor’s report.

When documentation fails to reach that standard, inspectors are increasingly concluding that the audit itself was not properly executed, regardless of intent.

This reflects an important shift. Documentation failures are no longer viewed primarily as misconduct. They are viewed as symptoms of execution breakdowns, including delayed supervision, compressed review cycles, and audit workflows that defer documentation until the end of the engagement.

As a result, AS 1215 has become a direct proxy for how audits are actually performed in practice.

How the 14-Day Documentation Completion Requirement Changes the Risk Profile

The execution risks are further amplified by the PCAOB’s shortened documentation completion timeline.

Recent amendments to AS 1215 reduce the timeframe to assemble a complete and final audit file from 45 days to 14 days after the report release date. While this change may appear procedural, its implications are operational.

Under this accelerated timeline, engagement teams no longer have a meaningful post-issuance window to resolve review notes, complete documentation, or finalize supervisory evidence. What were once viewed as “clean-up” activities are now more likely to result in timing violations and non-compliance.

This shift places increased emphasis on:

Contemporaneous documentation
Real-time supervision
Realistic workload and staffing models

Audit Documentation as a Cornerstone of Audit Quality

Audit documentation has long been described as low-hanging fruit in the inspection process. That characterization no longer reflects its role in today’s regulatory environment.

Documentation now serves as the primary lens through which regulators assess whether an engagement was properly executed, supervised, and supported.

With shortened timelines, expanded quality management expectations, and increased regulatory scrutiny, firms can no longer treat documentation as a downstream activity. It must be embedded into how engagements are planned, staffed, reviewed, and completed.

In an environment where inspection conclusions are driven by what is, and what is not, in the audit file, strong documentation is not merely defensive. It is foundational to audit quality.

For more information, please contact your JGA audit quality expert .

Accounting Firm Acquisitions: Why Due Diligence and Integration Determine Long-Term Success

Mon, 30 Mar 2026 15:30:16 GMT

Mergers and acquisitions within the accounting firm industry continue to accelerate, driven by succession planning needs, technology investment, talent constraints, geographic expansion, and the pursuit of new service lines. The pace and volume of transactions is being fueled, in large part, by private equity investment in the accounting firm space. Yet as deal activity accelerates, so does a critical reality: the long term success of an acquisition is determined well before the transaction closes—and long after the announcement is made.

Experience across the profession shows that insufficient due diligence and poorly executed post acquisition integration are the most common sources of value erosion in accounting firm transactions.

What the Regulator is saying and How JGA sees it

At the AICPA December 2025 conference on Current SEC and PCAOB Developments, common topics were the presence of private equity in the accounting firm space and the opportunities and challenges that come with this investment.

As it relates to private equity, then-acting PCAOB Chair George Botic noted that while these investments have the potential to enhance audit quality by increasing firm capacity and modernizing audit tools with advanced technologies, the presence of private equity presents a risk that firms shift incentives to prioritize profitability over audit quality. Mr. Botic stated, “Both AI and private equity investments in accounting firms carry the potential to truly reshape the profession. Yet these opportunities come with clear challenges to ensure that overreliance on AI and the pressures of private equity do not jeopardize audit quality.”

At JGA, we expect the PCAOB to increase its inspection focus on a firm’s system of quality management. To the extent that acquisitions present quality risks to a firm, we expect increased attention from the PCAOB in terms of how firms are managing these risks.

Due Diligence: Looking Beyond the Numbers

Financial performance, partner buy ins, and deal structure naturally receive significant attention during an acquisition. However, professional services firms—particularly those providing audit and assurance services—certain of the greatest risks often reside outside the financial statements.

Effective accounting firm due diligence must assess not only what the target firm has earned, but how it has earned it—and whether that performance is sustainable. This includes gaining a deep understanding of:

Audit quality history, including inspection and peer review results,
Independence, ethics, and regulatory compliance practices,
Industries served, industry concentration and related expertise,
Client concentration, retention trends, and engagement risk profiles,
Partner governance, compensation alignment, and succession readiness,
Technology platforms, data security, and scalability, and
Firm culture, leadership dynamics, and decision making processes.

When these areas are not rigorously evaluated, issues frequently surface after the transaction closing—when remediation is more disruptive, more expensive, and far more visible to regulators, clients, and staff.

The Risks of Inadequate Due Diligence

Inadequate diligence often leads to unanticipated post transaction challenges, including:

Regulatory findings related to legacy engagements,
Independence violations requiring retroactive remediation,
Client attrition driven by service disruption or cultural misalignment,
Talent loss stemming from unclear expectations or compensation inequities, and
Technology incompatibilities that impair efficiency and data integrity.

Deficiencies inherited through acquisition can affect inspection outcomes, firm reputation, and overall audit quality long after the transaction closes.

Integration: Where Value Is Created—or Lost

Even when due diligence is performed thoughtfully, post acquisition integration remains the most common point of failure. Integration is often underestimated, treated as an operational exercise rather than a strategic initiative requiring sustained leadership attention.

Successful integration goes far beyond combining systems or standardizing branding. It requires deliberate alignment across how the firm operates, governs itself, and delivers quality—particularly in areas such as:

Audit methodology and documentation standards
Quality management systems and monitoring processes
Partner roles, authority, and accountability
Talent development, evaluation, and retention
Communication with clients, regulators, and staff

Absent a structured integration plan, firms risk operating as a collection of semi independent practices rather than a cohesive organization. This fragmentation can undermine consistency, weaken accountability, and complicate regulatory compliance.

A Strategic Imperative in a Changing Profession

As consolidation continues and regulatory scrutiny intensifies, rigorous due diligence and disciplined integration are no longer optional. They are essential to managing risk, sustaining quality, and realizing the full value of a transaction.

For accounting firm leaders, the message is clear: growth through acquisition can be a powerful strategy—but only when supported by a comprehensive understanding of what is being acquired and a deliberate plan for how the combined firm will operate as one.

Firms that treat diligence and integration as leadership imperatives—rather than transactional steps—are better positioned to protect audit quality, retain talent, and preserve client trust while achieving growth objectives.

JGA’s Role Guiding Firms through these Opportunities

For firms seeking to grow through acquisition without sacrificing quality, control, or visibility, JGA is a solution. JGA is uniquely qualified with deep experience working with accounting firms on quality management, governance, and operational transformation. We have proven due-diligence tools built that are designed to be practical, adaptable, and immediately usable—while also supporting long term consistency as firms pursue multiple acquisitions over time.

Ready to get started or need help refining your acquisition activities? Contact your JGA audit quality expert today to schedule a consultation and ensure acquisition activities are tailored to your firm’s needs.

JGA to Sponsor ALI's Accountants' Liability 2026 Conference

Tue, 24 Feb 2026 21:47:14 GMT

WASHINGTON, D.C.: — Johnson Global Advisory (JGA) is proud to sponsor the ALI’s Accountants’ Liability 2026 conference hosted by the American Law Institute (ALI). The two‑day program will take place May 14–15, 2026, in Washington, D.C., with a live webcast option available for remote attendees. This annual conference is a premier forum for accounting firm leaders, in‑house counsel, litigators, and regulators to examine the evolving landscape of accountants’ liability, enforcement priorities, and risk management. The 2026 program will explore how recent regulatory, litigation, and technological developments are reshaping the profession and what firms can do to proactively respond.

“We are pleased to once again sponsor the ALI Accountants’ Liability Conference,” said Jackson Johnson, President of Johnson Global Advisory. “This event consistently brings together leading regulators, practitioners, and risk professionals to discuss the most pressing liability and oversight issues facing accounting firms today. We value the opportunity to engage with participants and contribute to these important conversations.”

The program will feature nationally recognized panels of practitioners, general counsel, industry professionals, and government officials. Planned discussions will address current and emerging challenges facing accounting firms, including:

Regulatory and enforcement priorities impacting the accounting profession
Recent trends in accounting‑related litigation
PCAOB and SEC perspectives on audits, inspections, and gatekeeper liability
The impact of AI, cryptocurrency, and emerging technologies on audit quality and firm risk
Best practices for navigating an evolving and uncertain regulatory environment

OR, for webcast attendance, use the code " JOHNSON " to save $125 off the tuition. Click here to register.

To learn more about how Johnson Global partners with in-house and outside counsel to support public accounting firms, we invite you to explore our latest brochure. This resource outlines our approach to independent monitoring and consulting, including how we assist firms in navigating PCAOB and SEC investigations, implementing quality control improvements, and responding to regulatory findings. Download the brochure below to see how our experienced team can help your firm meet today’s compliance challenges and build a stronger foundation for the future.

Get a copy of our brochure here .

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigates those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

Joe Lynch, JGA Shareholder, to Present in AICPA & CIMA Quality Management Webcast Series

Tue, 24 Feb 2026 16:39:24 GMT

We’re pleased to share that Joe Lynch , JGA Shareholder, will be presenting in a series of AICPA & CIMA webcasts focused on practical considerations for Quality Management. These sessions are designed to provide guidance in your QM journey. They support key elements such as engagement quality reviews, root cause analysis, and ongoing monitoring and remediation.

Session 1 — Quality Management: Engagement Quality Reviews

What you’ll learn: Practical considerations for your firm's responsibilities for engagement quality reviews and the reviewers requirements when executing engagement quality reviews under the updated quality management standards, including how to make EQRs scalable and effective. Register for this session here .

Session 2 — Quality Management: Performing a Root Cause Analysis

What you’ll learn: How root cause analysis supports remediation by identifying underlying drivers of the findings and deficiencies; supporting the design of corrective actions that prevent recurrence. Register for this session here .

Session 3 — Quality Management: My System is Set Up — Now What?

What you’ll learn: Post-implementation requirements of SQMS No. 1, which include monitoring activities, evaluating findings and deficiencies, remediation, and the annual evaluation process—so your system stays responsive and effective. Register for this session here .

These sessions are included with a current Webcast Pass.

Joe Lynch, JGA Shareholder, to Provide Insights on Changes to Engagement Quality Review Requirements

Tue, 20 Jan 2026 19:51:27 GMT

JGA is pleased to announce that Joe Lynch , JGA Shareholder, will be a featured guest on the upcoming AICPA & CIMA A&A Focus live webcast on February 4, 2026.

Joe has been invited to join the program to provide insights on changes to engagement quality review requirements. This appearance offers a valuable opportunity for viewers to gain practical, real-time guidance on effective EQR practices—an increasingly critical component of audit quality and compliance under the evolving professional standards landscape.

Click here for m ore information about the program and registration details.

At Johnson Global Advisory, we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®.

For more information, please contact your JGA audit quality expert .

Quality Management in 2026: Considerations to Successfully Adapt to a Transforming Environment

Tue, 20 Jan 2026 19:32:05 GMT

Introduction

The accounting firm industry experienced a ground-breaking transaction in August of 2021 when TowerBrook acquired EisnerAmper, which marked the first private equity (“PE”) transaction of a large-scale accounting firm. This transaction was structured using an alternative practice structure (“APS”).

Historically, licensing and independence rules have barred non-CPAs from owning accounting firms. Through an APS, a PE firm may invest in the non-attest entity with service lines such as tax advisory and consulting. The CPA partners retain control over the attest functions, which preserves regulatory compliance. While the APS model has been in existence since the 1990s, this August 2021 transaction brought new attention to this structure. What has followed is an extraordinary volume of deal activity.

Per the CPA Trendlines (“CPAT”) Cornerstone report posted on November 18, 2025, CPAT has tracked over 115 PE-related transactions from 2020 to 2025, with over 80 transactions in 2025. While PE in the accounting firm space is no longer news, the pace and volume of transactions is certainly news-worthy.

Impact of PE Investment

The impact of PE investment on the accounting firm space is unprecedented. The APS has enabled PE to fuel billions of capital investment. PE-backed firms provide immediate payouts to partners at appealing valuations while providing access to capital to these firms for merger and acquisition growth, technology investments, and other priorities. Well-capitalized firms now have an improved ability to invest in technological capabilities, attract experienced talent to be more competitive for college graduates, and improve their market position.

With new technologies, routine tasks are being automated such as data entry, tie-outs and controls testing, resulting in less time needed to perform certain audit procedures.

What the regulators are saying

PCAOB

Acting PCAOB Chair George Botic described that both transformative technologies (e.g., artificial intelligence or “AI”) and the continuing expansion of private equity investments in accounting firms are two developments that bring opportunities and challenges. Mr. Botic noted that while AI has enhanced risk assessment, reduced manual processes and made it possible to efficiently analyze entire populations of data (which can reduce the risk of missing irregularities or unusual patterns), that overreliance on AI may ultimately threaten auditors’ exercise of professional skepticism and judgment. As it relates to private equity, Mr. Botic noted that while these investments have the potential to enhance audit quality by increasing firm capacity and modernizing audit tools with advanced technologies, the presence of private equity presents a risk that firms shift incentives to prioritize profitability over audit quality. Mr. Botic stated, “Both AI and private equity investments in accounting firms carry the potential to truly reshape the profession. Yet these opportunities come with clear challenges to ensure that overreliance on AI and the pressures of private equity do not jeopardize audit quality.”

SEC

SEC Chair Atkins discussed in his remarks that he would like the PCAOB to modify its inspections process to place more reliance on the system of quality management and that inspection of certain engagements would inform the PCAOB if the firm’s system of quality management is effective. He also expressed a view that accountability for audit quality should move upward to firm leadership.

How is a firm’s system of quality management (“SQM”) impacted?

Today’s transforming environment has far-reaching impacts on a firm’s SQM. This publication will focus on risk assessment, governance and leadership, ethics and independence, resources, engagement performance, and monitoring and remediation.

 Conclusion

The APS comes with structural complexity that challenges the design and operation of effective systems of quality management. Key risks include independence impairments, fragmented governance, and inconsistent risk monitoring. When an APS is coupled with PE investment, use of transformative technologies, profit prioritization and pressure may be added to the mix of risks at play.

The regulators have weighed in on the importance of these topics. We advise firms to carefully assess these issues to ensure they implement robust governance frameworks, establish clear accountability, and enhance monitoring protocols to mitigate these risks.

Ready to get started or need help refining your approach? Contact your JGA audit quality expert today to schedule a consultation and ensure implementation is tailored to your firm’s needs.

Year in Review: Here are the Top 10 Actionable Insights of 2025

Tue, 30 Dec 2025 19:43:08 GMT

As we wrap up an incredible year, we’re showcasing the insights that sparked the most conversations and drove the most impact.

Here are the Top 10 Actionable Insights from 2025:

Enhancing Audit Evidence: PCAOB Expectations and What We Are Seeing in Practice

Mon, 24 Nov 2025 18:33:10 GMT

As companies increasingly rely on cloud platforms, external data providers, and integrated third-party systems, the boundary between “internal” and “external” information has blurred. Audit evidence today may originate outside the company, but often arrives through the company, transformed, mapped, merged, or embedded within systems before it reaches the auditor.

In response to this evolving landscape, the PCAOB amended AS 1105, Audit Evidence, effective for audits of fiscal years beginning on or after December 15, 2025. Central to these amendments is AS 1105.10A, which introduces a principle-based, risk-scalable framework for evaluating the reliability of electronic information provided by the company.

At JGA, we view this development as a natural response to the data ecosystems shaping today’s financial reporting. We also see it rapidly becoming a recurring area of focus by global audit regulators, particularly when the information supports significant risks, revenue, fraud procedures, or management estimates.

This article summarizes key themes from the PCAOB’s Board Policy Statement on Evaluating External Electronic Information (issued September 2025) paired with practical observations from JGA’s inspection support and methodology enhancement work with firms across the profession.

Why External Electronic Information is a Growing Focus Area

Across industries, external platforms now drive core financial and operational processes: payment processors, logistics platforms, third-party fulfillment solutions, subscription systems, industry data services, and more. Although such information originates from outside the company, it is often:

Received, stored, or routed through company systems
Transformed within spreadsheets or EUCs
Merged with internally generated data
Exported in formats that allow modification
Provided to auditors without a traceable chain to the original source.

Our direct experience working with our clients shows that PCAOB inspection teams consistently emphasize that external does not inherently mean reliable. The auditor must understand how the information was obtained, how it was handled, and whether there was a reasonable possibility that it could have been modified before reaching the auditor.

Understanding AS 1105.10A

The Board Policy Statement highlights two foundational expectations:

1. Auditors should understand the source and flow of the information.

Inspection teams frequently question whether the engagement team understood:

The true originating source of the data
How the company received it (e.g., automated feed vs. manual upload)
Whether the information is editable or configurable
Whether it passed through multiple systems or spreadsheets
How it is used in controls, substantive testing, or significant estimates

In JGA’s experience, inspection findings often arise from situations where teams relied on a “system-generated” or “externally sourced” report without fully understanding where it came from or whether it could have been changed.

2. Auditors should address the risk of modification.

The standard allows for two broad approaches, testing the information itself or relying on controls, depending on the assessed risk. The standard is intentionally flexible, but this flexibility requires well-supported judgments, especially for information affecting significant accounts or fraud risks.

The PCAOB also acknowledged scenarios where separate testing may not be required (e.g., direct-to-auditor feeds or read-only API transfers) but emphasized that this exception applies only when the risk of modification is no more than remote.

What We Observe in PCAOB Inspections

Through JGA’s transformation activities with firms, we continue to see consistent challenges in the following areas:

Reliance on information provided by the company without evaluating whether transformed, filtered, or merged with other data sets.
Use of external or industry data in analytics without understanding the methods, assumptions, or relevance to the issuer.
External information embedded in significant estimates or complex models without evaluating management’s process for compiling that information.
System-generated or external journal entry listings used in fraud procedures without establishing completeness and reliability.

In each of these situations, inspection teams focus on whether engagement teams understood how the information was obtained, how it was processed, and whether there was a reasonable possibility of modification before it reached the auditor.

Emerging PCAOB Expectations

Although the standard is principles-based, several expectations are now appearing consistently in inspections:

Reliability cannot be presumed, external information must be evaluated just like any other audit evidence.
Understanding the company’s process for receiving and handling external information is foundational.
Judgments about whether separate testing is required must be risk-responsive and well-supported.
Documentation should clearly articulate the source of the information, the company’s process, and the basis for concluding the information was reliable.

These expectations are shaping how firms need to think about IPE testing, data flows, and the role of technology within the audit.

Areas Where Firms Often Seek Assistance

Across our methodology enhancement and inspection support work, firms consistently ask for help in:

Identifying when information is “external electronic information provided by the company”.
Determining whether reliance on management’s process is appropriate.
Navigating situations where data passes through multiple systems or spreadsheets.
Evaluating third-party or industry data used in analytics.
Assessing effects on significant risks, especially revenue and fraud.
Aligning documentation practices with PCAOB expectations.

Many firms have strong processes for testing IPE, but other nuances of the standards require an additional layer of consideration that is still evolving in practice.

Looking Ahead

As companies build increasingly automated and interconnected systems, auditors must deepen their understanding of those environments to obtain sufficient appropriate evidence. Firms that proactively adapt their methodologies and train engagement teams will be better positioned for both compliance and audit quality.

At JGA , we help firms interpret emerging regulatory requirements, strengthen methodologies, and enhance the use of technology and data in the audit. Ultimately, ensure compliance and consistency get to our ultimate goal of helping firms grow and scale responsibly. To learn how we can help your firm navigate these expectations and #AmplifyQuality, visit www.johnson-global.com, or contact a member of your JGA client service team.

The Never-Ending Story: How to Remediate Recurring EQR Findings – Part Deux

Tue, 28 Oct 2025 21:03:14 GMT

In September 2022, we wrote an article discussing the struggle that firms were experiencing at that time in remediating Quality Control (QC) criticisms as it relates to their Engagement Quality Review (EQR) process. This struggle seemingly continues today, as, so far in 2025, the PCAOB has publicly re-released previously issued inspection reports for 32 registered firms, and in 19 of those reports, EQR was a QC criticism that was released to the public as these firms had failed to satisfactorily remediate their EQR QC criticism¹. This means that firms continue to struggle to identify and effectively implement remedial actions to the satisfaction of the PCAOB that demonstrate that they have successfully remediated their non-compliance with AS 1220, Engagement Quality Review . So why are firms still failing to remediate this QC criticism?

As we stated previously, having worked with engagement teams and looking at the nuanced and sometimes detailed nature of some of the PCAOB Part I findings, attributing the audit issue to a deficient EQR review can sometimes feel like the regulator is being overly exigent. In fact, in its adopting release to the EQR standard , the Board stated that it “…has been sensitive to commenters' concerns and agrees that the EQR should not become, in effect, a second audit.” This is a difficult concept for EQRs to balance though, as engagement teams often ask us, “As EQR am I required to review every test of design and operating effectiveness for internal controls related to every significant risk? Which substantive workpapers in significant risk audit areas should I review and to what level of detail?” Though not explicitly required in AS 1220, implicitly by the very nature of the EQR attribution, the PCAOB is inherently creating an expectation of a detailed EQR review. After all, AS 1220.09 does require the EQR to “review documentation.”

When the PCAOB evaluates a firm’s Rule 4009 remediation response, they pay particular attention to recurring deficiencies. If the same deficiency is long-standing or occurs in subsequent reports, remediation efforts undertaken must be incremental in each remediation submission so as to address the recurring deficiency. Said otherwise, a firm cannot deliver the same training year after year and expect it to drive change; it must change its approach to remediate the recurring deficiencies. We have numerous clients telling us that this is the second or third inspection report that includes an EQR QC criticism. They often ask us, “This time, what can we do that is incremental that we haven’t already done?”

Remediation Considerations

The new quality control standards (QC 1000, ISQM 1 and SQMS1) require firms to perform root cause analyses for audit deficiencies. In doing so, firms should identify the real root cause behind why EQRs are failing to identify audit deficiencies and then design specific remedial actions to address these root causes. So, remedial action should be in response to the actual root cause of the EQR deficiency – i.e., what is the ultimate root cause of EQR’s not identifying the Part I deficiencies at the time of their review?

The following are typical actions that we see firms undertake:

a. Training as an Action

For many firms, they start out the remedial process by providing training to audit professionals that specifically address the requirements of AS 1220. Some firms attempt this by sourcing online training from the marketplace. If this is the first time your firm has received a Part II EQR criticism, then this action might be effective. However, training designed to remediate quality control deficiencies must be specific to the facts and circumstances of your issue(s). Oftentimes though, when the EQR criticism is long-standing or repetitive, training alone is not sufficient.

Key takeaway : Consider developing more robust training that specifically addresses nuances of firm findings and walk through examples of EQR reviews.

b. EQR Sign-off Checklist as an Action

Another common remedial action is for firms to make enhancements to their methodology, including their EQR sign-off checklist . Most firms subscribe to audit software programs already which have a basic EQR checklist that calls out the requirements under AS 1220. Modification to the EQR checklist and/or creation of addendums that specifically focus on the issues or concerns can be a meaningful improvement and can add rigor to the review process.

Key takeaway : Firms should determine whether they need to modify their EQR sign-off checklist and/or create addendums to include specific bullets and questions addressing firm audit deficiencies, specifically calling it out to the EQR’s attention.

c. EQR mentoring/coaching program as an Action

Many firms have already implemented the previous two actions, and they may continue to see deficiencies in the QC criticism. The PCAOB is expecting firms to do more to ensure quality audits. As we have worked with firms on remediation, we recommend firms consider an EQR mentoring/coaching program . When designed and implemented properly – and timely – we believe this action to be important to a successful remediation of QC deficiencies around the EQR function.

Key takeaway : Consider designing and implementing an EQR coaching or mentoring program, paying close attention to key elements important for effective remediation criteria.

Other Considerations

Given that global audit regulators have raised the bar in expectations on recurring findings – specifically on the EQR process – we cannot stress enough the importance of beginning the remediation process early . Engage the PCAOB in a dialogue immediately once your 12-month remediation period begins, to discuss the planned remedial actions and get feedback on the sufficiency of those actions. Pay particular attention to understanding what is considered timely implementation. Do not underestimate the amount of time it will take to fully implement remedial actions.

Key takeaway : Engage the PCAOB early in the remediation process to seek feedback on the sufficiency of the remedial actions (perhaps even before the final report has been issued).

EQR as last line of defense

Another important point is that EQRs are essentially the last line of defense with regard to audit quality. Said differently, audit quality starts with the audit engagement team and the firm’s entire QC system (training, methodology, tools, etc.) that enables and supports audit engagement teams to perform quality audits. Firms must also consider the remedial actions that also address the PCAOB’s Part I audit deficiency(ies). The EQR QC criticism, while linked to its own standard, is really just the review of the audit work performed under all the other audit standards (e.g., AS 2501, AS 1301, etc.). It is a collective effort, and the EQR as well as the entire engagement team should be considered when remediating all QC criticisms identified in firm inspection reports. It may feel like a never-ending story and perhaps regulators are being overly rigorous, but the reality is this issue is not going away, so firms need to consider what incremental actions they can take to truly ensure EQRs perform quality reviews.

¹ Part I of a PCAOB inspection report contains audit deficiencies; this part is made public when the report is initially published. Part II contains the firm’s QC criticism(s); and this part is not initially released to the public. The firm has one year from the date the report is published to remediate the QC criticism(s). If the remediation is satisfactory to the Board, then Part II is kept private. However, if the firm fails to satisfactorily remediate the QC criticism, the QC criticism in Part II is then released to the public.

From Planning to Practice: 10 Steps to Build Your Firm’s Quality Management System

Tue, 30 Sep 2025 18:30:16 GMT

With the effective date for SQMS 1 and QC 1000 fast approaching, firms of all sizes—especially small and sole practitioners—must take action to implement a system of quality management (SQM) that meets the new standards. The good news? You don’t have to start from scratch. Despite QC 1000’s implementation date deferral, the AICPA’s date hasn’t changed, and the international standards are already effective. It’s important to maintain momentum on the efforts toward implementation of all applicable standards for your firm.

This article outlines 10 practical steps to help firms build their SQM. Each step includes actionable guidance and considerations for firms with limited resources, and ties into JGA’s broader thought leadership on quality management, risk assessment, and system evaluation.

The 10 Steps to Build Your SQM

Step 1: Establish a Project Team

Form a team with the right mix of quality expertise and operational insight. For small firms, this may mean involving a manager who can grow into a leadership role or setting aside dedicated time as a sole practitioner.

Recommended actions to consider:

Identify internal champions with interest or experience in quality.
Schedule recurring project meetings to maintain momentum.
Join a peer group for support and shared learning.

Step 2: Understanding and Awareness

Document your firm’s business strategy, service offerings, and operational conditions. This step helps identify factors that may impact quality—such as remote work, new industries, or staff turnover.

Recommended actions to consider:

Conduct a strategy review with firm leadership.
List recent changes in firm structure or engagement types.
Use these insights to inform your risk assessment.

Step 3: Assign Responsibilities

Define who is accountable for the SQM. The new standards require clear delineation of ultimate and operational responsibility, including oversight of independence and monitoring.

Recommended actions to consider:

Assign roles based on existing responsibilities.
Clarify delegation boundaries for managing partners.
Document responsibilities in your quality manual.

Step 4: Establish a Risk Assessment Function

Design a process to identify and assess quality risks. This includes understanding conditions or events that could impact quality objectives.

Recommended actions to consider:

Create a risk assessment policy tailored to your firm.
Use relatable examples to demystify risk factors.
Leverage AICPA practice aids for structure and templates.

Step 5: Perform the Initial Risk Assessment

Conduct brainstorming sessions by component and document risks using the AICPA Risk Assessment Template. Include both formal and informal responses.

Recommended actions to consider:

Use the AICPA risk library to identify common risks.
Tailor risks to your firm’s size and services.
Include existing responses—even if informal—for evaluation.

Step 6: Finalize the Gap Analysis

Evaluate where your current responses fall short. This may include undocumented policies or areas where responses don’t fully address the risk.

Recommended actions to consider:

Identify gaps in governance, ethics, and technology.
Determine which informal practices need formalization.
Prioritize gaps based on risk severity and regulatory impact.

Step 7: Implement Responses to Address the Gaps

Develop policies and procedures to close gaps. Responses must be documented and operational.

Recommended actions to consider:

Draft policies that reflect your firm’s values and risks.
Link procedures to specific quality objectives.
Use existing documentation as a starting point.

Step 8: Update Your Monitoring Process

Move beyond peer review prep—monitoring should be continuous and system-wide.

Recommended actions to consider:

Assign monitoring responsibilities across the team.
Incorporate testing of responses into internal inspections.
Use dashboards or checklists to track progress.

Step 9: Formalize Root Cause and Remediation Procedures

Investigate deficiencies and document why they occurred. This step is essential for both system and engagement-level reviews.

Recommended actions to consider:

Conduct interviews to understand root causes.
Use findings to improve policies and training.
Apply remediation even if your firm only undergoes engagement reviews.

Step 10: Initial Test of Design and Implementation

Review documentation and walk through processes to ensure your system is operational and testable.

Recommended actions to consider:

Validate that each component is supported by evidence.
Simulate a peer review to test your system.
Confirm that objectives, risks, and responses align.

Conclusion

Implementing a system of quality management is not just a compliance exercise—it’s an opportunity to strengthen your firm’s foundation for audit quality, risk management, and long-term success. Whether you’re a sole practitioner or a small firm with a few partners, these 10 steps offer a scalable roadmap to meet the new standards.

Ready to get started or need help refining your approach? Contact your JGA audit expert today to schedule a consultation and ensure your implementation is tailored to your firm’s needs.

Clearing the Roadblocks: Auditing Estimates with Confidence in Small Firms

Tue, 30 Sep 2025 15:53:33 GMT

Introduction

Auditing accounting estimates has long been one of the most judgment-intensive and inspection-prone areas of the audit. For smaller firms, the challenge is even greater due to limited resources and evolving regulatory expectations. At JGA , we’ve worked closely with firms navigating these complexities and have identified three critical areas where auditors can strengthen their approach and reduce risk.

What’s Recurring and What’s New: Insights from PCAOB’s Latest Audit Focus

The PCAOB’s recent Audit Focus¹ underscores persistent deficiencies in how auditors evaluate accounting estimates. Common issues include failure to identify significant assumptions, reliance on inquiry or simple recalculations, and inadequate testing beyond vouching to internal or external data. These recurring gaps continue to surface in inspections of smaller firms. What’s new is a sharper emphasis on critical accounting estimates—those with high uncertainty and material impact. Auditors are now expected to understand how management analyzes the sensitivity of assumptions to other likely outcomes and to incorporate that understanding into their evaluation of bias and reasonableness. Additionally, the PCAOB highlights good practices such as updating internal guidance, enhancing EQR partner reviews, and aligning audit programs with the standards.

Key Takeaways and Our Recommended Action Items

1. Evaluate the Reasonableness of Significant Assumptions

What the PCAOB said:

The PCAOB continues to observe recurring deficiencies in how auditors evaluate significant assumptions used in accounting estimates. Common issues include failing to identify key assumptions, relying solely on inquiry or recalculations, and not assessing whether assumptions are consistent with external factors like market conditions or industry trends. Auditors are expected to evaluate assumptions both individually and in combination, and to consider management’s intent and ability to carry out specific actions when assumptions are forward-looking².

JGA’s reaction:

In our article “Like Making Concrete out of Jell-O”², we described the inherent difficulty of auditing estimates that are subjective, uncertain, and often based on future projections. We emphasized that auditors must go beyond surface-level validation and challenge management’s assumptions with rigor. In “An Update for Unprecedented Times”³, we noted that economic volatility has made assumption testing even more complex, requiring auditors to evaluate whether recurring assumptions still hold in today’s environment.

JGA’s recommendation:

Firms should implement structured assumption testing protocols that go beyond vouching. Use external data sources to validate assumptions and ensure that engagement teams document how each assumption was evaluated. Partner and EQR reviews should include a step to confirm that all significant assumptions were tested for reasonableness and consistency.

2. Develop Independent Expectations and Use Reliable Data

What the PCAOB said:

AS 2501 outlines three approaches to testing estimates, including developing an independent expectation. The PCAOB stresses that auditors must have a reasonable basis for their own assumptions and methods and must evaluate the relevance and reliability of third-party data. This is especially important when using unobservable inputs or when substituting auditor assumptions for those used by management².

JGA’s reaction:

We’ve consistently advocated independent modeling as a way to reduce bias and improve audit quality. In our earlier articles, we highlighted how auditors can use historical data, peer comparisons, and macroeconomic indicators to build independent expectations. In “An Update for Unprecedented Times”³, we emphasized that auditors must reassess models and assumptions that were previously considered reliable, especially in light of post-pandemic economic shifts.

JGA’s recommendation:

Firms should train engagement teams to build independent expectations using validated data sources. When using third-party data, document the evaluation of reliability per AS 1105. Consider integrating external audit methodology tools that support independent modeling and provide templates for documenting assumptions and methods.

3. Strengthen Audit Methodology and Engagement Oversight

What the PCAOB said:

The PCAOB highlights good practices from firms that have updated their internal guidance, audit programs, and review checklists. These updates include scoping exercises for identifying estimates subject to AS 2501, requiring EQR partners to review all significant inputs, and linking risk assessments to audit responses. These practices are especially important for smaller firms that may lack centralized oversight².

JGA’s reaction:

We’ve seen firsthand how firms that invest in methodology updates experience fewer inspection findings. In “Like Making Concrete out of Jell-O”², we discussed how subjective estimates—like goodwill impairments or startup valuations—require more than just technical compliance. In “An Update for Unprecedented Times”³, we noted that firms must adapt their methodologies to reflect new economic realities and ensure that recurring assumptions are still valid.

JGA’s recommendation:

Firms should revise their audit programs to include scoping for all types of estimates, not just those flagged as significant risks. Partner and EQR checklists should be updated to ensure comprehensive review of estimate testing. Risk assessment documentation should clearly link identified risks to specific audit responses, with traceable evidence.

Conclusion

Firms should assess their current audit programs and consider enhancements aligned with AS 2501. JGA offers tailored consultations to help firms implement best practices and prepare for inspections. Contact us today to schedule a review or download our latest audit quality resources.

Auditing estimates doesn’t have to feel like “making concrete out of Jell-O.” With a disciplined approach to assumptions, independent analysis, and robust methodology, firms can deliver high-quality audits that stand up to regulatory scrutiny. JGA is here to help you lead with confidence.

For more information, reach out to your JGA audit quality expert .

Sources

¹PCAOB’s new publication Audit Focus- Auditing Accounting Estimates | PCAOB

²See our full article Auditing Estimates: Like Making Concrete out of Jell-O

³See our full article Auditing Estimates: An Update for Unprecedented Times

PCAOB Technology Innovation Alliance Working Group Report Focuses on Emerging Audit Technologies

Fri, 05 Sep 2025 21:53:13 GMT

The PCAOB’s Technology Innovation Alliance (TIA) Working Group released a report on using AI, data analytics, and digital signatures to improve audit quality and investor protection. It recommends standardizing documentation, adopting responsible AI, and fostering innovation.

Joe Lynch , JGA Shareholder, contributed insights as a stakeholder in the TIA roundtables and panels.

Timely Quality Management: Joe Lynch, JGA Managing Director, Insights Featured in Journal of Accountancy

Mon, 18 Aug 2025 20:04:26 GMT

Learn how to build your firm’s quality management system on time with actionable insights from Joe Lynch , Managing Director at JGA, as featured in the Journal of Accountancy . This article outlines eight strategic steps to ensure effective and timely implementation of quality management practices for your business.

Déjà Vu or Deeper Trouble? What the 2024 PCAOB Broker-Dealer Report Tells Us About Audit Quality

Fri, 08 Aug 2025 15:14:54 GMT

If you feel like you’ve read this story before, you’re not alone. For the third year in a row, the PCAOB’s annual report on broker-dealer audits paints a familiar picture: high deficiency rates, recurring issues in revenue testing, and quality control systems that continue to fall short. The 2024 report marks more than a decade of inspections under the interim program - and yet, many of the same red flags remain.

At JGA , we’ve tracked and provided our insights on these annual reports closely for the last several years¹. While we always take the PCAOB’s findings seriously, we also know that behind every statistic is a firm doing its best to navigate complex standards, resource constraints, and evolving expectations. That’s why Jackson Johnson , JGA President & Founding Shareholder, sat down with Tanieke Samuel , JGA Director, to unpack this year’s latest BD report - not just to highlight some noteworthy findings, but to translate them into practical guidance for firms working hard to get it right.

Revenue Testing: A Familiar Story with New Implications

Jackson Johnson (JJ) : The PCAOB flagged revenue testing as a recurring issue again this year - 48% of audits had deficiencies in this area. That’s consistent with 2023, but still a big jump from 34% in 2022. And the deficiencies weren’t limited to one revenue stream - they spanned commissions, advisory fees, 12b-1 fees, and more. Why do you think this continues to be such a challenge?

Tanieke Samuel (TS) : ASC 606 isn’t new. The PCAOB isn’t moving the goalposts. What we’re seeing is that firms are still struggling to test revenue accurately - across all sources. In many cases, they’re not getting a solid understanding of how revenue is generated, and that’s where the breakdown starts. Whether it’s commissions, trailing fees, or advisory income, you have to understand the components and tailor your testing accordingly. And don’t overlook presentation and disclosure - if you’re lumping everything under ‘commissions’ without disaggregating or explaining the sources, that’s a red flag.

Audit Committee Communications: A Missed Opportunity

JJ : One of the more surprising findings this year was the uptick in deficiencies related to audit committee communications. The PCAOB cited failures to communicate the overall audit strategy, use of specialists, significant risks like related parties, and even uncorrected misstatements. These seem like foundational elements. What’s going wrong?

TS : These aren’t gray areas. The standards are clear. But I think some firms are treating these communications as a formality - just rolling forward last year’s template. That’s risky. Audit committee communications should be a strategic touchpoint. You need to clearly explain your audit strategy, surface the right risks, and give the committee what they need to fulfill their oversight role. If you’re using specialists or identifying related party risks, those need to be part of the conversation - not an afterthought.

JJ : This reminds me of recent Actionable Insights we issued earlier this year , where we encouraged firms to move beyond the standard AS 1301 checklist and use the PCAOB’s Spotlight as a conversation starter. Audit committees want more than compliance - they want clarity, prioritization, and meaningful dialogue. When firms treat these communications as a strategic opportunity, they not only meet the standard - they build trust and demonstrate value. Agree?

TS : Absolutely. I’ve seen audit committees respond really well when firms take the time to prepare thoughtfully - bringing key issues to the forefront, previewing the discussion in advance, and even holding deep dives on emerging topics. It’s not just about what you say - it’s about how you engage. That’s what makes the difference.

Journal Entry Testing: Still a Blind Spot

JJ : Journal entry testing continues to be a pain point. The PCAOB noted that firms often fail to test the completeness of the population or apply meaningful fraud risk criteria. In some cases, teams just scan the listing and move on. Why is this still happening?

TS : Some firms think that because they’ve tested certain entries substantively elsewhere, they don’t need to do more. But that misses the point of journal entry testing as a fraud detection tool. You have to start by asking: What fraud risks are relevant to this client? Then design your testing around those risks. Don’t just look for a keyword - think about what would actually raise a red flag in this environment. And document your rationale. That’s what separates a thoughtful procedure from a perfunctory one.

JJ : Are you seeing this as a broker-dealer-specific issue, or is it just as prevalent in issuer audits?

TS : It’s definitely broader.

JJ : Across issuers and BD inspections, we’ve seen comment forms where teams selected journal entries based on high-dollar thresholds or year-end timing but didn’t tie those selections back to the fraud risk discussion. In one case, the team documented their criteria but didn’t evaluate whether the entries actually addressed the override risk they had identified. In another, the team selected entries from a non-representative population and didn’t test completeness. What specifically in BD-only firms are you seeing?

TS : In BD-only firms, especially smaller ones, the journal entry population might be smaller, which can give a false sense of simplicity. That can lead to shortcuts - like scanning instead of testing. In issuer audits, the volume and complexity might be higher, but the same root issue shows up: teams not linking their procedures back to the fraud risk assessment. Whether it’s a BD or an issuer, the key is to critically evaluate your criteria and make sure your testing is responsive to the risks you’ve identified.

QC 1000: Turning Insight Into Action

JJ : With QC 1000 going into effect at the end of the year, firms have a real opportunity to use the PCAOB’s findings as a risk assessment tool. But it’s not just about checking a compliance box - it’s about using these findings to inform a more thoughtful, iterative approach to quality. For example, we’ve emphasized the importance of root cause analysis (RCA) as a foundation for risk assessment.

TS : Exactly. I emphasize to clients that RCA helps firms move beyond surface-level fixes and identify systemic issues that may be contributing to recurring deficiencies. When firms use PCAOB findings as inputs into their RCA process, they’re not just reacting - they’re proactively identifying where their system might be vulnerable. RCA helps connect the dots between what went wrong and why it happened, which is essential for designing controls that actually work. It’s not just about fixing the symptom - it’s about addressing the underlying condition.

JJ : As firms read this report and try to make sense of how to incorporate it into their QC 1000 implementation, how should they approach this?

TS : I would say incorporating the observations from this report and reflecting the applicability to your own practice is the concept of continuous improvement. This is a foundational concept of QC 1000. Implementation is about more than policies - it’s about culture . It’s about how you learn from what’s happening in the field and apply it to how you manage risk across the firm. When risk assessment becomes a living process - not a one-time exercise - firms are better positioned to adapt, improve, and ultimately deliver higher-quality audits. That’s the mindset shift we’re encouraging.

¹See our Actionable Insights on the PCAOB’s annual broker-dealer inspection reports from each year by entering “broker-dealer” on the search bar of the JGA Advisor page on our website.

At Johnson Global Advisory, we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®.

For more information, reach out to your JGA audit quality expert .

Rethinking Engagement Acceptance: Why “Yes” Isn’t Always the Right Answer

jjohnson@jgacpa.com (Jackson Johnson) — Wed, 30 Jul 2025 15:15:33 GMT

Introduction

In today’s regulatory climate, audit firms must take a fresh look at how they evaluate engagement acceptance and client continuance. The stakes have never been higher. With the PCAOB’s newly adopted QC 1000 standard and the AICPA’s SQMS 1 framework now in effect , firms are expected to demonstrate a more rigorous, risk-based approach to quality control—starting with the very first decision: "Should we take this engagement?"

The PCAOB recently released a new Audit Focus: Engagement Acceptance on this topic (Audit Focus). At the same time, we’ve been speaking, writing, and helping firms improve their process in this area. On the steps of PCAOB’s recent and timely guidance, this article explores the evolving risk landscape and offers practical guidance for firms to strengthen their engagement acceptance protocols in line with new regulatory expectations and JGA’s quality management insights.

The New Risk Landscape: What QC 1000 and SQMS 1 Require

The PCAOB’s QC 1000 standard introduces a scalable, risk-based framework that applies to all firms performing PCAOB engagements. It emphasizes that engagement acceptance is not just a procedural checkpoint, it’s a critical quality control decision that must reflect the firm’s risk profile, independence safeguards, and capacity to deliver a high-quality audit.

Key risks highlighted in QC 1000 include:

Independence and ethics violations: Firms must have systems to identify and escalate potential conflicts, including automated tracking of financial interests.
Monitoring of in-process engagements: Firms are expected to assess quality risks before and during engagements, not just after the fact.
Scalability and oversight: Larger firms face enhanced requirements, including external oversight and formal complaint tracking mechanisms.

Similarly, SQMS 1 requires firms to design and implement a system of quality management that includes robust procedures for engagement acceptance and continuance. These procedures must consider:

integrity and reputation of the client
firm competence and resources
ethical and legal requirements, and
risks to audit quality and compliance.

Issues arising from poor or inconsistent client or engagement acceptance policies and procedures isn’t new, but is being looked at in new ways by firms and their regulators with the:

decrease in public company auditors qualified or going to market on conducting public company audits
increasing number of firms that have been stripped of their privilege to conduct public company audits, and
movement of companies to different auditors (think BF Borgers as the most egregious example, but your typical attrition in the most common case).

The PCAOB, AICPA, and other regulators around the world, will take these business risks and apply them in a new lens in their inspection, peer review, and enforcement processes as they look at how firms have identified and addressed risks when implementing their QC system when it comes to client acceptance.

Improving Communications: Predecessor Auditors & Audit Committees

Recent PCAOB inspection findings and the Audit Focus document emphasize that engagement acceptance decisions are under increasing scrutiny. Deficiencies in areas like AS 1301 (Communications with Audit Committees) and AS 2610 (Successor Auditor Communications) often stem from weak or incomplete risk assessments at the outset of the engagement.

Firms must be prepared to engage in transparent, candid conversations with audit committees, especially when the going gets tough. Whether it’s disclosing an unanticipated CAM , identifying a material weakness in internal control , or explaining a shift in audit scope, the ability to communicate openly and credibly is a hallmark of audit quality.

Similarly, in our article on audit committees , we emphasized that audit committees are becoming more sophisticated and assertive. They expect auditors to be proactive, risk-aware, and ready to explain their judgments—not just their procedures. The Audit Focus does a great job of asking questions for firms to consider in assessing the quality of both management and the AC.

As part of your engagement acceptance process, assess not only the technical risks of the engagement, but also the firm’s ability to maintain transparency and trust with the audit committee. Ask:

Will we be able to have frank conversations with this client’s governance team?
Are we prepared to deliver difficult messages if needed?
Do we have the right people and protocols in place to support those conversations

Internal Inspections: Engagement Acceptance as a Root Cause

The Audit Focus also highlights how engagement acceptance decisions can directly impact audit quality and inspection outcomes. We encourage firms to examine their internal inspection programs to see how/whether outcomes can inform or rise to potential root causes targeting the firm’s engagement/client acceptance process. For example, a risk-based selection for the annual internal inspection process should include certain jobs tied specifically to new client and new engagements:

Source : https://www.jgacpa.com/internal-inspections-part-ii-the-integral-inputs-to-implementation

Whether it’s inadequate documentation, misaligned staffing, overlooked independence risks, or some other red flag, these issues frequently trace back to the initial decision to accept the engagement.

Use your internal inspection findings to inform and refine your engagement acceptance protocols. Ask:

Are we seeing repeat issues tied to certain types of clients or engagements?
Do our acceptance decisions reflect the lessons learned from past inspections?
Are we using inspection data (specifically for our firm, or more broadly across firms) to proactively flag risky engagements before they begin?

Successor Auditor Considerations: Don’t Inherit Risk Blindly

The Audit Focus emphasis on AS 2610 reminds firms that engagement acceptance must include a thorough evaluation of predecessor auditor relationships. Flaws or findings in this process should have a direct impact on the merits of the client acceptance process. As we have seen through a recent case, Firms can inherit significant risk when taking on clients with a troubled audit history.

Whether the predecessor auditor was subject to enforcement , had unresolved disagreements, or failed to document key judgments, these risks must be surfaced and evaluated before acceptance.

We encourage firms to strengthen successor auditor protocols by:

conducting structured interviews with predecessor firms
reviewing regulatory history and inspection findings, and
documenting all known risks and how they will be addressed.

Conclusion

Engagement acceptance is no longer a routine administrative step—it’s a strategic decision that can make or break audit quality. With QC 1000 and SQMS 1 raising the bar, firms must adopt a more thoughtful, risk-aware approach. JGA is here to help you navigate this shift, with tools, training, and insights that support smarter engagement decisions and stronger quality management systems.

At Johnson Global Advisory, we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®.

For more information, please contact your JGA audit quality expert .

Innovative Solutions for QC 1000, SQMS 1, & ISQM 1: Quality Management tools in the Marketplace

jjohnson@jgacpa.com (Jackson Johnson) — Tue, 15 Jul 2025 23:41:51 GMT

Introduction

As explored in previous JGA Advisor articles, the implementation of quality management standards such as ISQM 1, SQMS 1, and QC 1000 has reshaped how audit firms approach compliance, risk, and continuous improvement. These standards demand a proactive, risk-based, and firm-wide system of quality management (SoQM) that is both scalable and adaptable to local jurisdictions.

We have seen through our work with firms that a tech solution is just part of the equation. Of course, having the right human capital with the capacity, drive, skills, and leadership to influence implementation across so many functions of the firm is critical. Also, understanding a baseline of risks and controls – beyond the minimum explained in the standards – will go a long way for smoother implementation. We recommend taking a look at the AICPA Practice Aid and many other AICPA resources for firms embarking on their implementation journey.

While the standards themselves are rigorous, the complexity of implementation—especially across multiple jurisdictions—has led many firms to look to ways to document their system with reliable workflows in a database or other system. What we have seen is that – at a minimum – an excel solution, especially coupled with other tools like smart sheets, is the easiest entry point for a tech solution for implementation. Other more advanced tools not only streamline compliance but also enhance documentation, accountability, and real-time monitoring. In this article, we explore how three platforms—Inflo, Caseware, and QMCore—are helping firms meet these challenges and elevate their quality management systems.

Why Software Matters for Quality Management

Successfully implementing a SoQM under ISQM 1, SQMS 1, QC 1000, or other jurisdictional standards requires more than policies and procedures—it requires leadership, training, communication, and a culture of quality. But most importantly, it requires technology.

Software platforms like QMCore, Inflo, and Caseware offer firms the ability to:

Assign and track ownership of quality tasks across the firm, ensuring accountability, and transparency.
Streamline risk assessment, monitoring, and remediation, which are core to all modern quality management standards.
Provide real-time reporting and dashboards that allow leadership to monitor compliance and identify deficiencies early.
Adapt to evolving regulatory requirements across jurisdictions, including CSQM 1 (Canada), SSQM 1 (Singapore), ASQM 1 (Australia), and PES 3 (South Africa).
Educate and enable staff through embedded guidance, links to standards, and intuitive workflows.

For firms evaluating whether to adopt software, the key considerations should include: scalability, jurisdictional adaptability, ease of implementation, audit trail integrity, and the ability to evolve with regulatory changes. We strongly suggest taking a look at our previous guidance on adoption of software audit tools as well. There are other applications being developed for the market as well.

Inflo: A Centralized Platform for Quality Management Oversight

Inflo’s Quality Management solution is designed to help firms implement and maintain a System of Quality Management (SoQM) that aligns with ISQM 1 and other global standards. Unlike traditional tools that focus solely on audit execution, Inflo’s platform provides a centralized environment for managing the entire quality lifecycle—from risk assessment to monitoring and remediation.

Key Features of Inflo’s Quality Management Platform:

Centralized Oversight: Inflo consolidates all quality management activities into a single platform, giving firm leadership real-time visibility into the status of quality objectives, risks, and responses.
Customizable Risk Assessment: Firms can tailor their risk identification and assessment processes to reflect their unique service lines, geographies, and regulatory environments.
Automated Monitoring & Remediation: Inflo streamlines the tracking of deficiencies and corrective actions, ensuring that issues are addressed promptly and transparently.
Evidence of Compliance: The platform maintains a complete audit trail of all quality management activities, supporting both internal reviews and external inspections.
Scalable Across Jurisdictions: Inflo’s solution is adaptable to various regulatory frameworks, making it suitable for firms operating in multiple countries or under different standard-setting bodies.

By integrating quality management into a digital workflow, Inflo helps firms move beyond static documentation and toward a dynamic, data-driven approach to compliance and continuous improvement.

Caseware: Integrated Methodology and Real-Time Collaboration

Caseware’s cloud-based platform, particularly through its Dynamic Audit Solution (DAS), offers a comprehensive approach to quality management. Built in collaboration with CPA.com and the AICPA, Caseware provides:

End-to-End Audit Workflow: Integrating methodology, workpapers, and execution tools in a single environment.
Real-Time Collaboration: Enabling teams to work simultaneously on engagements, improving efficiency and reducing version control issues.
Data-Driven Risk Assessment: Supporting a risk-focused audit approach aligned with ISQM 1 and SQMS 1.

Caseware is especially effective for firms embedding quality management into daily audit operations while maintaining compliance with evolving standards.

QMCore (FinReg): Purpose-Built for Global Quality Management Standards

QMCore, developed by FinReg, is a purpose-built platform designed to help firms implement and maintain a System of Quality Management (SoQM) in compliance with ISQM 1, SQMS 1, QC 1000, and their global counterparts. It is powered by the FinReg GRC platform and has received technology accreditation from the ICAEW.

Key Benefits of QMCore:

Comprehensive Coverage: Seamlessly integrates all eight components of ISQM 1 and SQMS 1, including governance, risk assessment, monitoring, and remediation
Task Ownership and Accountability: Allows firms to assign responsibilities clearly and track progress with ease
Monitoring & Remediation: Embedded tools provide high visibility into deficiencies and corrective actions, with real-time dashboards and drill-down analytics
Jurisdictional Flexibility: Adaptable to regional standards such as CSQM 1, SSQM 1, ASQM 1, and PES 3
Audit Trail Integrity: Tracks all inputs and changes, ensuring transparency and defensibility; and
User Enablement: Educates staff on the standards, enables them to act, and evidences compliance through structured workflows and embedded guidance.

QMCore is securely hosted on AWS and accessed via the internet, making it easy to implement and scale across firms of varying sizes and geographies.

Conclusion

The shift to modern quality management standards is not just a compliance exercise—it’s an opportunity to enhance audit quality, improve operational efficiency, and build a culture of continuous improvement. Software platforms like Inflo, Caseware, and QMCore are proving essential in helping firms navigate this transformation. Other players may be entering the market, and we encourage a discussion to understand the latest and compare benefits and what’s best for your firm.

At Johnson Global Advisory, we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®.

For more information, please contact your JGA audit quality expert .

Navigating AI Governance: JGA Authors Governance & Compliance Chapter of the Accounting AI Playbook

jjohnson@jgacpa.com (Jackson Johnson) — Mon, 30 Jun 2025 21:17:48 GMT

This is an exert of the AI Accounting Playbook .

Building Trust in AI Accounting

As accounting firms adopt AI tools in audits, they face new questions about reliability, transparency, and compliance. Regulators like the PCAOB have made clear that if AI outputs can’t be explained or reproduced, they could violate existing standards. Yet formal guidance on AI use in audits remains limited, leaving firms unsure about how to move forward.

Some firms have responded by limiting AI to non-public clients, but this caution also presents a chance to lead. Firms that build strong AI governance practices now can stay ahead of future regulation and establish trust in their use of AI. This chapter covers key compliance barriers, governance best practices, and steps to create a trusted control environment.

Key Compliance Barriers

Accountants face several key compliance barriers when using AI, particularly as regulators such as the PCAOB, AICPA, and SEC increase their scrutiny.

Explainability

One major challenge is explainability. Many AI models, especially machine learning and generative AI, don’t clearly show how they reach conclusions. This is a problem for auditors who need to support their findings.

This lack of clarity makes it harder to meet audit evidence requirements, which must be sufficient, appropriate, and easy to understand, as outlined in PCAOB standard AS 1105.

Poor Documentation

Poor documentation is another major issue. This includes inadequate records of data inputs and outputs, training data, model logic, and controls over changes.

Such deficiencies may violate documentation and risk assessment requirements, as seen when audit teams use AI for journal entry testing without documenting the rationale for flagged entries or threshold settings.

Data Privacy

Data privacy becomes a concern as firms use AI to handle large amounts of sensitive financial and personal information. This can lead to violations of laws like GDPR and CCPA, especially when client data is processed in cloud or third-party systems.

Firms often struggle to maintain consistent policies for data classification, encryption, and access. Auditor independence may also be at risk if AI tools are built by a firm’s advisory armor are deeply integrated with a client’s systems. For instance, if both the firm and client use the same predictive AI tool for forecasting, it could lead to a self-review threat.

AI Skills Gap

A skills gap and overreliance on AI further complicate compliance. Many auditors lack the training needed to critically evaluate AI outputs or to recognize when human judgment should override algorithmic conclusions.

This can lead to audit failures, such as misinterpreting a false negative from an AI-driven risk assessment as a clean result.

Validation and Testing

Testing and validating AI tools is another challenge, especially for tools that keep learning over time. Firms need to test tools when they’re first used and then on a regular basis, just like they do when relying on third-party service providers.

But this is hard to do if the AI vendor doesn’t offer enough detail about how the tool works or the controls in place.

Change Management

Managing updates and changes to AI models is a concern. If a tool is updated or retrained without documentation, it can lead to inconsistent results.

For example, a model may flag different transactions in different quarters without any clear reason why. Many firms also lack a formal AI governance plan tied to their quality management systems, which causes inconsistent control practices and unclear responsibilities.

Lack of Guidance

Regulators have been slow to issue formal guidance on how AI should be integrated into the audit process, leaving many firms in a state of uncertainty.

The good news is that momentum is building. PCAOB Board Member Christina Ho has publicly emphasized the transformative potential of AI in auditing, particularly in automating routine tasks such as cross-referencing data, extracting key contract terms, and documenting interviews. She has advocated for the PCAOB to evolve its standards to promote responsible AI use, calling for transparency, bias mitigation, and auditability in AI tools.

Similarly, the International Auditing and Assurance Standards Board (IAASB) has demonstrated its commitment to supporting firms by releasing its Technology Position, which is a strategic framework that outlines how the board will adapt auditing standards to align with emerging technologies, including AI.

Until these guardrails are firmly in place, firms should proactively develop internal AI frameworks modeled on established control standards. COBIT can support firms in assessing and governing AI systems, including data and system integrity. COSO can be applied to evaluate AI governance, model risk, and internal control implications, particularly when AI impacts financial reporting or ICFR. NIST provides guidance to help firms build trustworthy AI systems and establish appropriate cyber security and governance protocols.

Best Practices for Governance

To use AI confidently and compliantly in accounting, especially in regulated environments like audit and assurance, firms should implement strong governance practices that align with both regulatory expectations and ethical standards.

1. Test AI Internally Before Use In Engagements

Before you bring AI into your audits, you’ll need to put it through its paces. The starting point is an internal review and certification process, ideally led by your firm’s risk or national office. They should evaluate the AI tool’s design, logic, and controls, and may require your vendor to share documentation, control reports, and allow independent testing.

A great way to do this is by running the AI on historical data from past audits with known results. That helps confirm whether the AI delivers the same conclusions auditors already reached.

Scenario analysis is another smart move. Challenge the AI with tricky edge cases like known fraud or anomalies. This can expose blind spots or bias in the model.

Be sure to maintain a complete audit trail of how the tool was tested and what controls were in place. If any issues pop up during testing, document and resolve them.

And before you roll it out firm-wide, get an independent review of the tool. Think of it like a second set of eyes, similar to a concurring partner review. Only once your firm is fully confident in the tool should it be used in your accounting processes.

2. Develop AI Governance Policies

Strong policies lay the foundation for responsible AI use. These should outline your standards for data inputs, risk reviews, decision-making responsibilities, and transparency.

Deloitte recommends a universal governance policy that applies to all AI technologies across the firm. This policy should define acceptable (and prohibited) use cases, require approval for new AI tools, and establish review intervals.

Ethical usage also needs to be a priority. That means clear guidelines around privacy, bias, and legal compliance — with transparency as a core value. Internally and externally, stakeholders should understand when and how AI is being used in order to build trust in AI usage.

To oversee this, consider forming a dedicated AI GRC (Governance, Risk, Compliance) team. Roles might include a Chief AI Risk Officer, Data Protection Manager, AI Project Manager, and an AI Governance Committee.

Need help building your framework? Look to proven models like NIST AI RMF and ISO 42001. COSO’s recent guide Realize the Full Potential of AI shows how to extend COSO’s ERM framework to AI, and it’s a great place to start.

3. Implement Data Quality Controls

AI tools are only as reliable as the data they process. The old adage “garbage in, garbage out” underscores the importance of data quality in AI-driven accounting. To minimize the risk of inaccurate or biased AI outputs, firms should implement data validation, cleansing, and standardization processes. High-quality data improves AI performance and supports more reliable audit conclusions.

Protecting sensitive data is also crucial. Firms should limit access to confidential information using role-based access controls (RBAC) and multi-factor authentication (MFA). Audit logs tracking data access provide an added layer of oversight, helping firms monitor and secure critical information.

Data lifecycle management is equally important. Retention and deletion policies should be in place to ensure outdated data does not become a liability. While GDPR is an EU regulation, it sets a high standard for data management and serves as a strong benchmark for firms looking to enhance their data governance practices

AI Governance and Compliance Checklist

Use this checklist to guide your firm’s efforts in implementing sound AI governance and compliance practices.

Governance & Oversight

Have you designated an AI Governance Officer or committee to oversee AI tools and compliance?
Is there a formal AI governance policy that aligns with industry standards like NIST, COSO, and ISO?
Are AI use cases approved by firm leadership before deployment?

AI Inventory & Documentation

Have you created and maintained a complete inventory of all AI tools in use, including purpose, data sources, and vendor details?
Is there a process for documenting model logic, data inputs, outputs, and changes?
Are your AI systems mapped to specific regulatory requirements (e.g., PCAOB, SEC, AICPA)?

Explainability & Transparency

Can your AI tools provide clear, explainable outputs that meet audit evidence standards?
Are you documenting how AI tools reach their conclusions to support audit transparency?
Are engagement teams aware of the limitations and appropriate uses of AI tools?

Data Privacy & Security

Are data inputs for AI tools classified by sensitivity and protected by strong access controls?
Have you implemented encryption, role-based access (RBAC), and audit logs for AI data?
Are vendor data protection practices verified before use in client engagements?

Bias & Fairness Checks

Are you regularly testing AI tools for bias or unfair outcomes?
Are you adjusting models or their use if bias is detected?
Are you following emerging best practices for bias mitigation and fairness in AI?

Validation & Testing

Are AI tools tested on historical data before deployment?
Are you performing scenario analyses with edge cases to identify potential weaknesses?
Are you documenting all testing procedures and results for audit trails?

Change Management

Is there a formal process for reviewing and approving AI model changes?
Are you documenting all changes to AI models, including rationale and expected impact?
Are engagement teams informed of significant AI model updates that could affect results?

Regulatory Alignment

Have you mapped AI usage to relevant standards (e.g., PCAOB AS 1105, AICPA Code of Conduct)?
Are you maintaining documentation to demonstrate AI compliance to regulators?
Are you tracking regulatory developments to update your AI practices as needed?

Ongoing Training & Review

Are staff regularly trained on AI governance policies and best practices?
Are you conducting periodic reviews of AI use and compliance?
Are you updating your governance approach as AI technology and regulations evolve?

This checklist can be incorporated into your firm's quality control program, supporting the responsible use of AI tools and alignment with U.S. regulatory expectations.

Chapter Summary

As AI becomes more integrated into accounting, firms must navigate regulatory complexities to ensure compliance and reliability. This chapter delves into key governance challenges, including regulatory uncertainty, explainability, and data privacy risks. It outlines best practices for AI implementation, such as internal testing, developing governance policies, and implementing data quality controls. Through a real-world case study and structured methodology for building a control environment for AI tools, readers will gain a comprehensive roadmap for establishing a compliant AI framework that fosters trust and strengthens audit integrity.

This is an exert of the AI Accounting Playbook .

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

JGA Makes First Contribution to The Daughters of The American Revolution

Wed, 28 May 2025 21:10:02 GMT

WASHINGTON, D.C.: Johnson Global is proud to announce our first charitable contribution in support of the daughters of the American Revolution (DAR) —a historic nonprofit organization founded in 1890 and dedicated to historic preservation, education, and patriotism. With over 130 years of tradition and more than one million members since its founding, the DAR continues to make a meaningful impact through local, national, and global initiatives.

"We are honored to support an organization whose enduring mission aligns with our values and commitment to community" said Jackson Johnson, JGA President. "This partnership marks a significant milestone for Johnson Global Advisory as we expand our philanthropic efforts and invest in organizations creating lasting, positive change".

"Thank you JGA for this impactful donation will allow our chapter to continue our mission" said Jill Mathieu, Regent of DAR.

To explore more about the impact of DAR, visit: www.dar.org/discover

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

Joe Lynch to speak at 40th Midyear SEC Reporting & FASB Forum

Wed, 28 May 2025 20:45:15 GMT

Johnson Global Advisory ("JGA") is proud to announce that Joe Lynch, Shareholder and Managing Director, will be speaking on a panel at the 40th Midyear SEC Reporting & FASB Forum . Joe will deliver the PCAOB update on June 6, with attendance available both in person and virtually.

This panel will summarize the activities of the PCAOB including:

• Understand the current regulatory landscape and emerging issues under new SEC leadership
• Summarize rulemaking from the FASB’s technical agenda, including segment reporting and disaggregation of income statement expenses
• Anticipate accounting and reporting issues incurred with income taxes, including ASU 2023-09 “Improvements to Income Tax Disclosures”
• Identify changes from the FASB on accounting for financial instruments
• Prepare for disclosure requirements on ESG and climate change, including the EU’s Corporate Sustainability Reporting Directive (CSRD), the requirements of California’s ESG disclosures legislation and the status of the SEC final rule
• Recall recent developments and the most frequent comment areas in the SEC review process

Click here to register and learn more.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

QC 1000 Implementation: Key Themes and Guidance from the PCAOB Workshop

Wed, 28 May 2025 18:51:31 GMT

On May 13th, 2025, the PCAOB held a QC 1000 workshop in Washington, DC, providing critical insights into the upcoming quality control standard. With the effective date of December 15th, 2025 , firms must proactively identify and manage quality risks by setting quality objectives, assessing risks, and implementing responses.

Examples and case studies with breakout groups played a crucial role to help firms understand and apply each stage of the implementation process, from risk assessment to monitoring and remediation.

Many attendees are still early in their understanding of the standard, highlighting the need for clear guidance and support. In a live poll, a significant portion of the workshop attendees indicated they have not yet started implementation.

The inspection approach of QC 1000 has not been finalized. As such, they did not take any questions regarding how this would be inspected in its formative years. However, we did read between the lines from a different question around audit documentation, that it’s possible they may select components on a test basis during an inspection.

Background of the Standard

The QC 1000 standard emphasizes the integration of eight components: the risk assessment process, governance and leadership, ethics and independence, acceptance and continuance of engagements, engagement performance, resources, information & communication, and monitoring and remediation process.

For more background information on QC 1000, please see these JGA resources:

Key Topics from the Workshop

Key terms such as applicable professional and legal requirements (APLR), firm personnel, other participants, and third-party providers were defined to clarify roles and responsibilities within the firm's QC system. The workshop included a walkthrough of Appendix A2 of the standard.

The firm’s system must consider the APLRs that are applicable to the firm, which is unique to each firm. APLR is defined in the standard as:

Professional standards, as defined in PCAOB Rule 1001(p)(vi);
Rules of the PCAOB that are not professional standards; and
To the extent related to the obligations and responsibilities of accountants or auditors in the conduct of engagements or in relation to the QC system, rules of the SEC, other provisions of U.S. federal securities law, ethics laws and regulations, and other applicable statutory, regulatory, and other legal requirements.

It is important to be able to clearly identify the type of resource in your QC 1000 implementation journey. Paragraph .05 also discusses the terms firm personnel, other participants and third-party providers. These are defined in Appendix A.5 (firm personnel), A.7 (other participants) and A.13 (third -party providers).

1. Firm personnel include: EQR (inside the firm), Staff at shared service centers, secondees and leased staff, specialists employed by the firm.

2. Other participants include other auditors, EQR (outside the firm), internal auditors of the client that provide direct assistance to the auditors, specialists engaged by the firm, Networks, and external QC function.

3. Third-party providers include audit software providers, system security vendor, audit methodology provider, confirmation intermediary, pricing services, and broker-dealer monitoring systems.

There are four distinct roles and responsibilities as described in paragraphs .11 -.17 of the QC standard. The first two roles are the certifiers of the Firm’s QC results: 1. The principal executive officer and 2. Individual responsible for the operational responsibility and accountability for the QC system as a whole. The principal executive officer (PEO) is ultimately responsible for the design, implementation, operation, and evaluation of the firm’s QC system. Only firm personnel are permitted to fill the roles required by QC 1000 .

JGA Insights:

1. Not all “participants” of a firm’s structure must be included in a firm's quality control policies and procedures, which is especially important for shared service centers and outsourced staffing arrangements. These roles must be clearly defined and applied as the different levels of participants within an organization are considered differently by the standard.

2. PCAOB-registered firms of all sizes – regardless of whether the firm currently audits issuers – must adhere to these components, ensuring consistency with international quality control frameworks.

3. While it was expressed in the session by PCAOB Staff that firms are not expected to reengineer their process (e.g. more than 1 set of QC documentation), firms may need to align or “top-up” their processes with multiple standards to ensure comprehensive compliance. Keep in mind here that the top-up may not just be for QC 1000. In fact, a system in compliance with QC 1000 may need top-up considerations for SQMS 1 and/or ISQM 1.

Risk Assessment Principles

There were several examples and case studies to go through among table groups during the session. These activities helped illustrate the importance of getting risk assessment right, since this drives what the firm focuses on for an effective system. When it comes to implementing QC 1000, there are some key takeaways from the risk assessment process that can really guide firms in the right direction.

JGA Insights: Here are a few important points to keep in mind as you work through identifying and assessing quality risks

1. The QC 1000 standard does not prescribe a specific method for identifying and assessing quality risks. This gives firms flexibility but also places responsibility on each firm individually based on their circumstances. It’s more work upfront from a “cookie-cutter” approach but ensures the design of a process that fits a firm’s unique context.

2. Quality risks should not be viewed as the opposite of quality objectives . Instead, they are factors that could potentially hinder the achievement of those objectives.

3. The threshold of “reasonable possibility of occurring” applies to all risks, including risks of intentional misconduct by firm personnel and other participants. This means that firms must consider the likelihood of risks occurring and their potential impact on the quality objectives. The PCAOB staff shared during the workshop that the concept of reasonably possible follows the same definition as used in FASB ASC Topic 450 on Contingencies.

Ethics and Independence Considerations

The QC 1000 standard does not alter existing ethics and independence requirements under PCAOB or SEC standards. Firms must continue to comply with those as currently written.

Compared to other standards like ISQM 1 and SQMS 1, QC 1000 is more stringent in certain areas. For example, it requires:

1. Creating and maintaining a restricted entity list;

2. Periodic review of the list to ensure accuracy;

3. Appropriate certifications related to independence; and

4. Audit committee approvals where applicable.

Register for the next workshop and get going on implementation

To gain a deeper understanding of the QC 1000 standard and its implementation, we strongly encourage you to attend the PCAOB Smaller Firm Workshop on June 17, 2025, in Irving, Texas. This in-person-only session will provide valuable insights and practical guidance for firms navigating the new quality control standard. Register now to secure your spot.

As always, reach out to your JGA Expert with any questions.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

Joe Lynch, JGA Managing Director to Speak at AICPA® & CIMA® ENGAGE 25+

Fri, 25 Apr 2025 15:42:42 GMT

WASHINGTON, D.C.: Johnson Global is pleased to announce that Joe Lynch, JGA Managing Director will speak at the AICPA® & CIMA® ENGAGE+ 25 on May 15, 2025, and will be attending the full conference on June 9–12, 2025, at the ARIA Resort & Casino in Las Vegas, NV and live online. This CPE-eligible event is the premier annual event for accounting and finance professionals, bringing together thousands of peers, experts, and industry leaders for top-tier learning, networking, and career growth opportunities.

Register by May 1, 2025, to take advantage of Early Bird rates— $1,995 for members ( regularly $2,095 ) and $2,445 for nonmembers ( regularly $2,545 ).

*PCPS, Tax and PFP section members and CITP®, PFS™, CGMA® credential holders save an additional $150 . Discount reflected in section member/credential pricing during checkout. Register Today !

About Johnson Global Advisory

Visit www.johnson-global.com to learn more about Johnson Global.

JGA to Sponsor 2025 ALI-CLE Accountants' Liability Conference

Fri, 21 Mar 2025 18:21:07 GMT

WASHINGTON, D.C.: Johnson Global Advisory (JGA) is proud to sponsor the Accountants' Liability Conference hosted by ALI-CLE. This two-day event will take place in Washington, D.C. and virtually on June 2nd and 3rd. This is an excellent opportunity to gain valuable insights into a wide range of critical issues. The 2025 conference will focus on audits and oversight, providing essential guidance to help you navigate the evolving landscape of regulatory compliance and better protect your firm and clients.

“We are pleased to sponsor this conference for the last several years. This event brings together top law firms, internal counsel, and risk experts for dynamic discussions on trending topics such as accounting liability and other important issues affecting the profession,” said Jackson Johnson, JGA President. “I look forward to personally engaging with participants, presenters, and stakeholders at this conference.”

This year’s program is still being finalized but planned topics include:

Recent Trends in Accounting Litigation

Living in a post- Jarkesy world

The future of enforcement

PCAOB inspection program update

SEC perspectives on gatekeeper liability

AI and emerging technologies in the accounting industry

Accounting firms entering the legal space

International firm considerations

Alternative practice structures and AICPA independence rules

OR, for webcast attendance, use the code " JOHNSON " to save $125 off the tuition. Click here to register.

About Johnson Global Advisory

Visit www.johnson-global.com to learn more about Johnson Global.

JGA Makes Third Annual Contribution to The Boys & Girls Club of Greater Kansas City

Fri, 21 Mar 2025 18:21:05 GMT

WASHINGTON, D.C.: Johnson Global Advisory (JGA) makes third annual contribution to the Boys & Girls Club of Greater Kansas City. The 29th Annual Kids Night Out is scheduled for Saturday, April 26, 2025, and promises to be an unforgettable evening, bringing together over 1,500 guests to support the children served by Boys & Girls Clubs of Greater Kansas City.

“We’re thrilled to continue our support for the Boys & Girls Club of Greater Kansas City. This marks our third year backing this chapter, and I know that many of our JGA employees have personally benefited from the programs the Boys & Girls Clubs offer nationwide,” said Jackson Johnson, JGA President.

“Kids Night Out is Boys & Girls Clubs of Greater Kansas City’s biggest fundraiser each year– and all dollars raised stay right here in Kansas City”, said Andy Burczyk, Board Member and Chair of Kids Night Out. “This organization is doing extraordinary things, and it is because we as a community invest in their impact.”

For over 100 years, Boys & Girls Clubs of Greater Kansas City has provided a safe, supportive environment for youth. Serving over 8,000 kids and teens annually across 11 locations, the organization helps young people achieve their full potential through programs that promote academic success, healthy lifestyles, and character development. Through mentoring and leadership training, they equip members with the skills needed for success now and in the

To learn more information on the Boys & Girls Club of Greater Kansas City and their work with the youth, please visit www.bgc-gkc.org .

About Johnson Global Advisory

JGA is dedicated to helping public accounting firms around the globe achieve the highest level of audit quality. All CPAs and former PCAOB inspection staff, as well as JGA professionals, are passionate and practical about working alongside firm leadership to ensure the right controls, policies, and practices are implemented throughout the organization.

Visit www.johnson-global.com to learn more about Johnson Global.

Johnson Global Advisory Supports Sustainable Harvest International

Fri, 21 Mar 2025 18:20:59 GMT

WASHINGTON, D.C.: Johnson Global Advisory (JGA) is proud to provide a financial contribution to Sustainable Harvest International (“SHI”). SHI is a nonprofit helping Central American farmers adopt sustainable farming practices for over 27 years. Their mission is to address the destruction of tropical forests caused by slash-and-burn farming and logging. SHI’s mission benefits both current and future generations by equipping farmers with the knowledge to farm sustainably.

“We’re proud to partner with Sustainable Harvest International in their important work,” said Jackson Johnson, JGA President. “This collaboration helps drive lasting, positive changes and by backing such vital organizations, we stay true to our mission of giving back and making a real difference. JGA’s philanthropic efforts focus on supporting organizations that are important to our people. I appreciate Vernon sharing his experience as a board member and we are grateful to work with him to amplify this organization.”

Vernon Johnson, JGA Director, is a Board Member and Treasurer for SHI. He is actively involved in this organization. "My nonprofit work has helped me maintain perspective in both life and at work,” said Vernon. “It’s taught me to stay calm during challenges and focus on the bigger picture. This experience has improved my relationships and made me more resilient in stressful situations. My advice to busy professionals is to step back, appreciate the simple things, and not sweat the small stuff—being thankful and present can make a big difference."

To learn more about SHI, visit www.sustainableharvest.org/donate .

About Johnson Global Advisory 

JGA is dedicated to helping public accounting firms around the globe achieve the highest level of audit quality. All CPAs and former PCAOB inspection staff and JGA professionals are passionate and practical about working alongside firm leadership to ensure the right controls, policies, and practices are implemented throughout the organization.

Visit www.johnson-global.com to learn more about Johnson Global. 

ISQM 1, SQMS 1: Influencing the Firm on the Benefits Beyond Compliance (Part II)

Wed, 26 Feb 2025 00:18:15 GMT

The implementation of the System of Quality Management (SQM) is not just a compliance requirement but an opportunity to drive significant business value. By aligning firm-wide goals, improving internal processes, and optimizing controls, firms can streamline their operations, reduce inefficiencies, and improve overall performance. The process also provides an opportunity for firms to gain valuable insights through key metrics, enabling data-driven decisions which provide strategic business insights, enhances audit quality, and promotes employee retention.

In addition, early adopters who focus on the business value from the outset see improvements that reach across different practices within the firm, making the SQM implementation a strategic investment that benefits the whole firm long-term.

We have seen that our work in this area results in meaningful improvements to the way the business of audit and assurance is conducted, and many of these improvements will have benefits that reach across other practices of the firm. This is part II of a series on the benefits of SQM implementation. This article builds on our insights from 2022 in Part I of this series .

Compliance as a Driver

Compliance is the main driver of the new System of Quality Management (for all standard-setters, referred to as “SQM”) standards issued by the IAASB, AICPA, and the PCAOB. There is no disputing that. However, for the early adopters, what we are finding is immense business value that come out of this process; more so if you start the process with business value in mind. Our ability to anticipate the benefits of executing ISQM 1 years ago is a key strength. Some firms have already implemented ISQM 1 at some level (partial adoption for group audits, for example). For SQMS 1 and QC 1000, since firms are all in various stages preparing for the December 15, 2025, go-live date, now is the time to lay out the strategic value drivers from this compliance exercise.

Related: See a breakdown of the various implementation dates here .

SQM implementation requires firms to take a closer look at their internal process; every process that touches the value chain of getting an audit done.

To demonstrate how this requirement goes beyond the confines of the “audit practice”, consider these examples:

Employee onboarding, training, and retention;
Software tools and technology used to monitor internal aspects like independence;
Tools used by engagement teams, for example, to test 100 percent of smart contracts or select journal entries to examine for fraud;
Archiving of binders on time, and in compliance with audit documentation requirements; or
Monitoring programs that identify and fix deficiencies in both audit performance and the underlying functions supporting the audit.

Getting Buy-In, Aligning Goals, and Engaging Personnel

We have seen firm quality leaders struggling to get the buy-in needed from stakeholders across the business (IT, HR, Tax, Advisory) for effective SQM implementation. And we have heard leadership from firms around the world ask:

“What’s in it for us?”

“All this investment just for a compliance exercise?”

“Why do I need to be involved in something the audit group has to do?”

But the best question we’ve heard is:

“How can the system of quality management implementation improve our business?”

When everyone is working toward the same objectives and goals, implementation becomes a cohesive and streamlined process. It’s important to have goals that are aligned throughout the organization, with them tailored to the component and roles within those areas. This includes:

Getting the invested support from the partnership board down to process owners;
Having goals that are specific and measurable (e.g. documenting the current process and eventually operating controls consistently and timely);
Aligning the firm’s tone-at-the-top helps get everyone in sync; and
Reinforcing management’s responsibility to establish a culture of quality and its importance in all the services performed by the firm.

Management should:

Lay out the long-term benefits of improved business performance, reduced risks, more timely and accurate data created which leads to insightful decisions;
Emphasize the benefits of overall reduced costs related to non-compliance with network, firm, peer review, and regulators requirements; and
Evaluate the potential for lower costs of insurance upon implementation and overtime.

Understanding Current Processes

Conducting interviews, gathering data, and documenting the processes within the firm’s system of quality management allows visibility of how these processes currently work (or don’t work). When SQM implementation project leaders invite personnel involved in a process together into one room and facilitates an open discussion, a clear picture of how each process really works materializes, and this strengthens cross-functional teaming. For instance, these meetings often result in the realization that two (or more) people are doing the same tasks (inefficiency) or discovering that no one is performing an important review check (gap).

Formalizing and Optimizing Processes

Once the current process is understood (“As-Is”) and with the right people in the room, the identification of areas where procedures can be more uniform, streamlined or simplified emerges. We often find that processes can be improved without adding more controls. This optimization effort incorporates standardization and normalization across the firm’s services and business functions providing benefit beyond the compliance exercise of the audit practice.

Gaining Business Insights

A sound system of quality management will bring new business insights and transparency to make confident decisions with reliable data. The optimization process will identify the key information used in the system of quality management (a similar concept to the work auditors performs with their companies as described here). This information provides new insights to help process owners and firm leaders make decisions. A firm can develop key quality metrics that are used to measure and improve the operation of the firm and audit quality which results in a modernized competitive firm. When a firm establishes a system to monitor the SQM environment, these insights allow for timely monitoring which enables leaders to quickly make decisions that address anomalies or negative trends as they arise.

Getting Started Early

Getting started early begins with:

Firm leadership embracing the need for a consistent and well-monitored SQM to improve the business;
Aligning objectives and goals for all firm personnel based on their role within the SQM;
Disseminating to all firm personnel the importance of how their role contributes to the SQM; and
Incentivizing all firm personnel to commit to their SQM objectives and goals which contributes to the benefits of these modern practices that lead to competitiveness.

While compliance may be the hand forcing you forward, the upside to this “exercise” is that undoubtedly you will be a stronger, more efficient firm when executed correctly. We see firms that begin with such a mindset have more success internally and in the marketplace.

Conclusion

The journey of implementing a quality management system is transformative. Beyond compliance, it reveals deep insights and benefits, positioning firms at an advantage in our profession.

For more information, reach out to your JGA audit quality expert.

Jackson Johnson , JGA President and Founder, is a seasoned expert in audit quality and technical accounting matters. With nearly six years of experience at the PCAOB, he has worked with small and medium-sized accounting firms globally, focusing on firm quality control and ICFR audits. Jackson advises firms in PCAOB and SEC investigations related to cryptocurrency audits and has served on the Enforcement Advisory Committee of the California Board of Accountancy. Before his tenure at the PCAOB, he worked with public and private clients at Grant Thornton LLP in Boston, Los Angeles, and Hong Kong. Jackson is also a frequent speaker on quality control and enforcement issues in the accounting industry.

Joe Lynch , JGA Managing Director and Shareholder, and a member of the AICPA Quality Management Implementation Task Force. Joe works with mid-market public accounting firms worldwide to implement quality management programs that integrate technology and process to improve the delivery of audits. Joe spent more than six years as an Inspection Leader at the PCAOB, he conducted inspections of quality control and global issuer audits at large firms in the US as well as foreign affiliate firms, focusing on examining quality control and the design and implementation of audit work. Joe also has experience supporting financial service industry audit teams at a Big Four firm. In addition, his experience includes active-duty service in the US Air Force and supporting companies with IT strategic initiatives such as designing the IT framework for technology departments as well as leading implementations of ERPs and systems.

PCAOB Withdraws Firm & Engagement Metrics Rule from SEC Approval Process

Tue, 25 Feb 2025 22:05:24 GMT

The Public Company Accounting Oversight Board (PCAOB) recently decided to withdraw proposed rules that would have required registered firms to report a significant new set of firms and engagement metrics. It was also set to mandate that large accounting firms submit financial statements to the U.S. Regulator, as part of a wider effort to enhance oversight. This decision came after criticisms from a variety of stakeholders from both the PCAOB and SEC comment process. For example, the American Institute of CPAs (AICPA) expressed concerns that these requirements could harm U.S. capital markets and negatively impact small and midsized audit firms, potentially driving them out of the public company auditing practice. The PCAOB's decision to withdraw the rules was seen as a positive move by the AICPA, which had urged the Securities and Exchange Commission (SEC) to refrain from approving the rules due to the significant challenges they posed.

JGA commented to the SEC on the proposal; you can read our position on the proposal here .

Johnson Global Advisory Releases Updated 2025 Guide to Help PCAOB-Registered Firms Navigate the Inspection Process

Fri, 17 Jan 2025 23:08:02 GMT

WASHINGTON, D.C.: Johnson Global Advisory (JGA) has published a new third edition guide examining the key considerations faced by public company auditors during their PCAOB inspections. Drawing experience as audit and audit regulation experts and advisors to firms worldwide on all aspects of audit quality improvement, the JGA team has authored NAVIGATING PCAOB INSPECTIONS: Understanding the Inspection Process from Start to Finish.

The 36-page guide includes:

A roadmap through the entire PCAOB inspection and remediation process,
Actions to apply and implement continuous audit quality improvement,
Best practices to reduce regulatory risks, and
Lessons learned from JGA’s work with small and large firms worldwide.

“The inspection and remediation processes are grueling on auditors. We see the struggle every day with our clients,” said Jackson Johnson, JGA President. “That is why I am excited to launch this guide and continue our work relieving the burden on firms of all sizes while maximizing the opportunities to improve audit quality throughout every area of the audit process. Readers can expect to gain a greater command of the inspection process and give engagement teams the confidence they need to effectively interact with regulators.”

Printed copies are available upon request. A download is available on JGA’s website at https://www.jgacpa.com/navigatingpcaobinspections .

About Johnson Global Advisory

JGA is dedicated to helping public accounting firms around the globe achieve the highest level of audit quality. All CPAs and former PCAOB inspection staff, JGA professionals are passionate and practical about working alongside firm leadership to ensure the right controls, policies, and practices are implemented throughout the organization. Visit www.johnson-global.com to learn more about Johnson Global.

###

Firm and Engagement Metrics: Getting a Head Start

Fri, 20 Dec 2024 18:05:32 GMT

Firm and Engagement Metrics: Getting a Head Start

*** Please see the updated information on the PCAOB Firm & Engagement metrics Rule change. Click here .

Introduction

As regulatory requirements in the accounting profession continue to evolve, accounting firms are facing new challenges in ensuring compliance with quality management standards. One of the most significant changes comes with the adoption of the PCAOB’s QC 1000 and the associated Firm and Engagement Metrics requirements , which aim to increase transparency and accountability within the auditing process. These new requirements are set to provide critical data on a firm’s operations and other factors that can inform audit quality, including partner involvement, workload distribution, and other factors.

In this article, we’ll explore the challenges and opportunities firms face as they begin collecting the information necessary for firm and engagement metrics. We’ll also provide actionable steps that, in concert with implementation of QC 1000 / ISQM 1 / SQMS 1, firms can take to ensure they’re ready for compliance, with a focus on the key areas highlighted in recent industry discussions.

1. Quality Management Implementation: Bridging Internal and External Requirements

Key Insights:

A major challenge shared by our clients was the distinction between internal quality management (QM) processes and external regulatory requirements. Firms are finding it difficult to ensure that the information they provide to regulators will be complete and accurate. The requirement to report accurate and non-misleading information to external parties under QC 1000 , such as firm and engagement level metrics necessitates a shift in how firms view and manage data internally.

Action Items for Firms:

Ensure Data Accuracy : Firms must evaluate their quality management system to ensure they are designed to meet the requirements for accurate and non-misleading information. This is crucial as QC 1000 requires firms to communicate data to external parties that is accurate and complete.
Implement Data Tracking Systems : Develop systems to track and report data, ensuring that the information provided to external parties, including regulators aligns with quality management objectives. This may require new systems or modifications to existing systems.
Evaluate Communication Processes : Firms should focus on improving or implementing communication processes to ensure that all external communications, especially those with regulators, meet the high standards of accuracy and clarity mandated by QC 1000.

2. Comparability of Metrics Among Accounting Firms

Key Insights:

The introduction of standardized firm and engagement metrics is designed to increase comparability and accountability across accounting firms. This allows regulators, investors, and stakeholders to evaluate firms based on consistent data. However, there are concerns about how these metrics might influence firm selection by audit committees and whether these metrics alone tell the full picture to accurately represent audit quality.

Action Items for Firms:

Adopt Standardized Metrics : Firms should ensure that their reported metrics align with the prescriptive guidelines outlined in the adopted Firm and Engagement Metrics Rule. This includes applying the defined roles in a consistent manner (such as engagement partners and managers) and calculating metrics consistently across all engagements.
Prepare for External Scrutiny : Be aware that these metrics may not only be scrutinized by regulators but also by audit committees and investors. Firms should ensure that they are accurately capturing and reporting their metrics to avoid misrepresentations.
Monitor AI Usage in Audits : Consider how AI tools may impact workload calculations and the measurement of audit hours. As AI becomes more prevalent in auditing , firms may need to report on the extent of its use, which could influence workload metrics.

3. Potential Implications of Reporting Metrics

Key Insights:

While firm and engagement-level metrics can provide valuable insights, there are potential risks to firms that are likely to emerge. These include the possibility that the metrics may inadvertently point to root causes of issues in the inspection process, particularly regarding workload and capacity challenges. Additionally, these metrics – coupled with inspection report findings - may influence how audit committees select firms, potentially providing a skewed representation of audit quality.

Action Items for Firms:

Use Metrics Internally for Root Cause Analysis : Firms should utilize firm and engagement level metrics as reported, when performing internal root cause analysis , identifying potential problems in workload distribution or staffing levels before they escalate.
Evaluate the Impact on Firm Selection : Be mindful of how these metrics might affect firm selection. Firms should aim to demonstrate the full context behind their metrics to avoid misinterpretations that could impact their reputation.
Balance Metrics with Qualitative Insights : Firms should complement quantitative metrics with qualitative insights, ensuring a comprehensive picture of their audit quality is presented to external stakeholders.

4. Engaging Stakeholders in the Use of Metrics

Key Insights:

One concern we have heard was the uncertain use of metrics by investors and other stakeholders. While the objective of the PCAOB in the rule-setting process was for investors and audit committees to analyze these metrics, it’s unclear how much weight they will place on the data in making decisions about firms’ audit quality. In the planning process, firms can take charge and shape stakeholder use and effectiveness of the use of firm and engagement metrics shared publicly.

Action Items for Firms:

Engage with the Investor Community : To better understand how investors will use the metrics, firms should engage more actively with the investor community. This could include attending shareholder meetings and investor calls to gain insights into what data investors prioritize when evaluating audit quality.
Increase Transparency in Reporting : Firms should be transparent in explaining the context and methodology behind their metrics, helping the clients, audit committees and other stakeholders understand the full context to make informed decisions.
Ensure Data Relevance : Firms should ask their clients whether the data currently being reported is sufficient, and whether additional data points might be necessary to better assess audit quality and reliability.

5. Getting Started with QC 1000 and Firm Metrics

Key Insights:

As firms begin implementing QC 1000 and collecting firm and engagement level metrics , they face the challenge of ensuring their existing systems are capable of tracking and reporting the required data. Many firms may need to redesign or enhance their internal controls to capture the necessary information accurately.

Action Items for Firms:

Align QC 1000 with Firm and Engagement Level Metrics Reporting : Firms should carefully review QC 1000’s requirements and align them with the firm and engagement level reporting requirements. Focus on the information and communication component, ensuring that data is collected and reported accurately and consistently.
Evaluate Current Systems : Firms should assess whether their current systems are capable of tracking metrics such as workload and audit hours. If systems are lacking, firms should plan to either redesign or implement new controls to capture this data accurately.
Implement Real-Time Monitoring : Firms should adopt real-time monitoring tools that allow them to proactively manage workload issues and other potential risks. This ensures that data is captured and analyzed continuously, improving overall quality management.
Be Agile and Proactive : QC 1000 requires firms to monitor metrics and adapt to emerging issues. Firms should adopt an agile approach to quality management, ensuring that metrics are not just reported at the end of the period but are actively managed throughout the year.

Conclusion: Preparing for the Future of Quality Management and Firm Metrics

The new QC 1000 and firm and engagement level metrics requirements can represent a significant shift in how accounting firms track, report, and manage audit quality. By adopting these standards, firms can improve transparency, enhance accountability, and demonstrate their commitment to high-quality audits. However, the implementation of these new requirements will require careful planning and investment in both systems and processes.

Firms that act now to align their systems with QC 1000, engage with stakeholders, and monitor their metrics in real-time will be better positioned to meet regulatory expectations and enhance their market reputation. As the industry moves towards more data-driven decision-making, firms that prioritize accuracy, transparency, and continuous improvement will be the leaders in delivering quality audits.

For more information, please contact your JGA audit quality expert .

Key Takeaways from the 2024 AICPA SEC/PCAOB Conference: What It Means for Your Firm

Wed, 18 Dec 2024 18:48:04 GMT

Key Takeaways from the 2024 AICPA SEC/PCAOB Conference: What It Means for Your Firm

In December 2024, the AICPA SEC/PCAOB Conference in Washington D.C. brought together leaders from the SEC, FASB, and PCAOB to discuss critical developments in the accounting profession. The conference focused on fostering audit quality, improving the resilience of capital markets, and addressing ethical challenges. Below are the key takeaways from the conference speeches most relevant to you, including insights from Paul Munter, SEC Chief Accountant, Erica Williams, PCAOB Chair, Christina Ho, PCAOB Board Member, and Mark Uyeda, SEC Commissioner, and what these developments mean for the accounting firm clients we serve.

1. Munter’s Remarks on Upholding Independence

Key Points:

In his speech, Paul Munter, SEC Chief Accountant, emphasized the importance of maintaining auditor independence to preserve market integrity. Munter stressed that independence should be seen as a core professional standard, not just a compliance requirement, and urged auditors to foster a culture of skepticism and integrity. He called on auditors to ensure they challenge management when necessary to detect fraud and ensure accurate financial reporting.

What This Means for Firms:

The points are reminders to keep independence and objectivity at the forefront of engagement teams, despite the new technical complexities (e.g. PE deals), and general lowering our guard around these obligations: ways to continue to demonstrate this important across the firm system of QC are:

1. Reinforcing independence policies and ensure continuous training and monitoring;

2. Encouraging a skeptical mindset within audit teams to prevent ethical lapses;

3. Ensuring firm-wide commitment to independence, especially in long-term client relationships or where conflicts may arise.

2. PCAOB Chair Williams on Improvements in Deficiency Rates, and new standards

Key Points:

PCAOB Chair Erica Williams shared significant positive news, highlighting improvements in the aggregate deficiency rate at the largest audit firms. She attributed this progress to the firms’ increased efforts to enhance audit quality, including better risk assessment procedures and heightened transparency in reporting. Williams emphasized the importance of maintaining this momentum in order to build trust and credibility in the profession and the capital markets.

Williams also discussed the newly adopted QC 1000 , the quality control standard that mandates firms to have comprehensive quality control systems to ensure that they meet PCAOB and SEC standards. She noted that this standard is designed to provide reasonable assurance that audit firms have the necessary controls in place to perform high-quality audits consistently. Additionally, she emphasized the critical role of the SEC in passing firm engagement metrics , which will help ensure that audit firms are held accountable for the quality of their engagements and provide investors with more detailed insight into firms’ performance.

What This Means for Firms:

Implement QC 1000 : Firms should begin preparing for the adoption of QC 1000 by reviewing and strengthening their own quality control systems. Ensure that these systems are robust enough to guarantee compliance with PCAOB and SEC standards and can provide reasonable assurance of consistent audit quality.

Focus on Firm Engagement Metrics : If the SEC passes firm engagement metrics, firms will need to ensure they have clear, accurate data on their engagements, performance, and quality measures. Preparing now for these metrics will help firms stay ahead of the regulatory curve and demonstrate their commitment to transparency and high-quality audits.

Enhance Risk Management and Quality Control : Firms should continue refining their risk-based audit approaches, focusing on stronger internal controls, and implementing transparent reporting practices. Continuous improvement will ensure the firm stays in line with both regulatory expectations and industry best practices.

3. PCAOB Board Member Christina Ho on Collaboration to Advance Audit Quality and Market Resiliency

Key Points:

In her speech, Christina Ho, Board Member of the PCAOB, stressed the need for genuine collaboration among regulators, auditors, and firms to advance audit quality and improve the resiliency of capital markets. This collaboration is essential to address emerging challenges, such as increasing regulatory expectations and the complexities of global markets. Ho highlighted that this collective effort is crucial to maintaining strong, transparent financial reporting and ensuring that audits remain effective and reliable, particularly as financial markets evolve.

What This Means for Firms:

Engage with regulators : Actively participate in consultations and industry forums to stay ahead of regulatory trends.

Foster collaboration : Encourage open communication between audit teams, clients, and audit committees to ensure alignment on regulatory expectations.

Adapt to global market changes : Firms must remain agile and ready to respond to the shifting dynamics of both domestic and international markets, ensuring that their audit processes remain resilient and effective.

4. SEC Commissioner Mark Uyeda on Crypto, and PCAOB’s Future

Key Points:

In his keynote, SEC Commissioner Mark Uyeda discussed the SEC's evolving role in the accounting and auditing of cryptocurrencies, noting that crypto is currently being accounted for and audited through enforcement activities. He stressed the need for greater clarity in crypto accounting and auditing standards. Uyeda also discussed the future of the PCAOB, stating that "all options are on the table."

What This Means for firms:

Crypto Accounting and Auditing : Firms need to stay abreast of emerging standards and enforcement actions in crypto accounting. As regulations evolve, firms must be prepared to adapt their auditing and reporting practices accordingly. Take a look at positions from other regulators or standard setters (e.g. CPAB), to inform what sufficient procedures looks like.

PCAOB’s Future : The potential restructuring of the PCAOB may affect how audits are overseen in the future. Firms should monitor developments closely and assess the impact on their operations and regulatory compliance, and firm strategy.

5. Ethical Considerations and Audit Quality

Throughout the conference, both SEC and PCAOB leaders emphasized the need for ethical leadership in the accounting profession. Lapses in ethics, whether intentional or inadvertent, can severely undermine trust in auditors and in financial markets. The speeches underscored the responsibility of firm leaders to uphold high ethical standards and ensure that these values are embedded in their teams’ daily practices.

What This Means for Firms:

Promote ethical leadership across all levels of the firm, ensuring that ethical considerations are integrated into every stage of the audit process.

Invest in ongoing ethics training to reinforce the importance of upholding integrity and objectivity.

Implement early detection mechanisms for identifying potential ethical lapses, ensuring timely corrective action.

Conclusion: Positioning Your Firm for Success

The 2024 AICPA SEC/PCAOB Conference provided crucial insights into the current and future landscape of the accounting profession. By focusing on audit quality, independence, collaboration, and ethical leadership, firms can not only meet regulatory requirements but also strengthen their reputations as trusted professionals in the marketplace.

For JGA’s clients, the key takeaway is that maintaining robust quality control systems, engaging in ongoing dialogue with regulators, and staying ahead of emerging trends such as crypto accounting are critical strategies for ensuring continued success in a dynamic regulatory environment.

For more information, reach out to your JGA audit quality expert.

Johnson Global Advisory Establishes Strategic Leadership Council and Appoints Three Council Members

Tue, 26 Nov 2024 00:12:57 GMT

WASHINGTON, D.C., November 26, 2024 - Johnson Global Advisory (JGA) is announcing the formation of its Strategic Leadership Council (SLC) , an initiative aimed at bolstering the firm's strategic direction and reinforcing its commitment to industry-leading advisory services. The Council, composed of executives from diverse sectors within the audit quality stakeholder ecosystem, will provide insights into the JGA leadership on industry trends, strategic decision-making, and growth opportunities. Kathleen M. Hamm, Greg Jonas, and Dave Sullivan are the first appointees to the SLC.

Kathleen M. Hamm has an extensive background in financial regulation, control infrastructures, and risk management, particularly relating to fintech and cybersecurity. Her previous role as a Board Member of the Public Company Accounting Oversight Board (PCAOB) highlights her leadership in regulatory transformation and strategic policy development. "Joining JGA’s Strategic Leadership Council allows me to leverage my experience to further the Firm's mission in these transformative times," remarked Hamm.

Greg Jonas is an independent consultant on auditing and business reporting matters. He served as Director of the Division of Research and Analysis at the PCAOB from 2012-2016. In addition to roles as a financial analyst at Morgan Stanley and Moody’s Investors Service, Greg spent 23 years at Arthur Andersen, serving in various roles supporting its global audit practice. “JGA serves a vital role in improving audit quality for the benefit of auditing firms and investors. I look forward to contributing to the firm’s success.”

Dave Sullivan, a seasoned executive known for his strategic insight in audit quality and risk management, has over 35 years of experience from Deloitte. His leadership in global audit quality initiatives make him a pivotal addition to the council. "I look forward to collaborating with my fellow council members to propel JGA to new heights," stated Sullivan.

The SLC will meet quarterly, advising JGA’s leadership team on critical business opportunities and challenges, ensuring the Firm remains at the forefront of industry innovation and strategic excellence. The first meeting of the SLC was held on Friday November 1, 2024, at JGA's Washington D.C. office.

“I am proud to welcome Kathleen, Greg, and Dave to our new Strategic Leadership Council,” said Jackson Johnson, JGA President and Founding Shareholder. “Their collective expertise will be instrumental in guiding our strategic initiatives and ensuring that JGA continues to set high standards our clients expect in this sector.”

About Johnson Global Advisory

JGA partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB staff, JGA professionals are enthusiastic and practical in their support to firms in their audit quality journey. We accelerate opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Joe Lynch to speak at 40th Annual SEC Reporting & FASB Forum

Thu, 21 Nov 2024 18:09:57 GMT

Johnson Global Advisory (“JGA”) is pleased to announce Joe Lynch, Shareholder and Managing Director, will speak on a panel at the 40th Annual SEC Reporting & FASB Forum.

This panel will summarize the activities of the PCAOB including:

Gain insight on the amendment to PCAOB Rule 3502 Governing Contributory Liability
Understand the amendments addressing aspects of audit procedures that involve technology-assisted analysis of information in electronic form
Recite new requirements for lead auditor’s use of other auditors
Enumerate the new requirements of QC 1000, “A Firm’s System of Quality Control”
Recall the guidance of the new auditing standard “General Responsibilities of the Auditor in Conducting an Audit”
Anticipate the New Standard, “The Auditor’s Use of Confirmation”
Learn about the proposal to replace existing auditing standard related to an auditor’s use of substantive analytical procedures
Understand the PCAOB’s proposals on public reporting of standardized firm and engagement metrics and the PCAOB framework for collecting information from audit firms
Anticipate the Proposed New Standard on Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations
Gain insight on the PCAOB’s 2024 Inspection Priorities
Learn about other Standard-Setting and Research Projects

Click here to register and learn more

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigates those standards. JGA is committed to helping the profession in amplifying quality worldwide. Visit www.johnson-global.com to learn more about Johnson Global.

Enhancing Auditor Independence: Key Themes from PCAOB Recent Spotlight

Thu, 03 Oct 2024 22:52:53 GMT

In September 2024, the PCAOB released a spotlight on auditor independence, highlighting critical observations from inspections (the “Spotlight”). As we react to these findings at JGA, we emphasize the importance of understanding these key themes and translating them into actionable solutions for our clients.

1. Audit Committee Pre-Approval of Services

A persistent issue remains regarding the pre-approval of audit and non-audit services by audit committees. Too often, we see audit teams commence work prior to the date necessary engagement letters signed by the audit committee. This practice not only undermines compliance but also risks auditor independence.

Actionable Insight: To mitigate this risk, firms should ensure that no work begins until the audit committee has pre-approved the engagement. Implementing an all-inclusive engagement letter that details all services—including consent and comfort letters, as well as quarterly reviews —will streamline the process and enhance compliance.

2. Independence Representations and Compliance Testing

The Spotlight indicates an increase in the issuance of comment forms related to independence representations, particularly concerning personal independence compliance testing. A notable concern is the cutoff risk for new hires; for instance, if an independence representation is conducted annually in June, a new hire added in September may not be confirmed as independent.

Actionable Insight: Firms should adopt a more frequent compliance representation and testing schedule—ideally quarterly or semi-annually—and ensure that new hires are included in these independence confirmations. This practice can help maintain independence throughout the audit engagement. Another best practice is to obtain independence representation from each new hire prior to commencing any work. Sometimes, we observe engagement partners stumble to respond on how they ensure all team members are independent of the issuer. Some firms require documenting individual team members independence reaffirmations within the issuer audit file while other firms rely on firm wide independence reaffirmations. In latter case, JGA recommends engagement partners should document that they checked that i) each team members’ independence representations had no exceptions and properly filed in the firm wide repository and ii) restricted list include this issuer.

3. Monitoring Restricted Entity Lists

The spotlight highlights that smaller firms often circulate their restricted entity lists annually, which can lead to cutoff risks with new clients. This underscores the importance of continuous updates to the restricted list.

Actionable Insight: Firms should verify independence based on an updated restricted entity list at the time of any new client engagement. Regular updates and confirmations of independence for new clients are essential to mitigate risks. Also, best practice is to obtain independence representations for each prospective audit client during client acceptance procedures. This practice along with new hire practice mentioned above would substantially bridge the gap between periodic firm wide independence reconfirmation processes.

4. Independence Policies

The Spotlight notes that many smaller firms lack detailed written policies for monitoring independence. This gap can lead to inconsistencies in compliance and potential independence violations.

Actionable Insight: JGA recommends that all firms, especially smaller ones, develop comprehensive written policies that detail how they monitor independence. This should include procedures for individual engagement independence certifications, ensuring all engagement team members have signed off on the firm-wide independence representation. The policy should outline regular independence testing procedures, including the nature, timing, frequency, and scope of these tests. This should encompass self-assessments of investment portfolio reviews for all partners, as well as independent testing of these reviews by an external consultant or HR personnel, including a sample of other audit staff. Policy should also provide guidance to all personnel on what to do in case of self-identified independence violations. Sometimes in attempt to self-cure the violation personnel may unintentionally exacerbate the issue. So, emphasize on promptly reporting independence violations over trying to self-cure them is very important.

5. Indemnification Clauses

Indemnification clauses were particularly noted in foreign firms’ engagements, which can complicate compliance with U.S. requirements. It is crucial for firms to avoid creating conflicting terms across different engagement letters.

Actionable Insight: Firms should use separate engagement letter templates for public company audits that strictly adhere to U.S. requirements. If an audit involves local statutory purposes, maintaining the most restrictive requirements across all engagements for the same client is advisable to ensure compliance. We note that most of the time it is not practicable to separate number of hours spent on local statutory audit while doing PCAOB audit. So, we strongly advise to remove any language that may be construed as indemnification of auditor liability from all engagements with SEC issuer audit clients.

6. Inclusion of Contractors in Independence Monitoring

The oversight of contractors in the audit process can lead to lapses in independence compliance. The Spotlight suggests that many firms may not fully account for these individuals.

Actionable Insight: Firms must obtain annual independence representations from all contractors before they commence work. Such independence representations should cover all period the contractors perform their work. This proactive measure will help ensure that independence is maintained throughout the audit process.

Conclusion

This spotlight on auditor independence serves as a crucial reminder of the ongoing challenges and the need for vigilance in compliance. At JGA, we are committed to bridging the gap between regulatory expectations and practical solutions. By implementing these actionable insights, firms can enhance their quality control systems, ensure compliance with respective standards and rules, and ultimately foster greater investor confidence.

For personalized guidance on how to address these issues in your practice, reach out to your JGA Audit Quality Expert, or contact:

Jackson Johnson, CPA

President & Founding Shareholder

jjohnson@jgacpa.com

Farkhod Ikramov, CPA

Director

fikramov@jgacpa.com

QC 1000: JGA's Reaction and Implications for Our Clients

Wed, 18 Sep 2024 01:19:53 GMT

The SEC’s recent approval of PCAOB’s QC 1000 standard marks a significant shift for accounting firms. QC 1000 aims to enhance the quality control (QC) systems of registered firms, with scalability based on firm size and complexity. The response from the industry, including our team at JGA, highlights both the challenges and opportunities that this change will present. This Alert outlines JGA's reaction to QC 1000 and discusses what it means for our clients.

JGA commented on the proposal; you can read our position on the proposal here .

During the SEC Open Commission Meeting on September 9, 2024, several notable points were raised regarding QC 1000. JGA’s review of the meeting and our team’s subsequent discussions focused on key risks with this change, such as the implementation challenges and effort, but also noted some positives regarding the potential for improved audit quality and opportunities to improve processes and managements insights.

Our Main Takeaways

Implementation Challenges

QC 1000 requires all registered firms to design a system for compliance, even if they do not perform audits of issuers or broker-dealers. This is a significant concern, as firms may need to design systems for hypothetical scenarios, leading to confusion and unnecessary costs. Around 60% of firms will need to design frameworks they may not use.

The standard imposes a higher level of rigor compared to existing QC standards, and firms may face difficulties aligning their systems with the new prescriptive requirements. Hester Peirce, one of the SEC Commissioners, cited these challenges as reasons for her opposition, echoing concerns from many smaller firms.

Considerations Regarding Effort

The design-only requirement (without immediate operational implementation) introduces additional costs for firms, particularly in smaller firms or those that do not handle issuer audits. Paul Munter, SEC’s Chief Accountant, acknowledged that firms could face increased costs, particularly those related to additional personnel, training, and system design.

Scalability and Continuous Improvement

On the positive side, JGA sees QC 1000 as a framework that, while complex, offers scalability based on firm size. This presents an opportunity for firms to improve audit quality continuously, which is likely to enhance their standing in the marketplace.

While some firms might not feel immediate benefits, especially those focusing on non-issuer audits, the overall emphasis on audit quality in capital markets aligns with the long-term interests of many firms.

Confidentiality Concerns

The content of the new QC forms required under QC 1000 may raise concerns about confidentiality. While some protections are in place, firms must remain cautious about the sensitivity of the information included in these forms.

What This Means for Our Clients

For our clients—primarily accounting firms that must adopt QC 1000—the implications are multifaceted.

Increased Compliance Burden: Clients will need to overhaul or redesign their QC systems, which will incur both time and financial investments. The 60% of firms that Commissioner Peirce mentioned, which are only hypothetically impacted by the standard, must still dedicate resources to comply, even if their actual use of QC 1000 remains limited.
Cost of Implementation: Smaller firms will likely face disproportionately high costs as they align their systems with QC 1000's rigorous requirements. JGA recommends that clients assess their current QC systems and consider phased approaches to implementation where feasible. Partnering with external consultants or firms with QC expertise may help mitigate some of these costs.
Training and Education Needs: Significant training will be necessary to ensure that teams understand and comply with QC 1000’s requirements. JGA encourages clients to begin training key personnel now, particularly those involved in quality control and compliance, to ensure a smooth transition.
Scalability and Competitive Advantage: For firms able to navigate the transition successfully, there is the potential for a competitive advantage in the market. The emphasis on continuous improvement in audit quality could position firms as leaders in audit services, attracting clients who prioritize regulatory compliance and high-quality audits.
Future Regulatory Scrutiny: The new standard may invite closer scrutiny from regulatory bodies like the PCAOB, particularly as it relates to the design of QC systems. Firms should expect more frequent inspections, and the robustness of their QC systems may become a key focus.
Client Communication: JGA advises that firms begin communicating with their clients about the upcoming changes and the steps they are taking to ensure compliance. Transparency in this process will help maintain trust and demonstrate proactive management of regulatory changes.

Conclusion

QC 1000 represents both a challenge and an opportunity for our clients in the accounting sector. While the increased costs and implementation challenges are concerning, the scalability and focus on audit quality could yield long-term benefits. JGA recommends that firms take a strategic, proactive approach to compliance, balancing the immediate burdens with the potential to improve service quality and client satisfaction. As the landscape evolves, we will continue to monitor developments and provide guidance to ensure our clients remain compliant and competitive in this changing regulatory environment.

Please reach out to your JGA audit quality expert, or contact:

Joe Lynch, CPA, CITP

Managing Director & Shareholder

jlynch@jgacpa.com

PCAOB Broker-Dealer Inspection Report Shares Results of 2023 Inspections and Good Practices to Address Audit Scenarios

Wed, 14 Aug 2024 13:50:38 GMT

On July 25, 2024, the PCAOB released the Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers (PCAOB Release No. 2024-009) which provides (i) information about its 2023 inspections approach, (ii) a summary of the 2023 inspections observations, (iii) a description of good practices that may be effective to address those scenarios; and (iv) reminders for firms of the requirements of certain PCAOB standards.

The PCAOB observed higher deficiency rates in examination, review, and audit engagements, which it described as a cause for significant concern .
The PCAOB report overall noted at least one deficiency was observed in 70% of the 103 audit engagements reviewed, which marked an increase from the 58% deficiency rate observed in 2022. As has been the trend we've seen over the last couple of years, when supporting clients going through inspection.

We, at JGA, have seen the rigor of the inspection process increase, particularly in the areas of revenue, journal entry testing and increasingly, audit committee communications and independence-related matters.

The PCAOB’s report outlined an increase in the deficiency rate that was primarily driven by the increase in the number of inspections performed of firms that have not been previously inspected and the increase in the deficiency rate in audit engagements observed at the largest audit firms reviewed.

From our perspective, firms that have not been previously inspected are typically smaller practitioners and they may not be aware or prepared for the rigor of an inspection.

The PCAOB identified an increase in the deficiency rate in examination engagements of compliance reports. Some deficiencies noted, among others, were around the lack of obtaining a sufficient understanding of the financial responsibility rules and planning the examination engagement by obtaining a sufficient understanding of broker-dealer processes.

We have observed this statement expressed over the years and it is the root cause of many inspection findings. We have also seen this issue surface when providing in-flight reviews of audits for our clients. When we see this issue in our practice monitoring engagements, we encourage firms to provide their audit professionals with training around identifying, evaluating and testing relevant controls at their clients.

The PCAOB report outlines that revenue deficiencies increased to 48% from 34% in 2022. As seen in previous years, as it relates to the audits of broker-dealer financial statements, the PCAOB noted the highest deficiency rate around firms’ responses to the risk of material misstatement for revenue. The PCAOB identified deficiencies around testing the accuracy of the amount of revenue recorded, including accuracy of inputs that determine revenue, across all revenue sources indicated in the annual report.

Our clients have the most success in avoiding these issues by spending the time up front during the risk assessment process and performing detailed walkthroughs of the revenue cycle.

The annual report also identified various other areas of deficiencies noted in the 2023 inspection cycle. One area to note is that for the first time, auditor independence was presented separately in the report and the PCAOB noted instances of deficiencies around non-compliance with PCAOB Rule 3526. This could be an indication of the increased focus by the PCAOB on independence-related matters. The PCAOB also observed an increase in deficiencies related to auditor communications with audit committees. Additionally, the report highlighted deficiencies identified around the monitoring of firms’ accounting and audit practice and indicated that some firms did not perform annual internal inspections. Through our work, we’ve noticed a direct correlation between inspection deficiency rates, and a loosely defined or poorly defined internal inspection program. As the expectations haven’t changed around this, we encourage firms to take a look at their internal inspection programs to ensure they specifically cover BD audits and have tailored procedures specific to the risks in a BD audit.

Similar to previous reports, for certain areas, the PCAOB has also provided good practices and reminders as illustrative examples that firms may find effective in addressing various scenarios. These include, but were not limited to, good practices related to evaluating service organization reports and the scope of services covered and reliance on evidence in SOC 1 reports. JGA has provided objective, independent feedback to firms, in real-time as engagement teams perform audit procedures around SOC 1 report evaluation and reliance. In addition, we have found that in-depth training sessions to firms on how to evaluate reports on service organization controls have ensured that all engagement team understand the risks around SOC 1 evaluation, especially in areas related to significant risks and what regulators are looking for in an adequate evaluation.

We encourage firms to thoroughly read the annual report and explore ways in which the good practices outlined in the report can be used in their audits going forward.

PCAOB Observations and JGA's Perspective on GenAI

Wed, 31 Jul 2024 16:39:31 GMT

The recent PCAOB spotlight on the integration of GenAI into audits and financial reporting highlights several key observations. GenAI integration is primarily in the early stages, with larger global network firms leading in deployment, mainly for administrative tasks and research activities. There is significant ongoing investment in GenAI tools, often through third-party partnerships, to assist in summarizing accounting policies and performing risk assessments. Data privacy and security are also major concerns, with some firms implementing safeguards to protect confidential information.

The PCAOB emphasizes that human involvement remains crucial, with GenAI augmenting but not replacing human auditors. Supervision and review processes ensure accountability for GenAI-assisted work. However, risks related to the reliability of GenAI outputs, and the auditability of source data are noted, with firms developing specific instructions to improve consistency and accuracy. Among preparers, GenAI is used to draft internal documents and assist in repetitive processes, with human supervision ensuring the accuracy and reliability of these outputs.

At JGA, our perspective based on our interactions with our clients aligns with the PCAOB's observations while offering critical insights.

We have heard from our peers and concur that the current use of GenAI enhances efficiency in tasks such as data extraction, document review, workflow automation, and compliance monitoring.

JGA supports the investment in GenAI, highlighting the use of machine learning to predict areas where engagement teams are likely to encounter issues based on historical data allowing for quality control measures. Expert systems are also being utilized to suggest whether to accept a new client based on similar cases and outcomes from other engagements.

Emphasizing the need for specific controls, JGA concurs with the importance of data privacy and security to ensure data integrity, address biases, and ensure accuracy. Additionally, as firms prepare to implement the new QM standards into their QC process, it is important that firms recognize that the use of GenAI should be included in its risk assessment evaluation.

While supporting the crucial role of human judgment, we agree with the importance of careful supervision of AI outputs to maintain high audit quality and compliance with regulatory requirements.

Acknowledging the risks associated with GenAI, we encourage firms to implement transparent and explainable AI models to mitigate biases and inaccuracies. Ultimately, auditors should continue to evaluate and conclude on the relevance and reliability of data used in the conduct of the audit.

Finally, we agree that GenAI should not be seen as a tool that minimizes or removes the auditor's responsibility for providing reasonable assurance on financial statements. GenAI should not be seen as a tool that minimizes or takes away the responsibilities of the partner signing the audit opinion - at the end of the day, the engagement partner still has the ultimate responsibility that the audit opinion provides reasonable assurance that the financial statements are fairly presented.

In conclusion, JGA underlines a cautious yet optimistic approach to integrating GenAI in audits, emphasizing robust controls, human oversight, and continuous investment to enhance audit quality and compliance. The extent and use of GenAI is going to continue to grow all around the globe in every industry and profession. And this is true for the auditing profession as well. Leadership of firms must continue to embrace the continued use of GenAI but do so making sure they are identifying and evaluating risks related to the use of GenAI. 

For further insights on using technology in your audits, read our recent JGA Advisor article on JGA Team Perspectives: System of Quality Management – Using Technology in Your Practice and Audits . Also, feel free to reach out to us with questions at any time. 

JGA Team Perspectives: Failure to Prepare is Preparing to Fail

Wed, 17 Jul 2024 14:44:36 GMT

The PCAOB continues to emphasize the importance of quality control (QC) systems and intends to continue to focus on this area in its future inspections. Proposed PCAOB quality control standard QC 1000, A Firm’s System of Quality Control and Other Amendments to PCAOB Standards, Rules, and Forms , would replace current PCAOB quality control standards in their entirety.

QC 1000 would require registered firms to implement and operate QC systems to execute policies and procedures developed to address quality risks, monitor operation of the policies and procedures, and take remedial actions when the policies and procedures are not operating effectively. It includes a requirement for firms to perform root cause analysis (RCA) of all quality control deficiencies and design and implement timely remediation actions. Firms should consider both internal and external inspection findings as part of monitoring.

In addition, the IAASB and AICPA have adopted quality management standards, so firms are required to implement new processes to ensure their internal quality controls comply with the new requirements. Jung Lee, JGA Director, works with audit firms worldwide to improve their audit quality and navigate audit and QC regulatory requirements.

“In general, the number of comments and enforcement actions from the PCAOB have increased significantly in the last three years, and this trend is not only at the PCAOB, but also other local audit regulators worldwide. Audit deficiencies are costly, time-consuming, and will increase regulatory scrutiny in future inspections,” Lee said. “There has been a general uptick in the level of enforcement activity, and regulators point to QC failures in the monitoring process as a contributing factor.”

In April 2024, the PCAOB Staff issued a Spotlight: Root Cause Analysis—An Effective Practice to Drive Audit Quality . The PCAOB notes that RCA has been shown to be an effective practice to drive audit quality; rather than simply detecting and remediating audit deficiencies, by “focusing more on assessing underlying root causes of a deficiency…the deficiency can be effectively addressed and ultimately eliminated.”

“The Spotlight shares observations from PCAOB inspections and how firms’ RCA has helped them address repeat or persistent inspection findings,” Lee stated. See more in JGA’s Alert, PCAOB Staff Report Shares Observations on How Root Cause Analysis Can Drive Audit Quality .”

Continued Preparedness Planning

With respect to their system of quality management, firms need to prepare to initially adopt QC standards and then must continue to evaluate them to remain in compliance year-after-year.

The steps a firm should take are cyclical, starting with initial risk assessment and gap analysis, RCA and remediation, annual evaluation and testing of the SQM, and ongoing monitoring. Practice monitoring, a component of SQM – which includes pre/post issuance reviews -- ensures that a firm’s system of quality control provides reasonable assurance that the firm and its personnel comply with professional standards and the reports issued by the firm are appropriate.

“We work with firms on remediation after PCAOB inspections and pre-issuance reviews,” said Jackson Johnson, JGA President and Shareholder. “In post inspection services, we assist firms with root cause analysis of identified audit deficiencies. RCA is the underpinning of a sound QC system, and proper root cause analysis helps ensure that deficiencies are remedied.”

Remediation After Inspection

Frequent areas of concern noted in RCA (the first step in remediation) include lack of proper firm methodology and training, technical knowledge and competence, personnel management, engagement considerations, and supervision and review (including due care). There are often multiple root causes contributing to one deficiency, so it is important for firms to continue to dig in and ask “why.” Remediation of all identified deficiencies will likely require firms to create new QC processes.

Root cause of inspection deficiencies often relates to training. “The PCAOB normally recommends a very tailored, precise training related to the area of audit deficiency noted,” Lee said. “An example is the need for a specific training on testing for proof of delivery as part of performance obligations, but firms often offer a general training on revenue recognition under ASC 606. We can help clients obtain customized, tailored training solutions, both internal and external to the firm.”

To supplement training, JGA has found that practice aids and templates help firms to ensure audit quality. “An example of a practice aid is a template for journal entry testing with considerations noted in AS 2401, paragraph 61, addressing issues auditors should watch out for when reviewing the criteria used for identifying journal entries as part of fraud procedures. We can review the methodology included in client-prepared templates or create them for clients. The PCAOB asks for templates as a form of remediation of deficiencies,” Lee said.

“We help firms with practice monitoring including pre- or post-issuance reviews,” Lee added. “This way, someone outside of the firm’s engagement team or National Office can monitor the performance at both the firm SQC and engagement levels.”

Pre-issuance Reviews

Having an objective review of an audit before the audit opinion is signed and the audit report is issued (sometimes called an “in-flight review”) is a preventative control that allows firms to get ahead of deficiencies before an inappropriate opinion is issued.

“Nothing is more important than a good quality audit, and we work with firms in lock step to help them prevent or minimize deficiencies,” Johnson said. “In this way, there is a more immediate impact on audit quality, because firms can make changes in real time during the current audit rather than waiting until the next audit to see if the issue is fixed.”

“We are effectively performing real-time inspections and identifying deficiencies the PCAOB may find. JGA staff were former leaders of PCAOB inspection teams, so we look at audit engagements the same way the PCAOB staff does,” Lee adds.

Crucial areas the PCAOB focuses on are planning, audit procedures, and completion. JGA walks with firms in each of these and considers what can go wrong in each.

“An example of in-flight for accounts receivable will entail how the firm selected the items to confirm, including the use of sampling and whether it was a stratified sample. In addition, we look at frequent areas of PCAOB findings, including revenue recognition and accounting estimates,” Lee said.

“We help firms apply both a preventative and detective approach to identify and remediate their audit quality concerns, which helps them gain insight into their system of quality control and how they perform their audit engagements,” Johnson said. “This not only helps them navigate the requirements of the new quality control standards but also will help them with the PCAOB inspection process and regulatory compliance overall.”

SEC Extends Deadline for Comments on QC 1000 to July 16, 2024

Wed, 03 Jul 2024 15:49:59 GMT

Updated 7.3.2024

The SEC recently announced that it is extending the deadline for comments on QC 1000 to July 16, 2024 . JGA provided comments to the PCAOB on the proposed QC 1000 standard. To read our comments please click here . The PCAOB proposed standard QC 1000, A Firm’s System of Quality Control and Other Proposed Amendments to PCAOB Standards, Rules and Forms, is available here . The new standard is available for viewing here .

Previous updates on QC 1000

5.13.2024

On May 13, 2024 the PCAOB held an Open Board Meeting - PCAOB to Consider Adopting New Standards on General Responsibilities of the Auditor in Conducting an Audit, Quality Control . The PCAOB considered adopting a new auditing standard – AS 1000, General Responsibilities of the Auditor in Conducting an Audit as well as QC 1000, A Firm’s System of Quality Control. JGA provided comments to the PCAOB on the proposed QC 1000 standard. To read our comments please click here . The PCAOB proposed standard QC 1000, A Firm’s System of Quality Control and Other Proposed Amendments to PCAOB Standards, Rules and Forms, is available here . The new standard is available for viewing here .

PCAOB Updates

Broker-Dealer Inspections Update: A Review and Impact of PCAOB’s Latest Inspection Program Report

Mon, 20 May 2024 21:28:13 GMT

The PCAOB released its first ever Spotlight related to audits of broker-dealers on January 31, 2024 - Insights Into the PCAOB’s Interim Inspection Program Related to Audits of Broker-Dealers. The Spotlight provided new insights and more context than the PCAOB’s typical annual reports on the broker-dealer inspection program results. What does this mean for your firm?

Johnson Global Advisory hosted a webinar presented by JGA Directors Don Melody and Tanieke Samuel, who took a deep dive into the PCAOB spotlight and provided their analysis of the issues raised by the PCAOB, as well as some key takeaways for auditors to improve the quality of their broker-dealer audits.

Key Takeaways

The program provides a high-level overview of the PCAOB’s latest spotlight focusing on broker-dealer inspection reports. This webinar provides additional insights and key takeaways for best practices and quality control to readily apply. The objectives of this session include the following and also increases your technical competence in the following areas:

• Broker-Dealer program and industry

• Impact of standardized audit programs

• Impact of low-cost providers and auditor changes

No CPE is available for the replay of this program.

To register for this replay please click here . After registering you will receive a confirmation email that includes information about how to access the replay.

JGA Welcomes Stephanie Mickens as a Director

Mon, 20 May 2024 21:05:54 GMT

Johnson Global Advisory (JGA) is pleased to announce Stephanie Mickens as a Director, focused on IT audit quality advisory. With more than 15 years of audit, IT integration, and audit quality compliance and regulatory experience, Stephanie’s skillset compliments JGA’s existing IT audit quality advisory services available to clients. She will work closely with Mark Whittenberg, CISA, and JGA Director, to advise on all things IT audit, including inspection services, audit quality assessment and improvement, implementation and monitoring activities. This addition strengthens JGA’s expertise when the use of technology drives business impact, and ways for auditors to implement technology continue to expand.

“ I am thrilled to be able to bring my passion for audit quality into this new chapter at JGA ,” said Stephanie. “ We know that the use of technology – and now artificial intelligence – in the audit is not going away. It can seem intimidating, but our goal for clients is to embrace the change and go about utilizing technology the right way, with the help of people such as our JGA team who can share that knowledge. ”

During the span of her career, Stephanie spent nearly five years as an Inspections Specialist at the Public Company Accounting Oversight Board (PCAOB) where she was one of a niche team of Information Systems Auditors. In this role, Stephanie supported audits of public companies performed by the Big Four network firms globally. Prior to her role with the PCAOB, Stephanie worked with PricewaterhouseCoopers LLP (PwC) for eight years as a Manager in the Risk Assurance practice, where she provided services related to the performance of assessments of internal control over financial reporting (ICFR) as part of Sarbanes Oxley 404 requirements for public companies.

More recently, Stephanie was the IT Risk Assurance Lead at a national financial services company, where she led the execution of the IT ICFR program, including the company’s IT SOX scoping and risk assessment. Stephanie also served eight years at PwC Atlanta, leading and performing Information Technology General Controls testing for PCAOB audits, and leading SOC 1 and SOC 2 engagements. She has served in numerous leadership roles for the National Association of Black Accountants, Inc. (NABA).

“ I’m so pleased that Stephanie has chosen to use JGA as a platform to reach firms worldwide and share her passion for audit quality, ” said Jackson Johnson. “ Her strong IT audit skills will complement the rest of our IT audit quality advisory experts to bring a stronger focus on how technology is driving improvements at all firms — large and small ”.

The addition of Stephanie increases JGA’s professional services team to include fourteen former PCAOB staff, with a cumulative 156 years of service at the PCAOB and SEC, and more than 144 years of experience auditing public companies.

Stephanie is based in the Atlanta, Georgia, area and received her Master of Accountancy at Georgia Southern University. To learn more about Stephanie and the full JGA team, read here.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Case Study – Example Successor Auditor Considerations: When the Predecessor Auditor is Charged with a Regulatory Enforcement Order

Wed, 15 May 2024 21:30:31 GMT

On May 3, 2024, the SEC charged audit firm BF Borgers CPA PC and Benjamin F. Borgers (collectively, “Borgers”) with fraud affecting more than 1,500 SEC filings. According to the SEC’s Order , of the 369 BF Borgers clients whose public filings from January 2021 through June 2023 incorporated BF Borgers’ audits and reviews, at least 75% of the filings incorporated BF Borgers’s audits and reviews did not comply with PCAOB standards.

Because a significant number of issuers have been impacted by the Order, the SEC’s Division of Corporation Finance released a statement on the topic (the “CF Release”). According to the CF Release, issuers that have engaged Borgers to audit or review financial information to be included in any Exchange Act filings to be made on or after the date of the Order will need to engage a new qualified, independent, PCAOB-registered public accountant. Further, the CF Release provides that:

Form 10-K and Form 20-F filings on or after the date of the Order may not include audit reports from Borgers; and
Form 10-Q filings on or after the date of the Order may not present financial information reviewed by BF Borgers.

Accordingly, affected entities will be required to engage a new qualified, independent, PCAOB-registered public accountant to perform the current annual audit and quarterly reviews, as well as perform re-audits and rereviews of all relevant impacted periods. The CF Release also stated that “Exchange Act reports that were filed before the date of the Order do not necessarily need to be amended solely because of the Commission’s entry of the Order. However, issuers should consider whether their filings may need to be amended to address any reporting deficiencies arising from the BF Borgers engagement.”

This document provides some helpful information for auditors who are considering or have recently accepted an audit engagement with an affected entity. Specifically, it discusses topics such as interim reviews, client acceptance and communications with the predecessor auditor.

Interim Reviews

The successor auditor may conduct the review of the current year interim financial information and the rereview of the prior year corresponding interim period, provided the firm also simultaneously proceeds with the annual audit and reaudits of the latest year (or years, depending on the client’s filing situation, i.e. based on the number of comparative periods presented).

Auditors can find the requirements relating to reviews of quarterly financial statements in AS 4105 , Reviews of Interim Financial Information . According to that standard, an auditor may conduct a review of the interim financial information of an SEC registrant if the entity's latest annual financial statements have been or are being audited . (AS 4105.05)

Because successor auditors will begin the reaudit of the prior year financial statements immediately following their engagement, auditors are permitted to proceed with the review of the clients’ quarterly financial statements for inclusion in the company’s Form 10-Q filing with the SEC.

There are certain specific requirements auditors should be aware of when conducting initial reviews of interim financial statements relating to obtaining knowledge about internal controls and communicating with the predecessor auditor. Those requirements can be found at AS 4105.12 and .13. We encourage auditors to read and understand the requirements of AS 4105 before committing to engaging new clients.

Client Acceptance

As indicated in the CF Release, any prior period financial statements that had previously been audited by Borgers will need to be reaudited by the newly engaged auditor for inclusion in the issuers next Form 10-K or Form 20-F. Prior to starting an initial audit, the successor auditor will also be required to perform procedures regarding acceptance of the client relationship and the specific audit engagement; and communicate with the predecessor auditor as described in AS 2101.18.

It is advisable that any firm should follow their client acceptance procedures with rigor. Prior to acceptance, firms should read the SEC Order carefully and consider the variety of risks involved with each prospective client, especially the heightened risk that a material misstatement may exist on prior year financial statements.

Firms will also need to extend their acceptance procedures to cover all periods subject to reaudit. A few special considerations to highlight:

Determine the auditing procedures necessary (and the ability) to obtain sufficient appropriate audit evidence regarding opening balances and consider the obstacles that may be involved.
Perform background checks of management and the board of directors and understand the reasons for departures and changes from the date of the opening balances (and possibly beyond) to the present.
Review all SEC comment letters and responses for all periods under audit and reaudit.
For perspective clients with inventory, special consideration will need to be given as to how to obtain appropriate audit evidence because of the inability to perform physical inventory observation procedures in the prior periods.
Inquire about the prospective clients’ books, records, internal controls and IT systems to understand the ability to obtain reliable information timely for all periods under audit.
Assess whether the firm has the skills, knowledge and experience to take on a new client, and if the firm is considering taking on multiple issuers, whether they have the internal resources to perform the audits with the appropriate level of audit quality.

Communications with the Predecessor Auditor

PCAOB standards at AS 2610 require the successor auditor to communicate with and make a variety of inquiries with the predecessor auditor prior to accepting the engagement and that acceptance cannot be final until the communications received from the predecessor have been evaluated. Inquiry of the predecessor auditor is a necessary procedure because the predecessor auditor may be able to provide information that will assist the successor auditor in determining whether to accept the engagement. In addition, the successor auditor should request and review the working papers of the predecessor auditor for all periods that will be subject to reaudit. When possible misstatements are discovered during the audits or reaudits, the successor auditor will also be required to communicate with the predecessor auditor.

According to PCAOB standards, in an initial review of interim financial information the auditor should perform procedures that will enable him or her to obtain sufficient knowledge of the entity’s business and its internal control. The standard goes on to describe steps the auditor should take, which includes making certain inquiries of the predecessor auditor and reviewing the predecessor auditors’ workpapers (including both the audit and quarterly review workpapers). The standard also states that, “if the predecessor accountant does not respond to the successor accountant's inquiries or does not allow the successor accountant to review the predecessor accountant's documentation, the successor accountant should use alternative procedures to obtain knowledge of the matters discussed in [that] paragraph.”

Given the number of affected entities described in the Order, it is unclear whether Borgers will reply to successor auditor inquiries and how timely the responses will be. Thus, auditors considering accepting these engagements will need to be prepared to perform alternate procedures to address the possible gaps during the acceptance process.

In summary, even though the facts and circumstances described in this SEC Order are unique, successor auditors are still required to perform the PCAOB standards’ requirements as described above.

JGA Learning at Work Week

Fri, 10 May 2024 20:06:16 GMT

Johnson Global Advisory (“JGA”) is proud to participate in the world-wide Learning at Work Week May 13th-19th. This annual event supports building learning cultures in workplaces. It aims to put a spotlight on the importance and benefits of continual learning and development.

JGA actively supports “learning power” (the theme for this year Learning at Work Week) for our external clients and we’ve been working on some exciting opportunities to learn internally through growing, engaging and connecting opportunities as a team as well.

Johnson Global is committed to amplifying quality in the profession. For more information about our training services click here.

Open Board Meeting: PCAOB to Consider Adopting New Standards on General Responsibilities of the Auditor in Conducting an Audit, Quality Control

Fri, 10 May 2024 15:10:35 GMT

Updated 5.13.2024

PCAOB Updates

PCAOB Publishes Spotlight Related to Root Cause Analysis

Thu, 02 May 2024 14:57:55 GMT

PCAOB Publishes Spotlight Related to Root Cause Analysis

In April 2024, the PCAOB released a Spotlight Root Cause Analysis – An Effective Practice to Drive Audit Quality which continues the Board’s goal of sharing its observations from its inspection and remediation activities, but this time related to Root Cause Analysis (RCA). RCA should not be a new concept to audit firms. In 2020, we published RCA: Seems like EVERYBODY is talking about Root Cause Analysis , where we shared the importance of performing an effective RCA to be able to understand what are the underlying causes of deficiencies which occur at your firm.

We wanted to highlight a few important aspects coming through in this April 2024 Spotlight.

The Spotlight rightly stated that RCA should be a multifaceted approach . There are a number of different tools, techniques, processes, and philosophies that firms can undertake to perform a RCA. In addition, there may not always only be one factor that is causing a deficiency – it could be a variety of factors such as lack of technical competence, failure of resource allocation at firm level, etc.

The Spotlight also identified characteristics of a well-designed RCA process , which are important to highlight as follows:

Have a dedicated team with RCA experience perform the RCA as they are more objective and have the requisite background. In helping our clients with RCA, we find by bringing in our objectivity, our PCAOB standards experience coupled with our RCA experience, engagement teams are more willing to be open and honest with their opinions of where they see potential root causes that resulted in deficiencies.

Firms use a variety of methods and techniques to gather data which include review of workpapers, interviews with engagement teams immediately after the deficiencies are identified, and review of engagement metrics. All this information combined paints an informative picture of what caused the deficiencies.

Firms should not only focus on looking at engagements that had negative quality outcomes, but also focus on looking at engagements which had positive outcomes arising from inspections or the firm’s internal monitoring. By identifying what worked well with some engagement teams, firms can then use that information to drive change with other engagement teams.

Lastly, firms should be aware that the task of identifying root causes and implementing a new action to remediate this deficiency does not mean that the job is done. Firms should monitor these remedial actions to determine whether the actions that they undertook are in fact solving the problem.

In conclusion, there is no time like the present to strengthen your RCA process . Remediating deficiencies (by providing training, developing new tools and templates, changing processes, etc.) is a time consuming and costly undertaking…you want to make sure that the action you are investing in, is actually going to remedy the problem. In addition, the PCAOB’s standard setting agenda includes a proposal for the new quality control standard that, if adopted, would require firms to perform RCA of its control deficiencies. Our recommendation is to start implementing your RCA process now so that you can refine and modify your RCA process.

Allinial Global Executive Team Conference

Tue, 02 Apr 2024 18:59:34 GMT

Johnson Global Advisory (“JGA”) is pleased to sponsor the Allinial Global Executive Team Conference 2024. This four-day event will be from

May 19–22 at The Westin Kierland Resort & Spa in Scottsdale, AZ.

This premier event for firm management, strategy and growth, and leadership, with a focus on Driving Success and Accelerating Possibilities through collaboration, knowledge sharing, and networking.

PROGRAM HIGHLIGHTS

A keynote session entitled The Time to Win - Grow Your Firm by Exceeding Clients’ Need for Speed by Hall of Fame speaker and New York Times best-selling author Jay Baer
Inspiring sessions focused on how firms can evolve their internal operations and management to facilitate a seamless client experience through lean processes and innovative approaches to talent and technology
Half-day virtual programs on Monday, May 20 and Tuesday, May 21

To learn more and register click here.

About Johnson Global

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigates those standards. JGA is committed to helping the profession in amplifying quality worldwide.

JGA Team Perspectives: Navigating the PCAOB Inspection Process

Wed, 27 Mar 2024 19:35:09 GMT

Editor's note: This article is part of a series to highlight the unique experience that JGA professionals possess and deliver to our clients.

As busy season winds down, it is an opportune time to reflect on challenges in ensuring audit quality and preparing for a successful outcome to the PCAOB inspections process. There are a myriad of obstacles to audit quality such as time constraints and the complexities of client engagements. Amidst these demands, audit quality remains the utmost priority.

Geoff Dingle an author of JGA’s guide, Navigating PCAOB Inspections, Second Edition shares his insights on how firms can effectively prepare for the entire process.

The Purpose

Registered firms that issue at least one public company audit opinion are subject to inspection at least every three years. Every inspection is different based on the firm, its clients, and PCAOB priorities, but the overall process is the same. It is a long process that takes planning and coordination, and this guide addresses the main phases and pain points.

“Through our work at JGA, supporting firms on PCAOB inspections, we are able to witness first-hand the struggles that some firms encounter as they work through the inspection process with the regulator. Although some of this information is available on the PCAOB’s website, we have been able to consolidate our own experiences having supported over 100 firms during their inspections. JGA has a team of alumni from the regulator that have led inspection teams and quality management initiatives, with over 139 years of combined experience at the PCAOB and SEC,” says Dingle.

The Process

The inspection process often takes more than two years (sometimes as long as four years) from initial notification of an inspection to the final remediation determination. It can take weeks to months to issue comment forms after the inspection week. Report finalization is getting faster but it can still take more than six months to issue an inspection report to a firm. If there are few issues, the PCAOB can respond quickly, but with multiple findings the process oftentimes takes longer. After report issuance Firms have 12 months to remediate Part II findings and provide these remedial plans to the PCAOB for evaluation.

Pre-Inspection

The PCAOB provides the dates for its intended inspection week. The notification letter includes the period being inspected, questions, and requested documentation about the firm and its clients. There are not many pain points at this stage, but there is typically a four-week deadline to respond. The PCAOB contacts the firm two to three weeks before the inspection starts with the names of the issuers selected for inspection and requests specific information and access to the workpapers for these audits.

“We always recommend that firms hold internal meetings to assign responsibilities between the engagement teams and the national office and plan for the inspection. Prep week - the week before the inspection, can be stressful. We suggest that engagement teams go back through their audit files to re-familiarize themselves with the workings of the audit file,” Geoff continues .

Key Points About The Process

Before COVID, inspections were conducted in-person. Now the majority of the inspections are performed virtually. “With the engagement team and the inspection team not being in the same room, we have observed inefficiencies in getting matters resolved because of the need to coordinate firm personnel and inspection personnel, across various time zones, locations, and schedules,” he mentions.

During the inspection week, the PCAOB provides detailed questions to the engagement team regarding the audit file. It’s a mix between written questions sent to the firm and asked questions during meetings. All questions are answered in subsequent meetings. With the remote process, meetings are scheduled to address and answer these questions. “Our own experience is that if a particular line of questions continued for the week (i.e. the engagement team’s response is not satisfying the inspector), then chances are there will probably be an issue that will result in a comment form,” Geoff adds. Be ready for multiple layers of questions on the same subject by providing details based in the working papers and show a deep understanding of the audit.

Inspection issues are usually riskier areas involving judgements. Audit documentation should “tell the story” of how auditors came to their conclusions, not just what the conclusion was. Audit documentation should describe in detail what considerations were made by the engagement team in coming to their judgment (i.e. how any contradictory evidence was addressed; why the engagement team went with one model over another, etc.). If judgments are not well documented, the PCAOB has no alternative but to conclude that sufficient procedures were not performed.

Comment Forms

A few weeks after fieldwork is completed, the inspection team provides comment forms that include a summary of the deficiency and the facts related to the issue. Firms have 10 business days to respond.

The Inspection Report

Part I inspection findings are in the report’s public portion. Part I.A deficiencies indicate the firm had not supported its opinion on the financial statements, ICFR, or both. Part I.B findings are compliance issues which do not specifically compromise the audit opinion. Part II findings are related to the firm’s system of quality control and are in the report’s nonpublic section and these are not shared with the public. Firms have 12 months to remediate Part II findings before they can become public if the PCAOB concludes that the firm did not adequately remediate.

Frequent Part I.A findings in an integrated audit relate to testing controls, testing estimates, and use of service auditor reports. Part I.B findings may result in enforcement cases and include incorrect opinion language, independence breaches, audit committee communication issues, and incomplete or late filing of Form AP.

Responding to Findings in Part II of the Inspection Report

Ultimately, the firm has 12 months to communicate to the PCAOB how it plans to remediate quality control findings. Geoff provides his insights on the importance of root cause analysis, “In our experience, firms do not do a great job of root cause analysis to identify the remedial action needed for deficiencies because they do not dig deep enough. We review comment forms and related workpapers to understand why the PCAOB issued the comment, and then we interview the engagement teams about root causes, to understand whether the issue was related to areas like staffing, partner workload, supervision and review, technical competence, audit methodology, or firm tools. In fact, firms will soon be compelled to do a rigorous root cause analysis as the proposed quality control standard (QC 1000) requires root cause analysis.” A proactive approach to remediation, specifically quality control findings allows for firms to make corrective actions based on their root cause evaluation and provide time to see the updates work their way through the firm’s audit cycle. Showing examples of the new process goes a long way. See our contribution to Journal Of Accountancy, Quality Management Standards: How to Perform a Root Cause Analysis .

“We advise firms to address Part II remediation findings early. If they wait until they receive the report to start remediation, another inspection could start, and a repeat finding could result.” PCAOB guidance details five relevant criteria they use to conclude on the sufficiency of remedial actions. Every firm’s quality control processes are different, so we work with clients to apply the guidance to their own remedial actions and avoid repeat criticisms,” Geoff mentions.

In conclusion, the PCAOB has made it clear both through its speeches and its enforcement actions that they will be tougher on enforcing regulation and audit quality. Firms need to plan in advance to make sure the inspection process is as issue-free as it can be. That starts with making sure audits are completed in accordance with the PCAOB auditing standards, not when you get notified of an inspection. Firms should enhance their practice monitoring by engaging firms like JGA to perform in-flight reviews while the audit is happening. In that way, quality is achieved prior to the signing of the audit opinion.

Interested in learning more about the PCAOB inspections process and how to prepare? Navigating PCAOB Inspections, Second Edition is a roadmap for firm management and engagement teams through the entire PCAOB inspection and remediation process, to help prepare for inspections and implement continuous audit quality improvements.

Geoff Dingle, JGA Managing Director, Shareholder

With more than 20 years of experience in the accounting and auditing industry, Geoffrey Dingle works with public accounting firms to help them achieve the highest level of audit quality. Geoff brings a diverse set of experiences to JGA. As an Associate Director for almost 10 years, in the Division of Registrations and Inspections at the PCAOB, he conducted inspections of quality control and issuer audits. In addition, he played a senior role in planning, executing and reporting on the annual inspections of Global Network Firms, including, but not limited to, quality control procedures, review of comment forms, development of the inspection report criticisms and quality control themes, and evaluation and review of Firm root cause analysis and remedial actions. To learn more about Geoff and the JGA Team visit the Meet Our Team page.

JGA Team Perspectives: Navigating the PCAOB Enforcement Landscape

Thu, 29 Feb 2024 22:22:32 GMT

Editor's note: This article is the first in a series to highlight the unique experience that JGA professionals possess and deliver to our clients.

What is top of mind for the Public Company Accounting Oversight Board (PCAOB)?

The PCAOB has made it clear that it intends to carry out an aggressive inspection program to identify and correct the high rate of audit quality deficiencies it continues to find and refer matters to its Division of Enforcement and Investigations (“DEI”).

“ As a consultant, I work with audit firms to establish or enhance their policies and procedures so they deliver audit services at the highest quality level and hopefully avoid regulatory scrutiny from the PCAOB and SEC .”

When an auditor or firm has become subject to a PCAOB or SEC investigation, JGA can assist in a number of ways including in their responses to informal document requests, Accounting Board Demands, and subpoenas for workpapers, emails, and other documents. Our consultants also perform workpaper review, provide case assessments and strategy guidance, assist with witness preparation, and help in preparing white papers, Statements of Position, and Wells responses. We also serve as expert witnesses by providing expert reports and expert testimony.

Johnson Global professionals consult firms on timely remedial and corrective actions and other activities to obtain PCAOB extraordinary cooperation credit to substantially reduce or eliminate monetary penalties and sanctions. Once there is a PCAOB enforcement inquiry, before a case is brought, we review audit workpapers and documents and evaluate the firm’s quality control system to identify the potential violations, assess the significance of the violations, provide a root cause analysis, and propose remedial solutions.

Existing or new clients include individuals and firms who have received a letter from DEI or the SEC’s Enforcement Division announcing an informal inquiry, or that a formal order of investigation has been initiated. “Our vast network, includes attorneys that I know from doing forensic accounting for so many years.” As needed, we assist firms in obtaining counsel with experience working with the PCAOB and SEC, if they do not have one. We work with counsel closely in these matters for counsel to provide legal advice and correspond with the regulator directly on behalf of the firm.

Recent Trends

PCAOB Reporting - Form AP and Form 3 Compliance

We have seen an increase in the number of PCAOB enforcement actions related to PCAOB Form AP (Auditor Reporting of Certain Audit Participants) and PCAOB Form 3 (Special Events). The general requirement for Form AP is to file it within 35 days from the date the firm’s audit report is first included in a Form 10-K or 20-F filed with the SEC. For Form 3, the form must be filed within 30 days after the event. Firms are not filing these on time, commonly because they are not aware of the requirements or forget to file. Once the audit is over, attention can get diverted from Form AP. Form 3 is particularly burdensome because there are 18 specified events to report and monitoring these can be a challenge. Also, these forms may not be filled out correctly.

For Form AP, it is easy for the PCAOB to determine whether a firm has timely filed it by comparing SEC filings to the Form AP filing, and the inspections group will routinely do that. It is harder for the Board to identify Form 3 compliance issues because their special events are unique to each firm, but we see instances of that occurring and enforcement matters as a result.

When compliance failures occur, we have observed that the DEI will send a letter to the firm with a draft order that will propose a settlement, without even discussing the matter with the firm. We discuss the options with the client and client’s counsel, including the costs associated with litigation, so they can decide. Most clients do not challenge the Board and agree to the censure and fine, which can be $5,000 or more per violation, along with the requirement for a self-review and self-certification of the firm’s quality control policies and procedures relating to PCAOB reporting. The consequences of any compliance failure on these forms can be harsh, even though it was just a mistake.

Form compliance is an area where we can help firms to make process changes and put policies and procedures in place to timely file and avoid a repeat failure. We recommend annual training on PCAOB reporting and the implementation of an annual certification process for Form 3 events. For Form AP, we help firms institute tracking and monitoring controls by the designated head of quality. For example, we designed a Form AP tracker that includes the relevant required information for all the firm’s PCAOB clients, along with the estimated filing dates and calendar reminders so there is a process to monitor engagement teams to proactively follow up. We also developed a Form 3 checklist that includes the trigger events and can be used at monthly meetings or by email requiring affirmative responses, so firms are able to proactively identify the events that require a filing.

Communications with Audit Committees

This is an area where the PCAOB is using sweeps, presumably from information gathered at the audit inspection level. Participation of other auditors in the audit must be communicated to the audit committee, but the PCAOB has noted failures to communicate which firms and individuals were involved and what they did.

Another common problem area in audit committee communications is the lack of required preapproval of non-audit and audit related services. Firms may need training to understand the requirements, along with additional quality control policies and procedures. There should be audit program steps in the tools firms use that apply to audit committee communication in PCAOB audits, not those under AICPA or international standards, because the rules are not the same.

The PCAOB continues to bring cases in this area, even if it is for one single violation of this PCAOB standard. There is an apparent zero tolerance policy at the PCAOB for violations of this nature.

Engagement Quality Review

EQR is a hot area now. Firms may not have done one at all, or the quality is not there - either on the front end for risk identification and planning, or at the back end when the audit is done. Our firm has developed and provides an EQR mentoring program , which is a collegial one on one approach to help firms get better, and it includes retraining as partners rotate on engagements.

Documentation

There are a number of inspection findings relating to AS 1215, Audit Documentation, including firms adding, backdating, or altering workpapers after the report release date. There is a process under the standard for adding documents that includes documenting who made the change, when, and why. We advise firms that have documentation issues to follow the standard because it is not advisable to make it look like a workpaper was always there when it was not.

Quality Controls

The PCAOB is very focused on this area. When the PCAOB finds a number of violations, firms should consider whether they have quality control issues, including whether there is a strong ‘tone at the top’ related to audit quality. Most PCAOB enforcement actions issued in 2023 either cited a QC failure or required the firm to enhance its QC system as part of the sanction.

It can be challenging for firms, especially those with fewer than ten or so PCAOB clients, to determine how much financial and personnel resources to commit to the firm’s system of quality control. The notion of scalability seems to have gone by the wayside resulting in a high fixed cost for entering the PCAOB audit market and maintaining a presence in that space. Some firms are hesitant to invest in compliance measures because of the high costs, but better quality likely will lead to getting more clients and the potential for less trouble down the line.

There is a new PCAOB auditing standard on quality control coming soon, and it includes a requirement that assigns individual responsibility and accountability for the QC system. There is awareness, but we are encouraging our clients to get ready for this now. We offer quality control review services and can serve as a quality control confidant, especially for small firms that do not have a QC leader.

PCAOB Inspections of China and Hong Kong Firms

Last year, the PCAOB published inspection reports of PCAOB-registered firms in China and Hong Kong and announced enforcement actions and a record high level of penalties as a result of violations of PCAOB rules and U.S. securities laws. These included auditors cheating on ethics and other internal examinations, and extensive quality control deficiencies.

By 2023, the PCAOB will have inspected up to 99 percent of these firms’ audits. Inspection reports are expected to come out in April 2024 showing more of the same deficiencies. The 2024 PCAOB budget includes resources to continue inspections in this region. U.S. firms should look at these inspection results and enforcement cases to be aware of what the PCAOB found and is continuing to look for.

Conclusion

PCAOB Chair Williams and the current board continue to deliver a tough message about audit deficiencies and enforcement. The PCAOB is filing enforcement cases not only against firms that pose potential danger for not doing anything right but also for compliance failures, including those relating to PCAOB reporting. Auditors need to invest in audit quality and keep on top of changes in audit standards to avoid PCAOB scrutiny and potential sanctions.

More Opportunities to Improve: The PCAOB’s Latest Report on Broker-Dealer Audit Quality

Thu, 29 Feb 2024 22:22:30 GMT

On January 31, 2024, the PCAOB Staff (the “Staff”) released its first ever Spotlight, Insights Into the PCAOB’s Interim Inspection Program Related to Audits of Broker-Dealers . I commend the Staff for this Spotlight. It provides new insights and more context than their typical annual reports on the broker-dealer inspection program results.

To provide some brief background, the broker-dealer inspection Program was created as result of the Dodd-Frank Act, which was enacted into law in 2010. Inspections started in 2011, and the revised Securities Exchange Act Rule 17a-5 was effective in 2013. The most recent Annual Report published in August 2023 reported a 58% deficiency rate for broker-dealer firm inspections conducted in 2022, and stated that the rate was, “unacceptably high.” That compares to a 40% deficiency rate for issuer firm inspections in 2022, so the difference is considerable. See our September 2023 article that talks about the report - Broker Dealer Reruns: Haven’t I Seen This Before? (jgacpa.com)

Auditors have, understandably so, argued that they need more guidance from the PCAOB to correct these deficiencies. It looks like the Staff has heard the pleas based on this Spotlight. Here are a few of the key observations by the staff in the report, and our recommendations for firms.

PCAOB Finding: Insufficient Understanding of the Broker-Dealer Industry

“In addition, broker-dealer specific training for auditors is not widely available. Typically, only larger audit firms offer in-house training and have acquired extensive broker-dealer audit experience that is shared with audit firm personnel. While there are a few vendors who offer quality training, course offerings are limited throughout the year.”

The point is that the broker-dealer industry is specialized; you can’t simply be a good auditor and conduct a quality broker-dealer audit without obtaining the requisite understanding of the rules and regulations. For example, the auditor of a broker-dealer also provides an opinion on the supplemental information (e.g. Net Capital Computation, Reserve Formula Computation, etc.), and evaluates whether the supplemental information, including its form and content, is presented in conformity with 17 C.F.R. §240.17a-5 . That involves determining whether the broker-dealer's net capital computation is complete and accurate. Net capital includes assets that are “allowable” or “non-allowable” in the computation. And sometimes an otherwise allowable asset per Rule 15c3-1 may actually be non-allowable if, for example, there isn’t a particular clause in a clearing agreement. And sometimes an asset that is otherwise non-allowable per Rule 15c3-1 can be allowable if certain other conditions are met. The nuances exist in various SEC interpretations released over the last 50 or so years.

These nuances are difficult enough for audit professionals with decades of broker-dealer audit experience. If engagement teams don’t gain that specialized knowledge, they won’t know what they don’t know, and will not be set up for success.

We continue to see opportunities for engagement teams to have more BD-specific experience on the team. Training is one way to raise the bar, but that leads to the next problem – there simply isn’t a lot of high-quality broker-dealer audit training out there!

While providing broker-dealer audit training to our clients, we have found that general training is often not sufficient to meet their needs and/or remediate PCAOB findings. For example, a general training on auditing a common broker-dealer that claims a (k)(2)(ii) exemption and introduces customer transactions to a clearing broker-dealer, will not help an engagement team audit a broker-dealer that specializes in mergers and acquisitions.

As the Staff also emphasizes in the Spotlight, there is also an overreliance on standardized audit programs. We don’t look at these topics separately. We work with auditors to tailor their audit programs to the types of broker-dealers they audit and train their engagement staff to apply the programs to the facts and circumstances of their audits.

PCAOB Finding: Overreliance on Standardized Audit Programs

Inspectors found that standardized audit programs “may not be all encompassing, may reflect only certain criteria in the standards, and may be limited in the scope of procedures to be completed…these programs typically must be tailored to reflect the nature of the broker-dealer’s business operations, internal controls, and financial reporting and attestation risks.”

In my time as a PCAOB Inspection Leader, I saw this time and time again. Audit firms subscribe to “off-the-shelf” audit methodology providers and rely on the audit programs they provide. Engagement teams follow the programs, fill them out completely, and still, they don’t conduct sufficient procedures. How can that be?

Said differently, the audit programs are a good resource and a great foundation, but they are a guide and simply cannot account for every risk in the audits of your client portfolio. That holds true for any audit, but especially so for unique, complex broker-dealer industry audits. The audit programs are not a substitute for understanding the complexities of the broker-dealer industry (see above regarding the need for industry-specific training). In our work performing practice monitoring reviews for BD audits, we have seen cases where methodology doesn’t get down to the level necessary to force the understanding and documentation of a robust workflow to identify the risks at the assertion level necessary to sufficiently design test procedures.

Based on our work with firms, the best path to success is to start with the standardized programs and then tailor them to the types of broker-dealers they audit. For example, if a firm audits broker-dealers that are involved in contractual revenue streams, such as the private placement of securities, we add in steps to address the key elements of revenue recognition within those transactions, such as obtaining evidence of the closing of the transaction, reviewing the contracts for possible claw backs, etc. These are specific considerations that are unlikely to be covered by a standardized audit program.

PCAOB Finding: Low-Cost Providers and the Pace of Auditor Changes

The staff reported that about a third of all broker-dealer audits have budgets of 40 hours or less and fees of $10,000 or less.

These small audits, we believe are the root cause of many audit deficiencies. In the Spotlight, they said everything that is possible without saying it. Take into consideration these points mentioned above :

the need for high-quality, broker-dealer industry specific training
the need to go beyond the standard audit programs
the need to conduct a rigorous risk assessment process that includes obtaining a sufficient understanding of the broker-dealer’s operations
revenue transaction cycles
related controls that will enable auditors to tailor their planned audit procedures more effectively

Now do all of these points in 40 hours or less and collect $10,000. You can start to see why this doesn’t work. Conducting quality audits under that model is not sustainable, especially when the PCAOB levied a record amount of fines in 2023. Auditors would be wise to consider whether retaining a $10,000 audit client under these circumstances is worth the risk of being sanctioned and fined considerably higher dollar amounts.

The Spotlight also highlights that about a third of broker-dealers audited by firms inspected during 2022 changed audit firms in the last three years. There are a variety of reasons for changing auditors, but in my experience, cost is the most common reason. Many of the low-cost providers that did not conduct audits in accordance with PCAOB Standards have been sanctioned and shut down by the PCAOB. But there are still some out there.

My advice is to enhance your client acceptance and continuance process. The Staff touches on this in the Spotlight as well. Determine whether your firm has the expertise and tools to complete the audit in accordance with the standards. Specifically, when assessing the skills of the potential engagement team personnel, in my previous roles as SEC examiner and PCAOB inspector, I often saw that audits would be accepted and staffed with personnel with a range of broker-dealer industry experience. But not all broker-dealers are the same. Just because a firm has a team that has audited introducing broker-dealers doesn’t mean it should or could accept an engagement of a clearing broker-dealer, or even another exempt broker-dealer that engages in complex trading activities and hold difficult-to-value securities. It’s important to understand the detailed activities of the broker-dealer prior to accepting it as a client to ensure that your firm has the staff with the requisite expertise to complete the audit.

In addition, use the acceptance process to set reasonable budgets and charge a fee that will allow you to conduct audits that meet PCAOB Standards. I even recommend sending the PCAOB Spotlight to your clients to start a conversation about the need to invest more time (and money) on audit quality improvements. I’ve been there and understand the challenge – many smaller broker-dealers don’t understand why it takes so many hours to do a quality audit, so show them.

If the client refuses to pay the reasonable fee, let the client go to a low-cost provider that will be out of business in a couple years. That will keep you from becoming one of those firms that are out of business in the next couple of years.

Other Findings and Next Steps

There is a lot more in the Spotlight that can lead to higher quality broker-dealer audits, including applying professional skepticism, gaining experience with PCAOB Standards, having an effective EQR, and establishing a robust client acceptance and continuous process. I recommend spending time reviewing the Staff’s insights and consider how you can use them to increase your firm’s audit quality related to broker-dealer audits.

Don has more than 23 years of regulatory examination, audit, and audit regulation experience, focusing on the broker-dealer industry. He previously served as an Inspections Leader in the Broker-Dealer Firm (BDF) Inspection Program at the PCAOB. His key activities as Inspection Leader included transforming the inspection approach, leading inspection teams, assessing auditor and examination procedures, and reviewing comment forms. He also served as Risk Assessment and Selections Leader for the BDF Program, where he was responsible for selecting audit firms/broker-dealer audits for inspection and served as a liaison between BDF Program and the SEC. During his 12-year tenure at the SEC, Don served as Examination Manager / Branch Chief, Broker-Dealer Examinations, in the Chicago Regional Office.

JGA Pleased To Sponsor 2024 ALI-CLE Accountants' Liability Conference

Thu, 29 Feb 2024 22:22:28 GMT

Johnson Global Advisory (“JGA”) is pleased to sponsor the American Law Institute Continuing Legal Education’s two-day event live in Washington, D.C. and virtually online on May 16th and 17th. Join us and gain insights and perspectives on wide range of hot-button issues. The 2024 conference promises to be better than ever. Hear the latest, engage with colleagues, and stay current in your field.

This year’s program is still being finalized but planned topics include:

Accounting litigation trends
New and proposed accounting standards
Artificial intelligence in the accounting profession
Quality controls and other emerging regulatory issues
ESG/climate accounting
Strategic considerations in regulatory investigations
Beyond the Big Four
SEC perspectives
PCAOB inspection program

About Johnson Global

Joe Lynch, JGA Managing Director to Speak at AICPA® & CIMA® ENGAGE 24

Thu, 15 Feb 2024 06:20:52 GMT

Johnson Global is pleased to announce that Joe Lynch, JGA Managing Director will speak at the AICPA® & CIMA® ENGAGE 24 Conference on June 3–6, 2024, at the ARIA Resort & Casino in Las Vegas, NV and live online.

This CPE-eligible event is one of the largest annual gatherings of standards setters, regulators, and accounting professionals to discuss the year’s biggest accounting, auditing, and regulatory developments.

Joe will speak during the following sessions:

NAA2404. Quality Management for Sole Practitioners and Small Firms
NAA24101. Quality Management: Path to Implementation

*This offer can only be combined with section and credential discounts. It cannot be combined with any other discounts or incentives, not valid on previous purchases. Not valid on group discounts.

About Johnson Global

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigates those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Johnson Global Accountancy Expands to Washington, D.C.

Mon, 29 Jan 2024 20:58:32 GMT

Washington, D.C. : Johnson Global Accountancy (“JGA”) is excited to announce our plans to open a new office in the District of Columbia region this year. The new location is slated to be in beautiful downtown D.C., two blocks northwest of the White House.

This planned expansion comes at a time when JGA is growing rapidly. With pressure from increased audit regulation and market dynamics, public accounting firms are seeking advice on audit quality issues.

“Our new location will provide us with a new home to further engage with stakeholders worldwide, who are committed to audit quality and investor protection,” says JGA Managing Director. “I am thrilled to continue planning of a gathering place for our growing DC-based team of directors and managing directors to work together to advise audit firms on actions to transform their practices to meet audit quality initiatives. We look forward to engaging with our clients and stakeholders in the nation’s Capital!”

JGA has continued to serve clients and is passionate and practical in supporting firms through their audit quality journey.

“Having a place to call home in D.C. allows JGA to further its mission to be the most innovative and technically excellent advisory firm at the intersection of companies, auditors, and regulators, that improves investor decision-making confidence. I look forward to welcoming our JGA staff, clients, colleagues, and other key stakeholders in the audit quality ecosystem to our new office,” says Jackson Johnson, JGA President.

About Johnson Global Accountancy

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

The PCAOB and China: What’s Happened Since the HFCAA Became Law

Mon, 29 Jan 2024 20:41:26 GMT

Since the signing of the Holding Foreign Companies Accountable Act (“HFCAA” or “Act”) into law in December 2020, the Public Company Accounting Oversight Board (“PCAOB”), the accounting firms registered with the PCAOB that are headquartered in mainland China and Hong Kong (collectively, “China”), and their US-listed company clients have been very active.

Over the past three years we have seen –

US-listed companies based in China change auditors to accounting firms in PCAOB-accessible jurisdictions;
A game-changing agreement between China authorities and the PCAOB enabling unobstructed access to inspect and investigate China-based auditors registered with the PCAOB;
The completion and publication of the PCAOB’s first full inspections of two China-based accounting firms; and
The first enforcement actions of China-based firms as a result of using its full investigative authority.

We explore more about what has happened over the last three years, what China-based accounting firms may expect from the PCAOB in 2024, and the challenges they face.

The HFCAA and the PCAOB’s Initial Determination it was unable to Inspect and Investigate China Auditors Fully

The HFCAA was enacted to address the limitations on the PCAOB’s ability to inspect and investigate PCAOB-registered public accounting firms headquartered in China because of positions taken by authorities in the People’s Republic of China (“PRC”).

According to the HFCAA, the PCAOB is required to determine whether it is “unable to inspect and investigate completely because of a position taken by an authority in the foreign jurisdiction” (e.g., China and Hong Kong). This determination is made by the PCAOB Board annually in accordance with the PCAOB’s rules ¹ . If the PCAOB does not have complete access for inspections and investigations for two consecutive years, the SEC would be required to prohibit trading in the securities of issuers engaging those audit firms ² .

China-based US-Listed Companies Change Auditors

In December 2021, the PCAOB issued a report on its determination (the “Initial Determination”) that it was unable to inspect or investigate PCAOB-registered public accounting firms headquartered in mainland China and Hong Kong because of positions taken by the PRC ³ .

In March 2022, the SEC published a list of China-based US-listed companies that SEC staff identified were subject to possible trading prohibitions if the PRC did not permit the requisite access to the PCAOB, as required by the HFCAA. The SEC has continued to update the list on a rolling basis since March 2022, which now encompasses 174 companies (the SEC’s “Conclusive List”) ⁴ .

The reaction by many China-based companies from the PCAOB’s Initial Determination and their appearance on the SEC’s Conclusive List was to change auditors in an apparent attempt to avoid the threat of having their stock delisted in the United States. After the Conclusive List was first published, 24 of those companies changed auditors, according to an article published by NikkeiAsia. ⁵

Accounting firms in the US and Singapore were the primary beneficiaries of the fallout, according to the article ⁶ . Accounting firms that were and may continue to be beneficiaries of the reshuffle should carefully consider whether they have the scalability and quality controls in place to take on multiple audit clients over a short duration. Although the PCAOB’s settled enforcement action with Marcum LLP ⁷ is an extreme example of what can go wrong when accepting too many clients at once, any firm that has taken on multiple China-based clients in short duration is at a heightened risk of a PCAOB inspection, investigation, and possible enforcement action.

PCAOB Obtains Access to Inspect and Investigate Completely

In August 2022, the PCAOB announced that it signed a Statement of Protocol with the China Securities Regulatory Commission and the Ministry of Finance of the People's Republic of China, marking the first step toward opening access for the PCAOB to inspect and investigate PCAOB registered public accounting firms headquartered in mainland China and Hong Kong completely ⁸ . This was a game changer for the PCAOB and investors in US-listed companies with China-based auditors.

Inspection Results of the First Two Firms

As a consequence of the Protocol, the PCAOB was successful in conducting its first two full inspections of China-based audit firms in 2022. In December 2022, the PCAOB vacated its Initial Determination because of the full access it experienced ⁹ and the SEC followed suit by acknowledging that there are no issuers currently at risk of having their securities subject to a trading prohibition ¹⁰ .

In May 2023, the PCAOB published the inspection reports of the two firms it inspected in 2022: KPMG Huazhen LLP (“KPMG Huazhen”) in mainland China and PricewaterhouseCoopers in Hong Kong (“PwC HK”). As the PCAOB suspected, there was a high rate of deficiencies, including part I.A deficiencies, which the PCAOB defines as having such significance that the PCAOB believed the firm, (i) at the time it issued its audit report(s), had not obtained sufficient appropriate audit evidence to support its opinion(s) on the issuer’s financial statements and/or ICFR or (ii) in audit(s) in which it was not the principal auditor, had not obtained sufficient appropriate audit evidence to fulfill the objectives of its role in the audit.

According to the inspection reports –

KPMG Huazhen ¹¹ was the principal auditor of 30 US-listed audit clients and participated in the audits of 77 other US-listed company audits. Of these, the PCAOB selected four audits for inspection, all of which were determined to have Part I.A deficiencies.
PwC HK ¹² was the principal auditor of three US-listed audit clients and participated in the audits of 27 other US-listed company audits. Of these, the PCAOB selected four audits for inspection, three of which were determined to have Part I.A deficiencies.

Deficiencies were numerous and found in the financial statement areas of cash, revenue (and related accounts), inventory, other investments, goodwill and intangible assets, long-lived assets, and significant transactions, and involved departures from the following PCAOB rules and standards:

Audit evidence (AS 1105)
Audit documentation (AS 1215)
Communications with audit committees (AS 1301)
Auditing internal control over financial reporting (AS 2201)
Responding to the risk of material misstatement (AS 2301)
Substantive analytical procedures (AS 2305.16)
Audit sampling (AS 2315)
Consideration of fraud in a financial statement audit (AS 2401.61)
Auditing accounting estimates (AS 2501)
Auditor reporting on financial statements (AS 3101)
Form AP - reporting of certain audit participants (Rule 3211)

The PCAOB acknowledges that it is not unexpected to find numerous deficiencies in jurisdictions that are inspected for the first time and that the deficiencies identified by the PCAOB above are consistent with the types and number of findings the PCAOB has encountered in other first-time inspections around the world ¹³ . These deficiencies have not resulted in an enforcement action with these firms at this time.

These two firms will almost assuredly be inspected again in 2024 or 2025.

PCAOB Enforcement Activity

The PCAOB was also very active in sanctioning China-based accounting firms since it obtained access to fully investigate China-based accounting firms in the PRC. In 2023, the PCAOB published three settled enforcement actions with PCAOB registered firms based in China. Two of the cases involving PwC were the direct result of information learned in the inspections the PCAOB conducted in 2022 after securing complete inspection access, according to the PCAOB’s press release announcing the settlements ¹⁴ . The following summarizes the PCAOB’s findings and corresponding money penalties imposed (refer to the related Orders for other sanctions), according to the PCAOB’s Orders published on its website –

PwC China and PwC HK violated the integrity and personnel management elements of the PCAOB quality control standards by failing to detect or prevent extensive, improper answer sharing on tests for mandatory internal training courses ¹⁵ . These firms agreed to collectively pay $7 million in money penalties to settle their cases.
Shandong Haoxin and four of its auditors falsified an audit report, failed to maintain independence from their issuer client, and improperly adopted the work of another accounting firm as their own. Interestingly, the US-listed company that was the audit client disclosed in the Order (Gridsum Holding Inc.) is not listed on the SEC’s Conclusive List. The firm agreed to pay $750,000 and the four auditors collectively agreed to pay $190,000 to settle the matter ¹⁶ .

What to Expect in 2024

In a May 2023 news release by PCAOB Chair Erica Williams, she stated, “[t]he two firms we inspected in 2022 audited 40% of the total market share of U.S.-listed companies audited by Hong Kong and mainland China firms, and we are on track to hit 99% of the total market share by the end of this year.” ¹⁷ In addition, The 2024 PCAOB Budget includes the resources necessary to continue to drive inspection activities in support of the PCAOB’s mission to protect investors, “including inspecting the remaining firms registered in mainland China and Hong Kong under our mandate.” ¹⁸

These statements suggest the PCAOB continues to have unobstructed access to inspect and investigate PCAOB registered firms in China and Hong Kong. Accordingly, it is expected that –

The PCAOB will release the inspection reports of the accounting firms that comprise the remaining 56% of the 99% of the total market share of U.S.-listed companies audited by China accounting firms in or about May 2023, and we anticipate those reports to continue to reveal that firms based in China have a lot of work to do to improve audit quality.
Any remaining China-based accounting firms that have not been inspected—those making up the remaining 1% of the total market share—and follow-up inspections on those initially inspected are likely to occur this year, in 2024; and
The PCAOB’s Division of Enforcement and Investigations will likely have continued to receive referrals from the Inspection Division as a result of the 2023 inspections of China-based accounting firms, and there will be multiple enforcement actions in 2024 or later as a consequence.

What Firms in HK and China Should Do Now

Prepare for initial inspection: An inspection is an examination of both the firm’s quality control policies and selected applicable client engagements. In essence, the inspection begins before the firm has even started an audit. An effective system of quality control provides the firm with reasonable assurance that its personnel comply with applicable professional standards and the firm’s standards of quality. In addition to reviewing the firm’s quality control documentation, the inspectors will review the audit work papers of the selected audits. Therefore, it is imperative that audit documentation be robust, easy to follow, provide a clear road map from planning and risk assessment to the conclusions reached, and is fully assembled in compliance with PCAOB standards. The achievement of these two objectives will go a long way toward making the firm’s initial inspection a smooth one.

Post-inspection: The next step for firms after their initial inspection is to perform a root-cause analysis and remediate. A sound remediation plan that includes (i) focused training (ii) enhancements to policies, procedures, and methodologies; (iii) the adoption of PCAOB-specific audit tools and templates; and (iv) the implementation of pre-issuance reviews on riskier audits and post-issuance reviews of completed audits are just a few of the things firms can do to prevent poor inspection results and avert a referral to enforcement.

Conclusion

In sum, every audit should be conducted with the highest level of quality and with the notion that your audit will be selected for a PCAOB inspection. The published inspection reports and enforcement actions of the China-based accounting firms should serve as a guide. Read them carefully and revisit the standards cited therein to understand precisely why the firms were criticized and how the standards should be applied. Make audit quality your top priority.

PCAOB Rule 6100.
This was originally three years in the HFCAA, it was reduced to two years with the singing of the Consolidated Appropriations Act, 2023.
PCAOB Makes HFCAA Determinations Regarding Mainland China and Hong Kong.
The list is located on the SEC’s website at SEC.gov Holding Foreign Companies Accountable Act.
Chinese companies switch auditors to avoid U.S. delisting risk - Nikkei Asia , May 16, 2023.
Id.
See PCAOB press release: Imposing $3 Million Fine and Requiring First-Ever Changes to Supervisory Structure, PCAOB Sanctions Marcum LLP for Significant Quality Control Violations | PCAOB (pcaobus.org)
PCAOB Signs Agreement with Chinese Authorities, Taking First Step Toward Complete Access for PCAOB to Select, Inspect and Investigate in China | PCAOB (pcaobus.org) .
FACT SHEET: PCAOB Secures Complete Access to Inspect, Investigate Chinese Firms for First Time in History | PCAOB (pcaobus.org)
SEC.gov | Holding Foreign Companies Accountable Act
2022 - KPMG China - Inspection Report
2022 - PwC Hong Kong - Inspection Report
PCAOB Secures Complete Access to Inspect, Investigate Chinese Firms for First Time in History | PCAOB (pcaobus.org)
FACT SHEET: PCAOB Imposes Historic Sanctions on China-Based Audit Firms
In the Matter of PricewaterhouseCoopers and In the Matter of PricewaterhouseCoopers Zhong Tian LLP
In the Matter of Shandong Haoxin Certified Public Accountants Co., Ltd., et al
PCAOB Releases 2022 Inspection Reports for Mainland China, Hong Kong Audit Firms | PCAOB (pcaobus.org)
Chair Williams’ Statement Before the SEC Open Commission Meeting on the PCAOB’s Proposed 2024 Budget | PCAOB (pcaobus.org)

2023 AICPA & CIMA Conference: Key Takeaways and What Auditors Need to Know

Fri, 15 Dec 2023 15:49:44 GMT

The 2023 AICPA & CIMA Conference on current SEC and PCAOB developments recently wrapped-up, and consistent with the theme of “Clarity”, there were great insights from the key accounting and auditing regulatory stakeholders including the SEC, the PCAOB, and the FASB. Enforcement, Audit Quality, Standard Setting Agenda and Firm Culture, in addition to Artificial Intelligence (“AI”), Environmental, Social & Governance (“ESG”) as well as Talent pipeline and retention were relevant topics frequently discussed during the three-day conference.

What are the top agenda items for the regulators?

For FY 2024, practitioners should expect a ramp-up of enforcement activities from the PCAOB and SEC as both entities continue to maintain a strategic focus in this space. Representatives from both regulators mentioned the increased enforcement actions and penalties assessed through orders. The Board stressed that the deficiency rate on inspection is trending in the wrong direction and noted that the PCAOB is expanding the criteria used to identify cases and the areas evaluated. The Board also indicated that auditors only find about 4% of frauds and that this is not consistent with the expectations of investors.

Two emerging enforcement actions for the year included the answer sharing by Firm professionals and continued independence violations.

The Board further indicated additional priorities in addition to expanded enforcement efforts related to expediting the issuance of inspection reports, new standard on noncompliance with laws and regulations, or NOCLAR proposed, and pressing ahead with enhancing and updating most of the interim PCAOB standards going back to the inception of the Board. The pipeline is busy, and practitioners should be prepared and diligent with these sweeping changes. Stakeholders were encouraged to participate in both the PCAOB and SEC’s standard setting by offering input through comment letters to proposed standards.

Focus areas for the inspection program of the Board include a continued focus on fraud procedures, audit of digital assets, financial services audit, risk assessments and auditor independence. Given the increased deficiency rate the PCAOB inspection program will also launch the US Global Network Firm Culture Review Initiative in 2024.

Practitioners and Firms are encouraged to take advantage of the Boards remediation process that incentivizes firms to figure out where they went wrong and provides a collaborative feedback loop through a root cause analysis to get it right. Firms need to be very proactive and start early with their remediation efforts during the one-year grace period to improve audit quality.

The SEC continues to focus on the classification of the statement of cash flows and encouraged auditors to attribute the same level of scrutiny of the statement of cash flow as they do other statements in the financials. The SEC also advised on the limits of the use of other auditors and cautioned auditors to understand the work of the other auditor, clearly communicate the work request to the other auditor and evaluate whether the auditor can still be the principle.

The SEC indicated that firms should consider the limits use of other auditors and consider whether the firm is really in the position to be the principal auditors, especially when the other auditor is performing significant parts of the audit. The principal auditor should understand the quality of the work of the other auditor and engage the other sufficiently and ensure clear communication. Additionally, the SEC indicated that the filing of the Form AP is not a perfunctory exercise and is used to inform investors.

Key Take-Aways from the Securities Enforcement Forum

Tue, 21 Nov 2023 14:59:34 GMT

During the “Key Developments for Asset Managers, Broker-Dealers, Private Funds and Hedge Funds” panel at the Securities Enforcement Forum last month in Washington, DC, the panelists highlighted a settled enforcement action against an audit firm and the engagement partner relating to the audit of two private funds. This should alarm, and put on notice, all auditors that perform audits of private funds that the SEC’s enforcement reach extends to them.

In this matter, the SEC alleges that the engagement partner, and the firm did not (i) adequately respond to significant risks identified during the planning stage of the audits, (ii) obtain sufficient appropriate audit evidence to support the audit opinions, (iii) prepare sufficient audit documentation, or (iv) exercise due care and professional skepticism in conformity with U.S. generally accepted auditing standards. Moreover, the engagement partner allegedly did not adequately supervise the audit engagement and the firm did not adhere to American Institute of Certified Public Accountants' quality control standards.

Consequently, the firm settled to be censured and to implement undertakings to retain an independent consultant to review and evaluate certain of its audit, review, and quality control policies and procedures. The engagement partner agreed to a one-year suspension from practicing before the Commission as an accountant pursuant to Rule 102(e)(1)(iv)(B) of the Commission’s Rules of Practice, because of alleged “negligent conduct” for “repeated violations” of GAAS, according to the SEC’s Order. There was no civil money penalty.

In this case, the SEC did not identify the names of the funds that were the subject of the audits and, therefore, it is presumed there was no financial statement or disclosure errors or fraud at these funds or committed by the funds’ management. This case emphasizes the SEC’s quest to hold gatekeepers like auditors accountable for negligence acts in the conduct of an audit of a private entity even when there is no underlying financial reporting issue.

JGA to Sponsor 2023 AICPA Conference

Wed, 08 Nov 2023 21:33:41 GMT

Johnson Global Accountancy (“JGA”) is pleased to sponsor the AICPA & CIMA Conference on Current SEC and PCAOB Developments, Dec 4-6, 2023, Washington, DC, and live online.

“With so much change happening throughout our industry, this conference will set the stage for what we can expect from US and international audit and accounting leaders today and in the future,” stated Jackson Johnson, President of JGA. “I am also excited to participate in a live conference and reconnect with our clients, colleagues, and industry peers.”

Come join us and meet our team of experienced client service professionals in-person at our booth.

About Johnson Global Accountancy

JGA Welcomes Tanieke Samuel as a Director

Mon, 06 Nov 2023 19:27:17 GMT

Johnson Global Accountancy (JGA) is pleased to announce Tanieke Samuel, CPA, CFE. Tanieke is a Director at Johnson Global Accountancy and has more than 17 years of experience in audit and auditor oversight. She previously served as an inspector in the Broker-Dealer Firm Inspection Program at the PCAOB in the Division of Registration and Inspections. In her 12-year tenure at the U.S. audit regulator, Tanieke conducted inspections of audits and systems of quality control of firms, was instrumental in projects to improve inspection methodology, manuals and guides for the Division and developed and delivered trainings to inspectors in the Broker-Dealer Firm Inspection Program.

“I am grateful that Tanieke chose JGA for the next step in career to advance global audit quality," stated Jackson Johnson, JGA President. "Her 12-year tenure at the PCAOB serving as an inspection leader will provide fresh new insights to all of our firm clients worldwide.”

Prior to working at the PCAOB, Tanieke was a manager at Deloitte where she participated in the audits of some of the largest global financial institutions in the world. She holds a BBA in Accounting from Baruch College, and a Masters in Cybersecurity Risk and Strategy from NYU. Tanieke is based in New York City.

“I’m excited to be part of such a dedicated team of talented professionals at JGA," said Tanieke Samuel, JGA Director. "I look forward to furthering the organization’s mission by using the expertise and knowledge gained through inspection and industry experience in improving the audit profession and investor decision-making confidence.”

The addition of Tanieke increases JGA’s professional services team to include thirteen former PCAOB staff, with a cumulative 137 years of service at the PCAOB and SEC, and more than 124 years of experience auditing public companies. She holds a B.S.B.A. in Accounting from Baruch College, and a Masters in Cybersecurity Risk and Strategy from NYU. Tanieke is based in New York City.

Read more about Tanieke, and others' roles at JGA, here .

About Johnson Global Accountancy

JGA is dedicated to helping public accounting firms around the globe achieve the highest level of audit quality. Led by CPAs and former PCAOB inspection staff, JGA professionals are passionate and practical about working alongside firm leadership to ensure the right controls, policies, and practices are implemented throughout the organization.

JGA Welcomes Vernon Johnson as a Director

Mon, 06 Nov 2023 19:27:10 GMT

Johnson Global Accountancy (JGA) is pleased to announce Vernon Johnson, CPA has joined as a Director at Johnson Global Accountancy (“JGA”). Vernon has more than 20 years of experience in audit, audit regulation, and corporate financial and internal control reporting. He served 10 years as an inspector in the Division of Registration and Inspections at the Public Company Accounting Oversight Board (“PCAOB”), inspecting systems of quality control and audits of global national accounting firms in many jurisdictions. His industry oversight at the PCAOB included insurance, retail and manufacturing, consumer and industrial, financial institutions, mining, and software.

Most recently, Vernon served as a corporate director, leading key SOX oversight over a number of business lines at one of the largest global financial institutions in the world. His corporate experience also includes an officer position at the World Bank. Vernon is KPMG alum, where he was a senior manager conducting global SEC audits.

The addition of Vernon increases JGA’s professional services team to include thirteen former PCAOB staff, with a cumulative 137 years of service at the PCAOB and SEC, and more than 124 years of experience auditing public companies. He holds a BSBA from Berea College and an MBA from Eastern Kentucky University. Vernon is based in the metro D.C. area. Read more about Vernon here .

JGA Sponsors Osprey Village 5th Annual Fall Golf Tournament

Mon, 23 Oct 2023 23:12:34 GMT

JGA is a proud sponsor of this year’s 5th Annual Fall Golf Tournament, hosted by Osprey Village, Inc. Join us on November 12 to golf for a good cause. Click here for more details

CPAB Audit Quality Insights Report: 2023 Interim Inspections Results

Tue, 17 Oct 2023 17:24:45 GMT

The Canadian Public Accountability Board (CPAB) released their 2023 Interim report providing a snapshot of themes and insights from their 2023 audit quality assessment to date. Click the link here to read the report.

Auditors Abound: The Differences Between Internal and External Audit

Mon, 02 Oct 2023 22:52:34 GMT

Auditors Abound: The Differences Between Internal and External Audit

Author: Shane Rogers and Jackson Johnson

It seems that in business, everywhere you look, interactions with auditors abound, whether management is responding to requests from internal audit, preparing for an external audit, or helping the external auditor prepare for their own audit from the PCAOB or a fellow peer inspection. Our regulatory environment is complex and given the overarching desire to preserve trust in the capital markets, various regulatory bodies have passed legislation creating a framework of diverse controls and safeguards. Companies must establish a control environment that ensures fair and accurate financial reporting; companies must also establish a system of internal controls that is effectively designed, operated, and monitored by management and thus internal audit entered the realm. However, because of potential conflicts of interest, independent auditors are critical to the financial markets, and thus external audit entered the scene. And of course, we all know about the failures of the self-regulated external audit industry, and thus the PCAOB entered the space.

We’ve been writing about the PCAOB for many years now. Today, however, we’re going to take a look at the differences between the roles of internal and external audit and how, when coordinated, they can create some powerful synergies.

Roles of Internal and External Audit

Let’s start first by defining the roles of internal and external audit.

Internal audit is typically a separate function within a company that has a formal mandate from the Board of Directors to review and assess the design and operating effectiveness of internal controls mitigating key financial and operational risks faced by the company. They often report directly to the head of the board, audit committee, Chairman or the Chief Executive officer, to ensure that important reported issues are sufficiently owned, actioned and mitigated. The primary focus of internal audit is to monitor the systems of internal control inside a company. While we often think of internal audit in the realm of financial reporting, internal audit’s scope can be much broader. Many companies use internal audit to objectively examine both financial and operational controls intended to mitigate key risks, and to report weaknesses in internal controls and to share forward-looking insights and feedback with management to help the business thrive. Internal auditors tend to have experience in the businesses that they review, and they use this knowledge to assess risks and evaluate the adequacy of internal controls. Although the name implies “internal” to the company, it’s important to know that many companies outsource internal audit to external companies; the distinction here is the focus of internal audit and who they report to. Internal audit is a corporate function with an objective mandate, which reports to the board, audit committee, or executive management.

External audit is as it sounds; the auditor that is external to a company. While they also report to management, their mandate is actually to protect investors and report to the audit committee. Whereas internal audit may be objective, depending on how reporting is structured, external auditors, by definition, must be independent of the company. External auditors are typically concerned only with financial reporting. Depending on the risks and the type of company, external auditors may test the design, implementation and operating effectiveness of internal controls over financial reporting, but they will always perform substantive procedures to audit the financial statements. External auditors understand the operations of a company, but they do not concern themselves with operational risks and controls unless they could potentially impact financial reporting. Whereas internal audit knows the client in and out, external audit knows the accounting and audit industry and often knows the client’s industry in and out.

External Audit Reliance on Internal Audit

When performing an audit of the financial statements, especially when it’s an integrated audit leveraging controls reliance, the auditing standards allow for external auditors to rely on the work of internal auditors. Traditionally, external auditors use internal audit to assist with the audit of internal controls over financial reporting and other relevant functional areas given internal audit’s knowledge base and objectivity. Though permissible, it is rare to use internal audit with substantive testing.

When relying on internal audit, the external auditor must evaluate both the objectivity and competence of internal audit. Objectivity is paramount since internal audit is still employed and/or engaged by management. Objectivity considers many of the following:

• Who makes the hiring / firing decisions around internal audit?

• Who controls performance evaluations and compensation decisions?

• How are internal auditors assigned tasks?

• Does the internal Audit team have sufficient financial and operational risk experience?

• What is the structure for supervision and review?

• Are internal audit workpapers of sufficient quality?

• Who does internal audit report to?

In theory, internal audit should always have a direct line of communication with the board of directors and the audit committee where they can raise any issues they identify.

Competence is more a matter of education and experience. External auditors typically review CVs as well as the internal audit organizational structure, audit methodology, and supervision and review model.

If internal audit is both objective and competent, then the external auditor may leverage the use of internal audit. The extent to which external auditors use internal audit will be a matter of professional judgement (as is everything in audit). As the risk of material misstatement increases, the less external audit will rely on the work of internal audit.

Depending on risk, external auditors will need to perform a mix of review, reperformance, and independent testing. All work from internal audit must be reviewed by the external auditor. Review includes evaluating internal audit’s sample size, the test procedures applied, the timing of the testing (and any year-end roll forward procedures) and the conclusions reached. Although technically leveraging internal audit’s work, the external auditor takes full ownership.

As the risk associated with the audit account increases, external auditors should consider a mix of reperformance and independent testing. Reperformance is as it sounds: reperforming the work of internal audit using the same samples and applying the same procedures to the same audit evidence. Independent testing, in terms of controls, means testing the same or similar controls and evaluating the conclusions reached. As a rule of thumb, external audit should be comfortable that it has performed sufficient testing in higher risk areas and should specifically perform direct testing on any areas that pose a significant and/or fraud risk.

Ostensibly, there is judgment involved in determining when and how to leverage the work of internal audit and whenever there is judgment, the key is documenting those considerations.

While external audit can rely on internal audit, the inverse is not true. Internal audit is inherently an extension of management and management’s controls and internal operations must be entirely independent of the external auditor. However, internal audit can leverage much of the knowledge and experience of external auditors to help improve and refine processes. Through planning discussions, internal auditors and external auditors are sharing information and views about perceived risks and best practices within the industry. There’s a fine line crossing over into consulting, which would breach independence, but external auditors often issue management recommendation letters sharing their thoughts from the audit and this same information can be discussed with internal auditors who often have more agency and insight into the company to drive improvements.

Best Practices

Considering the overlap between the two audit functions, let’s explore some of the best practices when working together.

First and foremost: coordinate! We encourage internal and external auditors to maintain close lines of communication throughout the year and well before the year-end audit crunch time; operating as trusted partners, both internal and external audit teams should look for opportunities to leverage each other’s perspectives for the common good. The quality of the ongoing relationship between external and internal audit is important as is the perceived quality of internal audits work-product. Scheduling planning calls and regular touchpoints throughout the year and during the year-end audit will help ensure a smoother delivery of testing work. Establishing a shared overall timetable and a diary of events helps to keep both internal and external audit on the same page and helps facilitate discussions around changes year over year, including scoping of accounts, locations and controls. While internal audit can offer input and insight, external auditors must maintain control in setting the scope for the audit, including selecting controls to test, setting sample sizes for testing and agreeing on testing procedures.

As with any audit, set clear timelines for performing, documenting, and reviewing planning, walkthroughs, interim and year-end testing. Once the timeline is agreed upon, keep regular touchpoints to monitor status and progress of the audit.

While external audit can leverage much of the work of internal audit, it is important that internal audit and external audit perform

joint walkthroughs . Walkthroughs often serve as the main procedure to understand the business processes and evaluate the design and implementation of controls. As this is a critical component of risk assessment, external audit must attend/perform these walkthroughs.

As testing begins, internal audit should regularly document and external audit should review work timely. Perhaps most important is dealing with issues when and as they arise. Because internal audit does most of the controls testing, its incredibly important that potential control exceptions be raised and discussed, both with management, as well as with external audit so that all parties are involved in the discussion and can adapt accordingly. Again, this speaks to the importance of regular touchpoints between internal and external audit to ensure all issues are triaged appropriately and to ensure a unified front between internal and external audit to both management and the audit committee, free of any mixed messaging.

Looking Forward

As the world debates various ESG initiatives, some sort of ESG reporting will be required, whether from regulators in Europe or domestically by the SEC, or simply because investors demand it. The ESG environment is still in its infancy and there’s no one set of standards for company reporting or for independent verifications of ESG reporting. However, we’d venture to say it will fall within the realm accounting and finance, including internal audit, within a company and the most logical external party would be independent external auditors. Time will tell, but certainly there is high likelihood of continued coordination and collaboration. Until then, it’s important for internal and external auditors to continue to coordinate and share knowledge improving internal operations within companies and enabling higher quality (and more efficient) audits!

Key Takeaways

• Internal audit has a clear mandate from the Board of Directors to be objective in assessing risks and the design and operating effectiveness of internal controls; internal audit has a strong knowledge of risk, processes and internal controls that can assist external audit.

• External audit is entirely independent of the company and they know accounting, auditing and client industries in and out; they can share valuable insights and feedback for internal audit.

• Internal audit must have the proper competencies and MUST be objective (i.e. have a direct line of communication to the board and/or the audit committee).

• External audit can leverage much of the work of internal audit, but the external auditor is still responsible for obtaining sufficient appropriate audit evidence to support the opinion, so the external auditor owns all final decisions.

• When leveraging the work of internal audit, external auditors should incorporate elements of review, reperformance and independent testing, depending on the risk. Internal audit should never be used for audit areas with significant and/or fraud risks.

• As with any audit, proper planning and coordination with all parties involved is critical. During planning, agree on project timelines, scope of work, expected deliverables, and communication protocols, including frequent touchpoints.

Shane Rogers , FCA, MBA, Independent Risk and Audit Consultant, Trainer, and Executive Coach, is the Founder of Rogers Global Audit Advisors, LLC (rogersglobalaudit.com). Shane is also President of CAW (Chartered Accounts Worldwide) Network USA and has 25+ years of experience in re/insurance, fintech, and investment banking. Shane helps businesses respond to risks and thrive by applying progressive, agile auditing and is a catalyst for positive risk culture and change.

PCAOB 101 – Part III: Exploring Enforcement Inquiries

Tue, 19 Sep 2023 15:34:25 GMT

PCAOB 101 Part III: Exploring Enforcement Inquiries is the third of our three-part series on the inspection process. Please also explore Part I: Preparing for a PCAOB Inspection and Part II: Navigating Inspection Week for additional insights.

PCAOB 101 – Part III: Exploring Enforcement Inquiries

The PCAOB has multiple divisions; the largest includes the Division of Registration and Inspections (or DRI). The second largest division is the Division of Enforcement and Investigations (or DEI). While the inspection process acts as a “monitor” ensuring firms adhere to the audit standards, identifying areas for remediation and improvement, the enforcement process is more akin to the “judge and jury” enforcing compliance and deciding on various repercussions for noncompliance. In Parts I and II, we cover the inspection process. Now, in Part III, we’re going to provide an overview of the enforcement process.

Enforcement Inquiries

The enforcement division performs both informal and formal inquiries as part of its information gathering process to determine whether to pursue an enforcement action or not. Through our work supporting firms and their in-house and external counsel through enforcement proceedings, we know that the sources of tips and referrals are not specifically disclosed, but DEI does have contact information for tips and referrals online on its website; these tips could stem from anyone whether auditors, investors or the general public. We also know that there appears to be a correlation between enforcement inquiries and a) engagements with poor inspection results, b) firms with repeat/recurring inspection deficiencies (indicating a failure to sufficiently remediate) and c) SEC matters including restatements and SEC investigations. Based on the potential severity of the matter, DEI will either launch an informal or formal inquiry. DEI leadership has confirmed publicly that DEI (i.e. inspection results) are the largest source of referrals to DEI attorneys.

Informal Inquiry

Most DEI matters start as an informal inquiry whereby the firm can expect to receive an information request. Inquiries can be targeted at a firm, employees of the firm, such as the engagement partner, engagement quality reviewer or even the engagement manager, or both the firm and its employees. In addition, the investigation could be focused on a specific engagement or may focus on the firm and its system of quality control, or both.

Although the inquiry is considered “informal,” be not deceived; all communication with the PCAOB’s DEI is formal and should be considered as information that will be reviewed and potentially used in the case against the firm or its employees. In other words, when receiving a DEI inquiry, presume potential litigation and respond very carefully.

The initial communication will not specifically detail the crux of DEI’s focus, but it will make specific data requests. Through these requests, firms can begin to narrow down the potential concern(s). For instance, enforcement will often ask for audit workpapers for a specific issuer, for specific years and sometimes for narratives regarding audit procedures performed in certain audit areas. Through the power of deduction, if a firm received poor inspection results months earlier in the same focus area, one can reason that DEI is likely investigating the same or similar matter.

The inquiry process starts with data requests, typically being audit workpapers, although firms will sometimes need to provide new / additional documentation depending on the requests. As well, DEI will often request email communications. This is a legal matter, so firms need to understand the preservation requirements and should not be deleting emails or other communication after receiving a DEI inquiry.

Documents must be provided in very specific formats that include the metadata (i.e. various tags linked to data files such as dates documents were created, modified, etc.). We recommend collaborating with counsel to ensure full compliance with the data requests; there are specific service providers that can help with the document production to ensure compliance with PCAOB expectations. Document requests can be very large, so don’t underestimate the time required to comply. While firms may ask for additional time if needed, a pro-active response from the firm demonstrates cooperation.

As DEI goes through the information provided, additional questions or documents may be requested, so there can be multiple phases of back-and-forth. If the enforcement team is unable to resolve its questions through the data requests and/or if the firm/engagement team is being non-cooperative, DEI will then launch a formal investigation through an Accounting Board Demand.

Formal Investigation

Although most investigations start through informal inquiries, some may begin directly with a formal investigation. The starting point is always the same: the document request. Once documents have been reviewed, testimony of individuals relevant to the investigation is often required. While DEI consists predominantly of lawyers, they also have accountants (i.e. auditors) who assist with the investigation process. For instance, while lawyers will build the case and determine the legal ramifications, they consult with accountants who assist in the review of data and advise on the technical auditing standards and rules of the PCAOB.

Interviews start with a set list of questions though these are not communicated in advance and the enforcement team could expand as needed. Typically, the interviews are geared towards the engagement partner, the EQR, and the engagement managers for engagement deficiencies and then firm-level professionals for more quality control related matters. Again, it will always depend on the scope of the investigation, but the enforcement team will make it explicitly clear who they want to interview.

Interviews can take entire days, but there are breaks built into the process, much like the inspection process. During these breaks, we find it beneficial for the firm and its staff to debrief the questions with its legal counsel as well as any accountants and/or PCAOB consultants. Legal counsel and the expert can help interpret the nature of the queries and help the engagement team understand the potential issues and where the PCAOB is going with its questioning.

Enforcement Actions

After testimony is complete, the enforcement team will review the totality of the evidence and conclude on whether to pursue an enforcement actions, if any. The most common actions include one or a mix of the following:

Fines of both individuals and/or of firms.
A permanent or temporary bar of individuals from associating with a PCAOB-registered firm
Revocation of the Firm’s PCAOB registration.
Restrictions on activities such as prohibiting taking on new clients or limiting the types of clients a firm or individual may audit.
Remedial actions, sometimes requiring an independent monitor to ensure appropriate execution.

As DEI evaluates enforcement actions, the investigation team will consider the cooperation of the firm and/or individuals involved in the investigation. Proactive responses, such as immediately remediating issues identified by PCAOB inspectors and investigators can also help reduce enforcement actions as it demonstrates that all parties involved take the matters seriously. Finally, transparency (read: honest and fully responsive) is paramount to the enforcement process. Whatever you do, do NOT modify audit workpapers ; the PCAOB requests metadata and will drill into modifications to workpapers.

With enforcement, this is truly a case of “no news is good news.” In the absence of enforcement actions, DEI will not specifically communicate the closure of an inquiry; rather firms will simply not hear anything additional from DEI. Much like the SEC and comment letters, regulatory bodies often reserve the right to continue to pursue matters in the future should additional information come to light and thus, there is no formal conclusion communicated to the respondents.

Preparation

As we stated earlier, nothing about the enforcement process is informal; firms and individuals need to take the process seriously. Just as with inspections, first impressions matter . When a firm receives an enforcement inquiry, we recommend consulting with legal counsel immediately. And, just as DEI uses both lawyers and accountants, so too, should firms engage both legal counsel and accountants (or PCAOB consultants) to help navigate the enforcement process. Lawyers and accountants can help to:

Interpret the data request to better understand the potential concerns and narrow down the scope as much as possible. Both legal and accounting support can also help determine the potential severity of the issue and the likelihood of advancement to further stages in the enforcement process.
Assist with the review of deliverables to the enforcement team. Part of that review is ensuring documentation is being provided as requested with the appropriate metadata. We’ve seen firms provide data without paying attention to the detailed requests and then having to go back and provide modified data. The PCAOB is strict regarding documentation modification and now, in addition to the general inquiry, the firm is left having to demonstrate that it did not in fact modify any of the workpapers, providing even more documentation. In addition, we have helped review written memos and firm replies to specific questions, ensuring that the documentation is fully responsive to the request.
Prepare individuals for testimony, coaching them on how to respond from a legal and technical accounting perspective, ensuring consistent communication. The key here is to be transparent in defending the work performed.

We’ve seen many firms attempt to handle informal inquiries on their own and then bring in legal counsel later in the process when the inquiry turns formal. The enforcement process can be costly, both in terms of time and money. Bringing in the right counsel early in the process can help maximize efficiency by doing it right the first time, provide complete and accurate responses and demonstrating to the PCAOB that the firm is professional and understands the potential gravity of the matter, creating a strong first impression. Of course, the best advice we can give is for firms to invest in strong quality controls and for engagement teams to apply the auditing standards and perform strong quality audits. Take the inspections process seriously and with clean inspections and quality audits, firms will likely avoid much of the hassle and the potential repercussions that come with enforcement. As with all things PCAOB, know that you don’t have to go it alone. For more information, refer to the PCAOB’s guide to proceedings and don’t hesitate to reach out to us; we’ve supported numerous firms through enforcement proceedings and know the process well.

Key Takeaways

First impressions matter. Hire the right legal counsel and accounting experts to help navigate PCAOB enforcement inquiries.
The first step in an inquiry is the documentation request. Be sure to provide a complete set of workpapers and documentation, adhering to the specific DEI requirements.
For depositions, be transparent: that means being honest and fully responsive to the questions and not avoiding or trying to withhold pertinent information.
Proactive firm and engagement team responses (and remedial actions, if relevant) and strong cooperation with the PCAOB DEI team can help reduce potential enforcement actions.

Chartered Accountants Worldwide Beyond Accounting- Beyond the Numbers Recap

Tue, 19 Sep 2023 15:31:19 GMT

Hear Jackson Johnson, JGA President and Shareholder provide insights into the audit failures in digital assets. This comprehensive program hosted by Chartered Accountants Worldwide explores various topics relating to the future of audit. We were pleased to co-sponsor this event and share our perspectives on upcoming developments.

Broker Dealer Reruns: Haven’t I Seen This Before?

Tue, 19 Sep 2023 14:58:51 GMT

I grew up in the 80’s and 90’s and I love late night reruns replaying some of the best television sitcoms, before streaming services changed the game. Seinfeld , Friends , Will & Grace , Frasier , or the ever-classic Three’s Company . Lately, it feels like I’m watching (well, in this case reading) a rerun of the PCAOB Broker Dealer report. In August 2023, the PCAOB released its Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers . While the report evolves with different graphics and metrics, when boiled down to the basic findings, it reads much like past reports (almost verbatim in sections). We’ve written about most of these in past articles, including, Nine Years and Still Running: Reflections on the State of the PCAOB’s Interim Broker-Dealer Inspection Program and Broker-Dealer Update: Two Years Later and Still Struggling . If the titles don’t say enough already, for better or for worse, there simply isn’t a lot of evolution of the nature of the findings.

Overall Findings

Perhaps the biggest takeaway this year is the fact that inspection findings are increasing. In last year’s report, the PCAOB stated that the overall deficiency rates were “unacceptably high.” And this year, deficiencies increased year over year at the engagement level as well as the firm quality control level (thanks in large part to engagement quality review findings). (See table at bottom of article.)

For context, the deficiency rate within the issuer inspection program also rose over the past three years. However, the issuer audit deficiency rate is lower with deficiencies in only 40% of audits in 2022 (34% in 2021 and 29% in 2020). So, while the negative trend is not a uniquely broker-dealer audit phenomenon, there is still a large discrepancy between 58% for broker-dealer firm inspections and 40% for issuer firm inspections.

Deficiencies Year Over Year

Within broker-dealer firm inspections, deficiencies remained high (or even increased) in the following focus areas:

Revenue
Net capital supplemental information
Contradictory evidence related to exemptions
Auditor’s reports and review reports
Documentation

While overall deficiencies increased, there was some positive news that is worth noting. There was a decrease in deficiencies in audits of customer protection supplemental information and going concern, and a decrease in deficiencies for examination engagements related to testing internal controls over compliance (ICOC). I highlight these improvements because customer protection and ICOC are, in my opinion, some of the most complex and most important areas of broker-dealer audits. So, progress in those areas is definitely a positive for the industry.

Although there has been little change to the standards over the past couple years, here are a couple new considerations specific to current developments we are noticing:

While ICOC deficiencies have decreased overall, the deficiency rate of 50% is still too high. When testing internal controls over compliance, it’s important to remember that this testing is on par with testing internal controls over financial reporting. While ICFR is held in high regard, the testing of ICOC required by AT 1 is actually more stringent. AT 1 requires the evaluation of internal controls over compliance during the period under audit and as of the period end. This means identifying controls and then evaluating the design and implementation and testing the operating effectiveness of those controls throughout the entire period and as of the period end. While not the same as an ICFR opinion, it requires similar testing. Often there is a perception that because it’s an attestation standard and the scope is specifically limited to the broker-dealer’s assertions required under SEC Rule 17a-5, that the work is not as exigent as PCAOB audit standards, but don’t be fooled.

Auditors are still struggling to evaluate broker-dealer's exemption reports. While the review procedures under AT 2 are not overly stringent, it’s important that engagement teams carefully read the requirements and perform the required review procedures. And as the PCAOB points out in its report, engagement teams should also consider the information learned during the audit of the financial statements. Often, there is evidence apparent from audit procedures performed over the financial statements that is contradictory to the exemptions claimed in the broker-dealer's exemption report that is missed. And finally, to make this more complicated, the SEC released updated guidance (Footnote 74) in July 2020 for operations that do not specifically fall under paragraph k of Rule 15c3-3, but still permit the broker-dealer to file an exemption report. And many broker-dealers that should be changing their assertions in their exemption reports to place reliance on Footnote 74 have resisted the change, making the auditor’s job more difficult.

Relevance and reliability and completeness and accuracy continue to emerge across all audits and reviews, whether in broker-dealer or issuer inspections. We cannot emphasize this enough. The first thing an associate learns is to tie everything back to the general ledger before performing any audit procedures. Similarly, now, the first thing (or maybe second thing, after tying out to the GL if possible) auditors should be doing is asking: “how is this audit evidence relevant and reliable (external information) or complete and accurate (internal information)?” Don’t forget that service providers act as an extension of management’s controls and thus information coming from a service provider (such as a clearing broker-dealer) should also be evaluated for completeness and accuracy. The PCAOB has more guidance coming through various new proposals to encompass additional information coming from external parties but maintained within the company’s systems; what this means is that the PCAOB is hyper-vigilant and is very conscientious that an audit is only as good as the audit evidence is relevant and reliable.

For the other deficiencies, we’ve delved into many of these focus areas before, so let’s not do our own rerun here. However, in reading through some of the deficiencies in the most recent report, we thought it was pertinent to call out the importance of review and supervision. While there are difficult and complex audit areas, yes, some of these deficiencies are “low-hanging fruit.” For instance: failures related to documentation and archiving, failure to obtain a management representation letter, failing to identify GAAP departures and omitted disclosures, and report deficiencies (including incorrect dating). These are simple errors that should be caught through proper review and supervision. While many claim the PCAOB is overly exigent, it does not excuse the lack of thorough review and supervision from firms, and we need to own our responsibility here.

New Quality Management Standards

One of the key differences between the broker-dealer and issuer inspection programs is the fact that the broker dealer program is still interim and not permanent. Without a permanent program, the PCAOB does not issue firm-specific reports and as a result, there is no required PCAOB remediation. Certainly, the PCAOB will follow-up on comment forms and ask what firms have done to address the engagement specific issues, but there is no mandatory remediation. While potentially a blessing (less mandatory regulatory procedures), we believe there is the shadow side of a curse. Mandatory remediation affords broker-dealer auditors an opportunity to engage with the PCAOB and have meaningful remediation discussions. These discussions could help clarify where and how firms are falling short and would offer feedback on the efficacy of remedial efforts.

Especially considering the new quality management standards (including ISQM 1 (IAASB), SQMS 1 (AICPA) and QC 1000 (PCAOB)), firms across the entire audit industry will be forced to formally start remediating deficiencies. Although these new quality management standards take effect at various times over the next couple years, firms need to begin planning for these changes today. The standards are all very similar and all include the requirement to perform a root cause analysis to understand the core issue contributing to audit quality deficiencies. Once the root causes are identified, firms will then need to implement remedial actions to address those issues. This is true for both AICPA and PCAOB audits, which means all US broker-dealer audit firms will be subject to these new requirements.

The requirement to perform a root cause analysis and remediate the issues is true regardless of whether the deficiencies are internally identified through in-flight reviews or externally identified through peer reviews or regulatory reviews, such as PCAOB inspections. In other words, broker-dealer audit firms will be required to implement firmwide remedial actions to address PCAOB inspection findings, but they won’t necessarily be afforded the opportunity to seek PCAOB feedback that would enable more informed remedial actions. In our view, this suggests an increased need for a permanent program, or at least an exchange with the PCAOB for firms to obtain current, relevant insights.

Until that day, however, we must keep the course, but know that in a world of reruns and déjà-vu, we’re here to help break the recurring cycle, whether triaging specific PCAOB comments, helping identify root causes or providing feedback on remedial actions. After inspecting hundreds of audits, we’ve seen the gamut and sometimes, it does feel like a rerun of an old television sitcom, though a little less comical.

Key Takeaways

Deficiencies in broker-dealer audits increased year over year and remain significantly higher than the deficiency rates found in the issuer inspection program.
The deficiencies are recurring in nature and continue to revolve around auditing revenue and net capital supplemental information, examining ICOC, and reviewing exemption reports.
Though not specific to a focus area, the concept of relevance and reliability and completeness and accuracy is pervasive in all findings and with the continued integration of IT throughout every part of business, this theme will continue to rise in significance.
Supervision and review are paramount to audit quality.
New quality management standards will soon require all audit firms issuing opinions under ISA, AICPA and PCAOB standards to identify root causes for engagement and firm-level deficiencies and implement remedial measures to address the issues.

PCAOB Releases Proposed Amendments to Auditing Standards Related to a Company’s Noncompliance with Laws and Regulations

Wed, 16 Aug 2023 13:34:58 GMT

In response to the Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations , JGA has provided comments on the proposed amendments . While JGA supports the need for investors to understand the risks of noncompliance with laws and regulations applicable to companies; we also highlight key aspects that may fall outside of the scope of auditor responsibility that should be considered in an effort to both enhance audit quality and better protect investors.

PCAOB 101 - Part II: Navigating Inspection Week

Mon, 14 Aug 2023 15:06:40 GMT

Picking up from Part I of our series on PCAOB Inspections and Enforcement , the opening meeting officially kicks-off the inspection. Remember, first impressions matter, so don’t take it lightly.

Remote vs. On-Site Inspections

Historically, most PCAOB inspections were on-site at firms’ offices. Then the pandemic came and the PCAOB was forced to go entirely remote. Now, as we navigate life in a “post-pandemic” era, inspections are a hybrid of on-site and remote.

Our preference is for on-site inspections. In-person inspections allow for engagement teams to develop rapport with the inspection team and helps boost overall morale through teamwork. For on-site inspections, the firm will need to coordinate meeting rooms for the PCAOB; typically, one room for the inspection team to work in and then a separate break-out room for meetings. We also encourage engagement teams to find a conference room where they can spend the day working on responding to questions and strategizing together. Once the PCAOB is on-site, be sure to check in on the PCAOB Monday morning, introduce the team, provide internet logins and troubleshoot any logistical concerns. Based on public remarks from the Director of the Division of Registration and Inspections at the PCAOB, and based on our current work with firms worldwide, travel for inspectors to conduct in-person inspections has resumed, including for non-U.S. Inspections.

For remote inspections, the PCAOB conducts its meetings purely through conference calls; some teams will be on camera, while others just use conference calls. During remote inspections, it’s important to schedule meetings ahead of time and send out invites to the appropriate individuals. Engagement teams often coordinate follow-up meetings after each of the PCAOB meetings where the team can privately debrief the questions and concerns arising during the PCAOB meeting. As a note, just because the PCAOB is remote does not mean that the team needs to be remote; we encourage engagement teams to gather in the office as this collaboration makes the inspection process easier with real-time discussions and knowledge sharing. We have helped many teams through PCAOB inspections and have found that getting the engagement team together in-person is incredibly beneficial.

Inspection Week Meetings

Inspection week could be described as a series of meetings where PCAOB inspectors pose questions, the engagement team responds and over the course of a week of back and forth, the PCAOB closes out questions and narrows down its concerns. Early in the week, the meetings tend to be organized by focus area and can typically last anywhere from one to two hours. For integrated audits, the first couple meetings are often led by the engagement team and consist of walking through the relevant processes and controls for the selected focus area. Once the process is fully understood, the PCAOB will then move on to posing specific questions about the controls and substantive testing.

The inspection team usually consists of the Inspection Team Leader as well as a financial statement inspector for each focus area and/or issuer (depending on the size of the issuer) and one IT audit inspector to support the entire inspection. Because the impact of technology is so pervasive in audits, we encourage engagement teams to include the member of the engagement team that support the IT aspects of the work in the PCAOB inspection meetings.

At first, the PCAOB will have many questions. Some may be higher level questions around risk assessment while others may be very detailed as they go through each of the specific workpapers. To respond to questions, we encourage engagement teams to dialogue with the PCAOB. If the answers to questions are easy to answer (with confidence), conversation demonstrates knowledge and mastery of the audit file. However, it is always acceptable to write down questions and defer responding until the following meeting. If a question is unclear and/or you cannot understand the relevance of a question, it’s also perfectly acceptable to ask the PCAOB to clarify the question and provide more context around the risk.

Inspection meetings should be attended by the engagement partner and the senior manager/manager as well as any relevant national office representatives and/or PCAOB consultants. We’ve sat through hundreds of inspection meetings and while we don’t respond for the engagement team, we listen to the nature of the questions and then help interpret/translate the PCAOB questions to the team afterwards. Generally, the engagement partner should be doing the bulk of the talking during meetings. It is not critical for the EQR or for more junior staff to attend the meetings, unless they are needed to speak to some of the questions. That said, sitting through a PCAOB inspection can be a great learning opportunity, listening to the types of questions and understanding the PCAOB’s concerns.

At the end of each meeting, the PCAOB will typically ask to set up the following meeting where they will expect responses to the questions already discussed and will then pose additional questions on the same focus area and/or other focus areas.

Concurrent with the audit inspection meetings, the PCAOB will also have meetings with firm management (i.e. the CEO, audit quality leader, professional practice, etc.) to better understand the firm’s system of quality management. The PCAOB will sometimes request specific documentation to evidence/test the system of quality management as well.

Needless to say, the week is full of nonstop meetings.

Responding to Questions

After each inspection meeting, it is best practice for the engagement team to meet and debrief the open items; this is where working in an audit room collectively helps with knowledge sharing. Engaging a PCAOB consultant can significantly help teams with understanding the nature of each question and explaining the questioning in relation to the standards. PCAOB consultants also understand what is considered “fully responsive” to the risk; comprehensive responses can lead to a more efficient inspection, eliminating the back-and-forth.

Historically, most questions were posed orally during inspection meetings. However, we have started to see the PCAOB send emails with lists of questions, dependent upon the inspection team. Regardless, we recommend engagement teams type up all questions (if not already written up by the PCAOB) as well as responses so that they are clear and concise. Responses should be complete, accurate and fully responsive. There is no need to speak to “anticipated” issues or concerns. The PCAOB will ask additional questions if they have further concerns.

Many questions will also require teams to go back to the workpapers and research the work performed. Don’t underestimate the time it takes to respond. In an ideal world, teams would clear their schedules to allow for a dedicated focus on the PCAOB inspection.

If some questions take longer to research and respond, the team can indicate in subsequent meetings that it is still responding to specific questions. It’s important to note which questions are open at the end of each meeting.

Areas of Concern

Throughout the week, as questions are answered, the PCAOB will begin to narrow down the list of open items. When the PCAOB asks a follow-up question and/or asks the same question in a different manner, this is generally a good indication that the initial response did not fully address the inspector’s concerns and there remains a potential risk of material misstatement or non-compliance with the auditing standards.

By Wednesday, the PCAOB will typically have asked all its questions and the remainder of the inspection is a matter of responding and closing out concerns. By Thursday afternoon, the PCAOB should be able to provide an overview of its main concerns, if any. These concerns represent the areas where, barring any further information, the PCAOB is considering a comment form. This initial communication of concerns provides the engagement team another chance to review the workpapers and craft a response that explains how the engagement team responded to the risk and complied with the standards. The starting point for all these discussions is understanding the risk of material misstatement and making the direct linkage between the risk and the response.

The focus of the inspection is always on the documentation in the audit file. However, if there is other persuasive audit evidence (i.e. an analysis that was performed at the time of the audit but not included in the file), the PCAOB has considered the information. In these circumstances, it’s critical to be very clear what is documented in the file, what was performed at the time of the audit but not included in the file and what was performed currently during the inspection. Transparency is key.

When responding to areas of concern, the engagement team should consider what information is new and relevant. Sometimes providing a detailed overview of the entire audit approach with specific discussion around how each audit procedure/response addresses the PCAOB’s concerns can provide a clearer picture to the inspector and may be enough to resolve any concern. Responding with irrelevant information, or repeating information that has already been shared multiple times, rarely changes the mind of the inspection team. Again, leverage the national office and/or a PCAOB consultant to help respond to areas of concern.

Status Meeting and Comment Forms

Although the inspection is never technically closed until the report is issued, the status meeting serves as a chance for the PCAOB to share its assessment of concerns. This is not a time for discussion / rebuttal of the concerns; that is the purpose of the entire week of meetings. The status meeting is really a chance for the PCAOB to provide an overview of its scope and its findings that will result in a comment form.

Comment forms take some time to receive; some come within weeks and others take longer. The PCAOB has its own internal review process and occasionally, some comment forms are quashed. Prior to issuing the comment forms, inspectors may request copies of workpapers or have clarifying questions. These requests serve to ensure the comment form is complete and accurate.

Comment forms are broken down into four sections:

Facts: Review the facts, as presented, and either agree with them or disagree. If the engagement team disagrees, it’s important to detail the factual inaccuracies. The facts may appear incomplete, but the “agree” or “disagree” is really about whether the facts, as presented are accurate.
Deficiency(ies): Review the issue, as written up; this should mirror the issue communicated during the status meeting, although sometimes issues morph as they go through the review process.
Firm’s Response and Firm’s Remedial Action(s): Based on the facts and the deficiency, the firm is given an opportunity to agree or disagree with the issue. If the firm chooses to disagree, it must highlight the information that supports the engagement team’s conclusion that sufficient procedures were performed. The firm could provide additional workpapers and/or support if not already provided during the inspection. Disagreeing to every comment does not paint the right tone to the inspection team and repeating everything communicated during the inspection will not change the PCAOB’s perspective. The focus in the response should be on new/incremental information that was not specifically considered during the inspection. In addition, the firm is given an opportunity to indicate its planned remedial actions. It’s okay to indicate that these actions will be considered at a later time; sometimes, these considerations take time to finalize.
Firm’s System of Quality Control: The comment form also asks about what elements of the firms’ system of quality control failed resulting in the deficiency. Again, it is acceptable to defer the response; to fully respond to this question, firms should consider a root cause analysis to accurately understand the potential issues.

Firms have 10 days to respond to the comments, although extensions can be granted if requested. Once the firm submits its response to the comment form, the firm will not typically hear back from the PCAOB until the report is issued, which could be anywhere from one month to more than a year later.

While the inspection is now complete, firms still need to evaluate AS 2901 and AS 2905 considerations and develop a remedial plan for each specific deficiency. In addition, firms should consider root cause analyses (especially in light of the requirements of the new quality management standards) and firm-wide remedial actions. These actions aren’t required until report issuance when the remediation timeline commences, but we recommend starting early when the inspection findings are fresh and relevant.

As we said in Part I, don’t be afraid to reach out if you have questions. We’ve also created an inspections resource guide that goes into much greater detail and can serve as a navigation tool for engagement teams. You don’t have to go it alone!

Key Takeaways

Working together (ideally in the same room) as a team is incredibly beneficial to engagement teams during the inspection process.
Inspection week is a series of meetings where the PCAOB poses questions, the engagement team provides responses and slowly, the concerns are whittled down.
Engagement teams should focus responses on the risk of material misstatement and describe how the audit procedures performed specifically address the PCAOB’s concerns.
The status meeting closes out inspection week and provides the firm with an overview of the expected comment forms, if any.
Comment form responses are due within 10 days and should focus on new or incremental considerations aside from what was already discussed in the inspection. We don’t encourage firms to disagree simply for the sake of disagreeing. Read the issue, understand the concern, and consider ways to improve. We all still have room to grow and learn.

The Year of Ampersand Part II: The Never-Ending Story of Completeness and Accuracy

Thu, 10 Aug 2023 16:09:28 GMT

I remember in my early days of auditing, there wasn’t much thought given to the completeness and accuracy (C&A) of information. Certainly, engagement teams tied out subledgers to the GL and performed tests of details or analytics to validate information, but there wasn’t the same consciousness as there is currently in this, the information age. Today, it seems testing completeness and accuracy is a never-ending story with always more to be done.

Conscious of the growing need for relevant and reliable information, in October 2021, the PCAOB published its Staff Guidance – Insights for Auditors Evaluating Relevance and Reliability of Audit Evidence Obtained From External Sources . This guidance is predicated on AS 1105.06 – Audit Evidence which states that “Appropriateness is the measure of the quality of audit evidence, i.e., its relevance and reliability. To be appropriate, audit evidence must be both relevant and reliable in providing support for the conclusions on which the auditor's opinion is based.”

In Part 1 of our series on this topic , we wrote about important considerations in evaluating relevance and reliability . While ALL audit evidence must be both relevant and reliable, there is an important distinction between audit evidence that emanates from sources external to the company and information produced by the entity (also known as IPE). The auditing standards are more stringent when considering the relevance and reliability of IPE. AS 1105.10 goes on to specifically require that:

When using information produced by the company as audit evidence, the auditor should evaluate whether the information is sufficient and appropriate for purposes of the audit by performing procedures to:

Test the accuracy and completeness of the information, or test the controls over the accuracy and completeness of that information; and
Evaluate whether the information is sufficiently precise and detailed for purposes of the audit.

Despite the continued focus on C&A, teams are still struggling to sufficiently test IPE for C&A. In its most recent inspection observations , the PCAOB identified issues surrounding C&A of information both within the realm of ICFR as well as in substantive testing. Let’s dig into the two potential testing approaches: controls and substantive.

Testing Controls Over C&A

Given the fact that more and more information is being generated electronically, it’s becoming increasingly difficult to test C&A without testing controls. When applying a controls approach, remember that controls are first and foremost the responsibility of management. In fact, as part of the management representation letter, management must assert to its “responsibility for the fair presentation in the financial statements of financial position, results of operations, and cash flows in conformity with generally accepted accounting principles” (AS 2805.06). As well, for controls, management must state “that management did not use the auditor's procedures performed during the audits of internal control over financial reporting or the financial statements as part of the basis for management's assessment of the effectiveness of internal control over financial reporting” (AS 2201.75).

With that in mind, when testing controls over the C&A of information, it’s important to understand the information pipeline. While the end result may be a simple report, controls over completeness and accuracy require various controls from origination to reporting. As the old adage says, “Garbage in, garbage out.”

What data matters

Before you start tracing the data through the process, you first need to think about the key data that matters. Too often, reports are considered in their entirety, but there is always specific data that is critical to what eventually shows up on the financial statements. For example, for revenue you likely need to know the product sold, the revenue recognition date (e.g., the shipment date), and the purchase price. Additional information may be critical to certain controls over that data (e.g., management review controls), but when understanding the information pipeline, it helps to narrow it down to the data that really matters, especially when testing the reliability of information used in the audit. Too often, a report is tested without addressing all the key data.

Data origination

Consider next the source of the information; where does it originate? Upstream controls are critical as they govern the initial input of information into a system. For instance, when testing an inventory aging report, the input of the initial purchase date is a critical component for calculating the aging of the inventory. These upstream controls typically involve business-process-level controls.

Systems, Interfaces and Data Warehouses

Once source data is input into a system, it’s important to understand the flow of information from input to the reporting system. Sometimes this might be one all-encompassing system, but often, there are multiple interfaces, systems and even sometimes data warehouses involved prior to the generation of a report.

For each system involved in the pipeline, management should have robust information technology general controls (ITGCs) in place to ensure the reliability of the systems. ITGCs themselves don’t provide direct assurance over data or reports, but rather, they are designed to ensure that systems are safeguarded from inappropriate access and inappropriate changes throughout the audit period. In other words, if effective ITGCs are in place, then the system should operate as designed, but that means the auditor still needs to validate the design (i.e. testing the report – we’ll get to that in the next section).

For each interface, it’s important to test the relevant controls that ensure complete and accurate transference of data between systems. Most interfaces involve processing and filtering of data. In these cases, the engagement team will need to validate what filters are in place, whether they are appropriate and how data transmission exceptions are resolved.

Finally, if there are data warehouses involved, similar to systems, it’s critical to understand the controls in place that safeguard the information while it resides in the data warehouse. Data warehouses often store data in different structures than the source system to aid in reporting. How is management comfortable that the data is completely and accurately transferred to the data warehouse?

Reports and queries

The final step in the process is understanding how the information is gathered and aggregated into the report or query. The nature of the controls and testing to be done will always depend on the type of report and output. Standard reports that generate PDFs pose less risk, for example, than customized queries that produce an Excel output.

Regardless of the nature of the report, there is always some testing to be performed. If the report is a simple standard report (e.g., a listing of information), the testing may be limited to understanding the change management controls around the report and validating that the report has in fact not been customized. If, on the other hand, it is a customized query, the engagement team should consider:

What is the report configuration? Teams will need to review and test the report parameters. Does the report run automatically based on a schedule? Or is it run ad-hoc? Are there pre-set report parameters or does the user have the ability to dictate what information is included in the report (i.e. date ranges, business units, GL accounts, customer accounts, etc.)?
What data fields are pulled in for the report? Is there any processing / manipulation / aggregation / synthesis of data as a result of the reporting functionality? If so, we need to understand what processing there is and validate it.
What controls are in place to govern change management around reports? Often, companies will write specific standardized query scripts where the user has to input specific data parameters. In addition to understanding those parameters, teams need to understand and test the change management controls that safeguard the script.
What controls are in place to protect data / queries once reports have been produced? This is especially important for dynamic files that may either a) be modified by human review subsequent to report generation or b) are linked and updated either real-time or on regular frequencies. Because of the susceptibility to change, for any report that is generated in Excel, the team should observe the generation of the report, including transference to the auditor directly.

These are just some of the questions to consider. The reality is that there is no one way to test a report. The testing approach will always be unique to the company’s systems and controls and will be impacted by the nature of the information being tested.

Substantively Testing C&A

Alternatively, if engagement teams opt not to test controls over C&A, they may substantively test the C&A of IPE. When performing substantive testing without controls reliance however, it’s important to remember that teams must test the C&A each and every time they obtain a report.

Completeness

There are various ways to substantively test the completeness of information. One approach is to reconcile a report with an alternative report / source. For instance, an engagement team could reconcile an investments purchases and sales journal with bank/broker statements to ensure completeness. Some reports, such as the journal entry listing could be tested for completeness by performing an account rollforward where the opening trial balances (i.e. prior year balances) are rolled forward to the current period balances using the journal entry listing. Alternatively, some reports such as cash disbursement journals may have sequential numbering which could help validate completeness. The design of the completeness test will always depend on the nature of the information. Finally, the completeness of some reports may be validated through detailed substantive testing such as floor-to-sheet testing for physical inventory. When testing completeness of a report, it is important to distinguish between the testing performed for completeness as a financial statement assertion and completeness as an information processing objective. Sometimes, the testing can accomplish both, such as the floor-to-sheet testing for physical inventory, but often, the completeness of a report does not directly translate into the same completeness for a financial statement assertion.

Accuracy

Accuracy is less difficult a concept to grasp as this is often the nature of a test of detail. In other words, accuracy is typically validated through taking a sample of items on a report and reconciling it back to audit evidence. When testing accuracy, it’s important to test the accuracy of all key data fields.

Other Considerations

Though the standard has not changed, with experience and learning, the industry has become more conscious of C&A. Though everything falls under the realm of either testing controls or substantively testing C&A, some specific considerations include:

ICFR audits: In an ICFR audit, all information that is used in controls must specifically have internal controls that ensure completeness and accuracy. For the substantive portion of the audit (and/or for financial statement audits only), engagement teams have the choice of either identifying controls over C&A or substantively testing information for C&A.
Data fields: often teams will review information directly within the system through remote-screen sharing with a client or through direct observation at a client’s desk. This is still “data” and although it is not a typical report, the engagement team should consider the controls in place from origination to observation of the data in the system.
ITGCs: If ITGCs fail, teams will often have no choice but to test IPE through substantive means as ITGCs are the foundation for all other controls involving systems.
Service Providers: Although service providers are technically “external” to a company, service providers are viewed as an extension of the company’s system of internal control and thus reports from service providers are still considered IPE. This means that teams must either identify and test controls over IPE or substantively test the IPE. If teams obtain SSAE 18 reports (i.e. SOC 1) over service providers, teams cannot automatically assume that C&A of reports are covered by the SSAE 18 report (most often the reports are not covered, but rather, are mentioned in the complimentary user entity controls). Teams must specifically review the SSAE 18 report and ensure the control objectives adequately address C&A of reporting.
FS and IT Auditors: Most teams consider IPE testing to fall within the realm of IT auditors. Certainly, there are numerous IT controls such as ITGCs and automated controls that require the assistance of IT auditors, but teams must begin to shift perspectives and understand that IPE testing is a collaborative effort between FS and IT auditors. FS auditors often understand the purpose / use of a report (including the key data) and thus can understand the risk profile linked to a report. When testing controls, it is not just IT controls, but rather a suite of controls including business-process-level controls. We always encourage teams to engage IT auditors to assist with the testing as IT auditors have the competencies to test system controls, but it is not solely an IT auditor responsibility; integrate the testing!

Key Takeways

C&A continues to be a recurring finding in the audit industry. Information produced by the entity (including service providers) must be tested for C&A either by testing controls or through substantive testing.
When testing controls, consider the entire information pipeline and identify the key controls from origination through to reporting. This includes controls over the source inputs, systems, interfaces, and data warehouses.
All reports (yes, even standard reports) require some testing to understand the report configuration, controls around change management and data integrity once the report is generated.
While controls can be burdensome, substantive testing of C&A can be equally challenging. While there are multiple ways to test completeness and accuracy, a key consideration here is that each and every report must be substantively tested each and every time it is run/generated from a system.
Reports from service providers are still considered IPE even though it is technically “external” from the company.
IPE testing is NOT just an IT auditor’s responsibility. There are IT components for which an FS auditor may not be suitably equipped to test, but IPE testing is a collaborative effort and audit teams need to be integrating FS and IT auditor knowledge, risks, and competencies to design an effective and efficient approach to testing IPE.

PCAOB 101 – Part I: Preparing for a PCAOB Inspection

Tue, 11 Jul 2023 22:02:06 GMT

If you follow the PCAOB at all, you know that at the start of 2022, the SEC appointed a new Board led by PCAOB Chairwoman, Erica Williams. The Board has made it abundantly clear that they take inspections and enforcement seriously. In its April 2023 Spotlight: Staff Priorities for 2023 Inspections , the PCAOB indicated, “…[One] of the enhancements is the expansion of the number of public company audits [it will] select to review.” Similarly, in a September 2022 speech , Chairwoman Williams said, “As our strategic plan makes clear, this Board is approaching enforcement with a renewed vigilance.” Given the strong tone of the new Board and the fact that many new firms will be subject to PCAOB inspections as a result of the Holding Foreign Companies Accountable Act (i.e. audit firms issuing PCAOB opinions in the People’s Republic of China and Hong Kong), we thought it would be a good idea to do a little refresher on PCAOB inspections and enforcement. In this three-part series, we’ll focus on: 1) how to prepare for a PCAOB inspection, 2) what to expect during the inspection itself and 3) how the enforcement process works and what to do if subject to an inquiry. So, without further delay, let’s jump into how to prepare for an inspection.

Notice of Inspection

Typically, firms that audit 100 or more issuers are subject to annual inspections; firms that audit less than 100 issuers are subject to triennial inspections. Increasingly, the PCAOB is accelerating the inspection process for triennial firms depending on risk and historical inspection results. Regardless, every firm that is registered with the PCAOB and audits at least one issuer will receive either an email or a letter from the PCAOB notifying the firm of an upcoming inspection. This communication outlines many of the logistical matters including the anticipated timing of the inspection as well as the various data/document requests. We recommend that firms identify a “project manager” who acts as a point person for the PCAOB. This designee should manage all communication with the PCAOB until the actual inspection begins, at which time the inspection team will begin to communicate directly with the engagement teams. This project manager also manages most of the administrative elements of the inspection, coordinating meetings and dates and facilitating document requests and workpaper access. The initial inspection notification will also indicate the PCAOB Inspection Team Leader. Though PCAOB inspections are to be taken seriously, the process is more casual and the PCAOB understands that firms may have questions and clarifications needed along the way. The PCAOB Inspection Team Leader is the main contact at the PCAOB to help navigate that process and clarify any uncertainty.

Logistically, the most important first step is to confirm the dates of the inspection and the period under inspection (which the PCAOB will specifically identify). The PCAOB provides the anticipated dates, but the firm must check with its staff to ensure their availability during the inspection. The PCAOB does not typically modify the inspection dates, but if the firm has reasonable extenuating circumstances, it could request the PCAOB to change the inspection dates. Once the dates are nailed down, the rest is simply a matter of preparation. Note that depending on the size of the firm and the number of inspections being performed, the inspection may take place in one single week or may span multiple weeks.

The notification letter will provide firms with various data requests. The two most important requests include: a) the QC data request and b) the issuer information form.

QC Data Request : The PCAOB requests various documents to understand and evidence the firm’s system of quality control. The request typically includes documents like the QC manual, consultation logs, training records, independence forms, etc. The request will vary based on the size of the firm and will clearly enumerate the requested documents.
Information Issuer Form : The firm must complete this form which lists out all issuers for which the firm issued an audit opinion during the period under inspection (which is specifically indicated in the notification letter). The form will ask for various data points / metrics for each of the audits, such as fees, hours, partner names, and various financial statement information (i.e. revenues, total assets, etc.).

Issuer Notification

Once the PCAOB receives the initial data requests, the Board will begin its process of issuer selection. As the PCAOB indicates in its 2023 Spotlight (referenced above), the Board uses a mix of random selections as well as risk-based issuer audit selections (i.e. issuers with restatements, financial institutions, large market capitalization, issuers with mergers and acquisitions, digital assets, etc.). Typically, two to three weeks in advance of the inspection, the PCAOB will then notify the firm of the issuers selected for inspection.

Along with notification of the issuers, the PCAOB requests additional information through the Engagement Profile which is a much more in-depth data request for the specific issuers selected for inspection. The information requested on the Engagement Profile varies and is largely dependent on the type of issuer selected for inspection. An integrated audit will request much more detailed information (i.e. controls identified and selected for testing for specific focus areas) for an integrated audit than for a non-integrated audit.

Once the issuers are finalized, the firm should begin coordinating early workpaper access with the PCAOB. This may be done through sending a laptop to the PCAOB or through setting up remote access for PCAOB inspectors. This is where the firm’s project manager can coordinate specifically with the PCAOB Inspection Leader and provide options based on the firm’s technological capabilities. The key with all things related to the inspection is communication . If there is any uncertainty, don’t hesitate to communicate with the PCAOB.

Prep Week

Workpaper Review

Just as the PCAOB inspectors are performing workpaper reviews in preparation for the inspection, so too should the engagement team be reviewing the workpapers during the week or two leading up to the inspection. Along with issuer notification, the PCAOB may inform the firm of specific focus areas ahead of the inspection but more often than not, the focus areas are shared with the firm during the opening meeting. If the team knows the selected focus areas, it should focus its efforts during prep week on those areas. If the focus areas are unknown, the engagement team should focus its preparation efforts on audit areas with significant/fraud risks (i.e. revenue), material new and/or complex accounting (i.e. new lease accounting standard or debt/equity classification), and significant subjectivity and/or judgment (i.e. accounting estimates). In addition, for broker-dealer audits, consider reviewing the net capital calculation and the exemption or compliance reports.

As a note, the PCAOB can always add additional focus areas during the inspection week. In addition, though not specifically considered a focus area, all teams should re-familiarize themselves with the planning, risk assessment and materiality considerations as well as audit findings (i.e. control deficiencies and corrected and uncorrected misstatements) as these are foundational to any audit.

We also encourage engagement teams to review recent PCAOB publications, like the April 2023 Spotlight which provides an overview of the PCAOB’s focus for the upcoming inspection cycle (i.e. fraud, risk assessment and internal controls, financial services, digital assets, mergers and acquisitions (including SPACs), use of other auditors, and other QC areas) as well as other publications like the December 2022 Spotlight: Staff Update and Preview of 2021 Inspection Observations which highlights the most common inspection findings from the 2021 inspection season.

Finally, through our work supporting firms, we have often found that in addition to engagement team review of the workpapers, firms benefit from an objective outside review. We’ve performed numerous pre-inspection workpaper reviews which help identify the “pain points” prior to the inspection so that engagement teams are better prepared to respond to the PCAOB.

Opening Meeting

The official kick-off of the inspection is the “Opening Meeting.” For integrated audits, the opening meeting is much more structured and teams often prepare a slide deck. For non-integrated audits, the opening meeting is much more informal (especially since focus areas are not typically known).

The opening meeting is the first impression and serves as an opportunity for the engagement team (led by the engagement partner who should be doing the majority of the talking) to demonstrate their knowledge of the audit and to walk the PCAOB through the overall audit approach. A successful opening meeting will introduce the engagement team, provide an overview of the issuer’s operations, detail risk assessment and scoping considerations, explain materiality, discuss use of others (other auditors and internal audit) and summarize overall audit findings. If the focus areas are known, the engagement team should also be prepared to walk through the internal controls and substantive approach for each of the focus areas. If the focus areas are unknown, while the engagement team will begin the meeting with a brief overview, the PCAOB will generally then lead the meeting by introducing the focus areas.

Often the PCAOB inspectors will have prepared questions for each of the focus areas. We recommend engagement teams take down the opening meeting questions and set up subsequent meetings during the inspection week to begin responding to the PCAOB’s concerns. Typically, after the opening meeting, we recommend collectively debriefing the questions and coming up with a plan for how to respond to each of the questions.

Engagement teams may choose to respond immediately to simple questions that are navigational in nature and/or that are easy to respond to (where there is no uncertainty), but know this: it is always acceptable to take a question down and respond in the following meeting. We’ll remind you in the next article as well, but the PCAOB does not expect an immediate response to each question. As a team, you are allowed to say, “Let me take that down and get back to you.”

That’s enough for Part I. As you can see, there’s a lot of moving pieces in a PCAOB inspection. Given we at JGA are all former inspectors, we understand the concerns and questions many firms have regarding the inspection process. Don’t be afraid to reach out if you have questions. We’ve also created an inspections resource guide that goes into much greater detail and can serve as a navigation tool for engagement teams. The moral is: you don’t have to go it alone!

Key Takeaways

Identify a “project manager” within the firm who can coordinate the various logistics including confirming inspection dates, facilitating data/document requests, including workpaper access, and scheduling meetings.
For document requests, make sure responses are complete and accurate. The specific information needed will always be highlighted in the PCAOB communications.
Once issuers are selected for inspection, engagement teams should begin reviewing workpapers. In addition, engage an independent reviewer to perform a pre-inspection review to identify potential pain points.
Take time to prepare for the opening meeting. Don’t underestimate the old adage: first impressions matter.

Broker-Dealer Audits: Considerations for Continuous Audit Quality Improvement

Thu, 08 Jun 2023 23:42:06 GMT

It’s been more than a decade since the formation of the interim program and unfortunately, it remains unclear as to when or if a permanent program will be established. Understandably, it’s difficult to agree on the appropriate scope for the broker-dealer program and with multiple changes in government administrations as well as multiple changes to the PCOAB board, it’s been a tumultuous decade.

Despite the lack of a permanent program, the PCAOB is still actively inspecting auditors of broker-dealers, regardless of the size or nature of operations. As well, the PCAOB has made clear time and again, they take the inspection process very seriously; the new Board is big on audit quality and inspections is its largest quality tool.

As firms prepare for inspection season and begin to plan 2023 audits, we thought we’d share some of the key broker-dealer findings that seem to recur, and in light of the current economic situation, there is arguably even greater risk.

Revenue

Revenue is consistently the number one focus area across all audit inspections (including issuers and broker-dealers) with audit deficiencies. In its August 19, 2022 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers (2021 Annual Report), the PCAOB indicated 33% deficiency rate for audits where revenue was inspected. Given the rebuttable presumption of fraud risk in revenue, the PCAOB consistently picks this area for inspection. For context, 79 audits included revenue as a focus area; the next highest focus area was receivables and payables (21 audits).

Specific to broker-dealers, the most common findings included:

Commissions: engagement teams failed to sufficiently test the terms and conditions of revenue and/or to obtain appropriate, sufficient audit evidence to validate the relevant assertions.
Investment banking fees: engagement teams failed to sufficiently test the amount of capital raised, the rate applied to determine the fees, and whether the transaction was executed.
Investment advisory fees: teams struggled to sufficiently test the accuracy of assets under management and the rates applied.
Trading gains and losses: teams failed to test traded prices and quantities.
Success fees: teams failed to test the consideration received by customers which formed the basis for success fees.
Interest: engagement teams failed to test the relevant inputs used to calculate interest, such as the market value of securities borrowed, customer balances, and interest rates applied.

Generally speaking, these findings mean teams are failing to obtain sufficient, appropriate audit evidence to corroborate selling price, volume, and commission/fee/interest rates and percentages applied. Often, teams pull reports from clearing broker-dealers and fail to perform additional procedures to evaluate the completeness and accuracy of those reports. The PCAOB has taken the position that a clearing broker is the equivalent of a service organization, or said differently, an extension of management’s internal control. Thus, although technically outside of management (i.e. external), information coming from the service organization is considered internal.

Regardless of the source of information, teams must always document their evaluation of the relevance and reliability and for internally derived information, teams must either identify and test controls over completeness and accuracy or substantively test reports for completeness and accuracy each time they use a report.

The other theme here is ensuring we test all relevant assertions. Often overlooked, teams must be sure to validate occurrence of revenue transactions.

In light of the current economy and depressed markets, revenues are likely to be lower year over year. Trading prices are down which means commissions will be down. Lower stock prices also mean trailing fee revenues will be down. Given the economic uncertainty, M&A deals are also down which means investment banking fees will be lower. All of these factors and other economic uncertainties increase the risk of fraud surrounding revenue, so teams need to ensure they are critically evaluating the risks and appropriately designing audit procedures responsive to the assessed risks.

Supplemental Information

Common within the broker-dealer industry is the audit of supplemental information included in the financial statements including audit procedures related to the financial responsibility rules. [1] Though each distinctly different, the recurring theme was the failure to test the information used in the calculations (yes, we’re talking about relevance and reliability and completeness and accuracy yet again) as well as validating all calculations were in accordance with the specific rules and regulations.

It's important to ensure teams fully understand the applicable rules and design audit procedures to ensure the broker-dealer calculated and presented supplemental information in accordance with those rules. For information used, those procedures need to address completeness and accuracy for internally derived information.

Considering the current economy and the depressed markets, again, there is heightened risk around compliance such as with the net capital calculation.

Examination Engagements – Compliance Report

As a general rule, broker-dealers that hold customer funds or securities or clear customer transactions must establish internal controls over compliance (ICOC) with the financial responsibility rules, and report on the effectiveness of those controls annually in its compliance report, pursuant Rule 17a-5 of the Securities Exchange Act of 1934. The auditor’s examination of the statements made within the compliance report falls under AT No. 1 - Examination Engagements Regarding Compliance Reports of Brokers and Dealers and for lack of a better comparison, it’s similar to an audit over internal controls over financial reporting, except this standard relates to compliance. AT1 Paragraph 4 states:

To express an opinion on the assertions made by a broker or dealer in a compliance report, the auditor must plan and perform the examination engagement to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether (1) one or more Material Weaknesses existed during the most recent fiscal year specified in the broker's or dealer's assertion; (2) one or more Material Weaknesses existed as of the end of the most recent fiscal year specified in the broker's or dealer's assertion; and (3) one or more instances of non-compliance with the net capital rule or the reserve requirements rule existed as of the end of the most recent fiscal year specified in the broker's or dealer's assertion.

Similar to ICFR findings in issuer audits, auditors of broker-dealers continue to struggle with internal controls over compliance. In order to identify and test the relevant controls, engagement teams need to ensure they have a complete understanding of the processes in place. For instance, understand the entire process for how account statements are generated and sent to customers; this often involves understanding automated controls, which need to be identified and tested. Foundational to automated controls however are effective information technology general controls (ITGCs). So, understand the process and then select the relevant controls that address the risks around each compliance requirement.

Many teams obtain service organization reports and while these are a strong start, teams struggle to sufficiently review and test the reports. Specifically, teams should review the opinion, the coverage dates, the gap period and the bridge letter (if applicable), the inclusion (or exclusion) of subservice organizations, control objectives and the correlated activities (including control exceptions), and the complimentary user entity controls (these need to be tested just like any other control).

Pervasive within the entire audit industry, engagement teams continue to struggle testing management review controls (MRCs). We must ensure we understand the objective of the control, management’s expectations, the level of precision, and the process for resolving exceptions. With MRCs, understanding design is the first step, but we must also test the operating effectiveness which means ensuring the control operated as designed. This often means incorporating elements of reperformance in the testing approach.

Finally, all controls use data and so, yet again, testing completeness and accuracy of data used in the controls is critical for effective operation of the control.

Review Engagements – Exemption Report

Many broker-dealers have limited operations and are exempt from certain SEC rules. SEC Rule 17a-5 allows these broker-dealers to claim an exemption in an exemption report. The auditor’s review of the broker-dealer's exemption report falls under AT 2 - Review Engagements Regarding Exemption Reports of Brokers and Dealers . Although merely a review, engagement teams continue to struggle when performing review procedures. The main issue here stems from which exemption applies to the broker-dealer.

The exemption report is the responsibility of management, but the auditor performs a review to ensure the exemption is appropriate. Engagement teams should perform the appropriate inquiries of management, review regulatory filings and communications (e.g. FINRA membership agreements and FOCUS reports), and consider the totality of audit evidence obtained from all procedures (both under the review engagement as well as the audit of the financial statements). The 2021 Annual Report says: “The most frequently cited deficiency in review engagements involves firms that did not take into account evidence obtained during the audit that contradicted broker-dealer assertions in review reports regarding compliance with the exemption provision claimed.” Contradictory evidence is also a common finding in issuer audits. Though not engaged to identify contradictory evidence, when we become aware of contradictory evidence, we must consider and document the resolution of that information.

EQR

As is true with issuer audits, the PCAOB will consider audit deficiencies and evaluate whether the EQR should have identified the deficiency. Though there is judgment involved, generally, if the deficiency relates to a significant risk and/or to the attestation standards, the PCAOB will take issue with the EQR review. For many teams, the EQR is considered an afterthought and is given a very limited budget to perform a review, typically at the last minute. We encourage EQRs to be actively involved in the planning and risk assessment phases of the audit and to understand (and challenge, if needed) the engagement team’s planned audit responses. As the engagement team completes its testing and documents the conclusions, EQRs need to perform detailed reviews over the significant risks and other areas required by the standards.

Looking Forward

Certainly, a permanent program would help drive audit quality. Currently, under the interim program, the PCAOB does not issue firm-specific reports, which means there is no mandatory remediation process. Ideally firms would take the initiative to proactively address deficiencies, but without remediation, there is limited accountability. Of course, there is always enforcement and the PCAOB has made clear its efforts to strengthen its enforcement activities. But without the reporting and remediation processes, there is not only less accountability to remediate issues, there is also less opportunity for firms making best efforts to remediate issues to engage with the PCAOB and determine if their remediation efforts are adequate. Until we have a permanent program, we encourage firms to continue engaging with the PCAOB through the inspection process and taking the comments seriously and designing and implementing remedial actions at both the engagement and firm level. And if you aren’t sure where to start, we’re here to help.

Key Takeaways

For all significant accounts and disclosures, be sure to perform audit procedures to address all relevant assertions.
With the rise of technology and the information age, data is increasingly important. Engagement teams need to always evaluate the relevance and reliability of audit evidence. For internally derived information, engagement teams need to either identify and test controls over completeness and accuracy or substantively test information for completeness and accuracy.
Broker-dealers can be complex and there are numerous rules and regulations that apply. Be sure you have the skillset and knowledge when performing procedures over supplemental information presented with the financial statements.
Understand the entire process and select relevant controls to address each compliance requirement. Testing controls includes evaluating the design and implementation as well as testing the operating effectiveness of those controls.
Critically evaluate the exemption report and ensure it aligns with the totality of evidence obtained through inquiry as well as through the audit of the financial statements. Dig into any contradictory evidence.
Don’t underestimate the importance of the role of the EQR. EQRs should be given adequate budgets and timing to thoroughly review the audits of broker-dealers.

[1] The term “financial responsibility rules” refers to the rules cited in Exchange Act Rule 17a-5 paragraph (d)(3)(ii) and AT No. 1, namely, the Net Capital Rule, Customer Protection Rule, Quarterly Security Counts Rule, and Account Statement Rule. Paragraph (e) of the Customer Protection Rule, specifically, is referred to as the “Reserve Requirements Rule.”

Triennially Inspected Firms: Blessing and a Curse

Thu, 18 May 2023 18:06:24 GMT

In a day and age where the SEC and the PCAOB are holding auditors more accountable, audit quality is of utmost importance. Given the failures of a peer-regulated industry, in passing the Sarbanes-Oxley Act of 2002, Congress created the PCAOB, an independent audit regulator. Through the inspection process, the PCAOB has made clear its interpretations of the standards and what constitutes a quality audit. Now, more than 20 years later, the audit industry has seen significant changes and we’d argue, improvements, to audits.

Under current guidelines, firms that audit 100 or more issuers are required to be inspected by the PCAOB on an annual basis; in 2021, there were 12 annually inspected firms. For all other firms, the PCAOB performs triennial inspections.

In looking at the results of the 2021 inspection reports for the Big 4 firms (i.e. the largest of the annually inspected firms), the PCAOB inspected an average of 55 audits per firm. Approximately 16% of inspected audits had Part I.A deficiencies (or in other words, opinions that were not supported). For all firms inspected, the PCAOB found an average of 33% of audits with Part I.A deficiencies. That’s double the average for the Big 4 firms. Clearly, there is a distinct difference in audit quality between annually and triennially inspected firms. This has been the case for many years. In the 2020 inspection findings spotlight , the PCAOB commented that: “For the majority of the annually inspected audit firms, we identified fewer findings in 2020 compared to our 2019 inspections. In our triennially inspected audit firms, some improvements were noted, although deficiencies continue to remain high.”

Inspection and Remediation Process

In our view, one of the main drivers of audit improvement has been the inspection and remediation processes, through which, firms are held accountable, and accountability drives change. Logically, this makes sense. Annually inspected firms are constantly in front of the PCAOB; firm leadership has regular meetings with the Board and staff across all levels of the firm are getting constant exposure to the inspection process. Just as many associates truly learn auditing through on-the-job training, so too, do many staff learn audit quality through experience with PCAOB inspections. Inspections afford staff the opportunity to hear the types of questions PCAOB inspectors ask. They get insight into the PCAOB’s view of audit risks and what procedures are considered sufficient (or insufficient) to address those risks. Though comments are often contested, they provide direct feedback to engagement teams on the audit failures and can help teams alter planned future procedures.

Similarly, annually inspected firms are also always in the process of remediating past inspection reports. There are constant messaging and improvement efforts being made to drive change within the firm.

Firm leaders know the hot topics, can track the development of new concerns as they arise and are having perpetual remediation conversations with the Board. These conversations provide invaluable insight into what remedial actions are sufficient (or again, insufficient); the PCAOB is able to provide additional clarity around its concerns, allowing firms to further refine their remedial plans.

While we understand the additional demands and burdens that come with more frequent inspections, (in fact, many of our clients have already started to see their three-year cycles accelerated to two years), there is clearly a correlation between increased exposure to the PCAOB and increased audit quality. For those firms that are still on a triennial basis, whether smaller domestic firms or international affiliates, let’s explore some important actions that can result in perpetual audit quality improvement, without raising your hand and asking for more inspections.

Tone at the Top

Foundational to any system of quality management is the tone at the top. This is highlighted in the fact that it is one of eight quality components in the new quality management standards (including ISQM 1, SQMS 1 and QC 1000). Firm leadership must be aware of the tone at the top and how that trickles down to the engagement team level. Tone at the top consists of both the communications from firm leadership as well as the communications from engagement partners and senior managers.

Often, we see leadership kick off training programs with a note on the importance of audit quality or we’ll see firmwide emails touting the critical nature of perpetual improvement. But what about the dialogue during and after a PCAOB inspection? Do engagement teams pause to reflect on the nature of the questions and consider how they could have approached the audit differently? Or do engagement teams criticize the PCAOB inspectors and discount the questions and findings as impertinent? Are teams professional with the inspectors or are they rude and dismissive? We get it; standing by your work and defending against a potential comment form can create tension, but can we acknowledge that perhaps there is something still to be learned? As former inspectors and consultants supporting audit teams, we’ve seen the gamut in reactions from engagement teams. How partners and firm leadership react to criticism from regulators conveys a lot to everyone at the table about how the firm approaches audit quality and its commitment to quality management.

Obviously, words matter, but tone at the top is more than mere language. It’s also actions. Similarly, once an inspection is completed, does firm management jump in to perform a root cause analysis? Does the firm provide resources and/or guidance to engagement teams to help them perform remedial procedures to address the comments? Does the firm begin crafting firm-wide responses to address quality concerns? Again, we’ve seen the gamut. Waiting until the 11 ^th month in a year-long remediation period inherently communicates a certain tone around audit quality: “It’s not the priority right now” or “It can wait.” We have always been an advocate of early remediation .

Actions extend beyond the inspection process. It includes leadership attendance and participation in audit trainings (read: not being distracted and working during presentations). It includes reading and disseminating PCAOB updates and spotlights. It includes setting priorities and aligning performance metrics with audit quality. I would venture to say that it also means firms should stop allowing differences in audit quality (and sometimes even methodology) between public and private company audits. While the risk profile is inherently differently for public company audits, the reality is that the auditing standards (PCAOB and AICPA) just aren’t that different . Tone at the top is multi-faceted, so let’s not underestimate how our words and actions convey our real thoughts about audit quality.

Intellectual and Human Resources

Another of the new quality management components is resources, including both human and intellectual. Human resources are already built into QC 20 (i.e. personnel management), but in the current war on talent, this is an important element to highlight. Firms must consciously consider who and how they are recruiting staff with the appropriate skillsets. As IT becomes increasingly pervasive across all elements of an audit, for many firms, that will mean hiring more technologically savvy auditors.

Once hired, firms need to be intentional in developing employees. Development comes from conscious assignment to jobs where new skillsets can be learned and refined; perhaps it’s learning a new industry or perhaps its obtaining additional experience in integrated audits. Certainly, for PCAOB audits, there is added value in using staff with robust PCAOB experience, but we would argue that it’s important that all staff get PCAOB experience. Again, more frequent exposure and interaction with the PCAOB seems to be correlated to better inspection results.

For international firms, it can be difficult to obtain PCAOB experience from within, depending on the country, so we encourage you to look without, such as through rotational programs abroad or pulling from network alliance firms.

In addition to human resources, under the new quality management standards, firms will also be responsible for securing the appropriate intellectual resources. This will be a mix of hiring subject matter experts and specialists as well as investing in methodology/guidance and knowledge resources. Perhaps that means hiring specific staff or engaging consultants and specialists to supplement audit teams when performing audits. It will look different for every firm, but the point is that firms need to be investing in obtaining and developing their resources.

Though not specifically the focus here, we would be remiss not to highlight the importance of investing in technological resources as well (also another component under the new quality management standards). Certainly, considering the talent shortage , technology can provide unique opportunities to simplify/automate certain audit procedures and can help coordinate human and intellectual resources.

Internal Inspections

Finally, let’s talk internal inspections. Again, under current quality control standards, firms are required to have internal firm monitoring. Traditionally, this has consisted of annual post-issuance reviews for select audits. In its 2021 observations, the PCAOB indicated that they “continue to identify deficiencies through [their] inspection procedures that were not identified through an audit firm’s internal inspection procedures directed to the same audit areas on a particular engagement.” In other words, the PCAOB’s review is identifying deficiencies that firms are failing to self-identify. This calls into question the quality of a firm’s monitoring program. This appears to correlate with the differences in peer reviews and PCAOB inspections. It seems, as an industry, we are still too lenient with one another when performing internal reviews.

But why? Part of this is attributable, again, to lack of PCAOB experience and the divergence in audit quality expectations for public and private company audits. We recommend firms use professionals with PCAOB experience to perform internal inspections, especially for monitoring over public companies. Many firms have sought to hire former PCAOB inspectors to bring that insight and knowledge into the firm and further refine monitoring programs. If you can’t hire internal, consider engaging consultants or look to network alliance firms to assist with this process.

In addition, firms should consider implementing different forms of monitoring reviews . While post-issuance reviews serve a purpose, it can sometimes feel like “too little too late.” Consider implementing in-flight reviews while the audit is being executed so that teams can learn hands-on, in the moment, as opposed to months later when the audit is no longer fresh. This also gives the audit team the chance to remediate the audit prior to the issuance of the opinion saving time and analysis later. Similar to in-flight reviews, firms could consider targeted reviews for areas with common failures, such as internal controls or estimates. Finally, perhaps the most basic message is this: we need to be more robust with our internal inspections. Again, we seem to carve out PCAOB inspections as “different” or “too detailed” but the reality is that they are identifying areas where we as an industry are still deficient and we need to push for continuous improvement.

There’s no single solution here. That’s partly why the new quality management standards have eight components. The point is we must strive for perpetual improvement. The PCAOB is driving that message home and has stated: “An audit firm’s inadequate response to address recurring deficiencies may warrant additional action, such as…potential investigation or disciplinary action for failing to comply with PCAOB standards.” While that is the role of the regulator, we also need to own our role in the process and take proactive steps to ensuring audit quality.

Key Takeaways

While more frequent inspections is one way to get more PCAOB interaction, consider other ways management can gain PCAOB exposure through various forums such as the PCAOB Small Business Forum or attending various PCAOB open meetings / calls / trainings and reading PCAOB publications. The annual inspection observations provide all the current hot topics.

Don’t underestimate the significance of tone at the top. Words and actions speak volumes, both from firm leadership, but also from engagement partners.

Invest in the right human and intellectual resources. Hiring is the first step, but in the spirit of perpetual audit improvement, we should also be investing in perpetual resource development.

Review current monitoring programs and evaluate whether the right staff (with the appropriate experience and rigor) are assigned to perform internal inspections. Also consider ways to revamp monitoring programs, such as using in-flight reviews to drive real-time change and learning.

SAS 145 Part II: Risks Arising from Technology

Wed, 17 May 2023 19:42:19 GMT

In Part I of our SAS 145 series, we explored the increased focus on risk assessment as the foundation for risk-based audits. In Part II, we’re expanding on the concept of risk assessment and specifically focusing on the risks relating to information technology.

For anyone doing a PCAOB integrated audit, incorporating information technology (IT) considerations, such as general IT controls, into the audit plan might seem like old news, but for everyone else, this is a paradigm shift . We’ve been writing about this for many years now, but the ever-increasing role of technology in business and as a result, in audits, has now made its way into auditing standards applicable to all audits.

Let’s explore some of this new guidance and considerations for teams in applying SAS 145.

Definitions

The new SAS 145 guidance includes 13 definitions. In Part I, we discussed how the AICPA revised the definition of a significant risk, to be more focused on the inherent risk factors and less dependent upon the nature of the procedures to address the risks. Of the 12 remaining definitions, four relate to information technology, including the following:

IT Environment: The IT applications and supporting IT infrastructure, as well as the IT processes and personnel involved in those processes, that an entity uses to support business operations and achieve business strategies.

The standard goes on to further define IT applications (programs used in initiation, processing, recording and/or reporting of transactions or information), IT infrastructure (network, operating systems, and databases), and IT processes (processes to manage access and changes to the IT environment). Though one could argue that “processes” used generically could/would incorporate IT naturally, it’s interesting to note that the AICPA made sure to explicitly call out IT.

Information-processing controls: Controls relating to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information.

Risks arising from the use of IT: Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.

General IT Controls: Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.

Understanding Controls

Risk assessment has always been predicated on understanding the processes in place at an entity, which naturally involves understanding the internal controls built into a process. However, historically, many audit engagement teams simply obtained a process narrative from the client, incorporated that narrative into the planning documentation and then moved on to assess risk. If teams weren’t relying on controls, they didn’t feel the need to delve into the control process and thoroughly document the design and implementation of controls. This was generally true for any non-integrated audit, public or private, regardless of the requirements within the auditing standards.

Now, with SAS 145, planning and risk assessment requires engagement teams, regardless of controls reliance, to document their understanding of the design and implementation of controls for the following areas:

Controls addressing significant risks;
Controls over journal entries and other financial reporting adjustments (i.e. financial statement close process);
Controls where the auditor plans to rely on controls to alter the nature, timing, and extent of substantive audit procedures (in other words, controls reliance); and
Controls where the auditor must understand them in order to appropriately assess risk at the assertion level and design further audit procedures.

We’ve yet to see how stringently this last bullet will be enforced through the peer review process, but it is essentially a “catch-all” since, inherently, we need to understand processes (which are made up of various controls) to fully understand potential risks and appropriately design an audit approach. That’s just auditing 101, but perhaps we’re a little biased.

Understanding IT Controls

IT in the modern business world is becoming pervasive as companies automate processes and continue to invest in technology solutions. It should go without saying that understanding the design and implementation of controls fundamentally includes understanding the IT controls. However, because this is such a shift, the AICPA made a point of explicitly calling out requirements related to IT. Beyond just identifying automated controls, this incorporates understanding how IT plays into IT-dependent manual controls and how IT produces information and data. Given data is the foundation of most audit procedures, it is crucial that we understand how information is completely and accurately processed, where data is stored (databases and data warehouses), and how it is produced / reported.

For all audit areas covered by one of the four bullets above, the engagement team must understand “how information flows through the entity’s information system, including how transactions are initiated, and how information about them is recorded, processed, corrected as necessary, incorporated into the general ledger, and reported in the financial statements… [1] ” This means understanding what systems and applications are being used and what risks arising from the use of IT (RAFITs) exist. The engagement team must then also identify and evaluate the design and implementation of the general IT controls (GITCs) that address each of the RAFITs. That means understanding controls addressing concerns around logical access and change management, to name a few of the GITCs.

But what if a company doesn’t have any controls in place? Through various audit quality advisory services, we’ve heard many teams tell us that their clients don’t have formalized processes and controls. In these circumstances, we expect the engagement team to understand what controls (manual and/or IT related are in place and to evaluate whether there is a broad-scale material weakness that should be communicated to those charged with governance, such as the audit committee or board of directors. In addition, the audit should then be designed incorporating this material weakness, which should increase overall risk. If the client refuses to accept a material weakness, then audit teams will have no choice but to dig into the controls and understand the entire process, including IT considerations.

Incorporating IT into Audits

While we can all recognize the importance and prevalence of IT in our own lives, many firms are resistant to invest in the resources needed to incorporate an understanding of IT into the planning and risk assessment process. Firms should consider the following:

Resources : Given the fact that many firms in the private company space only perform substantive audits, we have seen a dearth of IT knowledge and experience amongst engagement teams. Firms will need to consider hiring IT professionals, either as direct hires, such as creating an IT assurance group, or as contractors. Either way, firms should begin to expect that every audit engagement will incorporate some time from IT professionals. For clients that have little to no formalized controls, the IT auditor may only need a couple hours, but for larger clients with more structured internal control environments, audits should be budgeting time for IT auditors to assist with the planning and risk assessment process. Remember, it’s not just understanding the process, but its also evaluating the design effectiveness and implementation of controls; this generally means walkthroughs. While a non-IT auditor might be able to assess whether controls are implemented, understanding the design effectiveness requires an understanding of the relevant risks, including risks arising from the use of IT. In addition to engaging IT professionals, it is also important to ensure firms are hiring the right kind of professionals. There are plenty of IT professionals in the marketplace, but most IT professionals come from a consulting background and IT within the context of an audit is a very different mindset. IT auditors need to understand more than just GITCs; they need to understand the business processes and the flow of transactions in the entity’s information systems. This means that IT auditors need to work in tandem with financial statement auditors to ensure both auditors fully understand the flow of information and with that knowledge, holistically evaluate the risks of material misstatement. Nothing in an audit should be done in isolation as everything is interconnected.

Training : Historically, we have seen many firms offer IT training, but limit the attendees to only IT auditors. We encourage firms to being building out IT trainings for both IT and financial statement auditors. Because IT is so pervasive now, financial statement auditors need to be able to speak the language of IT and hold a conversation. When an IT auditor says there is a change management concern, the financial statement auditor needs to understand the potential gravity of the issue. For instance, a change management deficiency could render an entire system unreliable which could have significant repercussions for relying on any data from that system. While it is incumbent upon IT auditors to speak up and ensure they adequately communicate the risks, it is also critical that financial statement auditors learn the language to engage in that conversation. Integrating IT training so that IT and financial statement auditors are both present will also allow for IT auditors to better understand financial statement audit risks. Ideally, these trainings will allow for cross-line information sharing; we all have something to learn from the other.

In addition, while a financial statement auditor may attend an IT training, it’s important that firms understand that a one-off training over IT does not mean a financial statement auditor can perform full testing over IT controls (including GITCs). Knowledge and competence take time to develop; that’s why the CPA and CISA licenses, amongst other certifications, have both education and experience requirements.

Templates : To build upon the knowledge being taught in trainings, firms should also consider building out templates that help guide auditors in understanding relevant IT considerations, such as templates for performing walkthroughs of IT-automated and/or IT-dependent manual controls. In addition, firms could consider building out templates to help facilitate the aggregation of IT applications, programs, reports and spreadsheets inventories. From this listing, there could then be separate templates to assist with identifying the relevant risks related to each item in the inventory as well as evaluating the design effectiveness and implementation of relevant controls identified to address the RAFITs.

We also encourage firms to embrace the use of flowcharts; while we may understand the general process conceptually, flowcharts really help to map out systems and where/how information is stored and processed; data flow diagrams can be especially useful for entities with a number of systems and interfaces. Visually seeing information flow between systems on a flowchart helps to understand the risks (i.e. “what could go wrongs”) within the process.

Integration : Finally, we recommend firms consider the concept of integration. This concept has two senses:

1. Integration of the audit team : Engagement teams work best when IT auditors are integrated into the financial statement audit and not viewed as “separate.” In other words, IT auditors should be a part of the planning and risk assessment process and should be incorporated into process walkthroughs. Testing approaches should be clearly discussed to understand how all elements of a control are being tested so as to ensure all automated AND manual components of a control are evaluated. This again emphasizes the importance of training engagement teams so that financial statement auditors can dialogue around IT testing and so that IT auditors understand financial statement audit objectives.

2. Integration of the audit: If teams are already performing procedures to evaluate the design and implementation of IT controls, including GITCs, why not go ahead and perform an integrated audit? We’ve written about the inevitability of integrated audits , but certainly now with the new SAS 145 requirements, it seems like an obvious next step to leverage the work performed and plan on a controls reliance approach. The bulk of controls testing work is performed in identifying and evaluating the design and implementation of controls. Testing the operating effectiveness is the easy part once the design has been understood. This will become increasingly important, if for no other reason than testing the completeness and accuracy of information produced by IT systems. The completeness and accuracy of data is paramount for any audit procedure, but especially as data analytics gain traction.

Key Takeaways

As audit standards are updated for the 21 ^st Century, there is an increased focus on the IT environment in the context of understanding the entity and performing risk assessment. This increased focus is directly correlated with the increasing importance and prevalence of IT as companies automate business processes and invest in technology solutions.
Regardless of planned reliance on controls, ALL teams will need to perform procedures to evaluate both the design and implementation of controls for significant risks, journal entries, those areas where the team is leveraging controls reliance and those areas where an understanding of the controls is necessary to appropriately conclude on risk assessment. Part of this understanding requires understanding the IT environment and how it impacts controls.
Firms should consider hiring additional IT resources, whether direct hires and/or through the use of contractors, so that every audit team has an IT presence.
Trainings can help up-skill financial statement auditors so that they understand IT considerations as well as educating IT auditors so that they have a strong understanding of audit objectives.
Tools and templates can facilitate effective walkthroughs to evaluate the design and implementation of controls.
Integration is critical: integration of the financial statement auditors and IT auditors into one engagement team and the eventual integration of controls reliance in all audits.

[1] SAS 145.25.a.i

Remediation in a World of Repeat Findings: PCAOB Guidance for the Remediation Process

Thu, 13 Apr 2023 22:20:17 GMT

It has been more than 20 years since the formation of the PCAOB. Over time, the inspections process has transformed and along with it, the reporting and remediation processes. In February of 2023, the PCAOB published its Spotlight: Additional Insights on the Remediation Process. In light of the new guidance as well as considering the fact that the new quality management standards will require all audit firms (international or domestic, public or private company audits) to remediate both engagement and firm-level deficiencies, it’s clear that there is a renewed emphasis on the remediation process within the industry.

The spotlight provides much of the same information previously released through various publications, such as the PCAOB Staff Guidance from November 2013, which highlights the main considerations that the Board reviews when evaluating the effectiveness of remedial efforts. Specifically, the Board reviews the following criteria:

Change: Is the remedial action a change from the current quality control (QC) system? In what ways?

Relevance: Does the action specifically address the deficiency? Both in terms of subject but also in terms of causal factors? Design: Is the remedial action, as designed, appropriate to address the QC failures?

Implementation: Was the remedial action implemented in the remediation period?

Execution and Effectiveness: How effective was the remedial action? How does the auditing firm evidence that?

While we’ve touched on many of these items in previous remediation articles , let’s explore some of the new insights from the February 2023 Spotlight below:

Repeat Criticisms

Most firms have at some point probably had some sort of repeat finding. For many, the EQR deficiency seems to recur in every inspection report, but I imagine many firms are also seeing repeat findings in ICFR (think of management review controls or MRCs) and estimates, two of the most commonly cited deficiencies for many years running now. When firms have repeat findings (i.e. same or similar deficiencies in consecutive inspection reports), the PCAOB critically assesses the remedial actions to understand how these actions will resolve the issue. We like to use the word “incremental.” How is the remedial action incremental, or “meaningfully different” in the words of the PCAOB. For instance, if you develop and deliver a training on auditing estimates, but then have a repeat finding in your subsequent inspection report, the PCAOB will challenge whether another training is an effective remedial action. The question will be asked “how is that additional training meaningfully different to what was delivered previously?” What other incremental actions could be implemented to address the criticism? We’ll delve more into training later, but the point is that just because a remedial action was considered effective in the past does not mean it will be considered effective today. And if it was truly effective in the past, why then is there a deficiency today?

Root Cause Analysis

This leads well into the next concept: root cause analysis. If you are seeing repeat findings in your inspections, it’s an indication that the root cause for the deficiency has not yet been addressed OR there could also be a new root cause that requires specific attention. The new quality management standards require firms to perform a root cause analysis. A thorough root cause analysis helps firms to understand the causal factors contributing to the overall deficiency. From these causal factors, the firm can then appropriately design remedial actions. Think of it like going to the doctor; a doctor could prescribe medications to treat symptoms, but a root cause will direct the doctor in how to prescribe the right medication to treat the causal illness and thereby eliminating all symptoms.

Firms need to start performing robust root cause analyses to understand what is giving rise to the deficiencies. The PCAOB warns that there may be multiple causes so don’t jump to the most obvious conclusion. If you don’t address all causal factors, while you may be able to pass remediation, you risk having the deficiency occur yet again and the remediation process will only get more stringent.

As well, while root cause analysis is typically focused on deficiencies (negative audit quality), the PCAOB has indicated that many firms are starting to perform root cause analyses for “clean” audits (positive audit quality) so as to identify what worked well. These success factors could be fodder for new remedial actions implemented at a firm-wide level.

Training

Training is the most common remedial response we see in the industry. And that makes sense; awareness is certainly the first step in driving change. However, after 20 years of inspections and remediation, training is proving less effective given the number of recurring deficiencies.

When the PCAOB evaluates the sufficiency of training for remediation purposes, it considers the following:

Is the training specifically tailored to the company? Does the training speak to the specific deficiency? At what level of granularity? Buying an off-the-shelf training that summarizes the requirements of AS 2501 is different than engaging a consultant with audit expertise to specifically design a tailor-made training on AS 2501, pulling in PCAOB inspection results, identifying common PCAOB failures, and crafting case studies from the firm’s specific findings.

What is the format of the training? Live webinars and in-person trainings are typically viewed as more effective than e-learning self- studies.

Who is delivering the training? What are the qualifications and experience of the presenters?

Who is the audience and how was participation monitored/enforced? The PCAOB generally expects that firms identify their target audience. However, if the training is covering something such as inventory observations, it probably makes sense that all staff levels attend the training since the procedures are typically performed by more junior associates and by the time a manager is reviewing, it might be too late to effectuate real change (we rarely go back to perform a second inventory count). How does the firm ensure those absent from the training get “caught up?” Even if the firm offers a make-up session or records the training for future reference, there’s an implicit attitude when only 50% attend live and the rest make-up the training later. It’s an indication of tone-at-the-top and a lack of regard for the importance of that training. Training that is designed for remediation should be attended by all required professionals; truants should be the exception.

Is there a post-course knowledge check? Is the course CPE eligible? Both factors elevate the significance of the training. Post-course knowledge checks are especially important as they help evidence knowledge retention, which helps demonstrate the effectiveness of the remedial action (i.e. refer to the five criteria above). We’ve seen firms fail remediation because they didn’t do knowledge checks, so don’t underestimate its significance.

Guidance and Tools

The other most common remedial action is the development of new guidance and tools/templates to guide teams through various auditing requirements. We’ve helped numerous firms develop templates for auditing ICFR (or even more specifically, auditing management review controls), auditing estimates, evaluating CAMS, etc. When evaluating the sufficiency of tools and templates, the Board considers the following:

Design of the tool: Does the template pull guidance directly from the standard? Does it specifically address the deficiency cited in the inspection report?

Effective date: When was the guidance/tool implemented and effective?

Required use: When is the template applicable? Is it required in all circumstances? Generally, the PCAOB will expect tools to be required to be used on all audits where there is potential for a failure.

Communications: How was the guidance/tool communicated within the firm? Again, tone at the top matters. Did the firm provide any education around the guidance / templates?

Implementation and monitoring: How did the firm go about implementing the tool? Were there required consultations in the first year? Were there targeted inspections to ensure teams are complying with the new guidance and/or effectively completing the templates?

Subsequent Inspections

We have started to see an acceleration of inspections and many clients are being inspected every two years instead of every three years as they were accustomed to. Considering that PCAOB reports are sometimes issued a year or more after the inspection and by the time you add another year for the remediation process, many firms are now being inspected while they still have open remediation periods. So, what’s the big deal? It means that the PCAOB will be in the midst of evaluating the effectiveness of remedial actions while also performing a subsequent inspection. Results of that subsequent inspection could have a direct impact on the remediation assessment.

The Board did clarify that a subsequent inspection finding is not automatically a failure. Rather, the PCAOB looks to see how proactive the firm is in monitoring and addressing known deficiencies. As well, the PCAOB looks to see whether there were multiple actions to address a deficiency or just one and how broad the remedial actions were (i.e. training over inventory estimates vs. training over all accounting estimates). Finally, there’s this concept of continual improvement. If a firm had six ICFR findings in one inspection report, but only had one ICFR finding in the subsequent inspection, that could be a sign of improvement. Of course, it’s always facts and circumstances specific and numbers can be deceiving. If there was only one audit with ICFR, then one finding would result in a 100% hit rate. If there were eight integrated audits and only one with an ICFR deficiency, that tells a different story.

The point is, be aware of the timelines and understand that the results of PCAOB inspections will impact any open remediation assessments. This is why it’s important to understand root causes and map remedial actions to causal factors. While a firm might have ICFR deficiencies recur in multiple inspection periods, if the firm can identify different root causes and thus different remedial actions, it helps demonstrate how and why the firm responded as it did.

The point is to acknowledge subsequent inspection findings and incorporate them into your remediation response, demonstrating how the firm has analyzed the results, what they are proactively doing to address the new findings and how the results impact (or do not impact, and why) any open remediation responses.

Timing and Dialogue

Finally, we can’t emphasize this enough, but start dialogue in the 12-month remediation period early ! In its letter that accompanies inspection reports, the PCAOB has now indicated that it expects firms to initiate a dialogue within 60 days of receiving the report. Remember, the remediation period only lasts for one year and firms need to demonstrate how their remedial actions fulfilled the five criteria during that time; this means, demonstrating the effectiveness of remedial actions which often is validated through internal firm monitoring procedures which take time!

Start the conversation early. Explain the intended remedial responses. Begin implementing the actions and continue dialoguing with the PCAOB to understand their concerns or feedback. Firms are able to have as many conversations as they would like with the PCAOB remediation staff during the one-year timeline, but each submission and review takes several weeks for the PCAOB and PCAOB feedback sometimes requires changing course or entirely altering the intended actions. Allow time to modify your response without being rushed.

Understandably, some remedial actions will take longer than a year to fully implement and/or see the improvement. That doesn’t mean wait until the last minute to implement. In these circumstances, break down your response into milestones to demonstrate progress and help define various measures of success.

Key Takeaways

Consider how remedial actions are incremental and “meaningfully different” from previous remedial actions, especially if there are repeat findings.

Start performing root cause analyses and build the results into your remediation response.

Ensure training is designed appropriately. Consider content modification, expertise of the presenters, delivery methods, target audience, and don’t overlook knowledge checks (an effective tool to demonstrate effectiveness).

Design robust new tools and templates and intentionally communicate the new requirements.

Consider results of subsequent inspections and specifically address them in your remediation response. Some results may indicate a need to perform additional actions. Some results may indicate a nuanced finding that tells a different story.

Start early! Engage in dialogue and keep the process moving.

DÉJÀ-VU: Bank Failures & Audit Quality Risks

Wed, 12 Apr 2023 16:56:37 GMT

For anyone who lived through the 2008 global financial crisis, the recent banking headlines feel like déjà-vu. As Shakespeare said, the past is prologue, and sure enough, we are seeing multiple banks like Signature Bank and Silicon Valley Bank (“SVB”) collapse. There will undoubtedly be robust root cause analyses and in-depth regulatory investigations, but the common issue facing banks right now is the significant increase in interest rates.

As interest rates rise, the value of fixed income securities tends to fall. Conceptually, a 15-year bond issued in 2020 when interest rates were rock bottom will lose value as interest rates rise. The reason being, in the current market, investors can purchase a 15-years bond with today’s higher interest rates, meaning, that the same bond issued in 2020 with lower interest rates is worth less today and would sell at a discount on the open market.

That’s great, but what does this have to do with banks? Well, banks take deposits from customers and invest the cash according to various risk considerations; many of these investments are in more stable fixed income securities. Even if a bank held US treasuries, arguably the most risk-averse investment, given the significant rise in interest rates over the past couple years, these fixed income portfolios have lost value. If the securities are held to maturity, the bank will receive 100% of the principal, so from a long-term perspective, the bank is fine. However, in the short term, if customers lose confidence in the bank and there is a run, the bank would ultimately become insolvent because it would not recover the face value of the lower-interest-rate bonds in today’s high-interest-rate market. Thus, as was the case with SVB, once there was a run on the bank, it had to shut down within hours.

There will be more detailed accounts to follow, but let’s take a moment and reflect on the rise in interest rates and the threat facing many banks. From the 1980’s through the 2008 global financial crisis and even further through the pandemic, we’ve been living in a declining interest-rate environment. For young auditors, this may be the first time they’ve seen rising interest rates. So, what are the relevant audit considerations for a bank engagement? And what are the possible audit concerns for all other companies and industries?

Banking Engagements

Going Concern

Financial statements are predicated on the concept of going concern , that an entity can continue operating for at least another twelve months from the date of auditor’s report. For context, SVB’s financial statements were issued on February 24, 2023. Two weeks later, on March 10, 2023, the bank was closed. There was no explanatory paragraph or emphasis of matter and no critical audit matter (CAM) disclosed in the auditor’s report, and yet, all it took was two weeks. In this case, one might conclude there was no going concern discussion either because the bank’s liquidity was strong, or the watch dog was too weak to bark.

As teams consider the going concern assumption, we encourage you to engage in dialogue with management and really challenge management’s assertions.

Look at the bank’s liquidity. Look at the investment portfolio mix. Deposits, by their very nature, tend to be short-term liabilities. What is the bank’s mix of short-term and long-term bonds? Short term bonds (because they tie up money for less time) are impacted less by interest rate hikes compared to long term bonds.

Review management’s asset and liability stress tests. What happens if there is a decrease in valuation of investments and an increased demand for deposits? If management doesn’t perform stress tests, first consider the impact on internal controls and then consider performing your own stress tests.

Ask management how it intends to weather the current rising interest rate environment. Given higher borrowing costs, many customers will likely try to use cash, pulling from deposits, in lieu of borrowing. How is management hedging this risk? Because inquiry alone is never enough, corroborate management’s assertions.

Consider analysts ratings and external information about the bank. While external information may be biased, it can have a significant impact on credibility and confidence in the bank. All banks have capital reserves and some liquid cash to offset returns of deposits, but a mass run on a bank (typically due to lack of confidence) can bankrupt the bank. Analysts have a lot of power over confidence in a company.

Consider the bank’s exposure to any other banks and/or credit institutions.

Valuation

Rising interest rates also impact valuations. Let’s take a look at some of the more prevalent concerns:

Investments – Equities and Fixed Income: As we’ve all seen, the equity market took a hit last year and has been slow to recover. As well, the rising interest rates have taken a hit on the value of fixed income securities. Essentially, investments are down right now. Audit teams will need to evaluate whether the decreased valuations are indicative of other-than-temporary-impairment (OTTI). Considering there is no current interest rate relief planned (in fact, the Fed continues to raise interest rates in light of bank failures), there are strong indicators of potential impairment. What seemingly used to be “just a disclosure”, OTTI related disclosures have now become very sensitive information used to assess how much of the bank’s investments are under-water and for how long. This begs a question that engagement teams should also consider: classification of investments as held-to-maturity. For many banks, this may no longer be an option; again, what are management’s intentions and more importantly can banks hold onto under-water investments long enough to withstand customers’ demands to withdraw cash?

Investments – Derivatives: Engagement teams should pay particular attention to the valuation of derivatives that incorporate interest rates. Bank failures and overall monetary tightening have introduced new credit risks which could impact the effectiveness of any number of derivatives. Wall Street has created derivatives for everything, so be sure to read the fine print in every contract and understand the inputs into the valuations. While the unrealized positions for derivatives may appear immaterial at times, don’t underestimate the notional value which can be many times the unrealized position and presents real risk if triggers linked to interest rates are met.

Impairment – Goodwill and Intangibles: With increased interest rates comes increased discount rates which brings lower net present values for any discounted cash flow projection. Thus, the risk of impairment for goodwill and intangible assets has increased by default. Given the drastic increases in just over a year, large cushions enjoyed in recent years may easily disappear within a year (or less). Add in the uncertainty in the markets with high inflation rates and the “looming” recession expectations, engagement teams need to really dig into accounting estimates , understand the methods and changes from prior year, validate the data and challenge assumptions. Again, what is management doing to understand and evaluate the sensitivity of significant assumptions?

Allowance for Credit Losses

The most challenging part of any bank audit is the allowance for credit losses (ACL). This is commonly cited as a critical audit matter and is one of the most common findings on PCAOB inspections. While an interest rate increase does not directly correlate to an increase in the ACL, the general economic environment contributing to the increased rates has a direct impact.

In KPMG’s CAM on the ACL in SVB, one of its audit procedures included “evaluating the historical observation period, focusing on the relevance of the full economic cycle relative to the Company’s current portfolio.” What does “full economic cycle” mean in today’s environment? For context, it has been approximately 15 years since the last financial crisis. Interest rates dropped and though there was some recovery pre-pandemic, interest rates remained low and bottomed out during the pandemic. While banks use lookback reviews to develop models for the ACL, most models have no recent, relevant data for the current economic environment: high inflation, rising interest rates, quantitative tightening and significant economic uncertainty.

Though auditing an estimate doesn’t change in light of the economic environment, engagement teams should increase their professional skepticism and seek to understand (and challenge) how management identifies potential credit concerns amongst its loan portfolios. Dig into the assumptions and understand what has changed in the model year over year. Considering many models may not have the most relevant historical data, what adjustments have been made to qualitative factors to adjust for the current economic conditions? Or if there were no changes, is that appropriate?

Communication and Disclosures

As banks prepare financial statements, consider the sufficiency of risk disclosures. SVB had a significant concentration of customers in the venture capital industry. Are customer concentrations appropriately disclosed? Based on the disclosures, ask management how it hedges these risks?

In addition to disclosures, consider also the need for communication with the audit committee. If there is significant doubt about an entity’s ability to continue as a going concern, this should be discussed with the audit committee, and potentially, also be a CAM or included in an explanatory paragraph in the auditor’s report. And do not forget about communications from banking supervisors and regulators, both Federal and State. These regulatory findings may indicate potential troubles in bank’s liquidity management.

All Other Engagements

While banks are currently the most at-risk for rising interest rates, all companies are impacted by both the rise in interest rates as well as the potential bank failures.

Going Concern

Similar to banks, many other companies will need to consider the potential risk to going concern. For companies with large cash positions, what would be the impact on going concern if that cash was no longer available? Inflation, rising interest rates, and a looming recession will impact future revenue growth and increase borrowing costs. What is management doing to mitigate liquidity concerns? What do the stress tests demonstrate?

Valuation

Most companies will be impacted by many of the same considerations on valuation, as discussed above. However, certain industries will have greater risks and/or concerns. For instance, insurance companies use insurance premiums to invest in alternative funds; many of these funds are impacted by the rising interest rates and the depressed market. For any company with significant leases, rising interest rates mean rising incremental borrowing costs which will impact lease valuation.

Debt Covenants

Rising interest rates often impact balance sheets unexpectedly which in turn can trigger unforeseen non-compliance with debt covenants. Teams should be sure to fully understand all terms and conditions pertaining to debt covenants. If a covenant is breached, inquire with management how it is proceeding with the creditor and then corroborate it. If the bank agrees to waive non-compliance, what evidence is there from the bank to support this assertion? How long will the bank waive the non-compliance? A waiver for one quarter may mean the company is okay at year-end, but failure to indicate future waiver could directly jeopardize the going concern assumption, depending on the amount of debt. Considering that banks/creditors rarely provide waivers, what other means of survival does the entity have?

Communication and Disclosures

Similar to banks, non-banking companies need to review risk disclosures. Engagement teams should specifically consider various credit risk disclosures such as cash positions over the FDIC insurance limits and concentrations in banks. And similar to banks, consider any appropriate audit committee communications and potential CAMs to be included in the audit report.

SVB was unexpected and then shortly after, we had another episode of déjà-vu when Credit Suisse made headlines, being given a lifeline by the Swiss regulators before being bought by UBS. And despite the risks facing the banking industry, the Federal Reserve still increased rates in March, albeit only 25 basis points (bps), as opposed to the anticipated 50 bps. The point is, we’re not through the thick of it yet. The risks are real and as auditors who perform risk-based audits, we need to ensure we understand how the current environment is impacting our clients, their customers and their creditors. Everything is more interconnected than we might imagine, so take time to thoroughly evaluate the risks and design appropriate audit procedures to address those risks, which might also include expanding explanatory paragraphs or including an emphasis of matter in the auditors’ report.

Key Takeaways

Going concern is key to financial statements. Thoroughly evaluate the going concern assertion. Understand management’s plans and intentions and corroborate the critical factors that support its assertion, including performing stress tests to identify potential risks.
The current economic environment is uncertain. Higher interest rates directly impact fixed income securities as well as any fair value derived through discounted cash flows (i.e. impairment analyses, leases, etc.). The current economic uncertainty is also making it difficult to forecast cash flow projections; be sure to understand the method/model, validate the relevance and reliability and/or completeness and accuracy of data used and challenge (and obtain support for) the reasonableness of assumptions.
The ACL is already difficult to audit, but with so much uncertainty and considering that most historical data does not reflect the current economic environment, engagement teams need to critically evaluate the current year assumptions and understand how qualitative factors are being adjusted to account for changes in the macro-economy.
Communicate appropriately with the audit committee and management, as necessary and/or required under the auditing standards. This is an unprecedented time for many auditors and many in management, so talk it out and ensure collective understanding of the risks, the appropriate audit procedures, and any pertinent (or required) disclosures in the financial statements.
It’s always a good time to remind teams about the importance of increased professional skepticism. Ask yourself: who is my client? A bank? Its investors? Deposit holders? And let’s keep our names out of the headlines; we don’t want to be the “watchdog that didn’t bark.”

REMEDIATION SPOTLIGHT: PCAOB Additional Insights

Tue, 07 Mar 2023 15:55:03 GMT

The PCAOB recently released the Spotlight: Additional Insights on the Remediation Process . In it, there is a crucial distinction as to what constitutes a repeat or persistent criticism.

"A criticism that occurs in Part II of at least two consecutive inspection reports, or that occurs consistently, even if it skips one or two inspection reports, is considered a repeat or persistent criticism. The inspections staff evaluates similar deficiencies, regardless of how these deficiencies have been categorized in Part II in prior inspection reports. For example, if the year subject to remediation included a QCC related to testing assumptions of estimates, and the prior year included a QCC related to testing assumptions of business combinations, the QCC for the subsequent year would likely count as a recurrence because the underlying deficiency in both instances relates to testing assumptions.”

It is important that firms do not mistakenly believe that because a quality control criticism is not reported in one inspection, that the finding, if it comes up again, is not a repeat finding. It is imperative that firms focus on similar deficiencies as they prepare for subsequent inspections to ensure that any remediation or monitoring processes have effectively addressed the deficiency. Also, a firm’s timely reactions to any previous ineffective actions will count in its favor. “The Staff Guidance further discusses the fact that strong remediation efforts, particularly when accompanied by effective firm monitoring procedures and timely adjustments, can weigh favorably in the inspection staff’s recommended remediation determination, even if subsequent inspection results indicate recurrences of the same type of deficiency.”

The spotlight further mentions that when employing any new tools to address previous deficiencies, it is critical that the firm ensures that the new tools are mandatory and that its teams are using them effectively. Additionally, as firms develop remediation training programs for teams, the spotlight outlines important aspects to be included that firms may lose sight of.

To read the full spotlight please visit the PCAOB’s website by clicking here .

PCAOB INSPECTION OBSERVATIONS: A Recap of 2021 Inspections

Thu, 16 Feb 2023 15:06:11 GMT

PCAOB Inspection Observations: A Recap of 2021 Inspections

As part of its initiative to increase visibility as well as to provide meaningful information, over the past couple years, the PCAOB has released an annual inspections observation report. The 2021 inspection observations, which was most recently published in December 2022, contains various sections which address some of the trends related to inspections, the recurring deficiencies both at the engagement and QC level, as well as some of the best practices observed. Let’s take a closer look at each of the four main sections of the report:

Trends in Inspections

This is the first visibility into audit quality during the pandemic. During 2021, the PCAOB inspected a total of 690 audits across 141 audit firms; 12 of those firms are annually inspected and the other 129 are triennial firms. 2021 inspections were predominantly over audits of fiscal years ending on December 31, 2020. Overall, the PCAOB found an increase in inspection findings across all inspections. Approximately 55% of audits will have at least one Part I.A and/or Part I.B deficiency, up from 44% in 2020.

The PCAOB continued to increase unpredictability in its inspections, both in the selection of issuers and in selection of focus areas. That said, the Board still performs its own risk assessment and intentionally inspected larger public companies with a focus on financial statement areas with a greater risk from COVID, such as impairment and current expected credit losses (CECL). In addition, the PCAOB’s Target Team also performed inspections across firms over specific focus areas. In 2021, the Target Team focused on fraud, going concern, SPACs, and cash and cash equivalents; their findings can be found in the PCAOB’s August Spotlight .

Common Deficiencies

The most insightful portion of the PCAOB’s spotlight is the section on recurring deficiencies. We’ve written about many of these before, including the Regulator Who Cried Wolf and Repeat Findings , so it should come as no surprise that many of the current year's findings are repeats from prior years.

The PCAOB explicitly stated: “We expect audit firm leadership to address the recurring nature of these deficiencies and monitor the effects of actions taken. An audit firm’s inadequate response to address recurring deficiencies may warrant additional action such as the Division of Registration and Inspections referring firms to the Division of Enforcement and Investigations for potential investigation or disciplinary action for failing to comply with PCAOB standards.” We have seen through our work with firms that the PCAOB is in fact taking enforcement seriously. The PCAOB has also expressed its expectation that firms begin performing root cause analyses to understand the reason for repeat findings. Root cause and remediation are significant parts of the new quality control standards , so firms need to take this statement to heart.

Let’s take a closer look at each of the sections identified by the Board:

Internal Control over Financial Reporting (ICFR)

Management review controls (MRCs): MRCs continue to be one of the most cited deficiencies in inspections. Engagement teams need to understand and document precision, review procedures performed by management and how the engagement team validated these procedures, identification of items for follow-up and whether such items were addressed.

Identifying and selecting controls to test: This goes back to understanding the likely sources of potential misstatement or “what could go wrong” (WCGW). Each WCGW should have a correlated control to address the risk. This includes controls around completeness and accuracy of information used in controls.

Testing operating effectiveness (aside from MRCs): Engagement teams need to ensure they are sufficiently testing all relevant control objectives. Remember that inquiry alone is not sufficient. Also, the nature of the test and the evidence obtained must correlate to the assessed risk.

Evaluating deficiencies in ICFR : Engagement teams are quick to document why every deficiency is “just a deficiency” and not a material weakness. We encourage teams to begin with the concept that if a control is in scope, it is designed to address a risk of material misstatement, which means that if it is deficient, it is a potential material weakness. Start with that premise and then consciously pare it back based on the relevant criteria.

ICFR is especially important in integrated audits given the fact that controls often impact the nature, timing and extent of the substantive audit. In other words, if controls are not tested properly, then the substantive audit testing approach may no longer be supported.

Revenue and Related Accounts

Evaluating accounting: Especially in light of the new ASC 606 guidance, the PCAOB has focused on the auditor’s evaluation of the technical accounting, in accordance with the applicable financial reporting framework. Inspectors consistently took issue with engagement teams’ failures to evaluate the identification and satisfaction of performance obligations and the allocation of transaction price. In addition to accounting, the PCAOB cited concerns around insufficient footnote disclosures.

Completeness and Accuracy (C&A): This topic seems to recur throughout all the PCAOB’s findings and will only continue to rise in importance as companies move away from more manual processes and implement more information systems, automating significant processes. Data is only as useful as it is complete and accurate (if generated from inside the company) or relevant and reliable (if generated from outside the company).

Technology-Based Tools: Firms are increasingly using software audit tools in substantive audit procedures; in particular, the PCAOB noted increased use of technology in revenue, but also in testing inventory, journal entry testing, investments, and CECL. Inspectors are identifying concerns around:

Populations used in data analytics: What is the population being used? Is it complete? Is it relevant? Is the data “pure” or is it mixed with other irrelevant information? For instance, if the engagement team is performing a cash proof for revenue, how does the engagement team know that the cash population is ONLY for revenue payments? Does the cash population include cash payments for other financial statement accounts?

Resolving exceptions identified: When using data analytics, all exceptions need to be identified AND resolved.

Accounting Estimates

Estimates have always been difficult to audit, but COVID especially challenged the auditing of estimates given subjective assumptions and measurement uncertainty. The most prominent findings included:

CECL – Engagement teams often did not sufficiently evaluate qualitative factors used in calculating reserves. The PCAOB specifically indicated its concerns around teams’ failures to evaluate changes in qualitative factors AND/OR evaluating the lack of changes year over year.

Reasonableness of significant assumptions: Specifically, in forecasted cash flows, engagement teams failed to sufficiently evaluate the basis for the assumption as well as the consistency of the assumption within the industry or compared to external factors (i.e. COVID) as well as within company, taking into account management’s intent and ability.

In other words, as part of the evaluation of significant assumptions, it’s not enough to just obtain some support; auditors need to take a step back and fulfill all requirements of the standard , including comparing the assumptions to external factors, to management’s intent or ability, and to past years’ performance (i.e. perform a lookback review) to understand changes AND lack of changes in assumptions. This is especially true given the unprecedented nature of COVID.

Inventory

Valuation: Engagement teams failed to sufficiently test the cost of material inventory balances. If a balance is material, by its very nature, it poses a risk of material misstatement. We’re not saying you have to audit all 100% of inventory, but the engagement team needs to evaluate (and potentially document) the residual risk of material misstatement for all untested balances.

C&A: Yet again, completeness and accuracy of information used in valuation testing, such as inventory reserves, needs to be tested and documented.

Equity and Equity Related Transactions

Evaluating accounting: Again, teams need to evaluate technical accounting to ensure it is in accordance with the applicable financial reporting framework. In particular, the PCAOB found that many auditors concluded incorrectly on the accounting for warrants related to SPACs .

Digital Assets

Audit evidence: The PCAOB challenged the appropriateness of audit evidence used in performing audits of digital assets . Said differently, the PCAOB is challenging the completeness and accuracy and/or relevance and reliability of information used in audit procedures when testing digital assets.

Other Areas

CAMS : Engagement teams need to keep in mind the completeness of their evaluation of potential CAMs and ensure the completeness and accuracy of the CAMs disclosure in the audit report. The standard is clear that ALL communications to audit committees must be evaluated and documented, even if it’s clear that the communication is not a CAM.

Audit Report: Despite being several years old, engagement teams are still struggling to appropriately calculate auditor tenure, specifically, the start date. For more information, the PCAOB has provided specific guidance .

Audit Committee (AC) Communications: Teams need to remember to communicate ALL required AC communications, including discussing use of accounting firms and shared service organizations, critical accounting policies/practices, and providing material written communications, such as the management rep letter.

Form AP: Like audit tenure, Form AP has been a requirement for several years, but firms are still failing to accurately (specifically regarding use of other accounting firms and accurately calculating % participation based on hours incurred) and timely file Form AP. Again, the PCAOB has specific guidance over Form AP.

Audit Documentation: The PCAOB was often provided with “persuasive other evidence” during inspections, indicating that firms are failing to archive a complete set of workpapers.

Fraud Considerations: Recurring findings include failing to evaluate/document the completeness of the JE population, examining underlying support for journal entries selected for testing, and testing all journal entries meeting the “characteristics of potential fraudulent entries.”

Quality Control Considerations

Through the inspection process, the PCAOB also reviews different quality control aspects of a firm. Some of these findings are identified through specific inspection procedures (e.g. independence checks) while other findings are derived from themes emerging from the results of engagement inspections (e.g. supervision and review). With the release of the proposed QC 1000 , the PCAOB will continue to focus more on the effectiveness of firms’ systems of quality control.

Independence

SEC Reg S-X Rule 2-01: The PCAOB continues to find that firms are failing to prevent and/or identify Rule 2-01 violations. Inspection results indicated that firms’ internal independence compliance and monitoring is often deficient.

Audit Committee pre-approval: Both the SEC and the PCAOB have specific AC pre-approval requirements for audit work, tax services, and non-audit work. In other words, all services performed for a public issuer audit client must be pre-approved in some capacity by the audit committee.

Supervision and Review

The issues below typically stem from audit engagement failures identified in the section above. In other words, if there is a deficiency in auditing estimates (which are typically linked to significant and/or fraud risks), the PCAOB takes the stance that a thorough review by the engagement partner and EQR should/could/would have identified these issues and thus, a prevalence of Part I issues indicates a deficiency in the supervision and review. Specifically:

Documentation: Audit documentation is often insufficient for managers, partners and EQRs to perform a thorough review.

Evidence of EQR review: The PCAOB took issue with the lack of evidence of review. Remember, an EQR review is more than just a sign-off.

Internal Monitoring

Performing reviews: Internal inspections are a requirement under the current PCAOB QC 20 . They will become an even more important part under the newly proposed QC 1000. Whether internally, externally, or co-sourced, the point is, firms must perform internal inspections.

Ineffective reviews: The PCAOB often performs inspections of audits previously inspected by the firm itself. The point is to evaluate the effectiveness of the firms’ review. When the PCAOB identifies issues NOT identified by the firm, it’s an indication that the firms’ reviews are ineffective.

Registration

State registration: The PCAOB identified multiple audits performed in states where firms are not licensed / registered.

Good Practices

In an attempt to provide more useful information to firms to help remediate deficiencies and ensure quality audits, the PCAOB has begun to release “good practices” it has identified from various interviews with firms. These are important tools and concepts that firms should consider incorporating into their own systems, especially considering the impending overhaul of QC systems.

Templates

Many firms are developing templates (that pull directly from the standards) to help facilitate the execution of audit procedures, such as how to test MRCs or how to audit accounting estimates.

Improving risk assessment

Given an increased focus on risk assessment , many firms are revising how they approach risk assessment; ultimately, we perform risk-based audits, so let’s be sure to thoroughly evaluate the risks and then link our audit procedures to the assessed risks.

Subject Matter Experts (SMEs)

The PCAOB noted that many firms are requiring the use (or perhaps consultation) of SMEs in specific audit areas, typically those with higher risk, such as business combinations. In addition, many firms have used personnel outside of the engagement team to help with reviews of certain areas, such as CAMs. SMEs and targeted reviewers help bring expertise and drive consistency in approach and execution across the firm.

Independence

Technology: Firms are investing in technology to help prevent / detect independence violations. For instance, technology tools tracking time charged vs. financial holdings vs. independence sign-offs. Technology can also be used to expand/change how certain procedures are performed, such as importing brokerage statements as opposed to manual input of financial holdings.

Confirmations: More frequent independence confirmations (i.e. quarterly or semi-annually) have also shown to help prevent independence violations.

Disciplinary actions: Finally, some firms are implementing new processes, including disciplinary actions, for failure to comply with firm policies and independence requirements.

Supervision and Review

Metrics: Firms are using technology to start tracking supervision and review, measuring actual reviews against targeted timelines. Achieving these milestones, or failing to, is also being incorporated into performance evaluations. Similarly, firms are establishing certain ranges for various metrics, such as an engagement partner’s and EQR’s hours as a percentage of total audit hours. For partners and EQRs who fall outside the range, firms are meeting to understand the circumstances and conclude on whether additional measures are needed to ensure audit quality.

Templates: As mentioned above, templates (and training) can help guide reviews in accordance with standards.

Key Takeaways

Whew! Breathe for a minute; that’s a lot of information.

Recurring findings are apparent and the PCAOB expects firms to drive change to remediate these issues.

There are several resources (as evidenced by all the links) to help better understand the identified issues and to help resolve the deficiencies.

You don’t have to go it alone; so, don’t hesitate to reach out if you don’t know where to start.

JGA Comments Released on Proposed PCAOB Standard QC 1000, A Firm's System of Quality Control

Wed, 08 Feb 2023 19:03:00 GMT

In anticipation of the proposed standard QC 1000, the PCAOB requested public comment by 2/1/2023. View JGA’s comments here and the potential impact the proposed standard may have on your firm’s readiness. To view the proposed standard QC 1000, A Firm’s System of Quality Control and Other Proposed Amendments to PCAOB Standards, Rules and Forms, visit the PCAOB’s site here .

Revisiting Risk Assessment Under SAS 145 Part I: Identifying Significant Risks

Mon, 06 Feb 2023 17:50:09 GMT

In January of 2022, we wrote about the fact that given some of the newly issued AICPA guidance, the differences between AICPA and PCAOB audits is increasingly diminishing. Although not convergent, there is a move within the audit industry to increase alignment. This is true within the US as well as at a more global level. Is it coincidence that AU-C 315, CAS 315, and ISA 315 all have the same number and all deal with risk assessment? As a follow-up to our previous article , we are going to explore two key elements of the new SAS 145 guidance. In this first article, we are exploring some of the renewed focus on risk assessment. In a second article, we will explore the new requirements around understanding the design and implementation of controls with a focus on further developing our knowledge of information systems and the risks they present in an audit.

In working with engagement teams, we get our fair share of consultations asking to brainstorm how to audit a specific account or transaction. Typically, the first question is, “what is the overall risk of material misstatement?” After all, doesn’t everything begin with risk assessment?

While we may all acknowledge this reality, so often, teams consider the nature of the procedures performed to determine whether something is a significant risk. And we get it. Until the new AICPA standards were released, specifically SAS 145 , the previous guidance defined a significant risk as follows:

“An identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration.”

In other words, a significant risk was determined based on the necessity for special audit consideration. In all fairness, the guidance in AU-C 315 does also provide additional considerations in paragraphs 28 and 29 regarding significant risks. All that changed however with the new SAS 145 which now defines a significant risk as:

An identified risk of material misstatement

i. for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur, or

ii. that is to be treated as a significant risk in accordance with the requirements of other AU-C sections. (i.e., fraud risks)

The new definition is still a bit “convoluted” but at least it is pointing engagement teams to the inherent risk factors as opposed to the procedures performed1.

Okay, so we have improved the definition of significant risks, but what is the big deal? The issue we are seeing in the industry is a failure of engagement teams to properly identify and document risk assessment and specifically, significant risks . Increasingly, when we support our clients on PCAOB inspections and firm’s counsel as an expert in enforcement investigations, we see the regulators challenge engagement teams on their identification of significant risks. What inspection and enforcement staff are getting at is: if the risk assessment is wrong, the audit approach is also inherently wrong.

Assessing the Overall Risk of Material Misstatement

As part of planning an audit, engagement teams develop an understanding of the entity through inquiries with management, reading press releases and interim financial statements, and performing preliminary analytics, among other procedures. Don’t forget that in the new SAS 145 guidance, teams are required to obtain an understanding of the design and implementation of internal controls. This new requirement, which has been the expectation under PCAOB standards, is required regardless of whether the team plans to rely on controls; this is a foundational part of understanding the entity. From this knowledge, teams can begin to understand the likely sources of potential misstatement which enables teams to perform a complete and robust risk assessment. Based on that understanding of the entity and the financial statements, the engagement team performs its risk assessment with the overall risk of material misstatement being predicated on the separate evaluation of inherent risk and control risk.

Inherent risk is the susceptibility of an assertion (linked to a class of transactions, an account balance, or a footnote) to misstatement that could be material, either individually or when aggregated with other misstatements before consideration of controls. The key here is to ignore controls . AICPA and PCAOB guidance provide examples of risk factors including nature and size of the account/class of transactions, volume of transactions, complexity, homogeneity, exposure to losses within an account, degree of uncertainty and subjectivity in estimates, changes from prior periods related to accounting / disclosure, related party considerations, susceptibility to misstatement due to error or fraud, as well as susceptibility to management bias and judgement. Though not exhaustive, you get the point. Inherent risk is based on the nature of the account itself.

Control risk is the risk that a misstatement could occur that could be material, either individually or when aggregated with other misstatements, will not be prevented or detected on a timely basis by the entity’s system of internal control. This part of risk assessment is simpler; to reduce high control risk, engagement teams must test the operating effectiveness of controls. In other words, is the engagement team relying on controls or not?

Based on inherent risk and control risk, the engagement team then considers the overall risk of material misstatement. The specific identification of significant risks varies from firm to firm. Some methodologies build in the identification of significant and/or fraud risks into the inherent risk assessment and some have a separate consideration. There is no right or wrong way here, but the point is to be sure that the risk assessment incorporates clear documentation around significant and fraud risk identification. When identifying significant risks, the literature places a huge emphasis on related party transactions, complex accounting, estimates (given the subjectivity, uncertainty), as well as significant unusual transactions. These items are not automatically default significant risks, but they have a much higher likelihood of being a significant risk (depending on materiality). Keep in mind that just because an account is immaterial does not inherently mean there is no risk of material misstatement; this is where understanding the nature of the account or the qualitative nature of a disclosure is important. For instance, an immaterial allowance for doubtful accounts does not mean there is no risk of material misstatement. As a reserve account, the engagement team needs to consider the risk of understatement when concluding on magnitude and whether an account poses a risk of material misstatement. The same can be said for qualitative disclosures. Materiality is not purely a quantitative consideration.

Nature, Timing, Extent of Audit Procedures

Once risk assessment is completed, the next step is to then design the nature, timing, and extent (or NTE) of the audit response.

The nature of the audit approach can be broken down into various considerations:

Control test vs. substantive test
Within control testing, the nature of the test, such as inquiry, observation, inspection or reperformance
Within substantive testing, the use of analytical procedure vs. tests of details
For both controls and substantive testing, consideration around the use of work of others and review considerations such as reliance vs. reperformance

Timing is a function of when is the testing being performed (i.e., interim vs. year-end test work) and what balance is being tested (i.e. an interim balance or the year-end balance). Generally, the higher the risk, the more we expect testing performed at year-end (i.e., with the most up to date information) and/or testing performed over year-end balances. Interim testing can certainly be useful, such as testing predictable, often low-risk prepaid balances. However, for a significant accounting estimate (i.e., a significant risk), testing the Q2 balance may not be the best approach as it would require extensive roll-forward procedures to ensure the year-end estimate is also materially correct.

Finally, the extent is the amount of test work being performed. This is most often evidenced in the sample sizes used for controls and/or substantive tests of details. However, the extent could also be found in the mix of procedures performed. For instance, while a test of detail may cover the risk related to an assertion, engagement teams may also perform analytical procedures to obtain additional comfort, adding to the extent of testing.

There is nothing terribly new here. Engagement teams build out the audit plan based on overall risk assessment. And that is the key: risk assessment is so critical because it is the starting point for designing the appropriate mix of procedures . If the risk assessment is inaccurate and/or not thoroughly documented, how can anyone conclude on the appropriateness of the audit procedures to address the risk?

Easy as this concept may be, often when we take a step back and compare the audit approach for a significant risk vs. a normal / minimal risk, in theory, the audit approach should look different. And yet, we have often seen engagement teams use a judgmental sample of five to test a low-risk account and then also use a judgmental sample of five to test a moderate or high-risk account. How does this evidence any change in NTE? The theory and concepts are not hard; it is the application of the concepts and ensuring the audit approach adequately takes risk assessment into account that is difficult.

Documentation

After talking through risk assessment in a consultation, the next question is typically “where is this documented?” Often teams have the risk assessment documented in planning, but when we look at the list of significant risks communicated to the audit committee, it does not reconcile with the planning documentation. Or, when we compare the list of significant risks in the CAM evaluation tool, again, it does not reconcile. Primarily, the risk assessment needs to be consistent throughout the audit file. Second, the risk assessment needs to be thoroughly documented. While nothing in the auditing standards requires teams to document why something is not a significant risk, if there is any question and/or professional judgment applied, that needs to be captured in the documentation. If any of the significant risk factors (AU-C 315.29 or AS 2110.70-71) are present, then engagement teams should either a) identify a significant risk or b) document why those risk factors do not represent a significant risk.

What we are seeing is that absent documentation evidencing the engagement teams’ considerations and professional judgment, the PCAOB is challenging the identification of significant risks. In other words, if there is a material account that has complex, subjective assumptions or if there is a material significant unusual transaction and the engagement team did not identify a significant risk and did not document its considerations, then the PCAOB is challenging the evaluation. So, be consistent with the risks identified and be clear in the documentation in your audit file.

Common and Potential Pitfalls

Two common pitfalls we see, aside from the inconsistency of risk identification within an audit file, include:

Forgetting about management override of controls: Most know that revenue has a presumptive fraud risk (and thus is a significant risk, by definition). However, often teams forget to document the presumptive risk of management override of controls. This risk exists, regardless of whether the engagement team is testing the operating effectiveness of controls. Journal entry testing, as required under AS 2401 , is one procedure to address the risk of management override of controls, so teams often claim “it’s inherently considered a risk because we did JE testing” but this does not really demonstrate to the PCAOB how the engagement team considered the entity-specific risk of management override of controls and designed appropriate procedures to address the specific risk.

Performing a thorough evaluation and review of significant risks: While the PCAOB often challenges the under-identification of risks, I have also seen repeatedly where teams will document a significant risk and then, when the audit approach is questioned during an inspection, the engagement team will provide a list of reasons why the audit approach was sufficient. Those reasons are typically linked to inherent risk factors that support why the risk is low. In other words, the engagement team identified a significant risk during planning, but now, when being forced to defend the audit approach, the engagement team is presenting an argument that the risk is in fact low and not significant. Why was it identified as a significant risk at the time of the audit then? Most of the time, I agree with the engagement teams, but that means the risk assessment was not correctly documented during the audit and/or the risk factors changed during the audit, but the team did not revisit risk assessment.

Two potential pitfalls we could see relate to the following:

The new guidance from SAS 145 defines a significant risk as a risk that is “close to the upper end of the spectrum of inherent risk due…” While conceptually easy to understand, firms will need to make it clear to engagement teams what constitutes a significant risk and how to interpret this new definition. Does this mean all higher inherent risks are considered significant risks? What are the factors to be considered in delineating between higher risk accounts and significant risk accounts? Or perhaps firms will need to revisit methodologies and recalibrate the inherent risk scale to allow for more precise delineation so that all higher inherent risks are not automatically defaulted to significant risks.

SAS 145 also includes a requirement to perform a “stand-back” analysis to ensure the completeness of the engagement team’s identification of significant classes of transactions and significant accounts. In other words, after performing the risk assessment, the engagement team needs to stand back and evaluate the potential risk of material misstatement for all classes of transactions and accounts that were not previously in scope. Is there a risk of material misstatement in aggregate? What assertions?

The point is not to go overboard and identify 20 significant risks. We have challenged teams on over-identification as well as under-identification. The point is to be thorough and complete and to capture the relevant judgments that go into performing risk assessment. Also, if the documentation incorporates the relevant risk factors and the engagement teams’ judgments around those risk factors, then the documentation should speak for itself. That is the goal.

Key Takeaways

Remember to separately consider inherent risk and control risk.
For significant, unusual transactions, complex accounting matters, and/or subjective accounting estimates, unless the amounts are obviously immaterial, consider documenting the professional judgment around why something is or is NOT a significant risk.
Once significant and/or fraud risks have been identified, be sure the nature, timing, and extent of audit procedures are appropriately modified to address the specific risk.
Document all professional judgment applied (and considered) when evaluating risk assessment.
Risk assessment is an iterative process, so be sure to continue to update risks (as merited) throughout the audit and be sure risk assessment is consistent throughout all documentation within the audit workpapers, including audit committee communications.

Calamitous CAMs: Clarifying Critical Audit Matters

Mon, 23 Jan 2023 20:06:51 GMT

Despite being effective for several years now, the PCAOB’s guidance around critical audit matters (CAMs) still seems to confound many audit teams. Although inherent in the label “critical audit matter,” let’s first define this term. According to AS 3101 : The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion states:

A critical audit matter is any matter arising from the audit of the financial statements that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the financial statements and (2) involved especially challenging , subjective , or complex auditor judgment . (emphasis added)

The objective of the CAMs guidance is to provide investors with additional insight into some of the challenges within the audit. The CAMs guidance focuses on those items that are material AND that require challenging, subjective, or complex auditor judgment . The standard then goes on to provide guidance to engagement teams on how to identify and evaluate potential critical audit matters and provides specific disclosure and documentation requirements.

Though there is auditor judgement in the final determination of what constitutes a CAM, the process outlined in AS 3101 is fairly straightforward and the recurring comments identified by the PCAOB are often not related to the judgment applied in concluding on CAMs, but rather, around auditor’s failures to follow the CAMs guidance, as prescribed. Specifically, in its most recent inspection observations, the PCAOB cited that it continues to identify recurring issues with CAMs stemming predominantly from the following:

Engagement teams failing to perform a complete evaluation over potential critical audit matters;
Engagement teams failing to sufficiently disclose (in the audit report) the principal considerations that lead the auditor to determine the matter was a CAM; and
Engagement teams failing to accurately disclose the audit procedures performed to address the critical audit matter.

As a former inspector, these types of issues are what we refer to as “low-hanging fruit.” Said differently, these are easy issues for the PCAOB to identify because they’re objective and don’t incorporate judgment; either the engagement team followed the guidance in the standard or they didn’t.

We provide further definition, insight on the effectiveness, and preparedness guidance for CAMs, in our initial JGA blog on critical audit matters here to supplement the information presented in this article.

Completeness of CAMs

The first major issue (which we have seen across the industry on clients of all sizes) is the completeness of the evaluation of potential CAMs. According to AS 3101, the guidance requires that the auditor document its evaluation of all matters that “[were] communicated or [were] required to be communicated to the audit committee” AND “relates to accounts or disclosures that are material to the financial statements.”

At first glance, this sounds easy enough. However, let’s not forget that there are extensive audit committee communication requirements, as outlined in AS 1301 : Communications with Audit Committees. When starting to perform the CAM evaluation and analysis, many engagement teams default to the simple or more obvious communications such as the communication of significant risks and fraud risks, but if you dig into the guidance, audit committee communications incorporate much more than just the significant risks. For instance, engagement teams are required to communicate critical accounting policies and practices, critical accounting estimates, significant unusual transactions, new accounting pronouncements, and alternative accounting treatments, to name just a few. Many of these items will not be a significant risk and may feel routine or ostensibly non-complex, so auditors leave these items out of the CAM analysis. But if you go back to the guidance in AS 3101, these are required communications that typically relate to material accounts or disclosures, which means the evaluation of whether these are CAMs must be documented.

In working with teams through PCAOB inspections or through in-flight or other practice monitoring reviews, we often find that auditors are inherently performing the CAM analysis in their heads but they are not documenting the evaluation, as required. Yes, the A/R allowance might be non-complex, but it’s an estimate and is typically grouped in the accounting policies and/or critical accounting estimates footnote disclosures. This means it’s a required communication to the audit committee and if it’s material, the auditor is required to document its evaluation of whether it is a CAM.

To address this issue, we recommend that firms use a CAMs evaluation tool. A tool that is implemented across the public company audit practice will help ensure that all audit committee communications are considered. In addition, a tool will ensure that all considerations are consistently applied for all matters (e.g. material, challenging, subjective, or requires complex auditor judgment). If an item is not material, then the rest of the tool is relatively easy to complete. If it is material, then the tool will help guide teams in documenting its evaluation taking into account the relevant criteria (refer to AS 3101.12 for specific considerations). There’s no one right way to ensure the evaluation is complete, but a tool will ensure completeness of the potential CAMs and lays out the relevant considerations that support the engagement team’s conclusion on what is and is not a CAM.

Sufficiency of CAMs Disclosure

Once the auditors have concluded on what matters constitute a CAM, the next step is to draft the CAM disclosure language. The guidance in AS 3101 gives specific disclosure requirements including the following:

.14 For each critical audit matter communicated in the auditor's report the auditor must:

a. Identify the critical audit matter;

b. Describe the principal considerations that led the auditor to determine that

the matter is a critical audit matter;

c. Describe how the critical audit matter was addressed in the audit; and

Note: In describing how the critical audit matter was addressed in the audit, the auditor may describe: (1) the auditor's response or approach that was most relevant to the matter; (2) a brief overview of the audit procedures performed; (3) an indication of the outcome of the audit procedures; and (4) key observations with respect to the matter, or some combination of these elements.

d. Refer to the relevant financial statement accounts or disclosures that relate

to the critical audit matter.

While the PCAOB is not often challenging (or at least not taking issue with) the audit team’s conclusion of what constitutes a CAM, the regulator is taking issue with the sufficiency of the CAMs disclosures. Specifically, the PCAOB is finding that audit reports do not provide sufficient discussion around the principal considerations that support the auditor’s conclusion that a matter is a CAM. In other words, the key considerations that are documented in the CAMs evaluation template (i.e. what makes something especially challenging, complex, or subjective, requiring auditor judgment) are not making it to the audit report. The PCAOB has made abundantly clear that CAMs are not intended to use standardized language and that each CAM disclosure should be tailored to the specific audit. However, firms should have draft opinions that include the four bullets cited above so that when the CAM disclosure is drafted, it includes all items required to be disclosed. Again, the PCAOB is not challenging the judgment itself; they’re challenging the lack of disclosure evidencing the auditor’s judgement.

Accuracy of the CAMs Disclosure

In addition to the sufficiency of the disclosure, the PCAOB is also taking issue with the accuracy of the CAMs disclosure in the audit report. Specifically, the PCAOB is finding that CAMs disclosures often cite inaccurate procedures when discussing how the critical audit matter was addressed. Though we haven’t performed a root cause analysis, two of the main issues we’ve seen stem from the following:

Use of boiler plate language: Some firms have drafted standard language for CAMs disclosures. These drafts are typically intended to provide an example. However, some teams don’t tailor this language and as a result, include irrelevant and/or inaccurate procedures.
Use of CAMs from other audits: Similar to the boiler plate discussion above, some teams pull sample CAM disclosures from other audits and don’t tailor the language so that it is client specific.
Drafting CAMs based on planned procedures as opposed to executed procedures: Many teams perform the CAMs evaluation prior to the wrap up the audit procedures. As a result, teams are drafting the CAMs, including referencing the procedures performed to address the critical audit matter, based on the planned audit approach. While we encourage accelerating the audit and applaud early completion of the CAMs documentation, it’s important that the final disclosure mirror the actual audit procedures performed.

Review and Supervision

Although templates and tools help guide teams through the analysis/evaluation and example CAM disclosures can help teams draft the audit report, let’s not forget the importance of the review process. Most firms already have multiple reviews in place for each opinion issued. Despite these elements, the PCAOB is still finding these non-judgmental issues. Thus, certainly, some element of these failures goes back to the timing and quality of the review and supervision.

When I perform inspections, one of the first things I do when reviewing CAMs is to reconcile the CAMs evaluation documentation to the list of significant risks (documented in planning), the planning/interim audit committee communications and the year-end audit committee communications. Often, because there are multiple drafts that go through various team and client reviews, I ensure I am looking at the final audit committee communications.

Similar to the CAMs evaluation tool, when I read the CAMs disclosure in the audit report, the first thing I do is a) reconcile the disclosure to the CAMs evaluation tool to ensure the relevant considerations giving rise to the CAM are adequately discussed in the audit report and b) review the relevant audit steps to ensure the procedures disclosed in the audit report represent the actual executed procedures.

Engagement teams, but especially managers, partners, and engagement quality reviewers should be performing more robust reviews to ensure the completeness of the CAMs evaluation tool and the sufficiency and accuracy of the CAMs disclosures, even if it means performing detailed reconciliations, as discussed above; this is exactly what the PCAOB is doing and if they’re finding the issues, a thorough internal review should also identify these matters. To facilitate these reviews, firms could consider developing a review template (i.e. similar to an EQR checklist) specifically asking about each requirement in AS 3101.

In addition, firms could consider implementing additional “targeted reviews” or require consultations over CAMs. This would ensure an extra layer of review on top of the engagement team, though for any review to be effective, it’s also important that sufficient time be built into the review process; nothing new here – it’s just a matter of planning appropriately.

In December 2022, the PCAOB released an interim analysis report discussing some of its findings around the effectiveness of the new CAMs guidance. Though the evaluation is still ongoing, the goal of the CAMs standard was to provide investors with more specific information related to the audit. That information is only as useful as it is complete and accurate. Thus, the PCAOB’s comments stem largely from the incomplete evaluation of CAMs and the inaccurate/insufficient disclosures related to CAMs. In this, the information age, completeness and accuracy are paramount, whether applying these principles to the data used in audit test work or to the relatively short audit report that sums up the entire audit conclusion.

Key Takeaways

Consider developing a standardized CAMs evaluation tool that includes categories for all required audit committee communications. As part of review, perform a reconciliation from the CAMs evaluation tool to the audit committee communications and to the planning documentation.
Review all CAM disclosures and ensure the disclosures mirror the relevant factors /considerations that lead to the auditor’s conclusion about a CAM.
Reconcile CAM disclosures to the relevant audit workpapers, ensuring the procedures performed to address a CAM are accurately described in the audit report.
Don’t underestimate the PCAOB’s attention detail. Managers, partners, and EQRs need to perform timely, detailed reviews over the CAMs evaluation documentation as well as the CAMs disclosures.
As is always the case, document ANY and ALL judgments applied when evaluating critical audit matters.

PCAOB Regulatory Update: Chinese Firms Avoid Delisting Risks Under HFCC

Tue, 03 Jan 2023 16:50:03 GMT

Last week, the PCAOB announced it gained full access to inspect and investigate firms in China and Hong Kong for the first time ever. This means that the issuers audited by them will prevent delisting from U.S. stock exchanges - at least for now! Read more in this breaking news update from Reuters .

AICPA Conference Takeaways: The Only Constant is Change

Mon, 19 Dec 2022 18:47:22 GMT

I just spent three days in Washington, D.C. at the 2022 AICPA and CIMA Conference on SEC and PCAOB developments. Days were filled with presentations from various regulators such as the SEC, the PCAOB, the FASB, the IASB, and other stakeholders within the industry. Topics were varied but certainly there was a consistent theme: we are living in unprecedented times filled with an incredible amount of uncertainty and with ever-increasing rates of change; exponential evolution some might say. As the old adage goes: the only constant is change.

Tone at the Top

Having attended many of these AICPA conferences, what I thought was perhaps most notable this year was a significant shift in tone, and I saw this in two distinct manners. First, whether the SEC, the PCAOB, the FASB or any other industry group, presenters repeatedly emphasized the importance of acting on behalf of investors and stakeholders and the significance of seeking input from stakeholders. All regulators have processes designed to incorporate feedback on proposed standards and almost every group has various oversight and investor stakeholder committees to ensure the investor public is represented and heard. The other major shift in tone was the emphasis on quality: quality financial reporting, quality disclosures, and perhaps most notably, quality audits . Last year, the SEC enforcement division started that tone shift with a bold statement that auditors are the gatekeepers. This year, the PCAOB’s new board continued that messaging; the Chair of the PCAOB, Chair Williams, made it very clear that the PCAOB is holding auditors accountable and is pursuing strong enforcement actions, as evidenced by the significant increase in both the number of enforcement cases closed in 2022 and the dollar amount of monetary penalties imposed on individuals and registered firms through enforcement actions.

Key takeaway : Investors and stakeholders should get involved and be heard in the standard-setting process. Quality is paramount, and the regulators are holding all responsible parties accountable.

Economic Uncertainty

Though perhaps sensationalized in the media, the reality is that we are indeed living in unprecedented times. Inflation in the US (and most of the world) is the highest it has been in almost 40 years. To combat inflation, interest rates have also been rising to levels not seen in decades. Compounding these factors, there are continued supply chain disruptions partially resulting from effects of the global pandemic, there is Russia’s war in Ukraine, and amongst other variables, there is the unexpected labor shortage (from the Great Resignation). All these factors beg the question: are we in a recession? If not yet, when? How bad will it be? How long will it last?

While these developments make for “interesting” political rhetoric, they also pose real challenges to the accounting and audit professions. For example, rising interest rates (which means higher discount rates) and rising inflation, particularly on costs (which translates to challenging cash flow projections and potentially lower margins), likely implies lower fair values when performing asset valuations for potential impairment. Rising interest rates also indicates higher incremental borrowing rates which equates to lower values for leased assets (and to be fair, lower liabilities as well).

Key takeaway : the uncertainty in the economy is posing real challenges to accounting for and auditing of estimates that are an essential part of financial reporting. Perhaps most simply stated, it’s NOT the same as last year. Auditors need to keep professional skepticism in mind and thoroughly challenge estimates and assumptions, including considering management bias and potential contradictory evidence.

Disclosures and Disaggregation

While many in the audit and accounting profession focus on the numbers in the financial statements themselves, the resounding message from the SEC was simply this: disclosures matter , so get them right! The SEC (Corp Fin, Enforcement, and OCA) spent most of its sessions discussing the significance of disclosures in the financial statements, including disclosures outside the financial statements, but required in the filing such as MD&A. For instance, the SEC made clear that registrants need to revisit risk disclosures and ensure that they are accurate and up to date considering the evolving economic landscape. In fact, though risk disclosures often read as hypotheticals, currently, many of the risks are now actual realities. There is no risk of inflation; inflation is real and relevant. There is no risk of rising interest rates; interest rates have gone up significantly over the past year.

In addition, the SEC and FASB discussed the increasing demand for disaggregation of disclosures. The FASB is currently considering increased disaggregation and disclosure related to segment reporting and income statement line items (such as further disaggregation of expenses and income taxes) and further disclosure related to statements of cash flows. The SEC is similarly releasing additional guidance and interpretations around further disaggregation over disclosures, or perhaps stated differently, around further depth and clarity. Don’t just tell the users “what” but give them more color as to “why.”

Finally, the SEC continued their focus on non-GAAP disclosures and ensuring these are a) labeled appropriately (clearly identified as non-GAAP and not using titles or labels similar to those used in GAAP metrics), b) are NOT more prominent than GAAP disclosures and c) are NOT misleading. The SEC does thorough reviews of SEC filings, but it’s important to know that the SEC also reviews anything available in the public domain including all press releases, earnings reports and issuers’ and management’s social media activity.

Key takeaway: Diligently review disclosures and ensure they are accurate, sufficiently precise (consider further disaggregation) and not misleading or contradictory in any capacity.

Recurring Hot Topics

Just as revenue recognition, leases and credit losses were the subject of recurring discussions for an almost three- or four-year period, the new hot topics included ESG, crypto, and cybersecurity.

Environmental, Social and Governance (or ESG)

Unsurprisingly, ESG was front and center in almost every discussion during the conference. It would be an understatement to say that huge changes are coming. While the fate of the 550-page SEC proposal is undetermined, the future of the US ESG movement is still inextricably linked to the forward progress in Europe. Global multinational firms as well as companies that are in any way a part of the European supply chain will have to start some form of ESG reporting and compliance in the coming years. The discussions at the conference further delved into the potential changes and challenges facing ESG . It seems all major corporations are struggling to find where to house this emerging department, though many agree that financial reporting will house and/or have significant involvement in this area given the current processes and controls in place. Consensus indicates that the biggest struggle will be in two facets:

Divergence in standards and practice: Currently, there are various standards and metrics, and companies are struggling to synthesize the requirements from a global perspective. Much like accounting and financial markets, uniformity across regulators will be difficult to achieve. As well, each industry has different risks and contributions to the ESG space, so uniformity of disclosures and metrics across industries will be difficult. This divergence challenges the comparability of information presented.

Reliability of data: Despite uncertainty in exactly “what” will be required, companies are moving forward with ESG disclosures, thanks largely to investor demands. The other big challenge is figuring out where/how to obtain the data needed for disclosures and then how to ensure this data is reliable. Although data used in financial reporting is subject to rigorous controls over completeness and accuracy (“C&A”), much of the data used for ESG disclosures will come from either internal operations (which may not be subject to strong controls over C&A) or from third parties (which makes it difficult for companies to evaluate C&A). The requirement for some form of assurance (currently expected to be “limited assurance” as opposed to “reasonable assurance” which is the basis for auditing financial statements) will inherently require understanding sources of data and how that data was validated for C&A. This poses a huge challenge to audit firms. Many audit firms are starting “trial runs” with clients to help companies understand the potential level of detail needed to perform a quality audit (or whatever form of attestation the standards eventually require) over ESG reporting. Additionally, ESG will continue to evolve over time and the industry will need to learn to distinguish between errors in previous disclosures and data versus improvements in the quality and granularity of disclosures and data.

Key takeaway : it’s never too early to start preparing for this emerging reporting requirement and do NOT underestimate the amount of time and resources it will take to obtain the data from all potential parties involved, (such as small upstream suppliers), to prepare the disclosures, and to perform a quality assurance service over the ESG reporting.

Crypto

The recurring joke amongst presenters was that you couldn’t sit up on stage and not mention crypto…and sure enough, almost every presenter discussed crypto currency and digital assets . There appears to be a lot of demand for additional guidance (at least the questions submitted to the panels seemed to indicate that); I believe that stems from perhaps a lack of understanding of the emerging technology. Although the SEC and FASB have released interpretations and limited guidance on how to account and report digital assets, both entities seemed to indicate that the current accounting and financial reporting frameworks provide sufficient guidance. The PCAOB also includes crypto as a risk factor when selected risk-based audits for inspection; although there continue to be deficiencies in the audit space, the PCAOB also believes its standards are currently sufficient. So, while there was always mention of crypto, there was actually very little in-depth discussion of crypto.

Key takeaway: understand the technology/industry before engaging in an audit over crypto (meaning, this should be part of your client acceptance considerations, evaluating whether the firm has the right knowledge and competencies to perform a quality audit) and review the various SEC, FASB and PCAOB releases related to crypto and digital assets. I wouldn’t expect drastic changes and/or significant new standards specific to crypto.

Cybersecurity

Surprisingly (in this author’s humble opinion), there was far less discussion of cybersecurity than one might expect. That said, one of the panelists, Pete Cordero, former FBI and current cybersecurity advisor/consultant, also emphatically stated that cybersecurity is “ THE risk of the decade.” And I don’t disagree. Specific to audit and accounting, cybersecurity poses a risk to the integrity of financial reporting systems which in turn poses a pervasive threat to the entire financial reporting process. Cybersecurity also poses a greater risk to society at large whether threatening utilities, financial institutions, or as many learned from Colonial Pipeline, general supply chains, including oil and gas.

Although there was only one hour devoted to cybersecurity, the discussion was robust and informative. The SEC requires disclosures around cybersecurity risks (if they are real and relevant, which given email, inherently applies to every company) and cybersecurity breaches. By its very nature, given the pervasiveness of technology, it’s difficult to determine “what constitutes a material breach?”

Perhaps most indicative of how future regulation may develop, Mr. Cordero discussed some of the proposed amendments to the New York Department of Financial Services’ DFS Part 500 Cybersecurity Rules including the requirement for certain companies with heightened risk to conduct an annual, independent audit of cybersecurity programs. Stop and digest that for a minute. In a realm of ever-changing and unlimited potential risk, what is the appropriate threshold to assert that controls are sufficiently designed, implemented and operating effectively to prevent and/or detect cybersecurity threats and breaches? There’s a lot to unpack here, but for another time.

Key Takeaway: Let’s not overlook cybersecurity just because other hot topics dominate the headlines. Cybersecurity is an ever-present danger that poses pervasive risks to companies and the financial markets and is an important consideration for accountants and auditors alike.

Resources Abound

There is a significant amount of change in the industry and we’re all feeling it. There is a sense of overwhelm at times and we didn’t even touch on the labor shortages and the new quality management standards impacting audit firms. We get it and we feel the pressure many of our clients are facing. Despite the number of changes and emerging topics, I took comfort in seeing just how much the regulators seem to understand the evolving landscape. While they are there to represent their stakeholders, they also want to support the accountants and auditors to empower quality financial reporting and auditing. There is an abundance of resources on almost every topic covered at the conference including publications from the FASB, SEC, PCAOB, AICPA, CAQ, IASB, ISSB, Big 4, industry groups, etc. In addition, as evidenced in the hallways and the underwriter booths, there are literally dozens of companies out there to support you whether in data analytics, scheduling and temporary staffing, knowledge experts and training, etc. And yes, we here at JGA have our fingers on the pulse of the audit industry and are ready to help however we can.

Key takeaway : Resources abound; you don’t have to go it alone!

Transformers: The Ever-Evolving Role of the Auditor

Wed, 14 Dec 2022 15:03:12 GMT

Growing up, I remember the golden age of transformers, these sleek cars that then morphed into incredible fighting machines. Of course, those cartoon childhood memories soon became epic Hollywood action movies. Though perhaps not quite as exciting as Optimus Prime or Bumblebee, as new legislation is passed and as the world is transformed by (actual, not fantastical) technology, it seems every year that the role of the auditor morphs. Auditors are required to have more specialized knowledge about specific emerging industries. At the same time, the FASB and the PCAOB are issuing new standards in the industry while the SEC continues to expand the responsibilities and expectations of the auditor.

As technology advances at exponential rates, its development is impacting auditors in two distinct manners. First is the emergence of unique industries. For instance, blockchain and digital assets have created an entirely new industry; there are companies whose sole purpose is to mine cryptocurrencies . To audit these companies, auditors need to master (or at least thoroughly comprehend) these technologies so as to fully understand the entity and its environment. While many auditors can become conversational in a topic, mastery requires a deeper level of understanding. For instance, understanding the basics of blockchain technology and how it functions is not the same as understanding the mechanics of how crypto currencies are mined. This mastery is necessary to properly assess the risks and thereby design a risk-based audit.

Technology is also revolutionizing how audits are designed and performed. As clients become more automated, with almost all data being maintained within information systems, auditors now need to understand the entire flow of transactions to identify the “what could go wrongs” and thus identify the appropriate controls to address the risks. Given the significance of completeness and accuracy of data, most of which is now generated from IT systems, technology is forcing more and more audits to be designed and executed with a controls reliance approach. The day may come when all audits will be integrated audits because the pervasiveness of information technology within clients’ financial reporting makes a non-integrated audit impractical or impossible. Technology is also being used by auditors to make audits more efficient through the use of systems to automate certain audit processes (such as reconciliations) or to aggregate information and use data analytics to identify anomalies, honing in on more risky accounts and transactions. All of this means that auditors need to have a strong understanding of IT systems including the risks arising from the use of IT, both at the client, as well as internally within a firm’s own technology.

Given some of the efficiency gained from the use of IT in the audits, auditors are now focusing on more complex audit and accounting areas, such as subjective management estimates . Across all industries, management is acknowledging the importance of developing the more creative/critical thinking side of employees, knowing that technology and AI will help supplement the non-judgmental and more routine aspects of any job, but especially within audit and accounting. Job security for an auditor lies in the fact that AI will never truly capture human professional judgment (at least not any time in the near future) and so the ability to think critically and apply judgment in planning, execution and review of an audit will remain a specialized skillset that is critical for auditors.

Outside of IT, both the accounting and the audit industries have had significant changes due to the volume of new guidance. Within the accounting realm, the FASB has released several significant new standards that have taken effect in the past couple years, including changes to accounting for revenue recognition, leases, and the allowance for credit losses. These were significant changes that involved multiple taskforces and years of preparation for the adoption of these standards. In tandem with the accounting changes, the PCAOB released several new standards such as new reporting requirements including critical audit matters, or revised standards around auditing estimates and use of specialists. And currently, considering the new quality management standards taking effect over the next couple years, the industry has been experiencing significant change, adding to the ever-evolving role and expectations of the auditor.

Finally, over the past couple years, the SEC has repeatedly emphasized the role of the auditor as the gatekeeper of financial information and recent actions and sanctions evidence the SEC’s commitment to holding the auditor accountable for quality audits. The PCAOB has also concluded on a number of enforcement cases, further holding auditors accountable in the industry. In 2002, Sarbanes-Oxley expanded the role of the auditor to include opining on internal controls over financial reporting. Then in 2010, the Dodd-Frank Act expanded the role of the PCAOB to include oversight over broker-dealers (both public and private). And now, there is increasing discussion around the role of the auditor especially with regards to reporting over compliance with environmental and social governance standards.

Perhaps most simply stated, ever-increasingly, the role of the auditor is expanding and as a result, auditors are having to become increasingly more competent and knowledgeable. As if that wasn’t enough, the industry is being held to higher expectations and competencies all the while struggling to find and hire the right resources. Considering the current labor market and the future trends in the audit and accounting industry, audit firms need to begin investing more into their resources. As the new quality management standards explicitly call out, resources can be broken down into three main components: human resources, technological resources, and intellectual resources.

Human Resources

When considering human resources, it starts with hiring the right resources with the right education and skillset. Once hired, firms need to focus on retaining the right resources. Retention helps provide cumulative audit knowledge and experience with both clients and with the firm overall. Experience is generally the best way to improve as an auditor; said differently, practice makes perfect. In the current labor market, firms need to consider the various ways of improving retention. While money speaks, job satisfaction is hugely important and that comprises of much more than just salary and benefits. I’m an auditor, so I’m not here to comment on the best practices for retention, but firms need to invest in the resources to better understand what drives employee engagement and ensure the firm can deliver so as to retain top talent.

While retention will help build cumulative audit knowledge and experience, it’s also important for firms to continue to develop their human resources. This means training and educational opportunities. While webinars and online courses may fulfill the CPE requirements for CPA licensing, firms should consider broader training opportunities such as industry conferences and specialized certifications that will truly develop subject matter expertise whether related to specific industries, accounting or audit concepts, or broaden knowledge related to pervasive concepts such as fraud or information technology.

Technological Resources

In addition to investing in human resources, firms need to consider their investments in technological resources. This includes software audit tools and technology, such as audit programs (e.g. cash reconciliations), documentation tools (e.g. automated database workflows), and/or data analytics. These investments will help engagement teams perform more efficient and higher quality audits. Though easy to accept this academically, technology requires a large investment of both money and time. And it requires foresight, looking at emerging trends and thinking outside the box, continually identifying ways to modify and/or automate the audit process. For the larger firms, we’ve seen huge investments in developing in-house technology and tools, but this doesn’t mean the mid-tier and smaller firms can’t also invest in technology. Software services are emerging everywhere and becoming much more affordable, allowing firms of any size to access and use technology to transform audits.

Intellectual Resources

The final component for resources is the concept of intellectual resources. This incorporates various considerations from providing access to subject matter experts, knowledge resources such as accounting resource guides and/or audit programs, methodologies and tools that help engagement teams execute quality audits. Similar to technology, there is a cost in developing intellectual resources. Some of the larger firms develop these resources in-house, but for smaller firms, there are still ways of having access to intellectual resources. Firms can look to alliances and networks to help assist in the development and/or sharing/pooling of intellectual resources. For instance, we’ve worked with a European firm that leveraged its US alliance to consult with audit experts in US GAAP and US GAAS. For smaller firms who may not be connected with an alliance, there are also industry publications and guides such as the AICPA audit guides that provide extensive knowledge and insight. Finally, we’ve worked with numerous firms to help provide intellectual guidance, whether acting as an external “national office” helping with consultations and monitoring programs and overall audit quality initiatives, and/or simply designing audit programs and methodologies for one-off hot topics. The point is, you don’t have to go it alone. There is an abundance of resources available in the market; firms simply need to make the commitment to investing time and money into these resources.

Key Takeaways

• Providing more technical training to auditors, including training about information technology, complex audit areas, such as estimates, and industry knowledge for emerging sectors, will better equip engagement teams to perform quality audits.

• Hiring the right resources and retaining those resources helps build cumulative knowledge and experience both with specific clients as well as with the firm and the audit industry generally.

• Investing in new and emerging technologies will enable auditors to execute quality and efficient audits, through both automation and data analytics.

• Providing knowledge resources through subject matter experts, online research databases, as well through audit methodologies and guidance will enable auditors to execute quality audits competently and effectively.

Given our work with firms across all sizes and sectors, we’ve seen the range of firms that are heavily investing in their resources in anticipation of the industry trends and firms that are struggling to keep up with current expectations. Our message to firms is INVEST more! Audit firms seeking to be proactive can use this investment to gain a competitive edge. Perhaps your firm becomes the go-to firm for auditing digital assets. Or perhaps your firm is able to compensate for the labor shortage through more technologically driven audits allowing it to continue accepting new clients.

Proactive or not, as the role of the auditor evolves, the competitive advantages will, in short time, soon become the expectation. And perhaps speaking to the industry generally, let’s not underestimate the role of the auditor or the time and effort it takes to perform a quality audit. Though historically seen as purely a cost center, auditors and accountants have some of the greatest understanding of businesses and how they operate and with their understanding of past performance, have a wealth of knowledge that is useful for forecasting and projecting into the future and helping manage a business. Perhaps not quite super-heroes like the actual Transformers, but auditors play an ever-changing and ever-increasingly crucial role in the markets.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

Cryptic Audits of Crypto Assets: Considerations for Auditing Digital Assets

Mon, 21 Nov 2022 17:22:22 GMT

When Bitcoin first launched in 2009, the founder, known as Satoshi Nakaomoto, published a paper explaining how Bitcoin and the blockchain technology worked. The starting price per coin was $0. In April 2011, Bitcoin passed the $1 threshold. Over time, as traction grew, the Bitcoin steadily gained in value and eventually surpassed $10,000 per coin in 2017. After that first initial peak, the price of Bitcoin became much more volatile with massive increases and decreases in value, capping out at a value of over $60,000 in Q4 2021 and dropping today to a value of closer to $20,000 per coin.

In addition to Bitcoin, there are now also hundreds of other cryptocurrencies. Some are mainstream and accepted as valid payment for college tuition or even delivery pizza, while other cryptocurrencies are more speculative. Regardless of the coin, the fact is cryptocurrencies are growing in popularity and prevalence and sure enough, they are now popping up on company balance sheets. In fact, there are entire companies whose sole mission is to mine cryptocurrencies.

As with any new development in the markets, it takes some time for accounting and auditing guidance to become clear. The SEC and the FASB have both released guidance helping provide clarity on how to account for and report digital assets. In 2020, while not providing explicit guidance, the PCAOB did issue a Spotlight for Audits Involving Cryptoassets: Information for Auditors and Audit Committees. Through the audit inspection process and review of comment forms issued, we’ve started to see how the PCAOB views cryptocurrencies and what procedures are necessary to sufficiently audit these assets. As with any audit, it all boils down to understanding the entity, its operations, and evaluating and appropriately responding to risks of material misstatement.

When auditing digital assets, here are some key considerations to keep in mind:

Acceptance and Continuance

True for every engagement, it all starts with acceptance and continuance. As firms consider whether to accept and/or continue with a client that has digital assets, firms need to evaluate whether they have the right skills and competence to engage in auditing digital assets. While the concepts may be easy to grasp at a high level, the actual underlying technology and transactions involving crypto assets can be quite complex. These are all unique considerations that should be weighed prior to accepting a new engagement or continuing with an engagement that involved digital assets:

Does the engagement team have access to a digital asset specialist?
Does the firm have IT specialists who understand the technology?
How many other engagements involving digital assets does the partner, EQR, and/or senior manager have?
For clients that mine digital assets, where are the operations performed?
How many locations are there? Does the firm have the access and/or ability to visit all these locations / sites to perform audit procedures?
What about regulatory compliance considerations such as “anti-money laundering” and “know your customer” considerations?
What about management? How educated / competent is management in this industry? For lack of a better word, many amateur investors followed the hype and jumped into the crypto markets without fully understanding how these assets worked. Is management following the hype or are they truly experts/experienced in the industry with appropriate internal controls to enable a quality audit?

Planning and Risk Assessment

Once a firm has accepted an engagement, the next step, regardless of the industry, is to develop a deep understanding of the entity . Whereas many firms are familiar with oil and gas or basic manufacturing and production, the reality is that the cryptocurrency industry is new (even if it’s been more than 10 years) and is ever-evolving, especially given the purely technological nature of the industry.

In understanding an entity, consider these questions:

What is the company’s business? And how do digital assets factor in? For instance, does the company hold digital assets as an “investment” or do they actually mine assets?
What are the investors in the business looking for? This will drive operations and help identify potential risks. How does the company make money? What are the biggest costs?
What technology is being used? Are operations centralized? Many digital mining companies have several worldwide data centers (or “mining sites”). How does the auditor know these sites exist? What controls (i.e. access controls, change management, data security, etc.) are in place in the different sites?
What support does a mining company have for proof of work? How did they prove out the encrypted chain? How do they support the portion of the block they mined?
For digital assets held, what proves unique ownership / existence? Especially in pooling situations where companies work collectively to mine assets, how are assets allocated? What support is there to validate these allocations? Given the anonymous nature of cryptocurrencies, just because someone has access to a wallet, does that inherently mean they have ownership rights?
How is pricing calculated? Cryptocurrencies can trade on multiple platforms and since there are no regulated exchanges, what validates the “right” price?

Especially considering the new SAS 145 standard for AICPA, regardless the audit (public or private, integrated or financial statement only), to properly design an audit, engagement teams need to have a thorough understanding of the entity and how it all works. This enables proper identification of the risks which then allows proper design of audit procedures to address the risks . Given the digital nature of crypto assets, a thorough understanding of the entity will necessarily incorporate a thorough understanding of the information systems used to mine the assets, trade the assets (i.e. exchanges), and hold the assets (i.e. wallets). I would venture to argue that given the technological nature of the digital assets, it would be almost impossible to sufficiently perform an audit without testing internal controls over information systems and the processes in place to mine, recognize, and trade these digital assets.

Materiality is also important. If a company has immaterial holdings in digital assets, then perhaps less risk, but if the company’s operations are entirely focused on mining these assets, well then knowledge and experience matter much more in designing and executing the audit. The point is, acceptance and continuance is the first threshold; it acts as a gateway to filter out clients where the firm is not suited to perform a thorough, quality audit.

Responding to Risks

Once the risks have been properly identified and evaluated, the next step is to design and execute audit procedures to respond to the risks. As mentioned above, this will likely mean testing internal controls. Why is that so important? Because there is almost nothing tangible (i.e. no sales orders, no inventory counting, no paper certificates of ownership, etc.), the biggest challenge for any auditor will be, “how is the engagement team comfortable with the completeness and accuracy of the audit evidence used in audit procedures?”

For example, for a digital asset mining company, let’s say the engagement team decides to perform analytics to help prove out ownership of digital assets at the end of the audit period. To do this, the engagement team will use numerous reports and metrics from the company, such as operating reports that show when mining sites were operational and when they were down, or output measurements, computing factors, etc. These data points can be incredibly insightful and help validate coins mined and ownership rights, but the analytics are only as valid as the data is complete and accurate (if it’s internally derived information from management) or relevant and reliable (if it’s externally derived information). While there is nothing explicit in audit guidance that says, “an audit of crypto assets must incorporate testing the internal controls,” we’d venture to say that audits of the crypto asset industry fall under this caveat in AS 2301.17 :

Also, tests of controls must be performed in the audit of financial statements for each relevant assertion for which substantive procedures alone cannot provide sufficient appropriate audit evidence and when necessary to support the auditor's reliance on the accuracy and completeness of financial information used in performing other audit procedures .

Note: When a significant amount of information supporting one or more relevant assertions is electronically initiated, recorded, processed, or reported, it might be impossible to design effective substantive tests that, by themselves, would provide sufficient appropriate evidence regarding the assertions . For such assertions, significant audit evidence may be available only in electronic form. In such cases, the sufficiency and appropriateness of the audit evidence usually depend on the effectiveness of controls over their accuracy and completeness …

The point is that audit procedures need to be commensurate with the risk. The response is based on audit procedures incorporating audit evidence and the quality of the audit evidence necessarily is dependent on relevance and reliability . We encourage teams to ask lots of questions early in the planning phase to ensure a thorough understanding and then design procedures to ensure engagement teams can obtain sufficient quality audit evidence to support conclusions.

When considering reliability, one of the factors to incorporate is whether information is regulated. For instance, we’ve seen engagement teams support valuation assertions for crypto assets by looking to exchanges and validating the price. While this certainly seems logical, let’s not forget that crypto exchanges are not regulated in the same way as the NYSE or NASDAQ and as a result, are inherently less reliable. This would mean that additional procedures would need to be performed to either corroborate the valuation of the crypto assets (especially considering valuation is typically a significant risk) and/or corroborate the reliability of the information pulled from the exchange. If you aren’t sure what procedures are sufficient, then reach out and consult. We’ve worked with numerous firms to help engagement teams understand the risks and then appropriately design procedures to address those risks.

Key Takeaways

There is more and more guidance emerging around digital assets, but every audit is inherently different with a unique set of risks and there just hasn’t been enough history to develop “routine” audit programs for crypto asset audits.
There are resources out there to help educate firms/individuals. There is more and more guidance being provided, so research SEC and FASB developments, continue to look out for PCAOB publications, read up on Big 4 guidance, and look to other industry reports and information. For instance, the Canadian equivalent of the PCAOB (CPAB), just released in August of 2022 a publication on auditing crypto assets. While CPAB and PCAOB and AICPA standards all differ in various ways, the foundation of a risk-based audit is universal and similar concepts apply across the globe.
Firms need to critically evaluate acceptance and continuance, taking stock of whether they have the appropriate knowledge, experience, and capacity to perform crypto audits.
The most important part of any audit boils down to the planning phase. Engagement teams need to ask all the questions to develop a thorough understanding of the entity and how the operations function. This includes understanding the information systems involved.
In designing audit procedures, the quality of audit evidence will be of utmost importance. Engagement teams need to document why information is considered relevant and reliable and for internally derived information from the company, why that information is complete and accurate. Do not underestimate the importance of controls when auditing digital assets.

Invariably, with new industries, no one has experience to start, so there will be some trial and error. Auditing crypto assets can feel a little like taming the wild west. More than ten years in, I think it’s safe to say that crypto assets are not just a temporary fad; they’re only gaining in volume and prevalence across all industries. Some just love the concept of cryptocurrency while others are more interested in the underlying technology which is giving rise to new and unique assets, beyond just digital currency. For instance, blockchain is the same technology being used in NFTs (or non-fungible tokens) which have taken off in the realm of digital art. Each variation of digital assets will pose its own risks, so take the time to understand exactly what the digital assets are, how they’re created, mined, or obtained, and how they’re being used. Then identify the relevant risks. Then execute an audit to address those risks. And if it still feels cryptic and you aren’t sure where to begin, then reach out for help.

Joe Lynch is Joe has over 25 years of experience in technology, audit, and audit quality compliance with a focus on technology. At JGA, Joe is the IT Audit Advisory Services Leader and works with internal auditors, public and private companies, and regional and national mid-market public accounting firms to implement and to integrate technology into financial processes and improve the audit integration of engagement teams performing integrated audits and service organization reports. He also provides critical input to IT-specific requirements related to new QC standards implementation.

As an Information Systems Inspection Leader for over 6 years at the PCAOB, he conducted inspections of QC and global issuer audits at large firms in the US as well as foreign affiliate firms, focusing on examining quality control and the design and implementation of audit work over IT and service organizations in integrated audits. Joe also has over 8 years of experience supporting financial service industry audit teams as a managing director at KPMG. In addition, his experience includes, over 6 years of active-duty service in the US Air Force and directly supporting companies with IT strategic initiatives such as designing the IT framework for technology departments as well as leading implementations of ERPs and systems.

Johnson Global Accountancy Continues Expansion with Team Promotions and Additional Staff

Thu, 17 Nov 2022 17:47:21 GMT

At Johnson Global Accountancy (JGA), 2022 has been a year of exceptional growth. Just recently, the advisory firm celebrated its five-year anniversary , launched new quality management software , and brought on a new Director of client services . As JGA continues to expand, its dedicated team of dynamic experts are broadening their roles to drive discipline and support increasing needs at the firm. In addition, the company promoted Shannon Lauffer to Operations Associate, and Christy Howard to Senior Marketing Associate, and added Sarah Blackburn as JGA’s new Administrative Assistant.

“These new promotions and new hires are indicative towards JGA’s incredible growth”, stated Jackson Johnson, President of Johnson Global. “We are excited to welcome this trio of administrative, operational and marketing expertise and growth to JGA to complement the recent growth in headcount of our professional services staff in 2022.”

Shannon Lauffer brings 6+ years of administrative experience and project management to her new role at JGA. After spending 1+ year as Administrative Assistant at the firm, she will now be overseeing operations as the Operations Associate. “I am grateful for the opportunity to grow into a new position here at JGA and use my skillset to continue to make a difference at this fast-growing company,” she said. Shannon graduated from the University of Nevada, Reno, with her Bachelor's in Community Health Sciences. Prior to her time at JGA, she followed her passion for helping others by becoming a Program Coordinator with The American Lung Association. Shannon and her family currently reside in Las Vegas, NV, near JGA’s office headquarters .

After almost a year as JGA’s Marketing Associate, Christy Howard will be transitioning into a new role as Senior Marketing Associate of the firm. Christy serves as a strategic partner to develop and carry out JGA’s marketing and business development strategy and processes, while advancing the visibility and impact of the company mission. “I have learned so much within my first year here at JGA,” Christy stated. “I’m excited for this opportunity to expand my role in marketing, while continuing to contribute to the positive impact JGA has on the audit and accounting industry.” Christy has 8+ years of experience in communications and engagement, with a strong background in community relations and an M.S. in Organizational Leadership. She is based in Ann Arbor, MI, with her husband.

JGA also welcomes Sarah Blackburn to the team as Administrative Assistant. She brings 10+ years of administrative experience to JGA, with specialties in time management, organization, and productivity. “I’m thrilled to be joining the JGA team at such an exciting time for the company,” she said. “I’m looking forward to bringing my drive, enthusiasm, and skills in administration to support the company and its staff.” Sarah graduated from the University of Mississippi, Ole Miss, with a Bachelor’s in Psychology and Minor in English. She resides in Las Vegas, NV, with her husband and son.

To learn more about the JGA team, read here.

About Johnson Global Accountancy

Johnson Global Accountancy to Reprise Role as Underwriter of AICPA & CIMA Conference

Thu, 17 Nov 2022 17:30:38 GMT

For the second consecutive year, Johnson Global Accountancy (JGA) is honored to return as an underwriter to the AICPA & CIMA Conference on Current SEC and PCAOB Developments. The conference will take place this December, live in Washington, D.C. and virtually online.

“I am excited for JGA to once again be an underwriter for one of the largest annual AICPA conferences," said Jackson Johnson, JGA President, “JGA’s mission is to be the most innovative and technically excellent advisory firm at the intersection of companies, auditors, and regulators, to improve investor decision-making confidence. The cross section of financial report, audit, standard setters and regulators at this conference is the perfect way for our team to interact with all these stakeholders and share how we are fighting the good fight – and winning – for audit quality improvement.”

As one of the largest annual gatherings of standards setters, regulators, and accounting professionals, the AICPA Conference is a yearly opportunity for SEC registrants and auditors to discuss the coming year’s biggest accounting, auditing, and regulatory developments.

The AICPA Conference is scheduled to take place from December 12 to December 14, 2022, at the Marriott Marquis in Washington, D.C., and live online. Join JGA on-site and meet our team of experienced client service professionals at our booth.

About Johnson Global Accountancy

Johnson Global Accountancy Welcomes Jung Lee, CPA, as the Latest Addition to the Growing Firm

Tue, 25 Oct 2022 17:32:00 GMT

Johnson Global Accountancy (JGA) is pleased to announce that Jung Lee, CPA, has joined the firm as a Director. In his role, Jung will join JGA’s team of audit quality experts, applying his in-depth U.S. and international inspection experience to work with mid-market firms worldwide.

With over 25 years of public accounting and audit regulation experience, Jung brings a skill set heavily rooted in regulatory oversight – critical to helping our clients achieve audit quality. He spent eight years at the PCAOB, with his latest title as Inspections Leader. During his time at the PCAOB, Jung’s work focused on audit quality and compliance of global network firms, leading inspections of audits with the world’s largest domestic and international banks, broker dealers, hedge funds, investment banks, and mutual funds. Jung also has an extensive understanding of other languages; he is fully fluent in Korean, Spanish, Portuguese, Italian, and conversant in Japanese.

“I am grateful that Jung chose to join the JGA team of audit quality experts,” said Jackson Johnson, JGA President. “Jung’s experience leading global audits and inspecting audits of complex financial institutions and other industries at firms worldwide builds on JGA’s expertise around audit quality issues facing banking and financial institution audits. In addition, Jung’s multilingual skills will help JGA expand our services into new countries.”

During his time at the PCAOB, Jung was a member of the PCAOB’s Banking Inspections Group. Prior to the PCAOB, Jung worked at the Big 4 accounting firms in Japan and the U.S., rounding out his experience on both sides of inspections and audits. Most recently, Jung was a founding partner of a CPA firm providing accounting and auditing services to private companies in various industries.

“I have audited and inspected some of the largest and complex multinational companies,” said Jung. “I have seen the problems firms face with compliance and am excited to help our clients properly apply auditing and quality management standards in light of current audit and financial reporting regulatory environment. JGA provides our clients with access to audit quality experts with extensive audit experience both domestically and internationally, and I couldn’t be more eager to join this growing team.”

Jung received his BBA at Baruch College and his IFRS Certification at the Institute of Chartered Accountants in England and Wales. He is a Certified Public Accountant in New York. To learn more about Jung and the rest of the JGA team, read here .

About Johnson Global Accountancy

Johnson Gobal is dedicated to helping public accounting firms around the globe achieve the highest level of audit quality. Led by CPAs and former PCAOB inspection staff, JGA professionals are passionate and practical about working alongside firm leadership to ensure the right controls, policies, and practices are implemented throughout the organization.

Broker-Dealer Update: Two Years Later and Still Struggling

Tue, 04 Oct 2022 17:01:04 GMT

In September of 2020, we published an article summarizing the state of the broker-dealer inspection program, noting that at the time, it had been nine years and still running as an interim program. Now, in August of 2022, the PCAOB released its Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers (“2022 Report”) and sure enough, not much progress has been made, both with regards to audit quality or with regards to establishing a permanent program.

As a refresher, the interim program was established in response to the 2010 Dodd-Frank Act. The Board originally anticipated “being in a position to propose rules for a permanent program by 2013.”1 Now, in 2022, the PCAOB, having been governed by three different boards, has yet to propose rules for a permanent program and broker-dealer audits continue to lag in audit quality, as compared to issuer audits.

SUMMARY OF FINDINGS

Taking a glance at the most recent annual report on the broker dealer inspections program, 78% of firms inspected had at least one audit deficiency, as compared to 89% of firms inspected and disclosed in the 2019 report . Of the audits inspected, 49% had at least one deficiency, compared with 71% of audits inspected and disclosed in the 2019 report . The industry has also continued to consolidate with only 345 audit firms registered, as compared to 411 in 2019.

The PCAOB explicitly states: “While inspection results over that period indicate that the quality of broker-dealer audit and attestation engagements has improved, the overall deficiency rates remain unacceptably high.” Unacceptably – wow! That’s a strong word that carries with it a lot of judgment, especially coming from the objective regulator.

We noted that the majority of findings are in the following areas:

Financial statement audits : Auditing revenue continues to be a challenge for all firms under both programs. In addition, firms struggled to audit related party relationships and transactions (often stemming from expense sharing agreements), going concern, expenses and related accruals (again, typically linked to expense sharing agreements), fair value measurements (which is true across the entire audit industry), and receivables and payables.

Examination engagements (including internal controls over compliance (ICOC)): Engagement teams continue to struggle to sufficiently test the operating effectiveness of controls, including controls over information technology. In addition, engagement teams often fail to test the completeness and accuracy of information used in compliance tests/controls.

Review engagements: Through inspection procedures, the PCAOB continues to identify contradictory evidence that is not sufficiently addressed/considered by the engagement teams. In addition, firms continue to fail to perform all of the requirements under Attestation Standard No. 2 . This includes performing inquiries about controls over compliance, among other requirements.

JGA’S' ANALYSIS

Role of the auditor

While the PCAOB’s findings are valid, it does raise the question of the role of the auditor. Is the audit another compliance test or is it truly an audit of the financial statements, which is inherently predicated on risk assessment? For instance, the PCAOB indicated numerous findings around related party relationships and transactions, specifically around expense sharing agreements. Many broker-dealers are small legal entities that are subsidiaries of larger organizations (often banks or asset management companies). To the extent the broker-dealer is entirely owned either by private investors or by a larger private company, what is the real risk with intercompany expense allocations? We’re not saying that the engagement team shouldn’t perform some procedures to test the related party disclosures, but to what extent? Does the audit team need to test the completeness and accuracy of the source documents coming from the parent company? That could potentially expand the audit to an audit of the parent company’s expenses; that’s not typically built into the audit budget and fees.

When auditing financial statement accounts, engagement teams need to be sure to respond to the risk of material misstatement for each relevant account; this includes documenting all procedures performed and documenting the considerations and judgments made when determining the appropriate audit approach. The extent of procedures should depend on risk.

Tests for compliance objectives do not have the same materiality concept as tests for audit assurance. It seems as if the PCAOB has taken the compliance mindset and applied it to audit, without acknowledging that audit procedures should be commensurate with the risk. That said, engagement teams need to improve their documentation of the audit risks. Absent evidence of the evaluation and documentation of its judgements, the engagement team cannot demonstrate how or why its audit procedures align with the risk assessment.

Inconsistency of PCAOB expectations

We have identified certain differences between the apparent expectations of the PCAOB’s BD inspectors, compared to other PCAOB inspectors, SEC examiners, and the PCAOB’s own guidance. We highlight some of these discrepancies below.

Differences between broker-dealer and issuer inspection programs

We have supported firms and their engagement teams on issuer inspections as well as broker-dealer inspections. We can say that there appear to be differences in the rigor and granularity of the procedures performed by the two programs. This isn’t surprising since so much of an audit comes down to professional judgment and therefore the inspection of an audit will also necessarily incorporate differences in judgment. That said, it seems the broker-dealer inspection program holds the audit quality bar to a different level than the issuer program. This disparity is true even within each program; we have seen PCAOB inspection teams challenge immaterial aspects of a management review control over “cash reconciliations,” which have almost no management judgement or subjectivity, and other inspection teams that have glossed right over a very complex, detailed management review control over investment valuations.

After 11 years, one would expect the audit quality in both broker-dealer and issuer audits to “normalize.” That hasn’t happened: deficiencies in broker-dealer audits continue to be significantly higher than in issuer audits. While there could be any number of causes, some of which we already explored in our previous article , it still begs the question, do the inspection programs have different expectations, thus accounting for some of the divergence in results?

Differences between the PCAOB and SEC

An example of differences between the two regulator’s expectations stems from the reliability of broker statements used by broker-dealers to support revenue. Non-clearing (or “introducing”) broker-dealers often rely entirely on clearing-broker statements to support trade transactions that form the basis of the majority of operations and revenue of an introducing broker-dealer. The SEC has clearly indicated that is okay if introducing brokers rely on the information provided by clearing brokers. 17 CFR § 240.17a-3(c) states, “A member of a national securities exchange, or a broker or dealer registered pursuant to section 15 of the Act (15 U.S.C. 78o), that introduces accounts on a fully-disclosed basis, is not required to make or keep such records of transactions cleared for such member, broker or dealer as are made and kept by a clearing broker or dealer pursuant to the requirements of this section and § 240.17a-4.”Further, the clearing broker-dealers are very heavily regulated and scrutinized by the SEC and FINRA (more so than introducing broker-dealers).

On the other hand, PCAOB guidance( AS 1105 ) indicates that the sufficiency of audit evidence depends largely on the risk of material misstatement and the quality of the audit evidence. Quality of audit evidence is a function of relevance and reliability. Despite this statement, the inspection teams often expect that audit teams test the completeness and accuracy of these clearing broker reports, as if they were unreliable. There appears to be some divergence between what the SEC deems reliable and what the PCAOB inspection teams accept as reliable.

Differences between broker-dealer inspection issues and PCAOB staff guidance

To continue on the path of reliability of the clearing broker statements, in October 2021, the PCAOB released staff guidance on how to evaluate external audit evidence with regards to relevance and reliability. While relevance is not the concern here, the PCAOB inspection teams often challenge engagement teams on how it concluded that clearing broker statements are reliable. The language used during inspections is often in the form of “how did the engagement teams test for completeness and accuracy?” Shouldn’t the question actually be, “how did the engagement team evaluate for relevance and reliability?” And if that’s the real question, it gets more difficult to understand why a clearing broker statement would not be reliable. Taking the considerations from the PCAOB staff guidance, these statements often come from large clearing brokers who are well known players in the industry, such as Pershing or National Financial Services. They have years of proven experience and expertise. They report to numerous stakeholders including FINRA, SEC, investors, and customers; they work in highly regulated industries where almost everything can be reconciled to cash movements and/or to security movements validated through the Depository Trust and Clearing Corporation (DTCC), often considered a “utility” within the industry. The statements are often obtained directly by the auditor from the clearing broker directly. All these considerations would support the conclusion that the statements are highly reliable and yet, inspection teams continue to challenge the reliability of these statements unless the engagement teams perform specific testing over the data, which is really pulling from testing completeness and accuracy. Could this be because the PCAOB views the clearing broker’s (i.e. a service provider) statements as the equivalent of the internal books and records? To auditors with less inspection experience, this kind of nuance, while subtle, has significant implications and so perhaps the PCAOB needs to be more explicit when using references to internal or external support, because the clearing broker is to the layman the equivalent of an external source.

Audit quality considerations

Acknowledging the fact that audit quality continues to lag in the broker-dealer program, the PCAOB has continued to modify the annual report to include “Good Practices” and recommendations for action to help guide teams. Those additions are well received, and definitely a step in the right direction; however, the guidance is often still too high level. During the annual Small Business and Broker-Dealer Forums, perhaps the PCAOB could attempt to work through more hands-on examples demonstrating specific procedures that would be sufficient for recurring deficiencies, such as auditing 12b-1 trailer fees. Of course, no two audits are the same. And perhaps that’s the struggle with providing real guidance or even establishing a permanent program; no two broker-dealers are the same and there are so many different risks and audit approaches. Until the PCAOB establishes a permanent program and firms are held accountable to remediation efforts, auditors will be at a disadvantage to find a real path to improvement. Currently, the main accountability is referrals to the PCAOB’s Division of Enforcement and Investigations. But that feels a little unfair to broker-dealer auditors who aren’t given the benefit of remediation discussions with the PCAOB as they seek to improve, as is the process in the issuer audit inspection program. Regardless of the regulator, as a profession, we should always be striving to make daily improvements in all our audits.

In light of all these questions and reflections, the reality is that there is still room for improvement in the broker-dealer audit industry. To continue to improve quality, consider some of the following:

Improve application of the audit evidence standard: engagement teams should thoroughly document their testing over the completeness and accuracy of internally-derived information as well as their evaluation over the relevance and reliability of externally-derived information.
Improve competencies over ICOC by looking at ICFR principles: engagement teams need to continue developing their understanding and experience over ICFR. ICOC incorporates testing the design and operating effectiveness of controls, which is very similar in theory to what is required for an ICFR opinion.
Enhance engagement team procedures over valuation and accuracy of revenue: The deficiencies cited in the revenue area are more often than not related to the accuracy of the revenue (e.g. accuracy of the commission based on the terms of the trade, the proper rate applied to the actual amount of capital raised for investment banking fees, the rate per the investment advisory agreement applied to the actual amount of AUM, etc.).
Review KSEs of audit personnel around using and auditing the work of specialists: As with any complex or specialty area, ensure engagement teams are staffed with the appropriate knowledge and experience. And if teams lack in a specific area, seek out specialists to assist with the audit of that area. We’ve worked with audit teams in a variety of capacities, whether reviewing planned audit approaches in a more consultative role, performing in-flight reviews, or even performing engagement quality review (EQR) services.

KEY TAKEAWAYS

Broker-dealer audits continue to have unacceptably high rates of deficiencies in audits, examinations engagements, and review engagements.

Engagement teams need to better document evaluations around risk assessment and be sure to document clear correlations between audit procedures performed and how they address the risk of material misstatement for each relevant assertion. If engagement teams document their thoughtful consideration of risk and how they addressed it, the PCAOB will often respect that professional judgement.

Completeness and accuracy of information continues to be a hot topic for the PCAOB. Engagement teams need to document their testing over completeness and accuracy of internally-derived information and/or their evaluation over relevance and reliability of externally-derived information. Sometimes (and we’d argue, increasingly in the future considering the technological nature of financial services), this will require testing controls around information technology.

Despite any number of reasons that could explain why the broker-dealer program has such high deficiency rates, it doesn’t change the reality that we need to continue to improve audit quality. If the regulator doesn’t take more assertive action, then it’s on us as the auditors to drive that change.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

JGA Announces Launch of Quality of Management Software

Thu, 22 Sep 2022 14:27:51 GMT

Johnson Global Accountancy and Grant Thornton to Provide Accounting Firms with Cloud-Based Technology for ISQM1 Compliance

Grant Thornton’s qm.x application customizes and automates quality-management processes ― eclipsing basic spreadsheets and off-the-shelf software

Johnson Global Accountancy bolsters its services to identify, assess and respond to quality risks

CHICAGO AND LOS ANGELES — Johnson Global Accountancy has entered an agreement with Grant Thornton LLP to be a reseller of Grant Thornton’s qm.x application. The qm.x application uses cloud-based technology to help accounting firms implement a new quality standard known as the International Standard on Quality Management 1, or ISQM 1.

The ISQM1 standard was developed by the International Auditing and Assurance Standards Board (IAASB) to strengthen the approach to quality management at organizations that perform audits, review financial statements and provide other assurance and related services. To meet the standard, which takes effect in December 2022, accounting firms often need to create new quality-management processes, frequently based on cumbersome ad hoc systems and dated technologies, such as basic spreadsheets and inventories of files.

Grant Thornton’s qm.x application helps accounting firms to leapfrog commonplace quality-management processes through an integrated and customized system using a unified interface. And the application aids firms in designing and documenting quality-management processes for their evolving needs, while also helping to increase efficiency and automation.

The qm.x approach stands in contrast to more manual practices, such as using basic spreadsheets, because qm.x allows accounting firms to document, test and monitor their unique objectives, risks and responses — which vary for every firm and cannot be easily handled with commonly-used off-the-shelf software.

At the core of the alliance, Johnson Global Accountancy will help accounting firms with all aspects of qm.x deployments, including implementation, testing and monitoring. As a result, firms can enjoy a marriage of consulting know-how from Johnson Global Accountancy and technology from Grant Thornton.

For Johnson Global Accountancy, qm.x represents a significant addition to its suite of quality management services for accounting firms worldwide. These services help clients meet a range of quality-management standards from bodies such as the IAASB, the American Institute of Certified Public Accountants (AICPA), and the Public Company Accounting Oversight Board (PCAOB).

According to Jackson Johnson, president of Johnson Global Accountancy: “We have been advising our U.S. and international clients on improving and monitoring their systems of quality management since 2017 ― and we’ve seen the struggles firms face designing, documenting and monitoring quality requirements. Collaborating with Grant Thornton takes our proven expertise and adds a potent new technology. For our clients, this will open new doors to meeting the ISQM 1 standard.”

Sara Ashton, a managing director in the Audit Methodology and Standards practice at Grant Thornton, describes the alliance this way: “Our qm.x application works by following a simple adage: To standardize quality, make it efficient ― build it in. Grant Thornton’s alliance with Johnson Global Accountancy only serves to underscore this adage; accounting firms can now more easily and efficiently take advantage of qm.x, and also benefit from Johnson Global Accountancy’s broad knowledge about how to meet quality guidelines.”

Johnson Global Accountancy and Grant Thornton expect to extend their agreement to help accounting firms meet future quality standards coming from other bodies and regulators: “This agreement is designed to keep pace with the new industry standards and allow accounting firms to effectively identify, assess and respond to quality guidelines – no matter where they come from,” said Johnson.

For example, the qm.x application has the ability to map documentation for multiple standards from different bodies, such as the IAASB, the AICPA and the PCAOB. This will help accounting firms get the most out of the efficiency and automation improvements they stand to gain from qm.x.

To learn more about qm.x, visit www.grantthornton.com/services/audit-services/qm-x .

To learn more about Johnson Global Accountancy’s quality management services, visit www.jgacpa.com/services/quality-management-services

About Johnson Global Accountancy

Johnson Global Accountancy (JGA) is dedicated to helping public accounting firms around the globe achieve the highest level of audit quality. Led by CPAs and former PCAOB inspection staff, JGA professionals are passionate and practical about working alongside firm leadership to ensure the right controls, policies, and practices are implemented throughout the organization.

About Grant Thornton LLP

Grant Thornton LLP (Grant Thornton) is one of America’s largest audit, tax and advisory firms — and the U.S. member firm of the Grant Thornton International Ltd global network. We go beyond the expected to make business more personal and build trust into every result. With revenues of $1.97 billion for the fiscal year that ended July 31, 2021, and 51 offices nationwide, Grant Thornton is a community of more than 9,000 problem solvers who value relationships and are ready to help organizations of all sizes and industries create more confident futures. Because, for us, how we serve matters as much as what we do.

“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are not a worldwide partnership. Services are delivered by the member firms. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions.

Help Wanted: Audit Quality Considerations in Light of the Great Resignation

Tue, 20 Sep 2022 14:52:54 GMT

As a millennial, I was told that the 2008 global financial crisis was a “once-in-a-lifetime” economy. Many firms went on hiring freezes and some even had layoffs, rescinding offers previously extended to new college graduates. As a young 20-something-year-old, I was happy to know that the “exceptional” economy was early in my career and that the rest of my life would be smooth sailing. Or so I thought.

Then the pandemic of 2020 came around and yet again, the headlines proclaimed the unusual nature of the pandemic and the “once-in-a-lifetime” economic repercussions. Overnight it seemed, more than 10 million people lost their jobs and the world appeared to spiral out of control. Fast forward to August of 2022 and the economy has now fully recaptured the 10 million lost jobs. But surprisingly, there is suddenly a labor shortage. The Great Resignation. What? How is that possible?

Almost every industry is feeling it, whether the medical profession struggling with burnout from two-years of pandemic stress or the transportation industry struggling to find drivers to keep up with home deliveries. The audit industry is no exception; every client we work with is feeling it. We’re feeling it.

In a recent study published by McKinsey & Company, at the end of May 2022, there were 11.3 million job openings. And to make matters worse, “Despite significant changes in the economy since the onset of the Great Attrition (or what many call the Great Resignation), the share of workers planning to leave their jobs remains unchanged from 2021, at 40 percent. That’s two out of five employees in our global sample who said that they are thinking about leaving in the next three to six months.”

Talk with an economist and there are any number of reasons why there is a labor shortage in the current economy. But answers to “why” rarely provide practical solutions to “what do we do?”

For firms that are struggling with resources, we hear you. Within the audit and accounting profession, we know of many firms that have resorted to using part-time employees and independent contractors to help fill needs. Some firms have leveraged staff from various departments such as IT consulting or internal audit. While all these approaches fill the seats and provide resources to execute the audits, the question remains, what procedures are firms putting into place to ensure quality audits?

Firm QC Considerations

Acceptance and Continuance: Paramount to any audit, the firm process starts first and foremost with engagement acceptance and continuance. This process is already in place for firms, but how much thought is put into the careful completion of these checklists? The critical consideration here is capacity and competence . I know when I was an associate, I was charged with rolling forward the A&C forms from prior year; the senior then officially completed the form and the approval process started with the manager, then partner and up the chain depending on the type of client and the risk profile. In light of the current resource constraints, how are A&C forms capturing considerations around capacity and competence? And how do staff know whether the firm has the right resource capacity and competence? These are often higher-level discussions held at regional and national management levels, but how are those considerations being evaluated and documented? The reality is, if the firm doesn’t have the capacity or the right competence, it needs to either decline engagements or hire the right knowledge base/skill sets to execute a quality audit.

Independence : Once an engagement has been accepted, the firm then needs to determine the proper staffing. While it may be easy to pull from internal resources, such as leveraging IT consultants to come perform IT controls testing, the Firm needs to be intentional in making sure all engagement team members understand the independence implications of working on the audit. For instance, consulting has very few independence limitations, so an IT consultant may not be aware of the strict nature of SEC independence rules for a public company audit. Similarly, the use of contractors external to the firm is another viable solution to resource constraints, but the question still stands, despite completing an independence checklist/confirmation, has the consultant been educated on the specific nature of independence requirements for the audit?

Technical Knowledge : Assuming the borrowed staff and/or consultants are independent, what is the firm’s process for evaluating competence of these resources? Sure, firms know to review the CV and certifications, but we all know there is a distinction between an accountant and an auditor and yet both often have the same degree and may even both be CPAs. Or take an IT consultant for example. The IT consultant likely has a strong understanding of information systems and could easily perform a walkthrough and execute tests of operating effectiveness over automated controls and/or information technology general controls (ITGCs). However, mere execution is not the same as truly understanding the audit risks and implications of findings. For instance, in performing a walkthrough, the IT consultant may obtain an understanding of the change management process and as with all processes, there are always exceptions to the rules. The question is, would an IT consultant understand the audit implications for various exceptions? Or if the IT consultant is testing an automated control, would they know to test more than the mere functionality as described in the walkthrough? Would they know to test all possible scenarios to demonstrate that the system can only process information as described in the automated control?

Regardless the area, whether IT, valuation, tax or some other specialty knowledge, understanding audit risks is critical. After all, risk is what drives an audit. So, what does management do to ensure that resources have the proper audit understanding? While a three-hour training on PCAOB audit standards may help provide some insight and may placate the PCAOB from a “checklist” mentality, let’s be frank, audit risk is learned over time. There is a reason managers and partners perform reviews, having years of audit experience, slowly learning the risks and implications of various scenarios that emerge in audits. A three-hour training cannot replace years of experiential learning. The question remains, what are firms doing to bridge this gap? This points to consideration of the staffing mix and the need for appropriate review and supervision, as discussed below.

Monitoring : Current QC standards require various monitoring programs at a firm level. These programs are often executed for all internal resources, but what about external resources or resources from different divisions? Take independence monitoring and/or training/CPE/licensure monitoring, are “fill-in” resources subject to these same processes? While performing an independence check for an occasional contractor may be easy enough, as firms embrace more part-time workers and engage more contractors, firm QC processes will need to be amended to ensure appropriate checks over this emerging resource pool.

Tone at the Top : It’s worth emphasizing the importance of creating a culture of curiosity over conviction. Employees and teams should feel encouraged to ask questions, to seek for better understanding, and to not hesitate to consult with national office / upper management. Considering a lot of cumulative audit knowledge and experience is being lost through the great resignation, promoting a culture of knowledge sharing is even more important to ensuring employees feel comfortable raising their hand when they don’t understand something and feel supported by all levels of management so they can perform quality audits.

Engagement Team Considerations

Team Assignments : At the engagement team level, it’s important that firms consider the staffing mix on audit teams. While firms may have no choice but to use contractors and borrow staff from other departments, audit teams should still have “core audit members” who can share the audit knowledge and keep audit risks front of mind. Maybe that means the firm will need to rotate clients for some of its core assurance staff so that every team has core assurance members. As well, as audit areas are assigned, managers and partners should be thinking through risks at the financial statement level and ensuring higher risk audit areas are completed by stronger, core assurance members.

What about areas like IT or taxes where the area is specialized and may present a pervasive or significant risk? Firms need to be conscientious of these areas and if their resources do not themselves have the requisite audit knowledge and/or experience, then perhaps firms should consider specific coaching programs or targeted in-flight review programs that can compliment the use of contractors and/or borrowed staff. For instance, perhaps the firm uses an IT partner with years of in-depth audit experience to coach less experienced IT contractors across multiple engagements. As the workforce and employment model is changing, so too will the structure and makeup of engagement teams. Be creative.

Review and Supervision: In addition to the staffing mix, firms should consider review and supervision at the engagement team level. Though the standard around engagement team review and supervision has not changed, the expectations may be evolving. For areas performed by less experienced staff, whether new hires, borrowed staff, or independent contractors, managers and partners should be performing more in-depth reviews. For areas of higher risk, teams should consider whether additional levels of review are necessary. And for areas of specialized risk, as mentioned above, firms should consider whether there is a need for targeted in-flight reviews. Perhaps the most important factor for quality review and supervision is workload. What metrics is the firm using to monitor manager and partner workload? What are firms doing to relieve overworked managers and partners? This ties directly into the capacity discussions that management is having at the acceptance and continuance level.

Consultations : Finally, in conjunction with firm management setting the correct tone-at-the-top at the firm level, engagement teams should leverage firm-wide resources and not be afraid to consult when needed. Too often, teams only focus on required consultations, but nothing says that a team can’t consult when questions arise in other non-mandatory scenarios. Knowledge is power and firms have vast sums of cumulative audit knowledge and experience at the management levels, so don’t be afraid to reach out to national office with questions. Chances are, you aren’t the first to have that question.

Use of Other Firms Considerations

So far, we’ve focused mainly on the use of independent contractors and borrowed staff, but there is also a movement to using other audit firms to also assist with audits. Sometimes the other firm will issue an opinion and sometimes the other firm only performs audit procedures on behalf of the principal auditor. Currently, China comes to mind; given various restrictions due to COVID and regulatory concerns, many US firms are leveraging other audit firms in China to assist in executing audits. In our recent article of use of other auditors , we provide factors to consider, but the general theme points to review and supervision. So what procedures are firms implementing to ensure appropriate review over the work performed by other auditors? A mere review of the reporting package is likely not sufficient given the new PCAOB standards/amendments.

Technology Considerations

Given the digital age, we would be remiss not to mention technology. In our joint webinar on ISQM 1, Dayshape CEO, Andrew Bone, said: “For those already struggling to fill their current vacancies, the obvious question is where will this extra capacity come from? Unable to simply recruit and reluctant to scale back fee earning work, firms are looking to technological resources for answers. What firms are finding is that technology can help in a number of different ways.”

For instance, using technology for resource management will help firms easily identify available employees, what skills and experience various resources have, and potentially even reduce administrative burdens on resources, such as finding ways to automate administrative processes. “Technology can be used by firms to track and evidence that the right skills and competencies have been assigned to a project and that independence criteria have been met. When doing this at scale, technology can be extremely useful to help firms track skills firm-wide and demonstrate a robust and standardized process.”

In addition, technology can automate various Firm QC processes or monitor QC metrics (i.e. partner or manager workloads, as mentioned above). Bone continued, “technology can be used to implement automated project controls to provide assurance that the right quality measures and checks are in place and that these are followed consistently. These can be set at a firm level to ensure that the right people review and approve work at the right stage. Or at the engagement level where engagements failing certain quality criteria can also be automatically escalated.”

Finally, as we all know, big data can be incredibly powerful, and technology combined with data analytics could transform future audits. Already, technology is being used to help perform many non-subjective functions such as account reconciliations, cash proofs for revenue, various roll forwards for investments or equity or journal entries, etc. Technology requires an investment, but as we approach a more and more automated world, it will soon be inevitable, and thanks to software-as-a-service models, technology resources are becoming more and more accessible to the masses.

Key Takeaways

The Great Resignation is proving to be a challenging time for everyone. Whether flight cancellations or poor service in restaurants (if the restaurant stayed open), we’re all feeling the effects of staff shortages. For those who didn’t resign, it seems there is more to do with less (yet again). While use of contractors and borrowed staff is a temporary fix, firms should incorporate the following:

Acceptance and continuance decisions need to be thoughtfully considered, taking into account a firm’s capacity and competence.

Independence and ethics requirements should be clearly explained and understood by all staff working on audit engagements, regardless of whether they are internal or external.

Competence is more than just technical ability and should incorporate an element of understanding audit risk. This could be accomplished through trainings, but firms could also incorporate other elements such as engagement team coaching (either by team mangers and partners or through designated coaches), in-flight reviews, and consultations.

Engagement team staffing should be thoughtfully evaluated to ensure there is a mix of core assurance and other staff such as contractors or borrowed staff.

Review and supervision are becoming increasingly important, especially as the use of alternative resources increases. Ensure workloads allow for adequate time for coaching and review during an audit.

When using other audit firms, keep in mind the new PCAOB amendments and standards, largely pointing to increased responsibility around review and supervision for lead engagement teams.

There are tools, technology and services available to help. Firms must assess the gaps whether intellectual, human, or technological, and make investments now for the future.

No one knows how long the labor shortage will last. In the long term, the economy and the markets will adjust. My grandfather worked at one company his entire life. At the time, that was normal. Today, that’s exceptional. In the 90’s, companies complained about lack of loyalty when the younger generations began to change jobs more frequently, but sure enough, the workforce adjusted. Now with the Great Resignation, once again, companies are feeling the strain and in particular, the employees who didn’t resign. But, as has always been the case, the markets will adjust in time. Perhaps this is truly the emergence of the “gig economy” en masse. Perhaps this is creating the impetus needed for firms to more rapidly adopt technology, making audits more efficient. Whatever the outcome, in the short term, we can’t lose sight of audit quality. Filling seats isn’t the same as engaging the right resources with the appropriate firm QC protocols in place to enable teams made up of contractors, borrowed staff, and traditional assurance staff to perform high quality audits.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

The Never-Ending Story: How to Remediate Recurring EQR Findings

Fri, 09 Sep 2022 16:09:17 GMT

In August 2021, we wrote an article summarizing our research on the most common PCAOB Part I audit findings based on inspection reports published from 2017 through July 7, 2021. In that article, we found that 77.8% of deficiencies boiled down to just a couple auditing standards including AS 2201 (internal controls), AS 2301 (response to risk of material misstatement), AS 2501 (auditing estimates), and AS 2810 (evaluating audit results). The focus of the 2021 article was on the nature of Part I findings, but whenever there is a Part I finding, the PCAOB undergoes a process to determine whether the finding is attributable to the engagement quality reviewer (“EQR”). In other words, would a thorough review by the EQR, in accordance with AS 1220: Engagement Quality Review , identify the deficiency? Generally, if the deficiency is in an area of significant risk, the answer is almost always “Yes.”

At first glance, fair enough. But having worked with engagement teams supporting them through PCAOB inspections and looking at the nuanced and sometimes detailed nature of some of the PCAOB Part I findings, attributing the audit issue to a deficient EQR review can sometimes feel like the regulator is being overly exigent. Engagement teams often ask, “What is the PCAOB expecting here? Do they expect the EQR to review every test of design and operating effectiveness for internal controls related to every significant risk? Do they expect the EQR to review every substantive workpaper in significant risk audit areas?” Though not explicitly required in the AS 1220 standard, implicitly by the very nature of the EQR attribution, the PCAOB is inherently creating an expectation of a very detailed EQR review. AS 1220.09 does after all require the EQR to “review documentation.”

While I can empathize with engagement teams, and misery loves company, complaining doesn’t change the view of the PCAOB. The reality for most firms is that if there is a Part I finding in the report (especially if it’s linked to what is typically a significant and/or fraud risk, such as revenue), there will likely also be a Part II finding in the report linked to deficient EQR reviews.

For those not as familiar with PCAOB inspection reports , Part I contains audit deficiencies; this part is made public when the report is published. Part II contains the firm’s QC criticisms; this part isn’t initially released to the public. Rather, the firm has one year from the date the report is published to then remediate the QC criticisms. If the remediation is satisfactory to the Board, then Part II is kept private. If the firm “fails” remediation however, Part II is then released to the public.

When the PCAOB evaluates remediation, they pay particular attention to recurring deficiencies. So if the same deficiency occurs in two subsequent reports, remediation efforts must necessarily be incremental in each report to address the recurring deficiency. Said otherwise, a firm can’t deliver the same training year after year and expect it to drive change; it must change its approach to remediate the recurring deficiencies.

EQR findings started popping up around 2012/2013, so regardless of whether a firm is inspected annually or triennially, all firms with Part I findings are facing the challenge of how to remediate a recurring EQR deficiency. We have numerous clients telling us that this is the second, third, or sometimes even fourth inspection report including an EQR finding. They often ask us, “This time, what can we do that is incremental that we haven’t already done?”

Remediation Considerations

Training

The starting point for many firms is to provide a training specific to AS 1220. Most firms have already attempted this by sourcing an online training from the marketplace. If this is the first time your firm has received a Part II EQR finding, then this might work. In our experience, most of the generic EQR trainings are exactly that, generic. They don’t delve into the specificity of the standard and the nuances that are found in PCAOB comments. We have often partnered with firms to help tailor specific EQR trainings that cover AS 1220, but also focus on the firm’s Part I findings where the EQR failed to identify the audit deficiency(ies). If you’ve already done training once, consider hiring an expert to deliver a more firm-specific training or consider building in hands-on case studies that pull specific examples from the Part I deficiencies.

EQR Checklist

Another common remedial action is to review and modify the EQR checklist. Most audit programs already have a basic EQR checklist that calls out the requirements under AS 1220. However, we’ve worked with firms that have taken steps to either modify the EQR checklist and/or create addendums that specifically call out the issues or concerns identified in Part I. For instance, if there are specific concerns around the firm’s testing of management review controls, we’ve seen instances where firms will modify the EQR checklist to build out specific questions related to management review controls. The idea is to ensure that EQRs are specifically thinking about the firm-specific issues when performing their reviews.

QC Policies

Depending on the size of the firm, we’ve seen a gamut of potential revisions to firm QC policies related to EQRs. Some policy revisions include restricting who can serve as an EQR (i.e. no partner may serve as EQR if they have received Part I comments on other audit inspections and/or received an EQR comment from previous inspections). Some policies focus on partner workload allocations and ensure EQRs do not have too many year-ends at the same time. We’ve even seen some instances where the firm will designate specific partners who only perform EQR reviews so as to specialize their skillset and ensure they have appropriate ability to challenge engagement teams. Finally, for smaller firms with less EQR resources, we’ve seen firms outsource the EQR function to more technical and/or PCAOB-experienced firms. There’s no “silver bullet” here as no one policy is going to work for every firm; the point here is for firms to be intentional about who they assign as EQRs and ensuring that the EQRs have the right skillset and workload to effectively execute a quality review.

EQR Monitoring / Coaching

Many firms have already successfully implemented the previous three actions and the PCAOB has been okay with these efforts up until now. However, seeing that EQRs are continuing to fail to identify Part I issues, the PCAOB is asking firms to do more to ensure quality audits. As we’ve worked with firms on remediation, we’re recommending many firms consider an EQR monitoring and coaching program. Essentially, EQR’s perform their reviews and work with a “coach” who challenges the review process, asks probing questions about specific risks and how the engagement team addressed the matters. For instance, a coach might ask the EQR how the engagement team sufficiently audited the intangible asset valuation from a recent business combination. If management used an income approach, the coach might ask about specific assumptions. The idea is to create a dialog between the coach and the EQR where the two collaborate to ensure the EQR has asked the appropriate questions of the engagement team and has reviewed the relevant documentation. We’ve seen some firms create an internal “EQR coach” role and we’ve also partnered with other firms where we help perform an “in-flight” review so that we can help coach the EQR in their review

Other Considerations

The above remedial actions are the most “classic” that we’ve seen in the industry, but again, remedial actions are going to look different at every firm. The reality is that the remedial action should be in response to the actual root cause of the EQR deficiency. Why are EQR’s not identifying the Part I deficiencies? In light of ISQM 1, SQMS1, and the imminent PCAOB QC standard, all firms will soon be required to perform root cause analyses for deficiencies, so firms might as well consider implementing root cause analyses now. By doing so, they can identify the real root cause behind why EQRs are failing to identify audit deficiencies and then design specific remedial actions to address these root causes.

Given that recurring findings become increasingly difficult to remediate, we can’t stress enough the importance of beginning the remediation process early . Engage the PCAOB in a dialogue to discuss the planned remedial actions and get feedback on the sufficiency of those actions. In addition, to demonstrate the effectiveness of EQR remedial actions, EQRs will need to have performed some year-end audits, which means for many firms, the remedial actions need to be implemented prior to December year-end audits so that the EQR role can function. So don’t underestimate the amount of time it will take to implement remedial actions.

Another important point is that EQRs are essentially the last line of defense with regards to audit quality. Said differently, audit quality starts with the audit team and the firm’s entire QC system that enables and supports audit engagement teams to perform quality audits. That includes the associates, seniors, managers, partner and the EQR. While this article has been solely focused on EQR considerations, firms must also necessarily consider the remedial actions that address the Part I audit deficiency(ies) as well. The EQR finding, while linked to its own standard, is really just the review of the audit work performed by under all the other audit standards. So, let’s not blame the EQR too harshly; it’s a collective effort and the EQR as well as the entire engagement team should be considered when remediating all QC deficiencies identified in firm inspection reports.

By incorporating the EQR finding in the firm inspection reports, the PCAOB is inherently telling firms they need to bring Part I audit deficiencies down to zero. So long as there continue to be Part I deficiencies (which are generally identified in areas of significant risk since that’s the general focus of the PCAOB), there will continue to be EQR findings. While I certainly believe the PCAOB has continued to expect more and more of the audit profession, it doesn’t exonerate firms from continually pursuing greater audit quality.

Key Takeaways

As firms consider the recurrent nature of EQR findings, possible remedial actions include:

Developing more robust trainings that specifically address nuances of firm findings and walk through examples of EQR reviews, such as case studies;

Modifying EQR checklists and/or creating addendums to include specific bullets and questions addressing firm audit deficiencies, specifically calling it out to the EQR’s attention;

Revising firm QC policies linked to how EQRs are assigned to jobs and/or considering outsourcing options using more experienced/technical firms;

Implementing new EQR coaching programs to assist EQRs and challenge their reviews, building in learning through hands-on coaching;

Performing root cause analyses to really delve into the specific issues giving rise to the EQR failures to identify audit deficiencies;

Designing a firm-wide remediation plan to addresses all audit deficiencies and not narrowly focusing on the EQR criticism; and

Engaging the PCAOB early in the remediation process to seek feedback on the sufficiency of the remedial actions.

We are long past the pre-Sarbanes-Oxley audit days and EQR reviews need to be taken seriously. Whereas once they might have consisted of high-level conversations between the lead partner and the EQR, today, an EQR review needs to incorporate a thorough review of the audit documentation supporting the engagement team’s planning of the audit and conclusions reached after executing audit procedures. Perhaps this is the biggest surprise to EQRs, the level of granularity that is now expected of them. It may feel like a never-ending story and perhaps the PCAOB is being overly exigent, but the reality is the PCAOB is not backing down off this issue, so firms need to consider what incremental actions they can take to truly ensure EQRs perform quality reviews.

Geoff Dingle, JGA Managing Director, works with PCAOB-registered accounting firms helping them identify, develop, and implement opportunities to improve audit quality. With over 20 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Geoff has extensive experience in audits of ICFR and firms’ systems of quality controls. Prior to the PCAOB, he worked on audits in various industries at Deloitte in Atlanta and Durban (South Africa)

Johnson Global Accountancy President to Speak at 18th Annual SEC Reporting & FASB Forum for Mid-sized and Smaller Companies

Mon, 15 Aug 2022 17:27:16 GMT

Los Angeles, CA: Jackson Johnson, JGA President will co-present with Natalia Greene, Esq.,Senior Vice President of Risk Management at Lemme, a Division of EPIC. The session, Staying Out of Trouble—Audit Quality, Enforcement and Other PCAOB Matters, will be presented on September 22 at 10:45 AM EDT. This session is part of the 2-day conference program sponsored by the Practicing Law Institute in New York City September 22-23, 2022. The conference is also available live online.

JGA’s one-hour session will focus on the current audit regulatory environment from a risk prevention perspective. Topics will include:

Common audit deficiencies including common findings within issuer audits;
The increasing focus in PCAOB enforcement inquiries, including audit documentation and other trends;
Observations of good practices for auditors; and
Imminent changes to firms’ systems of quality management standards and their effects on audit quality and regulation.

“I am pleased to join the faculty for the SEC/PCAOB forum for the second year. Our joint session with Ms. Greene will cover the latest on the regulatory and enforcement environment affecting public company auditors”, stated Jackson Johnson, President of JGA. “I am also excited to speak live in New York City and reconnect with our clients, colleagues, and industry peers.”

To learn more about the conference, speakers, and to register, visit https://www.pli.edu/programs/sec-reporting--fasb-forum-for-mid-sized--smaller-companies?t=live.

About Johnson Global Accountancy

Johnson Global Accountancy is dedicated to helping public accounting firms around the globe achieve the highest level of audit quality. All CPAs and former PCAOB inspection staff, JGA professionals are passionate and practical about working alongside firm leadership to ensure the right controls, policies, and practices are implemented throughout the organization.

Auditing Estimates: An Update for Unprecedented Times

Thu, 11 Aug 2022 20:12:01 GMT

For anyone reading the headlines, it sometimes feels as if we are living in unprecedented times, but the reality is, Shakespeare was right: “the past is prologue.” We’ve been through wars before. We’ve experienced inflation. We’ve survived recessions. What’s perhaps unique however, is the confluence of so many uncertainties which feels like uncharted territory for many of the younger generations.

For instance, in March 2020, while typically a lagging indicator of economic health, we saw unemployment uncharacteristically lead the way for economic deterioration with the onset of the pandemic. While the markets tanked in the short term, by Q3 2020, the stock market had fully recovered and then went on to rally through Q4 2021. Though market performance does not equate to economic strength, certainly the pandemic seemed to de-correlate the two metrics. Fast forward to Q3 2022 and headlines are struggling to know what to call the current economic situation. Is it a recession or just a correction? Despite two quarters of negative economic growth, companies across many industries are still posting profits (albeit perhaps less than anticipated) and almost every company is struggling to hire sufficient resources. Supply chains are still disrupted, given the war in Ukraine and the reverse impact of sanctions, as well as the ongoing nature of the pandemic. And finally, we’re all aware of the red-hot inflation trend, leading the Fed to post several interest rate hikes in a very short time.

While we can all acknowledge the economic uncertainties, how do we incorporate these new realities into our audits? Specifically, how does management compensate for these uncertainties in its estimates and how do auditors test these assumptions given how new or different they are from the past economic cycles?

In our first article on Auditing Estimates , we provided various audit considerations for teams when evaluating subjective management assumptions. We stated (and many of our readers echoed their frustrations) that “auditing a management estimate can feel like trying to make concrete out of Jell-O.” Several years later, in its most recent inspection observations , the PCAOB still finds issues with estimates, stating:

“While we have observed improvements in auditing accounting estimates, deficiencies continue to occur, particularly in auditing the allowance for loan losses (ALL), estimates related to accounting for business combinations, investment securities, and long-lived assets.”

The most common deficiencies stemmed from audits where engagement teams:

Did not sufficiently evaluate the appropriateness of models used in valuations;
Did not sufficiently obtain audit evidence for assumptions used in valuations;
Did not sufficiently evaluate changes, or lack of changes , in recurring assumptions used in valuations (specifically for ALL); and
Did not sufficiently evaluate contradictory evidence when concluding on the reasonableness of assumptions.

Building on our previous article, below we expand on the common deficiencies and additional considerations to incorporate into audits of estimates, especially given current economic conditions.

Auditing Estimates Considerations

Valuation Models

While I have rarely seen inappropriate models used in valuations, I have often seen teams fail to sufficiently document its evaluation of the valuation models used in estimates. AS 2501.10 and 11 explicitly require the auditor to evaluate whether the method used by management is in accordance with the financial reporting framework and is appropriate for the specific account. In addition, all changes to models need to be considered. Regardless of the type of model used/applied, it must be evaluated. The more complex the model, the more there is a need for a qualified valuation specialist that can specifically evaluate the appropriateness of the model itself, whether at the macro level (i.e. use of an income approach) or at the micro level (i.e. the appropriate factors to incorporate in building a discount rate).

Support for Assumptions

This finding is arguably the most difficult for auditors to fulfil given the judgment involved in what defines “sufficiency” or “reasonableness.” While we can debate the definitions, the reality is that many teams are still failing to obtain solid evidence and support for assumptions embedded into valuations. I often see teams inquire with management to understand how management derived its assumptions while failing to perform further procedures to obtain actual support for the inputs. Below are some considerations for teams to incorporate into their evaluation of assumptions:

Availability of data / information : In the current economic environment, is there relevant historical or industry data that can support specific assumptions?

For instance, given supply chain disruptions, do the past two or three years of historical internal data support future projections? How long will supply chain disruptions last? What will be the impact on production and sales? What will be the impact on costs and margins?

For start-ups with less operating history or smaller companies with less internal information tracking/monitoring, or less controls around internally derived information, management and auditors may be forced to look to external sources of information to support specific assumptions.

Accuracy and completeness as well as relevance and reliability of information: Engagement teams need to evaluate the accuracy and completeness of any data used by management that is internally derived (i.e. company specific data). In addition, for all externally derived information, auditors need to evaluate the relevance and reliability of that information. Regardless the source of the data, AS 2501.14 specifically requires auditors to evaluate whether “the data is relevant to the measurement objective for the accounting estimate.” The current economic uncertainties will challenge the relevance of information given some of the current conditions have not been seen in 30 or 40 years (i.e. inflation).

Qualitative inputs: Management often discusses qualitative factors that impact the valuations. Somehow, these qualitative inputs need to translate into quantitative figures used in the valuation model. Management is responsible for creating and supporting the quantitative assumptions, so auditors should not hesitate to challenge management on how it derived a specific assumption. I encourage teams to keep asking: “How? Why? Tell me more.” Be curious.

Changes in Recurring Assumptions

Given the changes in economic conditions, management and auditors need to consider changes (or the lack thereof) in recurring assumptions. Part of this evaluation should be built into retrospective reviews over management estimates (as required under AS 2401.63-65 ). Retrospective reviews will help audit teams evaluate how accurate previous management estimates were. To the extent management missed the mark in prior years, I would expect that current year assumptions would change to more accurately reflect the most recent information. In addition, to the extent economic conditions change, again, assumptions should also adjust year over year. For instance, although historical inflation assumptions typically ranged from 2-3%, I would expect current year inflation assumptions to reflect the higher trends being reported in the news.

Too often, auditors simply apply a “status quo” blanket expectation for all assumptions, but the challenge will always be:

If assumptions changed year over year, what supports the change in assumptions?
If assumptions remained static, should they have remained constant? Or should they have changed to reflect evolving macro-economic or company-specific factors?

These same concepts apply for analytics and fluctuation analyses where teams often just use a blanket “status-quo” expectation and investigate any changes greater than $X and/or X%. Well, why is the status quo the appropriate expectation to start? These are the auditor judgments that need to be documented to evidence the team’s considerations.

Contradictory Evidence

Auditors often review large sums of information. Invariably, there will be data that appears contradictory to management’s assumptions/assertions. It is critical for auditors to challenge this information and resolve any discrepancies that arise from contradictory evidence. Auditors should consider the following:

Obtain support from management to validate its assumption and ask management to speak to why the contradictory evidence is irrelevant or unreliable and should not be factored or weighted in the valuation.
Perform a sensitivity analysis to demonstrate how the contradictory evidence does not materially impact the valuation.
If contradictory evidence could materially impact the valuation, consider different scenarios and obtain additional support that further validates management’s assumption and/or invalidates the contradictory evidence. For instance, look at historical performance with the presence of the same contradictory evidence but that would still support management’s assumption.

The extent of additional procedures needed to resolve the contradictory evidence will depend on various factors, such as the risk assessment linked to the estimate, including the fraud risk assessment, the overall evaluation of management bias, the materiality of the valuation and the correlated contradictory evidence, etc. The key here is that auditors cannot simply ignore contradictory evidence. Teams need to document the evaluation.

Bank-Specific Considerations

While estimates for all companies are difficult to audit, it is perhaps even more complex for banks given the allowance for loan losses (or now the allowance for credit losses) has so much tied to economic conditions. How are banks incorporating new realities such as the interest rate volatility? Or supply chain disruptions that may impact borrowers’ abilities to service loans? What about conflicting economic conditions such as declining unemployment figures coupled with two quarters of negative economic growth? Do banks have sufficient historical data from previous time periods that mimicked the current economic conditions? Depending on the source of that information, is that information accurate and complete or relevant and reliable?

For banks, engagement teams should specifically consider the following:

Since the allowance is often predicated on historic loss data, how has the engagement team evaluated the accuracy and completeness of that information? Recurring audits will often use recent historical loss data pulling from systems and reports that have been tested in previous audits. However, what if the engagement team decides to look at information from the 2008 recession or from the inflationary decades such as the 1970s and 1980s? What procedures has management and/or the engagement team performed to validate the accuracy and completeness of that information?

How has the engagement team evaluated the relevance of information? For instance, a two or three-year historical loss lookback would not necessarily reflect the current economic conditions such as inflation, interest rates, unemployment rates, etc. Engagement teams should consider the relevant economic factors that are built into the allowance and evaluate how closely (or not) the historical loss data reflects the current economic conditions. To the extent the data is dissimilar, then management should be adjusting assumptions, such as qualitative factors (Q-factors), to incorporate these differences.

For banks that may not have relevant historical loss data sets, management may be forced to look for external sources to support their assumptions (i.e. look for other banks and their loss ratios). Engagement teams need to consider the relevance and reliability of this information when evaluating the assumptions. For instance, where were the loss ratios obtained? Which industries/segments were included? How similar are the loan portfolios?

Are inputs to qualitative factors auditable? What support is there for changes in qualitative factors? Do changes (or lack of changes) in qualitative factors correlate with macro-economic trends (i.e. did the bank adjust for unemployment and did that adjustment mirror current unemployment trends)? How did the bank determine the percentage change given the qualitative consideration? Often teams will need to look in aggregate at the impact of all changes to qualitative factors on the overall reserve.

In testing controls, are engagement teams considering all relevant controls that might provide comfort over accuracy and completeness of information used to derive assumptions or data used in the valuation? How precise are management review controls around the valuation and how much comfort can engagement teams leverage from the testing of these management review controls? For example, would an entity level credit committee review be sufficiently precise to detect material misstatements in estimation and calculation of allowance, or should the auditors identify and test more precise process level controls?

One tool we often recommend to our clients who perform bank audits is to perform an anchoring exercise, or a look-back analysis performed to locate historical periods with similar economic conditions/outlooks. This requires historical information about losses reported in a time period with similar risk characteristics (e.g. Y1 of recession). Then compare the loss reserves to actual charge-offs (of the loans existed at Y1 YE) that occurred in the periods subsequent to Y1. The difference would be a good indicator of how accurate the historical loss model was and what assumptions / inputs might need to be adjusted in estimation of relevant Q-factors to fully reserve for anticipated losses in the current year.

Key Takeaways

Auditing estimates is never easy. As with all things audit, the nature, timing, and extent of procedures are driven by the risk assessment. Given the confluence of numerous economic uncertainties, many of which are “new” compared to the last couple of decades, the risks surrounding subjective management judgments and assumptions used in valuations will increase the overall risk linked to an estimate, including the potential for fraud risk through management bias. As auditors plan and prepare for audits, consider the following:

Engagement teams must always evaluate the appropriateness of valuation models used in estimates. Some models may require a qualified valuation specialist to conclude.

Auditors need to continue to expand on testing the reasonableness of assumptions by obtaining support from management that is complete and accurate and relevant, or from other external sources (such as industry data) that is relevant and reliable. Given so many changes to economic conditions, relevance will be an important consideration for teams to document.

When the status quo is disrupted and the economy is in a period of significant uncertainty, auditors should consider all changes, or lack of changes, in assumptions and inputs. This is an important part of reviewing estimates for management bias from previous periods and for truly concluding on the reasonableness of current year estimates.

Contradictory evidence must always be considered and sufficiently documented and resolved to conclude on the overall reasonableness of accounting estimates.

Q-factors should be supported by reasonable estimates which are based on accurate, and relevant and reliable information, especially in times of significant uncertainties.

While we’ll never make concrete out of Jell-O, no matter the economy, we must continue to perform robust audit procedures and build in additional considerations to account for the economic changes and uncertainty we’re experiencing today. The hope is not to make concrete, but merely a Jell-O that holds it shape (and jiggles) despite a dynamic, changing environment.

Farkhod Ikramov, JGA Director , has over 25 years of public accounting and audit regulation experience. Most recently, Farkhod held a ten-year tenure as a PCAOB inspector. Throughout his experience there, he inspected a variety of industries, focusing the last four years on financial services, insurance and mining. His experience positions him as a passionate and practical advisor to public accounting firms, assisting leadership in the implementation of the right controls, policies and practices throughout the organization .

Johnson Global Accountancy Celebrates Five-Year Anniversary

Wed, 10 Aug 2022 13:52:37 GMT

Johnson Global Accountancy (“JGA”), a consulting firm that advises public accounting firms to improve audit quality, celebrated its fifth anniversary in the Summer of 2022. JGA’s mission is to be the most innovative and technically excellent advisory firm at the intersection of companies, auditors, and regulators, that improves investor decision-making confidence.

The Firm was founded in 2017 by Jackson Johnson, JGA President, after spending six years inspecting audits and systems of quality management of small and medium-sized firms throughout the world. “As a regulator, not a consultant, my job was to tell firm leadership and their engagement teams what was wrong, but I couldn’t provide advice or help them fix it. Firms needed someone who understood the pressure of audits, but who also understood the regulators point of view, how to do an audit right and how to make sustaining, meaningful improvements in quality control. JGA was created to fill this need with the ultimate goal of improving confidence in the financial reporting ecosystem.”

Today JGA has 12 staff across seven metro locations in the U.S. and advises clients across five continents.

“I am so proud of the cross-functional internal and external professionals that are dedicated to working together to fulfill JGA’s mission. I always knew when I started this Firm that I needed to surround myself with the best and brightest in whatever they do,” stated Jackson. “The JGA family has grown to a dynamic team of experts in whatever their discipline is, whether it be audit quality advisory services, strategic marketing, or finance and operations.”

Most recently, JGA enhanced new services, including software solutions to help firms implement the new quality management standards that will be required by global regulators.

“The future is very bright at JGA,” added Jackson. “I am excited to continue helping our clients manage their compliance risks. With the foundation this team has built over the first five years, I can’t wait to see how far we can go over the next five years and beyond.”

Jackson Johnson, CPA is president of Johnson Global Accountancy, a public accounting and consulting firm with clients throughout the world. He works directly with PCAOB-registered accounting firms and other firms to help them identify, develop, and implement opportunities to improve audit quality.. He also works with public and private companies on various technical accounting and transactional matters. His experience includes nearly six years with the PCAOB, where he worked with small and medium-sized accounting firms throughout the world, including foreign affiliates of large international accounting firms, in the areas of firm quality control and ICFR audits of financial statements. Prior to the PCAOB, Johnson worked with public and private clients in a variety of industries at Grant Thornton LLP in Boston, Los Angeles, and Hong Kong.

Back to Basics: Why Understanding the Business is Essential

Wed, 27 Jul 2022 20:26:16 GMT

Whether you are part of an engagement team working for an American or an international accounting firm, changes to our industry are being accelerated by new standards.

With SAS 145 in our not-so-distant future and its IAASB equivalent ISA 315 already in place, many of our clients are in the process of thinking strategically about how to update, implement, and monitor audit programs and procedures to align with the new standards. SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, provides clarification and specific guidance to include the control environment and IT in the engagement team’s understanding of the business, planning, and risk assessment of an audit. A key requirement is for engagement teams to test the design and implementation of control activities (including IT general controls) for significant risks, fraud risks, and journal entry areas of the audit.

Standards aside, many teams are experiencing resource constraints across the board, but specifically around business analysis, controls, and IT knowledge. These pressures are pervasive throughout firms and can surface in internal and external inspections, peer reviews and ultimately lead to heightened risk of non-compliance with auditing and QM standards.

Oftentimes our experience with internal inspections, peer reviews, or regulatory inspections start with a simple question to the engagement team: “Please explain the company’s business and the flow of details to the financial statements.” The auditor’s response is normally at a superficial level. However, when asking a simple question such as, “Where is this information coming from?” all too often we hear, “I don’t know, but I will ask the client." When the team cannot explain where the information is derived from without going back to the company, it could indicate significant issues related to the audit.

With the new standards coming and year-end planning drawing near, now is the perfect time for firms to get back to the basics of auditing and focus on understanding the company they are auditing. This helps to ensure that the scope of the audit work covers all important transactions and subprocesses and supports the performance of the correct procedures. The engagement team needs to have a clear understanding of the company’s business, control environment, and information systems and communication.

Business Understanding

Many problems could be avoided if the auditor obtained a thorough understanding of the client’s business. During our support of various inspections of audit files, we see many audit engagements where the auditor does not have a good understanding of the business, and as a result, the auditor does not perform the correct procedures, or misses audit procedures related to a specific transaction. When this occurs, it is often because the team assumed all the transactions in an account followed the same process. This year, take a fresh look at the business side of the company you are auditing, and do not roll over those planning work papers from last year. A fresh look at the client should include the:

business model
products and services
customer base
competitors, and
industry,

Control Environment Understanding

After the engagement team has obtained a good understanding of the client’s business, the auditor should obtain an understanding of the client’s system of internal controls. Fundamentally, new standards are not changing this requirement; it is a part of basic audit procedures. The new standards provide explicit guidance on procedures to obtain this understanding. During your fresh look this year, consider adding documentation of these areas:

The company’s control environment: Understand what processes are in place at the company outside of the work the engagement team is performing for the external financial statement audit. What are the ongoing tasks, activities, and processes in place at the company that support the achievement of financial reporting objectives?

The company’s risk assessment process: How does the company develop their own risk assessment? Compare this risk assessment to your own for the audit. Corroborating inquiries can help clarify the engagement team’s understanding of the company’s risk assessment procedures.

The company’s process to monitor the system of internal controls: Consider what the company does to ensure financial reporting is controlled if the external audit did not occur.

Information System and Communication Understanding

The companies we audit are modernizing their strategies and investing in technological enhancements to maintain competitiveness. The audit must adapt to provide the investors with relevant information and maintain trust in the market.

Schedule time at the beginning of planning to review the company’s business model.
Use data analytics to better understand the business transactions.
Create a flowchart that allows you to map the business transactions to the financial statements. This will help the entire audit team better understand how the business transactions flow to the financial statements.
Ensure the competency of your engagement team lines up with the industry, technological complexities, and business.
Ask the simple questions and stay curious; don’t assume information magically appears in financial statements.

In all these aspects of understanding the audit client, teams need to budget the time to take a fresh look at their understanding of the company they are auditing. Consider talking to folks at the company you don’t regularly meet. Explore new company documents and information along with staying up to date with industry trends.

Joe Lynch is a Managing Director at Johnson Global Accountancy who works with public and private companies, and public accounting firms to implement and integrate technology into financial processes and improve the audit integration of engagement teams which enhances financial reporting and audit quality. With over 17 years of experience in the auditing industries with a focus on technology, and over 6 years at the PCAOB as an Information Systems Inspection Leader. Joe has supported companies and firms with IT strategic initiatives ranging from implementing the strategic framework for technology departments to leading implementations of ERP and other systems.

The Growing Use of Other Auditors: Managing Risk and the New PCAOB Standard

Fri, 22 Jul 2022 20:16:09 GMT

Globalization has led to increasing decentralization of audits, through the use of shared service centers, branch offices, or other auditors. Principal auditors are farming out portions of their audits to other individuals or firms for a number of reasons, whether it be to maintain margins in an inflationary and competitive US cost market, serve multinational clients more quickly, conduct work by local auditors in local languages, or other reasons. Other auditors may be associated with the principal auditor either through a network or affiliation arrangement or none at all. How does the financial reporting ecosystem manage these risks that have always been there but seem to be increasing in volume and complexity? Let’s discuss the audit quality and regulatory challenges, the risks these approaches can bring with them, and the new standards that will require changes to both the principal auditor and group auditors, now called “Lead Auditor” and “Referred-to Auditors,” respectively.

It is the Lead Auditor’s responsibility to ensure that the referred-to auditors comply with the standards. The PCAOB has made clear from inspection procedures, comment forms, reports, and even public settled disciplinary orders that it will fault the principal auditor for not properly supervising the other auditors. Supervision includes ensuring the referred-to auditors are registered with the PCAOB if they perform a substantial role. A substantial role is defined as auditing 20% or more of the assets or revenues of the entity, or incurring 20% of more of the audit fees or hours.

In practice at JGA, it is most common to see the lead auditor take responsibility of the work of other auditors. We very seldom see reference in the lead auditor’s report to work performed by other auditors. Definitively, the lead auditor is taking on all of the risks over the consolidated audit.

Risks to the Principal Auditor

We have seen through our design, implementation, and continuous monitoring of engagement execution and quality management that the impact on audit quality can be both positive and negative. If done right, using the work of other auditors allows firms to scale and meet the needs of their growing and geographically challenging client base.

But what are the risks of using the work of other auditors? I have seen through my own experience managing a “U.S. desk” in Southeast Asia, that culture, technical experience, and frequency and depth of working on PCAOB audits, all pose potential risks.

Some specific examples where we have seen problems include, but are not limited to:

Lack of understanding of the principal auditor’s role in a group audit;
Supervision is untimely or otherwise insufficient;
Lack of integrated planning and risk assessment with all auditors;
Insufficient knowledge, skills, and experience of the other auditors relative to the group audit; and
Inconsistent systems of quality management over personnel across different firms, including training, ethics, and independence relative to the audit and needs of the principal auditor.

Regulatory Challenges

We have seen the recent disciplinary orders thrown down by the PCAOB on some of the fact patterns where firms are overly “outsourcing” their work in such a way that regulatory compliance is overlooked. We have particularly seen the uptick in using other auditors by firms stateside to get audits done in China (“PRC”) and Hong Kong (“HK”). Since the Holding Foreign Companies Accountable Act, or HFCAA, was implemented to address the lack of access to workpapers of auditors in this region , relying on the work of other auditors from these regions is receiving its due scrutiny from PCAOB inspections and enforcement.

This is directly affecting lead auditor relationships and the allocation of work. We have seen significant activity of Chinese issuers, previously audited by a PRC or HK firm, changing auditors to firms in other countries. The SEC has identified approximately 155 issuers that face delisting unless either (1) the issuer changes auditors, or (2) the PRC’s Ministry of Finance, Chinese Securities Regulatory Commission, and the PCAOB come to agreement quickly for unfettered inspections in the country. The list continues to grow.

Regulatory Responses

Inspectors will continue to look carefully at these types of arrangements to ensure they comply with the various standards, particularly PCAOB Rule 3211, Auditor Reporting of Certain Audit Participants, and how the lead auditor addresses the risk assessment and supervision standards. Inspection issues in this area can quickly lead to enforcement trouble for the principal auditor.

Based on our experience supporting firms with informal inquiries, orders of formal investigation, and working with firms and legal counsel to prepare for investigation or for negotiation of offers for settlement, we know that PCAOB enforcement prefers to take on issues where non-compliance is clear. In the context of compliance with other auditors, these instances of non-compliance can easily lead to an enforcement inquiry:

Untimely, inaccurate (missing other auditor information), or non-filing of Form AP;

2. The other auditor is not PCAOB-registered and performed a substantial role in the audit; and

3. Lack of documentation supporting the work performed by other auditors and how

principal auditors review and supervise others.

After nearly six years of discussions, drafts, and requests for comments, the final standards were adopted in June, 2022. The new standard removes key distinctions in expectations whether a lead auditor is relying on the work of another auditor, or the lead auditor is doing the work themselves. For example, AS 1205, Part of the Audit Performed by Other Independent Auditors, will be superseded but not replaced. Instead, the requirements will be embedded into the supervision, risk assessment, and other standards. In effect, the changes clearly show the lead auditor engagement partner’s responsibility to use a risk-based approach to supervise the work of referred-to auditors. Obtaining a “reporting package” from the other auditor will not be sufficient. These amendments will take effect for audits of fiscal years ending on or after December 15, 2024.

What Firms Should Do Now

I recommend firms take a close look at these factors when determining the compliance of their quality management and planning programs when planning and coordinating work with other auditors:

Take an inventory of and assess the tools available to measure and monitor compliance with the substantial role definition: How does the firm calculate whether another auditor will perform a substantial role on an audit? How does the firm ensure this plan stays within that range through the end of the audit? Are we confident the tools that we have developed for firms will get this process off to the right start? Firms then need to ensure these thresholds are reevaluated on a continuous basis.

Dig deeper to evaluate the audit quality indicators of referred-to auditors. When gathering internal inspection, network or affiliate inspection report results, consider:
Was the engagement partner included in the scope?
Did the sample include a cross-section of partners and audits in the disciplines of PCAOB, ICFR, and US GAAP? Or better, was the specific engagement and partners selected?
What is the status of remediation of relevant findings, if applicable

Determine the KPIs that are important to understanding the risks related to the other auditor(s). For example, do these factors play a role in risk assessment:
billing rates
tenure of the engagement team
size of the book of business of non-PCAOB work
hours managed
proportion and amount of audit hours vs. non-audit hours by the other auditor.

Set and understand language expectations. How is the lead auditor’s supervision effectiveness affected with English being not the primary language of the other auditors? What if workpapers are documented in another language, or originally prepared in local language and then translated into English?

Lead and supervise the audit through the lens of risk assessment. The lead

auditor should be focusing its efforts on audit areas with the greatest risk of

material misstatement to the financial statements, whether those areas are

audited by the lead auditor directly or by another auditor under the lead auditor’s

supervision.

Hold planning discussions with the referred-to auditor(s). In these meetings,

discuss the planned audit program or, where applicable, instructions issued to the

team. Ensure understanding of expectations between the firms.

Ensure you are covered on HFCAA. For firms dealing with an increase in work, or shifting in work among a network, to address the implications of HFCAA, check out my recommendations here .

Consider the impact to the system of quality management: As firms are working now to implement ISQM 1 and/or SQMS 1 , it’s important to identify the risks and controls to address those risks to ensure this work meets the relevant objectives in the standards.

Key Takeaways

Audits of multinational corporations has become increasingly complicated. The globalization of companies has led to a decentralization of the obligations of the auditor.
Movement of PCAOB work out of PRC and HK to other foreign firms creates new global audit quality risk that must be managed by the lead (principal) auditors.
Recurring inspection deficiencies and increasing enforcement actions in these areas mean a heightened compliance risk for both existing and new requirements
The PCAOB’s updated standards, among other changes, shift the objectives of the lead (principal) auditor from reviewing reports of the other auditors to supervising the work of the other auditors.
Firms – both lead and referred-to auditors – should examine their processes and systems of quality management around their planning and supervision of work among other auditors to prepare for the updated standards.

JGA Announces Enhancements to Quality Management Services

Fri, 24 Jun 2022 16:54:36 GMT

Los Angeles, CA.:  Johnson Global Accountancy (“JGA”) is pleased to announce the expansion of our current quality management implementation and monitoring services to launch of a full suite of services to help public accounting firms tackle the new Quality Management (“QM”) Standards required by the IAASB, AICPA, and PCAOB.

“An audit firm’s system of quality management is an important pillar of the financial reporting ecosystem,” stated Jackson Johnson, President of JGA. “Since JGA started in 2017, we have been advising our U.S. and international clients on improving and monitoring their systems of quality management. It is, therefore, a natural fit for us to partner with public accounting firms all over the world on their design, implementation, and continuous monitoring of QM programs under the newly effective standards.”

As firms face the new standards and their respective implementation dates, firms all over the world are required to evaluate and design quality management programs to prepare for the upcoming implementation dates. This includes designing a system that identifies and responds to all the quality risk areas using the firm’s processes, policies, and controls.

JGA QM services include:

Risk Assessment
Implementation and Training
Monitoring
Evaluation and Testing
Quality Management Readiness
Root Cause and Remediation

JGA is committed to supporting firms in the process of enabling their systems of quality management with customized software solutions. Our experience encompasses working with firms to provide expertise in a scaled set of managed services and software to complement the most successful implementation tools for our clients.

Learn more about JGA’s QM services here.

About Johnson Global Accountancy

###

JGA's Continued Support of the Boys & Girls Clubs of Greater Kansas City

Tue, 24 May 2022 18:55:50 GMT

Kansas City, Missouri: On Saturday, May 21st, Johnson Global Accountancy (“JGA”) attended the 26th Annual Kids Night Out, a fundraising event to benefit the Boys & Girls Clubs of Greater Kansas City.

"Kids Night Out knocked it out of the park! For the second year in a row, JGA colleagues came together to raise money for youth in the community. The testimonials from the kids, live auction, and musical talent of Brothers Osborne made the evening a night to remember,” stated Jackson Johnson, President of JGA. “This annual gala is the primary source of funding for their programs and the evening raised over $2.55 million! Congratulations and thank you to the donors for their support!"

The Boys & Girls Clubs of Greater Kanas City has been serving this region for over 100 years and now operates 12 locations, changing the lives of at-risk youth. In addition to Jackson, other JGA attendees included Joe Lynch, JGA Managing Director, Geoff Dingle, JGA Managing Director, and Mark Whittenberg, JGA Director.

Click here to learn more about the Boys & Girls Club of Greater Kansas City and support their fine work.

About Johnson Global Accountancy

Johnson Global is dedicated to helping Public Accounting Firms around the globe achieve the highest level of audit quality. All former PCAOB staff members, Johnson Global professionals are passionate and practical about working alongside firm leadership to ensure right controls, policies and practices are implemented throughout the organization.

JGA Update: SAS 145: The New Risk Assessment Standards for Private Company Audits

Tue, 24 May 2022 18:45:55 GMT

SAS 145 continues with the convergence efforts, explicitly highlighting the necessity of risk-based auditing. Standing back, we have risk assessment, Internal Controls (including ITGCs), and the stand back provision as the primary call outs. Firms can expect SAS145 to trigger a more data-driven risk assessment process, providing less reliance on substantive tests of detail and more on analytics. Firms will need to transform their methodology to incorporate a more robust assessment of inherent risk and appropriate audit responses.

The standard itself is not altering the audit risk model, but it does provide enhancements and clarification of risk identification and assessment with a focus to improve audit quality. Specifically, the standard specifies “obtaining an understanding of the entity’s system of internal control and assessing control risk” as well as “guidance that addresses the economic, technological, and regulatory aspects of the markets and environment in which entities and audit firms operate”. As you’ll note in the standard, it no longer requires the auditor to determine whether a financial statement level risk is a significant risk. Throughout the language of the standard, it is clear that the risk assessment is an iterative process , which many firms reflect in documentation already, but the standard now explicitly requires.

The new stand-back provision supporting the position of completeness was not accompanied by documentation guidance. Firms will need to have a solid set of procedures and documentation to adapt to the requirements of this provision. The revised internal controls (including ITGCs) design and implementation testing requirements for significant risks, fraud risks, and journal entry processes. This also includes the expectation the auditor will identify related general IT controls that address the risks arising from the use of IT and to evaluate their design and determine their implementation. It is not exhaustive for each IT process, but is risk-based. To identify the risks arising from the use of IT, the auditor identifies the IT applications and other aspects of the entity's IT environment that are subject to such identified risks. These IT applications and corresponding elements are identified based on the identified controls addressing RMM at assertion level.

Keep an eye out for upcoming training by the AICPA . The standard is effective for audits of financial statements for periods ending on or after December 15, 2023.

Note: for audits performed under the internal standards ISA 315 is in effect for audits of financial statements for periods ending on or after December 15, 2021.

Financial Fraud Risk: Raising Awareness in a Fiercely Competitive Market

Tue, 24 May 2022 18:27:01 GMT

Today’s market situation — with supply chain challenges, inflation instability, and ever-shifting priorities creating great disruption and intense market contests — deserves risk awareness from those who are tasked with preserving investor confidence. Audit leaders, by design, should see this shift in competitive markets as a leading indicator for increased fraud potential. As a hockey fan, I equate small, illegitimate, effective fraud maneuvers to sucker punches, spraying the goalie, and turtling to win a game against a brutal competitor. Making small, effective, repetitive changes that significantly influence the market is not a new competitive strategy; it’s employed on the ice and in companies. Unfortunately, current economic conditions intensify fraud risks and call for a fierce defensive line.

The best defense in hockey is a strong offense. Same for audit leaders. As we hover over the greater picture to determine a game plan and keep auditors on the offense, we assess risk possibilities that correlate with the ever-changing competitive market, namely competition-driven and occupational fraud risks.

Competition-Driven Risk Awareness

Inflation

Core inflation rose 0.6 percent in April, which was double that of March 2022. Excluding costs for groceries and gas, this inflation rate is a widely used measure to show movement of average consumer prices and serves as a complementary measure to the consumer price index. Regardless of any short-term reprieve as inflation fluctuates, the greater picture does not reveal a quick fix game plan to the inflation issue. Employees, families, and companies are experiencing a cross-check in finances while trying to skate upright. It goes without saying that in times of distress, increased cost of manufactured goods and the pressure from the top to reduce costs, is when we tend to see an increase in fraud risk.

How do the increased costs create fraud risks?

To be a strong competitor, companies maintain lean, cost-effective means to combat inflation. They also reevaluate pricing methodologies to ensure products or services viably pass along increase costs to customers. The extent to which the current inflationary period will last is an unknown factor. As engagement teams conduct fraud planning discussions of increased inflation risk, they have a heightened awareness for improper capitalization, skimming, tax avoidance, and unauthorized use of company assets.

Supply Chain

Balancing supply chain new normal expectations of the market can cause intense pressure for companies. Auditors have reported an increase in inquiry and analyses to document creative ways companies contend with the challenges. Auditors have struggled to determine whether company misstatements were intentional due to the supply chain movements while rushing to update internal controls documentation . An effective tactic to identify deficiencies is integrated walkthroughs.

Should auditors be asking whether there was a shift of controls during the supply chain delay and if there are alternative work locations for key personnel due to the pandemic to consider?

As supply chain complications progress, auditors see an extraordinary play of events unfolding where the opportunity is prevalent for an emergence of dishonesty in financing. Additional considerations during delays of material are loan covenants as companies often consider short-term debt to correct cash flow. When manipulating the financial outlook, there is a gray area that may fall short of the criminal definition of fraud. Earnings management alone may not be fraudulent until a company begins rationalizing and changing estimates under pressure, leading to unreasonable positions.

Financial Statement Fraud Risk Awareness

Estimates

To stay out of the penalty box, auditors should remain risk aware and be clear on the basis for any significant estimate included in the financial statements. Companies can take advantage of the increased opportunity to improve financial results during market downturns by utilizing estimate adjustments. Convincing narratives to subjective estimates have ultimately resulted in bad actors spending time in the penalty box.

Does the change in each estimate appear to be solely the result of market competition or does it exhibit management bias?

The current market may exaggerate this type of fraud condition, requiring the auditor to have deeper understanding of key estimates, greater skepticism, and sharper curiosity. We often see through pre- and post-issuance reviews of audit files that other evidence exists in the workpapers that contradicts assumptions or inputs used to develop an estimate . A properly planned fraud risk assessment will help engagement team members spot potential contradictory evidence.

ESG

Public companies are increasingly disclosing environmental, social, and governance ( ESG ) efforts voluntarily to measure, manage, and provide information to concerned stakeholders. While checking ESG for fraudulent disclosure can be tough, there are clear plays that have occurred to guide precedent and understanding of ESG fraud. If being ESG-friendly pays dividends, what are the fraud risk factors tied to those dividends? One factor is a misstatement of financial figures in ESG reports that do not align with financial ESG disclosures. ESG reports can vary by market and annually, making the foundational knowledge of financial reporting your best defense.

How have you documented your understanding of the company’s ESG position and compared them with their ESG reports?

To remain risk aware, and on the offense, identify the ESG reporting structure of the company and exercise professional skepticism in the novel ESG landscape that support mitigating the fraud risks deking the opposition. ESG is increasingly complex and shifty with derivative terms and varying features. In one of my prior controllership roles, prior to the guidance of the now established GHG accounting, I experienced first-hand the effort to conduct a difficult line pass by reconciling the existing guidance with an emerging industry. Aligning with guidance and offering transparency to map where it did not perfectly align can clarify questions that arise. While regulators are working to strengthen guidance to provide an assist on ESG, you can rely on the basic audit tenets: relevance, reliability, completeness, and accuracy.

Related Parties

Related parties were at the crux of scandals two decades ago that led Congress to pass the Sarbanes-Oxley Act of 2002 and establish the PCAOB. Auditing Standard No. 2410 Related Parties requires auditors of public companies to pay special attention to financial matters that pose increased risks of fraud.

Have there been any changes in segregation of duties that would cause related parties to not be disclosed?

An auditor must obtain an understanding of each related party, every time. At a minimum, undisclosed related parties and unusual transactions are typically at the top-of-mind for auditors. Small and/or effective related party and unusual transaction fraud risks include timing schemes, bill-and-hold arrangements, business combination valuation manipulation, or bid-rigging. In the offensive game against related parties and unusual transactions, consider software audit tools , tax filings, life insurance policies, and interviewing accounting personnel.

Cyber Fraud

Auditors do not need to reinvent the wheel because of the supply chain challenges, inflation instability, and the great resignation, but should incorporate their understanding of the entity and how it is prioritizing and responding to risks.

Are the identified cyber fraud controls selected for testing covering the identified cyber risk and are they performed timely?

A scaled cybersecurity governance and risk management program is one important part of this understanding. A heightened risk awareness of opportunity fraud risk factors includes considering the challenges of social engineering, information security, confidentiality violation, and phishing emails. The uptick in inflation will lead to increased rationalization and pressures heating up cyber fraud.

Occupational Fraud

Industry Trends

Occupational fraud is the use of one’s position to exploit, through misuse or misappropriation, an organizations resources and assets for personal gain. The recent Association of Certified Fraud Examiners (“ ACFE ”) Report to the Nations published the results of a survey conducted to understand the potential costs and financial effects from occupational fraud. The survey showed the current trends and schemes fraudsters engaged in stating that financial statement fraud was the least common (9%) but costliest. Whereas asset misappropriate was the most common (86%) but least costly.

Other indicators from the survey can be used by auditors in their iterative planning process. Nearly half of cases occurred due to lack of internal controls or override of existing controls. The biggest change from the prior ACFE survey, is the new fraud risk of cryptocurrency that was not addressed in the prior report, but accounts for 8% of current fraud cases. The top cryptocurrency reported frauds involved bribery or kickback payments in cryptocurrency (48%) or converting misappropriated assets into cryptocurrency (43%). Fraud stemming from cryptocurrency-related transactions is projected to exponentially rise.

The ACFE also considered COVID’s effect on occupational fraud in the 2020 and 2021 data. The survey noted a shift to remote work, internal control changes, operational process changes, and technology challenges combined for a significant 49% pandemic-related fraud factor.

How to Mitigate Occupational Fraud Prevention

The greatest player in the game are employees who reported the most occupational fraud incidents (55%) based on the ACFE. Therefore, be sure to engage your most valuable players in fraud inquiries. Genuinely assess the employee’s knowledge when understanding an entity, including controls and processes. Fraud risk factors may include data theft, insider threat, multiple reimbursement schemes, and management override of controls (tone-at-the-top). With the great resignation trend, a blend of fraud risks is prevalent, and we are sure to see an increase noted in the next ACFE survey.

Fraud Risk Prevention in the System of Quality Management

With the wide swing of events causing challenges in data analytics, fraud risks are bountiful, Quality Control may be a firms’ single greatest play. The new standards supply measures that will support the firm’s acceptance and continuance measures, it will guide the engagement team to exercise appropriate judgment and documentation, and provide for an overall healthy engagement framework to address quality risks. ISQM1 sets forth the proactive approach to audit quality needed for a successful approach to engagement risks.

Projections do not entail a quick fix for alleviating the current challenges, so in summary consider the following:

Enforce clear documentation of firm audit methodology including due diligence and professional skepticism.
Hold in-depth planning discussions with clients that are centered around fraud risks integrating the current competitive climate.
Specifically ask how the company is competing in the market, what their offensive and defensive strategies are, and how their coaches are pulling them through this difficult period.

Overall, understand that you are in an environment where there are great unknowns that are novel to management decisions creating a desperate need for a strong enforcer, brilliant captain, and a strategic game plan.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

New Concerns around Going Concern: Is Management Properly Prepared?

Mon, 23 May 2022 14:10:42 GMT

It seems like a lifetime ago, but back in early 2020 and continuing into 2021, consideration of a company’s ability to continue as a going concern was top of mind for both management teams and their auditors due to the global COVID-19 pandemic. Back then, going concern considerations were necessary due to shutdowns, mask mandates, employees having to work remotely – many employees were laid off or furloughed, which led to a drop in consumer demand especially in industries such as retail, travel, entertainment, and service industries and a drop in manufacturing / production. In April 2020, our article Weathering the Storm: Auditing Going Concern in an Age of Economic Uncertainty discussed how auditors should have reacted to the address going concern during the global pandemic.

Starting in 2021 and continuing into 2022 we now have different concerns being raised. The global economy has been affected by truly worldwide events – the great resignation has resulted in severe labor shortages in many industries, rapidly rising consumer demand has led to supply chain shortages, the recent microchip shortage resulted in a ripple effect across many industries that use microchips and semiconductors in their products, the war in Ukraine and resulting Russian sanctions has affected the supply of goods from Ukraine and Russia, rising costs of almost every commodity (gas, food, labor), and rising interest rates. All of these are causing companies to reassess and alter their typical business models to respond to the new norm. Companies are experiencing the pressure of higher wages and/or higher raw material costs while trying to pass these costs along to consumers, seeking out alternative supplies of goods and raw materials to mitigate the supply chain delays, and continuing to transition to a greater web presence for sales of goods and services.

The old way of doing business has had to change.

What is an auditor’s responsibility?

With all this change in the business model, we thought we should revisit what is required from an auditor based on the PCAOB’s Auditing Standard (AS) 2415.

Firstly, it is not necessary that an auditor design audit procedures to specifically identify conditions or events that would indicate there is substantial doubt about a company’s ability to operate as a going concern for a reasonable period of time. These going concern indicators can come about from other procedures that the auditor performs as part of his/her regular auditing procedures, such as when performing analytical procedures, reviews of compliance with loans or loan covenants, legal counsel inquiries, and when reading various company minutes. The auditor should not ignore any information identified that calls into question a company’s ability to operate as a going concern. Such information is disconfirming information that needs to be evaluated, and most important of all, the evaluation must be documented in the workpapers. Often when we support our audit firm clients though in-flight reviews, we see red flags that make us step back and ask engagement teams how they addressed this information. These issues usually call into question the company’s ability to continue as a going concern and frankly these important discussion are not happening with management early enough.

As an auditor is working through his/her procedures, here are some other considerations that auditors should consider:

How are a company’s supply chain issues affecting its ability to service its customers and keep their customers happy before they decide to shop elsewhere? Are legacy large customers now looking to other avenues to find suppliers of product? Even in Great Britain, the long staple corner fish and chip shop, is not immune. The supply and costs of cod and fish oil has been devastating for thousands of shops .
Is the ‘great resignation’ labor shortage affecting the company’s ability to manufacture product, develop new product, perform quality controls on its current product? One just has to look at the current US baby formula shortage. The domestic supply of formula is controlled by a handful of manufacturers. COVID-19 had already created significant supply chain issues and when one of the largest manufacturers had to shut down one of its manufacturing facilities due to tainted goods, that caused significant upheaval and shortages in the baby formula industry.
How are rising interest rates affecting the company you’re auditing? How is that affecting the monthly cash flows for existing variable interest rate debt? Is interest expense eating into already slim margins and the company’s available cash flows?

If these types of questions are coming up on your audit, and you conclude based on your considerations that a substantial doubt about the ability of the company to continue as a going concern exists, the auditor should look to obtain information about management's plans and:

Consider whether these plans will mitigate these adverse effects for a reasonable period of time; and
That these plans can be effectively implemented.

The standard provides some examples of considerations that the auditor should make in order to reach a conclusion:

Plans to reduce or postpone expenditures – how feasible is management’s plans to be able to effectively reduce overhead or administrative expenses? Would management delay important machinery maintenance expenses if it affected the useful lives of currently used machinery? Can machinery sit idle for an extended period of time without damage?

Plans to increase ownership equity – how feasible is it that management can increase ownership equity through raising additional capital? Are there already pre-existing commitments to raise additional capital? Just because a company was successful in the past in raising capital, it does not automatically correlate that it would be successful in today’s climate.

Plans to borrow money or restructure its current debt – Consider whether the company currently has access to lines of credit or if not, that there is availability of debt financing. Similar to the point above, just because a company has been successful in the past in borrowing money or being able to restructure their debt, it doesn’t mean this will happen in this environment.

As we coach our audit clients in this area, oftentimes we see auditors evaluating management’s plans by merely having conversations with management, without obtaining appropriate evidence and challenging management on the feasibility of their plans. For example, a general discussion with management on reducing or postponing expenses is insufficient. Management should put pen to paper with specifics about forecasts for the next 12 months (i.e. including appropriate assumptions such as reducing general office headcount by x%, reducing marketing budget by $Y, etc.). The auditor should then demonstrate professional skepticism and examine any available evidence (and contrary evidence) to confirm the plausibility of management’s plans (e.g. is it really feasible that management will not do ANY equipment maintenance in the next 12 months). As part of an auditor’s evaluation, particular focus should be given to assumptions that are:

Very sensitive to change – Consider a trucking company where gas is a significant cost, which would be affected by swings in the gas rate.
Not consistent with historical trends – The difficulty here is that the COVID-19 has reset many historical trends such that is it reasonable to assume that a business will return to pre-COVID sales and operation levels – so is it appropriate to compare to historical trends?
Material to the prospective financial information.

Finally, if the auditor concludes after evaluating management’s plans that substantial doubt about the company’s going concern has been alleviated, the auditor still needs to assess the need for disclosure of the principal conditions and events that initially caused him/her to believe there was substantial doubt. We have also seen SEC comment letters recently where the company has disclosed conditions that raised substantial doubt about its ability to continue as a going concern and the SEC has asked whether the auditor assessed the company’s ability to continue as a going concern and how the auditor concluded that an explanatory paragraph in the audit opinion was not considered necessary.

Clearly, going concern is still top of mind at the SEC and the auditor should thus have good documentation of procedures it has performed to be able to conclude why an emphasis of matter paragraph in the opinion is not necessary.

Points to consider

Here are also a few additional points for auditors to consider as they evaluate going concern:

Evaluate early – If the audit has any inkling that going concern may be an issue for the client, make sure to start having those discussions with management early in the audit process. Don’t wait until the 11th hour.
Communicate to audit committee – Be mindful that AS 1301 requires that the auditor communicate to the audit committee its evaluation of a company’s ability to continue as a going concern.
Evaluate as a Critical Audit Matter (CAM) – Typically going concern determinations are going to meet the definition of CAMs because they are challenging, subjective, or complex and also that the going concern conclusions are required to be communicated to the audit committee.

In summary, always have going concern top of mind. Back in the midst of the COVID pandemic, it was pretty obvious that auditors needed to assess going concern. However, the COVID pandemic has now been replaced with new and different global considerations, and which auditors should not be ignoring as they deal with a company’s ability to continue as a going concern for a reasonable period of time

Johnson Global Accountancy to Sponsor Accountants’ Liability Conference

Tue, 26 Apr 2022 01:51:53 GMT

Washington, D.C.: Johnson Global Accountancy (“JGA”) is pleased to sponsor the American Law Institute Continuing Legal Education’s two-day event live in Washington, D.C. and virtually online on June 9th and 10th.

“The stress and strain placed on accountants and audit firms continues to increase,” stated Jackson Johnson, President of JGA . “As leading advisors to audit firms and their internal and external legal counsel, it’s important for JGA to be part of these important events to share our knowledge on current issues and emerging trends to help all stakeholders in this industry manage compliance and litigation risk.”

This CPE-eligible event will include discussions about:

The latest on active enforcement and regulatory environment for accountants
Current trends in civil litigation
Emerging areas such as cybersecurity and cannabis
Updates on global client issues
Recurring risk in areas of auditor independence, whistleblowers, and CAMs

Key JGA leadership will be in attendance. Key speakers of this event will include Gurbir Grewal, Director, Division of Enforcement at the U.S. Securities and Exchange Commission, and Paul J. Fishman, Arnold & Porter partner and former United States Attorney for the District of New Jersey.

Members of JGA’s leadership team will be in attendance at the in-person event and hosting a booth with resources including the guide Navigating PCAOB Inspections: Understanding the Inspection Process from Start to Finish which can be downloaded here .

About Johnson Global Accountancy

Attention Auditors… Are you Prepared for Questions from your Client’s Audit Committee?

Mon, 25 Apr 2022 15:00:36 GMT

As part of its mission to oversee the audits of public companies, the PCAOB has invited audit committee chairs of public companies to hold discussions with its inspectors. This initiative to connect directly to audit committees started several years ago and continues today. As the PCAOB released its latest Spotlight 2021 Conversations With Audit Committee Chairs , we thought it was important to share some of the interesting observations where we see opportunity for the firms to improve dialogue with audit committee chairs (“AC Chairs”):

49% of AC Chairs did not participate in a PCAOB interview

While there was not specific data shared in terms of the size of those audits, if they were inspected annually or triennially, or what the ratio between US based issuers and international issuers, it is clear this was a huge missed opportunity for Audit Committees, especially if these AC Chairs were from clients of smaller firms! There are very few forums for audit committees to influence the regulator’s focus with its inspections and development of auditing standards, so we strongly recommend that AC Chairs take advantage of these one-on-one interviews with the PCAOB inspectors.

Many Haven’t Read the Report

Approximately 30% of the AC Chairs interviewed admitted that they neither reviewed the firm’s PCAOB inspection report independently nor discussed these reports with their auditors. This is a sizeable percentage which does not reflect well on the audit committee professionals who are meant to be overseeing governance of management and evaluating the quality of its auditors.

Lack of Focus on Controls

Only about a dozen out of 244 AC Chairs who were interviewed said they spent significant time with their auditors discussing matters related to controls. It’s unclear why only a dozen AC Chairs indicated that they discussed controls seeing that there must be scores more AC Chairs over public companies for whom auditors are required to opine on internal controls. Hopefully this result does not mean AC Chairs are uninformed or disengaged about their auditor’s evaluation of the quality of the company’s financial reporting.

High-level Understanding of QC Only

We also noticed the PCAOB acknowledged that during its discussions with AC Chairs, when asked to share their thoughts on their audit firm’s Quality Control (QC) system, the main point raised was that audit firms were doing a satisfactory job with QC. In addition, several AC Chairs made this statement with the caveat that they could only provide high-level impressions regarding this specific topic. This whole question about the quality of an audit firm’s QC system is a concept which is hard for any line-partner to discuss with audit committees in specific detail as they are not in the details of their audit firms QC processes (i.e. the audit partners can perhaps speak to their understanding of the audit firm’s the process of ensuring auditors independence, but they would be unable to articulate how effective these controls are). However, over the next couple of years (once the PCAOB updates its own QC standards to align with the global changes to quality management standards ), audit committees will have access to audit firm evaluations of the QC systems.

Shared Concern on Cyber Security

AC Chairs also shared their concern about the risk of hacking of technology systems at both public companies and audit firms. One AC Chair emphasized that a ransomware or similar attack affecting the company’s data would have effect on the engagement team’s ability to perform procedures.

What are the opportunities for both Auditors and AC Chairs

Although AS 1301, Communications with Audit Committees , lays out required communications with Audit Committees, there are number of opportunities for auditors to improve the quality of its interactions with audit committees:

Use the Spotlight as a Conversation Starter

We recommend that auditors enhance their dialogue with AC Chairs using the Spotlight as a conversation starter. Most continue to use the same communications year after year, so in order to demonstrate your value to the audit process, consider building into your discussions the items described in the Spotlight. This will enable you to keep the audit committee abreast of recent financial reporting developments and prove your value to those that re-engage you as auditor each year. AC Chairs appreciate the auditor’s ability to focus and prioritize their communications, including bringing key issues to the forefront and holding “deep dives” or educational sessions on noteworthy or emerging topics. In order to ensure success of the AC meetings, auditors should have a thorough meeting agenda, conduct quarterly calls ahead of earnings releases, provide meeting materials in advance, and hold pre-meetings to preview the formal discussion.

Encourage the AC Chair to Speak with the PCAOB

The auditor should strongly encourage the AC Chair to agree to the interview and speak openly and honestly with the PCAOB during inspections, when the auditor is asked to coordinate a meeting with the AC Chair. This is a perfect opportunity for AC Chairs to articulate topics and ideas that are of importance to them as they fulfil their governance responsibilities.

Preparation is Key

Engagement partners should go into their AC discussions ready to talk about results of the PCAOB’s most recent inspection report as well as the results of inspections for which a final report has not yet been issued. These conversations should be frank and honest about how the engagement team ensured the same issue did not occur during their audit. Be prepared to discuss how the Firm is remediating deficiencies to enhance audit quality. Also, continue to ask AC Chairs their views, how they evaluate audit quality beyond just timeliness and fees.

Have a Cybersecurity Plan and Discuss it

Cybersecurity continues to grow in importance against which public companies need to contend. As a result, in March 2022, the SEC announced that it had proposed amendments to its rules to both enhance and standardize disclosures by public companies of their considerations around cybersecurity risk management, governance of cybersecurity, and reporting of cybersecurity incidents. Many public companies are already reporting some aspects of cybersecurity breaches, but the lack of SEC rules in this area does not ensure consistency and completeness of cybersecurity considerations across public companies. Accordingly, auditors should expect AC Chairs asking more robust questions around how effective the auditor believes management is in protecting the issuer against cybersecurity breaches and how the auditor has designed it's tests to identify risks related to cyber-attacks.

It is becoming even more important to discuss cybersecurity risks at audit clients and the severity of how any attacks may affect the operations and financial reporting process, including generating, processing, analyzing, and storing information needed to produce timely reports, external and internal. We definitely see an opportunity for auditors to start conversation with the AC Chairs about the nature and potential effect of cybersecurity on IT systems. The firms should inform the AC Chairs about how the firms respond to the risks of cyberattacks within their respective IT systems, including protection of confidential client information.

Other points which auditors should be ready to discuss with Audit Committees include:

Technology and AI Use in Audit Procedures

There are many ways that technology and software can be used as part of the audit – assisting auditors through the use of AI in analytical reviews; testing of individual transactions; identification of unusual / unexpected transactions that may be indicative of fraud and /or error, etc. Auditors should be explaining to audit committees how they are using technology and software in performance of their audit.

Confronting Resource Constraints

How the auditor is dealing with the resource constraints brought on by the pandemic and ‘great resignation’. Audit committees will want to be assured that the audit team members exhibit the appropriate industry and technical knowledge to be able to perform a good quality audit.

Communication on Delays

Keeping audit committees abreast of unexpected delays through early and often communications. The last thing an audit committee wants to experience is a delayed audit because of an issue that was known about for some time but was communicated to them late in the audit.

In conclusion, audit committees are an important cog in the goal of improving audit quality. Each of the items above present excellent ice breaking talking points for audit firms to enhance communications with audit committees. After all, most audit committees are receptive to comments raised by the auditors and will be ready to help the auditors in performing their procedures in order to be able to provide a quality audit.

Farkhod Ikramov, JGA Director, has over 25 years of public accounting and audit regulation experience. Most recently, Farkhod held a ten-year tenure as a PCAOB inspector. Throughout his experience there, he inspected a variety of industries, focusing the last four years on financial services, insurance and mining. His experience positions him as a passionate and practical advisor to public accounting firms, assisting leadership in the implementation of the right controls, policies and practices throughout the organization .

Geoff Dingle , JGA Managing Director, works with PCAOB-registered accounting firms helping them identify, develop, and implement opportunities to improve audit quality. With over 20 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Geoff has extensive experience in audits of ICFR and firms’ systems of quality controls. Prior to the PCAOB, he worked on audits in various industries at Deloitte in Atlanta and Durban (South Africa).

JGA Quoted: SPACs Trip Up on Accounting Requirements, Reporting Deadlines

Fri, 01 Apr 2022 19:47:25 GMT

Dane Dowell Quoted in Bloomberg Tax

Dane Dowell, JGA Director, was recently quoted in the Bloomberg Tax article SPACs Trip Up on Accounting Requirements, Reporting Deadlines focused on the recent trend of SPACs missing their filing deadlines.

Read the full article at: https://news.bloombergtax.com/financial-accounting/spacs-trip-up-on-accounting-requirements-reporting-deadlines

PCAOB Update: What you need to know about the confirmations spotlight

Mon, 28 Mar 2022 18:54:13 GMT

PCAOB Update: What you need to know about the confirmations spotlight

On March 21, 2022, the PCAOB released the Spotlight Observations and Reminders on the Use of a Service Provider in the Confirmation Process . The document is a follow up to comments made by George Botic, Director - Division of Registration and Inspections , who spoke at some length about the sufficiency of procedures related to confirmations at annual AICPA National Conference on Current SEC and PCAOB Developments.

While supporting our clients on inspections, we have noticed an increase in inspectors’ questions around the confirmation audit procedures, especially when firms use a confirmation service provider to facilitate their confirmation process. Issues included the failure to maintain control over the conformation requests and responses.

Are firms doing enough to maintain control over the confirmation process when outsourcing this process?

When utilizing third party service providers to perform conformation procedures, these audit procedures rely on the service provider's process and technology. The firm and engagement team should consider these key points:

Maintain Control – The PCAOB puts the responsibility on the firm to maintaining direct control of communications with the person being sent the request to reduce the possibility of biased response.
Coordination – There continues to be challenges with establishing procedures to maintain control of vendors and their technology tools used to support the procedures, processing, and people sending and receiving the confirmations.
Firm level Certification – The firm shall understand use cases. Identify risks and controls, including ITGCs. Ensure testing and results support effective controls.
Firm Policy and Procedure s – Establish procedures and policies that coordination the firm (national office centralized process) and the engagement team to supports a complete evaluation of key steps are completed.

While this recent spotlight highlights the observations of potential flaws and findings, our recent article, Software Audit Tools: Designing and Implementing the Control Environment , takes a deeper dive into industry best practices along with the JGA methodology for establishing software audit tool controls for the current firm and as it matures and grows.

Joe Lynch has over 25 years of experience in technology, audit, and audit quality compliance with a focus on technology. At JGA, Joe is the IT Audit Advisory Services Leader and works with internal auditors, public and private companies, and regional and national mid-market public accounting firms to implement and to integrate technology into financial processes and improve the audit integration of engagement teams performing integrated audits and service organization reports. He also provides critical input to IT-specific requirements related to new QC standards implementation.

The Timeless Truth About Timing: How Planning Impacts Quality

Thu, 10 Mar 2022 12:58:59 GMT

There are so many quotes and sayings about planning and timing.

Failing to plan is planning to fail. Timing is everything. An hour of planning can save hours of doing.

I know, it’s all so cliché, but is it not true? The classic and timeless Jane Austen once wrote: “It is a truth universally acknowledged, that a quality audit in possession of a good engagement team must be in want of a well-planned audit timeline.” Maybe I’m paraphrasing here, but if Jane Austen wrote it, indeed, it must be true.

In the past few years, working with JGA, I have performed numerous root cause analyses looking at both firm and engagement deficiencies. While most deficiencies are the result of multiple contributory root causes, there is one root cause that seems to be pervasive: timing . Countless times I have reviewed audit files where the partner and EQR sign-offs are just days before the opinion. Sometimes planning for a 12/31 audit isn’t prepared until January or February or planning is prepared in October but isn’t reviewed until the year-end audit is well underway. How can an engagement team successfully execute a quality audit if the planning and risk assessment hasn’t been finalized and/or reviewed until half-way through the year-end audit? If partner and EQR reviews occur the day before (or even sometimes the day of) the audit opinion, what ability does the audit team have to feasibly address comments or perform additional procedures based on those reviews?

We get it. Audits are fast-paced. And with so many regulatory reporting requirements, inevitably, no matter how hard we try, there is always a fire drill to complete the work. But that doesn’t excuse the lack of sufficient planning and timely execution of audit procedures.

On numerous pre-issuance reviews, often, I am surprised to find teams still auditing a Q1 acquisition almost a year later. Yes, the measurement period remains open for a year, but that doesn’t mean that it takes a year to perform audit procedures. Management has to report the acquisition in the proceeding 10-Q to the best of its ability. Therefore, engagement teams could be performing audit procedures over the acquisition accounting and fair value measurements right after the acquisition.

But let’s not focus solely on engagement teams. Firms continually approach us to assist with various aspects of quality management, whether performing monitoring procedures, such as post-issuance reviews, or assisting with PCAOB remediation, including drafting the response to the PCAOB as well as designing and implementing remedial actions. Often, firms are coming to us at the eleventh hour asking for help. While this is what we are here for, quality takes time. Anything done at the last minute inherently has a greater risk of errors and mistakes.

As an industry, we don’t give proper weight to planning and timing. So what exactly does it mean to plan effectively?

Better Project Management

Traditionally, there are two types of partners in the accounting industry: technical partners and relationship partners. Technical partners are specialists in audit and accounting. We call them in when we have specific questions about an embedded derivative in a complex debt-equity financing and they’re the ones who will quote the codification in their response. The relationship partners, however, manage client relationships and land new business. But what about the partners who execute strong, quality audits? In the audit profession, auditors are promoted to senior associate and eventually to manager. We expect them to take over audits and manage these “projects”. Project management is a specific skillset that is not specifically linked to audit skills. Perhaps firms could provide training for managers on project management to help facilitate this new role as manager.

Defining the Process

Within an audit specifically, I would break down the timeline into three distinct phases: planning, interim and year-end fieldwork. While planning and risk assessment is an iterative process, the bulk of planning can be done early (e.g. Q2 or Q3). Interim can be built into quarterly reviews for public clients or can be planned around hard closes, such as a 9/30 close, enabling some year-end audit work to be brought forward to October or November. Yes, certain accounts can only be tested at year-end, such as estimates for inventory reserves, but there is plenty of other work that can be done at interim such as revenue, inventory pricing, and PP&E testing. And then finally, there is year-end testing leading up to the audit opinion.

To plan for various phases, teams need to create detailed budgets that align with the timeline. I say this, fully realizing, budgets are a source of much contention. Managers feel pressure from firm leadership and the engagement partners to maintain and/or improve realization year over year while trying to make a realistic budget with appropriate staff and hours to execute the audit correctly.

Having worked with the PCAOB and focusing now on audit quality as opposed to profitability metrics, I challenge the idea that audits in subsequent years will always be more efficient. Certainly, a second-year audit will be more efficient than a first-year audit and over time, some advancements bring efficiencies such as new software or audit technologies. But what about the loss of knowledge and experience from turnover of staff? Or incremental time for new auditing standards such as CAMs, or for new firm practice aids rolled out as part of PCAOB remediation? Are firms adjusting for these areas in the budget?

The point is to be realistic. A budget typically starts with the prior year actuals. Let’s not pretend that those hours are entirely realistic. Firms preach that staff should never eat hours, but then get upset with managers when realization goals aren’t met. There are too many conflicts of interest here. So be realistic. If a firm expects an improvement in realization year over year, have an honest dialogue about where that realization is going to come from? Once the budget is finalized, then it is time to start allocating those hours between planning, interim and year-end.

So far, this all makes sense and many teams do have early planning and interim phases. But, when all the work is documented and prepared, who performs the review? Effective planning means doing real-time reviews as the work is being performed. This also allows for practical coaching of younger staff as they perform audit work and allows for course correction before it’s too late to change an audit approach.

Resource Management

Once budgets and timelines are laid out, the next challenge is to plan resources. Resource management is already embedded in the PCAOB QC standards. However, it will become an even more important component once firms adopt the new AICPA, PCOAB and IAASB standards on quality management.

Speaking purely of human resources, firms need to consider first and foremost, do we have enough staff? Resource shortages create a struggle of prioritization where firms play “catch-up” focusing on the most urgent clients (usually based on deadlines) and thus, planning and interim for other clients is delayed and the cycle perpetuates.

While I can’t claim causation, I can say there is a correlation between staff workloads and audit quality. The greater the workload (especially factoring in concurrent year-ends), typically the lower the audit quality.

In addition to figuring out if you have enough resources (staff), firms then need to think through resource allocation considering strengths, skillsets, etc. In other words, do we have the right resources with technical and/or industry knowledge? Do we have the right staff-level mix? And do we have a project manager to ensure the process is moving along efficiently?

The new quality management standards have an entire component designated to resource management and actually expands from just human resources to incorporate both technology and intellectual resources. Firms will be forced to implement policies to provide the right resources and to monitor the effectiveness of those policies. In other words, if engagement teams are overworked or don’t have the right technological or intellectual resources, firms will need to remediate this deficiency. This requires early planning.

Client Management

While I might advise firms as a consultant and preach “early timing,” I haven’t forgotten the complications of client management. Many delays can be traced, in part, back to client delays. Part of project management is working with the client on timelines that are reasonable. I encourage teams to have these discussions early (e.g. Q1 or Q2 of the fiscal year) so that both the client and the engagement team can plan accordingly.

Equally important is holding both parties accountable to agreed-upon timelines. Engagement teams must meet planning, interim and year-end deadlines. Clients need to be held to agreed deadlines. If the client is delayed by a week, then the logical response is that the opinion will need to be delayed a week as well. The client can’t just expect that the audit team will make up one week of time without some impact on quality. I realize it’s more complicated than this. However, it’s either a tough conversation with the client or risk a potentially poor-quality audit and a tough conversation with the PCAOB during an inspection.

Firm Leadership Management

Finally, these same concepts apply to firm management. One of the main components of quality management is tone at the top. If firm management doesn’t adequately plan for the design, implementation and execution of quality management practices, then how can it hold engagement teams to this same expectation?

Under the current QC standards, there are firm programs that require significant time and planning. Take for instance practice monitoring , which can be a huge time commitment. Despite that, I don’t know of many firms who create a budget or establish timelines to complete these reviews. Even if it’s not client-facing, firms need to understand the nature of the various projects, create budgets, layout timelines and then appropriately staff the programs.

Similarly, PCAOB remediation, depending on the number of QC criticisms, can be a huge undertaking. Many firms are not budgeting for the design and implementation of the remedial actions as well as the actual remediation submission to the PCAOB. Although firms have one year to respond, many wait until the last couple months to initiate remedial actions. Specific to this concern, the PCAOB is now asking firms to engage in a dialogue within 60 days of receiving the report. Early planning leads to effective and quality remediation.

Early planning trickles down into other aspects of quality management, such as releasing new guidance and templates early in the year so that engagement teams have the most updated methodology prior to commencing audit procedures. Similarly, firms that plan training well in advance allow for quality content to be created and can ensure staff reserve the time to participate live.

With the new quality management standards coming down the pipeline , I cannot emphasize enough the importance of planning early for this undertaking.

There’s nothing new here. The point is, in a time where resources are tight and we are attempting to do more with less, it’s critical firms and engagement teams plan early and accelerate timing to facilitate quality both at the audit engagement level as well as the firm quality management level. If that isn’t happening, consider hiring project managers or reach out earlier to consultants to assist. While the industry may preach best practices, we need to start holding ourselves accountable. After the new quality management standards are implemented, firms won’t have a choice, because once the root cause for deficiencies is linked to timing, they’ll have to implement new controls and policies to ensure adequate and early planning.

To keep with my theme of timeless literature, the Ancient Greek poet, Hesiod, once said (and this time, I’m not paraphrasing), "Observe due measure, for right timing is in all things the most important factor."

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

JGA Expands Services with the Addition of Three New Team Members

Mon, 21 Feb 2022 16:40:33 GMT

The company welcomed Farkhod Ikramov, CPA, Adina Kerfoot, CFE, and Christy Howard to the JGA team.

“Our growth is indicative of the great need for quality management services throughout the public accounting industry,” stated Jackson Johnson, JGA President. "Farkhod, Adina and Christy joined JGA to support these increasing needs.”

Farkhod Ikramov, CPA , JGA Director, offers over 10 years’ experience in audit inspections of public companies at the Public Company Accounting Oversight Board. Farkhod also has 15 years of audit experience in public accounting with each of the Big Four firms in the US and globally and has a Master of Science in Economics. Most recently, Farkhod’s career has focused on inspections of systems of quality management and audits of issuers in the financial services and mining industries. With 25 years of public accounting experience, Farkhod is passionate about his work and will be a great asset to JGA. Since joining Johnson Global, Farkhod stated, “My ambition has always been to be recognized for performing high quality work and for sharing my skills and experience with a team of highly motivated people.” Farkhod is based in Atlanta, Georgia and in his spare time loves to travel the world and explore new countries for the cultural enrichment these experiences offer.

Adina Kerfoot, CFE , joined JGA in December as a Senior Consultant. She has over 20 years of audit, internal controls, and controllership experience. She has implemented various frameworks, standards, practices, and policies for firms and companies. Adina has a Master of Science in Accountancy and is pursuing a Doctorate in Business Administration in Accounting. “I am eager to build on JGA’s global reputation as a leader in audit quality,” said Adina. “I am excited to join an enthusiastic team of industry experts.” Adina resides in Jackson, Tennessee and plays an active role in her children’s school activities and the surrounding community. Adina enjoys gardening, reading, traveling, and exploring the outdoors.

JGA also welcomed Christy Howard to the team as the Marketing Associate. “As education and content development are a critical part of how we are helping our clients, JGA is deepening our skills and expertise in marketing to increase our ability to produce world class thought leadership,” stated Sara Trifiro, JGA Director of Marketing.

“I look forward to immersing my marketing passion and skills into the world of audit quality. JGA’s team and global reputation for excellence is one I am proud to be part of,” shared Christy. Christy brings a deep background of team management and customer relationship management and systems experience to JGA. Christy obtained her Master of Science in Organizational Leadership from the University of Michigan. Christy’s hobbies include researching health and nutrition which she applies daily to cooking experiments in addition to swimming, camping and travelling with her husband. Christy is based in Ann Arbor, Michigan.

Learn more about the JGA team here .

About Johnson Global Accountancy

Johnson Global is dedicated to helping Public Accounting Firms around the globe achieve the highest level of audit quality. Consisting of former PCAOB inspection staff, experienced audit professionals, fraud and IT experts. Dedicated to helping public accounting firms achieve the highest level of audit quality, we work alongside firm leadership to develop and implement practical controls, policies and practices throughout the organization. Johnson Global professionals are passionate and practical about working alongside firm leadership to ensure right controls, policies, and practices are implemented throughout the organization.

ISQM 1 and SQMS 1: Influencing the Firm on the Benefits Beyond Compliance (Part I)

Thu, 17 Feb 2022 20:44:44 GMT

Compliance is definitely the main driver of the new System of Quality Management (SQM) standards issued by the IAASB or the drafted standards from AICPA and the PCAOB. There is no disputing that. However, for the early adopters, what we are finding is that there are immense amounts of business value that come out of this process; more if you actually start the process with business value in mind. Given that firms are all in various stages preparing for the go-live date of controls operating on December 15, 2022, we thought it would be helpful to lay out the strategic value drivers from this compliance exercise.

Related: See a breakdown of the various implementation dates here .

SQM implementation requires firms to take a closer look at their internal process; every process that touches the value chain of getting an audit done.

To demonstrate the reach of this requirement, consider these examples:

Employee onboarding, training, and retention;
Software audit tools and technology used to monitor internal aspects like independence, or tools used by engagement teams to test 100 percent of smart contracts or select journal entries to examine for fraud;
Archiving of binders on time, and in compliance with audit documentation requirements; or
Monitoring programs that identify and fix deficiencies in both audit performance and the underlying functions supporting audit performance.

One thing is certain as we embark on this journey with our clients leading the SQM charge – the project is a significant investment in time and resources. Since procuring buy-in from the entire firm is important to a successful implementation, how do we get firm leadership and everyone that is part of the SQM onboard? It’s important for everyone to commit to the goals and understand the benefits of digging deep into component processes. Getting all these individual priorities aligned can be the toughest task to initiate on the right foot.

We have heard the experiences of SQM project implementation leaders struggling to get the buy-in needed from all the various stakeholders. And we have heard leadership at firms across the world ask:

“What’s in it for us?”

“All this investment just for a compliance exercise?”

“Why do I need to be involved in something the audit group has to do?”

And the best question we’ve heard:

“How can the system of quality management implementation improve our business?”

Goals are aligned throughout the organization .

Getting the buy-in from the partnership board down to process owners. Goals that are specific and measurable (e.g. documenting the current process and eventually operating controls consistently and on time). The firm’s tone-at-the-top helps get everyone on the same page. Management’s role is to get the rest of the firm to understand why this is important. For example:

Lay out the long-term benefits of improved business performance, reduced risks, more timely and accurate data in the firm to make sound decisions;
Emphasize the long-term benefits of overall reduced costs over non-compliance with network, firm, peer review, and regulators; and
Determine the potential for lower costs to insurance upon implementation and over time.

In addition, when firms can use key metrics to identify issues within the SQM and know how to solve them, this can lead to employee retention, a consistent or even reduced workload, and less burnout. Articulating and demonstrating the direct positive effect on a firm’s people takes time to nurture, especially for people working in processes of the firm that are not exclusively tied to the assurance practice (Consulting, IT, HR).

Current processes are understood, sometimes for the first time.

Conducting interviews, gathering data, and documenting the process allows everyone to see how it currently works (or doesn’t work). When project leaders invite everyone involved in a process together in one room, open discussions start to strengthen cross-functional teams for a clear picture of how each process really works. For instance, these meetings often result in the realization that two (or more) people are doing the same tasks (inefficiency) or discovering that no one is performing an important review check (gap).

Controls and Processes are formalized, streamlined, and optimized.

Once the current process is understood (“As-Is”) and with the right people in the room, identification of areas where procedures can be more uniform or simplified happens quickly. We often find that processes can be improved without adding more controls. This control optimization effort incorporates standardization and normalization across the firm to benefit processes well beyond the audit practice. Conducting workshops and flowcharting the process allows us to see what risks are addressed and where the control gaps are identified with a plan to close them.

A sound control environment will bring new business insights and metrics to make confident decisions with reliable data.

The control optimization process will identify all the information used in the control environment (very similar concepts to the work auditors perform with their clients as described here ). This information can be used in new ways to help process owners and firm leadership make decisions. Firms can develop key quality metrics that can be used to measure and improve audit quality (i.e., metrics related to workloads, the number of audit staff to partners, realization of audits, chargeable hours managed by partner, average hours of training per audit professional, etc.). When a system is used to monitor the SQM environment, these insights will allow for interim monitoring, enabling firms to quickly make decisions that address anomalies or negative trends as they arise.

Getting started early begins with:

Firm leadership understanding how a consistent and well-monitored SQM can improve the business;
All firm personnel understanding how their roles contribute to the SQM;
Aligning objectives and goals for all firm personnel based on their role within the SQM; and
Persuading all firm personnel to see how a commitment to their objectives and goals contributes to the benefits the firm can realize from having an effective SQM.

While compliance may be the hand forcing you forward, the upside to this “exercise” is that undoubtedly you will be a stronger, more efficient firm when executed correctly. Firms that begin with such a mindset seem to be more successful throughout the process.

Jackson Johnson , CPA is president of Johnson Global Accountancy, a public accounting and consulting firm with clients throughout the world. He works directly with PCAOB-registered accounting firms and other firms to help them identify, develop, and implement opportunities to improve audit quality.. He also works with public and private companies on various technical accounting and transactional matters. His experience includes nearly six years with the PCAOB, where he worked with small and medium-sized accounting firms throughout the world, including foreign affiliates of large international accounting firms, in the areas of firm quality control and ICFR audits of financial statements. Prior to the PCAOB, Johnson worked with public and private clients in a variety of industries at Grant Thornton LLP in Boston, Los Angeles, and Hong Kong.

Crypto Fraud Risks: What role do auditors play?

Thu, 17 Feb 2022 17:54:02 GMT

Due to the magnitude of corporate failures and effectiveness of fraudsters, fraud receives heightened attention from regulators and researchers. With each scandal and technological advancement, the expectation of the external auditor’s responsibility to detect fraud morphs, and performance of audits involving these assets will require a stronger skillset for auditors to uphold the expectation of the public to report fraud risks. Digital assets (aka “crypto,” or “cryptoassets”) are increasingly becoming more mainstream and present a challenge to all aspects of an audit engagement.

While the responsibility for the detection and prevention of fraud remains firmly with those charged with governance, auditors are expected to be well-versed on fraud risks linked to each technological advancement. A recurring theme in audit inspection findings are concerns that auditors are properly responding to the risks related to the audit. The root cause for failures we often see in audits with inspection comments is due care and professional skepticism. Here, we explore how the increasing assimilation of crypto in business transactions challenges auditors to equip themselves by knowing applicable fraud risk factors, remaining abreast of advancing technologies, and reassessing engagement acceptance, while continuing to maintain professional skepticism.

Identify Fraud Risk Factors

Prior to engaging a digital asset model or incorporation of cryptoassets, companies should have identified controls that commit the appropriate resources to implement and monitor the assets. For example, consider the risk of material misstatement due to fraud through management override of controls over a digital wallet or private keys, which may result in misappropriation. PCAOB AS 2110 , Identifying and Assessing Risks of Material Misstatement , guides the auditor to perform procedures to obtain an understanding of the company’s financial relationships, transactions with executive officers, and aid in identifying risks of material misstatement (see paragraph .10A). Additionally, the involvement of related party transactions may be difficult to ascertain due to the inherently convoluted nature of cryptoassets. How will your expertise of separation of duties, access controls, and physical controls over access be reflected in your clients’ audit risk assessment when evaluating digital wallet(s). Specifically, AS 2301 , The Auditor’s Responses to the Risks of Material Misstatement , directs the auditor to determine the warranted changes to the nature, timing, or extent of audit procedures to adequately address the assessed risks of material misstatement (see paragraph .06).

In a centralized exchange, users exchange fiat currency for crypto and digital assets as well as exchange one digital asset for another. To do this, an audit client may trust the custody of crypto to an exchange like Binance or Coinbase. Exchanges are “on-ramps” as they allow currency to be added to the account using a credit card or bank transfer and then converted into digital assets. Exchanges may perform other services for crypto users like processing trades, deposits and withdrawals, custody of assets, and Know Your Customer and Anti Money Laundering controls. This introduces custody risk as the exchange stores private keys. If anyone else has access to the private keys, the asset holder is not in full control of the value in the account.

Arguably, blockchain technology may cut the need for a financial statement audit altogether as it captures an immutable blockchain, rendering the financial statement audit invalid. As blockchain technology evolves, we understand that risks of unauthorized, fraudulent, undisclosed related party, or incorrect classification in the financial statements is possible.

One way to mitigate the risk is to exercise a healthy dose of professional skepticism in the engagement and evaluate management’s tone. Be thorough in your understanding of why and when a client is engaging in crypto and when they are not. Crypto and non-crypto transactions can be layered for adding confusion to transactions and working around controls. In instances of layered transactions, you will make determinations based on your understanding of management’s intention, ensuring transactions are fully supported, and proving crypto as an exchange medium. Be rigorous with evaluating and documenting crypto risk factors in audit evidence , internal controls , independence , and cybersecurity , all of which are addressed in greater detail by my colleagues.

Continuing Education

Many sectors experience growth and recession with varied speed, challenging auditors to remain sharp in their financial accounting abilities. The digital asset environment sector has exploded signaling a warning for auditors to learn this novel division. Auditor competencies in the face of regulatory, technological, industry, and financial reporting developments weave into every aspect of an audit involving crypto. Crypto itself is not a fad or a fraud, it is transformative technology that can only find fullest potential if cradled by accountability and ingenuity.

The performance of audits involving crypto requires contemporary skills and knowledge through its continuous advancements. Auditors have the professional duty to only undertake those engagements to remain competent. I would argue that ensuring the entire engagement team is skilled and knowledgeable in crypto behavior to be able to recognize an unreported related party transaction takes more than a one-hour lunch-and-learn course. As blockchain evolves, and data on blockchain like NFTs advance, I look forward to innovative training of auditors through this pioneering age. To properly audit title transactions, cold wallets, and evaluate risks of material misstatement of an entity, auditors will continue to be well-informed and a step ahead.

Engagement Acceptance or Continuance

System of quality management ( ISQM 1 ) and the comparable standard proposed by the AICPA ( SQMS 1 ) requires a firm to establish quality objectives addressing the audit acceptance and continuance criteria. Specifically, the standards highlight a firm’s ability to perform the engagement in accordance with professional standards and applicable legal and regulatory requirements. With the design of privacy coins, the art of cryptography, and the brilliance of blockchain technology, how does this novel technology fit into audit acceptance? Technological advancement should not be a reason to pause for many firms, however, depending on the complexity of activities, engagement team preparation, and entity, you may need to consider how crypto fits. A firm’s system of quality management is a stamp of professionalism.

Recently, an article about “The Rise of Crypto Mayors” captured attention. The article boasts of a mayor elected on a platform to improve the infrastructure of a small town in Tennessee. It did not take long for this small-town mayor to engage in crypto with the town’s funds and begin advocating for Bitcoin paycheck options. Viewing it as an opportunity to bridge a wealth gap for the town, the mayor has also chosen a wing of city hall for digital mining efforts, once approved by the state. Firms have a great responsibility to uphold public trust and audit within the framework of competence. The incorporation of crypto activity itself is not a stand-alone purpose to deem it a fraud risk. However, knowing the relevant controls and necessary oversight are of the utmost importance and may require the engagement of a specialist. Regardless of how the entity is a steward of funding and their framework, reporting crypto activities requires an auditor to understand the fraud risks associated with the entity and properly disclose them.

We have seen public accounting firms getting in on the trend making their own investments in digital assets. Firms are taking very prudent approaches to be calculated and experienced. The key take away is, when you engage, engage knowledgably and sensibly, which is the lesson for crypto and all audit engagements alike. If partaking in the activities provides for better learning, then this may enlighten firms to additional crypto fraud risks when engaging firsthand.

Maintain Professional Skepticism

ISQM 1 and SQMS 1 charge firms to achieve the objectives of professional standards and comply with the requirements of applicable laws or regulation by exercising professional judgment and applying professional skepticism. Firms will be developing intellectual resources, including creating alerts for engagement teams on circumstances that are giving rise to the need for professional skepticism and supplying guidance for engagement teams in these circumstances. This type of alert, for example, will include placing an undue reliance on an IT application in the engagement.

The AICPA officially accepts the definition of professional skepticism as an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error , and a critical assessment of audit evidence ( AU-C 200 ).

PCAOB: AS 1015.07 and .08 states: Due professional care requires the auditor to exercise professional skepticism. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. The auditor uses the knowledge, skill, and ability called for by the profession of public accounting to diligently perform, in good faith and with integrity, the gathering and objective evaluation of evidence . Gathering and objectively evaluating audit evidence requires the auditor to consider the competency and sufficiency of the evidence. Since evidence is gathered and evaluated throughout the audit, professional skepticism should be exercised throughout the audit process.

When performing an audit involving any variant of crypto transactions, be aware that features, functions, characteristics, operation, use and other properties of digital assets may be complex, technical, or difficult to understand and evaluate. Crypto may be vulnerable to attacks on the security, integrity or operation, including attacks using computing power sufficient to overwhelm the normal operation of the digital asset’s blockchain or other underlying technology. Some digital asset transactions will be recorded on a public ledger at a particular time, however, this may not be the same as the initial transaction date and time. Transactions in digital asset investments may be irreversible, and, accordingly, losses due to fraudulent or accidental transactions may not be recoverable. In 2021, 38% of organizations increased their budget for anti-fraud technology ( Association of Certified Fraud Examiners ) . Exercising professional skepticism in the coming decade of transformative digital assets will be a true differentiator in audit effectiveness.

Concluding Token

The pace of crypto and blockchain innovation is unrelenting. In the coming quarters, how will client acceptance and continuance documentation, engagement team meetings, and risk assessments reflect an evaluation of crypto? Should any advancements or enhanced risks cause an engagement team to reconsider their engagement acceptance or continuance? How has the engagement team prepared for the extraordinary advancements on the horizon in the decade of 2020?

Crypto is novel to your clients as well. Will you expect a strong policy on how, when, and why they use digital currency versus another currency? How will you determine if the misstatement to the financial statements due to crypto was intentional or not? As companies may rely on financing or abide by debt covenants, is there a temptation to smooth ratios or cash flows by controlling transactions through multiple avenues? Companies understand the pressure to perform and the markets expect the engagement team to effectively design and perform procedures to identify and test risk factors as crypto advances. Providing confidence to the public is your strength and exercising professional skepticism is the tried-and-true principle to lean on. While your clients increasingly engage in crypto, maintain your vigilance in knowing and reporting fraud risks.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

2021 Busy Season Reminders for Auditors - Free Webinar

Thu, 03 Feb 2022 19:43:01 GMT

Register today for the "simulated live" recording of our Busy Season Reminders for Auditors co-sponsored with Johnson Global Accountancy. This webinar is a MUST for auditors going into busy season this year. It’s a “greatest hits” list of our A&A Update that we facilitate for accounting firms around the world.

In this webinar we cover:

Impairment reminders
Auditing accounting estimates and the use of specialists
Highlights of ASUs effective for private entities in 2021
Risk assessment and its impact on your audit procedures
Preparing for ASC 842 Leases
Audit integration (between IT and financial auditors) to improve audit quality

Although we can't issue CPE credits for the recording, you can still get all the great content anywhere and anytime!

Software Audit Tools: Designing and Implementing the Control Environment

Fri, 21 Jan 2022 20:25:30 GMT

When audit engagement teams use applications to perform an audit, these applications are referred to as software audit tools by regulators and professionals. Software audit tools include a wide range of applications that perform many different individual functions throughout the audit process. In fact, during the recent AICPA SEC/PCAOB update conference , George Botic, Director of the Division of Registration and Inspections for the PCAOB, discussed a common tool auditors have been using for years: www.confirmation.com . Mr. Botic went on to note recent issues that have been identified as part of the PCAOB inspection program that engagement teams were not appropriately following the standards regarding confirmations when using tools like conformation.com. During the PCAOBs presentation in the conference room chat, many participants submitted or promoted questions around this issue. One of the more popular questions that went unanswered was “what procedures should we be performing when we use Confirmation.com?”

After the conference, JGA fielded many questions from our clients and friends on engagement teams and in firm national office roles. Teams wondered why this is now an issue as they have used Confirmation.com for years and on engagements that had previously gone through PCOAB inspection without an issue in this area. While the standards have not changed in many years, the PCAOB noted in their presentation that the confirmation standard was still relevant. We submit that “relevant” is based on your perspective. For example, when was the last time you sent a facsimile? Audit staff may not know what standard related to facsimiles of audit confirmations and how those aspects of the standards remain relevant today.

Regardless of the unanswered questions, age of the current standards, or your opinion on the issues written by a PCAOB inspection team; audit firms, engagement partners, and engagement team members should follow the current audit standards when using applications in the audit process. At JGA, we work with firms to develop and implement policies and procedures and other elements of the software audit tool control environment that support engagement team’s use of software audit tools throughout the audit process.

What Are Software Audit Tools?

Software audit tools are applications, utilities, or code (e.g., macros, queries, stored procedures, report logic) that process, analyze, calculate, or manipulate data to support an engagement team’s audit procedures. Software audit tools can be used throughout the audit in:

Audit documentation
Planning and risk assessments
Testing the design effectiveness of controls
Testing the operating effectiveness of controls
Substantive testing populations, sampling, and testing
Journal entry populations, sampling, and testing
Substantive analytical procedures
Audit scheduling and time tracking

Certain applications like Excel or Access are not software audit tools on their own but may be used to develop a software audit tool using formulas, macros, code, queries, or other features that process, analyze, calculate, or manipulate data to support an engagement team’s audit procedures.

Common Software Audit Tools

Software audit tools can be used in all areas of the audit and within the audit practice. While most auditors are familiar with audit documentation tools and tools that sort and filter populations of data for testing, more advanced tools are continually being introduced that are used by audit firms to further accelerate audit transformation.

Risks Associated with Software Audit Tools

Now that we have explained software audit tools and how they can be used in the audit process, let’s discuss why software audit tools present risks within the audit process. The following risks are often present when considering the use of software audit tools:

Completeness and accuracy of data input into the software
Accuracy of calculations or data manipulation within the software
Completeness and accuracy of the data output from the software
Managing changes to the tool during development
Managing changes made to the tool after in production
Restricting access to the tool to authorized users
IT general control weaknesses that impact operating effectiveness

As you work through understanding how engagement teams are using software in the audit process, unique risks specific to each software will be identified. Reviewing audit files and the related testing is a fantastic way to understand the wide range of use of software to identify all the risks across the practice. The controls that address these risks, which are discussed in the next section, most often include engagement team procedures as well as centralized procedures performed by the national office (or other centralized group).

Software Audit Tool Control Environment

Given the risks that software audit tools present within the audit process, audit firms should begin to implement controls specific to these risks. The methodology that JGA recommends is to start with engagement-specific controls and add more complex controls as the software audit tools environment within the firm matures. The following six steps cover the key components of the software audit tool control environment:

Step 1: Software Inventory

First, identify all the tools currently being used throughout the firm through discussions with the national office, regional leaders, specialists, engagement partners, and others who may be using tools in the audit process. For each tool, collect all the relevant information about the software and how it is used in the audit process.

Step 2: Engagement Team Process

Next, the first controls to put into place should be developing and implementing policies and procedures for engagement teams using software audit tools. Before national office or other firm-wide processes and procedures are in place, engagement teams should understand their responsibility for ensuring the risk associated with software audit tools are addressed by the engagement team.

Step 3: National Office Process

The audit firm’s National Office (or centralized group) should develop and implement policies and procedures for the certification of certain tools that can be used by engagement teams and other resources used in the audit process. The certification process includes the identification of the risks and controls associated with each software tool and a centralized testing approach for assessing the design and operating effectiveness of each control.

Step 4: Certification Process

Once the policies and procedures are in place, the selected tools should go through the certification process. Then, the controls should be tested. Any control weaknesses should be evaluated to determine if the software audit tool should be certified for use by engagement teams or others involved in the audit process. When a software audit tool is certified, engagement teams should be able to rely on the controls tested by the National Office without testing those controls for each engagement. Note that engagement teams are still responsible for certain controls such as the completeness and accuracy of the information input into the software audit tool and the parameters or other settings used within the software audit tool by the engagement team.

Step 5: Monitoring Process

Once the tools are certified, the audit firm should develop risk-based monitoring procedures to ensure the ongoing effectiveness of the controls supporting each software audit tool. Monitoring may include certain periodic tests, change controls, periodic recertification, and the certification of new software versions or new software audit tools implemented by the firm.

Step 6: Future Tool Planning

Future software audit tool planning is an important activity at anytime during the process. Once the software audit tool is in place the audit firm can develop a roadmap for the development and implementation of future software audit tools. Future audit tool planning includes an evaluation of the capabilities the firm wants to develop within its audit practice, and ensure it has the people, process, and technology resources in place to achieve those capabilities. As the capability gaps are identified, the audit firm can create a roadmap and process to ensure tools are developed, acquired, tested, and certified prior to implementing them throughout the firm.

Software Audit Tool Maturity Model

When developing the software audit tool roadmap, audit firms should assess where they are within the software audit tool maturity model and determine the capabilities the firm needs to add over the next five to seven years. The use of software audit tools is important to improve the quality and efficiency within the audit process, but the effective use of software audit tools is also a competitive advantage for firms within the audit and assurance industry.

As an audit firm progresses in the software audit tool maturity model, the more the audit firm will need to develop supporting people, process, and technology resources to support these new capabilities. A common struggle audit firms encounter is the quality and availability of quality data. More advanced software audit tools require more investment in supporting infrastructure, data management, and technology resources to ensure quality data is readily available.

Getting Started

Addressing all the considerations regarding software audit tools may seem overwhelming, but the full implementation of the software audit tool control environment can be implemented over time. JGA recommends the following four-step process for getting started:

Once these initial steps are completed, the audit firm can formalize its monitoring program and recertification process as it continues to develop new software audit tool capabilities.

Conclusion

Given the recent PCAOB’s comments and our work with firms on designing their systems of quality management under ISQM 1 or SQMS 1, software audit tools continue to be a hot topic with regulators and standard setters. This is no surprise as audit firms continue to add software audit tool capabilities to their audit processes. The effort required to implement a mature software audit tool takes considerable time and resources. Get started by taking inventory of the software your engagement teams are using and how they are used to support the audit process.

Joe Lynch has over 25 years of experience in technology, audit, and audit quality compliance with a focus on technology. At JGA, Joe is the IT Audit Advisory Services Leader and works with internal auditors, public and private companies, and regional and national mid-market public accounting firms to implement and to integrate technology into financial processes and improve the audit integration of engagement teams performing integrated audits and service organization reports. He also provides critical input to IT-specific requirements related to new QC standards implementation.

Call a Spade a Spade: Is there a distinction between PCAOB and AICPA audits?

Fri, 21 Jan 2022 20:21:02 GMT

Firms have a habit of dividing audits between PCAOB/SEC audits and AICPA / private company audits. This permeates methodology, training, staffing, career paths, and honestly, all facets of a firm’s system of quality management.

I fully acknowledge that there are distinct differences in requirements for a PCAOB audit versus an AICPA audit, especially if the PCAOB audit is integrated under SEC 404 requirements. But let’s also have an honest dialogue and acknowledge that the core audit principles (I’m talking planning and risk assessment, understanding the entity and its controls, and the design of the overall responses to the risks of material misstatement) are VERY similar.

While 404 may require the testing of internal controls, regardless of the audit opinion or auditing standard, ALL auditors have to understand the company’s processes and controls and evaluate the design and implementation of those controls. The only difference between an integrated and a non-integrated audit is the testing over operating effectiveness of controls. This is true for both PCAOB and AICPA audits. In fact, let’s take a look at the guidance:

PCAOB: AS 2210.18 and .20 states: The auditor should obtain a sufficient understanding of each component of internal control over financial reporting ("understanding of internal control") to (a) identify the types of potential misstatements, (b) assess the factors that affect the risks of material misstatement, and (c) design further audit procedures…Obtaining an understanding of internal control includes evaluating the design of controls that are relevant to the audit and determining whether the controls have been implemented .

AICPA: AU-C Section 315.13 and .14 states: The auditor should obtain an understanding of internal control relevant to the audit…When obtaining an understanding of controls that are relevant to the audit, the auditor should evaluate the design of those controls and determine whether they have been implemented by performing procedures in addition to inquiry of the entity's personnel.

Both PCAOB and AICPA require the same planning procedures. The extent of those procedures will depend on risk and complexity of a client, but the procedures are the same: understand design of controls and determine whether they have been implemented. In fact, the guidance for AICPA indicates that evaluation of design and implementation is more than just inquiry. The PCAOB also states that in controls, inquiry alone is never sufficient.

If we take a step back, the reason both standards require this understanding of controls is because once an engagement team understands the controls, they can then identify the risks and potential misstatements and from that understanding, appropriately design an audit approach, whether integrated or not.

Time and again, when helping firms with audit quality, I’ll hear firms say something along the lines of “well, that’s a private company audit, so it’s different.” Is it really though?

The most unique aspects of a PCAOB audit stem from certain specific SEC and PCAOB independence requirements, specific audit committee communication requirements, and a few other auditor reporting considerations, such as critical audit matters. However, the majority of the audit standards are very similar. This shouldn’t be a surprise since the PCAOB initially took the AICPA auditing standards and adopted them as interim standards until the PCAOB could issue official guidance. While there is some wordsmithing here and there, the core principles remain largely unchanged. Perhaps the most significant difference in the two audit standards is the requirement of the PCAOB to perform a test of detail to address a significant risk and/or fraud risk, regardless of controls reliance, while the AICPA only requires a test of detail if there is no controls reliance.

There really isn’t much of a distinction otherwise. So why do firms treat AICPA and PCAOB audits so differently? Well, in my opinion, it’s because the PCAOB performs inspections and holds firms strictly to the standard. There is no regulator for the AICPA; rather, enforcement of AICPA standards is accomplished through peer review. Is that really sufficient? Isn’t peer review and the lack of an enforcement agency what ultimately gave rise to the PCAOB in the first place?

Essentially, firms are dividing audits between PCAOB and AICPA standards because the regulator of PCAOB auditing standards holds firms to a higher bar. Standards are largely the same and yet, we treat them as night and day. Is that really the right approach? When I challenge firms on auditing, generally most will acknowledge that audit is audit is audit, regardless of the standards. But when it comes to how we actually execute audits, firms inherently accept that there is a different standard. If we accept that there are minor differences between a PCAOB and AICPA audit, let’s see how that might change or impact aspects of a firm’s system of quality management.

Training

Currently, most firms break up their staff into public company and private company auditors and provide different training and career paths for the two populations. Does that really make sense? Perhaps audit training should be the same for all staff. The principles, after all, are largely the same. For those who work on a PCAOB audit, perhaps those staff should also attend a supplemental training where the “bridge” from an AICPA to a PCAOB audit is explained. But that might only be an additional hour or two of training. There just aren’t that many differences otherwise, to merit two distinct training paths.

In particular, I find this to be overwhelming present within the space of ICFR. Again, both PCAOB and AICPA have the same minimum requirements for understanding the design and implementation of controls and yet, most AICPA auditors never receive in-depth ICFR training. Historically, given most private company audits are non-integrated, perhaps that was okay. But with the ever-increasingly pervasive nature of technology within clients, all auditors need to have a strong understanding of internal controls. This helps to identify risks and plan an appropriate audit response.

Increasingly, I am seeing engagement teams struggle with adopting “hybrid” approaches to testing data and information coming from systems, but ultimately asserting to a “non-controls reliance” approach. In other words, teams don’t think they’re relying on controls, but they are relying on system generated reports which are inherently relying on controls over a system in order to ensure reliability. When I have conversations with these teams, they are quickly lost. Some assert to the fact that they evaluated the design of ITGCs and believed that they could rely on the system without testing the operating effectiveness. Some assert to the testing completeness and accuracy of information by tying a report back to the system. Well, that’s fine, except you haven’t tested controls over inputs into the system and you have tested controls around the system. These hybrid approaches are popping up more and more and teams don’t have the rhetoric or knowledge to understand internal controls, in particular around systems and information. If teams understood these concepts (because they were invited to ICFR trainings), they might be able to better plan a more appropriate audit approach, taking into account the decision to test or not test controls. It starts first with understanding; knowledge is power.

Methodology

Methodology is another area firms distinguish between PCAOB and AICPA audits. Again, I fully acknowledge that there are differences between the two standards and so an audit binder should have supplemental workpapers for a PCAOB audit that “bridge” the gap, such as requirements around independence and audit committee communications, etc. But again, the main audit principles are the same.

I think it’s appropriate to have two different “workpaper setups” for public and private company audits that ensure engagement teams will meet the minimum requirements. What I find is perhaps less acceptable is to have different methodologies when the standards are largely the same.

Let’s consider sampling for a moment. I’ve worked with multiple firms that have different sampling methodologies for public and private company audits. In the public company space, the PCAOB often challenges the use of a judgmental sample if the remaining untested balance is material. As a result, firms have moved away from judgmental samples in PCAOB audits and instead pushed teams to either apply targeted sampling (i.e. targeting items until the untested balance is below materiality) or statistical sampling. However, I’ve heard comments that in the private company space, the firm still often uses judgmental samples, and these are considered acceptable.

Let’s take a look at the sampling guidance for an AICPA audit. AU-C Section 530.06-.08 indicates:

When designing an audit sample, the auditor should consider the purpose of the audit procedure and the characteristics of the population from which the sample will be drawn. (Ref: par. .A7–.A11) The auditor should determine a sample size sufficient to reduce sampling risk to an acceptably low level. (Ref: par. .A12–.A14) The auditor should select items for the sample in such a way that the auditor can reasonably expect the sample to be representative of the relevant population and likely to provide the auditor with a reasonable basis for conclusions about the population. (Ref: par. .A15–.A17)

When taking a deeper look into the referenced guidance (i.e. A14), the AICPA guidance specifically states:

The decision whether to use a statistical or nonstatistical sampling approach is a matter for the auditor's professional judgment; however, sample size is not a valid criterion to use in deciding between statistical and nonstatistical approaches …An auditor who applies nonstatistical sampling exercises professional judgment to relate the same factors used in statistical sampling in determining the appropriate sample size. Ordinarily, this would result in a sample size comparable with the sample size resulting from an efficient and effectively designed statistical sample, considering the same sampling parameters…

The AICPA does allow for judgmental samples, but it also explicitly states that those samples should consider the same sampling parameters (i.e. tolerable misstatement, expected misstatement, risk of material misstatement, assurance from other substantive procedures, number of sampling units, and stratification, etc.) and should be comparable to a statistical sample. Do you know how many times I’ve seen teams apply “professional judgment” and test only five items or maybe ten items? And when I ask what a statistical sample would yield, the answer is “Way too many. We ran the model and it would have been in the hundreds.” The AICPA explicitly states that “…sample size is not a valid criterion to use in deciding between statistical and nonstatistical approaches.” My response is always, “So how does this judgmental sample take into account risk of material misstatement and materiality?” The answer, to which, is typically silence. No documentation and no response.

This is just one example of how firms allow for different methodologies for public and private company audits, even though the principles are largely the same.

Firm Monitoring

Finally, as part of PCAOB and AICPA quality management standards, firms are required to perform internal monitoring procedures. This typically translates into lookback reviews performed during the slower summer months over a sample of audits.

In its Staff Update and Preview of 2020 Inspection Observations , the PCAOB indicates that it is

We also observed situations where we identified deficiencies through our inspection procedures that were not identified through an audit firm’s internal inspection procedures directed to the same engagements. Such results may indicate that the audit firm’s QC system related to monitoring does not provide reasonable assurance that the audit firm’s internal inspection program is suitably designed and/or being effectively applied.

What this tells me is that firms apply a different level of rigor internally than the PCAOB. It comes as no surprise that the PCAOB, being the regulator is by far the most exigent in terms of adhering to standards. Some might argue, it’s overly exigent, but that’s a debate for another time. The point of the matter is that firms are inherently missing the mark when inspecting their own work and are failing to identify quality concerns.

If firms are failing to identify internal issues, what does that mean for the peer review process for AICPA audits? The auditing profession was self-regulated up until the Enron scandal and the collapse of Arthur Andersen which brought about the advent of the PCAOB and Sarbanes-Oxley. I’m not saying the PCAOB is always right or justified, but that the profession missed the mark once before and if the PCAOB is finding that firms’ internal inspections are not of a sufficient quality, then arguably, peer reviews are not being held to the same rigor. I believe this all stems from the fact that firms, and the industry as whole, views PCAOB and AICPA standards as inherently different and thus, applies an inherently different level of quality. Yes, there is less public exposure in the private company world, but does that mean audits should be performed at a different level of quality?

When the auditing standards (or the core principles at least) are arguably the same, why do we have such a divergence in application of the standards when we execute on public company and private company audits? At the December AICPA SEC Conference, the SEC’s Division of Enforcement asked the question, “Where are the gatekeepers?” They indicated that there is an erosion of trust in the markets. The Division went on to share numerous examples of accounting concerns and made very clear they are challenging the gatekeepers, which includes the audit firms issuing the opinions.

Let’s call a spade a spade. An audit is an audit is an audit, regardless of whether it’s a PCAOB audit or an AICPA audit. Yes, there are distinct differences, but the core of an audit is the same. It’s time we as a profession apply the same level of quality to public as well as to private company audits.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

2021's Most Read JGA Blogs

Fri, 21 Jan 2022 17:55:57 GMT

As we bring in the new year, we wanted to take a more to highlight some of our top read blogs of last year incase you missed them.

The Rise of ESG Reporting: What is the Auditor’s Role?

Geoffrey Dingle • Jul 21, 2021

The Rise of environmental, social, and governance (ESG) considerations have been around in various forms going back decades. However, only in recent years has ESG reporting become an area of growing interest for a wide range of financial statement users and stakeholders

Is it Just a Significant Deficiency? Evaluating Deficiencies in ICFR

Dane Dowell • Jun 10, 2020

When I ask an engagement team about its evaluation of control deficiencies and whether there could be a material weakness, the team will almost always respond, “No, we really think it’s just a significant deficiency.” The thought process being, how could a little control deficiency that deals with an immaterial variance possibly rise to the level of a material weakness? Of course, I always follow up with “Tell me why.”

The Regulator Who Cried Wolf: Why is the PCAOB Citing the Same Standards Year After Year After Year?

Dane Dowell • Aug 20, 2021

As children, we all heard the story of the boy who cried wolf. Leaving the sheep and wolves aside, what happens when the audit regulator continues to cite the same auditing standards year after year in its firm inspection reports?” Does the PCAOB’s message lose its effectiveness?

Please Mind the Gap: Identifying Control Gaps in ICFR

Dane Dowell • Apr 13, 2021

Tourists the world over love to visit London and ride the Tube, always listening for the famous expression, “Please mind the gap”. Much like the Tube in London, a control gap can be a dangerous thing. While auditors and accountants don’t usually risk losing a limb, a control gap on the other hand could be an undiscovered material weakness which could allow for a potential material misstatement which could result in any number of possible damages to the public sector.

ITGC Deficiency Evaluation: Why Understanding the Transaction Process is So Important

Joe Lynch • May 20, 2021

Over the years, we have noticed a common trend in IT audit issues in PCAOB inspection reports that can be grouped into two general topics: Inadequate scoping of IT systems for controls testing, and Evaluating Information Technology General Controls (ITGC) deficiencies

Constant Change: Recap of PCAOB Hot Topics from the 2021 AICPA National Conference

Fri, 17 Dec 2021 02:22:13 GMT

Last week, the annual AICPA National Conference on Current SEC and PCAOB Developments was held in-person in Washington D.C. (as well as virtually for those who could not attend). Most of my conversations started with a reflection of how nice it was to connect with peers face-to-face. In addition, Johnson Global Accountancy was proud to underwrite this event. It was truly gratifying to catch up with so many clients with whom we have only had the pleasure of working with over Zoom.

As always, there were updates provided from a wide variety of speakers covering many accounting and auditing-related topics. If you were not able to join the event, here are a few important SEC and PCAOB-related topics that were discussed by the various presenters.

Inspection Program Updates: Inspection Focus, Reverting Back to In-person Inspections and Continued Unpredictability

Although the PCAOB Board members did not speak at this year’s convention, PCAOB staff provided updates as follows:

Areas of inspection focus – Based on 2021 being the first full year of the pandemic, inspectors focused their reviews on impairments, going concern assessments, allowance for loan losses, and fraud risks. For 2022, the PCAOB sees the audit risks being driven by IPOs, disruption in supply chains, continued negative effects from COVID-19 on certain industries, and the focus on audits of SPAC and de-SPAC transactions.
Confirmations – George Botic, Director - Division of Registration and Inspections, spoke at some length about the sufficiency of procedures related to confirmations. During the process of supporting our clients on inspections, we have noticed an increase in inspectors’ questions around the confirmation process, especially when firms use a confirmation service provider to facilitate their confirmation process. Are firms doing enough to maintain control over the confirmation process when they use a service provider?
In-person inspections – In all likelihood, starting early 2022, PCAOB inspectors will be headed back out to firm offices to conduct their inspections in-person. Pre-COVID, the PCAOB did perform a small number of inspections remotely, but personally, I believe the inspection process is much more efficient when inspections are being performed face-to-face.
Unpredictability – The PCAOB will continue to increase the percentage of random selections and review non-traditional focus areas such as cash and cash equivalents. This is consistent with last year’s comments at the conference and is meant to encourage firms to perform quality audits across all audits and all areas of each audit. Our belief is that all firms should be reflecting on the selection process of their monitoring programs for their pre- and post-issuance reviews. Firms should not focus their monitoring entirely on their larger, “riskier” clients under a traditional risk assessment model but should consider adding a level of randomness in their selection process. In addition, we encourage firms to consider including some non-traditional focus areas in your monitoring reviews.

Independence: Continuing Violations

Firms continue to struggle to comply with independence standards. With the increasing complexity of client relationships in a truly global economy, auditors need to pay extra attention to evaluate whether they are truly independent of their clients, especially with firm offices and client subsidiaries located all over the world. The message relayed to attendees was that auditor independence must be a shared responsibility – between the auditor, management, and the audit committee. While firms often do their own assessment, they should be asking, “Is the audit committee involved? What is the audit committee’s conclusion?” During the SEC Enforcement session, it was stated that the SEC has little patience for firms that notify the SEC of an independence violation that came about out of their own making. Identifying independence violations isn’t sufficient … preventing them is more important. Enforcement staff also mentioned that penalties may need to be ratcheted up as it seems like the punishments are not severe enough to change behavior.

Materiality: Incorrect Application of Staff Guidance

Although not a new concept, materiality was also discussed in a number of sessions. The point was raised that oftentimes engagement teams are misapplying the guidance of SEC Staff Accounting Bulletin No. 99, Materiality (“SAB 99”) – which basically requires that even if an error or misstatement is quantitatively immaterial, from a qualitative point of view, such an error or misstatement could ultimately be concluded as being material. The SEC has noted that some teams are applying this approach, but in the inverse direction. The SEC challenged and inherently asserted that it is not appropriate (at least, not often) to argue that a quantitatively material error or misstatement is immaterial because the engagement team concluded the error or misstatement to be qualitatively immaterial. Additional points raised by the speakers that auditors should consider as they are concluding on materiality include:

Disclosures must be accurate and cannot be misleading – don’t walk right up to the line.
All information needs to be considered, not just the information that supports your preconceived conclusion. What that means is try to resist the tendency to use the guidance to get to a pre-determined judgment.
Do not look at SAB 99 as a checklist that can be added up and scored. The criteria listed in the staff guidance is not an exhaustive list and engagement teams are strongly encouraged to read the staff guidance in its entirety.
Lastly (and this is key ) – a material accounting error should generally equate to an auditor concluding that there is a material weakness that should be disclosed. It takes a lot to conclude that a material error in the financial statements, is something less than a material weakness .

ESG: Increasing Transparency and Investor Confidence

One of my biggest takeaways from the conference was how rapidly ESG has moved to the forefront of the profession. In fact, the CAQ stated that its own research has found that 95% of S&P 500 companies are currently reporting some ESG information. Many speakers from different interest groups (including the SEC), discussed how investors and users are looking for some sort of approach or standard that ensures that ESG information is comparable, consistent, and reliable from company to company. It is clear that ESG is going to continue to gain prominence as the CAQ reported that 91% of stakeholders would like to see ESG information assured over time.

Quality Control Standard Update

In last year’s conference recap, we reported that it had been exactly a year since the PCAOB released the Quality Control Concept Release for comment (in December 2019). Now another full year has passed and there has been no noticeable movement on the new QC standard from the PCAOB. Both the IAASB and AICPA have made great strides and are much further along than the PCAOB. Although undoubtedly the PCAOB sees the revised QC standard as a high priority, the fact that the majority of the Board is new to their roles cannot be good for a timely issuance of the standard. However, as both the IAASB and AICPA guidance is out there, firms should already be planning for this eventual PCAOB QC standard and seeking out resources and tools to get ahead of the eventual requirements .

Looking Ahead

In summary, the conference did not disappoint. Clearly there are new considerations bubbling up (namely ESG, digital assets, and cybersecurity), but there are still old established topics that have been around for a while that are resurfacing again (think independence and materiality).

The auditing profession is continually evolving. As we continue to cope with COVID-19 and the advent of remote work, as we navigate the great recession, as ESG rises in prominence, as QC standards are reshaped, as technology continues to permeate issuer and auditor systems and processes, and as regulators continue to “keep up” with the developments, in the words of Heraclitus, “The only constant in life is change.” Rest assured, at JGA we will continue to monitor and communicate these updates as they develop.

Preparing for 2021 Audits – Considerations for Management and Auditors

Wed, 15 Dec 2021 17:06:36 GMT

Los Angeles, CA: Dane Dowell, JGA Director, and Geoffrey Dingle, JGA Managing Director, will partner again with George Wilson, PLI SEC Institute Director, for Preparing for 2021 Audits – Considerations for Management and Auditors, a timely and informative one-hour briefing held virtually on January 13, 2022 at 3:00 PM EST.

This briefing will help auditors, audit committees and management deal with new and on-going challenges for the 2021 annual audit process. It will focus on what all parties involved in the financial reporting process should plan for to address current challenges in the audit industry. The topics will range from emerging issues brought about by the rise of information technology to the recurring audit deficiencies identified by the Public Company Accounting Oversight Board (PCAOB).

“Over the past few years, so much has changed for auditors, ” commented Dane. “This briefing will help you stay ahead of current regulatory trends and changes to ensure a successful year-end audit.”

Topics will include:

Emerging issues with the rise of information technology:
Cybersecurity - audit considerations whether there is a known breach or not
Relevance and reliability of information – dissecting new PCAOB Staff guidance
Importance of effective ITGCs for business process controls and information produced by the entity
Common audit deficiencies - exploring common findings within issuer audits including ICFR, revenue, accounting estimates, inventory, and critical audit matters
Common audit firm deficiencies including independence concerns
Documentation – the increasing focus on audit documentation
The PCAOB’s observations of good practices for auditors
Key issues for audit committees and management in working with auditors in 2021
Auditor considerations for imminent changes to firms’ systems of quality management.

“January is always a good time to refresh and refocus on recent changes in the profession,” stated Geoffrey, “We are excited and looking forward to partnering with George Wilson and PLI as we look towards this year’s upcoming busy season.”

Dane Dowell , JGA Director, has over 15 years of experience in the accounting and auditing industry including over five years of experience working at the PCAOB. Prior to the PCAOB, Dane worked for PwC in Denver, Singapore, and Washington, D.C.

Geoff Dingle , JGA Managing Director, works with PCAOB-registered accounting firms helping them identify, develop, and implement opportunities to improve audit quality. With over 20 years of public accounting experience, he spent almost ten years at the PCAOB where he conducted inspections of audits and quality control. Geoff has extensive experience in audits of ICFR and firms’ systems of quality controls. Prior to the PCAOB, he worked on audits in various industries at Deloitte in Atlanta and Durban (South Africa).

About Johnson Global Accountancy

Johnson Global Accountancy Awarded a Platinum MarCom Award for Guide on Navigating PCAOB Inspections

Mon, 22 Nov 2021 19:27:12 GMT

Los Angeles, CA: Johnson Global Accountancy (“JGA”) has been awarded the highest award from MarCom Awards for the recent print publication “Navigating PCAOB Inspections” which can be downloaded at https://www.jgacpa.com/navigatingpcaobinspections .

This 52-page guide helps PCAOB-registered accounting firms worldwide understand every aspect of the inspection cycle and provides insight and advice to ensure engagement teams and firm management are fully prepared and for an effective inspection and remediation process.

The publication was written by Dane Dowell, JGA Director, Geoff Dingle, JGA Managing Director, and Jackson Johnson, JGA President. It was produced and edited by Sara Janjigian Trifiro, JGA Director of Marketing, and designed by CleoDigital .

“This was truly a collaborative effort and a joy to be a part of creating this important guidance to the industry,” stated Johnson. “The greatest reward is hearing the positive impact it has for our clients and other firms worldwide.”

MarCom Awards is an international creative competition that recognizes outstanding achievement by marketing and communication professionals. These awards are administered and judged by the Association of Marketing and Communication Professionals. There were over 6,000 entries from 41 countries in the MarCom Awards 2021 competition. MarCom’s Platinum Award is presented to those entries judged to be among the most outstanding entries in the competition, and a small percentage of the entries. Platinum Winners are recognized for their excellence in terms of quality, creativity, and resourcefulness.

About Johnson Global Accountancy

ISQM 1 one year to go: The tools and knowledge to know

Wed, 17 Nov 2021 19:20:02 GMT

With one year to go until the IAASB’s set of new and revised international quality standards come into effect, the audit quality landscape is braced for change globally. The International Standard on Quality Management (ISQM) 1 is the new standard that deals with quality management at a firm level, and will become mandatory from December 15, 2022.

Through this standard, audit firms are being directed to raise the bar for quality management. Preparation will present challenges for many firms and require bridging gaps across their current knowledge, resources, and capabilities.

Join us for a panel discussion with experts from Dayshape, Intapp and Johnson Global Accountancy. We’ll consider:

- What will ISQM 1 mean for your accounting firm?

- What are the key challenges?

- How crucial is “tone at the top” for embedding audit quality?

- What tools and technology are available?

Webinar

Date: Thursday, December 2nd
Time: 9:30 am CST | 10:30 am EST | 3:30 pm GMT
Duration: 45 min including Q&A

Hosted by Dayshape, in collaboration with Intapp and Johnson Global Accountancy.

Speakers

Andrew Bone

Dayshape, CEO and Co-Founder

Andrew Bone is the CEO & Co-founder of Dayshape, an award-winning enterprise software company founded in Edinburgh. As a software engineer and former Big Four chartered accountant, Bone has first-hand experience and insight into the challenges of resource management in professional services.

Dayshape is an AI-powered planning and scheduling platform developed specifically for accountancy firms. Dayshape has gone from strength to strength, counting two of the Big Four as customers, with over 15,000 users across ten countries.

Jey Purushotham
Intapp, Practice Group Leader of Risk Solutions

Jey Purushotham is Practice Group Leader of Risk solutions at Intapp. At Intapp, Jey helps firms modernise their acceptance, continuance and independence processes using Intapp’s suite of risk management solutions. Jey spent most of his career at the New York Stock Exchange where he oversaw the Exchange’s risk and compliance programs.

Dane Dowell

Director, Johnson Global Accountancy
Dane Dowell is a Director at Johnson Global Accountancy who works with PCAOB-registered accounting firms to help them identify, develop, and implement opportunities to improve audit quality. With over 12 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Dowell has extensive experience in audits of ICFR and has worked closely with attorneys in the PCAOB’s Division of Enforcement and Investigations. Prior to the PCAOB, he worked with asset management clients at PwC in Denver, Singapore, and Washington, DC.

Johnson Global Accountancy to Sponsor AICPA Conference

Mon, 15 Nov 2021 20:44:09 GMT

Johnson Global Accountancy to Sponsor AICPA Conference

Washington D.C: Johnson Global Accountancy (“JGA”) is pleased to sponsor the AICPA & CIMA Conference on Current SEC and PCAOB Developments this December live in Washington, DC and virtually online.

The AICPA Conference on Current SEC and PCAOB Developments takes place from Dec 06 - Dec 08, 2021, Washington, DC, and live online. Come join us and meet our team of experienced client service professionals in-person at our booth.

Register today at https://future.aicpa.org/cpe-learning/conference/aicpa-conference-on-current-sec-and-pcaob-developments and use the code SEC21 to save $100.

About Johnson Global Accountancy

Which Quality Management Standards Apply to Your Firm?

Fri, 12 Nov 2021 21:40:14 GMT

The PCAOB, AICPA, and the IAASB have each developed a plan to issue (or have issued) standards to address quality management (QM).

This infographic depicts which quality management standards apply to your firm and when they would apply based on the reporting framework you perform audits under. Firms need to make sure that they have started planning for the effort that will be required of them.

(This image was updated in April 2025 to reflect current and proposed dates.)

If you have any questions about these standards and whether they apply to your firm, reach out to Joe Lynch .

Joe Lynch , JGA Managing Director and Shareholder, and a member of the AICPA Quality Management Implementation Task Force. Joe works with mid-market public accounting firms worldwide to implement quality management programs that integrate technology and process to improve the delivery of audits. Joe spent more than six years as an Inspection Leader at the PCAOB, he conducted inspections of quality control and global issuer audits at large firms in the US as well as foreign affiliate firms, focusing on examining quality control and the design and implementation of audit work. Joe also has experience supporting financial service industry audit teams at a Big Four firm. In addition, his experience includes active-duty service in the US Air Force and supporting companies with IT strategic initiatives such as designing the IT framework for technology departments as well as leading implementations of ERPs and systems.

The Year of the Ampersand Part I: Completeness & Accuracy, Relevance & Reliability

Fri, 12 Nov 2021 18:20:47 GMT

In 2014, Denver Eater published an article: What’s in a Name: The Year of the Ampersand . Essentially, for the foodies out there, in 2014, it seemed all new, trendy restaurants used the ampersand (yes, the “&” symbol) to link two words (sometimes entirely unrelated) together and then suddenly, voilà, you had yourself the next hottest restaurant. In Denver, top of mind are Stoic & Genuine, Work & Class, Guard & Grace, and Williams & Graham, to name a few.

In an entirely different industry (arguably less exciting), the same naming trend seems to be picking up heat today. It’s almost impossible to talk about audit without using the words “completeness & accuracy” or “relevance & reliability.” Whether supporting teams on PCAOB inspections or performing in-flight reviews, these paired words seem to surface time and again. In fact, in October 2021, the PCAOB published guidance specifically addressing this topic : Staff Guidance – Insights for Auditors – Evaluating Relevance and Reliability of Audit Evidence Obtained From External Sources.

Quantity & Quality (there’s that ampersand again)

Information technology is enabling the aggregation of more and more data as well as allowing access to these vast sums of data. The more data, the more evidence and thus logic would dictate, the better the audit. However, we’re all familiar with the concept of “fake news” and so, it’s important to evaluate the quality of that information.

As with almost everything related to an audit, it all starts with risk assessment. As the risk increases, so too does the quantity and the quality of the audit evidence needed to address the risk. In its publication, the PCAOB stated:

The concepts of sufficiency and appropriateness of audit evidence are interrelated – the quantity of audit evidence needed is affected by both the risk of material misstatement (in the audit of financial statements) or the risk associated with the control (in the audit of internal control over financial reporting) and the quality of the evidence (i.e., its relevance and reliability).

Quantity is often driven by the nature, timing and extent of procedures. Quality is driven by the relevance and reliability of the information obtained or used in those procedures. Relevant information but from an unreliable source doesn’t hold much value for the auditor. Similarly, reliable information that is irrelevant renders audit evidence useless.

Factors to Consider

Relevance

The PCAOB states: The relevance of audit evidence refers to its relationship to the assertion or to the objective of the control being tested and depends on the design and timing of the audit procedure.

Essentially, how well does the evidence pertain and/or relate to the assertion being tested? For instance, if an auditor is using industry data to corroborate management’s assumptions, how comparable are the companies underlying the industry data? If you’re auditing a start-up company, pulling information from long-established Fortune 500 companies may not be relevant information.

How disaggregated is the data? Often, the more disaggregated data is, the more relevant it becomes since you can select the data that is most pertinent/similar.

Another factor when considering relevance of data is its age. Typically, current data is more relevant than data from a decade ago. However, it really all depends. Arguably, data from 2020 (the year of COVID) may not be the most relevant data to represent “typical” operations. So perhaps 2019 is more relevant than 2020. Similarly, if we were to have another global pandemic in 2030, well, then the data from 2020 (even if it’s ten years old) may be the most relevant data since it would show how companies fared during a global pandemic (which has not been a common occurrence).

Reliability

As it relates to reliability, the PCAOB states: The reliability of audit evidence depends on the source and nature of the evidence and the circumstances under which it is obtained.

Source of information

When considering the source, consider the expertise and reputation of the source of the data. We inherently do that ourselves when we read the news: headlines from NPR are generally more trusted than the sensational scandals reported by grocery store tabloids. The same concept applies to audit evidence. Factors that might increase the reliability of the source include regulatory oversight and statutory mandates and reporting. US Banks, for instance, are generally accepted as providing reliable information given the incredibly stringent regulatory environment. Finally, auditors need to consider conflicts of interest. A research study on the effects of leaded gasoline funded by the manufacturers of lead additives is a clear conflict of interest (and yes, this was the case for years when cars used leaded gasoline). Obviously, auditors need to consider the source of information and the potential relationship to the company being audited.

In addition to analyzing each source, the more sources that can be obtained, generally, the more reliable the information becomes. For instance, if a company is using a market multiple approach to determine the enterprise value of a company, the more multiples that can be obtained (assuming they’re all relevant), the more reliable the information becomes.

Nature of information

Once the source has been vetted, the auditor must consider the nature of the information being obtained. To the extent the information is “raw data” that has not been manipulated, it is considered more reliable. As data is aggregated, manipulated, and/or synthesized, the data becomes less reliable (given the increased risk of error). However, data that has been reviewed or subject to some sort of “attestation” would inherently become more reliable.

How information is obtained

Auditors should also consider how information is obtained. External data obtained directly by the auditor is more reliable than data provided by a client. Further, the more complex the process to obtain the data, the less reliable it becomes as there is greater risk of error.

Ultimately, all of these factors need to be considered in combination. And there are likely many other factors that could impact relevance and reliability. While no single factor renders information relevant or reliable on a standalone basis, I would caution that one single factor could render the information irrelevant and unreliable.

As auditors consider these factors and review data from various sources, it’s important to maintain professional skepticism. To the extent inconsistent data or contradictory evidence surfaces, the auditor needs to evaluate this; you can’t just ignore it.

Most of the time, it’ll be a matter of professional judgement, so document these considerations.

Difficulties with Relevance & Reliability

In working with teams on various audit quality initiatives, there have been a few sources of frustration that perpetually surface: availability of external data, ability to audit external data, and inconsistent application of the “guidance” above.

Availability of external data

While information technology has made it generally easier to access data, there are some companies that operate in largely “uncharted” territory. Many of my clients who audit start-up companies struggle to find “comparable data” in these emerging industries; there just isn’t any historical data, often because the other start-ups are so small and/or private and it’s a brand new product. In these cases, there just isn’t a lot of information to obtain. For the limited information that is available, auditors often struggle to conclude on the relevance and reliability of that information. For instance, if there is only one public competitor that launched a similar product ten years ago, given the guidance above (single source with ten-year old data), arguably, the information is no longer relevant. But if that is the ONLY information available, it’s the most relevant. I’ve seen these cases time and again and the best thing I can advise is to document all considerations.

Ability to audit external data

Sometimes, external data is available, but how can an auditor really assert completeness and accuracy of that information? The auditor has the ability to audit the client, but there’s no guarantee that a client has contractual rights to audit external information (say, from its customers). Take software services. I’ve worked with many clients who audit software companies. Sometimes the revenue is generated through use of the software. Sometimes the client has insight to that usage. Other times, it must rely on the customer to report usage in order to bill for revenue. Given the auditor cannot necessarily go out and audit these customers, how can the team really assert completeness and accuracy?

In its publication, the PCAOB states: … [W]e understand that some firms are considering using as audit evidence new information from nontraditional external sources that has become available because of the advances in information technology. To determine the nature and strength of any relationship between this information and the company’s transactions, and to substantiate conclusions reached, the auditor may need to perform additional procedures (e.g., correlation or regression analyses) . The PCAOB seems to indicate analytics may be sufficient. The key is that “additional procedures” need to be performed. Again, this will come down to risk, professional judgment, and documentation.

Inconsistent application of the “guidance”

What is frustrating, perhaps, is the inconsistency with which the guidance seems to be applied, or the implicit expectations that have formed over time through inspection findings. Take the example above: AR confirmations (from customers) are considered best practice to obtain comfort over the existence of AR; in fact, it’s required under PCAOB auditing standards . However, in a recent audit inspection, the PCAOB challenged the use of a customer-provided list of revenue transactions indicating the team had failed to test the completeness and accuracy of that information. Why is an AR confirmation considered relevant and reliable but a list of revenue transactions from the customer not? Obviously, it’s more complicated than just that, but it seems inconsistent.

Or take another example: bank confirmations and similarly, bank statements (which include cash transaction history), are generally accepted as relevant and reliable audit evidence. It’s external data from a third party that is highly regulated. All that makes sense and is in line with the PCAOB’s recent guidance. However, let’s go to the broker-dealer industry. Talk about regulation! This industry arguably has just as much oversight and regulatory reporting as banks. Clearing firms act very similar to a bank (in fact, they often are a part of banks) except they deal in securities, which then clear in cash. Although very similar, through my experience supporting clients with broker-dealer inspections, the PCAOB appears to have different expectations asking engagement teams if they obtained a SOC 1 report (which provides reliance over the controls in place at a service provider) over the clearing broker. Why is a bank generally accepted as providing complete and accurate information without the need for controls testing but a clearing broker requires a SOC 1 report for its information to be considered C&A? Again, it’s more nuanced than that, but this also seems inconsistent.

I think this is starting to surface more and more within the PCAOB and that’s partly why they issued this guidance. It’s becoming a very hot topic.

Moral of the Story

Ultimately, the PCAOB is trying to get firms to understand that getting data is one thing, but there is still more work to be done (and documented) . Sometimes, the relevance and reliability is incredibly obvious. Sometimes it’s not as clear.

Regardless the frustrations, perhaps the key is to document the considerations to evidence that the engagement team considered the relevant factors and to capture IN WORDS the professional judgment exercised at the time of the audit. As long as audits incorporate professional judgement, so too will PCAOB inspections incorporate professional judgment. And so, the only way to defend your position is to ensure it was documented at the time of the audit. And when you think you’ve documented enough, add more.

As is the way with any trend, the “AMPERSAND” naming convention seems to be coming to a close. Sadly, one of my favorite restaurants, Church & State in LA, closed its doors in 2019. In Denver, Beast + Bottle closed its doors during the pandemic. And so it goes. But unlike restaurants, the trend in auditing is not going to fade away. Rather, I anticipate the concepts of “completeness & accuracy” and “relevance & reliability” will only become more critical concepts.

In fact, the rise of AI and data analytics threatens to automate much of the audit profession and will disrupt the industry as we know it. Maybe my role will be obsolete in 15-20 years as traditional auditing may go by the wayside, but it will be entirely predicated on the concept that data is complete, accurate, relevant and reliable . Hopefully by then, I’ll be in retirement running a cozy little bed and breakfast which of course will be called “C&A, R&R.” To former auditors, it’ll be an homage to “Completeness & Accuracy, Relevance & Reliability,” but to everyone else, it’ll simply be known as “Cocktails & Accommodations, Rest & Relaxation.”

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

Five practices every team should implement now to improve audit integration

Wed, 20 Oct 2021 20:58:50 GMT

How much do the IT auditors on your audit team understand the client’s business processes? How much do financial auditors on your audit team understand systems and IT considerations? Too often, financial auditors and IT auditors, or specialists perform their procedures in a silo, often with too little communication. The question is if neither understands the full picture of the business process how can you ensure all the risks in the business processes are addressed? The following integrated activities will make an immediate impact on the audit team’s integration and help amplify audit quality.

1. Integrated Walkthroughs

Integrated walkthroughs include all the audit team participants, including IT auditors, specialists, experts, contractors, or other resources that support the audit of a specific business process. An integrated walkthrough will help audit teams:

Understand the business and associated risks with the initiation, process, and procedures used to record and report the transactions of the company;
Identify controls that occur throughout the process, including controls that an IT auditor or a specialist may be aware of that other team members might not identify;
Analyze the manual and automated attributes or components of the controls;
Trace the data lineage through the business process and identify all reports and other information produced by the entity (IPE) used in the execution of controls; and
Inventory all systems (Applications, Databases, and Operating Systems) and tools (i.e. Software Audit Tools) used in the execution of controls.

When walking through a process to identify "what could go wrongs", work as a team to identify the controls that address each likely source of misstatement. Performing the walkthrough as an integrated team can help to identify design deficiencies, missing controls, redundant controls, or automated controls that address risks that may eliminate the need to test certain manual controls.

Note: Taking a fresh look at each process is an important step that drives audit quality.

In other words, do all the audit team participants, including IT auditors, Tax team members, specialists, experts, contractors, or other resources that support the audit of a specific business process understand all the components listed in Figure 1- Components of the Business Process below within the business process and how they all fit together?

Figure 1 Components of the Business Process

2. Integrated Key Business Process Discussions

An integrated walkthrough is a strongly recommended process for higher risk or complex business processes (see activity 1 above). If the financial auditors already performed the walkthroughs on their own the team should schedule and integrated team discussion of the key business processes. The walkthrough of the business process with the client is a key step, but we have found an integrated team discussion where the team discusses the processes, risks, and controls is even more impactful on audit quality. Again, this doesn’t necessarily have to be held for every process. The integrated walkthrough should include all the audit team participants including IT auditors, specialists, experts, contractors, or other resources that support the audit of a specific business process. This allows the team to really dig into the process and determine where the critical risks and controls exist, identify potential control gaps, and strategize how the design and operating effectiveness of controls should be tested.

These discussions can occur naturally as part of the audit fieldwork procedures. Set the expectation that team members should be prepared for the discussion by reviewing available information and documentation. Then plan a common meeting place: audit room, virtual room, or office conference room are some common logistical ideas. During the discussion use whiteboards and projectors to share information and collaborate on individual understandings. We have found individual audit team members know unique aspects of the business processes and these collaborative discussions bring together all these unique understandings

3. Integrated Application scoping

Once we identify the controls in the integrated walkthroughs and integrated business process discussions, the integrated team can work together to identify or finalize the scoping of the following IT components:

IT systems (Applications, Databases, and Operating Systems)
Interfaces
IT Application Controls
Key Reports & Data

In more complex environments with multiple systems, the audit team should whiteboard or draw the system data flow, which can help scope the items above, as well as help trace key data through the applicable systems. When we discuss potential root causes of why key controls or systems were missed, it’s often a result of not understanding the data flow. For example, the data may flow through an intermediate system that extracts the data from the source and transforms it to load into the destination system, or the true source data used in a control may be generated from a data warehouse or other reporting database the team may not have previously identified. We commonly see companies use a mix of on premises and hosted IT environments, and these system components may not be properly identified and tested unless the data flow is understood.

When finalizing decisions on scoping of systems, consider:

Significance of the accounts or transactions related to the application
Volume and complexity of transactions in the system
Significance of IPE stored in, generated from, processed in the system used in other controls
Extent of other non-automated (i.e., fully manual) controls that address relevant WCGWs

Other Considerations:

Significant changes to systems
System migrations / conversions
Third-party hosting

Refer to the Figure 1- Components of the Business Process diagram above, and work from the to p down and ensure that the team has a complete understanding of how the traditional IT Audit procedures support the traditional financial statement audit procedures that address the business processes. This is a helpful tool to maximize the understanding of the business process and the associated audit strategy.

4. Integrated IT environment understanding & risk assessment

Multiple applications, data warehouses, report writers, and layers of supporting IT infrastructure (database, operating system, and network) are likely involved in the business process, from initiation of a transaction to its recording in the general ledger. Such transactions ultimately lead to reporting in the financial statements, and therefore, these systems and IT infrastructure layers are likely relevant to the audit.

To complete your understanding of the IT environment, refer to the Figure 1-Components of the Business Process diagram above, and include the following activities to address risks in the IT environment:

Consider the risk over significant accounts and which systems, interfaces, application controls, and key reports are used in the financial reporting over these accounts.
For instance: If the valuation of the Allowance for Loan Losses is considered a significant risk, then the system used to calculate the Allowance for Loan Losses is inherently linked to this significant risk.
Separately consider each system and assess risk.
Is it hosted (covered by a SOC1) vs. internally managed?
To what extent is it hosted?
Vendor developed/provided vs. custom in-house system?
Access to source code / changes?
The same “linkage” and risk factors considered in the activities 1-3 above are going to be the same considerations that the engagement team (financial and IT auditors) consider in evaluating all deficiencies identified in the testing of IT controls (whether IT application controls, ITGC, interfaces, etc.). In general, given the pervasive nature of IT in controls, IT deficiencies are difficult to evaluate but often more significant than we want to acknowledge.
Another angle would be to consider the impact to the audit if the ITGC components (logical access, change management, computer operations, system development lifecycle) or infrastructure components (database, operating system, network) were found to be to be ineffective?

5. Communication….Communication…Communication

What is your communication plan with the integrated team? Is the discussion focused on hours and status, or does it include current issues, challenges, and results as an integrated team? We see audit teams get stuck in various stages of teaming model – Forming, Storming, Norming, and Performing (see “Developmental Sequence in Small Group” by Bruce Tuckman). Engagement teams should have a manager or partner monitoring how the team is working together to maximize effective performance of the team.

Schedule a regular weekly, bi-monthly, or monthly meeting as in integrated team and make it more than just a status and budget meeting. What are you seeing? Where are the challenges? Remember your responsibility of professional skepticism and challenge each other to identify shortcomings and address them as a team.

As you work through this year’s audits keep these five items in mind and deploy them as necessary to break down silos within your audit. This is not a set it and forget it exercise rather integration of all team members takes regular maintenance and attention. A key aspect of audit quality is gaining a cohesive understanding of the business.

Back to Basics: Audit Documentation Failures Have Become Dangerous Low Hanging Fruit

Wed, 20 Oct 2021 15:19:49 GMT

Since the early 2000s, PCAOB registered firms have been subject to regulatory review of their engagement teams’ audit procedures. These reviews culminate in a publicly-released inspection report that describes engagement-specific and quality management areas where the PCAOB has concerns.

As mentioned in our previous article The Regulator Who Cried Wolf: Why is the PCAOB Citing the Same Standards Year After Year After Year? the PCAOB has identified consistent themes in the top three areas of internal controls over financial reporting, responding to risks of material misstatement, and auditing estimates. Naturally, because of these repetitive themes, firms have focused their attention on remediating these issues. To some extent, firms and engagement teams have taken their eyes off the ball and have slipped in complying with one of the cornerstones of the PCAOB standards: having appropriate and timely audit documentation of the audit procedures.

We thought it would be good to take a moment and focus on audit documentation of the audit procedures.

Repercussions of failures in Audit Documentation

The PCAOB’s Auditing Standard 1215, Audit Documentation , has very specific requirements about:

What information needs to be documented in the workpapers and by when;
When workpapers need to be archived; and
What to do when an engagement team determines that changes need to be made to already archived workpapers.

Typically, failures to comply with PCAOB auditing standards result in inclusion of the issue in a firm’s inspection report. For context, audit documentation (AS 1215) has almost never been cited in an inspection report. However, over the last 2 years, five enforcement orders have been issued by the PCAOB’s Division of Enforcement against both individuals and registered firms related to audit documentation. These documentation issues, which we will cover in more detail, range from:

failing to institute a process to prevent engagement teams from backdating work papers prior to archiving.
failing to archive workpapers within 45 days after the report release date.
modifying workpapers that were provided to PCAOB inspectors and not notifying the inspection team about this fact or misrepresenting that they were workpapers that existed at the time of the audit.

These enforcement orders included sanctions such as:

censure,
monetary penalties,
revisions to be made to firm’s quality management process related to audit documentation,
required additional training, or
temporary disbarment from working on issuer audits.

Each of these are serious repercussions for any audit professional or firm. I’ll break each of these items down with my considerations to prevent these from occurring at your firm.

Backdating workpapers

In a very recent enforcement order, the firm made a conscious effort to improve its quality management processes by instituting an automated process of only allowing sign off surrounding the preparation and review of workpapers to be currently dated, meaning professionals could not theoretically backdate sign offs to an earlier date. However, the firm became aware that this control could be circumvented by professionals changing the internal clock on their computers to an earlier date and thereby overriding the software by “currently” dating workpapers, but to the date incorrectly set on their computer’s clock.

Although the firm was aware of this potential weakness, the firm failed to address the issue and failed to communicate to audit professionals that engagement teams should not circumvent the system in this manner. Of course, some intuitive auditors figured out this flaw and began to change the internal clocks on their computers and thus effectively “backdate” workpapers. So, although the backdating of workpapers was an issue unto itself, it became compounded because the firm identified this control gap but failed to mitigate or remediate this risk by doing nothing.

Some questions to ask yourselves:

What do you know about your audit software?
Does your audit software have this weakness where your own professionals could do the same thing?
Have you communicated directly to your professionals that they should not be backdating workpapers?

These are important technology considerations and an issue that seems be a consistent theme with our clients. It is critical to understand the risks that audit and technology tools present, and to identify similar risks to those mentioned. This is a perfect time to do this as firms gear up to perform risk assessments over the Resources component of the quality management standards.

Archiving timely

AS 1215 states that “a complete and final set of audit documentation should be assembled for retention as of a date not more than 45 days after the report release date.” In my discussions with clients and other firms, some have misunderstood the requirements to mean that engagement teams merely had to assemble a final set of workpapers – not actually be required to archive them. The view of the PCAOB is that workpapers need to be assembled and locked down within 45 days – basically nobody should be able to make changes to them after that date.

Another issue we have encountered during our work with our clients is that some firms do not have a process to monitor that this 45-day lock down requirement is consistently followed – some firms have no accurate reporting system to warn firm management that an audit file is coming up to the 45-day archiving deadline. Once you have missed the 45-day deadline, you are unable to cure this defect!

If you are not sure about this at your firm, I suggest running an internal report to see if audit work papers are consistently being archived timely. If you don’t have reliable reports to gain this understanding, contact me to discuss ways to build this information into your processes.

Modifying workpapers after the opinion date

Modifying workpapers to document additional audit procedures performed after the audit opinion date is generally a no-no. We all know this. Even when documentation is added after the documentation completion date, and the requirements are followed, the optics don’t look good from an inspection perspective. I have seen inspectors take a harder look at all the files when they see this on one file during an inspection.

Further, modifying workpapers after being informed of an upcoming PCAOB inspection and failing to inform the inspection team of the changes, or misrepresenting that work was done at the time of the audit, is a path no one wants to go down. Yet, this stuff still happens. I tell my clients that it’s the lesser of two evils to get a comment form from the PCAOB for failing to perform a specific audit procedure, rather than being called in front of the Division of Enforcement for failing to “cooperate with the Board in the performance of any Board inspection”. ¹

What about sharing documentation from outside the file with the inspection team? When I am supporting my clients on inspections, and other documents are shared with the inspection team, I always ask the engagement team if this document is included in the audit file and if it is not (perhaps it’s an email that the engagement team is using to support an oral discussion with the inspection team, or perhaps it’s an analysis demonstrating a potential issue is not material), I advise engagement teams to explicitly make this representation. Full disclosure and clarity with the inspection team is paramount.

Learning from the lessons on these recent and noteworthy enforcement cases, let’s address some common questions that have been on the minds of many of you:

Can you make changes to workpapers after the opinion date and after the archiving?

Stepping back and looking at the big picture; let’s refresh ourselves as to what an audit opinion is. It’s an audit professional’s written assertion opining that based on the audit procedures and evidence obtained, the financial statements are not materially misstated. “Cleaning up” the audit files after the opinion date, should be just that. Engagement teams should not be performing any audit procedures after the opinion has already been issued, as this would imply that the engagement team had no basis to assert it had done sufficient audit work as of the date of the opinion. The types of things that engagement teams could perform include deleting review notes that had been addressed by the engagement team prior to the audit opinion date or including a clean ticked and tied financial statements that already had been agreed to the working copy version in the file.

The reality is, there should be limited need to document any procedures after the opinion date and perform clean-up, if reviews are happening real time.

Can you make changes to the audit documentation after archiving an audit file?

Yes, the standard specifically discusses that there may be situations where, after an audit file has been archived, an engagement team determines that revisions need to be made to the audit file. However, the standard is very clear that documentation may only be added but never 'taketh away'. In circumstances where changes are made to an archived file, the engagement team must include documentation indicating (i) the date the information was added, (ii) the name of the person who prepared the additional documentation, and (iii) the reason for adding the information. We recommend that this documentation be robust such that it is very specific as to what changed in the workpapers. ²

How does all this tie in with the new Quality Management Standards?

Finally, in very short order the Statement on Quality Management Standard 1 (SQMS 1) will be effective and all firms that report under AICPA auditing standards will be required to comply with the new QM standard. One of the objectives under Engagement Performance requires that firms establish quality objectives that ensure that engagement documentation is assembled on a timely basis after the engagement report. Audit firms should already be thinking about their processes and controls at the firm level to determine where they may have gaps in controls that won’t meet the control objectives required by the QM standard. What’s more, SQMS 1 will also require firms to start “testing” their quality controls meaning, you’re going to need to design tests to validate your engagement teams are documenting in accordance with audit standards, including timely archiving a complete and final set of audit workpapers.

Given the ever-increasing complexity of the regulatory environment, firms will invariably struggle with certain elements of audit quality. But considering the foundational and elementary nature of audit documentation, it’s time we, as a profession, step up and ensure we comply with these standards.

It’s October and the harvest has passed: let’s commit to no more low-hanging fruit.

Geoff Dingle , JGA Managing Director, works with PCAOB-registered accounting firms helping them identify, develop, and implement opportunities to improve audit quality. With over 20 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Geoff has extensive experience in audits of ICFR and firms’ systems of quality controls. Prior to the PCAOB, he worked on audits in various industries at Deloitte in Atlanta and Durban (South Africa).

¹ PCAOB Rule 4006, Duty to Cooperate with Inspectors

² Also refer to the requirements of AS 2901, Consideration of Omitted Procedures After the Report Date and AS 2905, Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report

Trends in the Accounting Industry

Mon, 20 Sep 2021 17:58:46 GMT

Johnson Global Accountancy is pleased to announce Shannon Lauffer has joined the Firm to oversee the administration of the organization. This will include the management of the company’s president at Johnson Global Accountancy.

This is Shannon’s first role within the realm of accounting after working in healthcare for over 6 years. To gain more insight on what is happening in today’s auditing world, she sat down to interview a couple of the firm’s professionals, as well as the Jackson Johnson, JGA's President.

Shannon: What changes do you hope to see in the accounting industry over the next 5 years?

Shannon" What are some of the biggest challenges regarding audit quality within the accounting industry today?

Shannon: What aspect of audit quality do you most enjoy helping your clients with at JGA?

Jackson Johnson, JGA President, Featured on Accounting Today’s Podcast Series

Tue, 14 Sep 2021 17:53:45 GMT

Jackson Johnson, JGA President, shares best practices for auditors facing their overseer -- and for making audits better in general on Accounting Today's podcast series.

HFCAA: What Firms Should Do Now, and the Effects on China and Hong Kong

Fri, 20 Aug 2021 20:34:55 GMT

We have seen over the years indications that there is more work to be done to improve audit quality in China and Hong Kong. Whether it be through failed IPOs, restatements, or audit enforcement cases that came down from the SEC or local regulators, clearly we know that the quality of financial reporting can improve.

The problem is, what about what we don’t know? What about the potential that investors, and the global markets lack important information about the public company? Or worse, what about the potential that investors have materially inaccurate information about the company?

What we don’t have is full insight into how audit quality and audit compliance contributes to these financial reporting risks in China and Hong Kong. To put the risk into context, the PCAOB indicated that, as of March 31, 2021, there are 213 Chinese and Hong Kong companies listed on U.S. exchanges with a market cap of approximately $2.1 trillion.

PCAOB has been inspecting non-U.S. firms since 2005. When they were prevented from inspecting a foreign firm, those firms often cited legal conflicts of interests of sovereignty-based from local governments. In the case of Hong Kong and China, in particular, firms asserted state secrets as reasons they were unable to produce workpapers.

During my tenure at a large international accounting firm in Hong Kong, I was stuck in the crosshairs navigating workpaper requests when conflicts in laws prevented a consistent protocol within the accounting firm’s international network. Subsequently, during my time at the PCAOB, it was personally frustrating that, while inspectors had unfettered access to conduct inspections in many countries, China was one of the few we couldn’t inspect. At the same time, globalization and the exportation of production to China seemed to require more insight on how auditors were reacting to these changes. This regulatory impasse has been an issue for quite some time. And I noted in my interview with Bloomberg in December that internal practice monitoring programs alone don’t reach the level of objectivity, rigor, and investor-minded insight to risks that external inspections provide.

Holding Foreign Companies Accountable Act

One real solution toward this lack of access is the Holding Foreign Companies Accountable Act (“HFCAA”). Signed into law in December, 2020, these rules will apply to all companies reporting on forms 20-F, 40-F, and 10-K, and N-CSR. It requires certain disclosures of companies that are audited by a firm that the PCAOB has been unable to inspect. More importantly, HFCAA requires the SEC to delist foreign companies that are audited by a firm in a jurisdiction where access to conduct inspections is denied for three years in a row. Without a transition to a PCAOB-approved jurisdiction/firm, trading of those shares on US exchanges (including OTC) would be halted. Trading can resume once the company retains a firm that PCAOB is able to inspect (for example, a US-based auditor). Further, if the issuer switches back to an auditor in an unacceptable jurisdiction, shares will be halted and will be subject to a 5-year prohibition on trading in US markets. This rule will have a disproportionately direct effect on companies that engage auditors based in China or Hong Kong.

This is the SEC’s latest attempt to address, with real consequences, the PCAOB’s inability to inspect auditors whose public company clients are listed on U.S. Stock Exchanges. While this information is readily available on the PCAOB’s website with a little digging, this shows the SEC and PCAOB’s growing impatience and strong stance to take action. China and Hong Kong have been on the PCAOB’s public list since the list’s creation. Now they stand alone as other jurisdictions have to provide adequate changes to access to move off the list.

The SEC has stated it expects public companies to begin complying with HFCAA in 2023. However, the SEC will not begin counting what they term as “non-inspection years” until the PCAOB finalizes its determination process. The PCAOB process, as of the date of this article, is still a “Proposed Rule” and the comment period closed in July, 2021. Given the Board is currently short two members, with the remaining three members told they will soon be replaced, I expect this reporting won’t occur until at least for 2022 calendar year-end reports. That gives companies and their auditors until at least 2026 before we start to see delistings occur.

What Should Firms Do Now?

I offer these solutions to address these big regulatory changes and minimize the disruption to the quality of the audits of your affected clients:

Consider internally the potential avenues to transition the principal auditor role or substantial role to an “approved” auditor.
Chinese or Hong Kong members of a global network firm should develop a strategic approach with the global network alliance of firms, specifically U.S. firms and other firms in the network that (i) are subject to PCAOB inspection; (ii) have the requisite audit, accounting and US regulation expertise; and (iii) may want to transition to a principal auditor role. This may require a shift in resources and personnel that will take significant time to implement.
If you are a Chinese or Hong Kong member of an alliance, more work will be necessary for a strategic plan, including identifying candidate firms within the alliance, but also identifying other unique challenges, such as how different methodology, audit technology and tools may affect audit performance and the client service experience. Potential solutions might include looking for firms outside the alliance, or other firms joining the alliance to prepare for this shift.
Perform mock or actual joint audits with the potential successor firm to identify differences in approach, potential gaps in systems of quality management, and how this could affect client service and audit quality. Address these gaps over the 3-year period so there are no surprises in the year of transition.
Consider changes to local firm and global client acceptance and continuance policies and procedures.
Improve internal audit quality oversight among the firms, through internal inspection, gatekeeping pre-issuance reviews, and consideration of how regulatory reports from one country can be applicable or a potential opportunity for non-inspected firms to improve audit quality. While each entity within a network or affiliation is a separate legal entity, information sharing of regulator reports helps others in the network improve and prevent deficiencies in other firms not yet subject to PCAOB inspections.

All firms that are directly or indirectly affected by this should discuss with their client now how HFCAA may affect company disclosures, and how it may affect the audit, audit participants, and the principal auditor assignment. Having candid, transparent discussions now will help maintain the relationship and ensure a smooth transition should any transition be necessary.

Enforcement of HFCAA is expected to be some time out in the future and requirements could change. We have yet to see how this will be enforced and what the effect will be to the U.S. and other markets, but we have no doubt the effects of this will result in increased transparency.

Jackson John s on, CPA is president of Johnson Global Accountancy, a public accounting and consulting firm with clients throughout the world. He works directly with PCAOB-registered accounting firms and other firms to help them identify, develop, and implement opportunities to improve audit quality.. He also works with public and private companies on various technical accounting and transactional matters. His experience includes nearly six years with the PCAOB, where he worked with small and medium-sized accounting firms throughout the world, including foreign affiliates of large international accounting firms, in the areas of firm quality control and ICFR audits of financial statements. Prior to the PCAOB, Johnson worked with public and private clients in a variety of industries at Grant Thornton LLP in Boston, Los Angeles, and Hong Kong.

The Regulator Who Cried Wolf: Why is the PCAOB Citing the Same Standards Year After Year After Year?

Fri, 20 Aug 2021 20:02:57 GMT

As children, we all heard the story of the boy who cried wolf. Leaving the sheep and wolves aside, what happens when the audit regulator continues to cite the same auditing standards year after year in its firm inspection reports? Does the PCAOB’s message lose its effectiveness? Does the public become like the townspeople who eventually stop listening or responding?

Did you know that there are currently over 50 auditing standards that have been issued by the PCAOB? 55 to be precise. On top of that there are other various rules over ethics and independence, quality control standards, and attestation standards. Some of the auditing standards are only five paragraphs, such as AS 1010 – Training and the Proficiency of the Independent Auditor while other standards are 98 paragraphs long with as many as three appendices such as AS 2201 – An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statement s.

Wow. That’s a lot of guidance and presents so many opportunities for audit deficiencies. And yet, surprisingly, the PCAOB seems to take issue with many of the same auditing standards year after year after year.

After analyzing the PCAOB’s common findings , we decided to perform our own analysis of PCAOB inspection reports to evaluate the evolution of those reports over time and the nature of the findings described by the PCAOB. Perhaps not surprising, we found many of the same themes that the PCAOB self-reported. However, what was surprising is that approximately 77.8% of the PCAOB’s findings can be boiled down to just a couple auditing standards (AS 2201, AS 2301, AS 2501, AS 2810) and within those standards, the PCAOB seems to generally cite just a couple paragraphs. Add in two more standards (AS 1105 and AS 2315) and you have now accounted for approximately 90.6% of all deficiencies.

The Process

To start, we began by analyzing the general evolution of firm inspection reports. Understandably, early on in its formation, the PCAOB was growing and adapting as it learned what it meant to be an audit regulator. The early reports morphed almost every year. Earlier reports were organized by issue while later reports came to be organized by issuer . Sometimes the reports varied between the detail for Big Four and those for the small and mid-tier firms. Early on, there was no specific citation of auditing standards. In fact, auditing standards were not specifically referenced in the public reports until 2014.

The PCAOB continued to modify reports over time and then with the entirely new Board appointed in 2018, the entire report changed. The inspection reports became more uniform, more condensed, and provided some context for readers to understand how to interpret the results, such as historical inspection results so that readers could understand quality trends.

To do our analysis specifically, we took the information from all domestic inspection reports published from 2017 (after the PCAOB codified the old standards) through July 7, 2021. In Part 1 of the inspection reports, we then counted each time an auditing standard was cited (one reference to a standard equates to one deficiency, regardless of the number of paragraphs referenced). Then we began to aggregate and analyze the data.

The Findings

Let’s take a closer look at the findings and what they indicate:

AS 2201 An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statement (35.8%)

Surprise, surprise. Deficiencies in testing over internal controls have been a challenge since the onset of Sarbanes-Oxley. Over the last couple years, there seem to be more and more concerns related to auditor’s testing over management review controls (MRCs), but this has been the case since 2013 when the PCAOB released SAPA 11 with specific guidance over MRCs. Yet, teams continue to struggle with identifying controls to address relevant assertions, testing completeness and accuracy over information used in controls, and sufficiently testing the design and operating effectiveness of controls. What this means is that in almost 20 years since the onset of SOX, the industry still struggles to “get it right.”

AS 2301 The Auditor’s Responses to Risks of Material Misstatement (17.5%)

The PCAOB references a number of different paragraphs within this standard, but the general issue boils down to the fact that engagement teams fail to design and execute procedures sufficient to address the risk of material misstatement. Some of the guidance is very prescriptive; for instance, for significant and/or fraud risks, auditors must perform a test of detail (no exceptions). For all relevant assertions, engagement teams must perform substantive procedures (no exceptions). However, the overall design of the audit is inherently based on risk. Applying significant, professional, auditor judgment, engagement teams must determine the nature, timing and extent of testing to be performed, taking into account both controls and substantive procedures. The PCAOB’s findings with respect to AS 2301 calls into question the auditor’s ability to apply judgment and effectively design audits to address the risks of material misstatement. Considering how foundational risk assessment is to the overall execution of the audit, this finding carries a lot of weight.

AS 2501 Auditing Accounting Estimates, Including Fair Value Measurements (15.5%)

Again, no surprise here. The continued findings involving estimates is perhaps what spurred the PCAOB to issue new guidance in a revised AS 2501 standard. But let’s be honest, that standard didn’t really change the guidance significantly. It really condensed AS 2501, AS 2502 and AS 2503 into one main standard, but the meat and bones of the audit procedures expected to test management estimates did not drastically change. Despite the continued focus over auditing estimates, firms across the industry are failing to sufficiently audit these areas.

AS2810 Evaluating Audit Results (9.0%)

Scanning through our findings, the deficiencies related to AS 2810 tended to fall into two main areas. First, engagement teams failed to sufficiently consider contradictory evidence. This means that teams did not sufficiently document or dispose of information that might have contradicted management assertions or engagement team conclusions. Second, auditors failed to perform sufficient procedures to conclude on specific accounting considerations and whether financial statements were appropriately presented. Both of these findings are alarming considering audits are designed to act as a check on management. So, to think that auditors are not considering contradictory evidence would inherently call into question the purpose of an audit. In addition, audits are designed to ensure that the financial statements are fairly stated (including presentation and disclosure, which is predicated on accounting considerations). So, to think that auditors are failing to sufficiently audit accounting considerations, again, makes us wonder, what is the audit actually accomplishing?

Other Considerations

As the table shows, there were, of course, other audit areas that are cited. And this is certainly not a complete picture of the PCAOB’s findings. This analysis represents only Part I findings, or in other words, findings that mean the auditor’s opinion is not supported. For instance, a PCAOB comment over audit committee communications would not necessarily jeopardize the audit opinion and so these types of comments have traditionally only been disclosed in Part II of inspection reports, which are private, unless a firm fails to pass remediation. Only recently with the new report format, Part I B discloses some of these findings. As well, this analysis does not take into account clean inspection reports where no Part I issues were identified.

It is worth noting however, of all inspection reports published from 2017 to 2021 (to-date) approximately 58% of firms have at least one deficient audit. That means more than half of the industry is failing in the eyes of the PCAOB. Whoa!

So What Does it All Mean?

Taking a step back, what does the data mean or suggest? For us, it raises several questions:

Does the PCAOB have a moving target?
While the PCAOB has issued new auditing standards, the standards cited above have not significantly changed in the last five years. And yet, despite the lack of significant changes, firms still seem to be missing the mark. In our work supporting firms, time and again we’ve heard engagement teams defend their work, saying, “Well, the PCAOB was okay with this during the last inspection,” only to then get a comment this year on the most recent inspection. This begs the question, does the PCAOB have a moving target? Why is it that management review controls became a hot topic in 2013 and has since yet to be resolved? Were firms sufficiently testing MRC’s prior to 2013 and then suddenly the industry shifted? Realistically, no. Rather, the PCAOB refined its knowledge and understanding and interpretation of the guidance and started issuing comments over MRCs where teams only checked for sign-off. Call a spade a spade; that’s essentially a moving target. We aren’t saying that the PCAOB can’t evolve and refine guidance and/or interpretations, but it also makes it hard to satisfy PCAOB expectations when the bar keeps apparently shifting.

Are the PCAOB’s expectations unattainable?
Perhaps the PCAOB’s expectations are not a moving target. But are they achievable? Audits are predicated on the concept of “reasonable assurance.” What does that actually mean? When an estimate is inherently uncertain and unable to be justified with exactitude, what is defined as reasonable assurance? Despite the recurring nature of these findings, firms are struggling to meet expectations. At a certain point, the regulator has to wonder, are we being reasonable?

How effective is the PCAOB remediation process?
As part of the PCAOB inspection process, firms have one year to remediate issues identified in Part II of the report. Part II includes quality control criticisms that are derived from the Part I findings. Most firms pass remediation, meaning the PCAOB believes the actions undertaken by the firms are sufficient to remediate the potential quality control issues present at the firm, such that they should address the inspection findings. Despite the fact that most firms pass remediation, if we’re seeing the same issues in inspection reports year over year, what does that actually say about the remediation process? Is it actually effective? Do firms understand the root cause of the issues? If a firm fails to remediate the QC criticisms, the PCAOB will release those Part II criticisms to the public. For context, this has happened a handful of times for various firms; for one of the Big Four firms, out of the 17 inspection reports published for the US firm, the PCOAB has released portions of the Part II report only twice. Is the threat of releasing Part II sufficient to encourage firms to effectively remediate issues? And is the remediation process actually working if we’re still seeing the same issues surface across the industry year after year?

Is the PCAOB doing enough to provide relevant guidance?
When the industry continually fails to achieve expectations, it is incumbent upon the regulator to understand why. Should the PCAOB be providing more guidance to help firms improve quality and better understand expectations. On inspections, the PCAOB currently focuses on identifying the issues, but does not provide guidance on how to fix them. Even the comment forms issued after an inspection read as a “failure” without providing guidance on what could be done to improve the testing or to avoid the issue. While we realize there is no “one way” to perform an audit, perhaps in addition to identifying the failures, the PCAOB could start to offer solutions such as “here’s what you could do.” In fact, for many of us at JGA, this is what prompted us to leave the PCAOB. We got tired of merely pointing out the problem without providing solutions. Maybe it is time the PCAOB put itself in the shoes of the firms and offer guidance on what firms could have done differently to overcome the issues.

What will it take for the industry to finally achieve audit quality in the eyes of the PCAOB?
We would be remiss to point all fingers at the PCAOB without taking some responsibility as an industry. In our role supporting firms, there are those engagement teams that put a lot of effort and barely miss the mark; when the PCAOB issues comments in these situations, it makes us wonder about “moving targets” or “unattainable expectations.” But let it also be known, there are situations where audit firms grossly miss the mark and these are the situations for which PCAOB inspections were designed; to identify audit quality concerns. These situations are where firms need to take a serious look at “what went wrong?” and take ownership over the fact that there were quality control issues. Perhaps firms need to revisit staffing and ensure jobs have the appropriate resources, both in terms of number of staff, knowledge of staff, and time allocated for engagements. Perhaps firms need to provide additional guidance, tools and templates to their staff to help enable effective quality audits. This is exactly what the remediation process is designed to do. Maybe this is a wake-up call for firms to commit more resources to ensuring all audits are performed in a quality manner.

Not only is it the same deficiencies, but looking at reports published from 2017 through 2020, there are more and more deficiencies being cited per inspection report. That’s not a positive trend. We think the industry overall would agree that the PCAOB has brought about significant change and audit quality has improved from the turn of the century. But have we reached a plateau? What will it take to tackle these recurring issues? And is the PCAOB merely crying wolf in citing the same standards year over year over year without taking action to effectuate change? Give it enough time and people stop listening when it’s the same message and there’s no change. What will happen then when the PCAOB finally spots an actual wolf and identifies a truly egregious audit issue?

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

JGA is Proud to Support the Boys & Girls Clubs of Greater Kansas City

Thu, 19 Aug 2021 01:39:54 GMT

Kansas City, Kansas: On Saturday, August 14th, Johnson Global Accountancy (“JGA”) took part in celebrating the 25th Annual Kids Night Out, an exciting evening to benefit children served by Boys & Girls Clubs of Greater Kansas City.

"We were so pleased to sponsor this event. It's been a long time since we've been able to see JGA colleagues in person and share an evening with the greater Kansas City community,” stated Jackson Johnson, President of Johnson Global Accountancy. “This annual gala is the primary source of funding for their programs. The evening raised $2.4 million, which is a new record."

Dane Dowell, JGA Director, and Jackson Johnson, JGA President, at the Kids Night Out Gala.

The Boys & Girls Clubs of Greater Kansas City has been serving this region for over 100 years and now operates 12 locations, changing the lives of at-risk youth. In addition to Jackson, other attendees included Joe Lynch, JGA Managing Director, and Dane Dowell, JGA Director.

Click here to learn more about the Boys & Girls Club of Greater Kansas City and support their fine work.

About Johnson Global Accountancy

Keeping up with Technology: Aligning Career and Training Paths of IT Auditors

Wed, 28 Jul 2021 21:27:18 GMT

Companies of all sizes are spending money and allocating significant resources to implement more complex financial reporting applications. The adoption of new technology systems has accelerated in recent years to a point where we see many small and mid-size companies taking advantage of new software and applications previously adopted only by their much larger counterparts. We know that it is becoming almost impossible to audit many companies without having controls over systems and the information produced from those systems . We sometimes hear audit teams say the new system did not change anything associated with financial reporting. This can quickly be challenged with a simple question ‘why did the company spend resources and money to maintain the same manual process and controls as before?’

Now more than ever, it is important that auditors understand and consider the impact of technology on financial reporting. It is critical for all audits, not just those that test internal controls over financial reporting. But, in our work with firm leadership and their engagement teams, we have seen that this opportunity to improve audit quality is made more difficult because IT auditors tend to be segregated from the rest of the audit team. In addition, we have seen cases where the performance goals of an IT auditor are aligned differently than their financial audit peers. These are important issues that we are working to address in the quality control systems and audit rooms of our clients.

Here are some solutions that audit quality leaders at firms should focus on changes to bring the teams into closer alignment.

Develop a robust IT Audit Program and Career Path

Historically, a deep technical understanding of systems has not been part of the financial statement audit. Therefore, it makes sense that the traditional career for auditors does not always allow professionals to gain specialized knowledge in new technologies, advancements and processes. Most IT audit groups or practices are loosely tied to the core audit team. Even if firms say “the IT audit group is part of audit” a few quick questions will reveal their goals and key incentives are often tied to revenue outside of ICFR audits. Teams tend to be part of larger consulting practices with conflicting demands resulting in IT auditors prioritizing more lucrative projects over ICFR IT audit work.

Traditional audit resources at public accounting firms follow the new hire to partner career trajectory. Currently, the audit work is structured to use this career path to train, develop, and promote the staff resources which maintains a focus on the busy season cycle which serves a client or a group of smaller clients through the annual audit cycle.

Firms should consider these steps when evaluating their IT audit needs:

Evaluation – Take stock in complexity of systems used by all of your audit clients.
Inventory – Take an inventory of the firms’ IT audit skills.
Planning – How many IT auditors should your practice have?
Survey – Ask team members if they are interested in an IT audit career trajectory.

We have seen these exercises are useful not only to understand gaps between talent and client needs, but also in preparation for upcoming quality control standards .

Design a Training Program and Path

Traditionally, IT auditors have a technically diverse background which includes accounting and audit experience related to internal controls. The IT auditors also incorporate technical experience that is often tied to specific systems or applications. IT audit skill sets are rounded out by solidifying knowledge related to testing IT general controls, including automated functionality that companies implement to process transactions for financial reporting. These skills cumulate into an auditor that has specialized knowledge of how companies are using and controlling the accounting information system to support key aspects of financial reporting.

We have found that some of the strongest IT auditors start out as core audit team members that are trained to focus on the IT aspects of the financial audit. This might be different from your regular IT consulting professionals that performs IT audit support. Moreover, this diversity of skill sets at the core team level has resulted in the best integrated team.

Firms should consider developing a separate track within the audit practice for IT auditors focused on financial statements. Ideally, the path should start at the associate level with a planned career path to partner. Associates looking for an alternative to the traditional audit progression can sign up (or be tapped) to specialize in this important and growing area of need. They should still be trained in the traditional audit process, but with these additional IT trainings.

Plan for the future

Technology is not going away; it is only going to get more complicated and more embedded. As we continue to discover new ways to connect and assemble our audit teams using technology platforms and creating virtual audit groups, we should also seriously consider how to hone and develop our IT audit skills and professionals.

Take this opportunity to start a strong pipeline of dedicated IT audit professionals that assist our teams in asking the right questions, consider the right controls and innovate the audit process at the core team level. As someone very smart once said, the best time to plant a tree was 20 years ago, the second best is now. Start building your pipeline of skilled professionals now, to support your firm needs today and into the future.

The Rise of ESG Reporting: What is the Auditor’s Role?

Wed, 21 Jul 2021 16:58:42 GMT

The Rise of ESG

Environmental, social, and governance (ESG) considerations have been around in various forms going back decades. However, only in recent years has ESG reporting become an area of growing interest for a wide range of financial statement users and stakeholders – including investors, accountants, credit rating agencies, lenders, regulators, among many others.

So why is ESG the hottest topic in public company disclosure?

One of the reasons is that ESG-related concerns matter to an ever-broadening population of stakeholders, including millennials and iGens ¹ . Many socio-economic factors are considered extremely important to these groups – protecting the environment, concerns over climate change, poverty, appreciation of the need for diversity based on race, gender, and sexual orientation…the list goes on. This expanding base has (and will continue to have) a lot of influence and make their purchasing / consumption / investing decisions based on ESG considerations. A company that exhibits a focus on protecting the climate is generally going to have a better chance of earning their business rather than a company who has no appreciation for what matters to this base.

Accounting regulations that currently apply to ESG reporting

From an accounting point of view, there are a variety of reporting frameworks in place that public companies currently use to present their ESG information. However, these frameworks are not broadly adopted, nor do they always use consistent metrics and disclosures. Many large asset managers are calling on companies to use standards set by bodies such as the Task Force on Climate-Related Financial Disclosures and the Sustainability Accounting Standards Board . In March 2021, the FASB published a staff educational paper to provide stakeholders with an overview of how ESG reporting intersects with existing financial accounting standards . While the educational paper is not formalized guidance, it provides some illustrative examples where the accounting profession, based on current standards, should be considering ESG when it is preparing its public reports. Examples provided by the educational paper include:

Going Concern – When performing its going concern determination, management may need to consider the effects of environmental matters (e.g. related to newly enacted emissions regulations) that may be material to an entity to meet its financial obligations and thus could affect its going concern assumption.
Inventory – In determining the net realizable value of inventory, management will need to consider factors like regulatory changes that make inventory obsolete or perhaps a significant climate event that causes physical damage to an entity’s inventory.

Due to the variety of approaches/frameworks out there, none more generally accepted or popular than others, making ESG comparisons between companies can be very difficult for stakeholders, even in the same industry.

Current responsibilities of auditors

When issuers include ESG reporting in documents that are part of audited financial statements (i.e. an ESG attestation report is included as an addendum or part of a Form 10-K filing), auditors should consider the requirements of PCAOB Auditing Standard (“AS”) 2710, Other Information in Documents Containing Audited Financial Statements . AS 2710 lays out an auditor’s requirements for other information that is included in a document such as a Form 10-K or annual report. Although an auditor’s responsibility does not extend beyond the financial information identified in the auditor’s report, AS 2710 requires that the auditor read the other information, including ESG information, and consider whether this information, or its presentation is materially inconsistent with the information or disclosures in the financial statements. The Center for Audit Quality has acknowledged in reported articles that a material misstatement of fact is a fairly high bar and, given the nature of ESG information, it will probably be highly unlikely that an auditor would be aware of a misstatement of fact seeing that this information is outside the scope of its audits of an issuer’s financial statements and internal control over financial reporting. In cases where ESG information is not included in financial information that includes the issuer’s audited financial statements, the auditor has even less responsibility.

Future responsibility of auditors

Many of the qualitative disclosures and metrics used in ESG reporting that were mentioned above are not governed by any established framework (unlike GAAP for accounting or COSO for ICFR, etc.). I expect that stakeholders will at some point require ESG reporting to be subject to the same level of rigor under a uniform framework that would ensure consistency of application and that the information underlying the ESG reporting is accurate and appropriately applied.

Although the reporting of ESG information presents a challenge to companies, auditors have the perfect opportunity to transfer some of their accountability, impartiality, and standards-based analysis to perform oversight over ESG reporting. Public company auditors already have a base skillset and a place in the financial market system to lead stakeholders in this area:

Auditors adhere to strict ethics and independence standards and require their professionals to maintain continuing professional education.
Auditors have experience understanding and interpreting frameworks and adapting to changes happening around them.
Auditors have experience working with organized teams of professionals who have access to knowledge and expertise from sources internal or outside the firm, including subject matter resources.
Auditors have familiarity working with specialists when extensive experience is required that they do not have internally.
Last but not least, auditors have experience in compliance reporting engagements and executing their work within a system of quality control.

The press has reported that auditors are already using their skills to provide assurance over ESG information. Many of the leading companies in the United States (Coca Cola, Nike, and Starbucks for example) are already engaging auditors to evaluate their ESG reports to be able to provide some reliability of these reports to stakeholders. In fact, the CAQ reported that auditors already provide independent assurance for more than ten percent of S&P 100 companies’ ESG reports. This trend will grow as investors and other stakeholders increasingly look to public companies to disclose their ESG metrics and expect independent auditors to validate those disclosures. A company’s objectives when presenting its ESG information will affect the scope and level of assurance they seek from their auditor. The types of services may include:

Examination – the auditor provides an independent opinion as to whether the ESG information is reported in accordance with certain agreed-upon criteria. This type of service is considered the closest equivalent to the reasonable assurance statement made by an auditor in a typical audit.

Review – the auditor expresses a conclusion whether material modifications should be made to the ESG information so that it is reported in accordance with agreed-upon criteria. Review engagements are less in scope than an examination engagement and provides limited assurance.

What the road ahead looks like

There are various U.S. regulators, and reporting bodies, and stakeholder groups that are expected to step into the fray to help determine ESG reporting guidance – the CAQ, the SEC, the PCAOB, and the AICPA. From an accounting perspective, SEC Chair Gensler’s recent remarks make consideration of ESG reporting a clear priority of the SEC. As the SEC oversees the PCAOB, the SEC will probably require the PCAOB to explore providing guidance to auditors to assist them:

As they consider ESG when performing their financial statement and ICFR audits, and
when they are called upon to report specifically on a company’s ESG disclosures.

Prior to his departure from the PCAOB, Board member J. Robert Brown was considered the most outspoken proponent (probably the only vocal proponent) of ESG reporting out of the then PCAOB Board members. Currently there are only three Board members appointed at the PCAOB and the SEC has announced that their seats will be coming vacant soon. Dan Goelzer (ex- PCAOB Board member and acting chairman) discussed during a July 2021 Bloomberg Tax podcast that the process of vetting and appointing all five new Board members at the same time could be a major hurdle that delays the PCAOB’s progress on broadening the scope of reporting of ESG indicators. My expectation is that the three remaining Board members would probably leave this hot potato for a future, five-person Board to tackle.

The PCAOB should be taking a prominent lead to define the role auditors can play to make investors confident over ESG-related information. There are many ESG considerations that need to be evaluated – as an example, could materiality (defined as that which would impact an investor’s decision) take on a different form in the future? The SEC thinks so .

Already the PCAOB is falling behind as the IAASB has issued its quality control standards in 2020 and the AICPA has issued its own QC exposure draft for comment. I hope the PCAOB and the SEC will lead the charge of such an important initiative. Auditors should continue to take a lead role in driving the regulators to reach this end goal. Stakeholders want to rely on what companies report and disclose through a formalized framework applied by companies and subject to consistent procedures performed by their auditors. With different frameworks out there, different interpretations of such frameworks, and different levels of services provided by auditors, it is almost impossible for stakeholders to make informed and reliable decisions.

¹ People born approximately between 1995 and 2012 who have been exposed to technology and the 1990’s web revolution and thus have had access to information on the internet their whole lives.

Johnson Global Accountancy Releases Whitepaper to Help PCAOB-Registered Firms Worldwide Navigate the Inspection Process

Tue, 22 Jun 2021 13:55:40 GMT

LOS ANGELES, CALIFORNIA: Johnson Global Accountancy (JGA) has published a new whitepaper examining the key considerations faced by public company auditors during their PCAOB inspections. Drawing experience as audit and audit regulation experts and advisors to firms worldwide on all aspects of audit quality improvement, the JGA team has authored NAVIGATING PCAOB INSPECTIONS: Understanding the Inspection Process from Start to Finish .

The 55-page guide includes:

A roadmap through the entire PCAOB inspection and remediation process,
Actions to apply and implement continuous audit quality improvement,
Best practices to reduce regulatory risks, and
Lessons learned from JGA’s work with small and large firms worldwide.

Printed copies are available upon request. A download is available on JGA’s website at https://www.jgacpa.com/navigatingpcaobinspections .

About Johnson Global Accountancy

###

ITGC Deficiency Evaluation: Why Understanding the Transaction Process is So Important

Thu, 20 May 2021 20:54:08 GMT

Over the years, we have noticed a common trend in IT audit issues in PCAOB inspection reports that can be grouped into two general topics:

Inadequate scoping of IT systems for controls testing, and
Evaluating Information Technology General Controls (ITGC) deficiencies.

Inadequate scoping of IT systems for controls testing generally happens because the audit engagement team does not have a complete understanding of how the systems process the transaction, miss scoping of important systems, and the related risk assessment falls short.

It is critical that the audit team understands which systems support important business processes through an integrated and thoughtful risk assessment. While the concept is simple, we often see cases where teams are not taking the time to properly understand and document the process with the company and the full audit team, including IT audit team members. Working as an integrated team is paramount to an effective risk assessment. Inadequate teaming can result in an incomplete list of key systems for ITGC testing or testing a set of systems that do not completely represent the true business process flow. This results in scoping and testing gaps.

The second most common IT-related finding, evaluating ITGC deficiencies, is often the result of team missing the full understanding of the systems when planning and performing a risk assessment. Once again, when audit teams have breakdowns in gaining a complete understanding of how the system processes the transaction, the information is not available to properly assess the impact of control deficiencies relating to systems.

As we approach the middle of Q2, interim testing and planning ITGC scoping for calendar year-end audits, now is the best time to discuss these points with your engagement team. Here are some of the ways firms and their engagement teams can start to address issues relating to incorrect systems in scope for control testing and the evaluation of ITGC deficiencies.

Align System Scoping with Risk Assessment

Engagement teams work hard to perform risk assessment procedures that are founded on their understanding of the flow of each set of business transactions. As you look to identify systems for control testing, be curious about the business you are auditing. Challenge teams to take that understanding one step further and truly dig deep into the systems and the data that supports the transactions being audited. This requires an integrated audit team member(s) with technical understanding of systems and how they process transactions that contain audit risks, especially significant risks.

As an integral part of risk assessment, scoping procedures should include:

Specific names of applications in all audit documentation,
All applications and modules used in the process,
Documentation of a simple flow of the transactions,
An understanding of the variations of processing transactions, and
Non-core applications or bolt-on modules to an in-scope application.

Take Teaming to the Next Level with Joint Walkthroughs

The collective audit team (including IT auditors) must understand how the transaction makes its way through the processes. Usually a simple process flow, connecting each step of the process, will allow key controls to be easily identified along with what systems are supporting the flow and how data is captured and usually includes:

Transaction path from cash to financial statement,
Policies and procedures that apply,
Employee interaction and notification, and
The underlying technology enables each step along the way.

Our suggestion to capture the simple flow is to gather key team members for a whiteboard session. Start with the transaction (payment, shipment, sale, etc.) as one image/shape on the board. Then, ask the group, “What happens next?” adding on that action. After it is complete, circle back an ask, “How does the information move from one step to the next?” If these steps are repeated until the transaction makes it to the financial statements, it will help the engagement team see new areas or have a deeper understanding of what was previously documented. Through this exercise, teams benefit from a clear picture and can quickly identify the appropriate follow-up questions. As the team gains this understanding and asks more questions, we typically see new processes, interfaces, applications, and databases get introduced to the audit team. This complete picture is critical to the audit, and can confidently determine what should be scoped in and what could be scoped out.

Evaluate ITGC Deficiencies Against the “Integrated” Scoping and Risk Assessment

As the engagement team runs into control deficiencies, they will have a good understanding of how the issuer’s processes, policies, people, and procedures work to produce the financial statements. Consider responding by adjusting some audit procedures:

Go back to documentation of why the deficient system was originally scoped in.
Link the key controls that are dependent on the deficient system (it could be several processes).
Tie in the original risks and “what could go wrong” analysis when the team planned the audit, with the evaluation of the ITGC deficiencies.
Review the planning understanding, testing and conclusion to ensure a logical flow across the file.

The next time you purchase your morning coffee let your mind wonder and think like an IT auditor: How does that payment make its way to the financial statements of a large publicly-traded coffee shop? What are all the different systems used to support the processing of the actual payments and get the money to the bank and to the quarterly report?

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

Hurry Up and Wait: The Importance of Performing Remediation Early

Tue, 18 May 2021 21:56:35 GMT

Still waiting for the PCAOB to issue your 2019 or 2020 inspection report? Don’t worry, you’re not alone. Last Fall we analyzed report data and wrote about on the PCAOB’s slow pace in issuing its overdue inspection reports . The main reason provided by the Board for the delay was that they were transitioning to a new format for the inspection report which was first released back in the summer of 2020. In recent months, the regulator has since kicked it into gear and is clearing its backlog, issuing a flurry of 51 reports since early April, with approximately half of them including at least one inspection deficiency. Compare that to only 46 reports issued in 2020. Despite this recent activity, there are still hundreds of 2019 and 2020 inspection reports yet to be issued. Based on recent speeches , the Board expects the delayed reports to be issued throughout 2021.

However, what does this delay mean to your firm? What are the repercussions of receiving a delayed report? We’ve been having many discussions with clients and other firms about how this overlap is affecting them. Below, we offer some best practices to keep a proactive approach despite these delays.

Potential Upcoming Inspections

As a triennially inspected firm, you may think you are safe from the next PCAOB inspection until you at least get your last report. That’s typically how it worked in the past. Unfortunately, think again. Even though firms haven’t received 2019 and 2020 inspection reports, many firms have been notified of yet another inspection. That’s right, your firm could be subject to another inspection before the Board has even issued your 2019 inspection report, before you’ve implemented all the remedial actions to address the deficiencies from the last inspection and before the PCAOB concluded on the efficacy of your firm’s remedial actions. Wow! The reality is that even triennially inspected firms could be managing multiple inspection cycles at the same time (although each at different points in the cycle) – causing an unnecessary drain on firm resources.

The Drain on Firm Resources

National office professionals who are working on implementing remedial actions to address 2019 inspection criticisms will now also be required to deal with issuer engagement and QC questions/issues arising from a potential upcoming inspection. This also means that because there are overlapping inspection cycles, your firm may have QC criticisms repeated in the 2021 inspection report. You may have remediated these criticisms as part of the 2019 inspection remediation, but those actions may not have gone into effect until after the 2021 inspection. It can get complicated, we know, especially when trying to demonstrate to the PCAOB how remedial actions were sufficient, despite potential 2021 inspection findings.

Many firms are also deep in the throes of evaluating and implementing the new QC standard that was recently issued by the IAASB (with the AICPA and PCAOB following close behind with their own standards). As firms have started this evaluation process, they are starting to realize the sheer scope of implementing the new QC standards. Designing, implementing, and testing their own internal QC process is a monumental task that is going to take a lot of time, manpower, and resources. My colleague, Dane Dowell, recently published the eye-opening and informative article Bridging the Gap: ISQM 1 and the Knowledge and Resource Gaps to help guide you the planning and prioritization of that process.

The Drain on PCAOB Resources

While the audit regulator may issue hundreds of inspection reports in 2021, this will also mean that hundreds of firms will all be in their 12-month remediation window all at the same time. This bottleneck will create a great deal of strain on the PCAOB staff who are designated with the task of evaluating firms’ remedial actions. Firms are encouraged to engage in dialogue with remediation staff to review draft remediation submissions. In doing so, firms get feedback early in the process allowing time to revise or supplement their remedial actions before the end of the 12-month deadline, helping ensure a favorable determination from the PCAOB . Hopefully the Board will increase the number of its staff who are responsible for evaluating firm remediation responses, but if not, then the PCAOB may have a tough time providing timely feedback to individual firms.

What Firms Can Do

We recommend that you plan to get your draft remediation response in front of the PCAOB staff as early as possible along with the following:

Perform AS 2901 and AS 2905 procedures immediately upon receiving a comment form after an inspection. Even if you disagree with the issue in the comment form, rarely does an engagement team’s response change the PCAOB’s position. They would’ve had all the facts at the time of the inspection. Unless you raise some new audit evidence from the audit file in your response that the PCAOB had not previously seen, your issue will likely still be included in your inspection report.
Evaluate potential root causes for each comment form deficiency. The sooner the better, so consider performing this analysis after you receive comment forms. As a side note, the new QC standards being issued by the major regulatory bodies are all requiring root cause analysis to be performed, so you may as well start the process as soon as you can.
Consider QC remedial actions based on the results of your root cause analysis. It is generally safe to say that inspection comments will translate to Part II QC findings in the inspection report (which remain non-public so long as the deficiency is satisfactorily remediated). You don’t need to wait until you get your draft inspection report to begin the remediation process. Consider each comment form issue and potential remedial efforts might address the deficiency at a firm-wide level that. For instance, if you received a comment over auditing estimates, consider doing a firm-wide training or creating an audit tool or template to assist teams with auditing management estimates. Start your firm’s QC remediation activities immediately after you receive any comment forms at the end of the inspection.
Prepare your draft remediation response timely. If you have performed the steps above, be ready to provide a draft remediation response to the PCAOB staff as soon as your final report is issued. As mentioned above, receiving feedback from the remediation staff is important. These discussions will give you a sense of how impactful your remedial actions are. Early draft submissions within the 12-month remediation window should help you address any significant shortcomings. And, due to this current backup situation, we anticipate hundreds of firms entering their 12-month remediation period at the same time. So, submit early to allow for extra turnaround time.

Considering the potential delays with the PCAOB, as an alternative or in complement, consider engaging an outside consultant with PCAOB-specific experience who can provide feedback on root causes and your planned remedial actions. A fresh perspective rooted in PCAOB experience is sure to help refine your remediation submission.

ISQM 1 Implementation and its Effect on Remedial Actions

ISQM 1 explicitly requires firms to link deficiencies arising from monitoring activities (which includes external inspections) to potential gaps in a firm’s QC process for purposes of its ISQM 1 analysis. In fact, PCAOB comment forms already request that firms describe the relevant controls (i.e. policies and procedures) within the firm’s system of QC that was designed to prevent or to detect and correct the deficiency presented within the comment form. In addition, for each control identified, the firm is asked to describe the risk that the control was designed to mitigate. Thus, as firms perform their comment form evaluation, this will inform them of potential gaps in their ISQM 1 analysis that need to be addressed through revised QC controls along with other remedial actions. This will require even greater coordination between those in leadership who are reviewing comment forms, those who are responsible for remediation, and those who are tasked with implementation of ISQM 1. These should not be performed in silos!

Prevent a Similar Drain on Firm Resources

If our predictions are correct, these overlapping issues along with other QC initiatives will add further pressures on your firms already stretched resources. Many firms are starting to plan out how they will internally staff for the QC standards implementation (including which tools they should use to document and test their QC processes). Now is the best time to consider if you have the appropriate resources to handle all these competing priorities. You may be forced to reallocate internal resources or hire additional resources to fill these roles.

Whether you’re scheduled for a 2021 inspection or not, the current backlog in issuing inspection reports, will weigh on the process and affect firms directly. It is in the firms’ best interests to act quickly and address remedial actions in 2021; more quickly than in past inspection cycles. By remediating early, your firm can prevent the mad scramble with all other firms in month 11 of your remediation window period. In addition, keeping this proactive mindset will help advance other important initiatives where remediation insight will be important, such as ISQM 1, implementation.

Geoff Dingle , JGA Managing Director, works with PCAOB-registered accounting firms helping them identify, develop, and implement opportunities to improve audit quality. With over 20 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Geoff has extensive experience in audits of ICFR and firms’ systems of quality controls. Prior to the PCAOB, he worked on audits in various industries at Deloitte in Atlanta and Durban (South Africa).

Bridging the Gap: ISQM 1 and the Knowledge and Resource Gaps

Thu, 13 May 2021 12:36:34 GMT

Many in the profession remember passage of the Sarbanes-Oxley Act of 2002 and the amount of time and effort that went into the adoption and implementation of internal controls over financial reporting (ICFR). Issuers worked months upon months with consultants and audit firms to create an internal controls framework and to formalize processes so that both management and the auditors could opine on the design and operating effectiveness of ICFR.

Now, with the adoption of the International Standard on Quality Management 1 ( ISQM 1 ), issued by the International Auditing and Assurance Standards Board, the profession is bracing for yet another significant change in the industry. Whereas 404 regulated internal control requirements for public issuer companies to ensure quality financial reporting, ISQM 1, for lack of a better comparison, is essentially laying the groundwork for internal controls for audit firms to ensure quality audits.

Though the PCAOB is lagging behind in its QC standard setting process, it has repeatedly indicated that its new QC standard will pull largely from ISQM 1, as was evidenced in the PCAOB QC Concept Release . ISQM 1 is intended to be scalable, but regardless the size of the firm, all firms will be required to design, implement, and certify the effectiveness of controls that address specific audit quality risks.

Isn’t that already in place with the PCAOB’s current QC standards? ¹ Technically, yes. In fact, many of the components of ISQM 1 are already part of current PCAOB standards. While there are new incremental requirements under ISQM 1, principally around risk assessment, root cause analysis and remediation, what make ISQM 1 unique is that audit firms, similar to public companies, will now have to annually assess the effectiveness of their systems of quality management.

Similar to the early days of SOX 404, the weight of ISQM 1 (and the anticipated changes to PCAOB QC standards) is leaving many feeling overwhelmed and unsure where to begin and how to bridge the gap, or should I say gaps (plural), from current QC standards to the new ISQM 1. In my perspective, just like with the advent of internal controls, there is first a knowledge gap and then a resources gap.

The Knowledge Gap

The phrase we’ve been hearing from our clients on this and other audit quality issues is, “We don’t know what we don’t know.” As is often the case with any new guidance, whether accounting or auditing, it takes time to fully digest and understand the literature. Through webinars and articles, many learn about key talking points, such as the new requirement for firms to perform risk assessment or to perform root cause analyses, but what do these concepts entail?

For instance, take risk assessment; what does it mean for an audit firm to perform a risk assessment over its system of quality management? Though firms have become accustomed to performing risk assessments over financial statements when designing an audit, risk assessment over a firm’s system of quality management is foreign. What are the components of the risk assessment? ISQM 1 provides certain required quality objectives, but the guidance does not say it is an exhaustive list. Each firm will need to consider other potential risks. Have all relevant risks been considered? What is the right level of granularity?

Or take root cause as a different example. Root cause has been talk of the town for the past couple years, especially in the “best practices” arena. Now, with ISQM 1, it will become a mandatory component of firms’ systems of quality management. What is the methodology and process to execute an effective root cause analysis? What happens with the results of the root cause analysis?

Start at the Source: Read the Standard

I recommend firms take the time to sit down and actually read the ISQM 1 standard. Although the PCAOB standard will not be issued and effective for several more years, the general requirements are already known and the sooner firms start to internalize the information and have conversations about the new requirements, the more they’ll synthesize and start to understand the potential impact these standards will have. Along with reading the standard, take this time to read other viewpoints about ISQM 1 whether industry publications or thought leadership from large firms who have taken a lead on implementing the new standard.

Create a Gap Analysis

After reading the standard, revisit QC manuals and start to draw linkages between current policies and what is in the new ISQM 1. This a “gap analysis,” will highlight the key differences and make it easier for you to see what’s new. Then, start to have conversations internally with firm leadership as well as externally with peers. These conversations will help stimulate thought about the new guidance and provide diverse perspectives on how other firms are interpreting and implementing the new requirements.

Engage Specialized Knowledge

Finally, don’t be afraid to ask for help. We have started working with multiple firms to help them understand the new requirements, perform the gap analysis, risk-rate controls, and redesign QC policies to comply with ISQM 1. Through our experience as inspectors critically evaluating hundreds of firms’ QC policies from all over the world and now working with firms to improve their systems of QC, we have gained incredible insight into effective systems of quality control that cut across all sizes of domestic and foreign firms. Regardless the actions you take, it starts first with learning what you don’t know and getting the right knowledge.

The Resource Gap

And now that we know, or at least know what we don’t know, the next big hurdle in the implementation of ISQM 1, much like SOX 404, is the resource gap. Though many aspects of firms’ systems of QC will remain unchanged (for instance, I would expect that most independence policies and procedures will remain unchanged), the new requirements around firm monitoring, including root cause analysis and remediation at the engagement level as well as the requirement to test and evaluate the effectiveness of a firms’ system of QC will be a huge undertaking. In an industry where busy season seems to last all year now, do firms have the capacity to design and implement controls to comply with the new requirements of ISQM 1?

Despite its “scalability,” in my perspective, ISQM 1 is a significant undertaking. I think firms that want to be successful need to consider the reality that ISQM 1 may require additional resources, which means additional investment.

Designate Implementation Champions

The first resource is typically “human capital.” Firms should consider designating specific employees to take ownership over ISQM 1 implementation. Perhaps its an ISQM 1 Champion or a team of individuals that works individually to address specific components and collectively to ensure the plan is cohesive and interconnected. Depending on the size of the firm, this could be a part-time job for one individual or a full-time job for a team of individuals for a couple years.

Build Out a Perpetual QC Team

Beyond just the implementation, however, firms will need to build in additional time and resources to execute the updated QC policies, and certify to their effectiveness, on an annual basis. The monitoring program both at the engagement level and the firm QC level is going to need to be much more robust. Given the need to perform root cause analyses as well as perform remedial actions for negative findings, engagement level monitoring programs are going to be much more comprehensive. In addition, the requirement to evaluate the effectiveness of the firm’s QC system will require time to test controls, analyze the results, and evaluate implications from the findings (i.e. impact on the firm’s risk assessment, new controls to address potential risks, etc.).

Invest in Technical Resources

Finally, firms will need to consider additional technological resources. In fact, ISQM 1 has a component dedicated just to the sufficiency of resources and specifically calls out information technology. Establish mechanisms to track, communicate and report information reliably. While some firms will continue to use more manual processes mixed with excel templates, many firms will need to consider implementing new IT systems to assist with the expanded requirements of ISQM 1. I personally think this is important for all firms to consider as IT continues to play a greater and greater role in all aspects of business. While an IT investment is a significant upfront investment, it is intended to drive future efficiency. Don’t be afraid to ask the question, “How can IT help me do this?”

To the extent firms struggle to find resources internally, many will need to look externally, whether to hire in or to partner with during the implementation/transition period. We already assist many firms with various aspects of QC, such as monitoring and pre- and post-issuance reviews, consultations, policy reviews, etc. In addition, we’ve also started researching various technological resources to help support firms as they consider implementing new systems. We’re here to help, whatever your question or need.

ISQM 1 is a large undertaking. Thankfully, there is still time. And thankfully you don’t have to go it alone. The whole industry is going to have to adapt and much like we did for SOX 404, we’ll partner together and embrace the changes. There will be learning curves as we grasp the full extent of the changes required; that’s the nature of overcoming any knowledge gap. And of course, there will be moments where we feel overwhelmed with the amount of work to do to get ISQM 1 compliant; that’s the nature of overcoming any resource gap. But together, we’ll get through yet another major change in the industry and in the end, we hope it truly does result in better audit quality.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

¹ For more information on the need for new standards: https://www.jgacpa.com/why-do-we-need-new-quality-control-standards-don-t-we-have-them-already

Refocusing on Audit Integration: Why are IT Audit Issues Increasing?

Thu, 22 Apr 2021 02:12:02 GMT

Internal controls over financial reporting (ICFR) audits are seeing an increase of audit failures related to the technology aspect of the controls. PCAOB inspection reports issued in 2020 and 2021 show audit teams continue to struggle with scoping, understanding, and concluding on the underlying systems supporting financial reporting transactions.

Most business processes have the support of powerful applications and processing for companies of all sizes. Technology is empowering the smallest companies with sophisticated ERPs that have fantastic reports, dashboards, application configurations to prevent errors, and real-time transaction processing. These advancements for companies have caused resource and skill gaps for the firms that audit them. In addition, these advancements have made many audits inefficient or ineffective unless they are performed through the systems with an integrated audit team knowledgeable in IT.

Information technology general controls (ITGC) risks are conceptually difficult to maintain perspective when dealing with the audit conclusions. The knowledge of applications, operating systems and databases along with the potential impact to your audit, is often fragmented across several team members. Challenges with integrating the knowledge of technology along with audit is often illustrated when ITGC deficiency evaluations disrupt the whole audit process. Unfortunately, many of the recent PCAOB reports have examples of ITGC issues related to deficiency evaluations where engagement teams failed to properly respond to the risk, some even missed reporting of a material weakness.

So often teams fail to understand how information technology systems support the business transaction and financial reporting process. Audit teams that start these discussions, with IT audit, during the initial walkthrough and planning phases of the audit are set themselves up to reaching the conclusion that supports the audit opinion of the year-end filing.

With tight budgets and a high demand for resources that are in short supply, firms frequently ask us for advice on how to address these issues. Based on our work with firms, here are some of the components that we see making a big immediate impact on audit quality:

Establish a Base Audit Environment. Foundational elements of this integration include prepared team members, who openly collaborate in an objective way to avoid biases. Preparation relates to knowledge of the industry, accounting, or control area. Firm and engagement leadership must enforce meetings, logistics and other cross team discussions.

As tools take a new meaning during times of remote working, engagement team members have quickly adapted. Think of a base environment that maintains a few key elements:

Prepared team members
Objective views
Technical knowledge
Digital enablement
Collaborative
Leadership tone supporting integration

Proactively and early integration of all team members . Audit firms with a top-down tone of integration, combined with the action of incorporating team members with different experiences and areas of expertise, will lead to a comprehensive understanding of the business cycles. These different areas can include understanding in technology, tax, using an industry specialist, and areas requiring judgement by those with specialized knowledge of a topic. A tactical example would be joint risk assessment discussion, including all IT auditors and specialist playing an active role in identifying and agreeing collectively on the “what could go wrongs” in the audit.

Conduct Joint Walkthroughs of the Process and Controls. We recommend both audit and IT team members perform the walkthrough and use a flow chart. Performing walkthroughs as a team with the IT auditors is an easy way to put these collaborative audit techniques into practice. IT audit members should be invited into all relevant meetings (challenge the status quo for what meetings are or are not relevant for the IT auditor). This becomes very clearly an issue when we review the engagement teams understanding of the flow of data. In our review of process narratives, we commonly see applications are discussed sporadically throughout the document. When this business process narrative is compared to the IT understanding document in a different part of the audit file the disjointed logic appears and gaps in the data lineage are confirmed. The use of a flow chart is recommended because it helps the team logically move from one step to the next in the process and incorporates all the people and systems along the process. Joint walkthroughs and collaborative documentation techniques are indicators of a comprehensive understanding.

Integration should be on-going in planning, quarterly work, company preparation, fieldwork, sign off, wrap-up, review, and reporting. Collaboration across skill sets brings out the best in the understanding of the collective team (including the firm).

The foundation of connecting with members of your team with deep knowledge in areas such as technology, eliminates some blind spots. Today technology is part of every process, so having team members with a passion and understanding of how company systems work is necessary.

Please Mind the Gap: Identifying Control Gaps in ICFR

Tue, 13 Apr 2021 14:18:12 GMT

Tourists the world over love to visit London and ride the Tube, always listening for the famous expression, “Please mind the gap” (with that terrific British accent, of course). The announcer on the train says it specifically because, indeed, there is a gap between the train and the platform and for the unaware pedestrian, a foot through the gap could result in any number of possible injuries and damages.

Much like the Tube in London, a control gap can be a dangerous thing. While auditors and accountants don’t usually risk losing a limb, a control gap on the other hand could be an undiscovered material weakness which could allow for a potential material misstatement which could result in any number of possible damages to the public sector.

Control gaps are hard to identify, but they matter significantly. Almost twenty years after the implementation of SOX, it’s become easy for auditors to test internal controls that are in scope (i.e. that which we see). But what if the issuer doesn’t have a control in place to cover a potential material risk? Or what if the auditor did not scope in an important control to cover a material relevant assertion? It is much harder to identify a problem we cannot see, or, in other words, a gap.

Often, the focus of controls testing is on evaluating the design and operating effectiveness of internal controls. In fact, many of the PCAOB’s recurring findings surround firms’ failures to sufficiently test the design and operating effectiveness of controls, such as management review controls (MRCs). What is perhaps less well known is that the PCAOB also takes issue with engagement teams’ identification of controls to address deficiencies. In its Staff Preview of 2018 Inspection Observations which details recurring deficiencies, the PCAOB noted, “Auditors did not select controls for testing that address the specific risks of material misstatement.” Similarly, in its 2019 observations , the PCAOB said, “Auditors did not identify and test controls that sufficiently addressed the risks of material misstatement related to relevant assertions of certain significant accounts.” These issues translate into control gaps.

If you read through the auditing standards, specifically AS 2201, An Audit of Internal Control Over Financial Reporting That is Integrated with an Audit of Financial Statements, you’ll notice that there is actually very little guidance around testing the design and operating effectiveness of internal controls. In fact, the first 41 paragraphs of AS 2201 (and for context, there are 98 paragraphs, not including the appendices) deal with planning the audit, understanding risk assessment, incorporating materiality, understanding the control environment, scoping significant accounts and assertions, understanding likely sources of potential misstatement, and finally, selecting controls to test. Almost half of the standard provides guidance to help auditors identify and select controls to address risks of material misstatement. Then, the PCAOB provides four paragraphs (AS 2201.42-.45) that speak to testing the design and operating effectiveness of controls. WOW! 41 paragraphs to ensure auditors select the appropriate controls and only four paragraphs to ensure auditors appropriately test controls.

In my experience with teams, a majority of the time and energy is spent on testing internal controls and very little time is spent on analyzing the controls in scope. In fact, most teams I know often take the “same as last year” approach without critically re-assessing the relevant risks and assertions, the likely sources of potential misstatement and selecting the right controls to address those risks. Control gaps are significant and can just as easily amount to a material weakness as can an ineffective control, whether due to design or operating effectiveness.

Given the significance of first identifying the appropriate controls and then testing those controls, consider the following:

Data lineage and process flows

The industry knows the importance of walkthroughs, but I have come to find that they are narrow in scope and often have become “perfunctory.” Many teams simply perform a walkthrough to understand the design of a control . But a walkthrough is actually intended to walk through a transaction from start to finish; in other words, to walk through the entire process . As controls occur (in the process), then yes, the engagement team should ask more clarifying questions to understand and evaluate the design of the specific control, but transactions don’t necessarily go from control to control. There is a process flow and teams need to understand that process in its entirety. I often advocate for the use of flow charts. If the client doesn’t have them, then the engagement team should consider creating a flow chart to help navigate the walkthrough. At each step in the process, the engagement team should ask, “what happens next?” – not , “what’s the next control?” A flow chart should map this exactly, allowing the engagement team to more easily identify potential control gaps.

While more often used in the IT realm, there’s an important concept of data lineage. It is vital that engagement teams understand the flow of data starting with where it originates and where it ends up (i.e. eventually the general ledger).

For instance, data that flows through multiple systems (Systems A, B and C) will need to have controls to ensure the complete and accurate transfer of information from system to system. If the engagement team only performs a walkthrough of a specific control (Control B.1), then the engagement team may conclude that the Control B.1 is appropriately designed. But without a walkthrough of the entire process, the engagement team may miss the fact that the data originates in System A and thus may need an “input control” and may also need an interface control to ensure the complete and accurate transfer of data between System A and B. In addition, without a walkthrough of the entire process , the engagement team may miss the fact that there needs to be a control to govern the complete and accurate transfer of data between System B and System C (which happens after Control B.1). These would all be control gaps that could jeopardize the relevant assertions of the account and result in a material weakness.

Especially today, given the integration of IT systems and automation, it is important for engagement teams to perform walkthroughs of entire processes with both financial statement and IT auditors.

Risk matrices

Most issuers have risk and control matrices. These matrices can be burdensome given the size and amount of information included within. I encourage teams to create a simpler version on their own; these simplified matrices can be the most effective method for mapping significant accounts, risks, and likely sources of potential misstatement (also referred to as “what could go wrong” or WCGW) to specific controls. Each account will have relevant assertions. Each relevant assertion will have multiple WCGWs. And each WCGW should have at least one control that specifically addresses that risk. Though usually completed by more junior team members, managers and partners should spend a significant amount time reviewing this matrix mapping since this is the foundation for the identification and scoping of controls.

Once scoped, it’s just a matter of testing the design and operating effectiveness. I realize that testing can take a significant amount of time as well, but generally speaking, the more time spent upfront planning an audit (including understanding and scoping controls), the better the execution of the audit.

Errors and exceptions

As we move into substantive testing, I encourage teams to consider errors and exceptions as these generally have control repercussions. Some errors may not be significant, such as reconciling differences between the subledger and GL due to rounding. A true error, however, often indicates a breakdown in controls. When teams find an error, consider whether the controls in place operated. If they in fact operated as designed, then either the controls are ineffectively designed or there is a control gap somewhere in the process that should address this error. Of course, take into account materiality; there may not be a risk of material misstatement, but the audit team should consider the effect of errors, the potential for material misstatement or material weakness, and document its judgments around these considerations.

Regarding exceptions, while engagement teams are quick to explain why exceptions are not errors, consider if there are control implications. For instance, in a substantive test over revenue occurrence, I’ve seen numerous tick marks explaining why there are no shipping documents (i.e. occurrence) for a specific selection. Maybe it’s because the this particular sale is actually a service and not a shipment. Okay, point noted; I’m not challenging the validity of the revenue. However, for this specific selection, the typical revenue recognition process is not applicable and that means the client should have controls designed and in place to ensure revenue recognition for this revenue stream is in accordance with accounting guidance. Did the client and did the engagement team identify a control to cover this “exception?” Regulators are keen to identify these types of situations for potential control gaps. Again, take into account materiality; to the extent this is an immaterial revenue stream, then perhaps no controls need to be identified and tested, but the engagement team should at least document its judgment.

When performing walkthroughs, I can’t emphasize enough the importance of asking control owners, “what happens when there’s an exception?” Or for automated processes, “is it possible to have a manual workaround?” These are potential exceptions that should have controls identified and operating to ensure there is no gap.

“Fresh” reviews

Finally, I encourage engagement teams to get “fresh” perspectives. While recurring year after year helps build a strong understanding of the client (which is critical to identifying potential control gaps), in an effort to drive efficiency, most audit approaches are simply rolled forward from the prior year. Thus, in lieu of re-assessing the risks and the in-scope controls meant to address the risks, teams simply adopt the prior year scoping.

Taking a step back though, is that really the most effective or appropriate action? The initial scoping of controls is often performed either a) upon client acceptance or b) upon initial SOX implementation.

Client acceptance: In a first-year audit, regardless the size of the company, there is so much “learning” that occurs that it’s almost foolish to think that the scoping of controls made in the first year is the “best” or “most appropriate” scoping. Surely the engagement team will continue to learn and better understand a client over time and therefore identify additional controls that are needed to cover relevant risks.
SOX implementation: Similarly, the first year of a SOX implementation is a huge undertaking. While the controls may cover the relevant risks at the time of implementation, there are often oversights that both management and auditors realize over time and thus controls will constantly be adapting. Layer onto this the fact that clients are perpetually changing, and it’s important to critically re-assess every year the scoping of controls.

To get fresh perspectives, consider the use of in-flight and lookback reviews or targeted ICFR gap analyses across clients to help engagement teams identify potential control gaps. It is important to have objective perspectives that can raise new insights about the scoping of controls.

And now back to London, the mere fact that there is such a large separation between the train and platform is possibly an indication that there was a control gap somewhere in the design and construction of the London Underground. I’m not sure who first identified the error, whether it was the engineers or an injured passenger, but clearly the London Tube is aware of the issue and has implemented a control to cover this risk and it goes: “Please mind the gap.”

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

Analyzing and Remediating Internal Control Over Financial Reporting Deficiencies

Fri, 09 Apr 2021 16:26:06 GMT

Los Angeles, CA: Joe Lynch, CITP, JGA Managing Director, and Dane Dowell, JGA Director are excited to partner with George Wilson, PLI SEC Institute Director, for Analyzing and Remediating Internal Control Over Financial Reporting Deficiencies , an informative one-hour briefing held virtually on May 3rd at 1pm EDT.

This briefing will focus on the impact of deficiencies in internal control over financial reporting, the complexities of evaluating the severity of an ICFR deficiency, and the challenges of building an effective remediation plan.

“The more I work with clients, the more I realize how difficult it can be for auditors to effectively conclude on the severity of ICFR deficiencies” stated Dane Dowell. “Trying to balance the nuances of maintaining a client relationship, but also independently conclude on the severity of a control deficiency, which could be a material weakness, is not easy. That’s why it’s important to educate both management and auditors about the relevant considerations when evaluating deficiencies.”

“I continue to see teams struggle with incorporating ITGC deficiencies into the evaluation process” said Joe Lynch. “The pervasive nature of systems and applications supporting key business processes often leads to IT deficiencies with a large potential magnitude, including all associated business processes supported by an application with deficiencies becomes complex.”

Topics for this program will include:

Discussing the ownership of internal controls and testing over design and operating effectiveness of internal controls
Determining if a control deficiency is a material weakness, or a significant deficiency:
Evaluating severity in terms of magnitude / potential
Evaluating compensating controls, remedial actions with mitigating effects
Evaluating the severity control deficiencies in aggregation
Evaluating the effect of control deficiencies on the substantive audit
Building a specific plan to remediate control deficiencies
Testing strategies to determine the success of remediation plans
Making appropriate communications about control deficiencies and remediation

Click here to register for this briefing.

About Johnson Global Accountancy

Facing Today's Accounting Challenges An Interview with Jackson Johnson, JGA President

Wed, 17 Mar 2021 15:44:57 GMT

Johnson Global Accountancy is pleased to announce Fannie Polcari has joined the Firm as a Senior Associate. With over 10 years of business and operations experience, as well as a diverse background in accounting and auditing roles, Fannie will assist with client management and their engagement teams to identify, develop, and implement opportunities for improvement over financial reporting and audit quality.

In an effort to learn more JGA’s perspective and what our clients are facing, Fannie interviewed Jackson Johnson, JGA President.

Fannie: Jackson, what are the biggest challenges you see in the accounting world today?

Jackson: I think the biggest challenge is maintaining a level of transparency and audit quality that keeps up with the pace of the companies we audit. What we are seeing is an increase in globalization – accelerated by the pandemic – coupled with the acceleration of a company’s reliance on technology. As advisors to auditors, and as thought leaders on audit quality, it has become increasingly clear to me that we need to push the audit industry to catch up with how companies process transactions and compile their financial reports, while meeting the increasing demands of the PCAOB.

Fannie: What are some of the trends in PCAOB inspections and audit quality at large?

Jackson: Specifically, the trends we see in PCAOB inspections continue to be firms’ difficulty with being best prepared for an inspection under all their competing priorities and time constraints. Inspectors have not let up on the high expectations they have over the quality of the work. Increasing demands by the regulator also means new rules and new expectations are coming up the pike; which translates to stress and added pressure at firms. For example, the international shift to enhance the system of quality management at firms, initiated by ISQM 1, requires firms to go through every aspect of their system of quality control to ensure that it addresses all the risks over audits that comply with the standards. A complementary standard issued by the PCAOB will follow.

Fannie: What advice would you give someone who is newer in the accounting industry and wants to remain relevant and at the cutting edge of the industry?

Jackson: New auditors are at an advantage because the younger generations are already tech savvy in their personal lives, embrace remote work and video conferences, and future leaders will quickly adapt to managing work and teams virtually. Because of those factors, auditors entering this industry now are going to be expected to have a solid information technology (IT) background. Dane Dowell, JGA Director, recently published an article titled “The Inevitability of Integrated Audits” where he highlights how audits are becoming increasingly focused on IT and that the only way we are going to be able to stay relevant as companies continue evolving and on their internal controls we must focus on IT. Therefore, auditors need to have a well-rounded balance of financial accounting and IT to connect the two elements as they are becoming one and the same.

Fannie: During my classroom study and in the real-world I have heard a lot of talk about external auditors implementing fraud analysis as part of their audit work. From your experience do you think this should be considered as part of a larger scope of an external audit? And how do you think this would impact the PCAOB inspection process?

Jackson: Currently, auditors are required to understand management’s process over financial reporting to address risk of management override of controls due to fraud. That includes understanding where the risks in the process could be circumvented, as well as identifying the areas of the financial statements and classes of transactions where fraud could occur (such as fraudulent journal entries or where management bias could be applied).

As auditors we are trained to take a careful look at the nature of company’s business and the types of accounts and transactions where we need to focus. Often, we look at estimates. Estimates are a good example because anywhere where there’s significant judgment involved - such as valuing a company or an intangible asset, or an inventory reserve - there is a number of assumptions and inputs where bias could be applied to achieve a desired number or outcome. Fraud is becoming more of a focus at the regulator and at the SEC, and as auditors it is important for us to always have that high level of professional skepticism when planning and performing these procedures. In fact, we recently conducted an internal fraud investigation for a company, and it touched on many of these points.

Fannie: Lastly, what is your favorite part of the accounting profession?

Jackson: I love to help people fix problems! First, as an auditor at Grant Thornton, I was able to help mid-market companies during a time when Sarbanes-Oxley Act was rolling out. This was a very difficult transition for organizations to make, but helping them taught me about systems, project management and most importantly, how to help teams move through difficult situations.

Then, as an audit regulator at the PCAOB, I helped firms identify where they could do better. Although we could not help them directly, we were able to pinpoint where they fell short and where they may face deficiencies in the system of quality control. This gave me a unique perspective on the extensive problems affecting firms of all sizes.

Now, at JGA we work as a team, pulling from our vast experiences helping companies, firms, and engagement teams improve quality throughout the entire process. It is a joy to work side by side with clients all over the world to enhance quality throughout every level of the organization and improve inspections, client retention and strengthen firms at their core.

Fannie: Thank you Jackson for carving out time to speak with me and providing me with further insight as I continue growing in this profession. As someone who has embraced technology early on and understands its wide application, I have already seen its day-to-day impact on how we conduct business. In my last role we utilized several key technological tools that allowed us to synthesize large amounts of data and present that data into an interpretable and digestible way. The goal was always to identify the big picture and draw conclusions from collective understandings. Much in the same way, JGA takes the same approach and welcomes the use of technology and innovation to augment our findings. I am excited and looking forward to the opportunity of working with a team of professionals to tackle some of the industries toughest challenges.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

JGA Expands Services with the addition of Joe Lynch

Wed, 17 Mar 2021 13:52:45 GMT

Johnson Global Accountancy is pleased to announce Joe Lynch has joined the firm as a Managing Director. With over 17 years of experience as an IT auditor, PCAOB IT inspector, and IT consultant, Joe is perfectly positioned to assist public and private companies, and public accounting firms to implement and integrate technology into financial processes at companies and improve the audit integration of engagement teams at firms.

" Information Technology is a critical element to accurate financial reporting of companies and to the integrated audits of their auditors ," stated Jackson Johnson, JGA President. " Joe brings deep IT and regulatory experience to JGA, a perfect complement to our team because his broad experience will be valuable to all of our clients whether they are companies, internal auditors, or external auditors. "

"It is my pleasure to join the team at JGA and be part of helping our clients amplify quality throughout the financial reporting and audit process," said Joe. "Their passion for helping the accounting industry is infectious and I’m excited to bring my IT perspective to the JGA process."

As an Information Systems Inspection Leader for over 6 years at the PCAOB, Joe conducted inspections of large and mid-market global issuer audits at firms in the U.S. and their foreign affiliate firms, focusing on examining quality control, design, and implementation of audit work over IT and service organizations in integrated audits.

His experience also includes advising engagement teams and the national offices of foreign affiliate firms facing inspections by the PCAOB and other foreign audit regulators. In addition, Joe has supported companies and firms with IT strategic initiatives ranging from implementing the strategic framework for technology departments to leading implementations of ERP. Joe will be based in Houston, Texas.

Learn more about Joe and the rest of the JGA team here at Meet Our Team .

About Johnson Global Accountancy

Did your last inspection feel too easy? Take-aways from a Clean PCAOB Inspection

Tue, 16 Mar 2021 18:15:50 GMT

Auditors typically feel a sense of tremendous relief when the regulators complete an inspection without receiving comment forms. There is a deep sense of accomplishment to know the audit was nearly perfect. However, does that mean if the same audit is reviewed next year and all other factors remain equal, will the inspection result still be clean? Not necessarily. Different inspection teams, different regulatory focus-areas and different overall internal and external market pressures could produce different results.

In fact, some clients with recent clean PCAOB inspections are concerned that they may have ‘just been lucky’ in their last inspection and are concerned they are one inspection away from a vastly different outcome. We think this is a valid concern that firms should take to heart. We thought we might take a moment to dig into why this happens and what areas you should consider even in the event of a clean report to prevent surprises in the next inspection.

When discussing concerns with clients, we hear a desire from firm quality control (QC) leadership and engagement teams to be proactive and continue to drive improvement on their engagements. Not only are they preparing for the next inspection, but they are strengthening the quality control of the firm and the quality of their engagements. Here are some things to consider.

The PCAOB inspection is not an absolute guarantee of audit quality.

While the PCAOB may select other audit areas to incorporate unpredictability into the inspection process, they focus much of their attention on specific audit areas – and often only specific assertions – that they consider to be of greater complexity or a heightened risk of material misstatement. In fact, in its newly formatted reports, the PCOAB states that its reviews “are not an assessment of all of the firm’s audit work nor of all of the audit procedures performed for the audits reviewed.” Through our practice monitoring and pre-inspection reviews of issuer audit files, we have raised concerns to engagement teams about design and testing of a particular audit procedure or test of control that were not identified in the last inspection. Unidentified important interface controls, compensating controls that are insufficiently precise, or substantive procedures to test an estimate that uses data that was contradictory to the conclusions or that was not tested for completeness and accuracy are just a few examples of situations we identify that do not always get picked up in the inspection but could raise to the level of a finding. Sometimes it turns out the scope of the inspection was not focused on these issues. Making engagement teams aware that this could be a concern in the next inspection helps the firm be prepared and make changes during the next audit.

The focus and approach of a new inspection team may be different from the last inspection team.

Just as engagement team members are in a constant state of change, so are inspection team members. Each inspection team brings their own unique experience of:

the types of firms they have inspected in the past,
the type of public accounting experience earlier in their career, and
their technical and industry experience.

Each inspector brings previous experience and issues they have worked through in the past to their subsequent inspections. As an example, in our work supporting firms through their inspection and remediation, we have seen inconsistencies applied where some inspectors expect an inventory cycle count program to be equivalent to a full physical (i.e. the program should count everything at least once per year). In other cases, however, this is not an explicit issue, so long as the risk of what could go wrong is properly addressed.

To further illustrate how someone else coming into an inspection can look at the same thing and reach a different conclusion, consider a recent firm monitoring client. We assisted them with a deep dive into a revenue process flowchart for a pre-issuance review and identified key controls that should have been flagged and tested by the engagement team. This was never identified as an issue in any previous inspection.

Client process and business changes may and should require a change in audit strategy.

We are going out on a limb here saying that every audit client is continuously evolving their processes, procedures, and operations. This requires auditors to change the strategy and scope from one audit to the next. Avoid the trap of applying a “same as last year” approach without ensuring this is the right approach. All these factors should be considered as you change your strategy and approach as part of your audit planning for your upcoming audits. Just a couple examples:

Increased incorporation and integration of automated information technology processes into a company’s operations. This integration could arise because of many reasons – as a result of forced changes due to the current pandemic or perhaps because that is how the industry is naturally evolving. Consider how industries such as the financial services industry have changed over decades to become highly automated and so over the years auditing in this industry has changed from a mix of manual and IT control testing to highly automated and integrated control testing. My colleague Dane Dowell penned an article on this topic where he discussed "The Inevitability of Integrated Audits".

Acquisitions and disposals of business units are a constant in today’s economy. Companies are always looking for new targets to acquire. Along with those acquisitions are new considerations such as merging different business models, systems and processes of two companies. Has your client made changes to an acquiree’s internal control structure? Are there (or should there be) new or different procedures to centralize the process with a common set of controls? Or has the client decided that the acquired company’s controls will remain unchanged? All of these shifts in the company could cause necessary shifts in the audit procedures and controls.

Changes to the firm’s tools could mean new and unexpected inspection procedures.

Firms are constantly updating and changing tools and resources available to its engagement teams. As a result, an audit that used a specific tool on your last audit that was inspected by the PCAOB, may be changed, or revised by the firm. Many of our clients have integrated AI or other technology tools from external providers to identify the journal entries to test for the risk of management override due to fraud. Although these tools are designed to make the audit more efficient, it leads us to ask other questions:

How does the engagement team know that the tool is working as intended?
Does the external provider control the process whereby they provide a service auditors report?
Is this a new tool that is part of the Firm’s QC system over audit technology (consider the IT component per ISQM 1)?
Does the tool allow flexibility to address the unique risks of each audit?

Changes in tools could affect the conclusions made by a future inspection team on the sufficiency of your audit procedures or system of quality control.

How can you prevent these surprises in the next inspection?

Now that we have identified some of the reasons a clean inspection may have a different outcome next time around, here are some actions we recommend firms take to mitigate some of these risks:

Review the approach and procedures that were performed in the most recent audit with a fresh perspective. Be honest in your considerations and seek input even from less experienced team members. Thinking critically about the risks and whether they are covered from a controls and substantive perspective provides that all-important on-the-job-training and development skills.
Perform post-issuance reviews of completed audits to determine whether the potential risks and pitfalls could be identified by an astute inspector. An independent reviewer applying an “inspector mindset” helps bring objectivity to this process. These reviews are also used as a tool to consider changes that need to be made to the audit strategy in a future audit.
Perform pre-issuance reviews on riskier audits. In our work with firms on these strategic reviews, we focus on areas that have complexity and auditor judgment, focus on the important considerations, and make sure the documentation is complete.
Conduct engagement team and national office debriefs after the audit, and again after the inspection to understand what went well and what aspects of an audit should change for future audits.

Just like every public investment disclosure, past performance is no guarantee of future returns. The same mantra can be applied to inspections. Have you done enough to mitigate that risk?

Geoff Dingle , JGA Managing Director, works with PCAOB-registered accounting firms helping them identify, develop, and implement opportunities to improve audit quality. With over 20 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Geoff has extensive experience in audits of ICFR and firms’ systems of quality controls. Prior to the PCAOB, he worked on audits in various industries at Deloitte in Atlanta and Durban (South Africa).

Jackson Johnson is president of Johnson Global Accountancy, a public accounting and consulting firm with clients throughout the world. He works directly with PCAOB-registered accounting firms and other firms to help them identify, develop, and implement opportunities to improve audit quality.. He also works with public and private companies on various technical accounting and transactional matters. His experience includes nearly six years with the PCAOB, where he worked with small and medium-sized accounting firms throughout the world, including foreign affiliates of large international accounting firms, in the areas of firm quality control and ICFR audits of financial statements. Prior to the PCAOB, Johnson worked with public and private clients in a variety of industries at Grant Thornton LLP in Boston, Los Angeles, and Hong Kong.

Initial Observations: The New PCAOB Inspection Report Format

Mon, 22 Feb 2021 20:11:24 GMT

You probably have realized – especially if you have been waiting for yours -- there was a dearth of inspection reports published in the last two months. We assumed this pause in frequency and volume was to reengineer the reports in the queue into the new report format. However, that clearly is not the case.

At the time of the release of this article, there have been 46 inspection reports issued with a report date during 2020. Of those 46 reports, 33 were under the new format while 13 kept the old format. JGA collects and analyses comprehensive firm information, inspection, and report data on a continuing basis to help us identify trends and keep our clients and readers informed. Here’s some of the characteristics on those inspection reports approved in 2020:

In the Spring of 2020, the PCAOB issued a guide to assist readers to understand the format of the new inspection report and expected changes in each section . Here are our initial observations:

First, there is no executive summary for triennially-inspected firm reports, and no firm demographic data for annually-inspected firms. In the annually inspected firm reports, the executive summary provides a high-level review of the deficiencies identified by breaking them out between ICFR audits or non-ICFR audits and quickly describes the most common deficiencies identified in that inspection along with a brief summary the Part I findings. This executive summary is excluded from the triennially-inspected firm inspection reports. Additionally, while firm demographic data (e.g. number of issuer audit clients and number of engagement partners with primary responsibility for issuer audits) was always in all reports, it is now excluded from the annually-inspected firm reports.

Randomly-selected audits are reported for annually-inspected firms only. As you probably know, this has been an ongoing topic over the last several years and one that is frequently discussed in public comments by inspection leadership and by Board members. We now see more insight into whether and how many audits were randomly selected by the inspection team. It seems this is now reserved for annually-inspected firms only. In our work with clients supporting them through the inspection process, we have not seen instances where triennially-inspected firms are subject to a random selection. But as with most initiatives, changes start with the larger firms and trickle down to the smaller firms over time. And clearly, firms with only a few issuers, should be immune to this as well.

Focus areas selected by the inspectors are clearly reported. In the past, readers would only know what those areas were if there were deficiencies identified in those areas. The section titled “Audit Areas Most Frequently Reviewed” depicts most, if not all, of the audit areas reviewed for small firms. This new public information provides stakeholders with much more transparency into the complexity of the audits reviewed (i.e. shell companies with no revenue versus operating companies). In addition, with a broad analysis of report data across firms, we can understand what inspectors are focusing on and identify any new trends in focus areas.

A new section brings more findings into the public domain. We previously wrote about this new Part I.B and the Board’s remarks on what types of deficiencies would appear in this section. Based on our review, examples in this section include:

non-compliance with audit documentation,
required communications to audit committees (including pre-approval of non-audit services),
timeliness and accuracy of Form AP reporting,
required management representations, and
non-standard audit report language.

The non-public section on quality control draws broader observations over a firm’s overall QC system. There are examples where an observation is identified in one audit and the Board concluded that the Firm’s system of QC does not provide reasonable assurance over this particular area. Based on our analysis and our work with firm clients to design and implement remedial actions, this appears to be a change from the previous report format. This has spurred many client conversations about whether a particular observation means a specific system of QC is insufficient. Additionally, concerns about root cause analysis continue to rise. We will continue to monitor these changes because they have a direct effect on the effort required for firms over remediation.

Root cause assessments are omitted from the new reports. Over the last several years, the PCAOB has been including its own assessment of the root cause of the quality controls findings in the private portion of inspection reports. However, this no longer seems to be the case as this section has been omitted from current triennially-inspected firm reports. Previously, common assessments included were due care and professional skepticism, supervision and review, technical competence, or others. This change is in line with what we believe is in the best interest of these firms too. Firms are better equipped to narrow down the precise root cause and have a full understanding of their issuer practice and system of QC. Leaving root cause assessments to the firm will open more dialogue with remediation staff, allowing firms to set the direction that remedial actions should take.

We encourage our clients and other firms to take a close look at each of these sections when you receive your draft inspection reports and contact us if you would like additional insight to interpret the findings and discuss the right action plan.

Year 2 of the Pandemic... What May Keep Auditors Awake at Night this Busy Season

Thu, 18 Feb 2021 18:30:26 GMT

When the COVID-19 pandemic was thrust upon our world a year ago, the downturn in global economies could not have come at a more inopportune time for auditors – as in February and March 2020 auditors were in the throes of finalizing their calendar 2019 audit procedures. Now, a year later, although we now have multiple COVID-19 vaccines available, our economy and rate of unemployment is still feeling the long-lingering effects of the pandemic. What does this mean for auditors as they assess audit risks during the current busy season?

Estimates

The most difficult aspects for an auditor to conclude on continues to be in the area of accounting estimates; which by definition it is uncertain and is based on judgment. An estimate could be based on one or a combination of any of the following: future looking projections, using internally generated data, using comparative company data, or using historical data, etc. All these approaches rely on data that is based on some sense of normalcy and predictability. 2020 was not normal and 2021 appears to be following suit. With projection data that is now particularly tenuous at best, auditors should be mindful that a company that continues to report poor operating results runs the risk that management could be biased and/or use inappropriate inputs or data in an estimate to inflate performance.

As we discussed in an earlier article , the new estimates standard (AS 2501, Auditing Accounting Estimates, including Fair Value Measurements) which is effective for calendar year 2020 audits, is designed to integrate the risk assessment aspects of estimates into one single standard so that there is a more uniform approach to testing estimates, including auditing fair value of financial instruments and the use of third-party services such as valuation specialists and pricing services. The standard streamlines the auditor’s approach to test estimates into basically 3 options (or a combination thereof):

test the issuer’s estimation process,
develop an independent expectation which is compared to the company’s own estimate determination, or
evaluate evidence obtained after the accounting estimate measurement and compare to the company’s estimate.

That means that auditors now have the perfect storm - having to audit and document based on a new standard as well as an uncertain future economic outlook in the same year!

Now that we are a year into the pandemic, many businesses may be stretched thin with resources and auditors will need to be challenging management’s inputs and methods. The questions that auditors should be asking when testing estimates include:

Based on the data available to us, which of the three approaches should we use to test the estimate? If we test the company’s own estimate determination, how do we test the company’s methods and data it uses especially given that 2020 operating results did not pan out to the 2020 projections established at the end of 2019? How can we determine that the data is reliable?
If we decide to develop our own independent expectation, do we have a reasonable basis for using our own assumptions? Is the data we use relevant and reliable?

Going Concern

Back in April 2020 we commented that the going concern assessment of companies during the pandemic would require greater scrutiny by auditors . Although there are some industries that have weathered the pandemic well (and in fact have shown significant growth in 2020), many industries have not been as lucky - specifically companies in the entertainment, casino, gaming, restaurant, airlines, travel, and oil and gas drilling sectors. These companies are still feeling the ill effects of the pandemic and are expected to continue to feel this for at least much of 2021. As auditors of these companies, this extended downturn in operations and financial results exacerbates the going concern risk. Here is a list of questions an auditor should be considering as it prepares to finalize its upcoming 2020 audit:

Now that this prolonged pandemic is extending into its second year, does it still have sufficient cash resources available for it to make it through the next 12 months?
Does the company have access to financing if it needed to draw on? The second round of Payroll Protection Program (PPP) loans are much more limited as to who can apply compared to last year’s initial round of PPP loans, so these are not considered much of an option in 2021.
What are the company’s fixed and variable costs? If a reduction in force has already occurred in 2020, was this sufficient to allow the company to continue as a going concern in 2021 if the economy stays depressed? There is only so many times one can go to the well, before productivity and client service is impeded.

Retrospective Review

An additional important point for an auditor to consider is that if management prepared cash flow projections using 2020 revenue and cost projections for last year’s financial statement opinion asserting going concern, and if an auditor did a retrospective look back, how do those projections compare to 2020 actual results? If the lookback does not support the projections, then what does the auditor need to do or consider to be able to conclude that the 2021 cash flow projections for the upcoming going concern assessment will be reasonable? Did the company’s plans to dispose of assets come to fruition? And if so, did they realize the proceeds that they were expecting?

What should auditors expect from upcoming PCAOB inspections?

Auditors should expect that PCAOB inspections will continue to focus on aspects of an audit that are more complex and require considerable judgment. Especially in industries hard hit with the downturn, and along with adoption of the new estimates standard, inspectors will be particularly keen to be ask:

Did the engagement team follow one (or more) of the three approaches in the new estimates standard? Have they documented their approach appropriately?
Did the engagement team appropriately test the completeness and accuracy of the data used in determining the estimate?
How did the engagement team consider the appropriateness of future cash flows, management plans, and availability of financing when determining its assessment of going concern?
Did the engagement team perform a retrospective review of the estimate and incorporate the results of this in their risk assessment and response?
Did the engagement team implement the new standard AS 2501, including performing procedures over specialists?

During our work with our clients, we continue to see that auditors do not clearly or concisely document their considerations in auditing estimates and going concern – always remember to “tell the story” of how you came to your judgment. Especially in these times, auditors should not ignore contradictory or contrary evidence without a full explanation. At the end of the day an estimate that is audited based on sound principles, logic, and methodology, which considers all evidence at hand, should be able to withstand questioning from the regulators. Our experience is that when auditor documentation is lacking in areas that are complex and require judgment, the regulator is going to call you out on that! After all, how can the engagement partner and/or engagement quality reviewer conclude that that an estimate reflected on the balance sheet or the going concern analysis is appropriate if audit documentation is poor and the workpapers are lacking with anything to review. We find that documentation of sound and reasonable judgement wins the day!

Geoff Dingle , JGA Managing Director, works with PCAOB-registered accounting firms helping them identify, develop, and implement opportunities to improve audit quality. With over 20 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Geoff has extensive experience in audits of ICFR and firms’ systems of quality controls. Prior to the PCAOB, he worked on audits in various industries at Deloitte in Atlanta and Durban (South Africa).

The Inevitability of Integrated Audits

Wed, 17 Feb 2021 20:51:42 GMT

September 2006 – It was my first day working in public accounting. At lunch, I remember my firm relationship partner telling me how when he started at the firm everything was still done on paper. In an effort to modernize, the firm actually paid its associates extra if they volunteered to use a computer. Mind you, this was before the days of laptops, so using a computer meant carrying around a hefty desktop computer to all of your client sites. He actually had a dolly in his car to carry the computer around.

As technology improved, the public accounting industry began to embrace electronic workpapers and then began to utilize computer assisted auditing techniques. Now, we can’t imagine a time where audits were performed without laptops, email, electronic workpapers, data analytics, and replicating databases with cloud servers. It was an inevitable trend in the public accounting industry and firms sooner or later had to embrace information technology.

As operating companies embrace information technology, once manual processes are becoming ever-increasingly automated. Paper journals and ledgers have become excel spreadsheets. Inventory receiving and shipping has moved from labor-intensive operations to heavily automated processes. Today, I believe we are reaching a critical threshold where it will become impossible to perform an audit without some element of internal controls reliance.

While all public companies must have internal controls, currently, the requirement to perform an integrated audit is limited to public companies who meet certain criteria linked to revenue and market capitalization thresholds . The thresholds requiring an integrated audit are regulated by the SEC while the auditing standards are governed by the PCAOB. Most in the profession know that AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements is the “ICFR” standard.

However, while not an explicit requirement, the PCAOB acknowledges that there are circumstances where substantive procedures alone are not sufficient and, in these circumstances, the engagement team should test controls. Specifically, AS 2301 : The Auditor’s Responses to the Risks of Material Misstatement states this:

An example where this might apply is in the audit of an internet banner company where revenue is derived from “clicks” on banners. There is no tangible evidence that can be pulled to validate the clicks on a banner site. The company has to have effective controls, including controls over its systems, to capture a complete and accurate population for revenue. The engagement team cannot otherwise obtain comfort over completeness. In fact, it can’t even pull an “invoice” to evidence occurrence of revenue since it’s all online and intangible.

While this example may be unique, I believe we are beginning to enter a phase where all companies, public and private, are using information technology. “Companies no longer have to commit significant capital to have robust, technological accounting functions,” said Joe Lynch, JGA Managing Director. “With the advances in usability of ERP platforms, along with favorable cost models, modern systems allow smaller companies the ability to easily implement systems with robust accounting functions on a small month-by-month per user cost.”

The increasing integration of systems into the financial reporting process is progressing to such a great extent that it is becoming almost impossible to audit many companies without having controls over systems and information produced from those systems. The PCAOB has continued to iterate the importance of testing the completeness and accuracy of information used in an audit, regardless of whether it is an integrated audit or not. In fact, this is one of the PCAOB’s recurring inspection deficiencies that has been surfacing since 2016.

When engagement teams use information produced from a system, in simple terms, there are two options to test that data:

Teams can test the controls around systems, interfaces, and production of reports, as well as the controls that govern the input of data into the systems; or
They can manually test the completeness and accuracy of each report (every time they use a report).

When talking about an AR aging, it may be easy enough to just manually test the report at year-end by tying the total balance per the AR aging report to the general ledger and then taking a sample of invoices and corroborating the aging bucket. Okay, easy enough. But what if there are 30 separate AR aging reports, one for each operating location. Is the engagement team going to manually test all 30 reports? Or would it be more efficient to test the controls around the systems and the reports? This is the dilemma facing audit firms.

Let’s leave AR aside and think about inventory for a traditional manufacturing company. Many of these companies have implemented ERP systems and other information technology to automate the sales and inventory processes. While some elements of inventory may be easy to test substantively, what about companies that use the system to track overhead or calculate purchase price variances or calculate price adjustments from standard cost to FIFO. A substantive test over these elements is getting increasingly complicated. The engagement team will need various reports from the system to perform the testing, but without controls, how is the team comfortable with the completeness and accuracy of these reports? Or what about inventory reserves? Many reserve analyses are based on inventory usage and consider factors such as last sale date, number of items sold in a year, or last purchase date. Without controls, how can a team conclude on the accuracy of these data characteristics. Yes, it may be possible to test substantively, but it becomes more and more complicated and the question of efficiency resurfaces: is it more efficient to test controls over the systems and the processes or do we do purely perform substantive procedures?

Though engagement teams may still be able to perform substantive tests, it is getting increasingly complicated and difficult because there is so much information and data coming from systems. Joe speaks from his own experience, “I have led numerous audit teams through the process of system mapping and consistently, as we trace the data lineage and the whiteboard fills up, the reality sets in on how the nature, timing, and extent of substantive testing needs to be increased because systems are out of scope.” As technology improves and more systems and processes are automated, audits are going to become more and more complex. Understanding systems will become increasingly more important and eventually, we will have no choice but to scope in systems for testing. In fact, IT is arguably becoming the most important element in an audit and a “simple IT failure” can dramatically impact and reshape an entire audit.

That’s all great, but what can I really do? The key is to start investing now in ICFR and technology competencies and capabilities.

Train the team over ICFR: Understanding the design and testing of controls takes time to master. Firms should invest in regular training opportunities around internal controls over financial reporting (ICFR). If the firm has this knowledge in-house, then great, use those resources to develop engagement teams through training and on-the-job practice and education. If firms don’t have that knowledge-base in-house, then consider hiring resources with strong ICFR experience and/or engaging external consultants to help deliver trainings and design methodology. An important form of training is “on-the-job” application, and this is where targeted in-flight reviews can be useful. For instance, for teams that are embracing integrated audits, perform targeted ICFR reviews over one account such as revenue. The information engagement teams learn from the targeted reviews over revenue will transcend to other areas where controls are being integrated.
Invest in IT auditors: Because of the crucial role of information systems, firms need knowledgeable IT auditors. Firms can hire IT resources or consultants to help train their own internal resources. I know of many financial statement auditors who have taken additional education to learn about IT and acquire IT competencies.
Integrate IT and Financial Statement Auditors: Too often, the IT auditors and the financial statement auditors operate in silos and rarely communicate. IT auditors should be integrated with engagement teams. Testing the design and operating effectiveness of controls should be a coordinated effort. Since many controls involve an IT element, integrate the two knowledge bases together so that engagement teams can effectively scope systems and controls and conclude on the design and operating effectiveness.
Identify audits where integration of controls may be more efficient: When I perform lookback and pre-issuance reviews, I often challenge engagement teams on the audit approach. Multiple times, I’ve had firm clients ask me how they are supposed to test certain accounts or assertions like completeness and accuracy, to which my response is often, “It’s complicated, but controls may be the best approach here.” This response usually creates a shift and opens the dialogue to contemplate what an integrated audit might look like in this case. From these discussions, some engagement teams have embraced controls, acknowledging that it’s too complicated to perform a purely substantive audit. The key here is having an objective review with a fresh set eyes since engagement teams often get lost in the cumulative audit knowledge and experience and follow the same audit approach as last year.
Dialogue with clients about ICFR: I CFR starts first with company management. Companies that are implementing and automating certain processes need to also incorporate strong internal controls over financial reporting. Public companies are required to implement these internal controls, but private companies should also implement these internal controls. Once it becomes “impossible” to substantively test certain accounts or assertions, auditors will have no choice but to test controls. Since ICFR must come from management first, engage in discussions with both public and private clients now to help them understand the importance of internal controls. This is especially important as clients embrace information systems and automation, such as the implementation of a new ERP system.

Of course, when I say integrated audit, I don’t mean that firms are necessarily going to issue an opinion on ICFR. The requirement to issue an ICFR opinion is still regulated by the SEC. However, I think firms will begin to perform integrated audits, or partially integrated audits so that they can issue their opinions over the financial statement. Perhaps the integration of controls is only over significant accounts like revenue and inventory as other areas like accounts payable may still be easy to test substantively. Regardless, it is certain that, sooner or later, control testing will need to cover information systems, including ITGCs, automated controls, interfaces and reports and queries. The more prepared a company is, the better.

It used to be that integrated audits were just for public companies and I’ve heard plenty of firms tell me that ICFR doesn’t pertain to them since they only focus on private clients. That may be so, but just like public accounting firms inevitably embraced information technology in the execution of an audit, so too are firms going to be forced to embrace integrated audits, largely due to information systems and automation. It’s an inevitability that’s just a matter of time. So invest now, upfront, so you’re prepared when we reach that point; in a day of Moore’s Law, it’s sooner than we think.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

Johnson Global Accountancy Launches New Brand and Website with Enhanced Content Experience

Thu, 04 Feb 2021 22:04:50 GMT

LOS ANGELES, CALIFORNIA: JGA is pleased to announce the launch of a redesigned website, www.jgacpa.com , to complement the firm’s growth and brand. This new website design streamlines the unique service offerings to PCAOB-registered firms worldwide. The new site launched just after the New Year and is filled with resources focused on regulatory compliance and audit quality improvement.

“I am so excited to launch this new website that allows us to build new resource libraries to complement our services pages and thought leadership. Our storefront, for all intents and purposes, is our primary tool to launch our upcoming whitepaper which will be released this Spring,” stated Jackson Johnson, JGA President. “I want to thank our marketing and operations team for undertaking this important project that really brings our branding and online outreach to the next level.”

“It has been such a joy to architect the new digital face of JGA.” stated Sara Janjigian Trifiro, JGA’s Marketing Director and Owner of SJT Marketing LLC. “This platform is built to support the explosive growth and future service opportunities at JGA. The professionals at JGA are terrific to work with. They are eager to push the boundaries on content and technology allowing us to quickly meet the changing needs of the accounting industry.”

The Firm encourages clients, colleagues, and peers in the public accounting industry to visit the website at www.jgacpa.com .

About Johnson Global Accountancy

Easily Forgotten, but Always Essential: SOC 1 Reports in a Year of Substantial Change

Wed, 27 Jan 2021 21:32:20 GMT

Yes, we know, 2020 was the year of change. Gone are the days of “same as last year.” Unfortunately, we already know busy season is going to be like no other. In previous blogs, we have discussed how the pandemic has forced great change in the design and testing of controls . Controls that were designed to operate a certain way have likely changed due to personnel changes (AKA downsizing) and operational changes (such as working remotely). This also means controls are now operating remotely as well. As a result, the nature, timing, and extent of engagement teams’ testing of these controls has had to adapt.

While we tend to focus on the management’s controls at the company, let us not forget the controls operating outside the company at service organizations (reported on in System and Organization Controls (SOC 1) reports) ¹ . These controls, and the company controls over them, are equally critical components in the overall system of ICFR. Even pre-pandemic, we often observed that engagement teams struggled to appropriately consider and evaluate SOC 1 reports in the context of their audit approach and their ability to rely on those reports, especially when findings are identified in those reports. Now layer on the uncertainty and changes from the pandemic, management and engagement teams should plan for the unexpected. Here are our top recommendations to ensure your engagement teams look at this important, but often underemphasized area with a fresh perspective during this unpredictable audit busy season.

Review the SOC 1 report early – earlier than last year. As part of the design of controls, management should identify which service organizations it has relied on within the company’s internal control process. Similarly, engagement teams should make a point to have early discussions with management as part of the audit planning strategy. For companies with a calendar year end, these conversations should have already happened in order to support the engagement team’s reliance over service auditors in the audit planning process. The purpose of this is to understand what changes, if any, were made to the work performed by the service auditor and the results of that work, including any changes to adapt to the global pandemic that affects management’s internal control design and assessment. If SOC 1 reports are not available yet, management should contact the service provider to find out the status of the report and ask about known issues. Engagement teams should be on the lookout for:

Opinion qualification. Ensure that management addresses any qualifications and evaluate the effect such qualifications have on management’s ability to rely on the service organization. Both management and engagement teams should have these discussions immediately to understand the effect of an unexpected qualification, especially if the engagement team has any concerns with the results laid out in the SOC 1 report. Nobody wants surprises at the 11th hour.
Deficiencies and findings. In addition to reviewing the overall SOC 1 report opinion, engagement teams should look through each of the control activities and identify if there are any one-off deficiencies and findings and the effect these deficiencies have on the control environment. Management should have done this themselves, however we are noticing a growing trend with firm clients that this is not happening. Therefore, they have not. When evaluations of the deficiencies within each testing objective are left until the last minute, engagement teams are under pressure because management has to scramble to explain why those findings in the service auditor testing do not negatively affect the company’s control effectiveness . In some cases, we have advised our clients that management needed to quickly identify replacement controls to overcome these issues.

Take the time to compare and understand any changes in scope. Given year over year changes in controls and the risk that certain controls may not be operating as they were previously, SOC 1 reports will likely look different compared to last year. In extreme cases, some control objectives with deficiencies may be left out in an effort to maintain a “clean report.” We recommend that engagement teams take a closer look at how management mapped the relevant control objectives against the control activities that are being performed at the service organization. Given the significant changes to control environments at companies, we expect that the scope of the service auditor’s testing may not be “the same as last year.” Applying this expectation early will ensure the management, and in turn, auditors identify and address these changes completely and timely.

Do not forget to appropriately evaluate CUECs. CUECs are the controls that are the responsibility of the user entity to implement and operate effectively. These controls are listed in the SOC 1 report.

During our work with clients, we often note that engagement teams fall short when reviewing and testing management controls that address all relevant CUECs ² . Much like the changes we have seen at companies, service auditor control considerations continue to evolve because of new controls, new service offerings, or changes in the design of existing controls to adjust to the new normal. Service organizations continuously update the CUECs, and so user entities need to make sure their understanding of the CUECs is always up to date.

To evaluate the scoping of CUECs – especially when any CUECs are considered not applicable or not necessary to test, consider these questions:

Did the engagement team compare the current year CUEC listing to the prior year to identify any new or different controls this year?
Are all CUECs linked to controls tested for operating effectiveness?
Have any CUECs been scoped out? If so, what is the rationale from management?
Has the evaluation for why a CUEC is scoped out been corroborated through substantive procedures?
Is the work performed and documented in accordance with PCAOB AS 2601, AS 1215, and AS 2201 (if applicable)?

The key for the engagement team is to make sure that each relevant CUEC in the SOC 1 report is mapped to specific controls and in operation by the issuer and tested for operating effectiveness by the engagement team.

As we have seen cases when engagement teams miss the mark, it is important to remember that the PCAOB will hold your testing around SOC 1 reports to the same standard of controls testing just as if these were the company’s controls. For example, when testing controls that address CUECs, the same audit approach would apply over elements such as:

Design effectiveness;
Sample sizes;
Evaluation of adjustments and deficiencies in internal controls; and
Conclusion by the engagement team over operating effectiveness.

Examine the relevance and approach over sub-service organizations. Oftentimes, the report carves out specific sub-service organizations which management and engagement teams tend to overlook. This can sometimes be found in the opinion or in the write-up describing the operations and structure of the service organization, however, the report will always make clear what was in or out of scope in the opinion. It is vital that these sub-service organizations are assessed as to whether they are relevant to the internal control process and how internal controls would cover the sub-service organizations ³ .

Evaluate the bridge letter and its effect on the audit. Many times, the SOC 1 report will not cover the full period under audit, most frequently missing a period at the end of the year and posing risks for the audit of internal control over financial reporting. If this is the case, engagement teams should remind management to obtain a bridge letter from the service organization where the service organization represents that its controls have remained consistent since the last audited service auditor report.

For the engagement team’s assessment over the bridge letter obtained by management, the PCAOB has generally accepted a bridge letter to cover a period up to three months since the end of the last SOC 1 report period. Once a bridge letter starts to extend beyond three months, engagement teams should ensure that management is performing additional procedures such as testing additional controls to supplement the fact that last SOC 1 report may not be consistent with the internal control environment of the service organization as of the end of the year. With the onslaught of COVID-19, management should not assume that the service organization will continue to provide a bridge letter along the same timeline as in prior years OR that controls during the “bridge period” did not change. In fact, we expect the controls could have easily changed if operations went remote. If they did change, then management and the engagement team need to consider whether additional testing is required. It is imperative that management communicates with the service organization to ensure that the bridge letter is being received as expected and allows management ample time to evaluate and address anything unexpected.

Ultimately, SOC 1 reports are no different than any other internal control activity – management should already be communicating with its service organizations to understand any changes to the controls being tested at the service organization as well as changes in timing. While the service organization is the responsibility of management, we encourage engagement teams to be proactive in discussing these matters with management and evaluating SOC 1 reports in a timely manner. This will help engagement teams develop an appropriate audit strategy which will result in a smooth year-end audit.

Geoff Dingle , JGA Managing Director, works with PCAOB-registered accounting firms helping them identify, develop, and implement opportunities to improve audit quality. With over 20 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Geoff has extensive experience in audits of ICFR and firms’ systems of quality controls. Prior to the PCAOB, he worked on audits in various industries at Deloitte in Atlanta and Durban (South Africa) .

¹ A SOC 1 report (System and Organization Controls report) is a report a user obtains from a service organization describing the controls which are relevant to the user entities’ financial reporting that have been outsourced, performed, and opined on at the service organization.

² Complementary User Entity Controls

³ See section 2 of Auditing Interpretations of AS 2601 for more considerations on this topic. https://pcaobus.org/oversight/standards/auditing-interpretations/details/AI18

The Rise of SPACs: Risks to Consider for this Emerging Trend

Sun, 24 Jan 2021 16:56:31 GMT

I know, it sounds like a sequel to the Star Trek saga, but I assure you, it is far closer to home than the depths of space. Surprisingly, despite the uncertainty in the markets as a result of COIVD-19, 2020 was a big year for public offerings. While IPOs continue to occur, have you ever heard of SPACs? If you’re like me, the answer is no, not really. At least not until 2020.

A SPAC is a special-purpose acquisition company that raises cash through an IPO for the sole purpose of funding the acquisition of another company. The money raised through the IPO is put in interest-bearing accounts where it sits until an acquisition is made. Each SPAC has differing governing documents, but typically, the SPAC has about two years to complete an acquisition or the entity is liquidated. While some SPACs are formed with a specific target in mind, investors in a SPAC often do not know what company will be acquired and thus, when the transaction comes to fruition, investors in the SPAC are able to liquidate their shares if they don’t want to be invested in the target company. Because the sole purpose of the SPAC is to raise funds to purchase another company, they are sometimes referred to as “blank check companies.” They have no assets and there are no operations and thus the IPO process for a SPAC is much easier than for a traditional operating company. Once the SPAC has raised its funds and selected a target, it executes the transaction and the acquired company now becomes a public company. THIS is the real purpose behind SPACs.

While SPACs are nothing new and have existed for decades, their use has been very limited; that is, until 2020. In 2020, SPACs raised a total of $82.1 billion, up more than six times from the $13.5 billion raised in 2019 ¹ .

So why is there such an interest in SPACs? The appeal behind SPACs is that it can significantly reduce the time it takes for a company to gain access to the public markets, as compared to the traditional IPO process.

In a traditional IPO, the due diligence process is much more robust and a company seeking to go public must submit a registration statement to the Securities and Exchange Commission (SEC) which can involve multiple rounds of SEC reviews and comments prior to the actual offering. Through a SPAC, however, target companies access public markets through a merger with the public SPAC entity. While mergers and acquisitions still take time to complete, there are less hurdles in the process and as a result, it can usually occur faster than an IPO.

So what are some of the risks involved with SPACs? Because of the nature of required disclosures in an acquisition, much of the same data is being provided as in an IPO registration statement; for instance, a registration statement requires audited historical financial statements just like the historical financial statements of the SPAC-acquired company. However, a key difference here is that a traditional registration statement goes through multiple rounds of review by the SEC prior to the IPO which can take months, whereas the audited financial statements of a target company for a SPAC become available to the SEC once the acquisition has been submitted for shareholder approval. Once approved and the merger occurs, the new company has four days to file a super 8-K and the company is now required to adhere to all public company reporting requirements. This means the target company (a private operating company) must be prepared upfront for all public company reporting and operating requirements.

In addition, in the lead up to an IPO, the SEC has strict requirements around what is able to be communicated and by whom. In a SPAC acquisition, the target company is often private and is not specifically restricted in how or what is communicated with the public. For instance, startups that use SPACs to go public can continue to communicate with the public up until the acquisition, including communicating future projections which may not be fully grounded or vetted. Startups typically have strong growth forecasts, but we also know that plenty of IPOs fail to achieve those projections. The same holds true for startups that go the SPAC route. Of course, investors in the SPAC have the option to sell their shares prior to the execution of an acquisition if they think the target company is over-valued, but that assumes investors are knowledgeable enough and have access to financial data to make informed decisions about the target company.

Another risk is found in the potential “conflict of interest” for SPAC sponsors. The sponsors are incentivized to execute a transaction and close a deal. While the sponsors must operate and execute according to the governing documents, some sponsors may be influenced to close on “any” deal as opposed to an “appropriate” deal. Or, without advance regulatory review, this could also result in poorer upfront due diligence by the sponsors for the sake of closing the deal and getting paid.

These risks seem to relate mostly to the public interest. What about audit risks involving SPACs? For auditors, the risks surrounding a SPAC and/or SPAC acquisition are not significantly different from that of any other merger or acquisition. However, there are a couple key points to keep in mind if you run across a SPAC acquisition (likely of your client, the target private company):

Acceptance and Continuance: Given some of the SEC/PCAOB regulation and compliance factors discussed below as well as the “significant unusual transaction” of going public through a merger, we recommend engagement teams re-visit acceptance and continuance decisions and ensure proper completion and approvals throughout the firm. In completing the A&C forms, engagement teams should consider client competencies and readiness for becoming a public client. All of these elements will change the overall risk associated with the client audit.
Independence: Because public companies require a PCAOB opinion, audit firms will now need to consider SEC and PCAOB independence rules with respect to the private client and the public SPAC. There are differences between AICPA independence rules (the rules most typically applied to private company audits) and SEC/PCAOB independence rules. Mergers that result in a private company becoming public can easily lead to independence oversights, so be sure to fully vet out all past and current services and relationships and ensure SEC/PCAOB compliance prior to accepting/continuing the engagement and prior to issuing the PCAOB opinion over the financial statements. For additional insight on common independence pitfalls, refer to Independence Violations.
Risk Assessment: In addition to A&C procedures, re-visit risk assessments such as inherent risks and fraud risks. There are additional fraud considerations such as incentives or pressures for SPAC sponsors to execute transactions. While the SPAC sponsors are separate from the private company management, the target company could also be pressured to promote stronger financial performance or to accelerate the due diligence process including rushing an audit to enable a faster close time for the transaction. Audit teams need to incorporate these potential risks into the planning and risk assessment.

Historical Financial Statements: Target companies must be prepared to issue historical financial statements that are reported under US GAAP applicable to public companies (with some exceptions permitted) and audited in accordance with PCAOB standards. SPACs typically acquire private operating companies and because PCAOB standards are only required for public companies, many target companies will need to obtain PCAOB audits for historical financial statements. In addition, private companies being acquired by a SPAC will now have to accelerate adoption of all new accounting guidance applicable to public companies. While ICFR is not initially mandatory in the first year, target companies will need to start formalizing internal controls and ensuring they have appropriate resources, including knowledgeable staff familiar with US GAAP and SEC reporting.

PCAOB Registration: In complement to the point above, for some audit firms who focus only on private company clients, issuing a PCAOB opinion may require the firm to register with the PCAOB which will open the firm to PCAOB regulation including inspections over engagements and the firm’s system of quality control. Firms should consider these internal regulatory risk factors when doing acceptance and continuance procedures and assessing client risks.

Accounting Treatment: As with any acquisition, it is important to be familiar with how these transactions are typically accounted for. Is it an asset purchase? An acquisition? Reverse merger? For SPACs, often the target company is considered the surviving company (acquirer) because the SPAC would not meet the definition of a business. In these situations, the acquisition would typically be accounted for as a reverse recapitalization which means the target company’s historical financial statements become the surviving entity’s historical financials. It is worth noting that no new goodwill or intangible assets would be recognized as it is not an acquisition but a recapitalization. If you’re not sure about the accounting, there are a number of industry publications that help explain SPACs and lay out the relevant accounting guidance. Engagement teams should consider consultation with technical experts to confirm appropriate accounting treatment and financial statement presentation. We recommend that the accounting – and possibly the auditing – over these types of transactions be a mandatory consultation under a firm’s QC system. This consultation could also cover the adoption of all public-company US GAAP requirements that are triggered as a result of the transaction.

SEC Reporting Requirements: Once the private company is public, on a go-forward basis, it is subject to all SEC reporting requirements, including quarterly reporting, which may only be a few weeks after the transaction closes. Engagement teams must ensure that their client has a robust interim reporting process in place to enable effective quarterly reviews under PCAOB standards at the outset.

Consistency of Other Information: Related to the risk assessment points made above, how did actual results compare to management’s assertions to potential investors before the SPAC transaction? Now that information related to the company’s performance and prospects will be reported in the MD&A, a thorough multi-year audit under PCAOB standards will surely improve the transparency over the historical results and the reasonableness of prospective information. While auditors only issue opinions over the financial statements, keep in mind the following PCAOB standards that relate to other information included with audited financial statements: AS 2701: Auditing Supplemental Information Accompanying Audited Financial Statements and AS 2710: Other Information in Documents Containing Audited Financial Statements.

I think 2020 was just the start of the rise of SPACs. Keep your eyes open and you’ll see them appear in headlines all over the news; after reading my first article on SPACs earlier this year, I have since read dozens more. Most articles seem to be a veiled “warning” of sorts identifying the significant rise in SPAC capital raised and the potential increased risk to investors. No doubt SPACs are on the SEC’s radar and they are considering whether additional oversight and regulation is necessary, but it wasn’t until 2020 when SPACs really began to take center-stage. Time will tell how this stage plays out, but for now, SPACs are becoming a new norm. If you come across a SPAC acquisition, keep in mind the risks and ensure you’re comfortable opining, even if the deadlines are accelerated and tighter than a traditional IPO.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

¹ https://www.wsj.com/articles/startups-going-public-via-spacs-face-fewer-limits-on-promoting-stock-11609678800

Internal Inspections – Part III: Remediation – How to Read and React to the Results

Sun, 24 Jan 2021 16:31:11 GMT

Finally, the last installment of our three-part series on what makes an internal inspection program effective. Part I and Part II of the series focused on the design and execution of an effective internal inspection program, so now that the internal inspections are completed, what do you do with the results? In this article, we would like to explore how you can read and interpret the results and effectively react to remediate potential deficiencies in a firm’s system of Quality Control (QC).

Remediation is typically a natural reaction when something doesn’t quite work as planned. For example, my exercise plan is not yielding the results I expected. Naturally, one would want to fix this, however, rather than implement generic or random remedial actions we think might be the answer, we should understand why the plan did not work. We can do this by gathering and analyzing information; known to most in the auditing practice as a “root cause analysis” or “RCA”.

Root Cause Analysis

RCA’s are not required, however, that could change with the PCAOB’s proposed quality control concept release , and is already required under the new ISQM 1. The current guidance in QC 30, Monitoring a CPA Firm’s Accounting and Auditing Practice, specifically states the following:

Pre-issuance or post-issuance review of selected engagements can be a potential monitoring procedure (QC30, .03)
The adequacy of and compliance with a firm’s quality control system are evaluated by performing such inspection procedures as (QC30, .06):
Summarization of the findings from the inspection procedures, at least annually, and consideration of the systemic causes of findings that indicate improvements are needed;
Determination of any corrective actions to be taken or improvements to be made with respect to the specific engagements reviewed or the firm’s quality control policies and procedures

Additionally, Staff Guidance Concerning the Remediation Process, published November 18, 2013, specifically refers to the use of a root cause analysis in a firm’s evaluation of the relevance of the developed remedial action. To take it one step further, the PCAOB’s own process for reviewing the Firm’s Quality Control Systems includes the consideration of root causes.

Although there is no explicit requirement for Firm’s to perform a formal RCA, perhaps it is expected as implied by the various statements above.

A Root Cause Analysis, whether it’s defined by Wikipedia, Journal of Accountancy or some other source, is simply a technique to determine the underlying cause of a problem or audit findings in our case. The steps vary, depending on what source you turn to, but the fundamental model is to understand the findings, brainstorm on possible causes, collect additional data if necessary, and identify remedial actions. The difficulty is in determining the complexity and depth of the RCA for it to effectively contribute to the development of remedial actions. Our March 2020 article RCA: Seems like EVERYBODY is talking about Root Cause Analysis includes insights and considerations into designing and performing an RCA. We have included some of those highlights here along with a few additional tips.

Independently conduct interviews with the engagement team and those directly involved with the audit to identify possible causal factors to the findings.
Keep asking “why”. There is usually more than one causal factor as well as layers of causal factors.
Don’t dismiss causal factors that appear un-likely or unrelated to the issue as it could lead to unexpected and effective remedial action.
Analyze data in different ways; similar audit findings can be dissected in various ways to yield different causal factors.
Meaningful and effective remedial actions are often developed from the deeper layers of causal factors.
Don’t forget to consider audit quality indicators (AQIs). Internal inspections that were successful also provide pertinent information in developing remedial actions.

RCA’s are not a “one size fits all”. These tips are a good place to start, but RCA’s can vary from firm to firm based on factors such as size and structure of the firm, complexity of issuers, compliment of partners and staff, and types of deficiencies, just to name a few. Firms should consider such factors and implement an RCA to best suit its own circumstances.

Remediation

Once you have identified root causes, as well as AQIs, the next step is to develop remedial actions. The PCAOB released guidance in November 2013 which describes certain staff considerations to determine the sufficiency of a firm’s remediation efforts. The staff’s assessment criteria include Change, Relevance, Design, Implementation, and Execution and Effectiveness. On the surface, these criteria appear to be straightforward, however, as discussed further in the staff guidance and as seen by us in our experience at and with the PCAOB, firms have difficulty in developing remedial actions that satisfy certain criteria, especially when responding to repeat criticisms. The PCAOB, in its guidance, provided additional insight into how it applies certain criteria when evaluating a firm’s remediation efforts. Here are some points we would like to emphasize and provide additional thoughts on the topic.

Repeat or Persistent Criticisms: Responding to a criticism for the first time is always easier than the second, third or even fourth time around. For example, training is an obvious remedial action that doesn’t take much soul searching to come up with, however, how do you make a meaningful enhancement to training on the same topic or criticism year over year? As suggested in the PCAOB’s guidance, firms should think about content and delivery method of training. We believe that by digging deeper to understand whether there’s a different or more specific root cause, firms can do better. This is where a well-designed RCA can be very important in developing more meaningful remedial actions and strengthening a firm’s quality control structure. Firms should also keep in mind, there are many other remedial actions that can cover multiple criticisms and should perform a detailed analysis to link all actions that provide a response to a specific criticism. Having said all this, Dane Dowell, JGA Director, published an article in November 2020, “Will the PCAOB Ever Be Satisfied” , which goes deeper into these repeat criticisms. At some point, all of the firm’s best efforts won’t be enough and the PCAOB will need to provide more clarity on how satisfy its requirements. In the meantime, firms will have to be patient and stay the course.

Remedial Actions: Think outside the box. Not all actions are directly correlated to the criticism. A criticism related to auditing management estimates could certainly be attributable to lack of training or poor supervision and review, but it can also be affected by timing of the audit procedures or the review, or even the manner in which a review was performed (in the field or remotely). These seemingly uncorrelated actions may not appear to be effective or meaningful, but taken in concert with all other relevant actions, a firm can build a strong case.

Monitoring: In order to determine execution and effectiveness, the remedial action must be designed to be measured. If the remedial action is to deliver training with extended content, it might be easy to validate the training was delivered or attended, however, is there a mechanism in place to measure the effectiveness? On one hand, the results of subsequent inspections may imply effectiveness, however, it’s difficult to make a direct or close correlation. For this reason, most criticisms will be addressed with multiple remedial actions. This, again, stresses the importance of a well-designed monitoring and evaluation program . The results of the monitoring program will provide a firm with, hopefully, positive data to support effectiveness of the remedial actions, but even if it doesn’t yield positive results, a firm’s thoughtful evaluation of the remedial actions and results can still demonstrate good faith progress. Refer to an article we published in November 2019 highlighting the importance of monitoring.

Response: Although the response to the PCAOB Inspection Report is not technically part of a firm’s internal inspection program, we wanted to highlight its relevance in the overall remediation process. The response is not specifically addressed by the staff, but we believe the response itself plays an important role in achieving a satisfactory determination. The response provides the firm with an opportunity to paint the picture and “demonstrate substantial, good faith progress toward achieving the relevant quality control objectives”. There’s no doubt that effective remedial actions are critical to a firm’s remediation efforts, however, the overall response can also provide more flow and clarity on how such actions work together to meet a common goal.

Internal inspections can be a powerful tool to strengthen a firm’s quality control structure if it is designed and executed properly. There are, of course, cost benefit considerations, but there’s always a way to scale to size. We understand that firms feel beat down by it all; inspections (internal and external), repeat criticisms, remediation, but firms are not completely helpless. Even though firms can’t control how its evaluated, they do have quite a bit of control in ensuring it continues to focus on quality control and continuous improvement by being proactive, creative, thoughtful, and diligent in planning and executing its internal inspection program.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

Recap of PCAOB Hot Topics from the 2020 AICPA National Conference

Wed, 16 Dec 2020 21:58:48 GMT

Last week the annual AICPA National Conference on Current SEC and PCAOB Developments was, as always, a great update from a wide variety of speakers covering many accounting and auditing-related topics. It won’t be a surprise to you that in addition to this conference taking place virtually for the first time, the effects and implications of COVID-19 made a ‘guest appearance’ in almost every presenters’ remarks. If you were not able to join the event, here are a few important PCAOB-related topics that were discussed by the Board, its staff, as well as other presenters on PCAOB matters.

Inspection Program Updates: Increased Unpredictability

The PCAOB plans to revise its 2021 inspection approach by selecting more issuers for inspection on a random basis , although still maintaining the same total number of issuers selected for inspection. Recently appointed Board Member, Megan Zietsman, stated that the PCAOB will still continue to focus their inspection efforts on the largest issuers from a market capitalization perspective, however the increased unpredictability in the PCAOB’s issuer selection process should help raise overall audit quality. The PCAOB’s revised approach to increase random selections of issuers is an attempt to encourage audit firms to consistently perform quality audits across their whole practice rather than dedicating their best resources to just those audit engagements that they believe will have a greater chance of being selected for inspection by the regulator.

Board Member Zietsman went on further to state that the PCAOB is planning to select more non-traditional areas of focus for inspections. Over the years, firms have gotten familiar with the types of focus areas that the PCAOB would select for inspection. The change in the Board’s planned approach for inspections is an attempt to bring in some unpredictability into the inspection process and thus increase audit quality.

Our thinking is that all firms should be reflecting on the selection process of their monitoring programs for their pre- and post-issuance reviews. Firms should not focus their monitoring entirely on their larger, “riskier” clients under a traditional risk assessment model but should consider adding some level of additional randomness in their selection process, and in the process consider including some non-traditional focus areas in their monitoring reviews. We will be incorporating aspects of this in our practice monitoring programs that we perform with our clients.

Inspection Reporting Update: Preparing for Delays

As we are all undoubtedly aware, the PCAOB has recently redesigned the format and content of its inspection reports to reduce some of the boilerplate language and to provide more relevant and useful information. All the 2018 annually inspected firm reports have been recently issued in this new format, and all domestics and international triennially inspected firms will follow suit. George Botic, PCAOB Director – Registrations and Inspections, commented that the final 2019 reports for the annually-inspected firms will be released early in 2021 (we understand that some of the annually-inspected firms have already received draft 2019 inspection reports). In addition, because of the significant backlog, the 2018 reports of triennially inspected firms will only be published “over the coming year” ¹ .

Just stepping back and looking at this holistically, this means that somewhere around 150 2018 inspection reports (which would be reporting the inspection results of 2017 audits), could theoretically only be issued in late 2021…some four years after these audits were performed. At the end of the day, even if the format of the report is more useful to users of the reports, the lack of timeliness of the information almost makes the information in these reports moot as potentially three more audit cycles have already been completed since these inspections. Back in September 2020, we wrote an article covering this very concern .

Revisions to Part II of the Inspection Report

Board Chairman William Duhnke also discussed changes being made to Part II of the inspection report. Historically, the PCAOB sometimes identified its Part II quality control (“QC”) criticisms based on a single deficiency that the inspectors identified as part of their QC review procedures. As Chairman Duhnke stated during the conference, a firm’s QC system should be designed to provide reasonable assurance, not absolute assurance, of QC compliance and that a single audit deficiency is not always indicative of a problem in a firm’s QC system. To mitigate this, the Board has developed an internal QC evaluation framework which looks at the severity of the identified deficiencies and the likelihood of the deficiency recurring. The intent is to assist the Board to identify those deficiencies that are significant enough that, if not remediated, would make the firm's QC system ineffective. Although a single audit deficiency could still result in a firm-level QC criticism, firms should be pleased that the Board is at least considering a deeper, more thoughtful, and consistent dive into what ultimately gets included in Part II of their reports. The framework will be used starting with the soon to be released 2019 reports.

Remediation Updates: Increasing Transparency and Investor Confidence

Board Member J. Robert Brown discussed his thoughts on where he would like the PCAOB to be vis-à-vis transparency in the remediation process. He indicated that the Board should consider the need for changes to policies and guidance with respect to the remediation process. He raised the point that the Board is not making much information public about how the remediation process works in practice or how the PCAOB determines whether remediation efforts are satisfactory. His remarks included a proposal for the Board to annually publish an aggregate anonymized report that provides greater insight into the QC deficiencies that PCAOB inspectors uncover during the inspection process and how these QC deficiencies are remediated. Ultimately, the beneficiaries of this type of information would include audit firms, audit committees, investors, as well as the PCAOB itself. Board Member Brown stated that disclosure and transparency in the remediation process would facilitate public feedback and contribute to a high level of investor confidence in the audit process.

Personally, I see this as a step in the right direction. Often, when working with JGA clients in troubleshooting deficiencies and determining remedial actions to implement, firm clients ask us how other firms remediated similar issues and how PCAOB remediation staff evaluated the proposed remedial actions historically.

Quality Control Standard Update

It has been exactly a year since the PCAOB released the Quality Control Concept Release for comment. Barbara Vanich, PCAOB Acting Chief Auditor, confirmed that the Board still sees the revised QC standards as a high priority, and they continue to monitor the implementation of the recently revised ISQM1 standard. Firms should already be planning for this eventual QC standard and seeking out resources and tools to get ahead of the eventual requirements.

This insightful conference did not disappoint and it is very clear that there are many changes anticipated in the audit and accounting space expected in the near future. You can rest assured that we will continue to monitor and communicate these updates as they develop.

Square is to Rectangle as Control is to Process: The Distinction Between Processes and Controls

Wed, 16 Dec 2020 19:22:11 GMT

For those who remember the SAT exam, the verbal portion of the test used to include analogies where you had to identify the relationship between two words presented and then select two words that had the same correlation from the multiple choice options. For example, some words were antonyms, such as “hot is to cold,” and thus the correct answer would be two words that were also antonyms, such as “high is to low.”

For purposes of this article, I’ll propose the following:

Analogy : square : rectangle :: control : process

Relationship : All squares are rectangles just like all controls are processes. However, not all rectangles are squares, just like not all processes are controls.

The emergence of internal controls really took shape when Congress passed the Sarbanes-Oxley Act of 2002 (SOX). The act required companies to formalize and evaluate their internal controls over financial reporting (ICFR) and, depending on size of the company, auditors were then required to report on the design and operating effectiveness of ICFR. Though internal controls were hardly new, this was the golden era of SOX-implementation.

Now, nearly 18 years later, ICFR may seem like old news, but through my work with firms performing in-flight and lookback reviews or advising engagement teams with their audit planning discussions, I am finding more and more that engagement teams struggle to understand the distinction between processes and controls. This distinction is critical to identify the appropriate controls that address potential “what could go wrongs” in a process and cover the risks of material misstatement in financial reporting.

As you know, as part of planning, auditors are required to obtain an understanding of the design of controls for significant classes of transactions. This understanding is required as part of risk assessment. For ICFR audits or audits with planned controls reliance, in addition to understanding design, engagement teams must also test the operating effectiveness of controls.

Often, engagement teams obtain a process narrative and perform a high-level control walkthrough, identifying easy controls such as dual check signatures or bank reconciliations. However, I find that many teams fail to adequately dig in to the process at a granular level to really understand the controls.

An example process is “sales to cash” which covers the processing of information from the initial receipt of a purchase order through to cash collections. Understanding the overall process is critical, but even more important is truly understanding the specific controls embedded in the process that are part of ICFR. Controls by their very nature are either “preventive” or “detective.” A simple example of a revenue “process” might be as follows:

Once an item is shipped, the invoice is generated and sent to the client for payment.

While this is a simple statement that describes the process, the generation of the invoice, itself, is not inherently a control.

If the Accounting Manager manually generates the invoice, what is the control that prevents or detects errors in the invoice creation? The control would be the separate review and approval of the invoice by someone other than the preparer (i.e. the controller) and would include a reconciliation to the packing slip and purchase order for key revenue recognition terms such as price, quantity, terms, and date. The generation of the invoice itself is part of the process but is not a control. The review is also part of the process but is a control to ensure the invoice is complete and accurate. In addition, other controls that should be built into this process would include review and approval over the journal entry to record revenue, AR, inventory and COGS debits and credits.

What if the invoice is automatically generated? For example, the invoice is generated in the system when inventory items are marked as “shipped” in the inventory module. Whereas the manual process might be covered by one manual control, the automated generation of an invoice is likely to have several automated controls built into the system, such as:

Invoice automatically pulls shipped quantity via interface with the inventory module. ¹
Invoice automatically pulls price from the purchase order.
Invoice cannot be generated without shipment from the inventory module.
Manual price or quantity adjustments on the invoice automatically require separate approval based on pre-set limits within the system.
Generation of an invoice automatically debits AR and credits revenue in the GL.

These are all automated controls that exist in the system, but are often overlooked when engagement teams obtain an understanding of the process.

While I speak from my own experience, in its Staff Update and Preview of 2019 Inspection Observations , the PCAOB identified numerous, recurring ICFR deficiencies, including the following:

Auditors did not identify and test controls that sufficiently addressed the risks of material misstatement related to relevant assertions of certain significant accounts.

I think there are multiple reasons for the lack of understanding of the distinction between processes and controls and thus the failure to sufficiently identify controls that address potential risks of material misstatement.

Changes to ICFR

The ICFR framework is perpetually changing within companies as they grow and evolve. For fiscal year 2020, process have changed for most companies as they have had to adapt to remote work environments ² . If the process has changed, then the controls (which are part of the process) have also inherently changed.

Given the impacts on most P&Ls as a result of COVID 19, materiality thresholds are likely to be lower in FY 2020 and thus new accounts might be in scope. Or, alternatively, there could be new significant and unusual transactions that are occurring in FY 2020 where companies must design controls for transactions that have not otherwise previously occurred. Typically, these controls are management review controls which are often more complex controls with specific auditing considerations ³ .

It’s no longer “same as last year.” That means companies and engagement teams need to dig in to understand the new processes more fully and separately identify the new controls.

To understand processes, whether new, modified, or unchanged, I find it helpful to use flowcharts, breaking down the process into a step by step transactional flow. When I coach engagement teams in this area, I recommend asking detailed questions and literally go step by step. “What happens next?” For anything that takes place in the system, ask the client, “Where did those numbers come from?” or “What triggers that interface? that batch? that invoice?”

Most clients have a controls matrix that inventories all controls. If they don’t, ask for one; ICFR is first and foremost the responsibility of management. As engagement teams perform walkthroughs and write up a process narrative, consider including specific references to each control (from the matrix) so it’s clear where in the process these controls occur. Then take a step back and for each control, ask “what is preventive or detective here?” If you can’t answer that question, ask the client that same question.

For more senior members of engagement teams, when reviewing flowcharts and narratives, take a more critical approach in asking the question, “What could go wrong?” Then ask, “What control addresses this risk?”

Continued Integration of Technology in ICFR

While IT has made operations significantly more efficient for companies, I think it has also contributed to a further lack of understanding of controls. Engagement teams understand that data goes into a system but fail to understand what is occurring in the system and how the configuration is actually a series of automated controls.

Again, this goes back to the importance of understanding each step in the process and how the system processes data. Consider including IT auditors when performing walkthroughs since more and more companies are automating operations. As IT becomes more pervasive, the more internal controls will become IT dependent.

Despite continued automation, there are almost always capabilities for manual overrides and workarounds, so keep asking questions like, “What happens if there’s an exception?” or “What are the controls around manual overrides?”

Lack of Experience in ICFR

I started working in public accounting in 2006 and my start class was one of the last classes to really focus on ICFR implementation. Of course, there are new SOX implementations when clients grow large enough to fall in scope for ICFR compliance or when clients go public. But that is rare. While firms continue to do ICFR training, there is a difference in knowledge and experience gained from simply taking an ICFR training and going through an ICFR implementation. My start class, most of whom are now senior managers, directors and partners within accounting firms or upper-level accounting executives at companies, was the last class to experience mass ICFR implementation across multiple clients. It’s important that firms continue to provide training over ICFR for more junior staff, but they must also be sure to provide hands-on teaching and mentoring from more experienced staff who can pull from years of experience in SOX-implementation. As well, for more complex controls, such as management review controls it is critical to involve experienced auditors in the review.

Given the increasing volume of data, automation of information processing and the PCAOB and SEC’s continued focus on ICFR, internal controls are not going away. It’s important we continue to drill down into processes and understand “what is the process” versus “what is the control.” And remember the square to rectangle analogy: controls are a process, but the process is not necessarily a control.

And for those of you who remember (and probably hated) the analogies section on the SAT exam, you’ll be happy to know that they are no longer part of the verbal section. In fact, the entire verbal section has been replaced by two sections including “reading” and “writing and language.” Perhaps it could best be summarized by the following:

Analogy : new : similar :: change : same

Relationship : New format, same skills, just like the more things change, the more they stay the same, really.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

¹ Note that the interface would have its own set of controls to ensure appropriate communication of data from the inventory system to the revenue system.

² For more information on COVID-19 considerations as regards internal control, please refer to the following: https://www.jgacpa.com/side-effects-of-covid-19-internal-controls-in-a-time-of-pervasive-change

³ For more information on testing management review controls, please refer to the following: https://www.jgacpa.com/meeting-pcaob-requirements-for-icfr-achieving-compliance-with-the-vaguest-of-standards

Critical Audit Matters: Are Your Engagement Teams Ready to Report?

Tue, 17 Nov 2020 14:37:17 GMT

As you know, back in 2017, the PCAOB undertook one of the most significant changes to the audit report in over 70 years which required the auditor to disclose, among other items, critical audit matters (or CAMs) in its issuer audit reports. This was a major departure from the norm where previously almost all information in report filings (Form 10-K’s etc.) originated from management. Prior to that, the only auditor-driven communication was the audit opinion – with the standard audit report language changing in instances of things like reporting on material weaknesses or an emphasis of matter.

The advent of CAM disclosures is intended to spur more comprehensive discussions with audit committees, helping them with oversight responsibilities, as well as to provide additional insight into the audit for investors. So, lets backtrack and provide some background.

What are CAMs?

AS 3101: The Auditor's Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion, describes CAMs as “any matter arising from the audit of the financial statements that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the financial statements and (2) involved especially challenging, subjective, or complex auditor judgment.” In determining what should be disclosed as a CAM, the auditor should consider, among others:

The auditor's assessment of the risks of material misstatement, including significant risks;
The extent of judgment required by the auditor related to areas that involved significant management judgment or estimation, including estimates with significant measurement uncertainty; and
Audit effort involved in addressing the matter.

When were (are) CAMs effective?

The reporting of CAMs has been in effect since June 2019 for audits of large, accelerated filers. For all other issuer audit teams, your time of reckoning has arrived – all issuers with fiscal years ending on or after December 15, 2020 are now required to report CAMs in the audit report ¹ . Hopefully, you have started the process of identifying and assessing potential CAMs for disclosure in your audit report if you have a PCAOB issuer client. We have seen that a lot of effort and resources are needed for first-time implementations, including dry runs.

What has been the CAM experience so far?

The PCAOB has been evaluating the effects and benefits of the introduction of CAMs in the company filings that had adopted the AS 3101 requirements and in October, they released an interim analysis of its provisional thoughts on the CAM implementation thus far. The chart below depicts the PCAOBs summary of the financial statement areas where CAMs have been identified, to date.

Although engagement teams spent a fair amount of time and resources during their initial implementation, the costs were generally inconsequential and there were no significant unintended consequences. In addition, the audit regulator concluded that investors were finding the information to be very beneficial and worth the overall efforts.

As evident from the table, the major financial statement areas of CAM disclosure were revenue recognition, goodwill, business combinations, accruals and reserves, and allowance for loan losses. This is consistent with our expectations considering the extent of judgment and estimation that is required when auditing these complex areas. Based on the ongoing pandemic and economic turmoil in certain sectors and industries in 2020, one must expect that along with increased focus on impairment of assets (goodwill, intangibles assets and long-lived assets), auditors will need to address CAM considerations for areas including going concern , allowances for doubtful accounts, loss of suppliers due to their bankruptcy, etc.

It is also interesting to note that on November 4, Board Member Brown delivered a speech at the International Corporate Governance Network Virtual Global Summit where he focused on the hot topic of Environmental, Social and Governance (or ESG) disclosure. While Mr. Brown believes that this is not something that the PCAOB has usually had at the top of its mind, he stated that “the PCAOB and other audit regulators have an important role to play in the ESG disclosure space.” He went on further to acknowledge that the profession is “at the early stages of the implementation of this important audit standard. The audit report and the discussion of ESG CAMs will presumably evolve in content, frequency, and usefulness. Both investors and regulators will have an important role to play in influencing the direction of this evolution.” So, looking ahead to future PCAOB inspections, expect there to be some thought-provoking inquiries from its inspectors around the auditor’s consideration of ESG when determining its CAMs. It is clear that auditors are going to have to give CAM consideration to more qualitative concerns such as climate change, carbon emission mandates, etc.

What should be your next steps?

First, all issuer audit engagement teams should be starting now to identify and analyze potential CAMs that you think will need to disclose and then make sure you have a process in place to collect the information you need to include as part of your CAM disclosure in your audit report. Remember to ensure early and transparent communications with audit committees, explaining the process and the items being considered as CAMs. We recommend that firms map significant risks to their CAM evaluation, applying the considerations that, while not all significant risks will give rise to a CAM, this is a significant step in assessing the completeness of potential CAMs. Our clients have applied a number of different tools to apply these considerations and there is not one right answer. If you or your engagement team need assistance in this evaluation, we have a tool that we can use for our clients’ CAM considerations.

Second, engagement teams should be including in CAM considerations, qualitative concerns, including the effect of ESG on your audit approach and audit testing. As these CAM requirements are new, it almost guarantees that most, if not all, PCAOB inspections in 2021 will include discussions around the engagement team’s CAM disclosure process.

Finally, make sure that your documentation is clear as to the thoroughness of your CAM evaluation and the discussions around these with your audit committees including documenting why items that were discussed with audit committees were not considered CAMs. Through our work, however, we have seen that clear, comprehensive documentation that applies the standard will save the day for accurate reporting and a future pass from inspectors.

As we move into this next phase, we will certainly be following the successes and pitfalls of this final wave of implementation. We are looking forward to learning more on the successes and challenges as we work with our clients on their first-year implementation of CAMs, including through our in-flight reviews and assist them in developing some best practices.

¹ Communication of critical audit matters is not required for audits of (1) brokers and dealers reporting under Exchange Act Rule 17a-5; (2) investment companies registered under the Investment Company Act of 1940 other than companies that have elected to be regulated as business development companies; (3) employee stock purchase, savings, and similar plans; and (4) emerging growth companies.

Repeat Findings: Will the PCAOB Ever Be Satisfied?

Tue, 17 Nov 2020 14:14:51 GMT

When I work with engagement teams during PCAOB inspections, I often hear the same questions and comments throughout the inspection process: Does the PCAOB really expect me to test at that level of granularity? We’ve been working on improving testing for years; what will it take to satisfy the inspection team? This feels like they want absolute assurance. Isn’t an audit designed to achieve reasonable assurance?

Trust me, you’re not alone in your frustrations. In fact, many firms continue to struggle with very similar audit deficiencies and many of these deficiencies are recurring multiple years in a row. Which begs the question; how do we satisfy the PCAOB?

In October 2020, the PCAOB published its Staff Update and Preview of 2019 Inspection Observations detailing some of the PCAOB’s various updates including inspection transformation activities, observations around best practices, and recurring deficiencies identified from its 2019 inspection cycle. The findings summarize the results from inspections (typically) over 2018 fiscal year-end audits from firms of all sizes.

The PCAOB acknowledges that many of the deficiencies are “similar to those [the PCAOB] observed in prior years.” In fact, a brief review of past inspection observation reports dating back to 2015 shows that many of the 2019 themes are in fact “repeat findings.” Below is an analysis of the 2019 common deficiencies and a look at the historical context of these findings.

Revenue

Given the associated fraud risk, revenue is almost always an audit inspection focus area. In 2019, the PCAOB found numerous audit issues around the adoption of ASC 606. In 2018, the PCAOB also identified revenue as a common area of deficiencies though the nature of the findings were different, relating instead to testing of occurrence and sampling . Prior to 2018, the findings are not as specific in terms of focus area and thus revenue is not specifically identified.

Independence

The next 2019 theme identified by the PCAOB relates to independence. In its 2016 and 2017 inspection observations, the PCAOB also identified concerns involving auditor independence. This is consistent with my experience working with audit firms and difficulties ensuring all independence policies are complied with. The SEC continues to issue new guidance such as updated FAQs and even amendments to independence regulations (as recently as October 2020 ). It’s clear that independence has been a continued topic of conversation between auditors, clients and regulators. Why is independence so difficult to adhere too? Are the independence standards too precise or too vague? Complicated? Unnecessarily strict? Could it be that there are too many various sources of independence regulations, including SEC, PCAOB, AICPA, and possibly others depending on the jurisdiction of the issuer?

Accounting estimates

The 2019 inspections observations highlight the continued struggle firms face in auditing accounting estimates. Specifically, the PCAOB discusses difficulties auditing the allowance for loan losses (the qualitative factors used in reserve methodology) as well as estimates related to business combinations, such as auditing projections used to value acquired intangible assets. An accounting estimate is inherently uncertain and by its very nature, there is no one correct answer. Looking back at past findings, the PCAOB has identified deficiencies in auditing estimates since 2015 . Wow – more than five years and still it’s a common theme.

In my experience working with firms, whether in performing lookback/in-flight reviews or supporting firms on PCAOB inspections, there are clearly cases where engagement teams fail to perform procedures over estimates. But I also have seen instances where firms have performed substantive procedures using the limited information that is available in the marketplace, or looking to historical trends to attempt to support cash flow projections and yet the PCAOB still takes issue.

Is the PCAOB being overly exigent in its expectations of audit firms? What is considered “reasonable assurance” when auditing an estimate that is inherently uncertain and impossible to conclude with exactitude? Does the PCAOB have an unrealistic expectation of what auditor’s should be doing to test these estimates? While the PCAOB amended AS 2501, Auditing Accounting Estimates, is that sufficient or should the PCAOB release additional staff audit practice alerts to clarify its expectations?

C&A

In 2019, the PCAOB found that firms failed to sufficiently test information for completeness and accuracy (C&A). This was a sub-finding of its overall auditing accounting estimates finding, but C&A of information (from a substantive perspective) has been a common PCAOB finding dating back to the 2016 inspections observation report. It was even mentioned in the 2015 report when the PCAOB was discussing its concerns around professional skepticism. Why is it that the audit industry can’t seem to remediate this deficiency?

I remember when I was at the firm, more than 10 years ago, there was such a thing as “standard reports” and completeness was often obtained just through tying schedules back to the trial balance. In observing PCAOB inspections recently, I hear questions challenging the assertion that there is such a thing as a “standard report” or asking for additional testing over completeness. While I understand the logic that yes, any report in today’s day and age can be modified given the widespread ability to alter systems, it feels as though the PCAOB’s interpretation of standard report has changed from more than 10 years ago. It seems the more we learn, including the PCAOB, the more we refine our expectations.

Is the PCAOB’s expectations of testing C&A morphing over time? Should the PCAOB release more specific guidance relating to the testing of C&A?

ICFR

Internal controls over financial reporting (ICFR) is a huge area unto itself and thus it’s no surprise that the PCAOB continues to find deficiencies within ICFR. However, there are three main topics that continue to surface:

Identification of controls to address risks of material misstatement: Since 2016, the PCAOB has included language around the identification of controls as well as the testing of design and operating effectiveness. This finding really gets at an engagement team’s failure to identify controls necessary to address a risk of material misstatement, such as controls over a material sub-revenue stream that follows a different process than “normal” revenue.

Management review controls (MRCs): Again, since 2016, the PCAOB has specifically identified teams’ failures to sufficiently test controls that incorporate management review. In 2019, the deficiency specifically states that firms failed to test these controls at a level of precision that would prevent or detect material misstatement and failed to understand what constitutes an exception and how exceptions were resolved. This is hardly a new issue and while the 2016 inspection observation is the first report to specifically mention MRCs, the fact that the PCAOB issued SAPA 11 in October 2013 is a clear indication that this was an issue even as far back as 2013.

More than seven years in and firms across the industry are still struggling to sufficiently test these MRCs. There are certainly instances where engagement teams merely check for a sign-off without delving into the actual review performed by management and I would agree that these controls are not sufficiently tested. That said, most firms have rolled out robust MRC templates asking questions and using criteria from the SAPA 11 guidance. Teams are trying their best to delve into the management review and capture the knowledge and insight that management has. However, it is nearly impossible to capture the full knowledge and expertise of a CFO who has been working at the company for 20 years. The CFO inherently knows what makes sense and what doesn’t make sense. Teams are attempting to quantify and capture as much of that information as possible, but you simply can’t capture it all. Is the PCAOB’s expectation unrealistic? Why is it that the audit industry, in more than seven years, cannot master testing management review controls?
C&A: Again, the theme of C&A surfaces, except this is from a control perspective. Often, management controls rely on information to perform the controls and firms are failing to identify and test issuer controls over C&A. The first mention of C&A within controls is found in the 2016 inspection observations report. C&A has become a hot topic and is front of mind for most of my clients and yet, the industry cannot seem to overcome this deficiency. Does the industry need more clear guidance around controls over C&A?

EQR

The final theme I want to touch on is the engagement quality review. This theme was called out specifically in the 2018 inspections observation report and has been a part of the PCAOB’s QC discussions in previous reports. Though not specifically discussed in the 2019 report, through my work supporting firms with PCAOB inspections in 2019 and working with firms on remediation of PCAOB inspection reports, the EQR is consistently attributed to engagement performance deficiencies. Even in 2020, we have seen the PCAOB issue comments specifically for EQR deficiencies. Again, there are certainly instances where the EQR should have identified blatant significant engagement deficiencies. However, there are also instances where the nature of the PCAOB finding is so specific, it begs the question, do we really expect an EQR to identify deficiencies at this level? The recurrence of the EQR deficiency is implicitly creating an expectation that EQR reviews should be significantly more detailed. Yet again, is the PCAOB being realistic here with its expectations?

Taking a step back, the PCAOB consistently identifies firms’ failures to perform sufficient procedures and highlights these deficiencies. Having worked as an inspection specialist at the PCAOB and now as a consultant supporting firms and helping improve audit quality, I can say firsthand that identifying failures in audits is easy. Helping firms remediate those failures is significantly harder when forced to apply theory and standards to actual practice. Things are always more complex than they appear. Perhaps the PCAOB needs to take a more holistic approach when assessing deficiencies and ask themselves, “realistically, what more could the firm have done?” If the PCAOB can’t tell me how to fix these issues in practical terms, it begs the question, does the PCAOB have a realistic expectation of audits and what it means to obtain reasonable assurance?

The fact that many of these deficiencies are spanning five or more years, also means that most firms, whether annually or triennially inspected, will see these deficiencies repeat in their inspection reports. Repeat findings require new, incremental remedial actions to address the deficiencies. When the EQR finding appears for its third or fourth time in a PCAOB inspection report, it seems to indicate that firms are not capable of remediating the deficiency. So, either the regulator needs to step in to provide additional help and guidance, or could it perhaps be an indication that the PCAOB’s standard is unattainable?

While I’m not here to excuse audit firms, I do think the PCAOB needs to reflect on its own practices and consider if additional guidance, including practical application, is necessary to drive improvement. Identifying the same deficiencies year after year and not providing significant new guidance is almost complicit in the audit industry’s failure to address these deficiencies. Instead of telling firms what they failed to do, should the PCAOB consider advising firms on how to remediate these issues?

Although the actual audit standards applicable to the deficiencies discussed above have barely changed, if at all, it feels as though the PCAOB’s expectations of what it takes to meet those standards is evolving and becoming more and more stringent. To have so many of these failures perpetuate year after year across firms of all sizes within the industry, I begin to wonder, just like everyone else, will the PCAOB ever be satisfied?

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

Quality Control: Is it really going to be that difficult to comply?

Tue, 27 Oct 2020 15:49:25 GMT

Accounting and auditing firms are being inundated with continuing change in the profession - new accounting and auditing standards, ever-changing technology, and soon, compliance with new Quality Control standards that are just around the corner. In a continuing effort, to make sense of this all and help you prioritize your organizations efforts, this article will focus on one of the more significant and new aspects of the quality control standards, Risk Assessment . How important is it to perform a Risk Assessment? What are the aspects of this that make it difficult for firms to document how they have complied with the new QC standards?

Before we dive in, let us catch up on some new developments surrounding quality control/management that have happened over the last month.

Latest Developments on the International Front

After issuing its exposure draft in 2019, the IAASB ¹ finally approved ISQM 1 ² – the long-awaited revised quality management standards for firms on the international stage ³ . Although the effective date for implementation is December 2022, we are aware that some firms are already gearing up and are starting to use the standard to improve their audit quality. The wheels are in motion and the countdown clock is starting to tick for all firms out there that are involved in international engagements.

Meanwhile on this side of the pond…what is the PCAOB thinking?

In our previous articles, we have discussed how the PCAOB’s Quality Control concept release was going to use the then Proposed ISQM 1 as the starting point for a future PCAOB quality control standard, but the PCAOB would also include additional aspects that address US-specific rules and regulations. In a recent speech ⁴ , Board Member Jurata stated “as you all know, we issued a [Quality Control] concept release last year, we elicited comment. And we are moving forward with the proposing stage, so that will come out in the next 12 to 18 months.” So that’s 12 to 18 months just to get to the proposing stage. Add on some time for a proposed standard comment period as well as to finally issue the standard and then allow time for implementation, and we are talking about that being several years away.

Now if that “best case scenario” timeframe does not give you pause to reflect; Board Member Brown is also having some misgivings. In a recent statement ⁵ , he raised concern that although the Board is going down an appropriate path of updating the profession’s QC standards, the regulator is keeping in place the remaining legacy standards that were adopted by the PCAOB on an interim basis back in 2003. He went on to state “the need to revise these out-of-date interim standards has become even more pressing with the PCAOB's ongoing consideration of changes to the standards governing quality control (QC) systems at audit firms. …Given the dated nature of these interim standards, this objective could establish a low bar that does not ensure the quality of audits expected by investors and the public.”

So, there we have it. Two different viewpoints from the regulator who is responsible for implementing a quality control standard akin to ISQM 1. We have no visibility as to actual progress, however reading the tea leaves and based on these comments from Board Members Jurata and Brown, it seems like there is still a lot being hammered away behind the doors on K Street.

Risk Assessment

However, leaving all this politics aside, the ISQM 1 standard has been approved (with the equivalent PCAOB QC standard forthcoming). Firms must start considering how they are going to comply and understand the effort involved in implementing both the ISQM 1 standard as well as the PCAOB QC standard. As discussed in previous articles, there are many ways to perform a risk assessment and many ways to document a risk assessment. We are going to walk through an example of a quality control objective in the Independence area and raise the types of considerations that need to be made when performing a risk assessment analysis. Factors to consider as part of a risk assessment include (1) identify and assess risk, (2) select and implement controls to mitigate risks identified, and (3) periodically review the controls in place to ensure the risks have been mitigated to an acceptable level. One of the more common methods to do this is by determining “what could go wrong” (WCGW).

Let us take the following Independence-related issue regarding impermissible non-audit services. An example WCGW is: The Firm fails to be independent in accordance with SEC Rule 2-01 due to an affiliate firm having performed impermissible non-audit services . Using this WCGW, in the table below we have laid out a suggested risk assessment:

By just going through this simple example, it is evident that very soon firms will be spending a lot of time and effort to comply with the new quality standard. We have already started performing work for firms who are trying to get ahead of the curve and resolve issues and discrepancies before it is too late. December 2022 seems like it is a long time away, however before you know it, the compliance deadline will be upon us.

¹ International Auditing and Assurance Standards Board

² International Standard on Quality Management 1

³ ISQM 1 is awaiting approval by the Public Interest Oversight Board, a global group of regulators that oversees the International Federation of Accountants

⁴ Recorded session of “Forum for Auditors of Small Businesses and Broker-Dealers" , posted on PCAOB website on October 19, 2020.

⁵ “Statement Regarding the PCAOB’s Revised Research and Standard-Setting Agendas: Reducing Credibility, Accountability and Confidence in the Financial Reporting Process” by J. Robert Brown, October 13, 2020.

Side Effects of COVID-19: Internal Controls in a Time of Pervasive Change

Wed, 21 Oct 2020 22:17:14 GMT

More than six months after its initial onset on the global stage, COVID-19 is still ever-present and as we move into fall, health officials fear the potential “second wave” and the resulting spike. It seems almost overnight that entire industries shut down and work became remote for the indefinite future.

While many of us may not love the “new norm,” we’ve found ways to adapt both in our professional and personal lives. Now, when I leave my house, I repeat to myself, “Cell phone, wallet, keys AND mask." School systems have adapted to remote learning. Corporate board meetings once set in huge conference rooms have converted to multi-person video conference calls. We may not love all the changes, but frankly we are more adaptable then we ever imagined.

Similarly, gone are the days of “status quo” in the audit world. Year over year fluctuation analyses and analytics will be difficult to execute since the pandemic challenges the very nature of plausible and predictable historical relationships. The sustained impact to the economy elevates the risk surrounding impairment and going concern .

But what about internal controls over financial reporting? For an established company, internal controls are typically static year over year, with few minor changes. In 2020 however, arguably every company’s internal control framework has changed, whether it is as simple as the virtualization of monthly management meetings, or entirely new controls to adapt to new internal processes. As interim audit work begins this fall, auditors should consider the following factors when performing walkthroughs, assessing the design effectiveness and testing operating effectiveness of internal controls over financial reporting:

Changes to materiality, scoping and risk

Given many industries are experiencing significant declines in revenues, materiality for the 2020 audit may be significantly depressed compared to prior years.

Are management’s internal thresholds used for controls sufficient to detect a material misstatement?
For auditors, are there new significant classes of transactions and processes that fall into scope given lower materiality thresholds?
Given the unanticipated economic impact of the pandemic, are there any significant or unusual transactions that require specific one-off controls to operate this year? Are there controls in place to address the accounting for these significant, unusual and sometimes complex transactions?
Was there an acquisition or a divestiture? Did the company discontinue an operating segment or reorganize?
Did the company obtain a PPP loan or other forms of debt and financing?
With changes to companies’ operations, are there new risks that have emerged?
With the move to automation and more virtual operations, do IT controls have more importance in 2020?
Are there more elevated risks of cyber-security?

Changes to the design of internal controls

The virtualization of the corporate world is forcing companies to redesign many controls. While a monthly management meeting that went from in-person to remote may not pose much of a concern for auditors, there are a number of other controls that would change if virtualized. Less automated companies for instance might still use hard-copy reviews and approvals over invoices, account reconciliations, journal entry support, cash receipts and check payments, etc.

How were these controls modified to adapt to remote work?
Were hardcopy papers simply scanned or were new applications developed and implemented to allow for automated system approvals?
Were controls operating effectively for the entire period or were there different controls for different periods (i.e. pre-COVID controls and post-COVID controls)?

Changes to inventory controls

Tangible inventory often requires in-person processing, whether it be picking and signing off on packing slips, loading trucks for delivery, or performing regular inventory cycle counts.

How did these processes and, in turn, the design of controls, change in 2020?
Did the company find creative ways of performing remote counts?
Was there a lag in the controls for a period of time?
If inventory cycle count controls were halted for a couple months during transition, does the original design of the cycle count (which should inherently ensure all items are counted every year) need to be modified for the remainder of the year?
Does the company need to perform an annual count this year?

For the auditor, how can the engagement team “observe” an inventory count if everything is remote?

Could the engagement team rely on virtual counts using video conferencing techniques?
Could drones help count stockpiles of inventory?
Does the auditor need the company to perform an annual count this year?

Changes to control owners

At the start of the pandemic, the headlines seemed to read nothing but increases in infection rates and unemployment rates. Many companies have indefinitely furloughed employees and reduced headcount, operating at bare bones capacity, attempting to financially weather the storm.

How did reductions in headcount impact controls?
Were control owners re-assigned?
Are there any segregation of duties concerns?
Were any controls forgotten or just fell through the cracks?
If tasks were reassigned based on reduced headcount, do control owners have sufficient time to perform all the controls with an appropriate level of precision?

Changes to timing of controls

Change takes time to implement and, with limited resources, how was the timing of controls impacted?

Are monthly controls now being performed quarterly?
Are controls being performed timely within the standard close period?
Was there a lag in controls being performed when the pandemic first started (which was right around Q1 for most companies)?
Has any backlog in controls been remediated?

While the questions above relate to internal controls, don’t forget to then consider the impact on the substantive audit. If there are gaps in controls or deficiencies identified, the substantive audit approach should be modified to address the non-reliance, even if just for a couple months.

With a list of questions this long, I’m certainly not implying that every control will be new, modified or deficient. No, but we face an atypical year with pervasive changes throughout most businesses. It’s important that companies and audit teams consider the various implications in assessing the design and testing the operating effectiveness of controls in 2020. For teams that are starting interim procedures, these are important questions to guide conversations with clients and to understand the evolution in the control environment year over year. The sooner these discussions occur, the more time there is to ensure controls are designed and operating effectively and confirm there are no material weaknesses that could drastically change the audit approach.

Key Issues in ICFR Audits for 2020 in the COVID-19 Environment

Sun, 18 Oct 2020 12:42:34 GMT

Los Angeles, CA: Jackson Johnson, JGA President, and Dane Dowell, JGA Director, are excited to partner with George Wilson, PLI SEC Institute Director, for Key Issues in ICFR Audits for 2020 in the COVID-19 Environment, a timely and informative one-hour briefing held virtually on October 26th at 3pm EST.

This briefing will focus on areas that are worthy of reexamination during these shifts to the financial reporting process, including controls over accounting estimates, business acquisitions, goodwill and other asset impairment considerations, and other areas impacted by the disruption and uncertainty of COVID-19.

“Based on what I’m seeing with clients, the ever-evolving health crisis of 2020 is forcing companies to modify their operations as they find ways to save costs and continue operating in remote environments,” commented Dane. “It’s going to be an interesting year for companies and audit firms alike as they ensure the internal controls over financial reporting are suitably designed and operating effectively throughout the year, even if everyone is now remote.”

“As firms continue to struggle with the effects COVID-19 has had on ICFR and establishing effective internal control over financial reporting,” stated Jackson, “we saw a great need for this program. We are looking forward to a candid dialogue with George Wilson from both a preparer and auditor perspective.”

Topics for this program will include:

Overview of key ICFR concepts and the steps in an audit of ICFR
ICFR for accounting estimates
ICFR for acquisition transactions
ICFR for management issues such as operating segment identification
Impact of COVID-19 on ICFR and the evaluation process
Frequent PCAOB findings in ICFR audits

Click here to register for this briefing.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

Transparency... Playing the Push vs. Pull Game!

Wed, 23 Sep 2020 21:46:47 GMT

Over a three-month period in 2018, four of the five PCAOB board member positions turned over with the fifth board member position changing in November 2019. While this change was dramatic, each board member focused on an area of auditing they were passionate about; a tradition that has taken place with every board member appointed before them. Improving the transparency of the inspection process for financial market investors and users was a consistent theme amongst them.

With this as a backdrop, in July 2020, during the height of the dog days of summer, Board Member Brown presented a speech at the CFA Institute’s Corporate Disclosure Policy Council and Capital Markets Policy Council where he introduced a few aspects of the Board’s processes that, in his view, warrant some future consideration. In any normal year, some of Board Member Brown’s comments would have raised a few eyebrows. This is not a normal year and it seems his comments have not really garnered much press.

Pushing Transparency Out to the Markets

One of Board Member Brown’s key points was the current anonymization of issuer names in the inspection reports. Since the inception of the PCAOB, the names of the issuers related to the audits with deficiencies have been kept out of the public eye, not disclosed in any inspection reports. Board Member Brown believes it is time to re-consider this. His overarching concern seems to be that keeping the names of these issuers out of the public eye “has significant consequences with respect to the relevance and usefulness of our [PCAOB] reports.”

So, what issuer information should be in the reports? Should every issuer included in Part I be called out in the report? Let’s go ahead and reflect a little further.

Audit Committee Oversight

It is a common belief that audit committees and investors should be the key players in needing to know about any audit deficiencies. Although there is no formal requirement for an auditor to disclose its audit deficiencies – and thus no formal transparency requirement – as part of an audit committee’s due diligence, corporate governance and oversight (including the appointment of the auditors), audit committees should be asking the auditor if a recent audit has been inspected by the PCAOB and what the results were. The audit committees should also be getting an understanding of the audit firm’s quality control issues in Part II of the report including the remedial actions the audit firm is undertaking to address these deficiencies. This transparency will help the audit committee form its opinion on the quality of its auditors that it is engaging to opine on its financial statements.

Investors’ Access to Information (or lack thereof)

Investors, however, are unfortunately at a disadvantage as they are unable to easily discern audit quality concerns, unless they are made public in Part II of the report – and even in this case there is no identification of specific issuers. Typically, an investor is only aware of potential audit engagement deficiencies when they are reported on Form 8-K (e.g. issuer notifies public that its opinion can no longer be relied upon because of an unexpected restatement). That does not seem to be a very transparent process as by that time the horse has bolted the barn! Board Member Brown believes that naming issuers in inspection reports will help accelerate the timing of disclosing this information to investors.

Over the years, most investors have come to understand that an audit deficiency does not necessarily mean that the financial statements of the audit company are incorrect. I believe that with focused board outreach and continued education, audit committees and other stakeholders will understand the implications of audit findings and what that means from a financial statement accuracy perspective. Who knows, identifying an issuer by name in the report may spur an improvement in audit quality. After all, who wants their work called out in public?

At the one end of the spectrum should inspection reports continue the status quo and not publicly disclose issuer names, or go the opposite extreme and identify all issuers? Or should the regulator do something in between – perhaps only identify issuers if there is a known restatement or new material weakness identified from the audit deficiency? Personally, I feel we must move away from complete anonymity! Since the purpose of the PCAOB is to promote investor protection, misstated financial statements and misstated internal control assessments that are identified through the PCAOB Inspection process should be brought to light faster.

Affiliate Audit Firm Transparency

Board Member Brown also raised the concern of transparency of inspection results between affiliate audit firms. Each audit firm, whether or not it is an affiliate of another firm, is inspected individually and in its own right by the PCAOB. Since each firm is a separately legal entity, with separate registration with the audit regulator, the Board does not share inspection results between affiliate firms. In fact, one affiliate does not know if or when another affiliate is inspected. Thus, a lead audit team is at the same disadvantage of every other user of the inspection report as it does not know who the issuers are in the affiliate’s inspection report. In order to understand the quality of an affiliate / component team (in say country B) who is assisting a lead audit team (in country A), many audit firms require the country A lead audit team to confirm with the country B affiliate audit team (1) if the country B component of the issuer has been inspected, and (2) if so, what the results of the inspection were (i.e. did the PCAOB issue any comment forms as a result of its inspection). With the advent of the global economy and increased usage by lead audit teams of component auditors in other countries, transparency of issuer names in inspection reports can only help.

Pulling Transparency by the Markets

However, transparency of information from the internal workings of the PCAOB out to the stakeholders can also reap big benefits for audit quality. It seems slightly counterintuitive that as of the date of this article (September 2020) only 10 inspection reports have been issued this year! There must be a lot of things going on behind the scenes at the PCAOB! JGA’s detailed tracking of publicly available report data shows the number of issued inspection reports have decreased dramatically over the last 5 years. In 2016, there were 215 inspection reports issued or re-issued; 190 in 2017; 153 in 2018; 104 in 2019; and 10 so far in 2020

As we said previously 2020 is not a normal year for anyone – and considering the Board’s recent project to revise the form and layout of the reports which could be the cause of some of the delay – that is still a large drop-off in issued inspection reports. With so few inspection reports issued this year, there must now be a tremendous backlog of hundreds of inspection reports waiting to be issued.

How Old is Too Old

Stepping back for a second, there are several unintended consequences arising from this backlog:

Many of the backlogged inspection reports are inspections that were primarily undertaken in 2019 (with some probably going back to 2018). That means that in all probability these would have been inspections performed on 2018 fiscal year ends audits. So once these backlogged reports get issued (whether in the fall of 2020 or sometime in 2021), the question to be asked is how useful and relevant is this information for investors, readers, and users of the inspection reports? Now granted, the individual firms are aware of the audit deficiencies they encountered in their 2018 audits.

When we assist a firm with an inspection or are hired to help make improvements in quality controls, our advice is the same: regardless of the delay in the release of your report, take a proactive approach to fixing the audit deficiencies. Even though it won't change the delivery of this information to external users and investors, it is the right thing to do.
Another aspect to consider is that even when these backlogged reports are issued, the Part II portion of the inspection report which describes the quality control issues, is kept non-public. Audit firms have 12-months to remediate these quality control deficiencies. Even once the 12-months have passed, the Board performs its own assessment of the firm’s remediation response. That takes some time to do as well.

If a firm does not appropriately remediate its quality control deficiencies, then its Part II findings are likely only released to the public in 2022 or later. How relevant is this information from a 2018 year-end audit in 2022? Our clients that start the remediation process early (even before they receive the report), have greater success at identifying and addressing root causes and fixing issues before they repeat in next year's audit.

At the end of the day, we can all agree that transparency is generally a positive and welcome action and that Board Member Brown’s comments should be considered further. The PCAOB is encouraged to be informing and interacting with all its stakeholders, so that we all understand the goals and mission of the US audit regulator. At the end of the day we are all aiming for the same goal – improvement in audit quality.

Geoff Dingle , JGA Managing Director, works with PCAOB-registered accounting firms helping them identify, develop, and implement opportunities to improve audit quality. With over 20 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Geoff has extensive experience in audits of ICFR and firms’ systems of quality controls. Prior to the PCAOB, he worked on audits in various industries at Deloitte in Atlanta and Durban (South Africa).

Internal Inspections - Part II: The Integral Inputs to Implementation

Wed, 23 Sep 2020 21:22:49 GMT

Last month, we began this three-part series on what makes an internal inspection program effective. Internal inspections are a critical part of the overall practice monitoring process and focus on specific engagement performance. We are passionate about this aspect of our clients’ systems of quality control (QC) because so much can be gleaned from the results. Consider all the aspects the program touches, such as client acceptance, independence, methodology, and consultations. Observations from the internal inspection program gives insight to the effectiveness of many elements within the firm's system of QC besides the engagement partner’s approval and issuance of the audit opinion.

In Part I of the series, A Deep Dive Into Design , JGA shared why an internal inspections program is important and what it should be achieving. We covered what we refer to as the Four P’s of designing an effective internal inspection process (The Point, The People, The Planning and The Procedures). In this article, let’s further build on that discussion and talk about execution.

Select the Engagements

Once the planning phase has been completed and the basic framework of the program has been established, you’re ready to determine how to apply the key criteria to select engagements for review. Whether it’s a risk-based, random, or coverage-based selection, the key criteria should be evaluated again to ensure no changes need to be made from the prior practice monitoring period. For example, if performing a pre-issuance review, did any changes in the environment, such as COVID-19, affect any issuers and should the firm consider that factor in its engagement selection process?

Risk-Based Selection

For the risk-based component of engagement selection, consider these factors.

Non-Risk-Based Selection

When we dig into our clients’ internal inspection programs with them, we always suggest they incorporate selection criteria that are non-risk-based.

These include:

Partner coverage each period and over a span of multiple periods;
Market cap of the assurance practice and/or regions or individual offices; and
Some aspects of unpredictability such as random selection.

Assemble the Team

Consider these important elements of assembling and readying the right team for the most effective outcome.

Experience

Individuals and teams performing the inspections should have the appropriate experience. This includes technical accounting, auditing, and firm-specific experience. Often, we see that individuals may be audit experts but not necessarily technical accounting experts. That is perfectly fine, and we expect that a well-executed inspection is a team effort. Perhaps, similar to the audit environment, an inspection team should have the right resources in place to request consultations on important accounting matters identified during the inspection. An effective planning process includes identifying these specific risks in the audit and any technical individual(s) to add to the team. Outside consultants can also play an important role to handle aspects of the inspection that require specialized skills.

Independence

The internal inspection team should be independent, in fact and appearance, with the audit client during the period under audit and through the issuance of the internal inspection report. Procedures should be in place to ensure that only individuals that meet these requirements are assigned to an inspection. This includes individuals within firm leadership that have the ability to influence the results of the internal inspection program. We recommend that firms place a similar process around the planning of the inspection team to what is in place around obtaining representations and ensuring independence among the audit engagement team members while planning the audit.

Objectivity

Consider the individuals assigned to the team and whether they can stand their ground on a tough issue, even if it means there are deficiencies identified that rise to the level of an unsupported audit opinion. The pressure can be significant. Threats to that objectivity need to be addressed to ensure a fair and complete inspection. JGA considers various aspects of assignments that can pose risks to objectivity, including:

reporting relationship;
performance management incentives/disincentives of the individual(s) assigned to the inspection; and
whether the results of that internal inspection can be subject to a second national office review for quality of the inspection procedures performed.

Clients and prospects come to us looking for ways to ensure there is an appropriate balance of objectivity in how their internal inspections are carried out. I believe when programs – and how they are executed – get stale, so does the objectivity and the results. While each firm has a unique set of circumstances, my general advice here is to consider changes to how inspections are assigned and how the inspection team members are evaluated. Incorporating elements of unpredictability is one way to keep inspection teams objective.

Prepare the Reviewers

Take time to prepare for the review. Inspectors assigned to an engagement should review information, including the financial statements, public filings, website, and firm information regarding the audit’s risk profile. Reviewers should begin the inspection with questions ready for the engagement team. Responses to preliminary questions from the engagement team before the review of the file help the reviewer confirm or redirect where to spend time in the file review.

Establish the Expectations

Why is it important?

The firm’s process should explain the importance of the program to engagement teams. Engagement partners facing an internal inspection should have a vested interest in the program’s success. While it’s counterintuitive for the partners going through a review, getting partners to think long-term about seeing the benefits of a strong program – and the opportunity costs of a weak program – will play a role in the program’s success. Overcoming any perceptions that an internal inspection is less important than an external inspection (such as a PCAOB inspection or AICPA peer review) will help identify problems before those other parties do.

How should it be conducted?

Reviewers should set daily or periodic touch points with the engagement team, depending on the size of the audit and length of review. Engagement teams should be expected to be responsive, thorough, and timely in addressing questions and concerns from the reviewers.

Regarding the manner of execution, we have found in our experience performing internal inspections and observing PCAOB inspections of our clients, that in-person inspections are more effective than inspections conducted remotely . While we can’t control the challenges that the pandemic has posed, we encourage firms to plan to get back to in-person interviews when it is safe to do so.

When should it be conducted?

The inspection of files should take place when engagement team members are available and can be focused. This means not during busy season and not when the subsequent year’s audit of the company selected for internal inspection is taking place. Generally, however, the sooner the better, so that observations made during the internal inspection can be incorporated into the subsequent audit’s planning process. From a firm-wide perspective, the sooner the inspections are completed the sooner firm leadership can design and implement policy changes to respond to thematic issues or other root causes associated with deficiencies.

Promote the Consistency

To fully interpret and respond to the firm-wide results of the practice monitoring review, it is critical to have a consistent application of the internal inspection procedures across engagements. A training program during the planning process and a thorough supervision and review function will ensure that inspectors stay objective and fair while also providing a complete review. When we evaluate or perform the outsourced internal inspection for a firm, we advise our clients that the partners, or those leading the review, should be involved at a sufficient level of detail to identify concerns or audit performance deficiencies. Training should provide examples to the reviewers to show just how deep those reviews should be.

While the process can seem painful, it could alternatively be a mutually-beneficial opportunity for the review team and the engagement team to learn with the shared goal of executing high-quality audits.

Whether firms are carrying out internal inspections as designed, or achieving the desired objectives of the program, is a whole new question. Next month we will discuss this aspect of monitoring effectiveness (or, the “monitoring of the monitoring” as coined in ISQM 1) as the final component in Part III of this series.

Jackson Johnson is president of Johnson Global Accountancy, a public accounting and consulting firm with clients throughout the world. He works directly with PCAOB-registered accounting firms and other firms to help them identify, develop, and implement opportunities to improve audit quality. Jackson also works with public and private companies on various technical accounting and transactional matters. His experience includes nearly six years with the PCAOB, where he worked with small and medium-sized accounting firms throughout the world, including foreign affiliates of large international accounting firms, in the areas of firm quality control and ICFR audits of financial statements. Prior to the PCAOB, Johnson worked with public and private clients in a variety of industries at Grant Thornton LLP in Boston, Los Angeles, and Hong Kong .

Unpacking the New Quality Control Standards: Part 2

Wed, 19 Aug 2020 21:01:58 GMT

This article, the second part in our two-part series “Unpacking the new Quality Control standards”, will cover the remaining components and requirements of the proposed QC standards by the PCAOB and IAASB and highlight the key changes to be aware of as firms think about how the new standards will affect them. In Part 1 we covered five components of the proposed Quality Control (QC) standards by the PCAOB and IAASB.

Resources

The current QC standard contains certain requirements related to human resources, including personnel management and assignment of responsibilities. However, the new standard under the Concept Release and ISQM 1, as proposed, expands the resources component to include technological resources as well as intellectual resources. The new standard requires that technological resources should be sufficient for the effective implementation and execution of firms’ system of quality management. Given the potential complexity of many firms’ systems of quality management, as well as the ever-increasing and changing role of technology in audits, firms should take stock of their current technological resources and plan ahead for future technological investment and advancement.

In addition, firms should ensure that they have sufficient “intellectual resources” to ensure consistent quality audits. Intellectual resources could be as simple as having access to the latest accounting/auditing guidance and research literature. Or depending of the complexity and nature of the audit, including valuations or industry specific work, you might need to hire or develop subject matter experts.

While technological and intellectual resources have always been a part of many firms’ strategic plans, the QC standard is going to require the formalization and documentation of policies to specifically address these considerations.

Information and Communication

The concept of information and communication is inherent in many firms’ operations. While the current QC standards are very much silent as to broad information and communication requirements, the new standard has explicit guidance in this area. Under the new QC standard, all policies will need to be formalized, documented and monitored to ensure compliance with the standard.

This component requires firms establish objectives around how personnel communicate relevant and reliable information to firms when conducting engagements or activities within the QC system along with how firms promote a culture of personnel sharing information with the firms. In addition, the standard requires firms to consider communicating information to appropriate external parties about their QC system, similar to a transparency report. In some jurisdictions, this is already required. In the U.S., while not required, we have seen an uptick of regional and non-affiliated national firms joining their larger counterparts in providing these documents for public consumption. Don’t be surprised when audit committees start requiring information on firms’ QC systems when making decisions about appointment or continuance of auditors!

The Monitoring and Remediation Process

The changes being implemented around the monitoring and remediation process are probably the most significant changes in the new proposed standard. The quality objectives and requirements in this concept are significant and build upon current QC standards in the following ways:

More explicit requirements to implement monitoring and remediation processes for each component of a firm’s system of quality management (including ongoing and periodic monitoring of firm level QC processes as well as engagement-level inspections).
For identified deficiencies (both at the firm and engagement level), firms must evaluate the severity (and potential pervasiveness) of the findings and identify possible root causes of the deficiencies. We have noticed that clients where we have assisted performing a robust root cause analysis are more successful in remediating their deficiencies.
For each identified deficiency (again, both at the firm and engagement level) and its correlated root cause, firms must also evaluate the need for remedial actions, and if necessary, design and execute those actions.
For remedial actions (both at the firm and engagement level), firms must also consider the effectiveness of past remedial actions.

Firms will need to review their current monitoring programs and expand the scope and design of the monitoring programs to ensure all quality objectives and responses are incorporated into the program. The results of monitoring and remedial programs must be evaluated and communicated, as appropriate, both internally and externally. These results should also be analyzed and considered in totality for the effect on a firm’s ability to comply with the objectives of the standard. This assessment is required to be performed at least annually, or more often, as the circumstances require.

The expansion of the monitoring program requirement as well as the requirement to perform root cause analyses and remediate identified deficiencies for both internal and external inspections are likely significant undertakings that firms will be required to undertake. The PCAOB is suggesting that monitoring programs should be a mix of annual as well as ongoing monitoring throughout the year and requires designated individuals to perform this monitoring, to ensure competence, objectivity, and execution of the programs.

And if that was not a big enough change, as these are components of the QC standard, the PCAOB will be evaluating firms on the effectiveness and sufficiency of their monitoring and remediation processes. Be aware that any deficiencies identified by the PCAOB and other regulators that are not identified by the firms themselves, will inherently indicate deficiencies in the firms’ monitoring programs. Clients for whom we have assisted with practice monitoring, root cause analysis and remediation, have experienced both successful remediation results in addition to a strong QC environment.

Documentation

This component of the new standard includes more formalized and specific documentation requirements for firms’ system of quality management. Although documentation should be inherent when policies and procedures are created, the QC standard explicitly requires firms to document the system of quality management. Firms should ensure proper audit trails for ongoing monitoring and remediation in addition to being able to provide consistent and accurate information to internal and external parties.

QC documentation must include the quality risks and quality objectives identified as well as the responses to the quality risks (i.e. the actual policies and procedures in place that respond to these risks). This guidance is not inherently new, but it is now very much more explicit.

Similar to the requirement for retention of audit workpapers, firms must also develop their own QC documentation retention policies (at minimum 7 years or perhaps longer depending on other laws or regulations). The PCAOB is also considering that QC documentation be in sufficient detail such that an experienced auditor that understands QC systems can understand the basis for the firms’ assessment of the effectiveness of the QC system (even if they have no knowledge of the firm), including evaluation and remediation of QC deficiencies … think along the lines of PCAOB AS 1215, Audit Documentation. Unfortunately, Yes/No answers will not suffice – documentation about judgments will be a necessity!

Roles and Responsibilities of Individuals

This component of the QC standard explicitly addresses roles and responsibilities of not only professionals involved in the firms’ QC process, but all personnel of the firm. The proposed standard requires firms to establish appropriate structures and reporting lines in the QC structure and requires that QC professionals demonstrate a commitment to quality through their behaviors and actions. The requirements also include specific procedures for individuals working in firms’ independence oversight roles – including formalizing the process around a firm’s independence processes, such as consultations, and maintaining and communicating restricted entity lists. Once again, make sure your professionals in this all-important area are experts.

As we mentioned in our Part 1 article, firms need to be ready to expend and increase the resources allocated to bolster their compliance efforts once the QC standard is released so that they are actively improving their system of quality management. Start preparing now by considering which of these changes might be a major challenge for your firm. What can you do now to ensure the right building blocks are in place? And remember, you are not alone. Reach out to firms that have started. Gather their perspectives and learn from their best practices. The sooner you get started, they more prepared for this change you will be.

Geoff Dingle , JGA Managing Director, works with PCAOB-registered accounting firms helping them identify, develop, and implement opportunities to improve audit quality. With over 20 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Geoff has extensive experience in audits of ICFR and firms’ systems of quality controls. Prior to the PCAOB, he worked on audits in various industries at Deloitte in Atlanta and Durban (South Africa).

What Happened to Summer? The State of the Audit and Accounting Industry

Tue, 18 Aug 2020 17:43:51 GMT

Sitting here on a cool August morning in Denver; the crisp air already speaks to autumn, knocking on the door, begging to be let in. It’s mid-August already and yet, where has the summer gone? COVID-19 wreaked havoc on summer plans, cancelling weddings and trips out-of-town, turning liquid happy hours into digital zoom calls, and limiting most everyone’s ability to enjoy life “freely.” Isn’t that what summer is for? A chance to slow down, travel, have fun, breathe, and reset for the next year?

I know I’m not alone in what I’m feeling. I’ve heard similar sentiments from plenty of friends, coworkers and clients. For us auditors and accountants, busy season used to be from January through March, or possibly even April and May for private clients. Occasionally, we might have an off-year-end and that meant a couple weeks of concentrated work during the summer or fall. But what happened to our industry norm? It feels like busy season just never ended this year.

Part of that is certainly related to COVID-19. As a result of the pandemic, regulatory bodies across the world extended filing deadlines providing relief for companies, but in the process, extending our audit busy season. Because of workplace changes, audits took longer to complete as new remote workarounds had to be developed. Studies are showing that management, across all industries, is concerned about employee fatigue and burnout. It seems when you live and work at home, the lines dividing work and life are blurred; there’s no real start or stop to your day.

But it’s not just the pandemic is it? This stress has been building over the last few decades.

As I reflect back on my days as an associate, I started soon after the adoption of Sarbanes-Oxley (SOX), giving rise to the PCAOB and integrated audits. For my generation, audits post-SOX are all we’ve ever known, but with the creation of the PCAOB, public accounting changed and would never be the same. The early 2000’s was a “great opportunity” for new work and increased revenues. Once we got through the SOX implementation, for a brief moment, it felt like there was a reprieve and we had arrived at a new, stable norm in the industry.

Upon formation, the PCAOB adopted the AICPA auditing and quality control standards. However, as the Board matured, it began to issue new auditing standards such as the risk assessment standards proposed in October 2008. Simultaneously, the PCAOB’s inspections programs developed, increasing the expectations of firms for remediation. Now, in 2020, it feels as though audit busy season rolls directly into and often overlaps with the firm’s quality control busy season. The overwhelming tasks of internal monitoring inspections, peer reviews, PCAOB inspections, and remediation initiatives have taken up a substantial part of an audit firm’s calendar.

Meanwhile, the FASB started talking about convergence with IFRS. The FASB and the IAASB worked on several initiatives and while they didn’t exactly reach full convergence, the FASB issued a series of significant accounting changes starting in 2014 with ASC 606, Revenue from Contracts with Customers . Shortly thereafter came ASC 842, Lease Accounting , which was then followed by ASC 326, Financial Instruments – Credit Losses and the emergence of the current expected credit losses model, taking effect this year in 2020. These are significant changes in accounting for which companies and audit firms alike have created task forces to fully understand the guidance and develop implementation strategies, sometimes spanning multiple years.

Currently, I have the privilege to work with several audit firms to help them understand the IAASB’s proposed International Standard on Quality Management 1 (ISQM 1) and the requirements for implementation. While many of the quality objectives exist in current guidance, such as governance and leadership or client acceptance and continuance, the new ISQM 1, if adopted, will create an extraordinary amount of work for public accounting firms, both in its implementation and ongoing execution. Most significant will be the need to formalize and document monitoring programs for all aspects of a firm’s system of quality management and then remediate all quality issues, including performing a root cause analysis for negative quality findings. Though not yet adopted by the IAASB, the PCAOB released a QC concept release in December 2019. The concept release seemed to indicate general adoption of the ISQM 1 guidelines as well as incremental guidance required for PCAOB compliance. This will require a significant amount of time to understand and implement within firms.

With all these developments, it begs the question, will we ever get a break? The rate of change seems only to be increasing and for many, it is leading to a state of perpetual overwhelm where there is just no “business as usual.” Resources are hard to come by whether speaking in terms of qualified employees, information resources, financial resources, or perhaps most importantly, time.

We hear you. We understand you. We can empathize with you.

While I can’t say the rate of change will slow down at all, hopefully regulators across the board are aware of the constant changes and hopefully, there’s a reprieve coming so that we can “catch-up.” Until then, take a minute today and breathe.

Change and transition can be challenging, but it’s also an opportunity for growth and improvement. I have no doubt that the ISQM 1 initiative will strengthen our individual and collective systems of quality management and result in stronger, better quality audits. Most of these developments are designed to improve financial reporting and audit quality which are the foundation of our industry. That doesn’t diminish the efforts it’ll take to get there though. If you’re feeling overwhelmed, here are some considerations to help you navigate these developments:

Prioritize Changes

As we assist firms with all these various changes, the most important part is to help prioritize efforts based on significance, effective date, and potential timeline for implementation. We find this helps firms tackle the most important priorities first.

Leverage Resources

Leverage the resources and knowledge of the Big 4 and other accounting firms. The industry, collectively, publishes enormous amounts of interpretive literature concerning regulatory developments that are useful in understanding changes.

Ask Questions

If you have questions or concerns, reach out to the regulators. Tell them how changes and deadlines are affecting your firm. The FASB considered and deferred (multiple times) the effective dates of the new accounting standards given the significance of the changes they would bring to the accounting profession. It was exactly because the industry was feeling overwhelmed.

Mobilize Networks

Remember, we aren’t in this alone. One of the best things about the accounting and auditing profession is the network and its ability to mobilize. When there’s new accounting guidance, partner with peer firms to better understand the guidance and develop implementation templates, together. Maybe even consider forming alliances; an alliance doesn’t have to mean merging and consolidating, but rather, perhaps joint efforts to create economies of scale.

Of course, my colleagues and I are here to help. Call us for a quick question or a longer conversation. We’ve worked in public accounting and at the PCAOB and now we have the privilege of helping firms tackle these difficult issues. We have seen what works and what doesn’t.

Reaching a new status quo may take years and in fact, as the Greek philosopher Heraclitus taught us, "the only constant is change." Clearly our industry is experiencing incredible changes right now and probably will be for the foreseeable future. We’ll get through it, just like we have before. So before autumn chases away the remnants of summer, take some time with family and friends to feast in a backyard BBQ, indulge in a competitive game of cornhole and enjoy a simple moment just for yourself.

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

'What's Past is Prologue'

Tue, 28 Jul 2020 18:33:34 GMT

The news these days is rather doom and gloom. Some might argue that’s par the course since the advent of the 24 hour news cycle, but even more so today it seems, whether it’s record high unemployment, extreme stock market volatility, spikes in coronavirus cases and deaths, black lives matter protests and heated confrontations with authorities throughout the nation, the start of hurricane and tropical storm season, completely polarized political conflicts or any number of other challenging headlines.

If we narrow the scope to the accounting and auditing industry, well, it’s much the same. We’ve heard the rumors and some of us are living the reality of the rumors; performance based layoffs at this firm (although most suspect there’s certainly some economic motivation behind the layoffs), pay freezes at that firm, no bonuses at another firm, employment offers rescinded. It’s a challenging time we’re living through.

While shocking, it’s nothing new. Many of the headlines literally read like repeats from the 2008 financial crisis, almost word for word. Perhaps Shakespeare was right, “what’s past is prologue. ¹ ”

The current environment brings back my own memories from the 2008 financial crisis. I had my first promotion to Senior Associate. Being only a couple years out of college, I was so excited to finally get a decent bump in my salary and start living less like a college kid on a penniless budget. And then the news came that there would be no raises that year, except for promotes who would receive a standard 5% increase. “WHAT? 5% in a promotion year? That’s it?!” I remember thinking to myself. In the moment it felt unfair, though generous in comparison to my colleagues who otherwise received no increase or in comparison to any number of friends who lost jobs or foreclosed on homes during those first few years of the recession.

For my generation, that was the worst economic crisis we had lived through and gave some perspective on the Great Depression, though it was clearly not the same. Never in my life did I think I would experience something on the same scale economically and yet, speculation dictates that the economic impact and duration of the COVID-19 crisis could be far worse than that the 2008 financial crisis. Wow.

Life has changed with supply chain disruptions, social distancing, remote working, and online purchasing. In March and April, it was new and “temporary” and now, at the end of July, it feels more indefinite. Invariably these changes will have a lasting impact, but much like the Great Depression and the 2008 financial crisis, we will find a way. Both of these crises devastated the economy and yet, they then paved way for some of the largest economic expansions in the history of the United States.

Currently, we are breaking at the seams and yet, the world will find a way and reconstruct and in theory, we’ll be stronger than before. It reminds of the Japanese art form of kintsugi, repairing broken pottery by mending the cracks with gold and silver. The breaking is part of the process; it is change that we must accept. And through the breaking, we make room for a new, more beautiful, stronger version of what we had before. While I don’t know how long this pandemic will last or what we will lose along the way, I am confident that we will endure and, in the end, we will learn to thrive again. So take courage, even if just for this moment.

1 The Tempest, William Shakespeare

Unpacking the New Quality Control Standards: Part 1

Tue, 28 Jul 2020 18:31:03 GMT

As we continue to unpack common preparations for the release of the new PCAOB QC standards, we will build on last month’s discussion “why do we need new QC standards”. Now we can consider “what the new QC standards are,” keeping in mind that there may be some changes in the final QC standard based on comments received during the open comment period.

This article will cover the first 5 aspects being considered as part of the new QC standards. In August we will dive into the others.

Firm Governance and Leadership

This aspect of the QC system relates to the firms’ tone at the top, or in other words what is the culture and environment that has been set by firm leaders. Professionals generally follow the tone set by their leaders, and firm leaders that are lax on ensuring quality work by its professionals or lacking ethics, generally lead to its professionals performing unacceptable quality of work. The PCAOB has already established tone at the top as a critical part of what it expects of firms in their QC process.

Tone at the top has long been included in the PCAOBs inspection procedures as described in their reports. The new QC standards should formalize this quality objective a lot more: making it a lot less touchy-feely, but instead requiring better documentation of aspects, like how leadership is committed to quality, how the firm plans for resource needs, how the firm fulfills its requirement to follow laws and regulations, assigning responsibility of the QC process to the CEO (or their equivalent), periodic performance evaluations being conducted to hold these leaders accountable, and how the firm deals with QC complaints (tip line).

In addition, the PCAOB is proposing the following incremental requirements from what is included in ISQM 1:

Firms must make explicit assignments of supervisory responsibilities at successive levels within various levels of the firm all the way up to the CEO.

The PCAOB is considering requiring a separate, specific requirement to direct firms to allocate sufficient financial resources to its audit and assurance practice.

The PCAOB is considering whether the QC standard should include a mechanism for independent oversight over the firms’ QC systems. Some of the larger firms have already started appointing independent directors to conduct some form of external oversight.

Firm’s Risk Assessment Process

It seems only fitting that the regulator born out of the Sarbanes-Oxley Act would require firms to develop a risk assessment process so that they can assess the design, implementation and operation of the firm’s system of quality control. Currently, the standards do not say much about risk assessment of the firm. ISQM 1 and the Concept Release aim to change that by requiring firms to actively and formally perform a risk assessment on its QC system as a proactive measure to reduce instances of non-compliant audit engagements. Firms would be expected to establish a formalized process for identifying and assessing quality risks.

Once these risks are established, the Firm will need to design and implement responses to address these quality risks. In a nutshell, firms would be performing a ‘what-could-go-wrong' assessment of all aspects of their QC system, which could be documented in something as simple as an Excel spreadsheet or even as intricate as a real-time database. Potentially this element could affect the other elements in the QC system (think about how the PCAOB’s risk assessment standards caused a sea change in the rest of the standards in terms of how to respond to risks).

Relevant Ethical Requirements

Firms will need to follow a process to fulfill firm and individual responsibilities under the appropriate ethical rules, including independence. Since we have seen that independence violations are the backbone of many a settlement order, we view this area as a priority for firms to manage their reputational and financial risks from non-compliance. Firms and their personnel need to understand and fulfill these ethical requirements, along with how to identify and respond to any ethical breaches. As the QC concept release was molded from ISQM 1, the PCAOB expects that a fair number of incremental requirements will be added to tailor the QC standard to the U.S. regulatory environment. This would include adding requirements to meet PCAOB ethics and independence rules and PCAOB and SEC independence rules.

As an example, the PCAOB plans to revise the standard so that professionals will need to report any apparent violations affecting the firm’s independence (such as the firm providing a prohibited service to an audit client), not just violations by a firm’s personnel. This means that firms will need to consider if it currently has a process in place for employees to report such violations. If not, they should set up a formal process for employees to raise these matters so that they can be addressed through the appropriate channels and there is no excuse for anything falling through the cracks! We have encountered circumstances where firms have a solid foundation in place to monitor independence of its people, but needed additional parameters to identify related parties of the firm, such as vendors and leasing relationships, and monitor those for any independence threats.

Also, independence issues will need to be assigned to a qualified individual with the right knowledge, skill, ability, capacity and authority to address these issues – not just a senior person in the firm. Foreign-registered firms should consider how they will be able to respond to this requirement. U.S.-specific ethics and independence rules have a number of nuances that tend to make the rules more restrictive – or at least enforced more strictly -- than their foreign counterpart requirements.

Consider these questions as you explore how your current processes should be adapted:

How is your firm dealing with this now and will you need to make changes to comply with the QC standard?
Do you have someone in your organization that is completely knowledgeable of SEC and PCAOB independence and ethics rules who can take on this role?
Should there be two separate roles in the QC function, one for the creation of the policies/procedures; and the other for monitoring the compliance of those policies and procedures?
How is your firm determining the existence and completeness of firm relationships (i.e. vendors)?

Acceptance and Continuance of Clients and Engagements

This gets back to the age-old dilemma… do we accept (or continue) with this client! The acceptance and continuance responsibilities in the new QC standard expand on the requirements in QC 20 in that firms are required to consider the necessary information needed for this decision and make appropriate judgments about the associated risks and the firm’s ability to mitigate those risks. Also being considered in the final QC standard is the process a firm should have in place to address situations where the firm finds out some relevant contrary information after it has already decided to accept or continue with a client. It’s time to start considering and addressing the following questions:

Do you have a client acceptance committee?
Is your firm’s approval over acceptance and continuance aligned with risk assessment and tone at the top?
What happens when your privately-held client goes public and the audit requirements become more stringent to comply with the PCAOB and SEC?
What could have changed in the year which had previously passed continuance or initial acceptance, which is now going to be harder (or should be harder) in the next year’s continuance decision?
What are the safeguards to ensure that triggering events are properly raised up the flagpole? And what are these triggering events?
What procedures are included in the firm’s practice monitoring program to evaluate effectiveness of client acceptance and continuance?

Engagement Performance

This component addresses the performance of engagement team members to ensure they are meeting the professional standards. Quality objectives that firms will need to consider are:

Personnel understanding their responsibilities on an engagement
Engagement teams exercising appropriate judgment
Engagement documentation being assembled and retained
Establishing policies and procedures addressing the nature, timing, and extent of review of engagement teams, including those less experienced members
Making sure engagement teams have a policy to follow so they know when to consult
What about when there are differences of opinion among team members – what do we need to do then?

The current QC 20 contains a general requirement stating that “policies and procedures should be established to provide the firm with reasonable assurance that the work performed by engagement personnel meets applicable professional standards, regulatory requirements, and the firm's standards of quality.” Clearly, by listing out specific objectives, the QC standard is going to require more effort and consideration by firms to address these objectives.

Generally, the PCAOB is anticipating that the Engagement Performance aspect will be closely aligned with the other PCAOB standards that are already established related to supervision, document retention, engagement quality reviews, fraud, other illegal acts, and going concern. In addition, with the increasing use on audits of parties outside the firm (such as non-affiliated firms, auditor-engaged specialists, and service delivery centers), the PCAOB is also considering incorporating quality controls that address how the principal engagement team evaluates their knowledge and skill; their independence; coordination of activities and supervision of their work. If you use a service delivery center to help with your audits, it seems like changes will be in this area! And even if these outside parties are complying with ISQM 1, the firm will need to consider their compliance with the U.S. QC standard.

Clearly, firms are going to have to expend and increase the resources allocated to compliance efforts once the QC standards are released. Lookout for future blog posts where we will continue to unpack and help you through more considerations of these and the remaining five components of the QC concept release. While the comment period seems like eons ago, these preparation efforts will save you aggravation and unnecessary fire drills when the time comes.

Accelerating Audit Quality for Unaccelerated Filers: Changes to the Thresholds

Tue, 28 Jul 2020 18:25:59 GMT

This Spring was unlike any other and brought many changes to our world. While we are still searching for something positive, companies that no longer require an ICFR audit are enjoying a collective sigh of relief. However, before we start celebrating, I ask you to consider the importance of an effective controls environment and your role as an advocate for that, whether you are an auditor, issuer management, or an audit committee member.

In March 2020, the SEC approved changes to the classification of issuers, impacting which issuers require an auditor’s attestation over Internal Control Over Financial Reporting (“ICFR”).

The changes are effective as of January 1, 2020 and apply to both domestic and foreign issuers that file on domestic forms (e.g. 10-K, 10-Q) under the U.S. GAAP reporting framework. The most significant changes include:

Introducing a revenue threshold of $100 million in the most recent audited fiscal year instead of solely using the market cap to trigger an ICFR audit; and
Increasing the transition thresholds to exit accelerated filer status from $50 million to $60 million public float ¹ .

As a result of the legislation, more issuers that were on the cusp of or had previously required an ICFR opinion, are no longer required to do so. In other cases, issuers that were planning on ramping up for auditors to opine on controls based on the previous rules, can table those plans.

It’s no question that this has reduced the burden on issuers that are either transitioning into or were planning for an ICFR audit requirement that now no longer need to. We’ve seen that these new rules will make more sense for issuers that had high market cap but not much by way of revenues or operations (think tech, life science, and R&D companies). It's still a relevant point for auditors, however, to be discussing ICFR with these same issuers to emphasize the importance of effective financial reporting controls and for the increasing need for effective ITGCs to carry out those controls. Furthermore, keeping the momentum of that mindset will reduce burden and improve the quality of financial reporting in the long run. As planning for calendar year-end audits is happening now, it is time to consider how these new rules can affect the auditor’s approach on the financial statement audit.

The introductory paragraphs of AS 2201, An Audit of Internal Control Over Financial Reporting that is Integrated with An Audit of Financial Statements , emphasize that “Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes. If one or more material weaknesses exist, the company's internal control over financial reporting cannot be considered effective.” ² Auditors can continue to drive the conversation with client management and their audit committees on this principle, whether or not an ICFR opinion is in play. In these important discussions, particularly during the planning phase of the upcoming audits, consider these points:

Management’s responsibilities have not changed and they must still certify to the effectiveness of internal controls .

Management still needs to ensure that risks are identified, controls are designed appropriately to address those risks, and those controls are operating effectively to support management’s certification. Similarly, for auditors, other important responsibilities haven’t changed. They are still required to gain an understanding of the financial reporting process and report significant deficiencies and material weaknesses to management and the audit committee. Auditors should ensure that management’s assertion is consistent with its review of the design of the control environment. To take it a step further, I argue that auditors should be asking about management’s certification process and reporting to the audit committee whether it believes that process is sufficient for an accurate certification. Auditors can be driving these points with the audit committee to ensure there’s no incomplete or inaccurate reporting of management’s assessment.

Sound processes and controls benefit the company, regardless of whether the auditor opines on ICFR.

Before this announcement, many issuers were getting ready for the ICFR audit and should continue on that path to bolster their own internal controls. Considering how COVID-19 has accelerated the embracing of remote processes and controls and an enhanced electronic review environment, auditors should encourage issuers to maintain the inevitable trajectory that audits will become more IT and controls-focused.

Loosened reporting requirements doesn’t mean a non-controls reliance approach is the best audit approach.

Why fix what isn’t broken? Engagement teams should assess how these reduced reporting requirements affect the audit approach, including the assessment of control risk. I challenge teams to resist defaulting to a fully-substantive audit. In discussions with our clients during the planning process, we are asking engagement teams to closely coordinate with the issuer about what changes the company may be thinking about or making if they no longer need an ICFR opinion. Hopefully, controls that were effective will continue to operate. A clear example where going back to a substantive audit approach may be ineffective – or even inappropriate – is over inventory existence and completeness, especially if the company has an effective inventory cycle count program.

While this new guidance will reduce some of the overall regulatory requirements, it is important that auditors, management, and audit committees, who all share the goal of complete, accurate, and timely financial reporting, remember that sound controls facilitate that goal. As busy season planning begins, and changes are contemplated, take a step back to reinforce the principles that haven’t changed.

1 https://www.sec.gov/corpfin/secg-accelerated-filer-and-large-accelerated-filer-definitions

2 https://pcaobus.org/Standards/Auditing/Pages/AS2201.aspx

Jackson Johnson is president of Johnson Global Accountancy, a public accounting and consulting firm with clients throughout the world. He works directly with PCAOB-registered accounting firms and other firms to help them identify, develop, and implement opportunities to improve audit quality. Jackson also works with public and private companies on various technical accounting and transactional matters. His experience includes nearly six years with the PCAOB, where he worked with small and medium-sized accounting firms throughout the world, including foreign affiliates of large international accounting firms, in the areas of firm quality control and ICFR audits of financial statements. Prior to the PCAOB, Johnson worked with public and private clients in a variety of industries at Grant Thornton LLP in Boston, Los Angeles, and Hong Kong.

Johnson Global Accountancy Expands to the Las Vegas Community

Sat, 18 Jul 2020 22:05:12 GMT

Las Vegas, NV : Johnson Global Accountancy (“JGA”) is proud to announce the opening of a new office and expansion to the Las Vegas region. The new location is in beautiful Summerlin, NV, convenient to the airport and downtown Las Vegas.

This expansion comes at a time when JGA is growing rapidly. With pressure from increased regulations and market dynamics, public accounting firms are seeking advice on quality control issues.

“Our work continues to expand in new directions, in both technical and geographical terms. While the economy is in significant uncertainty, and metro Las Vegas is no different, we see opportunities to help firms in this area of the United States.” stated Jackson Johnson, President of Johnson Global Accountancy. “I am so grateful for the opportunity to invest in growing this business and connecting with more firms, companies, and their stakeholders in this vibrant desert economy.”

This expansion was set to begin in April; however, it was delayed several months due to COVID-19. Throughout this period, JGA continued to serve clients and support them through remote inspections, advising on improvements to quality control structures, and getting firms prepared for the upcoming revisions to the domestic and international QC standards.

“I am delighted to split my time between our efforts in the Las Vegas and the Los Angeles offices,” remarked Jackson. “I am personally thrilled to move to this beautiful part of the country and look forward to investing further in the business and local community.”

The new office is located at 1180 N Town Center Drive, Suite 100, Las Vegas, Nevada 89144.

Why do we need new Quality Control Standards? Don't we have them already?

Thu, 18 Jun 2020 22:16:31 GMT

As it has been 6 months since the PCAOB released its Quality Control (“QC”) concept release and 3 months since the comment period closed (with over 30 interested parties providing comments on the concept release), we plan to produce over the next few months a series of monthly blog posts discussing various aspects of the QC concept release. So, to start out, the obvious question may be “why do we need new QC standards? Don’t we already have well-established QC standards?” Well, there are a number of reasons why this thinking is flawed.

Current QC standards are outdated.

For starters, the current QC standards are AICPA holdovers that were implemented mainly during the 1990s, which the PCAOB then itself adopted way back in 2003. In the 17 years since the PCAOB’s inception, the board has issued a significant number of auditing standards, including standards related to audit documentation, auditing estimates, and auditing internal control over financial reporting (remember we even started out with Auditing Standard No. 2 and then moved on to Auditing Standard No.5!). Whereas none of the QC standards have changed. It’s clear that the PCAOB has been actively updating and modernizing the individual auditing standards, whereas the QC standards have remained stagnant.

There is more inspection history to inform policy and quality improvement.

The PCAOB has conducted inspections for over 15 years and although there has been improvement in the number of inspection findings during this time, the audit regulator continues to find issues in individual audit engagements and weaknesses in firms’ systems of quality control. The PCAOB believes that the time has come to modernize the QC standards which will help to drive further improvements in audit quality. Modernizing and updating the QC standards could do more to prompt firms to take a proactive approach to managing audit quality.

Over many years, the accounting profession as evolved, but policies remain the same.

There have been significant changes to the financial reporting and auditing environments as well as significant innovations in technology over the last few decades (i.e. computers and the digital age!). Even the structure of audit firms and the way they service their clients has changed. And yet throughout this same time-period there has been no updates or revisions to the QC standards. As Board Chairman Duhnke stated, “The current quality control standards may no longer be sufficiently resilient to remain relevant. It is appropriate to revisit and modernize those standards now.” ¹

QC standards are a global issue.

The PCAOB is correct to acknowledge that this is not a US-specific issue. The International Auditing and Assurance Standards Board (“IAASB”) is also taking a similar path to update its QC standards. The PCAOB plans to leverage IAASB on their proposed standard, ISQM 1 ² , and supplement it with requirements for certain aspects of a firm's QC system that the PCAOB feels either warrants greater attention or are specific to the US markets. Global firms (and even regional firms) are increasingly managing audit quality on a centralized, network-wide basis. The PCAOB is hoping that by molding its QC standards similar to ISQM 1, it will minimize differences between its QC standards and international standards which will redirect time spent by firms on compliance to areas that directly affect the quality of audits they perform.

So why not just issue a proposed rule for public comment?

The idea for issuing a QC concept release rather than a proposed rule was to obtain broader feedback from all the interested stakeholders before heading down an unpopular path. Clearly, QC standards are a complex and contentious area and the PCAOB wants to strike the right balance in this important area for investors, audit committees, audit firms, and other interested parties. By hearing from all interested parties, the PCAOB is following its path of implementing regulations that everyone can live with.

Clearly the time has come for the auditing profession to take a long, hard look at its own quality controls and processes (with the goal of doing a SOX-type audit of itself). The fact that QC issues are still being identified during inspections implies that the current standards are ineffective and not in touch with the current times. Hopefully, the QC concept release will be able to provide some lifeblood and incentive for firms to improve their QC processes.

¹ PCAOB Open Board Meeting statement on December 17, 2019

² International Standard on Quality Management 1 (ISQM 1), Quality Management for Firms that …. Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements, as proposed by the International Auditing and Assurance Standards Board (IAASB).

Geoff Dingle , JGA Managing Director, works with PCAOB-registered accounting firms helping them identify, develop, and implement opportunities to improve audit quality. With over 20 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Geoff has extensive experience in audits of ICFR and firms’ systems of quality controls. Prior to the PCAOB, he worked on audits in various industries at Deloitte in Atlanta and Durban (South Africa).

Is it Just a Significant Deficiency? Evaluating Deficiencies in ICFR

Wed, 10 Jun 2020 22:26:38 GMT

I know, the words “material weakness” just seem so extreme. When I ask an engagement team about its evaluation of control deficiencies and whether there could be a material weakness, the team will almost always respond, “No, we really think it’s just a significant deficiency.” The thought process being, how could a little control deficiency that deals with an immaterial variance possibly rise to the level of a material weakness? Of course, I always follow up with “Tell me why.”

I suppose to start, we should define a material weakness. The PCAOB defines the term as follows:

A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis. ¹

The key here is the term “reasonable possibility.” It does not mean that there is in fact a material misstatement, but rather that the internal controls over financial reporting would not sufficiently prevent or detect a material misstatement and thus, there could potentially be a material misstatement.

Time and again, through various pre- and post-issuance reviews as well as through my experience with audit consultations, I have seen engagement teams struggle to appropriately evaluate deficiencies in internal control. Often, teams will look at the control deficiency and point to the fact that the deficiency involves an immaterial variance. If only it were so simple to conclude as such. It’s like engineers building the leaning Tower of Pisa saying, “The ground hasn’t fully settled, but it’s only off by a couple degrees. It’s not that material.” No, a couple degrees may not be significant, but if it compromises the structure of the tower, well, then it’s material.

The guidance within the PCAOB is housed within AS 2201, An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements . Controls deficiencies can arise from testing the operating effectiveness of controls in an integrated audit as well as from the identification of audit misstatements during substantive testing. Thus, while AS 2201 is pertinent to integrated audits, it is equally applicable to non-integrated audits when engagement teams are evaluating the severity of control deficiencies. AS 2201 provides numerous factors to be considered when evaluating control deficiencies including some of the following:

Risks : The guidance provides various risk criteria that should be considered including susceptibility to fraud as well as risks related to the nature and complexity of the account. Generally, the greater the risk, whether due to fraud, subjectivity, or complexity, the higher the correlated risk of a material weakness in controls.
Materiality of the misstatement and/or account : When evaluating materiality, teams should consider the materiality of the misstatement (if there is a correlated misstatement) as well as the materiality of the account. For instance, if an engagement team finds a control deficiency in testing revenue controls, the engagement team should consider all revenue at first and then begin to reduce the account balance based on specific characteristics of the deficiency or misstatement. If, for instance, the control deficiency or misstatement only relates to a specific revenue stream, the exposure would then also be limited to a specific revenue stream. As a general principle however, if an audit misstatement was identified and its material, the presumption would be that there is a control deficiency and that it is likely a material weakness.
Compensating controls: Often engagement teams will point to other controls as “compensating controls.” In this evaluation, it is critical that engagement teams consider the following:
Do the compensating controls cover the relevant assertion(s)?
Do the compensating controls operate at a sufficient level of precision to truly identify a potential misstatement? Often, teams will point to financial statement review controls as compensating controls, but if these controls have higher management thresholds or are too high level, would it really compensate for the specific control with the deficiency?
As a general thought, when I begin to see one singular control that acts as a compensating control for most, if not all, control deficiencies identified in an audit, I begin to wonder if that control really is sufficiently precise. It begs the question, why were all the other controls identified as key if all relevant assertions for all accounts could be covered by one or two compensating controls?
Remediation of the control: Though not explicitly identified in the guidance, management and engagement teams often will point to remediation of controls to reduce the risk of material weakness. While remediation is important to consider, engagement teams must also consider if there are sufficient instances of the control occurring after remediation to test and conclude on the operating effectiveness of the control at reporting period end. If so, the control deficiency identified during the period would in fact, at period end, not be considered a control deficiency.

To perform a thorough evaluation of a control deficiency, engagement teams should understand the nature of the deficiency (what went wrong?) and the root cause (why did it go wrong?). From there, the engagement team can make an appropriate determination of the potential account balance at risk and consider what controls would compensate for the known issue.

In addition, teams need to evaluate each deficiency in isolation as well as in aggregate. Aggregation could be grouped by account, location, or client entity; engagement teams should consider multiple levels of aggregation if they exist and/or are merited. AS 2201 specifically states that, “Multiple control deficiencies that affect the same financial statement account balance or disclosure increase the likelihood of misstatement and may, in combination, constitute a material weakness, even though such deficiencies may individually be less severe.” ²

In our work with audit firms, we often instruct teams to first consider each deficiency to be a potential material weakness, and then, after evaluating the various factors, reduce the severity of the deficiency from a material weakness to a significant deficiency or to a control deficiency. Essentially, start first with the presumption that it is a material weakness and then tell me why it’s not.

Regardless of the severity, engagement teams need to document the impact of the control deficiency on the substantive audit. If it’s just a control deficiency and there is a relevant compensating control, there may be no impact on the substantive audit. However, if it evolves into a significant deficiency and/or material weakness, there would likely be some sort of impact on the substantive audit if the engagement team planned on a control reliance approach.

While it’s easy to write all this, performing the evaluation itself is difficult. Teams often feel burdened to “make it go away” because a discussion with management and the audit committee around a material weakness is not easy. But that doesn’t change management or the auditor’s responsibility. Management is responsible for the design and implementation of internal controls over financial reporting. The auditor is simply there to evaluate the design and operating effectiveness and conclude based on the testing.

I encourage teams to take a step back and trust your gut. When I perform reviews, I’m not looking for material weaknesses, but when I find one, it’s generally pretty obvious to me (and to the team, honestly). All it takes is a couple questions and teams agree. So, trust your gut; if it smells like a material weakness, it probably is.

¹ PCAOB Auditing Standard 2201: An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements. Paragraph A7.

² AS 2201.65

About Johnson Global Advisory

Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.

Visit www.johnson-global.com to learn more about Johnson Global.

Jackson Johnson, JGA President, to deliver PCAOB Update and Developments

Wed, 06 May 2020 22:40:10 GMT

Los Angeles, CA: Jackson Johnson, President of Johnson Global Accountancy, is slated to speak at the 35th Midyear SEC Reporting & FASB Forum hosted by the Practicing Law Institute on June 11–12, 2020 (the “Forum”).

Jackson will be co-presenting the PCAOB Update and Developments morning session on day two of the Forum. The session will focus on critical audit matters and an overview of new standards, including auditing accounting estimates and the use of specialists. Additionally, this session will update participants on current research and standard-setting projects such as the concept release on quality control standards, and an outlook on the inspection season. Megan Zietsman, Chief Auditor of the PCAOB, will be co-presenting with Jackson.

“I am delighted for the opportunity to speak at PLI’s Annual Midyear Forum,” stated Jackson. “With the volume of updates and changes happening now, including how we have all needed to adapt quickly in this new normal, this will be a jam-packed program appropriate for all firm leadership, engagement partners, engagement quality reviewers, and their stakeholders that share the commitment to audit quality.”

Jackson's experience includes six years in the Division of Registration and Inspection at the PCAOB, where he conducted and reported on inspection of issuer audits and firm systems of quality control at small and medium-sized accounting firms throughout the world, including foreign affiliates of large international accounting firms. Prior to the PCAOB, Jackson conducted cross-border audits of multi-national public and private clients in a variety of industries at Grant Thornton LLP in Boston, Los Angeles, and Hong Kong.

The Forum will be held virtually this year due to local health guidelines. Register here .

Independence Violations: Why are there still flaws in the independence wall of armor?

Fri, 01 May 2020 16:04:53 GMT

You would think that for the many decades that the independence rules have been around, auditors should be able to easily maintain their independence from their audit clients. Alas, it seems like every time we turn around there is another breaking news story about an independence violation being reported on by the SEC or the PCAOB. These violations should be the easiest to avoid, but over the years being lax on this basic process has caused much unnecessary stress and embarrassment.

Why does auditor independence matter?

Independence is the backbone of the auditing profession and is laid out in both SEC regulations and the PCAOB’s General Auditing and Quality Control Standards. PCAOB AS 1005 requires that an auditor’s independence is paramount as “an independence in mental attitude” is to be maintained by an auditor. As the auditor, you must not have any bias or appearance of any bias. Any bias, no matter how big or small, will rust away at the impartiality that is necessary for your findings to be relied upon by the users of financial statements. Even if you have the best technical proficiency, any break in the wall of armor of independence will weaken the wall to a house of cards.

What are some of the common pitfalls?

The independence rules are tucked away in Rule 2-01 of Regulation S-X, along with various FAQs that have been released along the way. Be that as it may, all audit firms generally have an audit program that helps guide engagement teams through the independence checking process. Engagement teams typically perform independence checks and procedures during audit pre-planning. However, even with the best of programs, these pitfalls can trip you up. Here are some areas to consider:

Delegation to the right level staff – Sometimes engagement teams may seem to be just going through the motions by delegating responsibility of completing these independence procedures to a less experienced engagement team member that may not even fully comprehend what they should be looking for.
Engagement team confirmation – It is important that independence is confirmed for all team members, including engagement team members that may join your engagement team in the middle of interim or final fieldwork. Don’t forget to include your firm’s internal specialists (tax and valuation specialists).
Non-audit services – It's widely known that non-audit services are typically more lucrative economically than your typical attest service. There is always the pressure to improve your revenue growth goals by bringing work into your firm, and as the audit partner you may accept a non-audit service without having done the full due diligence of the service being performed. After all, no one wants to turn down profitable work! The problem is ensuring that non-audit services to issuer audit clients comply with PCAOB rules and SEC regulations, since there have been a number of recent violations in this area.
Foreign affiliate considerations – Also, don’t forget to include foreign affiliates of the firm in your independence confirmation procedures, especially on large multinational issuers – you would hate to find out that a foreign affiliate performed bookkeeping or payroll services for a subsidiary or component of the issuer you are auditing!

How to overcome these pitfalls?

Make sure your auditing firm has clear and easy-to-find independence policies and procedures and includes training on these policies, at least annually along with consistent messaging from leadership. If you want to make it important, include compliance with the firm’s independence policies and procedures as a consideration to an auditor’s compensation or promotion.
Assign these procedures to the appropriate level of engagement team member. Independence procedures are an important part of the success of any audit and the independence rules can be daunting. Sometimes the most junior staff person is not that person! The goal is certainly not to create independence experts out of everyone on your engagement team, but to ensure that your team knows the basics (i.e. Independence 101) and what they need to do if they are unsure about something and who to ask questions.
Review your quality control systems. Recent violations have called out firms for their lack of quality control systems in place to monitor, identify and react to independence concerns. If this is something that keeps you awake at night, consider performing a detailed review of your quality control system.
Lastly, if you are unsure, consult, consult, consult! No one knows every nuance of an independence issue. Use your firm’s network of independence specialists – that’s what they are there for and they have probably come across your issue before.

It’s better to get ahead of an independence issue than determine after completion of your audit that your firm was not independent. Repercussions could be dire – a pulled audit opinion, potential loss of the client, damage to your firm’s reputation, and potential fines and sanctions by the SEC or the PCAOB. Don’t wait to act! You want your independence wall of armor to be firm and steadfast!

Geoff Dingle , Johnson Global Managing Director, works with PCAOB-registered accounting firms helping them identify, develop, and implement opportunities to improve audit quality. With over 20 years of public accounting experience, he spent nearly half of his career at the PCAOB where he conducted inspections of audits and quality control. Geoff has extensive experience in audits of ICFR and firms’ systems of quality controls. Prior to the PCAOB, he worked on audits in various industries at Deloitte in Atlanta and Durban (South Africa).

Meet Geoffrey Dingle: Reflections From the Other Side

Wed, 15 Apr 2020 16:15:39 GMT

Recently, Geoffrey Dingle joined Johnson Global Accountancy as a managing director. Geoff sat down with Sara Janjigian Trifiro, the Firm’s Director of Marketing for an interview of his past experience and his first impressions of JGA and how we serve our clients.

SJT: What makes you excited to join JGA?

GD: Over the past few weeks, it has been really refreshing to witness the commitment of the team at JGA helping accounting firms improve their audit quality. While I was at the PCAOB, I saw how hard firms were struggling to improve audit quality. To now be on the other side of the table working with clients through their pre- or post-issuance reviews, assisting engagement teams in PCAOB comment form responses or helping firms in their root cause analysis, I am delighted to be part of solving the problems and not just identifying them. JGA has such depth of experience to pull from - CPAs and former seasoned PCAOB inspectors. The team comes up with solutions that work, are not overly cumbersome, and will help improve quality over the long term. For JGA, it is not just about making sure firms comply with PCAOB regulations, but helping make real, actionable changes that permeate and strengthen the quality control of firms.

SJT: You have had a varied career. What are the most important aspects of your experience in auditing and in audit regulation that you will bring to your work at JGA?

GD: Throughout my career I have noticed that a common struggle for many firms stems from the varying judgments and decisions that engagement teams and audit committees have to make. So many of these decisions are subjective and based on multiple inputs of data and opinions. My experiences in the corporate world, as a Big 4 auditor, and as a PCAOB regulator overseeing audit firms, have led me to develop an understanding of these varied judgements and how they, while the best intensions are usually at play, can complicate the process. The PCAOB inspection teams are not able to read engagement teams’ minds of what judgments they were considering as part of initial fieldwork. Clear communication and proper workpaper documentation is at the core of solving most problems.

For the 10 years that I was at the PCAOB, I was actively involved in many aspects of the PCAOB’s mission. I worked in the inspection process where I saw how engagement teams implemented and followed auditing standards which included analyzing judgements around things like goodwill impairment and decisions made by engagement teams. I was also involved in the report writing process where we developed Part I PCAOB report findings as well as the development of the nonpublic Part II quality control criticisms. My experience in the PCAOB’s management and monitoring program is even more relevant now as this has become a larger focus area by the Board and have seen an increase in seeking comments on the revisions to be made to the PCAOB Quality Control standards. When it comes to root cause analysis, I was also heavily involved in reviewing accounting firms root cause analysis and remediation processes.

Quality is not one right answer. It is, instead, a cultural mindset, which is as much about changing peoples thought processes, their habits, and their priorities, as it is about changing policies. Having been on different sides of the table helps me to see where the engagement team is coming from in its judgment making as well as where the regulators are coming from related to expected compliance with auditing standards.

SJT: What do you think are the biggest opportunities that firms are dealing with in respect to audit quality?

GD: A huge opportunity the accounting profession continues to encounter is compliance with the independence standards. Independence is at the core of the auditing profession – if an auditor is not seen to be independent, the users of the financial statements question the impartiality of the auditors and the reliability of the financial statements. As the PCAOB Standards quite rightly say, no amount of technical know-how is going to change a user’s belief that an auditor is biased. The breakdown in independence typically occurs when an engagement team breezes through procedures performed related to identifying non-audit services. Or sometimes, they have inappropriately concluded that a service performed by the accounting firm is not an independence violation. Many engagement teams don’t fully grasp the sheer importance of this testing. Independence violations have dire consequences that far exceed significant fines. Investors’ lack of trust in a company’s financial statements can’t be repaired easily or with a fine. Engagement teams should be spending the appropriate time searching for potential independence concerns and consulting internally with their firm’s independence specialists.

The use of technology throughout the process has obviously transformed the industry over the course of my career. At the core, we are still doing the same things, but how we do them, has dramatically changed. Technology, new business models and even brand-new industries are exciting, but with each new step forward, there are additional challenges to consider. Cybersecurity concerns are becoming a significant risk to every company and individual in the world; no one is immune. Auditors now have the additional step of considering these risks within their assessment of internal controls. There is opportunity to adapt and think outside the box, which is exciting, but each decision must be made to address audit quality at the core of all we do.

SJT: Is there something that inspires you from outside the accounting industry?

GD: When my children were young, our favorite place to visit was Disney World. In addition to the joy my family had there, I was fascinated by their client service model. The moment that you arrive you feel like (even for a short time) that all the stresses and tribulations of life and work are forgotten. You are able to forget your daily worries and focus on spending quality times with the ones you love. While this doesn’t apply perfectly to the accounting industry, The Disney Way - “Dream, Believe, Dare, Do” principles to build a successful customer-centric culture, can be applied to our client service model. This is especially true of JGA. Our work with our clients helps them overcome big quality problems and create a better culture for their employees, clients and investors. Sometimes these are easier fixes like increased documentation of well-thought-out judgements; and sometimes there are larger training and development factors that need improvement. Regardless, I look forward to serving my clients and working with them to solve their quality control concerns and improving their firms today and in the future.

Geoffrey Dingle has over 20 years of experience in the accounting industry and brings a diverse set of experiences to JGA. As an Associate Director for almost 10 years, in the Division of Registrations and Inspections at the PCAOB, he conducted inspections of quality control and issuer audits. In addition, he played a senior role in planning, executing and reporting on the annual inspections of Global Network Firms, including, but not limited to, quality control procedures, review of comment forms, development of the inspection report criticisms and quality control themes, and evaluation and review of Firm root cause analysis and remedial actions.

Prior to the PCAOB, Geoff served as an audit senior manager at Deloitte. In this role, he led audit engagements for large publicly held companies. His client portfolio included consumer business, manufacturing, and agriculture companies.

His experience also includes an inside perspective of owning and managing an organization in today’s business environment as owner/CFO of Mathanasium North Marietta. Geoff started his career as a financial accountant of a media/newspaper company where he was responsible for the functioning of the accounting department and the month-end financial close and analysis/reporting process.

Geoff has a Post-Graduate Diploma in accounting and Bachelor’s Degree in Commerce (Accounting) from the University of KwaZulu-Natal. He is registered as a Certified Public Accountant in Virginia and is a member of the American Institute of Certified Public Accountants.