Revisiting Risk Assessment Under SAS 145 Part I: Identifying Significant Risks

In January of 2022, we wrote about the fact that given some of the newly issued AICPA guidance, the differences between AICPA and PCAOB audits is increasingly diminishing. Although not convergent, there is a move within the audit industry to increase alignment. This is true within the US as well as at a more global level. Is it coincidence that AU-C 315, CAS 315, and ISA 315 all have the same number and all deal with risk assessment? As a follow-up to our previous article, we are going to explore two key elements of the new SAS 145 guidance. In this first article, we are exploring some of the renewed focus on risk assessment. In a second article, we will explore the new requirements around understanding the design and implementation of controls with a focus on further developing our knowledge of information systems and the risks they present in an audit.

In working with engagement teams, we get our fair share of consultations asking to brainstorm how to audit a specific account or transaction. Typically, the first question is, “what is the overall risk of material misstatement?” After all, doesn’t everything begin with risk assessment?

While we may all acknowledge this reality, so often, teams consider the nature of the procedures performed to determine whether something is a significant risk. And we get it. Until the new AICPA standards were released, specifically SAS 145, the previous guidance defined a significant risk as follows:

“An identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration.”

In other words, a significant risk was determined based on the necessity for special audit consideration. In all fairness, the guidance in AU-C 315 does also provide additional considerations in paragraphs 28 and 29 regarding significant risks. All that changed however with the new SAS 145 which now defines a significant risk as:

An identified risk of material misstatement

i. for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur, or

ii. that is to be treated as a significant risk in accordance with the requirements of other AU-C sections. (i.e., fraud risks)

The new definition is still a bit “convoluted” but at least it is pointing engagement teams to the inherent risk factors as opposed to the procedures performed1.

Okay, so we have improved the definition of significant risks, but what is the big deal? The issue we are seeing in the industry is a failure of engagement teams to properly identify and document risk assessment and specifically, significant risks. Increasingly, when we support our clients on PCAOB inspections and firm’s counsel as an expert in enforcement investigations, we see the regulators challenge engagement teams on their identification of significant risks. What inspection and enforcement staff are getting at is: if the risk assessment is wrong, the audit approach is also inherently wrong.

Assessing the Overall Risk of Material Misstatement

As part of planning an audit, engagement teams develop an understanding of the entity through inquiries with management, reading press releases and interim financial statements, and performing preliminary analytics, among other procedures. Don’t forget that in the new SAS 145 guidance, teams are required to obtain an understanding of the design and implementation of internal controls. This new requirement, which has been the expectation under PCAOB standards, is required regardless of whether the team plans to rely on controls; this is a foundational part of understanding the entity. From this knowledge, teams can begin to understand the likely sources of potential misstatement which enables teams to perform a complete and robust risk assessment. Based on that understanding of the entity and the financial statements, the engagement team performs its risk assessment with the overall risk of material misstatement being predicated on the separate evaluation of inherent risk and control risk.

Inherent risk is the susceptibility of an assertion (linked to a class of transactions, an account balance, or a footnote) to misstatement that could be material, either individually or when aggregated with other misstatements before consideration of controls. The key here is to ignore controls. AICPA and PCAOB guidance provide examples of risk factors including nature and size of the account/class of transactions, volume of transactions, complexity, homogeneity, exposure to losses within an account, degree of uncertainty and subjectivity in estimates, changes from prior periods related to accounting / disclosure, related party considerations, susceptibility to misstatement due to error or fraud, as well as susceptibility to management bias and judgement. Though not exhaustive, you get the point. Inherent risk is based on the nature of the account itself.

Control risk is the risk that a misstatement could occur that could be material, either individually or when aggregated with other misstatements, will not be prevented or detected on a timely basis by the entity’s system of internal control. This part of risk assessment is simpler; to reduce high control risk, engagement teams must test the operating effectiveness of controls. In other words, is the engagement team relying on controls or not?

Based on inherent risk and control risk, the engagement team then considers the overall risk of material misstatement. The specific identification of significant risks varies from firm to firm. Some methodologies build in the identification of significant and/or fraud risks into the inherent risk assessment and some have a separate consideration. There is no right or wrong way here, but the point is to be sure that the risk assessment incorporates clear documentation around significant and fraud risk identification. When identifying significant risks, the literature places a huge emphasis on related party transactions, complex accounting, estimates (given the subjectivity, uncertainty), as well as significant unusual transactions. These items are not automatically default significant risks, but they have a much higher likelihood of being a significant risk (depending on materiality). Keep in mind that just because an account is immaterial does not inherently mean there is no risk of material misstatement; this is where understanding the nature of the account or the qualitative nature of a disclosure is important. For instance, an immaterial allowance for doubtful accounts does not mean there is no risk of material misstatement. As a reserve account, the engagement team needs to consider the risk of understatement when concluding on magnitude and whether an account poses a risk of material misstatement. The same can be said for qualitative disclosures. Materiality is not purely a quantitative consideration.

Nature, Timing, Extent of Audit Procedures

Once risk assessment is completed, the next step is to then design the nature, timing, and extent (or NTE) of the audit response.

The nature of the audit approach can be broken down into various considerations:

Control test vs. substantive test
Within control testing, the nature of the test, such as inquiry, observation, inspection or reperformance
Within substantive testing, the use of analytical procedure vs. tests of details
For both controls and substantive testing, consideration around the use of work of others and review considerations such as reliance vs. reperformance

Timing is a function of when is the testing being performed (i.e., interim vs. year-end test work) and what balance is being tested (i.e. an interim balance or the year-end balance). Generally, the higher the risk, the more we expect testing performed at year-end (i.e., with the most up to date information) and/or testing performed over year-end balances. Interim testing can certainly be useful, such as testing predictable, often low-risk prepaid balances. However, for a significant accounting estimate (i.e., a significant risk), testing the Q2 balance may not be the best approach as it would require extensive roll-forward procedures to ensure the year-end estimate is also materially correct.

Finally, the extent is the amount of test work being performed. This is most often evidenced in the sample sizes used for controls and/or substantive tests of details. However, the extent could also be found in the mix of procedures performed. For instance, while a test of detail may cover the risk related to an assertion, engagement teams may also perform analytical procedures to obtain additional comfort, adding to the extent of testing.

There is nothing terribly new here. Engagement teams build out the audit plan based on overall risk assessment. And that is the key: risk assessment is so critical because it is the starting point for designing the appropriate mix of procedures. If the risk assessment is inaccurate and/or not thoroughly documented, how can anyone conclude on the appropriateness of the audit procedures to address the risk?

Easy as this concept may be, often when we take a step back and compare the audit approach for a significant risk vs. a normal / minimal risk, in theory, the audit approach should look different. And yet, we have often seen engagement teams use a judgmental sample of five to test a low-risk account and then also use a judgmental sample of five to test a moderate or high-risk account. How does this evidence any change in NTE? The theory and concepts are not hard; it is the application of the concepts and ensuring the audit approach adequately takes risk assessment into account that is difficult.

Documentation

After talking through risk assessment in a consultation, the next question is typically “where is this documented?” Often teams have the risk assessment documented in planning, but when we look at the list of significant risks communicated to the audit committee, it does not reconcile with the planning documentation. Or, when we compare the list of significant risks in the CAM evaluation tool, again, it does not reconcile. Primarily, the risk assessment needs to be consistent throughout the audit file. Second, the risk assessment needs to be thoroughly documented. While nothing in the auditing standards requires teams to document why something is not a significant risk, if there is any question and/or professional judgment applied, that needs to be captured in the documentation. If any of the significant risk factors (AU-C 315.29 or AS 2110.70-71) are present, then engagement teams should either a) identify a significant risk or b) document why those risk factors do not represent a significant risk.

What we are seeing is that absent documentation evidencing the engagement teams’ considerations and professional judgment, the PCAOB is challenging the identification of significant risks. In other words, if there is a material account that has complex, subjective assumptions or if there is a material significant unusual transaction and the engagement team did not identify a significant risk and did not document its considerations, then the PCAOB is challenging the evaluation. So, be consistent with the risks identified and be clear in the documentation in your audit file.

Common and Potential Pitfalls

Two common pitfalls we see, aside from the inconsistency of risk identification within an audit file, include:

Forgetting about management override of controls: Most know that revenue has a presumptive fraud risk (and thus is a significant risk, by definition). However, often teams forget to document the presumptive risk of management override of controls. This risk exists, regardless of whether the engagement team is testing the operating effectiveness of controls. Journal entry testing, as required under AS 2401, is one procedure to address the risk of management override of controls, so teams often claim “it’s inherently considered a risk because we did JE testing” but this does not really demonstrate to the PCAOB how the engagement team considered the entity-specific risk of management override of controls and designed appropriate procedures to address the specific risk.

Performing a thorough evaluation and review of significant risks: While the PCAOB often challenges the under-identification of risks, I have also seen repeatedly where teams will document a significant risk and then, when the audit approach is questioned during an inspection, the engagement team will provide a list of reasons why the audit approach was sufficient. Those reasons are typically linked to inherent risk factors that support why the risk is low. In other words, the engagement team identified a significant risk during planning, but now, when being forced to defend the audit approach, the engagement team is presenting an argument that the risk is in fact low and not significant. Why was it identified as a significant risk at the time of the audit then? Most of the time, I agree with the engagement teams, but that means the risk assessment was not correctly documented during the audit and/or the risk factors changed during the audit, but the team did not revisit risk assessment.

Two potential pitfalls we could see relate to the following:

The new guidance from SAS 145 defines a significant risk as a risk that is “close to the upper end of the spectrum of inherent risk due…” While conceptually easy to understand, firms will need to make it clear to engagement teams what constitutes a significant risk and how to interpret this new definition. Does this mean all higher inherent risks are considered significant risks? What are the factors to be considered in delineating between higher risk accounts and significant risk accounts? Or perhaps firms will need to revisit methodologies and recalibrate the inherent risk scale to allow for more precise delineation so that all higher inherent risks are not automatically defaulted to significant risks.

SAS 145 also includes a requirement to perform a “stand-back” analysis to ensure the completeness of the engagement team’s identification of significant classes of transactions and significant accounts. In other words, after performing the risk assessment, the engagement team needs to stand back and evaluate the potential risk of material misstatement for all classes of transactions and accounts that were not previously in scope. Is there a risk of material misstatement in aggregate? What assertions?

The point is not to go overboard and identify 20 significant risks. We have challenged teams on over-identification as well as under-identification. The point is to be thorough and complete and to capture the relevant judgments that go into performing risk assessment. Also, if the documentation incorporates the relevant risk factors and the engagement teams’ judgments around those risk factors, then the documentation should speak for itself. That is the goal.

Key Takeaways

Remember to separately consider inherent risk and control risk.
For significant, unusual transactions, complex accounting matters, and/or subjective accounting estimates, unless the amounts are obviously immaterial, consider documenting the professional judgment around why something is or is NOT a significant risk.
Once significant and/or fraud risks have been identified, be sure the nature, timing, and extent of audit procedures are appropriately modified to address the specific risk.
Document all professional judgment applied (and considered) when evaluating risk assessment.
Risk assessment is an iterative process, so be sure to continue to update risks (as merited) throughout the audit and be sure risk assessment is consistent throughout all documentation within the audit workpapers, including audit committee communications.

< Older Post

Newer Post >

Joe Lynch, JGA Managing Director to Speak at AICPA® & CIMA® ENGAGE 25

April 25, 2025

WASHINGTON, D.C.: Johnson Global is pleased to announce that Joe Lynch, JGA Managing Director will speak at the AICPA® & CIMA® ENGAGE 24 Conference on June 9–12, 2025, at the ARIA Resort & Casino in Las Vegas, NV and live online. This CPE-eligible event is the premier annual event for accounting and finance professionals, bringing together thousands of peers, experts, and industry leaders for top-tier learning, networking, and career growth opportunities. Register by May 1, 2025, to take advantage of Early Bird rates— $1,995 for members ( regularly $2,095 ) and $2,445 for nonmembers ( regularly $2,545 ). *PCPS, Tax and PFP section members and CITP®, PFS™, CGMA® credential holders save an additional $150 . Discount reflected in section member/credential pricing during checkout. Register Today ! About Johnson Global Advisory Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigates those standards. JGA is committed to helping the profession in amplifying quality worldwide. Visit www.johnson-global.com to learn more about Johnson Global.

JGA to Sponsor 2025 ALI-CLE Accountants' Liability Conference

March 21, 2025

WASHINGTON, D.C.: Johnson Global Advisory (JGA) is proud to sponsor the Accountants' Liability Conference hosted by ALI-CLE. This two-day event will take place in Washington, D.C. and virtually on June 2nd and 3rd. This is an excellent opportunity to gain valuable insights into a wide range of critical issues. The 2025 conference will focus on audits and oversight, providing essential guidance to help you navigate the evolving landscape of regulatory compliance and better protect your firm and clients. “We are pleased to sponsor this conference for the last several years. This event brings together top law firms, internal counsel, and risk experts for dynamic discussions on trending topics such as accounting liability and other important issues affecting the profession,” said Jackson Johnson, JGA President. “I look forward to personally engaging with participants, presenters, and stakeholders at this conference.” This year’s program is still being finalized but planned topics include: Recent Trends in Accounting Litigation Living in a post- Jarkesy world The future of enforcement PCAOB inspection program update SEC perspectives on gatekeeper liability AI and emerging technologies in the accounting industry Accounting firms entering the legal space International firm considerations Alternative practice structures and AICPA independence rules Register by April 25 to attend in-person and use the code “ JGA ” to save $250 off . OR, for webcast attendance, use the code " JOHNSON " to save $125 off the tuition. Click here to register. About Johnson Global Advisory JGA is dedicated to helping public accounting firms around the globe achieve the highest level of audit quality. All CPAs and former PCAOB inspection staff, JGA professionals are passionate and practical about working alongside firm leadership to ensure the right controls, policies, and practices are implemented throughout the organization. Visit www.johnson-global.com to learn more about Johnson Global.

JGA Makes Third Annual Contribution to The Boys & Girls Club of Greater Kansas City

March 21, 2025

WASHINGTON, D.C.: Johnson Global Advisory (JGA) makes third annual contribution to the Boys & Girls Club of Greater Kansas City. The 29th Annual Kids Night Out is scheduled for Saturday, April 26, 2025, and promises to be an unforgettable evening, bringing together over 1,500 guests to support the children served by Boys & Girls Clubs of Greater Kansas City. “We’re thrilled to continue our support for the Boys & Girls Club of Greater Kansas City. This marks our third year backing this chapter, and I know that many of our JGA employees have personally benefited from the programs the Boys & Girls Clubs offer nationwide,” said Jackson Johnson, JGA President. “Kids Night Out is Boys & Girls Clubs of Greater Kansas City’s biggest fundraiser each year– and all dollars raised stay right here in Kansas City”, said Andy Burczyk, Board Member and Chair of Kids Night Out. “This organization is doing extraordinary things, and it is because we as a community invest in their impact.” For over 100 years, Boys & Girls Clubs of Greater Kansas City has provided a safe, supportive environment for youth. Serving over 8,000 kids and teens annually across 11 locations, the organization helps young people achieve their full potential through programs that promote academic success, healthy lifestyles, and character development. Through mentoring and leadership training, they equip members with the skills needed for success now and in the To learn more information on the Boys & Girls Club of Greater Kansas City and their work with the youth, please visit www.bgc-gkc.org . About Johnson Global Advisory JGA is dedicated to helping public accounting firms around the globe achieve the highest level of audit quality. All CPAs and former PCAOB inspection staff, as well as JGA professionals, are passionate and practical about working alongside firm leadership to ensure the right controls, policies, and practices are implemented throughout the organization. Visit www.johnson-global.com to learn more about Johnson Global.

Johnson Global Advisory Supports Sustainable Harvest International

March 21, 2025

WASHINGTON, D.C.: Johnson Global Advisory (JGA) is proud to provide a financial contribution to Sustainable Harvest International (“SHI”). SHI is a nonprofit helping Central American farmers adopt sustainable farming practices for over 27 years. Their mission is to address the destruction of tropical forests caused by slash-and-burn farming and logging. SHI’s mission benefits both current and future generations by equipping farmers with the knowledge to farm sustainably. “We’re proud to partner with Sustainable Harvest International in their important work,” said Jackson Johnson, JGA President. “This collaboration helps drive lasting, positive changes and by backing such vital organizations, we stay true to our mission of giving back and making a real difference. JGA’s philanthropic efforts focus on supporting organizations that are important to our people. I appreciate Vernon sharing his experience as a board member and we are grateful to work with him to amplify this organization.” Vernon Johnson, JGA Director, is a Board Member and Treasurer for SHI. He is actively involved in this organization. "My nonprofit work has helped me maintain perspective in both life and at work,” said Vernon. “It’s taught me to stay calm during challenges and focus on the bigger picture. This experience has improved my relationships and made me more resilient in stressful situations. My advice to busy professionals is to step back, appreciate the simple things, and not sweat the small stuff—being thankful and present can make a big difference." To learn more about SHI, visit www.sustainableharvest.org/donate . About Johnson Global Advisory JGA is dedicated to helping public accounting firms around the globe achieve the highest level of audit quality. All CPAs and former PCAOB inspection staff and JGA professionals are passionate and practical about working alongside firm leadership to ensure the right controls, policies, and practices are implemented throughout the organization. Visit www.johnson-global.com to learn more about Johnson Global.

ISQM 1, SQMS 1: Influencing the Firm on the Benefits Beyond Compliance (Part II)

February 26, 2025

The implementation of the System of Quality Management (SQM) is not just a compliance requirement but an opportunity to drive significant business value. By aligning firm-wide goals, improving internal processes, and optimizing controls, firms can streamline their operations, reduce inefficiencies, and improve overall performance. The process also provides an opportunity for firms to gain valuable insights through key metrics, enabling data-driven decisions which provide strategic business insights, enhances audit quality, and promotes employee retention. In addition, early adopters who focus on the business value from the outset see improvements that reach across different practices within the firm, making the SQM implementation a strategic investment that benefits the whole firm long-term. We have seen that our work in this area results in meaningful improvements to the way the business of audit and assurance is conducted, and many of these improvements will have benefits that reach across other practices of the firm. This is part II of a series on the benefits of SQM implementation. This article builds on our insights from 2022 in Part I of this series . Compliance as a Driver Compliance is the main driver of the new System of Quality Management (for all standard-setters, referred to as “SQM”) standards issued by the IAASB, AICPA, and the PCAOB. There is no disputing that. However, for the early adopters, what we are finding is immense business value that come out of this process; more so if you start the process with business value in mind. Our ability to anticipate the benefits of executing ISQM 1 years ago is a key strength. Some firms have already implemented ISQM 1 at some level (partial adoption for group audits, for example). For SQMS 1 and QC 1000, since firms are all in various stages preparing for the December 15, 2025, go-live date, now is the time to lay out the strategic value drivers from this compliance exercise. Related: See a breakdown of the various implementation dates here . SQM implementation requires firms to take a closer look at their internal process; every process that touches the value chain of getting an audit done. To demonstrate how this requirement goes beyond the confines of the “audit practice”, consider these examples: Employee onboarding, training, and retention; Software tools and technology used to monitor internal aspects like independence; Tools used by engagement teams, for example, to test 100 percent of smart contracts or select journal entries to examine for fraud; Archiving of binders on time, and in compliance with audit documentation requirements; or Monitoring programs that identify and fix deficiencies in both audit performance and the underlying functions supporting the audit. Getting Buy-In, Aligning Goals, and Engaging Personnel We have seen firm quality leaders struggling to get the buy-in needed from stakeholders across the business (IT, HR, Tax, Advisory) for effective SQM implementation. And we have heard leadership from firms around the world ask: “What’s in it for us?” “All this investment just for a compliance exercise?” “Why do I need to be involved in something the audit group has to do?” But the best question we’ve heard is: “How can the system of quality management implementation improve our business?” When everyone is working toward the same objectives and goals, implementation becomes a cohesive and streamlined process. It’s important to have goals that are aligned throughout the organization, with them tailored to the component and roles within those areas. This includes: Getting the invested support from the partnership board down to process owners; Having goals that are specific and measurable (e.g. documenting the current process and eventually operating controls consistently and timely); Aligning the firm’s tone-at-the-top helps get everyone in sync; and Reinforcing management’s responsibility to establish a culture of quality and its importance in all the services performed by the firm. Management should: Lay out the long-term benefits of improved business performance, reduced risks, more timely and accurate data created which leads to insightful decisions; Emphasize the benefits of overall reduced costs related to non-compliance with network, firm, peer review, and regulators requirements; and Evaluate the potential for lower costs of insurance upon implementation and overtime. Understanding Current Processes Conducting interviews, gathering data, and documenting the processes within the firm’s system of quality management allows visibility of how these processes currently work (or don’t work). When SQM implementation project leaders invite personnel involved in a process together into one room and facilitates an open discussion, a clear picture of how each process really works materializes, and this strengthens cross-functional teaming. For instance, these meetings often result in the realization that two (or more) people are doing the same tasks (inefficiency) or discovering that no one is performing an important review check (gap). Formalizing and Optimizing Processes Once the current process is understood (“As-Is”) and with the right people in the room, the identification of areas where procedures can be more uniform, streamlined or simplified emerges. We often find that processes can be improved without adding more controls. This optimization effort incorporates standardization and normalization across the firm’s services and business functions providing benefit beyond the compliance exercise of the audit practice. Gaining Business Insights A sound system of quality management will bring new business insights and transparency to make confident decisions with reliable data. The optimization process will identify the key information used in the system of quality management (a similar concept to the work auditors performs with their companies as described here). This information provides new insights to help process owners and firm leaders make decisions. A firm can develop key quality metrics that are used to measure and improve the operation of the firm and audit quality which results in a modernized competitive firm. When a firm establishes a system to monitor the SQM environment, these insights allow for timely monitoring which enables leaders to quickly make decisions that address anomalies or negative trends as they arise. Getting Started Early Getting started early begins with: Firm leadership embracing the need for a consistent and well-monitored SQM to improve the business; Aligning objectives and goals for all firm personnel based on their role within the SQM; Disseminating to all firm personnel the importance of how their role contributes to the SQM; and Incentivizing all firm personnel to commit to their SQM objectives and goals which contributes to the benefits of these modern practices that lead to competitiveness. While compliance may be the hand forcing you forward, the upside to this “exercise” is that undoubtedly you will be a stronger, more efficient firm when executed correctly. We see firms that begin with such a mindset have more success internally and in the marketplace. Conclusion The journey of implementing a quality management system is transformative. Beyond compliance, it reveals deep insights and benefits, positioning firms at an advantage in our profession. For more information, reach out to your JGA audit quality expert. Jackson Johnson , JGA President and Founder, is a seasoned expert in audit quality and technical accounting matters. With nearly six years of experience at the PCAOB, he has worked with small and medium-sized accounting firms globally, focusing on firm quality control and ICFR audits. Jackson advises firms in PCAOB and SEC investigations related to cryptocurrency audits and has served on the Enforcement Advisory Committee of the California Board of Accountancy. Before his tenure at the PCAOB, he worked with public and private clients at Grant Thornton LLP in Boston, Los Angeles, and Hong Kong. Jackson is also a frequent speaker on quality control and enforcement issues in the accounting industry. Joe Lynch , JGA Managing Director and Shareholder, and a member of the AICPA Quality Management Implementation Task Force. Joe works with mid-market public accounting firms worldwide to implement quality management programs that integrate technology and process to improve the delivery of audits. Joe spent more than six years as an Inspection Leader at the PCAOB, he conducted inspections of quality control and global issuer audits at large firms in the US as well as foreign affiliate firms, focusing on examining quality control and the design and implementation of audit work. Joe also has experience supporting financial service industry audit teams at a Big Four firm. In addition, his experience includes active-duty service in the US Air Force and supporting companies with IT strategic initiatives such as designing the IT framework for technology departments as well as leading implementations of ERPs and systems.

PCAOB Withdraws Firm & Engagement Metrics Rule from SEC Approval Process

February 25, 2025

The Public Company Accounting Oversight Board (PCAOB) recently decided to withdraw proposed rules that would have required registered firms to report a significant new set of firms and engagement metrics. It was also set to mandate that large accounting firms submit financial statements to the U.S. Regulator, as part of a wider effort to enhance oversight. This decision came after criticisms from a variety of stakeholders from both the PCAOB and SEC comment process. For example, the American Institute of CPAs (AICPA) expressed concerns that these requirements could harm U.S. capital markets and negatively impact small and midsized audit firms, potentially driving them out of the public company auditing practice. The PCAOB's decision to withdraw the rules was seen as a positive move by the AICPA, which had urged the Securities and Exchange Commission (SEC) to refrain from approving the rules due to the significant challenges they posed. JGA commented to the SEC on the proposal; you can read our position on the proposal here .

Johnson Global Advisory Releases Updated 2025 Guide to Help PCAOB-Registered Firms Navigate the Inspection Process

January 17, 2025

WASHINGTON, D.C.: Johnson Global Advisory (JGA) has published a new third edition guide examining the key considerations faced by public company auditors during their PCAOB inspections. Drawing experience as audit and audit regulation experts and advisors to firms worldwide on all aspects of audit quality improvement, the JGA team has authored NAVIGATING PCAOB INSPECTIONS: Understanding the Inspection Process from Start to Finish.

Firm and Engagement Metrics: Getting a Head Start

December 20, 2024

Firm and Engagement Metrics: Getting a Head Start *** Please see the updated information on the PCAOB Firm & Engagement metrics Rule change. Click here . Introduction As regulatory requirements in the accounting profession continue to evolve, accounting firms are facing new challenges in ensuring compliance with quality management standards. One of the most significant changes comes with the adoption of the PCAOB’s QC 1000 and the associated Firm and Engagement Metrics requirements , which aim to increase transparency and accountability within the auditing process. These new requirements are set to provide critical data on a firm’s operations and other factors that can inform audit quality, including partner involvement, workload distribution, and other factors. In this article, we’ll explore the challenges and opportunities firms face as they begin collecting the information necessary for firm and engagement metrics. We’ll also provide actionable steps that, in concert with implementation of QC 1000 / ISQM 1 / SQMS 1, firms can take to ensure they’re ready for compliance, with a focus on the key areas highlighted in recent industry discussions. 1. Quality Management Implementation: Bridging Internal and External Requirements Key Insights: A major challenge shared by our clients was the distinction between internal quality management (QM) processes and external regulatory requirements. Firms are finding it difficult to ensure that the information they provide to regulators will be complete and accurate. The requirement to report accurate and non-misleading information to external parties under QC 1000 , such as firm and engagement level metrics necessitates a shift in how firms view and manage data internally. Action Items for Firms: Ensure Data Accuracy : Firms must evaluate their quality management system to ensure they are designed to meet the requirements for accurate and non-misleading information. This is crucial as QC 1000 requires firms to communicate data to external parties that is accurate and complete. Implement Data Tracking Systems : Develop systems to track and report data, ensuring that the information provided to external parties, including regulators aligns with quality management objectives. This may require new systems or modifications to existing systems. Evaluate Communication Processes : Firms should focus on improving or implementing communication processes to ensure that all external communications, especially those with regulators, meet the high standards of accuracy and clarity mandated by QC 1000. 2. Comparability of Metrics Among Accounting Firms Key Insights: The introduction of standardized firm and engagement metrics is designed to increase comparability and accountability across accounting firms. This allows regulators, investors, and stakeholders to evaluate firms based on consistent data. However, there are concerns about how these metrics might influence firm selection by audit committees and whether these metrics alone tell the full picture to accurately represent audit quality. Action Items for Firms: Adopt Standardized Metrics : Firms should ensure that their reported metrics align with the prescriptive guidelines outlined in the adopted Firm and Engagement Metrics Rule. This includes applying the defined roles in a consistent manner (such as engagement partners and managers) and calculating metrics consistently across all engagements. Prepare for External Scrutiny : Be aware that these metrics may not only be scrutinized by regulators but also by audit committees and investors. Firms should ensure that they are accurately capturing and reporting their metrics to avoid misrepresentations. Monitor AI Usage in Audits : Consider how AI tools may impact workload calculations and the measurement of audit hours. As AI becomes more prevalent in auditing , firms may need to report on the extent of its use, which could influence workload metrics. 3. Potential Implications of Reporting Metrics Key Insights: While firm and engagement-level metrics can provide valuable insights, there are potential risks to firms that are likely to emerge. These include the possibility that the metrics may inadvertently point to root causes of issues in the inspection process, particularly regarding workload and capacity challenges. Additionally, these metrics – coupled with inspection report findings - may influence how audit committees select firms, potentially providing a skewed representation of audit quality. Action Items for Firms: Use Metrics Internally for Root Cause Analysis : Firms should utilize firm and engagement level metrics as reported, when performing internal root cause analysis , identifying potential problems in workload distribution or staffing levels before they escalate. Evaluate the Impact on Firm Selection : Be mindful of how these metrics might affect firm selection. Firms should aim to demonstrate the full context behind their metrics to avoid misinterpretations that could impact their reputation. Balance Metrics with Qualitative Insights : Firms should complement quantitative metrics with qualitative insights, ensuring a comprehensive picture of their audit quality is presented to external stakeholders. 4. Engaging Stakeholders in the Use of Metrics Key Insights: One concern we have heard was the uncertain use of metrics by investors and other stakeholders. While the objective of the PCAOB in the rule-setting process was for investors and audit committees to analyze these metrics, it’s unclear how much weight they will place on the data in making decisions about firms’ audit quality. In the planning process, firms can take charge and shape stakeholder use and effectiveness of the use of firm and engagement metrics shared publicly. Action Items for Firms: Engage with the Investor Community : To better understand how investors will use the metrics, firms should engage more actively with the investor community. This could include attending shareholder meetings and investor calls to gain insights into what data investors prioritize when evaluating audit quality. Increase Transparency in Reporting : Firms should be transparent in explaining the context and methodology behind their metrics, helping the clients, audit committees and other stakeholders understand the full context to make informed decisions. Ensure Data Relevance : Firms should ask their clients whether the data currently being reported is sufficient, and whether additional data points might be necessary to better assess audit quality and reliability. 5. Getting Started with QC 1000 and Firm Metrics Key Insights: As firms begin implementing QC 1000 and collecting firm and engagement level metrics , they face the challenge of ensuring their existing systems are capable of tracking and reporting the required data. Many firms may need to redesign or enhance their internal controls to capture the necessary information accurately. Action Items for Firms: Align QC 1000 with Firm and Engagement Level Metrics Reporting : Firms should carefully review QC 1000’s requirements and align them with the firm and engagement level reporting requirements. Focus on the information and communication component, ensuring that data is collected and reported accurately and consistently. Evaluate Current Systems : Firms should assess whether their current systems are capable of tracking metrics such as workload and audit hours. If systems are lacking, firms should plan to either redesign or implement new controls to capture this data accurately. Implement Real-Time Monitoring : Firms should adopt real-time monitoring tools that allow them to proactively manage workload issues and other potential risks. This ensures that data is captured and analyzed continuously, improving overall quality management. Be Agile and Proactive : QC 1000 requires firms to monitor metrics and adapt to emerging issues. Firms should adopt an agile approach to quality management, ensuring that metrics are not just reported at the end of the period but are actively managed throughout the year. Conclusion: Preparing for the Future of Quality Management and Firm Metrics The new QC 1000 and firm and engagement level metrics requirements can represent a significant shift in how accounting firms track, report, and manage audit quality. By adopting these standards, firms can improve transparency, enhance accountability, and demonstrate their commitment to high-quality audits. However, the implementation of these new requirements will require careful planning and investment in both systems and processes. Firms that act now to align their systems with QC 1000, engage with stakeholders, and monitor their metrics in real-time will be better positioned to meet regulatory expectations and enhance their market reputation. As the industry moves towards more data-driven decision-making, firms that prioritize accuracy, transparency, and continuous improvement will be the leaders in delivering quality audits. For more information, please contact your JGA audit quality expert .

Key Takeaways from the 2024 AICPA SEC/PCAOB Conference: What It Means for Your Firm

December 18, 2024

Key Takeaways from the 2024 AICPA SEC/PCAOB Conference: What It Means for Your Firm In December 2024, the AICPA SEC/PCAOB Conference in Washington D.C. brought together leaders from the SEC, FASB, and PCAOB to discuss critical developments in the accounting profession. The conference focused on fostering audit quality, improving the resilience of capital markets, and addressing ethical challenges. Below are the key takeaways from the conference speeches most relevant to you, including insights from Paul Munter, SEC Chief Accountant, Erica Williams, PCAOB Chair, Christina Ho, PCAOB Board Member, and Mark Uyeda, SEC Commissioner, and what these developments mean for the accounting firm clients we serve. 1. Munter’s Remarks on Upholding Independence Key Points: In his speech, Paul Munter, SEC Chief Accountant, emphasized the importance of maintaining auditor independence to preserve market integrity. Munter stressed that independence should be seen as a core professional standard, not just a compliance requirement, and urged auditors to foster a culture of skepticism and integrity. He called on auditors to ensure they challenge management when necessary to detect fraud and ensure accurate financial reporting. What This Means for Firms: The points are reminders to keep independence and objectivity at the forefront of engagement teams, despite the new technical complexities (e.g. PE deals), and general lowering our guard around these obligations: ways to continue to demonstrate this important across the firm system of QC are: 1. Reinforcing independence policies and ensure continuous training and monitoring; 2. Encouraging a skeptical mindset within audit teams to prevent ethical lapses; 3. Ensuring firm-wide commitment to independence, especially in long-term client relationships or where conflicts may arise. 2. PCAOB Chair Williams on Improvements in Deficiency Rates, and new standards Key Points: PCAOB Chair Erica Williams shared significant positive news, highlighting improvements in the aggregate deficiency rate at the largest audit firms. She attributed this progress to the firms’ increased efforts to enhance audit quality, including better risk assessment procedures and heightened transparency in reporting. Williams emphasized the importance of maintaining this momentum in order to build trust and credibility in the profession and the capital markets. Williams also discussed the newly adopted QC 1000 , the quality control standard that mandates firms to have comprehensive quality control systems to ensure that they meet PCAOB and SEC standards. She noted that this standard is designed to provide reasonable assurance that audit firms have the necessary controls in place to perform high-quality audits consistently. Additionally, she emphasized the critical role of the SEC in passing firm engagement metrics , which will help ensure that audit firms are held accountable for the quality of their engagements and provide investors with more detailed insight into firms’ performance. What This Means for Firms: Implement QC 1000 : Firms should begin preparing for the adoption of QC 1000 by reviewing and strengthening their own quality control systems. Ensure that these systems are robust enough to guarantee compliance with PCAOB and SEC standards and can provide reasonable assurance of consistent audit quality. Focus on Firm Engagement Metrics : If the SEC passes firm engagement metrics, firms will need to ensure they have clear, accurate data on their engagements, performance, and quality measures. Preparing now for these metrics will help firms stay ahead of the regulatory curve and demonstrate their commitment to transparency and high-quality audits. Enhance Risk Management and Quality Control : Firms should continue refining their risk-based audit approaches, focusing on stronger internal controls, and implementing transparent reporting practices. Continuous improvement will ensure the firm stays in line with both regulatory expectations and industry best practices. 3. PCAOB Board Member Christina Ho on Collaboration to Advance Audit Quality and Market Resiliency Key Points: In her speech, Christina Ho, Board Member of the PCAOB, stressed the need for genuine collaboration among regulators, auditors, and firms to advance audit quality and improve the resiliency of capital markets. This collaboration is essential to address emerging challenges, such as increasing regulatory expectations and the complexities of global markets. Ho highlighted that this collective effort is crucial to maintaining strong, transparent financial reporting and ensuring that audits remain effective and reliable, particularly as financial markets evolve. What This Means for Firms: Engage with regulators : Actively participate in consultations and industry forums to stay ahead of regulatory trends. Foster collaboration : Encourage open communication between audit teams, clients, and audit committees to ensure alignment on regulatory expectations. Adapt to global market changes : Firms must remain agile and ready to respond to the shifting dynamics of both domestic and international markets, ensuring that their audit processes remain resilient and effective. 4. SEC Commissioner Mark Uyeda on Crypto, and PCAOB’s Future Key Points: In his keynote, SEC Commissioner Mark Uyeda discussed the SEC's evolving role in the accounting and auditing of cryptocurrencies, noting that crypto is currently being accounted for and audited through enforcement activities. He stressed the need for greater clarity in crypto accounting and auditing standards. Uyeda also discussed the future of the PCAOB, stating that "all options are on the table." What This Means for firms: Crypto Accounting and Auditing : Firms need to stay abreast of emerging standards and enforcement actions in crypto accounting. As regulations evolve, firms must be prepared to adapt their auditing and reporting practices accordingly. Take a look at positions from other regulators or standard setters (e.g. CPAB), to inform what sufficient procedures looks like. PCAOB’s Future : The potential restructuring of the PCAOB may affect how audits are overseen in the future. Firms should monitor developments closely and assess the impact on their operations and regulatory compliance, and firm strategy. 5. Ethical Considerations and Audit Quality Throughout the conference, both SEC and PCAOB leaders emphasized the need for ethical leadership in the accounting profession. Lapses in ethics, whether intentional or inadvertent, can severely undermine trust in auditors and in financial markets. The speeches underscored the responsibility of firm leaders to uphold high ethical standards and ensure that these values are embedded in their teams’ daily practices. What This Means for Firms: Promote ethical leadership across all levels of the firm, ensuring that ethical considerations are integrated into every stage of the audit process. Invest in ongoing ethics training to reinforce the importance of upholding integrity and objectivity. Implement early detection mechanisms for identifying potential ethical lapses, ensuring timely corrective action. Conclusion: Positioning Your Firm for Success The 2024 AICPA SEC/PCAOB Conference provided crucial insights into the current and future landscape of the accounting profession. By focusing on audit quality, independence, collaboration, and ethical leadership, firms can not only meet regulatory requirements but also strengthen their reputations as trusted professionals in the marketplace. For JGA’s clients, the key takeaway is that maintaining robust quality control systems, engaging in ongoing dialogue with regulators, and staying ahead of emerging trends such as crypto accounting are critical strategies for ensuring continued success in a dynamic regulatory environment. For more information, reach out to your JGA audit quality expert.

Johnson Global Advisory Establishes Strategic Leadership Council and Appoints Three Council Members

November 26, 2024

WASHINGTON, D.C., November 26, 2024 - Johnson Global Advisory (JGA) is announcing the formation of its Strategic Leadership Council (SLC) , an initiative aimed at bolstering the firm's strategic direction and reinforcing its commitment to industry-leading advisory services. The Council, composed of executives from diverse sectors within the audit quality stakeholder ecosystem, will provide insights into the JGA leadership on industry trends, strategic decision-making, and growth opportunities. Kathleen M. Hamm, Greg Jonas, and Dave Sullivan are the first appointees to the SLC. Kathleen M. Hamm has an extensive background in financial regulation, control infrastructures, and risk management, particularly relating to fintech and cybersecurity. Her previous role as a Board Member of the Public Company Accounting Oversight Board (PCAOB) highlights her leadership in regulatory transformation and strategic policy development. "Joining JGA’s Strategic Leadership Council allows me to leverage my experience to further the Firm's mission in these transformative times," remarked Hamm. Greg Jonas is an independent consultant on auditing and business reporting matters. He served as Director of the Division of Research and Analysis at the PCAOB from 2012-2016. In addition to roles as a financial analyst at Morgan Stanley and Moody’s Investors Service, Greg spent 23 years at Arthur Andersen, serving in various roles supporting its global audit practice. “JGA serves a vital role in improving audit quality for the benefit of auditing firms and investors. I look forward to contributing to the firm’s success.” Dave Sullivan, a seasoned executive known for his strategic insight in audit quality and risk management, has over 35 years of experience from Deloitte. His leadership in global audit quality initiatives make him a pivotal addition to the council. "I look forward to collaborating with my fellow council members to propel JGA to new heights," stated Sullivan. The SLC will meet quarterly, advising JGA’s leadership team on critical business opportunities and challenges, ensuring the Firm remains at the forefront of industry innovation and strategic excellence. The first meeting of the SLC was held on Friday November 1, 2024, at JGA's Washington D.C. office. “I am proud to welcome Kathleen, Greg, and Dave to our new Strategic Leadership Council,” said Jackson Johnson, JGA President and Founding Shareholder. “Their collective expertise will be instrumental in guiding our strategic initiatives and ensuring that JGA continues to set high standards our clients expect in this sector.” About Johnson Global Advisory JGA partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB staff, JGA professionals are enthusiastic and practical in their support to firms in their audit quality journey. We accelerate opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide.