Revisiting Risk Assessment Under SAS 145 Part I: Identifying Significant Risks
In January of 2022, we wrote about the fact that given some of the newly issued AICPA guidance, the differences between AICPA and PCAOB audits is increasingly diminishing. Although not convergent, there is a move within the audit industry to increase alignment. This is true within the US as well as at a more global level. Is it coincidence that AU-C 315, CAS 315, and ISA 315 all have the same number and all deal with risk assessment? As a follow-up to our previous article, we are going to explore two key elements of the new SAS 145 guidance. In this first article, we are exploring some of the renewed focus on risk assessment. In a second article, we will explore the new requirements around understanding the design and implementation of controls with a focus on further developing our knowledge of information systems and the risks they present in an audit.
In working with engagement teams, we get our fair share of consultations asking to brainstorm how to audit a specific account or transaction. Typically, the first question is, “what is the overall risk of material misstatement?” After all, doesn’t everything begin with risk assessment?
While we may all acknowledge this reality, so often, teams consider the nature of the procedures performed to determine whether something is a significant risk. And we get it. Until the new AICPA standards were released, specifically SAS 145, the previous guidance defined a significant risk as follows:
“An identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration.”
In other words, a significant risk was determined based on the necessity for special audit consideration. In all fairness, the guidance in AU-C 315 does also provide additional considerations in paragraphs 28 and 29 regarding significant risks. All that changed however with the new SAS 145 which now defines a significant risk as:
An identified risk of material misstatement
i. for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur, or
ii. that is to be treated as a significant risk in accordance with the requirements of other AU-C sections. (i.e., fraud risks)
The new definition is still a bit “convoluted” but at least it is pointing engagement teams to the inherent risk factors as opposed to the procedures performed1.
Okay, so we have improved the definition of significant risks, but what is the big deal? The issue we are seeing in the industry is a failure of engagement teams to properly identify and document risk assessment and specifically, significant risks. Increasingly, when we support our clients on PCAOB inspections and firm’s counsel as an expert in enforcement investigations, we see the regulators challenge engagement teams on their identification of significant risks. What inspection and enforcement staff are getting at is: if the risk assessment is wrong, the audit approach is also inherently wrong.
Assessing the Overall Risk of Material Misstatement
As part of planning an audit, engagement teams develop an understanding of the entity through inquiries with management, reading press releases and interim financial statements, and performing preliminary analytics, among other procedures. Don’t forget that in the new SAS 145 guidance, teams are required to obtain an understanding of the design and implementation of internal controls. This new requirement, which has been the expectation under PCAOB standards, is required regardless of whether the team plans to rely on controls; this is a foundational part of understanding the entity. From this knowledge, teams can begin to understand the likely sources of potential misstatement which enables teams to perform a complete and robust risk assessment. Based on that understanding of the entity and the financial statements, the engagement team performs its risk assessment with the overall risk of material misstatement being predicated on the separate evaluation of inherent risk and control risk.
Inherent risk is the susceptibility of an assertion (linked to a class of transactions, an account balance, or a footnote) to misstatement that could be material, either individually or when aggregated with other misstatements before consideration of controls. The key here is to ignore controls. AICPA and PCAOB guidance provide examples of risk factors including nature and size of the account/class of transactions, volume of transactions, complexity, homogeneity, exposure to losses within an account, degree of uncertainty and subjectivity in estimates, changes from prior periods related to accounting / disclosure, related party considerations, susceptibility to misstatement due to error or fraud, as well as susceptibility to management bias and judgement. Though not exhaustive, you get the point. Inherent risk is based on the nature of the account itself.
Control risk is the risk that a misstatement could occur that could be material, either individually or when aggregated with other misstatements, will not be prevented or detected on a timely basis by the entity’s system of internal control. This part of risk assessment is simpler; to reduce high control risk, engagement teams must test the operating effectiveness of controls. In other words, is the engagement team relying on controls or not?
Based on inherent risk and control risk, the engagement team then considers the overall risk of material misstatement. The specific identification of significant risks varies from firm to firm. Some methodologies build in the identification of significant and/or fraud risks into the inherent risk assessment and some have a separate consideration. There is no right or wrong way here, but the point is to be sure that the risk assessment incorporates clear documentation around significant and fraud risk identification. When identifying significant risks, the literature places a huge emphasis on related party transactions, complex accounting, estimates (given the subjectivity, uncertainty), as well as significant unusual transactions. These items are not automatically default significant risks, but they have a much higher likelihood of being a significant risk (depending on materiality). Keep in mind that just because an account is immaterial does not inherently mean there is no risk of material misstatement; this is where understanding the nature of the account or the qualitative nature of a disclosure is important. For instance, an immaterial allowance for doubtful accounts does not mean there is no risk of material misstatement. As a reserve account, the engagement team needs to consider the risk of understatement when concluding on magnitude and whether an account poses a risk of material misstatement. The same can be said for qualitative disclosures. Materiality is not purely a quantitative consideration.
Nature, Timing, Extent of Audit Procedures
Once risk assessment is completed, the next step is to then design the nature, timing, and extent (or NTE) of the audit response.
The nature of the audit approach can be broken down into various considerations:
- Control test vs. substantive test
- Within control testing, the nature of the test, such as inquiry, observation, inspection or reperformance
- Within substantive testing, the use of analytical procedure vs. tests of details
- For both controls and substantive testing, consideration around the use of work of others and review considerations such as reliance vs. reperformance
Timing is a function of when is the testing being performed (i.e., interim vs. year-end test work) and what balance is being tested (i.e. an interim balance or the year-end balance). Generally, the higher the risk, the more we expect testing performed at year-end (i.e., with the most up to date information) and/or testing performed over year-end balances. Interim testing can certainly be useful, such as testing predictable, often low-risk prepaid balances. However, for a significant accounting estimate (i.e., a significant risk), testing the Q2 balance may not be the best approach as it would require extensive roll-forward procedures to ensure the year-end estimate is also materially correct.
Finally, the extent is the amount of test work being performed. This is most often evidenced in the sample sizes used for controls and/or substantive tests of details. However, the extent could also be found in the mix of procedures performed. For instance, while a test of detail may cover the risk related to an assertion, engagement teams may also perform analytical procedures to obtain additional comfort, adding to the extent of testing.
There is nothing terribly new here. Engagement teams build out the audit plan based on overall risk assessment. And that is the key: risk assessment is so critical because it is the starting point for designing the appropriate mix of procedures. If the risk assessment is inaccurate and/or not thoroughly documented, how can anyone conclude on the appropriateness of the audit procedures to address the risk?
Easy as this concept may be, often when we take a step back and compare the audit approach for a significant risk vs. a normal / minimal risk, in theory, the audit approach should look different. And yet, we have often seen engagement teams use a judgmental sample of five to test a low-risk account and then also use a judgmental sample of five to test a moderate or high-risk account. How does this evidence any change in NTE? The theory and concepts are not hard; it is the application of the concepts and ensuring the audit approach adequately takes risk assessment into account that is difficult.
Documentation
After talking through risk assessment in a consultation, the next question is typically “where is this documented?” Often teams have the risk assessment documented in planning, but when we look at the list of significant risks communicated to the audit committee, it does not reconcile with the planning documentation. Or, when we compare the list of significant risks in the CAM evaluation tool, again, it does not reconcile. Primarily, the risk assessment needs to be consistent throughout the audit file. Second, the risk assessment needs to be thoroughly documented. While nothing in the auditing standards requires teams to document why something is not a significant risk, if there is any question and/or professional judgment applied, that needs to be captured in the documentation. If any of the significant risk factors (AU-C 315.29 or AS 2110.70-71) are present, then engagement teams should either a) identify a significant risk or b) document why those risk factors do not represent a significant risk.
What we are seeing is that absent documentation evidencing the engagement teams’ considerations and professional judgment, the PCAOB is challenging the identification of significant risks. In other words, if there is a material account that has complex, subjective assumptions or if there is a material significant unusual transaction and the engagement team did not identify a significant risk and did not document its considerations, then the PCAOB is challenging the evaluation. So, be consistent with the risks identified and be clear in the documentation in your audit file.
Common and Potential Pitfalls
Two common pitfalls we see, aside from the inconsistency of risk identification within an audit file, include:
- Forgetting about management override of controls: Most know that revenue has a presumptive fraud risk (and thus is a significant risk, by definition). However, often teams forget to document the presumptive risk of management override of controls. This risk exists, regardless of whether the engagement team is testing the operating effectiveness of controls. Journal entry testing, as required under AS 2401, is one procedure to address the risk of management override of controls, so teams often claim “it’s inherently considered a risk because we did JE testing” but this does not really demonstrate to the PCAOB how the engagement team considered the entity-specific risk of management override of controls and designed appropriate procedures to address the specific risk.
- Performing a thorough evaluation and review of significant risks: While the PCAOB often challenges the under-identification of risks, I have also seen repeatedly where teams will document a significant risk and then, when the audit approach is questioned during an inspection, the engagement team will provide a list of reasons why the audit approach was sufficient. Those reasons are typically linked to inherent risk factors that support why the risk is low. In other words, the engagement team identified a significant risk during planning, but now, when being forced to defend the audit approach, the engagement team is presenting an argument that the risk is in fact low and not significant. Why was it identified as a significant risk at the time of the audit then? Most of the time, I agree with the engagement teams, but that means the risk assessment was not correctly documented during the audit and/or the risk factors changed during the audit, but the team did not revisit risk assessment.
Two potential pitfalls we could see relate to the following:
- The new guidance from SAS 145 defines a significant risk as a risk that is “close to the upper end of the spectrum of inherent risk due…” While conceptually easy to understand, firms will need to make it clear to engagement teams what constitutes a significant risk and how to interpret this new definition. Does this mean all higher inherent risks are considered significant risks? What are the factors to be considered in delineating between higher risk accounts and significant risk accounts? Or perhaps firms will need to revisit methodologies and recalibrate the inherent risk scale to allow for more precise delineation so that all higher inherent risks are not automatically defaulted to significant risks.
- SAS 145 also includes a requirement to perform a “stand-back” analysis to ensure the completeness of the engagement team’s identification of significant classes of transactions and significant accounts. In other words, after performing the risk assessment, the engagement team needs to stand back and evaluate the potential risk of material misstatement for all classes of transactions and accounts that were not previously in scope. Is there a risk of material misstatement in aggregate? What assertions?
The point is not to go overboard and identify 20 significant risks. We have challenged teams on over-identification as well as under-identification. The point is to be thorough and complete and to capture the relevant judgments that go into performing risk assessment. Also, if the documentation incorporates the relevant risk factors and the engagement teams’ judgments around those risk factors, then the documentation should speak for itself. That is the goal.
Key Takeaways
- Remember to separately consider inherent risk and control risk.
- For significant, unusual transactions, complex accounting matters, and/or subjective accounting estimates, unless the amounts are obviously immaterial, consider documenting the professional judgment around why something is or is NOT a significant risk.
- Once significant and/or fraud risks have been identified, be sure the nature, timing, and extent of audit procedures are appropriately modified to address the specific risk.
- Document all professional judgment applied (and considered) when evaluating risk assessment.
- Risk assessment is an iterative process, so be sure to continue to update risks (as merited) throughout the audit and be sure risk assessment is consistent throughout all documentation within the audit workpapers, including audit committee communications.
The PCAOB’s Technology Innovation Alliance (TIA) Working Group released a report on using AI, data analytics, and digital signatures to improve audit quality and investor protection. It recommends standardizing documentation, adopting responsible AI, and fostering innovation. Joe Lynch , JGA Managing Director, contributed insights as a stakeholder in the TIA roundtables and panels.
Learn how to build your firm’s quality management system on time with actionable insights from Joe Lynch , Managing Director at JGA, as featured in the Journal of Accountancy . This article outlines eight strategic steps to ensure effective and timely implementation of quality management practices for your business.
If you feel like you’ve read this story before, you’re not alone. For the third year in a row, the PCAOB’s annual report on broker-dealer audits paints a familiar picture: high deficiency rates, recurring issues in revenue testing, and quality control systems that continue to fall short. The 2024 report marks more than a decade of inspections under the interim program - and yet, many of the same red flags remain. At JGA , we’ve tracked and provided our insights on these annual reports closely for the last several years¹. While we always take the PCAOB’s findings seriously, we also know that behind every statistic is a firm doing its best to navigate complex standards, resource constraints, and evolving expectations. That’s why Jackson Johnson , JGA President & Founding Shareholder, sat down with Tanieke Samuel , JGA Director, to unpack this year’s latest BD report - not just to highlight some noteworthy findings, but to translate them into practical guidance for firms working hard to get it right. Revenue Testing: A Familiar Story with New Implications Jackson Johnson (JJ) : The PCAOB flagged revenue testing as a recurring issue again this year - 48% of audits had deficiencies in this area. That’s consistent with 2023, but still a big jump from 34% in 2022. And the deficiencies weren’t limited to one revenue stream - they spanned commissions, advisory fees, 12b-1 fees, and more. Why do you think this continues to be such a challenge? Tanieke Samuel (TS) : ASC 606 isn’t new. The PCAOB isn’t moving the goalposts. What we’re seeing is that firms are still struggling to test revenue accurately - across all sources. In many cases, they’re not getting a solid understanding of how revenue is generated, and that’s where the breakdown starts. Whether it’s commissions, trailing fees, or advisory income, you have to understand the components and tailor your testing accordingly. And don’t overlook presentation and disclosure - if you’re lumping everything under ‘commissions’ without disaggregating or explaining the sources, that’s a red flag. Audit Committee Communications: A Missed Opportunity JJ : One of the more surprising findings this year was the uptick in deficiencies related to audit committee communications. The PCAOB cited failures to communicate the overall audit strategy, use of specialists, significant risks like related parties, and even uncorrected misstatements. These seem like foundational elements. What’s going wrong? TS : These aren’t gray areas. The standards are clear. But I think some firms are treating these communications as a formality - just rolling forward last year’s template. That’s risky. Audit committee communications should be a strategic touchpoint. You need to clearly explain your audit strategy, surface the right risks, and give the committee what they need to fulfill their oversight role. If you’re using specialists or identifying related party risks, those need to be part of the conversation - not an afterthought. JJ : This reminds me of recent Actionable Insights we issued earlier this year , where we encouraged firms to move beyond the standard AS 1301 checklist and use the PCAOB’s Spotlight as a conversation starter. Audit committees want more than compliance - they want clarity, prioritization, and meaningful dialogue. When firms treat these communications as a strategic opportunity, they not only meet the standard - they build trust and demonstrate value. Agree? TS : Absolutely. I’ve seen audit committees respond really well when firms take the time to prepare thoughtfully - bringing key issues to the forefront, previewing the discussion in advance, and even holding deep dives on emerging topics. It’s not just about what you say - it’s about how you engage. That’s what makes the difference. Journal Entry Testing: Still a Blind Spot JJ : Journal entry testing continues to be a pain point. The PCAOB noted that firms often fail to test the completeness of the population or apply meaningful fraud risk criteria. In some cases, teams just scan the listing and move on. Why is this still happening? TS : Some firms think that because they’ve tested certain entries substantively elsewhere, they don’t need to do more. But that misses the point of journal entry testing as a fraud detection tool. You have to start by asking: What fraud risks are relevant to this client? Then design your testing around those risks. Don’t just look for a keyword - think about what would actually raise a red flag in this environment. And document your rationale. That’s what separates a thoughtful procedure from a perfunctory one. JJ : Are you seeing this as a broker-dealer-specific issue, or is it just as prevalent in issuer audits? TS : It’s definitely broader. JJ : Across issuers and BD inspections, we’ve seen comment forms where teams selected journal entries based on high-dollar thresholds or year-end timing but didn’t tie those selections back to the fraud risk discussion. In one case, the team documented their criteria but didn’t evaluate whether the entries actually addressed the override risk they had identified. In another, the team selected entries from a non-representative population and didn’t test completeness. What specifically in BD-only firms are you seeing? TS : In BD-only firms, especially smaller ones, the journal entry population might be smaller, which can give a false sense of simplicity. That can lead to shortcuts - like scanning instead of testing. In issuer audits, the volume and complexity might be higher, but the same root issue shows up: teams not linking their procedures back to the fraud risk assessment. Whether it’s a BD or an issuer, the key is to critically evaluate your criteria and make sure your testing is responsive to the risks you’ve identified. QC 1000: Turning Insight Into Action JJ : With QC 1000 going into effect at the end of the year, firms have a real opportunity to use the PCAOB’s findings as a risk assessment tool. But it’s not just about checking a compliance box - it’s about using these findings to inform a more thoughtful, iterative approach to quality. For example, we’ve emphasized the importance of root cause analysis (RCA) as a foundation for risk assessment. TS : Exactly. I emphasize to clients that RCA helps firms move beyond surface-level fixes and identify systemic issues that may be contributing to recurring deficiencies. When firms use PCAOB findings as inputs into their RCA process, they’re not just reacting - they’re proactively identifying where their system might be vulnerable. RCA helps connect the dots between what went wrong and why it happened, which is essential for designing controls that actually work. It’s not just about fixing the symptom - it’s about addressing the underlying condition. JJ : As firms read this report and try to make sense of how to incorporate it into their QC 1000 implementation, how should they approach this? TS : I would say incorporating the observations from this report and reflecting the applicability to your own practice is the concept of continuous improvement. This is a foundational concept of QC 1000. Implementation is about more than policies - it’s about culture . It’s about how you learn from what’s happening in the field and apply it to how you manage risk across the firm. When risk assessment becomes a living process - not a one-time exercise - firms are better positioned to adapt, improve, and ultimately deliver higher-quality audits. That’s the mindset shift we’re encouraging. ¹See our Actionable Insights on the PCAOB’s annual broker-dealer inspection reports from each year by entering “broker-dealer” on the search bar of the JGA Advisor page on our website. At Johnson Global Advisory, we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®. For more information, reach out to your JGA audit quality expert .
Introduction In today’s regulatory climate, audit firms must take a fresh look at how they evaluate engagement acceptance and client continuance. The stakes have never been higher. With the PCAOB’s newly adopted QC 1000 standard and the AICPA’s SQMS 1 framework now in effect , firms are expected to demonstrate a more rigorous, risk-based approach to quality control—starting with the very first decision: "Should we take this engagement?" The PCAOB recently released a new Audit Focus: Engagement Acceptance on this topic (Audit Focus). At the same time, we’ve been speaking, writing, and helping firms improve their process in this area. On the steps of PCAOB’s recent and timely guidance, this article explores the evolving risk landscape and offers practical guidance for firms to strengthen their engagement acceptance protocols in line with new regulatory expectations and JGA’s quality management insights. The New Risk Landscape: What QC 1000 and SQMS 1 Require The PCAOB’s QC 1000 standard introduces a scalable, risk-based framework that applies to all firms performing PCAOB engagements. It emphasizes that engagement acceptance is not just a procedural checkpoint, it’s a critical quality control decision that must reflect the firm’s risk profile, independence safeguards, and capacity to deliver a high-quality audit. Key risks highlighted in QC 1000 include: Independence and ethics violations: Firms must have systems to identify and escalate potential conflicts, including automated tracking of financial interests. Monitoring of in-process engagements: Firms are expected to assess quality risks before and during engagements, not just after the fact. Scalability and oversight: Larger firms face enhanced requirements, including external oversight and formal complaint tracking mechanisms. Similarly, SQMS 1 requires firms to design and implement a system of quality management that includes robust procedures for engagement acceptance and continuance. These procedures must consider: integrity and reputation of the client firm competence and resources ethical and legal requirements, and risks to audit quality and compliance. Issues arising from poor or inconsistent client or engagement acceptance policies and procedures isn’t new, but is being looked at in new ways by firms and their regulators with the: decrease in public company auditors qualified or going to market on conducting public company audits increasing number of firms that have been stripped of their privilege to conduct public company audits, and movement of companies to different auditors (think BF Borgers as the most egregious example, but your typical attrition in the most common case). The PCAOB, AICPA, and other regulators around the world, will take these business risks and apply them in a new lens in their inspection, peer review, and enforcement processes as they look at how firms have identified and addressed risks when implementing their QC system when it comes to client acceptance. Improving Communications: Predecessor Auditors & Audit Committees Recent PCAOB inspection findings and the Audit Focus document emphasize that engagement acceptance decisions are under increasing scrutiny. Deficiencies in areas like AS 1301 (Communications with Audit Committees) and AS 2610 (Successor Auditor Communications) often stem from weak or incomplete risk assessments at the outset of the engagement. Firms must be prepared to engage in transparent, candid conversations with audit committees, especially when the going gets tough. Whether it’s disclosing an unanticipated CAM , identifying a material weakness in internal control , or explaining a shift in audit scope, the ability to communicate openly and credibly is a hallmark of audit quality. Similarly, in our article on audit committees , we emphasized that audit committees are becoming more sophisticated and assertive. They expect auditors to be proactive, risk-aware, and ready to explain their judgments—not just their procedures. The Audit Focus does a great job of asking questions for firms to consider in assessing the quality of both management and the AC. As part of your engagement acceptance process, assess not only the technical risks of the engagement, but also the firm’s ability to maintain transparency and trust with the audit committee. Ask: Will we be able to have frank conversations with this client’s governance team? Are we prepared to deliver difficult messages if needed? Do we have the right people and protocols in place to support those conversations Internal Inspections: Engagement Acceptance as a Root Cause The Audit Focus also highlights how engagement acceptance decisions can directly impact audit quality and inspection outcomes. We encourage firms to examine their internal inspection programs to see how/whether outcomes can inform or rise to potential root causes targeting the firm’s engagement/client acceptance process. For example, a risk-based selection for the annual internal inspection process should include certain jobs tied specifically to new client and new engagements:
Introduction As explored in previous JGA Advisor articles, the implementation of quality management standards such as ISQM 1, SQMS 1, and QC 1000 has reshaped how audit firms approach compliance, risk, and continuous improvement. These standards demand a proactive, risk-based, and firm-wide system of quality management (SoQM) that is both scalable and adaptable to local jurisdictions. We have seen through our work with firms that a tech solution is just part of the equation. Of course, having the right human capital with the capacity, drive, skills, and leadership to influence implementation across so many functions of the firm is critical. Also, understanding a baseline of risks and controls – beyond the minimum explained in the standards – will go a long way for smoother implementation. We recommend taking a look at the AICPA Practice Aid and many other AICPA resources for firms embarking on their implementation journey. While the standards themselves are rigorous, the complexity of implementation—especially across multiple jurisdictions—has led many firms to look to ways to document their system with reliable workflows in a database or other system. What we have seen is that – at a minimum – an excel solution, especially coupled with other tools like smart sheets, is the easiest entry point for a tech solution for implementation. Other more advanced tools not only streamline compliance but also enhance documentation, accountability, and real-time monitoring. In this article, we explore how three platforms—Inflo, Caseware, and QMCore—are helping firms meet these challenges and elevate their quality management systems. Why Software Matters for Quality Management Successfully implementing a SoQM under ISQM 1, SQMS 1, QC 1000, or other jurisdictional standards requires more than policies and procedures—it requires leadership, training, communication, and a culture of quality. But most importantly, it requires technology. Software platforms like QMCore, Inflo, and Caseware offer firms the ability to: Assign and track ownership of quality tasks across the firm, ensuring accountability, and transparency. Streamline risk assessment, monitoring, and remediation, which are core to all modern quality management standards. Provide real-time reporting and dashboards that allow leadership to monitor compliance and identify deficiencies early. Adapt to evolving regulatory requirements across jurisdictions, including CSQM 1 (Canada), SSQM 1 (Singapore), ASQM 1 (Australia), and PES 3 (South Africa). Educate and enable staff through embedded guidance, links to standards, and intuitive workflows. For firms evaluating whether to adopt software, the key considerations should include: scalability, jurisdictional adaptability, ease of implementation, audit trail integrity, and the ability to evolve with regulatory changes. We strongly suggest taking a look at our previous guidance on adoption of software audit tools as well. There are other applications being developed for the market as well. Inflo: A Centralized Platform for Quality Management Oversight Inflo’s Quality Management solution is designed to help firms implement and maintain a System of Quality Management (SoQM) that aligns with ISQM 1 and other global standards. Unlike traditional tools that focus solely on audit execution, Inflo’s platform provides a centralized environment for managing the entire quality lifecycle—from risk assessment to monitoring and remediation. Key Features of Inflo’s Quality Management Platform: Centralized Oversight: Inflo consolidates all quality management activities into a single platform, giving firm leadership real-time visibility into the status of quality objectives, risks, and responses. Customizable Risk Assessment: Firms can tailor their risk identification and assessment processes to reflect their unique service lines, geographies, and regulatory environments. Automated Monitoring & Remediation: Inflo streamlines the tracking of deficiencies and corrective actions, ensuring that issues are addressed promptly and transparently. Evidence of Compliance: The platform maintains a complete audit trail of all quality management activities, supporting both internal reviews and external inspections. Scalable Across Jurisdictions: Inflo’s solution is adaptable to various regulatory frameworks, making it suitable for firms operating in multiple countries or under different standard-setting bodies. By integrating quality management into a digital workflow, Inflo helps firms move beyond static documentation and toward a dynamic, data-driven approach to compliance and continuous improvement. Caseware: Integrated Methodology and Real-Time Collaboration Caseware’s cloud-based platform, particularly through its Dynamic Audit Solution (DAS), offers a comprehensive approach to quality management. Built in collaboration with CPA.com and the AICPA, Caseware provides: End-to-End Audit Workflow: Integrating methodology, workpapers, and execution tools in a single environment. Real-Time Collaboration: Enabling teams to work simultaneously on engagements, improving efficiency and reducing version control issues. Data-Driven Risk Assessment: Supporting a risk-focused audit approach aligned with ISQM 1 and SQMS 1. Caseware is especially effective for firms embedding quality management into daily audit operations while maintaining compliance with evolving standards. QMCore (FinReg): Purpose-Built for Global Quality Management Standards QMCore, developed by FinReg, is a purpose-built platform designed to help firms implement and maintain a System of Quality Management (SoQM) in compliance with ISQM 1, SQMS 1, QC 1000, and their global counterparts. It is powered by the FinReg GRC platform and has received technology accreditation from the ICAEW. Key Benefits of QMCore: Comprehensive Coverage: Seamlessly integrates all eight components of ISQM 1 and SQMS 1, including governance, risk assessment, monitoring, and remediation Task Ownership and Accountability: Allows firms to assign responsibilities clearly and track progress with ease Monitoring & Remediation: Embedded tools provide high visibility into deficiencies and corrective actions, with real-time dashboards and drill-down analytics Jurisdictional Flexibility: Adaptable to regional standards such as CSQM 1, SSQM 1, ASQM 1, and PES 3 Audit Trail Integrity: Tracks all inputs and changes, ensuring transparency and defensibility; and User Enablement: Educates staff on the standards, enables them to act, and evidences compliance through structured workflows and embedded guidance. QMCore is securely hosted on AWS and accessed via the internet, making it easy to implement and scale across firms of varying sizes and geographies. Conclusion The shift to modern quality management standards is not just a compliance exercise—it’s an opportunity to enhance audit quality, improve operational efficiency, and build a culture of continuous improvement. Software platforms like Inflo, Caseware, and QMCore are proving essential in helping firms navigate this transformation. Other players may be entering the market, and we encourage a discussion to understand the latest and compare benefits and what’s best for your firm. At Johnson Global Advisory, we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®. For more information, please contact your JGA audit quality expert .
This is an exert of the AI Accounting Playbook . Building Trust in AI Accounting As accounting firms adopt AI tools in audits, they face new questions about reliability, transparency, and compliance. Regulators like the PCAOB have made clear that if AI outputs can’t be explained or reproduced, they could violate existing standards. Yet formal guidance on AI use in audits remains limited, leaving firms unsure about how to move forward. Some firms have responded by limiting AI to non-public clients, but this caution also presents a chance to lead. Firms that build strong AI governance practices now can stay ahead of future regulation and establish trust in their use of AI. This chapter covers key compliance barriers, governance best practices, and steps to create a trusted control environment. Key Compliance Barriers Accountants face several key compliance barriers when using AI, particularly as regulators such as the PCAOB, AICPA, and SEC increase their scrutiny. Explainability One major challenge is explainability. Many AI models, especially machine learning and generative AI, don’t clearly show how they reach conclusions. This is a problem for auditors who need to support their findings. This lack of clarity makes it harder to meet audit evidence requirements, which must be sufficient, appropriate, and easy to understand, as outlined in PCAOB standard AS 1105. Poor Documentation Poor documentation is another major issue. This includes inadequate records of data inputs and outputs, training data, model logic, and controls over changes. Such deficiencies may violate documentation and risk assessment requirements, as seen when audit teams use AI for journal entry testing without documenting the rationale for flagged entries or threshold settings. Data Privacy Data privacy becomes a concern as firms use AI to handle large amounts of sensitive financial and personal information. This can lead to violations of laws like GDPR and CCPA, especially when client data is processed in cloud or third-party systems. Firms often struggle to maintain consistent policies for data classification, encryption, and access. Auditor independence may also be at risk if AI tools are built by a firm’s advisory armor are deeply integrated with a client’s systems. For instance, if both the firm and client use the same predictive AI tool for forecasting, it could lead to a self-review threat. AI Skills Gap A skills gap and overreliance on AI further complicate compliance. Many auditors lack the training needed to critically evaluate AI outputs or to recognize when human judgment should override algorithmic conclusions. This can lead to audit failures, such as misinterpreting a false negative from an AI-driven risk assessment as a clean result. Validation and Testing Testing and validating AI tools is another challenge, especially for tools that keep learning over time. Firms need to test tools when they’re first used and then on a regular basis, just like they do when relying on third-party service providers. But this is hard to do if the AI vendor doesn’t offer enough detail about how the tool works or the controls in place. Change Management Managing updates and changes to AI models is a concern. If a tool is updated or retrained without documentation, it can lead to inconsistent results. For example, a model may flag different transactions in different quarters without any clear reason why. Many firms also lack a formal AI governance plan tied to their quality management systems, which causes inconsistent control practices and unclear responsibilities. Lack of Guidance Regulators have been slow to issue formal guidance on how AI should be integrated into the audit process, leaving many firms in a state of uncertainty. The good news is that momentum is building. PCAOB Board Member Christina Ho has publicly emphasized the transformative potential of AI in auditing, particularly in automating routine tasks such as cross-referencing data, extracting key contract terms, and documenting interviews. She has advocated for the PCAOB to evolve its standards to promote responsible AI use, calling for transparency, bias mitigation, and auditability in AI tools. Similarly, the International Auditing and Assurance Standards Board (IAASB) has demonstrated its commitment to supporting firms by releasing its Technology Position, which is a strategic framework that outlines how the board will adapt auditing standards to align with emerging technologies, including AI. Until these guardrails are firmly in place, firms should proactively develop internal AI frameworks modeled on established control standards. COBIT can support firms in assessing and governing AI systems, including data and system integrity. COSO can be applied to evaluate AI governance, model risk, and internal control implications, particularly when AI impacts financial reporting or ICFR. NIST provides guidance to help firms build trustworthy AI systems and establish appropriate cyber security and governance protocols. Best Practices for Governance To use AI confidently and compliantly in accounting, especially in regulated environments like audit and assurance, firms should implement strong governance practices that align with both regulatory expectations and ethical standards. 1. Test AI Internally Before Use In Engagements Before you bring AI into your audits, you’ll need to put it through its paces. The starting point is an internal review and certification process, ideally led by your firm’s risk or national office. They should evaluate the AI tool’s design, logic, and controls, and may require your vendor to share documentation, control reports, and allow independent testing. A great way to do this is by running the AI on historical data from past audits with known results. That helps confirm whether the AI delivers the same conclusions auditors already reached. Scenario analysis is another smart move. Challenge the AI with tricky edge cases like known fraud or anomalies. This can expose blind spots or bias in the model. Be sure to maintain a complete audit trail of how the tool was tested and what controls were in place. If any issues pop up during testing, document and resolve them. And before you roll it out firm-wide, get an independent review of the tool. Think of it like a second set of eyes, similar to a concurring partner review. Only once your firm is fully confident in the tool should it be used in your accounting processes. 2. Develop AI Governance Policies Strong policies lay the foundation for responsible AI use. These should outline your standards for data inputs, risk reviews, decision-making responsibilities, and transparency. Deloitte recommends a universal governance policy that applies to all AI technologies across the firm. This policy should define acceptable (and prohibited) use cases, require approval for new AI tools, and establish review intervals. Ethical usage also needs to be a priority. That means clear guidelines around privacy, bias, and legal compliance — with transparency as a core value. Internally and externally, stakeholders should understand when and how AI is being used in order to build trust in AI usage. To oversee this, consider forming a dedicated AI GRC (Governance, Risk, Compliance) team. Roles might include a Chief AI Risk Officer, Data Protection Manager, AI Project Manager, and an AI Governance Committee. Need help building your framework? Look to proven models like NIST AI RMF and ISO 42001. COSO’s recent guide Realize the Full Potential of AI shows how to extend COSO’s ERM framework to AI, and it’s a great place to start. 3. Implement Data Quality Controls AI tools are only as reliable as the data they process. The old adage “garbage in, garbage out” underscores the importance of data quality in AI-driven accounting. To minimize the risk of inaccurate or biased AI outputs, firms should implement data validation, cleansing, and standardization processes. High-quality data improves AI performance and supports more reliable audit conclusions. Protecting sensitive data is also crucial. Firms should limit access to confidential information using role-based access controls (RBAC) and multi-factor authentication (MFA). Audit logs tracking data access provide an added layer of oversight, helping firms monitor and secure critical information. Data lifecycle management is equally important. Retention and deletion policies should be in place to ensure outdated data does not become a liability. While GDPR is an EU regulation, it sets a high standard for data management and serves as a strong benchmark for firms looking to enhance their data governance practices
WASHINGTON, D.C.: Johnson Global is proud to announce our first charitable contribution in support of the daughters of the American Revolution (DAR) —a historic nonprofit organization founded in 1890 and dedicated to historic preservation, education, and patriotism. With over 130 years of tradition and more than one million members since its founding, the DAR continues to make a meaningful impact through local, national, and global initiatives. "We are honored to support an organization whose enduring mission aligns with our values and commitment to community" said Jackson Johnson, JGA President. "This partnership marks a significant milestone for Johnson Global Advisory as we expand our philanthropic efforts and invest in organizations creating lasting, positive change". "Thank you JGA for this impactful donation will allow our chapter to continue our mission" said Jill Mathieu, Regent of DAR. To explore more about the impact of DAR, visit: www.dar.org/discover About Johnson Global Advisory Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide. Visit www.johnson-global.com to learn more about Johnson Global.
Johnson Global Advisory ("JGA") is proud to announce that Joe Lynch, Shareholder and Managing Director, will be speaking on a panel at the 40th Midyear SEC Reporting & FASB Forum . Joe will deliver the PCAOB update on June 6, with attendance available both in person and virtually. This panel will summarize the activities of the PCAOB including: • Understand the current regulatory landscape and emerging issues under new SEC leadership • Summarize rulemaking from the FASB’s technical agenda, including segment reporting and disaggregation of income statement expenses • Anticipate accounting and reporting issues incurred with income taxes, including ASU 2023-09 “Improvements to Income Tax Disclosures” • Identify changes from the FASB on accounting for financial instruments • Prepare for disclosure requirements on ESG and climate change, including the EU’s Corporate Sustainability Reporting Directive (CSRD), the requirements of California’s ESG disclosures legislation and the status of the SEC final rule • Recall recent developments and the most frequent comment areas in the SEC review process Click here to register and learn more. About Johnson Global Advisory Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide. Visit www.johnson-global.com to learn more about Johnson Global.
On May 13th, 2025, the PCAOB held a QC 1000 workshop in Washington, DC, providing critical insights into the upcoming quality control standard. With the effective date of December 15th, 2025 , firms must proactively identify and manage quality risks by setting quality objectives, assessing risks, and implementing responses. Examples and case studies with breakout groups played a crucial role to help firms understand and apply each stage of the implementation process, from risk assessment to monitoring and remediation. Many attendees are still early in their understanding of the standard, highlighting the need for clear guidance and support. In a live poll, a significant portion of the workshop attendees indicated they have not yet started implementation. The inspection approach of QC 1000 has not been finalized. As such, they did not take any questions regarding how this would be inspected in its formative years. However, we did read between the lines from a different question around audit documentation, that it’s possible they may select components on a test basis during an inspection. Background of the Standard The QC 1000 standard emphasizes the integration of eight components: the risk assessment process, governance and leadership, ethics and independence, acceptance and continuance of engagements, engagement performance, resources, information & communication, and monitoring and remediation process. For more background information on QC 1000, please see these JGA resources: Applying the QC 1000 and Other Standards to Your Firm Understanding the Broader Benefits of ISQM 1 and SQMS 1 Applying the Benefits of ISQM 1 & SQMS 1 Across the Firm Key Topics from the Workshop Key terms such as applicable professional and legal requirements (APLR), firm personnel, other participants, and third-party providers were defined to clarify roles and responsibilities within the firm's QC system. The workshop included a walkthrough of Appendix A2 of the standard. The firm’s system must consider the APLRs that are applicable to the firm, which is unique to each firm. APLR is defined in the standard as: Professional standards, as defined in PCAOB Rule 1001(p)(vi); Rules of the PCAOB that are not professional standards; and To the extent related to the obligations and responsibilities of accountants or auditors in the conduct of engagements or in relation to the QC system, rules of the SEC, other provisions of U.S. federal securities law, ethics laws and regulations, and other applicable statutory, regulatory, and other legal requirements. It is important to be able to clearly identify the type of resource in your QC 1000 implementation journey. Paragraph .05 also discusses the terms firm personnel, other participants and third-party providers. These are defined in Appendix A.5 (firm personnel), A.7 (other participants) and A.13 (third -party providers). 1. Firm personnel include: EQR (inside the firm), Staff at shared service centers, secondees and leased staff, specialists employed by the firm. 2. Other participants include other auditors, EQR (outside the firm), internal auditors of the client that provide direct assistance to the auditors, specialists engaged by the firm, Networks, and external QC function. 3. Third-party providers include audit software providers, system security vendor, audit methodology provider, confirmation intermediary, pricing services, and broker-dealer monitoring systems. There are four distinct roles and responsibilities as described in paragraphs .11 -.17 of the QC standard. The first two roles are the certifiers of the Firm’s QC results: 1. The principal executive officer and 2. Individual responsible for the operational responsibility and accountability for the QC system as a whole. The principal executive officer (PEO) is ultimately responsible for the design, implementation, operation, and evaluation of the firm’s QC system. Only firm personnel are permitted to fill the roles required by QC 1000 . JGA Insights: 1. Not all “participants” of a firm’s structure must be included in a firm's quality control policies and procedures, which is especially important for shared service centers and outsourced staffing arrangements. These roles must be clearly defined and applied as the different levels of participants within an organization are considered differently by the standard. 2. PCAOB-registered firms of all sizes – regardless of whether the firm currently audits issuers – must adhere to these components, ensuring consistency with international quality control frameworks. 3. While it was expressed in the session by PCAOB Staff that firms are not expected to reengineer their process (e.g. more than 1 set of QC documentation), firms may need to align or “top-up” their processes with multiple standards to ensure comprehensive compliance. Keep in mind here that the top-up may not just be for QC 1000. In fact, a system in compliance with QC 1000 may need top-up considerations for SQMS 1 and/or ISQM 1. Risk Assessment Principles There were several examples and case studies to go through among table groups during the session. These activities helped illustrate the importance of getting risk assessment right, since this drives what the firm focuses on for an effective system. When it comes to implementing QC 1000, there are some key takeaways from the risk assessment process that can really guide firms in the right direction. JGA Insights: Here are a few important points to keep in mind as you work through identifying and assessing quality risks 1. The QC 1000 standard does not prescribe a specific method for identifying and assessing quality risks. This gives firms flexibility but also places responsibility on each firm individually based on their circumstances. It’s more work upfront from a “cookie-cutter” approach but ensures the design of a process that fits a firm’s unique context. 2. Quality risks should not be viewed as the opposite of quality objectives . Instead, they are factors that could potentially hinder the achievement of those objectives. 3. The threshold of “reasonable possibility of occurring” applies to all risks, including risks of intentional misconduct by firm personnel and other participants. This means that firms must consider the likelihood of risks occurring and their potential impact on the quality objectives. The PCAOB staff shared during the workshop that the concept of reasonably possible follows the same definition as used in FASB ASC Topic 450 on Contingencies. Ethics and Independence Considerations The QC 1000 standard does not alter existing ethics and independence requirements under PCAOB or SEC standards. Firms must continue to comply with those as currently written. Compared to other standards like ISQM 1 and SQMS 1, QC 1000 is more stringent in certain areas. For example, it requires: 1. Creating and maintaining a restricted entity list; 2. Periodic review of the list to ensure accuracy; 3. Appropriate certifications related to independence; and 4. Audit committee approvals where applicable. Register for the next workshop and get going on implementation To gain a deeper understanding of the QC 1000 standard and its implementation, we strongly encourage you to attend the PCAOB Smaller Firm Workshop on June 17, 2025, in Irving, Texas. This in-person-only session will provide valuable insights and practical guidance for firms navigating the new quality control standard. Register now to secure your spot. As always, reach out to your JGA Expert with any questions. About Johnson Global Advisory Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporate solutions which navigate those standards. JGA is committed to helping the profession in amplifying quality worldwide. Visit www.johnson-global.com to learn more about Johnson Global.
WASHINGTON, D.C.: Johnson Global is pleased to announce that Joe Lynch, JGA Managing Director will speak at the AICPA® & CIMA® ENGAGE+ 25 on May 15, 2025, and will be attending the full conference on June 9–12, 2025, at the ARIA Resort & Casino in Las Vegas, NV and live online. This CPE-eligible event is the premier annual event for accounting and finance professionals, bringing together thousands of peers, experts, and industry leaders for top-tier learning, networking, and career growth opportunities. Register by May 1, 2025, to take advantage of Early Bird rates— $1,995 for members ( regularly $2,095 ) and $2,445 for nonmembers ( regularly $2,545 ). *PCPS, Tax and PFP section members and CITP®, PFS™, CGMA® credential holders save an additional $150 . Discount reflected in section member/credential pricing during checkout. Register Today ! About Johnson Global Advisory Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB and SEC staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigates those standards. JGA is committed to helping the profession in amplifying quality worldwide. Visit www.johnson-global.com to learn more about Johnson Global.
