The U.S. Public Company Accounting Oversight Board (PCAOB) is responding to audit committee requests for more information about PCAOB audit focus areas, stated board member Duane DesParte at the 2018 AICPA Conference on Current SEC and PCAOB Developments in Washington, D.C. Internal auditors are in a unique position to support audit committees in understanding and monitoring these key areas. Internal auditors with a solid understanding of PCAOB expectations and findings can advise audit committees, which have primary oversight responsibility for external audit quality and ensuring the independence and objectivity of the audit firm.
The PCAOB Inspection Process
The U.S. Sarbanes-Oxley Act of 2002 formed the PCAOB, creating an independent auditor oversight institution to protect investors, provide reliable financial reporting, and improve audit quality. The PCAOB performs annual inspections of large audit firms and triennial inspections of small audit firms. A report is issued after every inspection that includes a public portion and, if required, a nonpublic portion.
The public portion describes any significant audit deficiencies and is published on the PCAOB website. Examples of significant audit deficiencies include failure to perform required audit procedures, failure to recognize and address generally accepted accounting principles misapplications, and insufficient testing of the design and operating effectiveness of selected controls. After an inspection, an audit firm may have to modify its audit opinion or prompt the company to issue restated financial statements.
The nonpublic portion of the report addresses deficiencies in the system of quality control. It may include the firm’s procedures for assuring independence, the tone at the top, or the firm’s internal inspection program. The nonpublic portion of the inspection report becomes public if an audit firm fails to remedy the required quality control deficiencies within 12 months of the report being issued. According to the Center for Audit Quality’s (CAQ’s) Guide to PCAOB Inspections, the remediation steps that a firm takes depend on the type of underlying quality control issues identified by the PCAOB. Remediation examples include changing the firm’s audit procedure manuals and additional training. The PCAOB expects larger firms with complex audits to conduct an analysis of the causes of any identified issues, and adapt its remediation measures to the results of that examination. The CAQ Guide can be helpful to internal auditors by providing guidance on remediation steps and root cause analyses.
The PCAOB currently is revising the risk-based selection process of audit engagements, which procedures to perform, and how to assess a firm’s quality control system and culture, as well as changing the nature, timing, and extent of inspection procedures. In addition, the PCAOB will focus on timeliness and relevance of inspections reports, which will aid investor and audit committee decision-making. Some changes will be implemented as early as the 2019 inspection cycle, said George Botic, PCAOB director of the Division of Registration and Inspections, during a Dec. 12, 2018, speech.
The three most frequently recurring audit deficiency areas are assessing and responding to risks of material misstatement, auditing internal control over financial reporting (ICFR), and auditing accounting estimates, including fair value measurements (see “PCAOB Audit Deficiency Examples,” right), Botic said. The PCAOB highlighted these deficiencies in its 2018 Staff Inspection Brief, Staff Preview of 2018 Inspection Observations, released in May 2019.
Key Deficiency 1 — Assessing and Responding to Risks of Material Misstatement Deficiencies related to assessing and responding to risks of material misstatement result in noncompliance with PCAOB Audit Standard (AS) 2301: The Auditor’s Responses to the Risks of Material Misstatement and AS 2810: Evaluating Audit Results. The PCAOB’s 2017 Staff Inspection Brief, Preview of Observations from 2016 Inspections of Auditors of Issuers, notes that some selected firms were not performing substantive tests robust enough to thoroughly assess fraud risk and other risk factors. The 2017 Inspection Brief specifically mentions risk regarding revenue recognition. The 2018 Inspection Brief highlights the need to test the entire revenue transaction, including comparing company-prepared invoices with related contractual obligations and product/service delivery and testing invoice amounts to revenue recognition. Firms should presume there is fraud risk associated with revenue and evaluate accordingly. Audit procedures should be designed and performed to address the assessed risks of material misstatement for each relevant assertion of each significant account and disclosure (AS 2301.08). AS 2301.09 emphasizes that when designing the audit procedures, the auditor should:
- Acquire more persuasive audit evidence the higher the auditor’s assessment of risk.
- Consider the types of potential misstatements that could result from the identified risks and the likelihood and magnitude of potential misstatement.
- In an integrated audit, plan the testing of controls to accomplish the objectives of both audits simultaneously to obtain sufficient evidence to support the auditor’s control risk assessments for purposes of the audit of financial statements and to support the auditor’s opinion on ICFR as of year-end.
Some inspections yielded cases where the presentation of the financial statements and completeness of disclosures were not fully evaluated. AS 2810.03 requires external auditors to consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the financial statements when forming an opinion on the fairness of financial statements.
Internal auditors should work closely with audit committee members to address recurring audit deficiencies by creating and monitoring procedures to ensure appropriate tone at the top, auditor independence, risk assessment of material misstatement, and accounting estimates.
Key Deficiency 2 — Auditing ICFR Deficiencies in this area result in noncompliance with AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements. They stem from insufficient testing of estimates related to revenue, business combinations, asset impairments, and reserves. External auditors need to exercise an appropriate amount of skepticism as the 2017 Inspection Brief notes that firms tend to rely too much on management explanation, exhibit bias toward controls being effective, and incorrectly match control testing with control objectives. The 2018 Inspection Brief describes instances where external auditors inadequately tested the design and operating effectiveness of controls, or did not select controls for testing that addressed the specific risks of material misstatement.
AS 2201 establishes a risk-based approach to the audit of internal control. The auditing standard is intended to emphasize the most important matters in the audit of internal control and avoid procedures that are unnecessary to an effective audit. When choosing controls for testing, the external auditor should investigate controls that are imperative to his or her conclusion about whether the company’s controls appropriately convey the assessed risk of misstatement to each relevant assertion (AS 2201.39). In addition, AS 2201.42 recommends examining the design effectiveness of controls by verifying whether the company’s controls satisfy the control objectives and can effectively prevent or detect errors or fraud. The external auditor should obtain persuasive evidence that demonstrates control effectiveness. As risk increases, so should the obtained evidence.
Staff Audit Practice Alert No. 11: Considerations for Audits of Internal Control Over Financial Reporting presents the application of certain requirements of AS 2201 and PCAOB standards to audits of internal control. This alert offers guidance on the topics of:
- External auditors’ risk assessment and the audit of internal control.
- Selecting controls to test.
- Requirements for testing management review controls.
- IT considerations, such as
- Roll-forward of control testing performed at an interim date.
- Using the work of others.
- Evaluating control deficiencies.
Internal auditors possess overall knowledge and understanding of an organization’s policies and procedures and are a resource for external audit engagement teams. Internal auditors can assist external auditors in gaining an in-depth understanding of organization processes, transactions, and controls.
Key Deficiency 3 — Auditing Accounting Estimates, Including Fair Value Measurements Deficiencies related to auditing accounting estimates result in noncompliance with AS 2501: Auditing Accounting Estimates. These deficiencies are generally associated with evaluating impairment analyses for goodwill and other long-lived assets, and the valuations of assets and liabilities attained in business combinations. Other instances of auditing deficiencies observed in the 2017 and 2018 Inspection Briefs include revenue-related estimates and reserves, allowance for loan and lease losses, inventory reserves, and financial instruments. The findings demonstrate that the external auditors did not fully understand how estimates were established or did not adequately test the significant inputs and assess the significant assumptions used by management. The 2018 Inspection Brief recognizes that developing these estimates involves unobservable inputs, complex valuation models, and subjective judgments; therefore, external auditors should exercise professional skepticism and involve senior members of the team throughout the audit engagement.
AS 2501: Auditing Accounting Estimates offers guidance on obtaining and evaluating appropriate evidence to support significant accounting estimates in financial statements. AS 2501.03 highlights management’s responsibility to make the accounting estimates based on subjective and objective factors. Subsequently, management’s judgment is required for accounting estimates. This judgment depends on knowledge and experience, as well as assumptions about current and future conditions and courses of action. AS 2501.05 holds management accountable for creating a process for preparing accounting estimates. While the process may not be documented or formally applied, certain steps should be considered:
- Recognize when accounting estimates are required.
- Identify factors that may affect the accounting estimate.
- Accumulate relevant, sufficient, and reliable data on which to base the estimate.
- Develop assumptions that represent management’s judgment of the most likely conditions and events with respect to relevant factors.
- Calculate the estimated amount based on the assumptions and other relevant factors.
- Determine that the accounting estimate is presented in conformity with applicable accounting principles and that disclosure is adequate.
According to the PCAOB Inspections Outlook for 2019, inspectors are focusing on the design and operating effectiveness of firms’ systems of quality control, assessing and monitoring compliance with independence requirements, and evaluating the audit procedures firms use to identify cyber risks. In 2019, the PCAOB will look at the use and development of firm software audit tools to consider whether firms are using these tools effectively and applying due care, including professional skepticism. It also will assess auditors’ responses to risks associated with digital assets, such as cryptocurrencies, initial coin offerings, and use of distributed ledger technology. In addition, the PCAOB will focus on client acceptance and retention decisions, resource management, and planned audit procedures.
Revenue recognition is identified as an area of concern in all deficiency areas, so firms need to pay particular attention to assessing risk related to revenue, designing tests of revenue control, and evaluating revenue estimates. Business combinations also are a recurring item appearing under internal control testing deficiencies as an area affected by economic risk and a financial reporting concern. The 2017 Inspection Brief says that firms need to go beyond management inquiry by testing controls related to other controls, gaining an understanding of the basis of client estimates, and using professional skepticism.
The 2018 Inspection Brief also reports that some audit firms failed to communicate to audit committees significant risks and changes to those risks. Strong communication with external auditors can help audit committee members recognize “the external and company-specific factors considered by the auditor in assessing whether all significant risks have been identified,” as well as assist audit committees in exercising their oversight roles. Internal auditors should take part in communication with the audit committee, as well as external auditors, on any identified PCAOB deficiencies to ensure that all parties involved in the audit engagement have a clear understanding regarding remediation actions.
Internal Auditor as Advisor
The audit committee has a joint oversight role with the PCAOB when it comes to audit quality and engaging in dialogue concerning deficiencies and the PCAOB inspection process. It needs to understand the PCAOB’s recurring audit deficiency findings when fulfilling its supervision responsibility for audit quality and ensure the independence and objectivity of the external audit firm. Internal auditors with sound knowledge of this process can inform and advise the audit committee in this area so it can better fulfill this role.