PCAOB Hopes Updating Quality Control Rules
November 25, 2022
Will Maybe Prevent Audit Firms From Constantly Breaking Quality Control Rules
From the earliest days of Going Concern until most recently last month, quality control has been a problematic thing for audit firms.
For example, the firm that employed the guy who just got the largest fine the PCAOB has ever given to an individual auditor couldn’t get its quality control systems under control:
From 2018 to 2021, SKP failed to comply with PCAOB quality control standards, including with respect to audit documentation. Among other failures, SKP’s system of quality control failed to prevent or detect [Jonathan] Taylor’s improper alteration of work papers in connection with a PCAOB inspection. SKP also failed to obtain engagement quality reviews of issuer audits for multiple years and to timely or accurately file with the PCAOB required annual reports and audit participant reports. Taylor directly and substantially contributed to those violations.
But it’s hard to place 100% of the blame on the audit firms. They’ve dealt with quality control rules that have been on the books since the Dark Ages (pre-Sarbanes-Oxley):
Current QC standards were developed decades ago and issued by the American Institute of CPAs (AICPA) before the PCAOB was established. The auditing environment has changed significantly since that time, including evolving and greater use of technology, and increasing auditor use of outside resources, including other firms and providers of support services. Firms themselves have also changed significantly, as has the role of firm networks. Historically, [PCAOB] advisory groups have indicated general support for strengthening the QC standards, including support for implementing a risk-based approach and for enhancing requirements for firm governance and leadership. And advances in internal control, quality management, and enterprise risk management suggest that factors such as active involvement of leadership, focus on risk, clearly defined objectives, objective-oriented processes, monitoring, and remediation of identified issues can contribute to more effective QC.
So the PCAOB is trying to make good on its pledge to update a slew of outdated auditing standards by proposing an entire revamp of its quality control rules:
We preliminarily believe our QC standards could be improved, thereby leading firms to improve their QC systems and ultimately better comply with applicable requirements, by:
- Expressly requiring a risk-based approach to QC, including well-defined quality objectives and a systematic effort to identify and proactively manage risks to the firm’s achieving those objectives;
- Emphasizing firm governance, the “tone at the top,” and individual accountability;
- Providing more direction regarding monitoring activities and remediation of identified deficiencies to encourage an ongoing feedback loop that drives continuous improvement;
- Addressing changes in the audit practice environment, including the increasing participation of other firms and other outside resources, the role of firm networks, the evolving use of technology and other resources, and the increasing importance of internal and external firm communications;
- Providing for a rigorous annual evaluation of a firm’s QC system;
- Introducing annual QC reporting to the PCAOB to underscore the importance of the annual evaluation of the QC system and support PCAOB oversight; and
- Requiring enhanced communication to the audit committee.
There are five specific things that the PCAOB is proposing in its overhaul of the quality control rules:
- Supersede current PCAOB quality control standards with an integrated, risk-based standard, QC 1000, A Firm’s System of Quality Control, that would apply to all registered public accounting firms.
- Create reporting requirements on quality control matters and a new, non-public reporting form, Form QC.
- Expand the auditor’s responsibility to respond to deficiencies on completed engagements under an amended and retitled AS 2901, Responding to Engagement Deficiencies After Issuance of the Audit Report, and related amendments to PCAOB attestation standards for broker-dealer engagements.
- Supersede existing standard ET 102 with a new standard, EI 1000, Integrity and Objectivity, to better align the PCAOB’s ethics requirements with the scope, approach, and terminology of QC 1000.
- Make additional changes to PCAOB standards, rules, and forms.
The proposed QC 1000 standard “includes requirements regarding individual roles and responsibilities in the QC system, a requirement to evaluate the effectiveness of the QC system annually and report on the results of that evaluation to the PCAOB and to the audit committee (or equivalent) of each issuer and broker-dealer audit client, and documentation requirements,” the PCAOB said.
“Under the proposal, all registered firms would be required to design a QC system that meets the requirements of QC 1000. Firms would be required to implement and operate the QC system in compliance with QC 1000 when they perform an engagement under PCAOB standards, play a substantial role in the preparation or furnishing of an audit report (as defined in our rules), or have current responsibilities under applicable professional and legal requirements regarding any such engagement.”