Editor's note: This article is part of a series to highlight the unique experience that JGA professionals possess and deliver to our clients. As busy season winds down, it is an opportune time to reflect on challenges in ensuring audit quality and preparing for a successful outcome to the PCAOB inspections process. There are a myriad of obstacles to audit quality such as time constraints and the complexities of client engagements. Amidst these demands, audit quality remains the utmost priority. Geoff Dingle an author of JGA’s guide, Navigating PCAOB Inspections, Second Edition shares his insights on how firms can effectively prepare for the entire process. The Purpose Registered firms that issue at least one public company audit opinion are subject to inspection at least every three years. Every inspection is different based on the firm, its clients, and PCAOB priorities, but the overall process is the same. It is a long process that takes planning and coordination, and this guide addresses the main phases and pain points. “Through our work at JGA, supporting firms on PCAOB inspections, we are able to witness first-hand the struggles that some firms encounter as they work through the inspection process with the regulator. Although some of this information is available on the PCAOB’s website, we have been able to consolidate our own experiences having supported over 100 firms during their inspections. JGA has a team of alumni from the regulator that have led inspection teams and quality management initiatives, with over 139 years of combined experience at the PCAOB and SEC,” says Dingle. The Process The inspection process often takes more than two years (sometimes as long as four years) from initial notification of an inspection to the final remediation determination. It can take weeks to months to issue comment forms after the inspection week. Report finalization is getting faster but it can still take more than six months to issue an inspection report to a firm. If there are few issues, the PCAOB can respond quickly, but with multiple findings the process oftentimes takes longer. After report issuance Firms have 12 months to remediate Part II findings and provide these remedial plans to the PCAOB for evaluation. Pre-Inspection The PCAOB provides the dates for its intended inspection week. The notification letter includes the period being inspected, questions, and requested documentation about the firm and its clients. There are not many pain points at this stage, but there is typically a four-week deadline to respond. The PCAOB contacts the firm two to three weeks before the inspection starts with the names of the issuers selected for inspection and requests specific information and access to the workpapers for these audits. “We always recommend that firms hold internal meetings to assign responsibilities between the engagement teams and the national office and plan for the inspection. Prep week - the week before the inspection, can be stressful. We suggest that engagement teams go back through their audit files to re-familiarize themselves with the workings of the audit file,” Geoff continues . Key Points About The Process Before COVID, inspections were conducted in-person. Now the majority of the inspections are performed virtually. “With the engagement team and the inspection team not being in the same room, we have observed inefficiencies in getting matters resolved because of the need to coordinate firm personnel and inspection personnel, across various time zones, locations, and schedules,” he mentions. During the inspection week, the PCAOB provides detailed questions to the engagement team regarding the audit file. It’s a mix between written questions sent to the firm and asked questions during meetings. All questions are answered in subsequent meetings. With the remote process, meetings are scheduled to address and answer these questions. “Our own experience is that if a particular line of questions continued for the week (i.e. the engagement team’s response is not satisfying the inspector), then chances are there will probably be an issue that will result in a comment form,” Geoff adds. Be ready for multiple layers of questions on the same subject by providing details based in the working papers and show a deep understanding of the audit. Inspection issues are usually riskier areas involving judgements. Audit documentation should “tell the story” of how auditors came to their conclusions, not just what the conclusion was. Audit documentation should describe in detail what considerations were made by the engagement team in coming to their judgment (i.e. how any contradictory evidence was addressed; why the engagement team went with one model over another, etc.). If judgments are not well documented, the PCAOB has no alternative but to conclude that sufficient procedures were not performed. Comment Forms A few weeks after fieldwork is completed, the inspection team provides comment forms that include a summary of the deficiency and the facts related to the issue. Firms have 10 business days to respond. The Inspection Report Part I inspection findings are in the report’s public portion. Part I.A deficiencies indicate the firm had not supported its opinion on the financial statements, ICFR, or both. Part I.B findings are compliance issues which do not specifically compromise the audit opinion. Part II findings are related to the firm’s system of quality control and are in the report’s nonpublic section and these are not shared with the public. Firms have 12 months to remediate Part II findings before they can become public if the PCAOB concludes that the firm did not adequately remediate. Frequent Part I.A findings in an integrated audit relate to testing controls, testing estimates, and use of service auditor reports. Part I.B findings may result in enforcement cases and include incorrect opinion language, independence breaches, audit committee communication issues, and incomplete or late filing of Form AP. Responding to Findings in Part II of the Inspection Report Ultimately, the firm has 12 months to communicate to the PCAOB how it plans to remediate quality control findings. Geoff provides his insights on the importance of root cause analysis, “In our experience, firms do not do a great job of root cause analysis to identify the remedial action needed for deficiencies because they do not dig deep enough. We review comment forms and related workpapers to understand why the PCAOB issued the comment, and then we interview the engagement teams about root causes, to understand whether the issue was related to areas like staffing, partner workload, supervision and review, technical competence, audit methodology, or firm tools. In fact, firms will soon be compelled to do a rigorous root cause analysis as the proposed quality control standard (QC 1000) requires root cause analysis.” A proactive approach to remediation, specifically quality control findings allows for firms to make corrective actions based on their root cause evaluation and provide time to see the updates work their way through the firm’s audit cycle. Showing examples of the new process goes a long way. See our contribution to Journal Of Accountancy, Quality Management Standards: How to Perform a Root Cause Analysis . “We advise firms to address Part II remediation findings early. If they wait until they receive the report to start remediation, another inspection could start, and a repeat finding could result.” PCAOB guidance details five relevant criteria they use to conclude on the sufficiency of remedial actions. Every firm’s quality control processes are different, so we work with clients to apply the guidance to their own remedial actions and avoid repeat criticisms,” Geoff mentions. In conclusion, the PCAOB has made it clear both through its speeches and its enforcement actions that they will be tougher on enforcing regulation and audit quality. Firms need to plan in advance to make sure the inspection process is as issue-free as it can be. That starts with making sure audits are completed in accordance with the PCAOB auditing standards, not when you get notified of an inspection. Firms should enhance their practice monitoring by engaging firms like JGA to perform in-flight reviews while the audit is happening. In that way, quality is achieved prior to the signing of the audit opinion. Interested in learning more about the PCAOB inspections process and how to prepare? Navigating PCAOB Inspections, Second Edition is a roadmap for firm management and engagement teams through the entire PCAOB inspection and remediation process, to help prepare for inspections and implement continuous audit quality improvements. Geoff Dingle, JGA Managing Director, Shareholder With more than 20 years of experience in the accounting and auditing industry, Geoffrey Dingle works with public accounting firms to help them achieve the highest level of audit quality. Geoff brings a diverse set of experiences to JGA. As an Associate Director for almost 10 years, in the Division of Registrations and Inspections at the PCAOB, he conducted inspections of quality control and issuer audits. In addition, he played a senior role in planning, executing and reporting on the annual inspections of Global Network Firms, including, but not limited to, quality control procedures, review of comment forms, development of the inspection report criticisms and quality control themes, and evaluation and review of Firm root cause analysis and remedial actions. To learn more about Geoff and the JGA Team visit the Meet Our Team page.

Editor's note: This article is the first in a series to highlight the unique experience that JGA professionals possess and deliver to our clients. What is top of mind for the Public Company Accounting Oversight Board (PCAOB)? The PCAOB has made it clear that it intends to carry out an aggressive inspection program to identify and correct the high rate of audit quality deficiencies it continues to find and refer matters to its Division of Enforcement and Investigations (“DEI”). “ As a consultant, I work with audit firms to establish or enhance their policies and procedures so they deliver audit services at the highest quality level and hopefully avoid regulatory scrutiny from the PCAOB and SEC .” When an auditor or firm has become subject to a PCAOB or SEC investigation, JGA can assist in a number of ways including in their responses to informal document requests, Accounting Board Demands, and subpoenas for workpapers, emails, and other documents. Our consultants also perform workpaper review, provide case assessments and strategy guidance, assist with witness preparation, and help in preparing white papers, Statements of Position, and Wells responses. We also serve as expert witnesses by providing expert reports and expert testimony. Johnson Global professionals consult firms on timely remedial and corrective actions and other activities to obtain PCAOB extraordinary cooperation credit to substantially reduce or eliminate monetary penalties and sanctions. Once there is a PCAOB enforcement inquiry, before a case is brought, we review audit workpapers and documents and evaluate the firm’s quality control system to identify the potential violations, assess the significance of the violations, provide a root cause analysis, and propose remedial solutions. Existing or new clients include individuals and firms who have received a letter from DEI or the SEC’s Enforcement Division announcing an informal inquiry, or that a formal order of investigation has been initiated. “Our vast network, includes attorneys that I know from doing forensic accounting for so many years.” As needed, we assist firms in obtaining counsel with experience working with the PCAOB and SEC, if they do not have one. We work with counsel closely in these matters for counsel to provide legal advice and correspond with the regulator directly on behalf of the firm. Recent Trends PCAOB Reporting - Form AP and Form 3 Compliance We have seen an increase in the number of PCAOB enforcement actions related to PCAOB Form AP (Auditor Reporting of Certain Audit Participants) and PCAOB Form 3 (Special Events). The general requirement for Form AP is to file it within 35 days from the date the firm’s audit report is first included in a Form 10-K or 20-F filed with the SEC. For Form 3, the form must be filed within 30 days after the event. Firms are not filing these on time, commonly because they are not aware of the requirements or forget to file. Once the audit is over, attention can get diverted from Form AP. Form 3 is particularly burdensome because there are 18 specified events to report and monitoring these can be a challenge. Also, these forms may not be filled out correctly. For Form AP, it is easy for the PCAOB to determine whether a firm has timely filed it by comparing SEC filings to the Form AP filing, and the inspections group will routinely do that. It is harder for the Board to identify Form 3 compliance issues because their special events are unique to each firm, but we see instances of that occurring and enforcement matters as a result. When compliance failures occur, we have observed that the DEI will send a letter to the firm with a draft order that will propose a settlement, without even discussing the matter with the firm. We discuss the options with the client and client’s counsel, including the costs associated with litigation, so they can decide. Most clients do not challenge the Board and agree to the censure and fine, which can be $5,000 or more per violation, along with the requirement for a self-review and self-certification of the firm’s quality control policies and procedures relating to PCAOB reporting. The consequences of any compliance failure on these forms can be harsh, even though it was just a mistake. Form compliance is an area where we can help firms to make process changes and put policies and procedures in place to timely file and avoid a repeat failure. We recommend annual training on PCAOB reporting and the implementation of an annual certification process for Form 3 events. For Form AP, we help firms institute tracking and monitoring controls by the designated head of quality. For example, we designed a Form AP tracker that includes the relevant required information for all the firm’s PCAOB clients, along with the estimated filing dates and calendar reminders so there is a process to monitor engagement teams to proactively follow up. We also developed a Form 3 checklist that includes the trigger events and can be used at monthly meetings or by email requiring affirmative responses, so firms are able to proactively identify the events that require a filing. Communications with Audit Committees This is an area where the PCAOB is using sweeps, presumably from information gathered at the audit inspection level. Participation of other auditors in the audit must be communicated to the audit committee, but the PCAOB has noted failures to communicate which firms and individuals were involved and what they did. Another common problem area in audit committee communications is the lack of required preapproval of non-audit and audit related services. Firms may need training to understand the requirements, along with additional quality control policies and procedures. There should be audit program steps in the tools firms use that apply to audit committee communication in PCAOB audits, not those under AICPA or international standards, because the rules are not the same. The PCAOB continues to bring cases in this area, even if it is for one single violation of this PCAOB standard. There is an apparent zero tolerance policy at the PCAOB for violations of this nature. Engagement Quality Review EQR is a hot area now. Firms may not have done one at all, or the quality is not there - either on the front end for risk identification and planning, or at the back end when the audit is done. Our firm has developed and provides an EQR mentoring program , which is a collegial one on one approach to help firms get better, and it includes retraining as partners rotate on engagements. Documentation There are a number of inspection findings relating to AS 1215, Audit Documentation, including firms adding, backdating, or altering workpapers after the report release date. There is a process under the standard for adding documents that includes documenting who made the change, when, and why. We advise firms that have documentation issues to follow the standard because it is not advisable to make it look like a workpaper was always there when it was not. Quality Controls The PCAOB is very focused on this area. When the PCAOB finds a number of violations, firms should consider whether they have quality control issues, including whether there is a strong ‘tone at the top’ related to audit quality. Most PCAOB enforcement actions issued in 2023 either cited a QC failure or required the firm to enhance its QC system as part of the sanction. It can be challenging for firms, especially those with fewer than ten or so PCAOB clients, to determine how much financial and personnel resources to commit to the firm’s system of quality control. The notion of scalability seems to have gone by the wayside resulting in a high fixed cost for entering the PCAOB audit market and maintaining a presence in that space. Some firms are hesitant to invest in compliance measures because of the high costs, but better quality likely will lead to getting more clients and the potential for less trouble down the line. There is a new PCAOB auditing standard on quality control coming soon, and it includes a requirement that assigns individual responsibility and accountability for the QC system. There is awareness, but we are encouraging our clients to get ready for this now. We offer quality control review services and can serve as a quality control confidant, especially for small firms that do not have a QC leader. PCAOB Inspections of China and Hong Kong Firms Last year, the PCAOB published inspection reports of PCAOB-registered firms in China and Hong Kong and announced enforcement actions and a record high level of penalties as a result of violations of PCAOB rules and U.S. securities laws. These included auditors cheating on ethics and other internal examinations, and extensive quality control deficiencies. By 2023, the PCAOB will have inspected up to 99 percent of these firms’ audits. Inspection reports are expected to come out in April 2024 showing more of the same deficiencies. The 2024 PCAOB budget includes resources to continue inspections in this region. U.S. firms should look at these inspection results and enforcement cases to be aware of what the PCAOB found and is continuing to look for. Conclusion PCAOB Chair Williams and the current board continue to deliver a tough message about audit deficiencies and enforcement. The PCAOB is filing enforcement cases not only against firms that pose potential danger for not doing anything right but also for compliance failures, including those relating to PCAOB reporting. Auditors need to invest in audit quality and keep on top of changes in audit standards to avoid PCAOB scrutiny and potential sanctions. Matt has more than 30 years of experience in financial reporting, auditing, and fraud detection and prevention. He held enforcement roles at the SEC and PCAOB, along with leadership roles at national consulting firms where he provided clients with solutions in accounting, auditing, financial reporting, forensic accounting, and litigation support.

On January 31, 2024, the PCAOB Staff (the “Staff”) released its first ever Spotlight, Insights Into the PCAOB’s Interim Inspection Program Related to Audits of Broker-Dealers . I commend the Staff for this Spotlight. It provides new insights and more context than their typical annual reports on the broker-dealer inspection program results. To provide some brief background, the broker-dealer inspection Program was created as result of the Dodd-Frank Act, which was enacted into law in 2010. Inspections started in 2011, and the revised Securities Exchange Act Rule 17a-5 was effective in 2013. The most recent Annual Report published in August 2023 reported a 58% deficiency rate for broker-dealer firm inspections conducted in 2022, and stated that the rate was, “unacceptably high.” That compares to a 40% deficiency rate for issuer firm inspections in 2022, so the difference is considerable. See our September 2023 article that talks about the report - Broker Dealer Reruns: Haven’t I Seen This Before? (jgacpa.com) Auditors have, understandably so, argued that they need more guidance from the PCAOB to correct these deficiencies. It looks like the Staff has heard the pleas based on this Spotlight. Here are a few of the key observations by the staff in the report, and our recommendations for firms. PCAOB Finding: Insufficient Understanding of the Broker-Dealer Industry “In addition, broker-dealer specific training for auditors is not widely available. Typically, only larger audit firms offer in-house training and have acquired extensive broker-dealer audit experience that is shared with audit firm personnel. While there are a few vendors who offer quality training, course offerings are limited throughout the year.” The point is that the broker-dealer industry is specialized; you can’t simply be a good auditor and conduct a quality broker-dealer audit without obtaining the requisite understanding of the rules and regulations. For example, the auditor of a broker-dealer also provides an opinion on the supplemental information (e.g. Net Capital Computation, Reserve Formula Computation, etc.), and evaluates whether the supplemental information, including its form and content, is presented in conformity with 17 C.F.R. §240.17a-5 . That involves determining whether the broker-dealer's net capital computation is complete and accurate. Net capital includes assets that are “allowable” or “non-allowable” in the computation. And sometimes an otherwise allowable asset per Rule 15c3-1 may actually be non-allowable if, for example, there isn’t a particular clause in a clearing agreement. And sometimes an asset that is otherwise non-allowable per Rule 15c3-1 can be allowable if certain other conditions are met. The nuances exist in various SEC interpretations released over the last 50 or so years. These nuances are difficult enough for audit professionals with decades of broker-dealer audit experience. If engagement teams don’t gain that specialized knowledge, they won’t know what they don’t know, and will not be set up for success. We continue to see opportunities for engagement teams to have more BD-specific experience on the team. Training is one way to raise the bar, but that leads to the next problem – there simply isn’t a lot of high-quality broker-dealer audit training out there! While providing broker-dealer audit training to our clients, we have found that general training is often not sufficient to meet their needs and/or remediate PCAOB findings. For example, a general training on auditing a common broker-dealer that claims a (k)(2)(ii) exemption and introduces customer transactions to a clearing broker-dealer, will not help an engagement team audit a broker-dealer that specializes in mergers and acquisitions. As the Staff also emphasizes in the Spotlight, there is also an overreliance on standardized audit programs. We don’t look at these topics separately. We work with auditors to tailor their audit programs to the types of broker-dealers they audit and train their engagement staff to apply the programs to the facts and circumstances of their audits. PCAOB Finding: Overreliance on Standardized Audit Programs Inspectors found that standardized audit programs “may not be all encompassing, may reflect only certain criteria in the standards, and may be limited in the scope of procedures to be completed…these programs typically must be tailored to reflect the nature of the broker-dealer’s business operations, internal controls, and financial reporting and attestation risks.” In my time as a PCAOB Inspection Leader, I saw this time and time again. Audit firms subscribe to “off-the-shelf” audit methodology providers and rely on the audit programs they provide. Engagement teams follow the programs, fill them out completely, and still, they don’t conduct sufficient procedures. How can that be? Said differently, the audit programs are a good resource and a great foundation, but they are a guide and simply cannot account for every risk in the audits of your client portfolio. That holds true for any audit, but especially so for unique, complex broker-dealer industry audits. The audit programs are not a substitute for understanding the complexities of the broker-dealer industry (see above regarding the need for industry-specific training). In our work performing practice monitoring reviews for BD audits, we have seen cases where methodology doesn’t get down to the level necessary to force the understanding and documentation of a robust workflow to identify the risks at the assertion level necessary to sufficiently design test procedures. Based on our work with firms, the best path to success is to start with the standardized programs and then tailor them to the types of broker-dealers they audit. For example, if a firm audits broker-dealers that are involved in contractual revenue streams, such as the private placement of securities, we add in steps to address the key elements of revenue recognition within those transactions, such as obtaining evidence of the closing of the transaction, reviewing the contracts for possible claw backs, etc. These are specific considerations that are unlikely to be covered by a standardized audit program. PCAOB Finding: Low-Cost Providers and the Pace of Auditor Changes The staff reported that about a third of all broker-dealer audits have budgets of 40 hours or less and fees of $10,000 or less. These small audits, we believe are the root cause of many audit deficiencies. In the Spotlight, they said everything that is possible without saying it. Take into consideration these points mentioned above : the need for high-quality, broker-dealer industry specific training the need to go beyond the standard audit programs the need to conduct a rigorous risk assessment process that includes obtaining a sufficient understanding of the broker-dealer’s operations revenue transaction cycles related controls that will enable auditors to tailor their planned audit procedures more effectively Now do all of these points in 40 hours or less and collect $10,000. You can start to see why this doesn’t work. Conducting quality audits under that model is not sustainable, especially when the PCAOB levied a record amount of fines in 2023. Auditors would be wise to consider whether retaining a $10,000 audit client under these circumstances is worth the risk of being sanctioned and fined considerably higher dollar amounts. The Spotlight also highlights that about a third of broker-dealers audited by firms inspected during 2022 changed audit firms in the last three years. There are a variety of reasons for changing auditors, but in my experience, cost is the most common reason. Many of the low-cost providers that did not conduct audits in accordance with PCAOB Standards have been sanctioned and shut down by the PCAOB. But there are still some out there. My advice is to enhance your client acceptance and continuance process. The Staff touches on this in the Spotlight as well. Determine whether your firm has the expertise and tools to complete the audit in accordance with the standards. Specifically, when assessing the skills of the potential engagement team personnel, in my previous roles as SEC examiner and PCAOB inspector, I often saw that audits would be accepted and staffed with personnel with a range of broker-dealer industry experience. But not all broker-dealers are the same. Just because a firm has a team that has audited introducing broker-dealers doesn’t mean it should or could accept an engagement of a clearing broker-dealer, or even another exempt broker-dealer that engages in complex trading activities and hold difficult-to-value securities. It’s important to understand the detailed activities of the broker-dealer prior to accepting it as a client to ensure that your firm has the staff with the requisite expertise to complete the audit. In addition, use the acceptance process to set reasonable budgets and charge a fee that will allow you to conduct audits that meet PCAOB Standards. I even recommend sending the PCAOB Spotlight to your clients to start a conversation about the need to invest more time (and money) on audit quality improvements. I’ve been there and understand the challenge – many smaller broker-dealers don’t understand why it takes so many hours to do a quality audit, so show them. If the client refuses to pay the reasonable fee, let the client go to a low-cost provider that will be out of business in a couple years. That will keep you from becoming one of those firms that are out of business in the next couple of years. Other Findings and Next Steps There is a lot more in the Spotlight that can lead to higher quality broker-dealer audits, including applying professional skepticism, gaining experience with PCAOB Standards, having an effective EQR, and establishing a robust client acceptance and continuous process. I recommend spending time reviewing the Staff’s insights and consider how you can use them to increase your firm’s audit quality related to broker-dealer audits. Don has more than 23 years of regulatory examination, audit, and audit regulation experience, focusing on the broker-dealer industry. He previously served as an Inspections Leader in the Broker-Dealer Firm (BDF) Inspection Program at the PCAOB. His key activities as Inspection Leader included transforming the inspection approach, leading inspection teams, assessing auditor and examination procedures, and reviewing comment forms. He also served as Risk Assessment and Selections Leader for the BDF Program, where he was responsible for selecting audit firms/broker-dealer audits for inspection and served as a liaison between BDF Program and the SEC. During his 12-year tenure at the SEC, Don served as Examination Manager / Branch Chief, Broker-Dealer Examinations, in the Chicago Regional Office.

Since the signing of the Holding Foreign Companies Accountable Act (“HFCAA” or “Act”) into law in December 2020, the Public Company Accounting Oversight Board (“PCAOB”), the accounting firms registered with the PCAOB that are headquartered in mainland China and Hong Kong (collectively, “China”), and their US-listed company clients have been very active. Over the past three years we have seen – US-listed companies based in China change auditors to accounting firms in PCAOB-accessible jurisdictions; A game-changing agreement between China authorities and the PCAOB enabling unobstructed access to inspect and investigate China-based auditors registered with the PCAOB; The completion and publication of the PCAOB’s first full inspections of two China-based accounting firms; and The first enforcement actions of China-based firms as a result of using its full investigative authority. We explore more about what has happened over the last three years, what China-based accounting firms may expect from the PCAOB in 2024, and the challenges they face. The HFCAA and the PCAOB’s Initial Determination it was unable to Inspect and Investigate China Auditors Fully The HFCAA was enacted to address the limitations on the PCAOB’s ability to inspect and investigate PCAOB-registered public accounting firms headquartered in China because of positions taken by authorities in the People’s Republic of China (“PRC”). According to the HFCAA, the PCAOB is required to determine whether it is “unable to inspect and investigate completely because of a position taken by an authority in the foreign jurisdiction” (e.g., China and Hong Kong). This determination is made by the PCAOB Board annually in accordance with the PCAOB’s rules 1 . If the PCAOB does not have complete access for inspections and investigations for two consecutive years, the SEC would be required to prohibit trading in the securities of issuers engaging those audit firms 2 . China-based US-Listed Companies Change Auditors In December 2021, the PCAOB issued a report on its determination (the “Initial Determination”) that it was unable to inspect or investigate PCAOB-registered public accounting firms headquartered in mainland China and Hong Kong because of positions taken by the PRC 3 . In March 2022, the SEC published a list of China-based US-listed companies that SEC staff identified were subject to possible trading prohibitions if the PRC did not permit the requisite access to the PCAOB, as required by the HFCAA. The SEC has continued to update the list on a rolling basis since March 2022, which now encompasses 174 companies (the SEC’s “Conclusive List”) 4 . The reaction by many China-based companies from the PCAOB’s Initial Determination and their appearance on the SEC’s Conclusive List was to change auditors in an apparent attempt to avoid the threat of having their stock delisted in the United States. After the Conclusive List was first published, 24 of those companies changed auditors, according to an article published by NikkeiAsia. 5 Accounting firms in the US and Singapore were the primary beneficiaries of the fallout, according to the article 6 . Accounting firms that were and may continue to be beneficiaries of the reshuffle should carefully consider whether they have the scalability and quality controls in place to take on multiple audit clients over a short duration. Although the PCAOB’s settled enforcement action with Marcum LLP 7 is an extreme example of what can go wrong when accepting too many clients at once, any firm that has taken on multiple China-based clients in short duration is at a heightened risk of a PCAOB inspection, investigation, and possible enforcement action. PCAOB Obtains Access to Inspect and Investigate Completely In August 2022, the PCAOB announced that it signed a Statement of Protocol with the China Securities Regulatory Commission and the Ministry of Finance of the People's Republic of China, marking the first step toward opening access for the PCAOB to inspect and investigate PCAOB registered public accounting firms headquartered in mainland China and Hong Kong completely 8 . This was a game changer for the PCAOB and investors in US-listed companies with China-based auditors. Inspection Results of the First Two Firms As a consequence of the Protocol, the PCAOB was successful in conducting its first two full inspections of China-based audit firms in 2022. In December 2022, the PCAOB vacated its Initial Determination because of the full access it experienced 9 and the SEC followed suit by acknowledging that there are no issuers currently at risk of having their securities subject to a trading prohibition 10 . In May 2023, the PCAOB published the inspection reports of the two firms it inspected in 2022: KPMG Huazhen LLP (“KPMG Huazhen”) in mainland China and PricewaterhouseCoopers in Hong Kong (“PwC HK”). As the PCAOB suspected, there was a high rate of deficiencies, including part I.A deficiencies, which the PCAOB defines as having such significance that the PCAOB believed the firm, (i) at the time it issued its audit report(s), had not obtained sufficient appropriate audit evidence to support its opinion(s) on the issuer’s financial statements and/or ICFR or (ii) in audit(s) in which it was not the principal auditor, had not obtained sufficient appropriate audit evidence to fulfill the objectives of its role in the audit. According to the inspection reports – KPMG Huazhen 11 was the principal auditor of 30 US-listed audit clients and participated in the audits of 77 other US-listed company audits. Of these, the PCAOB selected four audits for inspection, all of which were determined to have Part I.A deficiencies. PwC HK 12 was the principal auditor of three US-listed audit clients and participated in the audits of 27 other US-listed company audits. Of these, the PCAOB selected four audits for inspection, three of which were determined to have Part I.A deficiencies. Deficiencies were numerous and found in the financial statement areas of cash, revenue (and related accounts), inventory, other investments, goodwill and intangible assets, long-lived assets, and significant transactions, and involved departures from the following PCAOB rules and standards: Audit evidence (AS 1105) Audit documentation (AS 1215) Communications with audit committees (AS 1301) Auditing internal control over financial reporting (AS 2201) Responding to the risk of material misstatement (AS 2301) Substantive analytical procedures (AS 2305.16) Audit sampling (AS 2315) Consideration of fraud in a financial statement audit (AS 2401.61) Auditing accounting estimates (AS 2501) Auditor reporting on financial statements (AS 3101) Form AP - reporting of certain audit participants (Rule 3211) The PCAOB acknowledges that it is not unexpected to find numerous deficiencies in jurisdictions that are inspected for the first time and that the deficiencies identified by the PCAOB above are consistent with the types and number of findings the PCAOB has encountered in other first-time inspections around the world 13 . These deficiencies have not resulted in an enforcement action with these firms at this time. These two firms will almost assuredly be inspected again in 2024 or 2025. PCAOB Enforcement Activity The PCAOB was also very active in sanctioning China-based accounting firms since it obtained access to fully investigate China-based accounting firms in the PRC. In 2023, the PCAOB published three settled enforcement actions with PCAOB registered firms based in China. Two of the cases involving PwC were the direct result of information learned in the inspections the PCAOB conducted in 2022 after securing complete inspection access, according to the PCAOB’s press release announcing the settlements 14 . The following summarizes the PCAOB’s findings and corresponding money penalties imposed (refer to the related Orders for other sanctions), according to the PCAOB’s Orders published on its website – PwC China and PwC HK violated the integrity and personnel management elements of the PCAOB quality control standards by failing to detect or prevent extensive, improper answer sharing on tests for mandatory internal training courses 15 . These firms agreed to collectively pay $7 million in money penalties to settle their cases. Shandong Haoxin and four of its auditors falsified an audit report, failed to maintain independence from their issuer client, and improperly adopted the work of another accounting firm as their own. Interestingly, the US-listed company that was the audit client disclosed in the Order (Gridsum Holding Inc.) is not listed on the SEC’s Conclusive List. The firm agreed to pay $750,000 and the four auditors collectively agreed to pay $190,000 to settle the matter 16 . What to Expect in 2024 In a May 2023 news release by PCAOB Chair Erica Williams, she stated, “[t]he two firms we inspected in 2022 audited 40% of the total market share of U.S.-listed companies audited by Hong Kong and mainland China firms, and we are on track to hit 99% of the total market share by the end of this year.” 17 In addition, The 2024 PCAOB Budget includes the resources necessary to continue to drive inspection activities in support of the PCAOB’s mission to protect investors, “including inspecting the remaining firms registered in mainland China and Hong Kong under our mandate.” 18 These statements suggest the PCAOB continues to have unobstructed access to inspect and investigate PCAOB registered firms in China and Hong Kong. Accordingly, it is expected that – The PCAOB will release the inspection reports of the accounting firms that comprise the remaining 56% of the 99% of the total market share of U.S.-listed companies audited by China accounting firms in or about May 2023, and we anticipate those reports to continue to reveal that firms based in China have a lot of work to do to improve audit quality. Any remaining China-based accounting firms that have not been inspected—those making up the remaining 1% of the total market share—and follow-up inspections on those initially inspected are likely to occur this year, in 2024; and The PCAOB’s Division of Enforcement and Investigations will likely have continued to receive referrals from the Inspection Division as a result of the 2023 inspections of China-based accounting firms, and there will be multiple enforcement actions in 2024 or later as a consequence. What Firms in HK and China Should Do Now Prepare for initial inspection: An inspection is an examination of both the firm’s quality control policies and selected applicable client engagements. In essence, the inspection begins before the firm has even started an audit. An effective system of quality control provides the firm with reasonable assurance that its personnel comply with applicable professional standards and the firm’s standards of quality. In addition to reviewing the firm’s quality control documentation, the inspectors will review the audit work papers of the selected audits. Therefore, it is imperative that audit documentation be robust, easy to follow, provide a clear road map from planning and risk assessment to the conclusions reached, and is fully assembled in compliance with PCAOB standards. The achievement of these two objectives will go a long way toward making the firm’s initial inspection a smooth one. Post-inspection: The next step for firms after their initial inspection is to perform a root-cause analysis and remediate. A sound remediation plan that includes (i) focused training (ii) enhancements to policies, procedures, and methodologies; (iii) the adoption of PCAOB-specific audit tools and templates; and (iv) the implementation of pre-issuance reviews on riskier audits and post-issuance reviews of completed audits are just a few of the things firms can do to prevent poor inspection results and avert a referral to enforcement. Conclusion In sum, every audit should be conducted with the highest level of quality and with the notion that your audit will be selected for a PCAOB inspection. The published inspection reports and enforcement actions of the China-based accounting firms should serve as a guide. Read them carefully and revisit the standards cited therein to understand precisely why the firms were criticized and how the standards should be applied. Make audit quality your top priority. PCAOB Rule 6100. This was originally three years in the HFCAA, it was reduced to two years with the singing of the Consolidated Appropriations Act, 2023. PCAOB Makes HFCAA Determinations Regarding Mainland China and Hong Kong. The list is located on the SEC’s website at SEC.gov Holding Foreign Companies Accountable Act. Chinese companies switch auditors to avoid U.S. delisting risk - Nikkei Asia , May 16, 2023. Id. See PCAOB press release: Imposing $3 Million Fine and Requiring First-Ever Changes to Supervisory Structure, PCAOB Sanctions Marcum LLP for Significant Quality Control Violations | PCAOB (pcaobus.org) PCAOB Signs Agreement with Chinese Authorities, Taking First Step Toward Complete Access for PCAOB to Select, Inspect and Investigate in China | PCAOB (pcaobus.org) . FACT SHEET: PCAOB Secures Complete Access to Inspect, Investigate Chinese Firms for First Time in History | PCAOB (pcaobus.org) SEC.gov | Holding Foreign Companies Accountable Act 2022 - KPMG China - Inspection Report 2022 - PwC Hong Kong - Inspection Report PCAOB Secures Complete Access to Inspect, Investigate Chinese Firms for First Time in History | PCAOB (pcaobus.org) FACT SHEET: PCAOB Imposes Historic Sanctions on China-Based Audit Firms In the Matter of PricewaterhouseCoopers and In the Matter of PricewaterhouseCoopers Zhong Tian LLP In the Matter of Shandong Haoxin Certified Public Accountants Co., Ltd., et al PCAOB Releases 2022 Inspection Reports for Mainland China, Hong Kong Audit Firms | PCAOB (pcaobus.org) Chair Williams’ Statement Before the SEC Open Commission Meeting on the PCAOB’s Proposed 2024 Budget | PCAOB (pcaobus.org)

During the “Key Developments for Asset Managers, Broker-Dealers, Private Funds and Hedge Funds” panel at the Securities Enforcement Forum last month in Washington, DC, the panelists highlighted a settled enforcement action against an audit firm and the engagement partner relating to the audit of two private funds. This should alarm, and put on notice, all auditors that perform audits of private funds that the SEC’s enforcement reach extends to them. In this matter, the SEC alleges that the engagement partner, and the firm did not (i) adequately respond to significant risks identified during the planning stage of the audits, (ii) obtain sufficient appropriate audit evidence to support the audit opinions, (iii) prepare sufficient audit documentation, or (iv) exercise due care and professional skepticism in conformity with U.S. generally accepted auditing standards. Moreover, the engagement partner allegedly did not adequately supervise the audit engagement and the firm did not adhere to American Institute of Certified Public Accountants' quality control standards. Consequently, the firm settled to be censured and to implement undertakings to retain an independent consultant to review and evaluate certain of its audit, review, and quality control policies and procedures. The engagement partner agreed to a one-year suspension from practicing before the Commission as an accountant pursuant to Rule 102(e)(1)(iv)(B) of the Commission’s Rules of Practice, because of alleged “negligent conduct” for “repeated violations” of GAAS, according to the SEC’s Order. There was no civil money penalty. In this case, the SEC did not identify the names of the funds that were the subject of the audits and, therefore, it is presumed there was no financial statement or disclosure errors or fraud at these funds or committed by the funds’ management. This case emphasizes the SEC’s quest to hold gatekeepers like auditors accountable for negligence acts in the conduct of an audit of a private entity even when there is no underlying financial reporting issue.

The Canadian Public Accountability Board (CPAB) released their 2023 Interim report providing a snapshot of themes and insights from their 2023 audit quality assessment to date. Click the link here to read the report.

Auditors Abound: The Differences Between Internal and External Audit Author: Shane Rogers and Jackson Johnson It seems that in business, everywhere you look, interactions with auditors abound, whether management is responding to requests from internal audit, preparing for an external audit, or helping the external auditor prepare for their own audit from the PCAOB or a fellow peer inspection. Our regulatory environment is complex and given the overarching desire to preserve trust in the capital markets, various regulatory bodies have passed legislation creating a framework of diverse controls and safeguards. Companies must establish a control environment that ensures fair and accurate financial reporting; companies must also establish a system of internal controls that is effectively designed, operated, and monitored by management and thus internal audit entered the realm. However, because of potential conflicts of interest, independent auditors are critical to the financial markets, and thus external audit entered the scene. And of course, we all know about the failures of the self-regulated external audit industry, and thus the PCAOB entered the space. We’ve been writing about the PCAOB for many years now. Today, however, we’re going to take a look at the differences between the roles of internal and external audit and how, when coordinated, they can create some powerful synergies. Roles of Internal and External Audit Let’s start first by defining the roles of internal and external audit. Internal audit is typically a separate function within a company that has a formal mandate from the Board of Directors to review and assess the design and operating effectiveness of internal controls mitigating key financial and operational risks faced by the company. They often report directly to the head of the board, audit committee, Chairman or the Chief Executive officer, to ensure that important reported issues are sufficiently owned, actioned and mitigated. The primary focus of internal audit is to monitor the systems of internal control inside a company. While we often think of internal audit in the realm of financial reporting, internal audit’s scope can be much broader. Many companies use internal audit to objectively examine both financial and operational controls intended to mitigate key risks, and to report weaknesses in internal controls and to share forward-looking insights and feedback with management to help the business thrive. Internal auditors tend to have experience in the businesses that they review, and they use this knowledge to assess risks and evaluate the adequacy of internal controls. Although the name implies “internal” to the company, it’s important to know that many companies outsource internal audit to external companies; the distinction here is the focus of internal audit and who they report to. Internal audit is a corporate function with an objective mandate, which reports to the board, audit committee, or executive management. External audit is as it sounds; the auditor that is external to a company. While they also report to management, their mandate is actually to protect investors and report to the audit committee. Whereas internal audit may be objective, depending on how reporting is structured, external auditors, by definition, must be independent of the company. External auditors are typically concerned only with financial reporting. Depending on the risks and the type of company, external auditors may test the design, implementation and operating effectiveness of internal controls over financial reporting, but they will always perform substantive procedures to audit the financial statements. External auditors understand the operations of a company, but they do not concern themselves with operational risks and controls unless they could potentially impact financial reporting. Whereas internal audit knows the client in and out, external audit knows the accounting and audit industry and often knows the client’s industry in and out. External Audit Reliance on Internal Audit When performing an audit of the financial statements, especially when it’s an integrated audit leveraging controls reliance, the auditing standards allow for external auditors to rely on the work of internal auditors. Traditionally, external auditors use internal audit to assist with the audit of internal controls over financial reporting and other relevant functional areas given internal audit’s knowledge base and objectivity. Though permissible, it is rare to use internal audit with substantive testing. When relying on internal audit, the external auditor must evaluate both the objectivity and competence of internal audit. Objectivity is paramount since internal audit is still employed and/or engaged by management. Objectivity considers many of the following: • Who makes the hiring / firing decisions around internal audit? • Who controls performance evaluations and compensation decisions? • How are internal auditors assigned tasks? • Does the internal Audit team have sufficient financial and operational risk experience? • What is the structure for supervision and review? • Are internal audit workpapers of sufficient quality? • Who does internal audit report to? In theory, internal audit should always have a direct line of communication with the board of directors and the audit committee where they can raise any issues they identify. Competence is more a matter of education and experience. External auditors typically review CVs as well as the internal audit organizational structure, audit methodology, and supervision and review model. If internal audit is both objective and competent, then the external auditor may leverage the use of internal audit. The extent to which external auditors use internal audit will be a matter of professional judgement (as is everything in audit). As the risk of material misstatement increases, the less external audit will rely on the work of internal audit. Depending on risk, external auditors will need to perform a mix of review, reperformance, and independent testing. All work from internal audit must be reviewed by the external auditor. Review includes evaluating internal audit’s sample size, the test procedures applied, the timing of the testing (and any year-end roll forward procedures) and the conclusions reached. Although technically leveraging internal audit’s work, the external auditor takes full ownership. As the risk associated with the audit account increases, external auditors should consider a mix of reperformance and independent testing. Reperformance is as it sounds: reperforming the work of internal audit using the same samples and applying the same procedures to the same audit evidence. Independent testing, in terms of controls, means testing the same or similar controls and evaluating the conclusions reached. As a rule of thumb, external audit should be comfortable that it has performed sufficient testing in higher risk areas and should specifically perform direct testing on any areas that pose a significant and/or fraud risk. Ostensibly, there is judgment involved in determining when and how to leverage the work of internal audit and whenever there is judgment, the key is documenting those considerations. While external audit can rely on internal audit, the inverse is not true. Internal audit is inherently an extension of management and management’s controls and internal operations must be entirely independent of the external auditor. However, internal audit can leverage much of the knowledge and experience of external auditors to help improve and refine processes. Through planning discussions, internal auditors and external auditors are sharing information and views about perceived risks and best practices within the industry. There’s a fine line crossing over into consulting, which would breach independence, but external auditors often issue management recommendation letters sharing their thoughts from the audit and this same information can be discussed with internal auditors who often have more agency and insight into the company to drive improvements. Best Practices Considering the overlap between the two audit functions, let’s explore some of the best practices when working together. First and foremost: coordinate! We encourage internal and external auditors to maintain close lines of communication throughout the year and well before the year-end audit crunch time; operating as trusted partners, both internal and external audit teams should look for opportunities to leverage each other’s perspectives for the common good. The quality of the ongoing relationship between external and internal audit is important as is the perceived quality of internal audits work-product. Scheduling planning calls and regular touchpoints throughout the year and during the year-end audit will help ensure a smoother delivery of testing work. Establishing a shared overall timetable and a diary of events helps to keep both internal and external audit on the same page and helps facilitate discussions around changes year over year, including scoping of accounts, locations and controls. While internal audit can offer input and insight, external auditors must maintain control in setting the scope for the audit, including selecting controls to test, setting sample sizes for testing and agreeing on testing procedures. As with any audit, set clear timelines for performing, documenting, and reviewing planning, walkthroughs, interim and year-end testing. Once the timeline is agreed upon, keep regular touchpoints to monitor status and progress of the audit. While external audit can leverage much of the work of internal audit, it is important that internal audit and external audit perform joint walkthroughs . Walkthroughs often serve as the main procedure to understand the business processes and evaluate the design and implementation of controls. As this is a critical component of risk assessment, external audit must attend/perform these walkthroughs. As testing begins, internal audit should regularly document and external audit should review work timely. Perhaps most important is dealing with issues when and as they arise. Because internal audit does most of the controls testing, its incredibly important that potential control exceptions be raised and discussed, both with management, as well as with external audit so that all parties are involved in the discussion and can adapt accordingly. Again, this speaks to the importance of regular touchpoints between internal and external audit to ensure all issues are triaged appropriately and to ensure a unified front between internal and external audit to both management and the audit committee, free of any mixed messaging. Looking Forward As the world debates various ESG initiatives, some sort of ESG reporting will be required, whether from regulators in Europe or domestically by the SEC, or simply because investors demand it. The ESG environment is still in its infancy and there’s no one set of standards for company reporting or for independent verifications of ESG reporting. However, we’d venture to say it will fall within the realm accounting and finance, including internal audit, within a company and the most logical external party would be independent external auditors. Time will tell, but certainly there is high likelihood of continued coordination and collaboration. Until then, it’s important for internal and external auditors to continue to coordinate and share knowledge improving internal operations within companies and enabling higher quality (and more efficient) audits! Key Takeaways • Internal audit has a clear mandate from the Board of Directors to be objective in assessing risks and the design and operating effectiveness of internal controls; internal audit has a strong knowledge of risk, processes and internal controls that can assist external audit. • External audit is entirely independent of the company and they know accounting, auditing and client industries in and out; they can share valuable insights and feedback for internal audit. • Internal audit must have the proper competencies and MUST be objective (i.e. have a direct line of communication to the board and/or the audit committee). • External audit can leverage much of the work of internal audit, but the external auditor is still responsible for obtaining sufficient appropriate audit evidence to support the opinion, so the external auditor owns all final decisions. • When leveraging the work of internal audit, external auditors should incorporate elements of review, reperformance and independent testing, depending on the risk. Internal audit should never be used for audit areas with significant and/or fraud risks. • As with any audit, proper planning and coordination with all parties involved is critical. During planning, agree on project timelines, scope of work, expected deliverables, and communication protocols, including frequent touchpoints.

PCAOB 101 Part III: Exploring Enforcement Inquiries is the third of our three-part series on the inspection process. Please also explore Part I: Preparing for a PCAOB Inspection and Part II: Navigating Inspection Week for additional insights. PCAOB 101 – Part III: Exploring Enforcement Inquiries The PCAOB has multiple divisions; the largest includes the Division of Registration and Inspections (or DRI). The second largest division is the Division of Enforcement and Investigations (or DEI). While the inspection process acts as a “monitor” ensuring firms adhere to the audit standards, identifying areas for remediation and improvement, the enforcement process is more akin to the “judge and jury” enforcing compliance and deciding on various repercussions for noncompliance. In Parts I and II, we cover the inspection process. Now, in Part III, we’re going to provide an overview of the enforcement process. Enforcement Inquiries The enforcement division performs both informal and formal inquiries as part of its information gathering process to determine whether to pursue an enforcement action or not. Through our work supporting firms and their in-house and external counsel through enforcement proceedings, we know that the sources of tips and referrals are not specifically disclosed, but DEI does have contact information for tips and referrals online on its website; these tips could stem from anyone whether auditors, investors or the general public. We also know that there appears to be a correlation between enforcement inquiries and a) engagements with poor inspection results, b) firms with repeat/recurring inspection deficiencies (indicating a failure to sufficiently remediate) and c) SEC matters including restatements and SEC investigations. Based on the potential severity of the matter, DEI will either launch an informal or formal inquiry. DEI leadership has confirmed publicly that DEI (i.e. inspection results) are the largest source of referrals to DEI attorneys. Informal Inquiry Most DEI matters start as an informal inquiry whereby the firm can expect to receive an information request. Inquiries can be targeted at a firm, employees of the firm, such as the engagement partner, engagement quality reviewer or even the engagement manager, or both the firm and its employees. In addition, the investigation could be focused on a specific engagement or may focus on the firm and its system of quality control, or both. Although the inquiry is considered “informal,” be not deceived; all communication with the PCAOB’s DEI is formal and should be considered as information that will be reviewed and potentially used in the case against the firm or its employees. In other words, when receiving a DEI inquiry, presume potential litigation and respond very carefully. The initial communication will not specifically detail the crux of DEI’s focus, but it will make specific data requests. Through these requests, firms can begin to narrow down the potential concern(s). For instance, enforcement will often ask for audit workpapers for a specific issuer, for specific years and sometimes for narratives regarding audit procedures performed in certain audit areas. Through the power of deduction, if a firm received poor inspection results months earlier in the same focus area, one can reason that DEI is likely investigating the same or similar matter. The inquiry process starts with data requests, typically being audit workpapers, although firms will sometimes need to provide new / additional documentation depending on the requests. As well, DEI will often request email communications. This is a legal matter, so firms need to understand the preservation requirements and should not be deleting emails or other communication after receiving a DEI inquiry. Documents must be provided in very specific formats that include the metadata (i.e. various tags linked to data files such as dates documents were created, modified, etc.). We recommend collaborating with counsel to ensure full compliance with the data requests; there are specific service providers that can help with the document production to ensure compliance with PCAOB expectations. Document requests can be very large, so don’t underestimate the time required to comply. While firms may ask for additional time if needed, a pro-active response from the firm demonstrates cooperation. As DEI goes through the information provided, additional questions or documents may be requested, so there can be multiple phases of back-and-forth. If the enforcement team is unable to resolve its questions through the data requests and/or if the firm/engagement team is being non-cooperative, DEI will then launch a formal investigation through an Accounting Board Demand. Formal Investigation Although most investigations start through informal inquiries, some may begin directly with a formal investigation. The starting point is always the same: the document request. Once documents have been reviewed, testimony of individuals relevant to the investigation is often required. While DEI consists predominantly of lawyers, they also have accountants (i.e. auditors) who assist with the investigation process. For instance, while lawyers will build the case and determine the legal ramifications, they consult with accountants who assist in the review of data and advise on the technical auditing standards and rules of the PCAOB. Interviews start with a set list of questions though these are not communicated in advance and the enforcement team could expand as needed. Typically, the interviews are geared towards the engagement partner, the EQR, and the engagement managers for engagement deficiencies and then firm-level professionals for more quality control related matters. Again, it will always depend on the scope of the investigation, but the enforcement team will make it explicitly clear who they want to interview. Interviews can take entire days, but there are breaks built into the process, much like the inspection process. During these breaks, we find it beneficial for the firm and its staff to debrief the questions with its legal counsel as well as any accountants and/or PCAOB consultants. Legal counsel and the expert can help interpret the nature of the queries and help the engagement team understand the potential issues and where the PCAOB is going with its questioning. Enforcement Actions After testimony is complete, the enforcement team will review the totality of the evidence and conclude on whether to pursue an enforcement actions, if any. The most common actions include one or a mix of the following: Fines of both individuals and/or of firms. A permanent or temporary bar of individuals from associating with a PCAOB-registered firm Revocation of the Firm’s PCAOB registration. Restrictions on activities such as prohibiting taking on new clients or limiting the types of clients a firm or individual may audit. Remedial actions, sometimes requiring an independent monitor to ensure appropriate execution. As DEI evaluates enforcement actions, the investigation team will consider the cooperation of the firm and/or individuals involved in the investigation. Proactive responses, such as immediately remediating issues identified by PCAOB inspectors and investigators can also help reduce enforcement actions as it demonstrates that all parties involved take the matters seriously. Finally, transparency (read: honest and fully responsive) is paramount to the enforcement process. Whatever you do, do NOT modify audit workpapers ; the PCAOB requests metadata and will drill into modifications to workpapers. With enforcement, this is truly a case of “no news is good news.” In the absence of enforcement actions, DEI will not specifically communicate the closure of an inquiry; rather firms will simply not hear anything additional from DEI. Much like the SEC and comment letters, regulatory bodies often reserve the right to continue to pursue matters in the future should additional information come to light and thus, there is no formal conclusion communicated to the respondents. Preparation As we stated earlier, nothing about the enforcement process is informal; firms and individuals need to take the process seriously. Just as with inspections, first impressions matter . When a firm receives an enforcement inquiry, we recommend consulting with legal counsel immediately. And, just as DEI uses both lawyers and accountants, so too, should firms engage both legal counsel and accountants (or PCAOB consultants) to help navigate the enforcement process. Lawyers and accountants can help to: Interpret the data request to better understand the potential concerns and narrow down the scope as much as possible. Both legal and accounting support can also help determine the potential severity of the issue and the likelihood of advancement to further stages in the enforcement process. Assist with the review of deliverables to the enforcement team. Part of that review is ensuring documentation is being provided as requested with the appropriate metadata. We’ve seen firms provide data without paying attention to the detailed requests and then having to go back and provide modified data. The PCAOB is strict regarding documentation modification and now, in addition to the general inquiry, the firm is left having to demonstrate that it did not in fact modify any of the workpapers, providing even more documentation. In addition, we have helped review written memos and firm replies to specific questions, ensuring that the documentation is fully responsive to the request. Prepare individuals for testimony, coaching them on how to respond from a legal and technical accounting perspective, ensuring consistent communication. The key here is to be transparent in defending the work performed. We’ve seen many firms attempt to handle informal inquiries on their own and then bring in legal counsel later in the process when the inquiry turns formal. The enforcement process can be costly, both in terms of time and money. Bringing in the right counsel early in the process can help maximize efficiency by doing it right the first time, provide complete and accurate responses and demonstrating to the PCAOB that the firm is professional and understands the potential gravity of the matter, creating a strong first impression. Of course, the best advice we can give is for firms to invest in strong quality controls and for engagement teams to apply the auditing standards and perform strong quality audits. Take the inspections process seriously and with clean inspections and quality audits, firms will likely avoid much of the hassle and the potential repercussions that come with enforcement. As with all things PCAOB, know that you don’t have to go it alone. For more information, refer to the PCAOB’s guide to proceedings and don’t hesitate to reach out to us; we’ve supported numerous firms through enforcement proceedings and know the process well. Key Takeaways First impressions matter. Hire the right legal counsel and accounting experts to help navigate PCAOB enforcement inquiries. The first step in an inquiry is the documentation request. Be sure to provide a complete set of workpapers and documentation, adhering to the specific DEI requirements. For depositions, be transparent: that means being honest and fully responsive to the questions and not avoiding or trying to withhold pertinent information. Proactive firm and engagement team responses (and remedial actions, if relevant) and strong cooperation with the PCAOB DEI team can help reduce potential enforcement actions.