The PCAOB recently released the Spotlight: Additional Insights on the Remediation Process . In it, there is a crucial distinction as to what constitutes a repeat or persistent criticism. "A criticism that occurs in Part II of at least two consecutive inspection reports, or that occurs consistently, even if it skips one or two inspection reports, is considered a repeat or persistent criticism. The inspections staff evaluates similar deficiencies, regardless of how these deficiencies have been categorized in Part II in prior inspection reports. For example, if the year subject to remediation included a QCC related to testing assumptions of estimates, and the prior year included a QCC related to testing assumptions of business combinations, the QCC for the subsequent year would likely count as a recurrence because the underlying deficiency in both instances relates to testing assumptions.” It is important that firms do not mistakenly believe that because a quality control criticism is not reported in one inspection, that the finding, if it comes up again, is not a repeat finding. It is imperative that firms focus on similar deficiencies as they prepare for subsequent inspections to ensure that any remediation or monitoring processes have effectively addressed the deficiency. Also, a firm’s timely reactions to any previous ineffective actions will count in its favor. “The Staff Guidance further discusses the fact that strong remediation efforts, particularly when accompanied by effective firm monitoring procedures and timely adjustments, can weigh favorably in the inspection staff’s recommended remediation determination, even if subsequent inspection results indicate recurrences of the same type of deficiency.” The spotlight further mentions that when employing any new tools to address previous deficiencies, it is critical that the firm ensures that the new tools are mandatory and that its teams are using them effectively. Additionally, as firms develop remediation training programs for teams, the spotlight outlines important aspects to be included that firms may lose sight of. To read the full spotlight please visit the PCAOB’s website by clicking here .

PCAOB Inspection Observations: A Recap of 2021 Inspections As part of its initiative to increase visibility as well as to provide meaningful information, over the past couple years, the PCAOB has released an annual inspections observation report. The 2021 inspection observations, which was most recently published in December 2022, contains various sections which address some of the trends related to inspections, the recurring deficiencies both at the engagement and QC level, as well as some of the best practices observed. Let’s take a closer look at each of the four main sections of the report: Trends in Inspections This is the first visibility into audit quality during the pandemic. During 2021, the PCAOB inspected a total of 690 audits across 141 audit firms; 12 of those firms are annually inspected and the other 129 are triennial firms. 2021 inspections were predominantly over audits of fiscal years ending on December 31, 2020. Overall, the PCAOB found an increase in inspection findings across all inspections. Approximately 55% of audits will have at least one Part I.A and/or Part I.B deficiency, up from 44% in 2020. The PCAOB continued to increase unpredictability in its inspections, both in the selection of issuers and in selection of focus areas. That said, the Board still performs its own risk assessment and intentionally inspected larger public companies with a focus on financial statement areas with a greater risk from COVID, such as impairment and current expected credit losses (CECL). In addition, the PCAOB’s Target Team also performed inspections across firms over specific focus areas. In 2021, the Target Team focused on fraud, going concern, SPACs, and cash and cash equivalents; their findings can be found in the PCAOB’s August Spotlight . Common Deficiencies The most insightful portion of the PCAOB’s spotlight is the section on recurring deficiencies. We’ve written about many of these before, including the Regulator Who Cried Wolf and Repeat Findings , so it should come as no surprise that many of the current year's findings are repeats from prior years. The PCAOB explicitly stated: “We expect audit firm leadership to address the recurring nature of these deficiencies and monitor the effects of actions taken. An audit firm’s inadequate response to address recurring deficiencies may warrant additional action such as the Division of Registration and Inspections referring firms to the Division of Enforcement and Investigations for potential investigation or disciplinary action for failing to comply with PCAOB standards.” We have seen through our work with firms that the PCAOB is in fact taking enforcement seriously. The PCAOB has also expressed its expectation that firms begin performing root cause analyses to understand the reason for repeat findings. Root cause and remediation are significant parts of the new quality control standards , so firms need to take this statement to heart. Let’s take a closer look at each of the sections identified by the Board: Internal Control over Financial Reporting (ICFR) Management review controls (MRCs): MRCs continue to be one of the most cited deficiencies in inspections. Engagement teams need to understand and document precision, review procedures performed by management and how the engagement team validated these procedures, identification of items for follow-up and whether such items were addressed. Identifying and selecting controls to test: This goes back to understanding the likely sources of potential misstatement or “what could go wrong” (WCGW). Each WCGW should have a correlated control to address the risk. This includes controls around completeness and accuracy of information used in controls. Testing operating effectiveness (aside from MRCs): Engagement teams need to ensure they are sufficiently testing all relevant control objectives. Remember that inquiry alone is not sufficient. Also, the nature of the test and the evidence obtained must correlate to the assessed risk. Evaluating deficiencies in ICFR : Engagement teams are quick to document why every deficiency is “just a deficiency” and not a material weakness. We encourage teams to begin with the concept that if a control is in scope, it is designed to address a risk of material misstatement, which means that if it is deficient, it is a potential material weakness. Start with that premise and then consciously pare it back based on the relevant criteria. ICFR is especially important in integrated audits given the fact that controls often impact the nature, timing and extent of the substantive audit. In other words, if controls are not tested properly, then the substantive audit testing approach may no longer be supported. Revenue and Related Accounts Evaluating accounting: Especially in light of the new ASC 606 guidance, the PCAOB has focused on the auditor’s evaluation of the technical accounting, in accordance with the applicable financial reporting framework. Inspectors consistently took issue with engagement teams’ failures to evaluate the identification and satisfaction of performance obligations and the allocation of transaction price. In addition to accounting, the PCAOB cited concerns around insufficient footnote disclosures. Completeness and Accuracy (C&A): This topic seems to recur throughout all the PCAOB’s findings and will only continue to rise in importance as companies move away from more manual processes and implement more information systems, automating significant processes. Data is only as useful as it is complete and accurate (if generated from inside the company) or relevant and reliable (if generated from outside the company). Technology-Based Tools: Firms are increasingly using software audit tools in substantive audit procedures; in particular, the PCAOB noted increased use of technology in revenue, but also in testing inventory, journal entry testing, investments, and CECL. Inspectors are identifying concerns around: Populations used in data analytics: What is the population being used? Is it complete? Is it relevant? Is the data “pure” or is it mixed with other irrelevant information? For instance, if the engagement team is performing a cash proof for revenue, how does the engagement team know that the cash population is ONLY for revenue payments? Does the cash population include cash payments for other financial statement accounts? Resolving exceptions identified: When using data analytics, all exceptions need to be identified AND resolved. Accounting Estimates Estimates have always been difficult to audit, but COVID especially challenged the auditing of estimates given subjective assumptions and measurement uncertainty. The most prominent findings included: CECL – Engagement teams often did not sufficiently evaluate qualitative factors used in calculating reserves. The PCAOB specifically indicated its concerns around teams’ failures to evaluate changes in qualitative factors AND/OR evaluating the lack of changes year over year. Reasonableness of significant assumptions: Specifically, in forecasted cash flows, engagement teams failed to sufficiently evaluate the basis for the assumption as well as the consistency of the assumption within the industry or compared to external factors (i.e. COVID) as well as within company, taking into account management’s intent and ability. In other words, as part of the evaluation of significant assumptions, it’s not enough to just obtain some support; auditors need to take a step back and fulfill all requirements of the standard , including comparing the assumptions to external factors, to management’s intent or ability, and to past years’ performance (i.e. perform a lookback review) to understand changes AND lack of changes in assumptions. This is especially true given the unprecedented nature of COVID. Inventory Valuation: Engagement teams failed to sufficiently test the cost of material inventory balances. If a balance is material, by its very nature, it poses a risk of material misstatement. We’re not saying you have to audit all 100% of inventory, but the engagement team needs to evaluate (and potentially document) the residual risk of material misstatement for all untested balances. C&A: Yet again, completeness and accuracy of information used in valuation testing, such as inventory reserves, needs to be tested and documented. Equity and Equity Related Transactions Evaluating accounting: Again, teams need to evaluate technical accounting to ensure it is in accordance with the applicable financial reporting framework. In particular, the PCAOB found that many auditors concluded incorrectly on the accounting for warrants related to SPACs . Digital Assets Audit evidence: The PCAOB challenged the appropriateness of audit evidence used in performing audits of digital assets . Said differently, the PCAOB is challenging the completeness and accuracy and/or relevance and reliability of information used in audit procedures when testing digital assets. Other Areas CAMS : Engagement teams need to keep in mind the completeness of their evaluation of potential CAMs and ensure the completeness and accuracy of the CAMs disclosure in the audit report. The standard is clear that ALL communications to audit committees must be evaluated and documented, even if it’s clear that the communication is not a CAM. Audit Report: Despite being several years old, engagement teams are still struggling to appropriately calculate auditor tenure, specifically, the start date. For more information, the PCAOB has provided specific guidance . Audit Committee (AC) Communications: Teams need to remember to communicate ALL required AC communications, including discussing use of accounting firms and shared service organizations, critical accounting policies/practices, and providing material written communications, such as the management rep letter. Form AP: Like audit tenure, Form AP has been a requirement for several years, but firms are still failing to accurately (specifically regarding use of other accounting firms and accurately calculating % participation based on hours incurred) and timely file Form AP. Again, the PCAOB has specific guidance over Form AP. Audit Documentation: The PCAOB was often provided with “persuasive other evidence” during inspections, indicating that firms are failing to archive a complete set of workpapers. Fraud Considerations: Recurring findings include failing to evaluate/document the completeness of the JE population, examining underlying support for journal entries selected for testing, and testing all journal entries meeting the “characteristics of potential fraudulent entries.” Quality Control Considerations Through the inspection process, the PCAOB also reviews different quality control aspects of a firm. Some of these findings are identified through specific inspection procedures (e.g. independence checks) while other findings are derived from themes emerging from the results of engagement inspections (e.g. supervision and review). With the release of the proposed QC 1000 , the PCAOB will continue to focus more on the effectiveness of firms’ systems of quality control. Independence SEC Reg S-X Rule 2-01: The PCAOB continues to find that firms are failing to prevent and/or identify Rule 2-01 violations. Inspection results indicated that firms’ internal independence compliance and monitoring is often deficient. Audit Committee pre-approval: Both the SEC and the PCAOB have specific AC pre-approval requirements for audit work, tax services, and non-audit work. In other words, all services performed for a public issuer audit client must be pre-approved in some capacity by the audit committee. Supervision and Review The issues below typically stem from audit engagement failures identified in the section above. In other words, if there is a deficiency in auditing estimates (which are typically linked to significant and/or fraud risks), the PCAOB takes the stance that a thorough review by the engagement partner and EQR should/could/would have identified these issues and thus, a prevalence of Part I issues indicates a deficiency in the supervision and review. Specifically: Documentation: Audit documentation is often insufficient for managers, partners and EQRs to perform a thorough review. Evidence of EQR review: The PCAOB took issue with the lack of evidence of review. Remember, an EQR review is more than just a sign-off. Internal Monitoring Performing reviews: Internal inspections are a requirement under the current PCAOB QC 20 . They will become an even more important part under the newly proposed QC 1000. Whether internally, externally, or co-sourced, the point is, firms must perform internal inspections. Ineffective reviews: The PCAOB often performs inspections of audits previously inspected by the firm itself. The point is to evaluate the effectiveness of the firms’ review. When the PCAOB identifies issues NOT identified by the firm, it’s an indication that the firms’ reviews are ineffective. Registration State registration: The PCAOB identified multiple audits performed in states where firms are not licensed / registered. Good Practices In an attempt to provide more useful information to firms to help remediate deficiencies and ensure quality audits, the PCAOB has begun to release “good practices” it has identified from various interviews with firms. These are important tools and concepts that firms should consider incorporating into their own systems, especially considering the impending overhaul of QC systems. Templates Many firms are developing templates (that pull directly from the standards) to help facilitate the execution of audit procedures, such as how to test MRCs or how to audit accounting estimates. Improving risk assessment Given an increased focus on risk assessment , many firms are revising how they approach risk assessment; ultimately, we perform risk-based audits, so let’s be sure to thoroughly evaluate the risks and then link our audit procedures to the assessed risks. Subject Matter Experts (SMEs) The PCAOB noted that many firms are requiring the use (or perhaps consultation) of SMEs in specific audit areas, typically those with higher risk, such as business combinations. In addition, many firms have used personnel outside of the engagement team to help with reviews of certain areas, such as CAMs. SMEs and targeted reviewers help bring expertise and drive consistency in approach and execution across the firm. Independence Technology: Firms are investing in technology to help prevent / detect independence violations. For instance, technology tools tracking time charged vs. financial holdings vs. independence sign-offs. Technology can also be used to expand/change how certain procedures are performed, such as importing brokerage statements as opposed to manual input of financial holdings. Confirmations: More frequent independence confirmations (i.e. quarterly or semi-annually) have also shown to help prevent independence violations. Disciplinary actions: Finally, some firms are implementing new processes, including disciplinary actions, for failure to comply with firm policies and independence requirements. Supervision and Review Metrics: Firms are using technology to start tracking supervision and review, measuring actual reviews against targeted timelines. Achieving these milestones, or failing to, is also being incorporated into performance evaluations. Similarly, firms are establishing certain ranges for various metrics, such as an engagement partner’s and EQR’s hours as a percentage of total audit hours. For partners and EQRs who fall outside the range, firms are meeting to understand the circumstances and conclude on whether additional measures are needed to ensure audit quality. Templates: As mentioned above, templates (and training) can help guide reviews in accordance with standards. Key Takeaways Whew! Breathe for a minute; that’s a lot of information. Recurring findings are apparent and the PCAOB expects firms to drive change to remediate these issues. There are several resources (as evidenced by all the links) to help better understand the identified issues and to help resolve the deficiencies. You don’t have to go it alone; so, don’t hesitate to reach out if you don’t know where to start.