Johnson Global partners with leadership of public accounting firms, driving change to achieve the highest level of audit quality. Led by former PCAOB staff, JGA professionals are passionate and practical in their support to firms in their audit quality journey. We accelerate the opportunities to improve quality through policies, practices, and controls throughout the firm. This innovative approach harnesses technology to transform audit quality. Our team is designed to maintain a close pulse on regulatory environments around the world and incorporates solutions which navigates those standards. JGA is committed to helping the profession in amplifying quality worldwide.
Learn how to build your firm’s quality management system on time with actionable insights from Joe Lynch , Managing Director at JGA, as featured in the Journal of Accountancy . This article outlines eight strategic steps to ensure effective and timely implementation of quality management practices for your business.
If you feel like you’ve read this story before, you’re not alone. For the third year in a row, the PCAOB’s annual report on broker-dealer audits paints a familiar picture: high deficiency rates, recurring issues in revenue testing, and quality control systems that continue to fall short. The 2024 report marks more than a decade of inspections under the interim program - and yet, many of the same red flags remain. At JGA , we’ve tracked and provided our insights on these annual reports closely for the last several years¹. While we always take the PCAOB’s findings seriously, we also know that behind every statistic is a firm doing its best to navigate complex standards, resource constraints, and evolving expectations. That’s why Jackson Johnson , JGA President & Founding Shareholder, sat down with Tanieke Samuel , JGA Director, to unpack this year’s latest BD report - not just to highlight some noteworthy findings, but to translate them into practical guidance for firms working hard to get it right. Revenue Testing: A Familiar Story with New Implications Jackson Johnson (JJ) : The PCAOB flagged revenue testing as a recurring issue again this year - 48% of audits had deficiencies in this area. That’s consistent with 2023, but still a big jump from 34% in 2022. And the deficiencies weren’t limited to one revenue stream - they spanned commissions, advisory fees, 12b-1 fees, and more. Why do you think this continues to be such a challenge? Tanieke Samuel (TS) : ASC 606 isn’t new. The PCAOB isn’t moving the goalposts. What we’re seeing is that firms are still struggling to test revenue accurately - across all sources. In many cases, they’re not getting a solid understanding of how revenue is generated, and that’s where the breakdown starts. Whether it’s commissions, trailing fees, or advisory income, you have to understand the components and tailor your testing accordingly. And don’t overlook presentation and disclosure - if you’re lumping everything under ‘commissions’ without disaggregating or explaining the sources, that’s a red flag. Audit Committee Communications: A Missed Opportunity JJ : One of the more surprising findings this year was the uptick in deficiencies related to audit committee communications. The PCAOB cited failures to communicate the overall audit strategy, use of specialists, significant risks like related parties, and even uncorrected misstatements. These seem like foundational elements. What’s going wrong? TS : These aren’t gray areas. The standards are clear. But I think some firms are treating these communications as a formality - just rolling forward last year’s template. That’s risky. Audit committee communications should be a strategic touchpoint. You need to clearly explain your audit strategy, surface the right risks, and give the committee what they need to fulfill their oversight role. If you’re using specialists or identifying related party risks, those need to be part of the conversation - not an afterthought. JJ : This reminds me of recent Actionable Insights we issued earlier this year , where we encouraged firms to move beyond the standard AS 1301 checklist and use the PCAOB’s Spotlight as a conversation starter. Audit committees want more than compliance - they want clarity, prioritization, and meaningful dialogue. When firms treat these communications as a strategic opportunity, they not only meet the standard - they build trust and demonstrate value. Agree? TS : Absolutely. I’ve seen audit committees respond really well when firms take the time to prepare thoughtfully - bringing key issues to the forefront, previewing the discussion in advance, and even holding deep dives on emerging topics. It’s not just about what you say - it’s about how you engage. That’s what makes the difference. Journal Entry Testing: Still a Blind Spot JJ : Journal entry testing continues to be a pain point. The PCAOB noted that firms often fail to test the completeness of the population or apply meaningful fraud risk criteria. In some cases, teams just scan the listing and move on. Why is this still happening? TS : Some firms think that because they’ve tested certain entries substantively elsewhere, they don’t need to do more. But that misses the point of journal entry testing as a fraud detection tool. You have to start by asking: What fraud risks are relevant to this client? Then design your testing around those risks. Don’t just look for a keyword - think about what would actually raise a red flag in this environment. And document your rationale. That’s what separates a thoughtful procedure from a perfunctory one. JJ : Are you seeing this as a broker-dealer-specific issue, or is it just as prevalent in issuer audits? TS : It’s definitely broader. JJ : Across issuers and BD inspections, we’ve seen comment forms where teams selected journal entries based on high-dollar thresholds or year-end timing but didn’t tie those selections back to the fraud risk discussion. In one case, the team documented their criteria but didn’t evaluate whether the entries actually addressed the override risk they had identified. In another, the team selected entries from a non-representative population and didn’t test completeness. What specifically in BD-only firms are you seeing? TS : In BD-only firms, especially smaller ones, the journal entry population might be smaller, which can give a false sense of simplicity. That can lead to shortcuts - like scanning instead of testing. In issuer audits, the volume and complexity might be higher, but the same root issue shows up: teams not linking their procedures back to the fraud risk assessment. Whether it’s a BD or an issuer, the key is to critically evaluate your criteria and make sure your testing is responsive to the risks you’ve identified. QC 1000: Turning Insight Into Action JJ : With QC 1000 going into effect at the end of the year, firms have a real opportunity to use the PCAOB’s findings as a risk assessment tool. But it’s not just about checking a compliance box - it’s about using these findings to inform a more thoughtful, iterative approach to quality. For example, we’ve emphasized the importance of root cause analysis (RCA) as a foundation for risk assessment. TS : Exactly. I emphasize to clients that RCA helps firms move beyond surface-level fixes and identify systemic issues that may be contributing to recurring deficiencies. When firms use PCAOB findings as inputs into their RCA process, they’re not just reacting - they’re proactively identifying where their system might be vulnerable. RCA helps connect the dots between what went wrong and why it happened, which is essential for designing controls that actually work. It’s not just about fixing the symptom - it’s about addressing the underlying condition. JJ : As firms read this report and try to make sense of how to incorporate it into their QC 1000 implementation, how should they approach this? TS : I would say incorporating the observations from this report and reflecting the applicability to your own practice is the concept of continuous improvement. This is a foundational concept of QC 1000. Implementation is about more than policies - it’s about culture . It’s about how you learn from what’s happening in the field and apply it to how you manage risk across the firm. When risk assessment becomes a living process - not a one-time exercise - firms are better positioned to adapt, improve, and ultimately deliver higher-quality audits. That’s the mindset shift we’re encouraging. ¹See our Actionable Insights on the PCAOB’s annual broker-dealer inspection reports from each year by entering “broker-dealer” on the search bar of the JGA Advisor page on our website. At Johnson Global Advisory, we support firms in selecting, implementing, and optimizing these tools to meet their unique needs. For more insights, visit our blog or contact us to learn how we can help your firm AmplifyQuality®. For more information, reach out to your JGA audit quality expert .
Introduction In today’s regulatory climate, audit firms must take a fresh look at how they evaluate engagement acceptance and client continuance. The stakes have never been higher. With the PCAOB’s newly adopted QC 1000 standard and the AICPA’s SQMS 1 framework now in effect , firms are expected to demonstrate a more rigorous, risk-based approach to quality control—starting with the very first decision: "Should we take this engagement?" The PCAOB recently released a new Audit Focus: Engagement Acceptance on this topic (Audit Focus). At the same time, we’ve been speaking, writing, and helping firms improve their process in this area. On the steps of PCAOB’s recent and timely guidance, this article explores the evolving risk landscape and offers practical guidance for firms to strengthen their engagement acceptance protocols in line with new regulatory expectations and JGA’s quality management insights. The New Risk Landscape: What QC 1000 and SQMS 1 Require The PCAOB’s QC 1000 standard introduces a scalable, risk-based framework that applies to all firms performing PCAOB engagements. It emphasizes that engagement acceptance is not just a procedural checkpoint, it’s a critical quality control decision that must reflect the firm’s risk profile, independence safeguards, and capacity to deliver a high-quality audit. Key risks highlighted in QC 1000 include: Independence and ethics violations: Firms must have systems to identify and escalate potential conflicts, including automated tracking of financial interests. Monitoring of in-process engagements: Firms are expected to assess quality risks before and during engagements, not just after the fact. Scalability and oversight: Larger firms face enhanced requirements, including external oversight and formal complaint tracking mechanisms. Similarly, SQMS 1 requires firms to design and implement a system of quality management that includes robust procedures for engagement acceptance and continuance. These procedures must consider: integrity and reputation of the client firm competence and resources ethical and legal requirements, and risks to audit quality and compliance. Issues arising from poor or inconsistent client or engagement acceptance policies and procedures isn’t new, but is being looked at in new ways by firms and their regulators with the: decrease in public company auditors qualified or going to market on conducting public company audits increasing number of firms that have been stripped of their privilege to conduct public company audits, and movement of companies to different auditors (think BF Borgers as the most egregious example, but your typical attrition in the most common case). The PCAOB, AICPA, and other regulators around the world, will take these business risks and apply them in a new lens in their inspection, peer review, and enforcement processes as they look at how firms have identified and addressed risks when implementing their QC system when it comes to client acceptance. Improving Communications: Predecessor Auditors & Audit Committees Recent PCAOB inspection findings and the Audit Focus document emphasize that engagement acceptance decisions are under increasing scrutiny. Deficiencies in areas like AS 1301 (Communications with Audit Committees) and AS 2610 (Successor Auditor Communications) often stem from weak or incomplete risk assessments at the outset of the engagement. Firms must be prepared to engage in transparent, candid conversations with audit committees, especially when the going gets tough. Whether it’s disclosing an unanticipated CAM , identifying a material weakness in internal control , or explaining a shift in audit scope, the ability to communicate openly and credibly is a hallmark of audit quality. Similarly, in our article on audit committees , we emphasized that audit committees are becoming more sophisticated and assertive. They expect auditors to be proactive, risk-aware, and ready to explain their judgments—not just their procedures. The Audit Focus does a great job of asking questions for firms to consider in assessing the quality of both management and the AC. As part of your engagement acceptance process, assess not only the technical risks of the engagement, but also the firm’s ability to maintain transparency and trust with the audit committee. Ask: Will we be able to have frank conversations with this client’s governance team? Are we prepared to deliver difficult messages if needed? Do we have the right people and protocols in place to support those conversations Internal Inspections: Engagement Acceptance as a Root Cause The Audit Focus also highlights how engagement acceptance decisions can directly impact audit quality and inspection outcomes. We encourage firms to examine their internal inspection programs to see how/whether outcomes can inform or rise to potential root causes targeting the firm’s engagement/client acceptance process. For example, a risk-based selection for the annual internal inspection process should include certain jobs tied specifically to new client and new engagements:
