Open Board Meeting: PCAOB to Consider Adopting New Standards on General Responsibilities of the Auditor in Conducting an Audit, Quality Control

In September 2024, the PCAOB released a spotlight on auditor independence, highlighting critical observations from inspections (the “Spotlight”). As we react to these findings at JGA, we emphasize the importance of understanding these key themes and translating them into actionable solutions for our clients. 1. Audit Committee Pre-Approval of Services A persistent issue remains regarding the pre-approval of audit and non-audit services by audit committees. Too often, we see audit teams commence work prior to the date necessary engagement letters signed by the audit committee. This practice not only undermines compliance but also risks auditor independence. Actionable Insight: To mitigate this risk, firms should ensure that no work begins until the audit committee has pre-approved the engagement. Implementing an all-inclusive engagement letter that details all services—including consent and comfort letters, as well as quarterly reviews —will streamline the process and enhance compliance. 2. Independence Representations and Compliance Testing The Spotlight indicates an increase in the issuance of comment forms related to independence representations, particularly concerning personal independence compliance testing. A notable concern is the cutoff risk for new hires; for instance, if an independence representation is conducted annually in June, a new hire added in September may not be confirmed as independent. Actionable Insight: Firms should adopt a more frequent compliance representation and testing schedule—ideally quarterly or semi-annually—and ensure that new hires are included in these independence confirmations. This practice can help maintain independence throughout the audit engagement. Another best practice is to obtain independence representation from each new hire prior to commencing any work. Sometimes, we observe engagement partners stumble to respond on how they ensure all team members are independent of the issuer. Some firms require documenting individual team members independence reaffirmations within the issuer audit file while other firms rely on firm wide independence reaffirmations. In latter case, JGA recommends engagement partners should document that they checked that i) each team members’ independence representations had no exceptions and properly filed in the firm wide repository and ii) restricted list include this issuer. 3. Monitoring Restricted Entity Lists The spotlight highlights that smaller firms often circulate their restricted entity lists annually, which can lead to cutoff risks with new clients. This underscores the importance of continuous updates to the restricted list. Actionable Insight: Firms should verify independence based on an updated restricted entity list at the time of any new client engagement. Regular updates and confirmations of independence for new clients are essential to mitigate risks. Also, best practice is to obtain independence representations for each prospective audit client during client acceptance procedures. This practice along with new hire practice mentioned above would substantially bridge the gap between periodic firm wide independence reconfirmation processes. 4. Independence Policies The Spotlight notes that many smaller firms lack detailed written policies for monitoring independence. This gap can lead to inconsistencies in compliance and potential independence violations. Actionable Insight: JGA recommends that all firms, especially smaller ones, develop comprehensive written policies that detail how they monitor independence. This should include procedures for individual engagement independence certifications, ensuring all engagement team members have signed off on the firm-wide independence representation. The policy should outline regular independence testing procedures, including the nature, timing, frequency, and scope of these tests. This should encompass self-assessments of investment portfolio reviews for all partners, as well as independent testing of these reviews by an external consultant or HR personnel, including a sample of other audit staff. Policy should also provide guidance to all personnel on what to do in case of self-identified independence violations. Sometimes in attempt to self-cure the violation personnel may unintentionally exacerbate the issue. So, emphasize on promptly reporting independence violations over trying to self-cure them is very important. 5. Indemnification Clauses Indemnification clauses were particularly noted in foreign firms’ engagements, which can complicate compliance with U.S. requirements. It is crucial for firms to avoid creating conflicting terms across different engagement letters. Actionable Insight: Firms should use separate engagement letter templates for public company audits that strictly adhere to U.S. requirements. If an audit involves local statutory purposes, maintaining the most restrictive requirements across all engagements for the same client is advisable to ensure compliance. We note that most of the time it is not practicable to separate number of hours spent on local statutory audit while doing PCAOB audit. So, we strongly advise to remove any language that may be construed as indemnification of auditor liability from all engagements with SEC issuer audit clients. 6. Inclusion of Contractors in Independence Monitoring The oversight of contractors in the audit process can lead to lapses in independence compliance. The Spotlight suggests that many firms may not fully account for these individuals. Actionable Insight: Firms must obtain annual independence representations from all contractors before they commence work. Such independence representations should cover all period the contractors perform their work. This proactive measure will help ensure that independence is maintained throughout the audit process. Conclusion This spotlight on auditor independence serves as a crucial reminder of the ongoing challenges and the need for vigilance in compliance. At JGA, we are committed to bridging the gap between regulatory expectations and practical solutions. By implementing these actionable insights, firms can enhance their quality control systems, ensure compliance with respective standards and rules, and ultimately foster greater investor confidence. For personalized guidance on how to address these issues in your practice, reach out to your JGA Audit Quality Expert, or contact: Jackson Johnson, CPA President & Founding Shareholder jjohnson@jgacpa.com Farkhod Ikramov, CPA Director fikramov@jgacpa.com

The SEC’s recent approval of PCAOB’s QC 1000 standard marks a significant shift for accounting firms. QC 1000 aims to enhance the quality control (QC) systems of registered firms, with scalability based on firm size and complexity. The response from the industry, including our team at JGA, highlights both the challenges and opportunities that this change will present. This Alert outlines JGA's reaction to QC 1000 and discusses what it means for our clients. JGA commented on the proposal; you can read our position on the proposal here . During the SEC Open Commission Meeting on September 9, 2024, several notable points were raised regarding QC 1000. JGA’s review of the meeting and our team’s subsequent discussions focused on key risks with this change, such as the implementation challenges and effort, but also noted some positives regarding the potential for improved audit quality and opportunities to improve processes and managements insights. Our Main Takeaways Implementation Challenges QC 1000 requires all registered firms to design a system for compliance, even if they do not perform audits of issuers or broker-dealers. This is a significant concern, as firms may need to design systems for hypothetical scenarios, leading to confusion and unnecessary costs. Around 60% of firms will need to design frameworks they may not use. The standard imposes a higher level of rigor compared to existing QC standards, and firms may face difficulties aligning their systems with the new prescriptive requirements. Hester Peirce, one of the SEC Commissioners, cited these challenges as reasons for her opposition, echoing concerns from many smaller firms. Considerations Regarding Effort The design-only requirement (without immediate operational implementation) introduces additional costs for firms, particularly in smaller firms or those that do not handle issuer audits. Paul Munter, SEC’s Chief Accountant, acknowledged that firms could face increased costs, particularly those related to additional personnel, training, and system design. Scalability and Continuous Improvement On the positive side, JGA sees QC 1000 as a framework that, while complex, offers scalability based on firm size. This presents an opportunity for firms to improve audit quality continuously, which is likely to enhance their standing in the marketplace. While some firms might not feel immediate benefits, especially those focusing on non-issuer audits, the overall emphasis on audit quality in capital markets aligns with the long-term interests of many firms. Confidentiality Concerns The content of the new QC forms required under QC 1000 may raise concerns about confidentiality. While some protections are in place, firms must remain cautious about the sensitivity of the information included in these forms. What This Means for Our Clients For our clients—primarily accounting firms that must adopt QC 1000—the implications are multifaceted. Increased Compliance Burden: Clients will need to overhaul or redesign their QC systems, which will incur both time and financial investments. The 60% of firms that Commissioner Peirce mentioned, which are only hypothetically impacted by the standard, must still dedicate resources to comply, even if their actual use of QC 1000 remains limited. Cost of Implementation: Smaller firms will likely face disproportionately high costs as they align their systems with QC 1000's rigorous requirements. JGA recommends that clients assess their current QC systems and consider phased approaches to implementation where feasible. Partnering with external consultants or firms with QC expertise may help mitigate some of these costs. Training and Education Needs: Significant training will be necessary to ensure that teams understand and comply with QC 1000’s requirements. JGA encourages clients to begin training key personnel now, particularly those involved in quality control and compliance, to ensure a smooth transition. Scalability and Competitive Advantage: For firms able to navigate the transition successfully, there is the potential for a competitive advantage in the market. The emphasis on continuous improvement in audit quality could position firms as leaders in audit services, attracting clients who prioritize regulatory compliance and high-quality audits. Future Regulatory Scrutiny: The new standard may invite closer scrutiny from regulatory bodies like the PCAOB, particularly as it relates to the design of QC systems. Firms should expect more frequent inspections, and the robustness of their QC systems may become a key focus. Client Communication: JGA advises that firms begin communicating with their clients about the upcoming changes and the steps they are taking to ensure compliance. Transparency in this process will help maintain trust and demonstrate proactive management of regulatory changes. Conclusion QC 1000 represents both a challenge and an opportunity for our clients in the accounting sector. While the increased costs and implementation challenges are concerning, the scalability and focus on audit quality could yield long-term benefits. JGA recommends that firms take a strategic, proactive approach to compliance, balancing the immediate burdens with the potential to improve service quality and client satisfaction. As the landscape evolves, we will continue to monitor developments and provide guidance to ensure our clients remain compliant and competitive in this changing regulatory environment. Please reach out to your JGA audit quality expert, or contact: Joe Lynch, CPA, CITP Managing Director & Shareholder jlynch@jgacpa.com Shanett Edwards-Morton, CPA Director sedwards-morton@jgacpa.com

On July 25, 2024, the PCAOB released the Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers (PCAOB Release No. 2024-009) which provides (i) information about its 2023 inspections approach, (ii) a summary of the 2023 inspections observations, (iii) a description of good practices that may be effective to address those scenarios; and (iv) reminders for firms of the requirements of certain PCAOB standards. The PCAOB observed higher deficiency rates in examination, review, and audit engagements, which it described as a cause for significant concern . The PCAOB report overall noted at least one deficiency was observed in 70% of the 103 audit engagements reviewed, which marked an increase from the 58% deficiency rate observed in 2022. As has been the trend we've seen over the last couple of years, when supporting clients going through inspection. We, at JGA, have seen the rigor of the inspection process increase, particularly in the areas of revenue, journal entry testing and increasingly, audit committee communications and independence-related matters. The PCAOB’s report outlined an increase in the deficiency rate that was primarily driven by the increase in the number of inspections performed of firms that have not been previously inspected and the increase in the deficiency rate in audit engagements observed at the largest audit firms reviewed. From our perspective, firms that have not been previously inspected are typically smaller practitioners and they may not be aware or prepared for the rigor of an inspection. The PCAOB identified an increase in the deficiency rate in examination engagements of compliance reports. Some deficiencies noted, among others, were around the lack of obtaining a sufficient understanding of the financial responsibility rules and planning the examination engagement by obtaining a sufficient understanding of broker-dealer processes. We have observed this statement expressed over the years and it is the root cause of many inspection findings. We have also seen this issue surface when providing in-flight reviews of audits for our clients. When we see this issue in our practice monitoring engagements, we encourage firms to provide their audit professionals with training around identifying, evaluating and testing relevant controls at their clients. The PCAOB report outlines that revenue deficiencies increased to 48% from 34% in 2022. As seen in previous years, as it relates to the audits of broker-dealer financial statements, the PCAOB noted the highest deficiency rate around firms’ responses to the risk of material misstatement for revenue. The PCAOB identified deficiencies around testing the accuracy of the amount of revenue recorded, including accuracy of inputs that determine revenue, across all revenue sources indicated in the annual report. Our clients have the most success in avoiding these issues by spending the time up front during the risk assessment process and performing detailed walkthroughs of the revenue cycle. The annual report also identified various other areas of deficiencies noted in the 2023 inspection cycle. One area to note is that for the first time, auditor independence was presented separately in the report and the PCAOB noted instances of deficiencies around non-compliance with PCAOB Rule 3526. This could be an indication of the increased focus by the PCAOB on independence-related matters. The PCAOB also observed an increase in deficiencies related to auditor communications with audit committees. Additionally, the report highlighted deficiencies identified around the monitoring of firms’ accounting and audit practice and indicated that some firms did not perform annual internal inspections. Through our work, we’ve noticed a direct correlation between inspection deficiency rates, and a loosely defined or poorly defined internal inspection program. As the expectations haven’t changed around this, we encourage firms to take a look at their internal inspection programs to ensure they specifically cover BD audits and have tailored procedures specific to the risks in a BD audit. Similar to previous reports, for certain areas, the PCAOB has also provided good practices and reminders as illustrative examples that firms may find effective in addressing various scenarios. These include, but were not limited to, good practices related to evaluating service organization reports and the scope of services covered and reliance on evidence in SOC 1 reports. JGA has provided objective, independent feedback to firms, in real-time as engagement teams perform audit procedures around SOC 1 report evaluation and reliance. In addition, we have found that in-depth training sessions to firms on how to evaluate reports on service organization controls have ensured that all engagement team understand the risks around SOC 1 evaluation, especially in areas related to significant risks and what regulators are looking for in an adequate evaluation. We encourage firms to thoroughly read the annual report and explore ways in which the good practices outlined in the report can be used in their audits going forward.

The recent PCAOB spotlight on the integration of GenAI into audits and financial reporting highlights several key observations. GenAI integration is primarily in the early stages, with larger global network firms leading in deployment, mainly for administrative tasks and research activities. There is significant ongoing investment in GenAI tools, often through third-party partnerships, to assist in summarizing accounting policies and performing risk assessments. Data privacy and security are also major concerns, with some firms implementing safeguards to protect confidential information. The PCAOB emphasizes that human involvement remains crucial, with GenAI augmenting but not replacing human auditors. Supervision and review processes ensure accountability for GenAI-assisted work. However, risks related to the reliability of GenAI outputs, and the auditability of source data are noted, with firms developing specific instructions to improve consistency and accuracy. Among preparers, GenAI is used to draft internal documents and assist in repetitive processes, with human supervision ensuring the accuracy and reliability of these outputs. At JGA, our perspective based on our interactions with our clients aligns with the PCAOB's observations while offering critical insights. We have heard from our peers and concur that the current use of GenAI enhances efficiency in tasks such as data extraction, document review, workflow automation, and compliance monitoring. JGA supports the investment in GenAI, highlighting the use of machine learning to predict areas where engagement teams are likely to encounter issues based on historical data allowing for quality control measures. Expert systems are also being utilized to suggest whether to accept a new client based on similar cases and outcomes from other engagements. Emphasizing the need for specific controls, JGA concurs with the importance of data privacy and security to ensure data integrity, address biases, and ensure accuracy. Additionally, as firms prepare to implement the new QM standards into their QC process, it is important that firms recognize that the use of GenAI should be included in its risk assessment evaluation. While supporting the crucial role of human judgment, we agree with the importance of careful supervision of AI outputs to maintain high audit quality and compliance with regulatory requirements. Acknowledging the risks associated with GenAI, we encourage firms to implement transparent and explainable AI models to mitigate biases and inaccuracies. Ultimately, auditors should continue to evaluate and conclude on the relevance and reliability of data used in the conduct of the audit. Finally, we agree that GenAI should not be seen as a tool that minimizes or removes the auditor's responsibility for providing reasonable assurance on financial statements. GenAI should not be seen as a tool that minimizes or takes away the responsibilities of the partner signing the audit opinion - at the end of the day, the engagement partner still has the ultimate responsibility that the audit opinion provides reasonable assurance that the financial statements are fairly presented. In conclusion, JGA underlines a cautious yet optimistic approach to integrating GenAI in audits, emphasizing robust controls, human oversight, and continuous investment to enhance audit quality and compliance. The extent and use of GenAI is going to continue to grow all around the globe in every industry and profession. And this is true for the auditing profession as well. Leadership of firms must continue to embrace the continued use of GenAI but do so making sure they are identifying and evaluating risks related to the use of GenAI. For further insights on using technology in your audits, read our recent JGA Advisor article on JGA Team Perspectives: System of Quality Management – Using Technology in Your Practice and Audits . Also, feel free to reach out to us with questions at any time.

The PCAOB continues to emphasize the importance of quality control (QC) systems and intends to continue to focus on this area in its future inspections. Proposed PCAOB quality control standard QC 1000, A Firm’s System of Quality Control and Other Amendments to PCAOB Standards, Rules, and Forms , would replace current PCAOB quality control standards in their entirety. QC 1000 would require registered firms to implement and operate QC systems to execute policies and procedures developed to address quality risks, monitor operation of the policies and procedures, and take remedial actions when the policies and procedures are not operating effectively. It includes a requirement for firms to perform root cause analysis (RCA) of all quality control deficiencies and design and implement timely remediation actions. Firms should consider both internal and external inspection findings as part of monitoring. In addition, the IAASB and AICPA have adopted quality management standards, so firms are required to implement new processes to ensure their internal quality controls comply with the new requirements. Jung Lee, JGA Director, works with audit firms worldwide to improve their audit quality and navigate audit and QC regulatory requirements. “In general, the number of comments and enforcement actions from the PCAOB have increased significantly in the last three years, and this trend is not only at the PCAOB, but also other local audit regulators worldwide. Audit deficiencies are costly, time-consuming, and will increase regulatory scrutiny in future inspections,” Lee said. “There has been a general uptick in the level of enforcement activity, and regulators point to QC failures in the monitoring process as a contributing factor.” In April 2024, the PCAOB Staff issued a Spotlight: Root Cause Analysis—An Effective Practice to Drive Audit Quality . The PCAOB notes that RCA has been shown to be an effective practice to drive audit quality; rather than simply detecting and remediating audit deficiencies, by “focusing more on assessing underlying root causes of a deficiency…the deficiency can be effectively addressed and ultimately eliminated.” “The Spotlight shares observations from PCAOB inspections and how firms’ RCA has helped them address repeat or persistent inspection findings,” Lee stated. See more in JGA’s Alert, PCAOB Staff Report Shares Observations on How Root Cause Analysis Can Drive Audit Quality .” Continued Preparedness Planning With respect to their system of quality management, firms need to prepare to initially adopt QC standards and then must continue to evaluate them to remain in compliance year-after-year. The steps a firm should take are cyclical, starting with initial risk assessment and gap analysis, RCA and remediation, annual evaluation and testing of the SQM, and ongoing monitoring. Practice monitoring, a component of SQM – which includes pre/post issuance reviews -- ensures that a firm’s system of quality control provides reasonable assurance that the firm and its personnel comply with professional standards and the reports issued by the firm are appropriate. “We work with firms on remediation after PCAOB inspections and pre-issuance reviews,” said Jackson Johnson, JGA President and Shareholder. “In post inspection services, we assist firms with root cause analysis of identified audit deficiencies. RCA is the underpinning of a sound QC system, and proper root cause analysis helps ensure that deficiencies are remedied.” Remediation After Inspection Frequent areas of concern noted in RCA (the first step in remediation) include lack of proper firm methodology and training, technical knowledge and competence, personnel management, engagement considerations, and supervision and review (including due care). There are often multiple root causes contributing to one deficiency, so it is important for firms to continue to dig in and ask “why.” Remediation of all identified deficiencies will likely require firms to create new QC processes. Root cause of inspection deficiencies often relates to training. “The PCAOB normally recommends a very tailored, precise training related to the area of audit deficiency noted,” Lee said. “An example is the need for a specific training on testing for proof of delivery as part of performance obligations, but firms often offer a general training on revenue recognition under ASC 606. We can help clients obtain customized, tailored training solutions, both internal and external to the firm.” To supplement training, JGA has found that practice aids and templates help firms to ensure audit quality. “An example of a practice aid is a template for journal entry testing with considerations noted in AS 2401, paragraph 61, addressing issues auditors should watch out for when reviewing the criteria used for identifying journal entries as part of fraud procedures. We can review the methodology included in client-prepared templates or create them for clients. The PCAOB asks for templates as a form of remediation of deficiencies,” Lee said. “We help firms with practice monitoring including pre- or post-issuance reviews,” Lee added. “This way, someone outside of the firm’s engagement team or National Office can monitor the performance at both the firm SQC and engagement levels.” Pre-issuance Reviews Having an objective review of an audit before the audit opinion is signed and the audit report is issued (sometimes called an “in-flight review”) is a preventative control that allows firms to get ahead of deficiencies before an inappropriate opinion is issued. “Nothing is more important than a good quality audit, and we work with firms in lock step to help them prevent or minimize deficiencies,” Johnson said. “In this way, there is a more immediate impact on audit quality, because firms can make changes in real time during the current audit rather than waiting until the next audit to see if the issue is fixed.” “We are effectively performing real-time inspections and identifying deficiencies the PCAOB may find. JGA staff were former leaders of PCAOB inspection teams, so we look at audit engagements the same way the PCAOB staff does,” Lee adds. Crucial areas the PCAOB focuses on are planning, audit procedures, and completion. JGA walks with firms in each of these and considers what can go wrong in each. “An example of in-flight for accounts receivable will entail how the firm selected the items to confirm, including the use of sampling and whether it was a stratified sample. In addition, we look at frequent areas of PCAOB findings, including revenue recognition and accounting estimates,” Lee said. “We help firms apply both a preventative and detective approach to identify and remediate their audit quality concerns, which helps them gain insight into their system of quality control and how they perform their audit engagements,” Johnson said. “This not only helps them navigate the requirements of the new quality control standards but also will help them with the PCAOB inspection process and regulatory compliance overall.”

Updated 7.3.2024 The SEC recently announced that it is extending the deadline for comments on QC 1000 to July 16, 2024 . JGA provided comments to the PCAOB on the proposed QC 1000 standard. To read our comments please click here . The PCAOB proposed standard QC 1000, A Firm’s System of Quality Control and Other Proposed Amendments to PCAOB Standards, Rules and Forms, is available here . The new standard is available for viewing here . Previous updates on QC 1000 5.13.2024 On May 13, 2024 the PCAOB held an Open Board Meeting - PCAOB to Consider Adopting New Standards on General Responsibilities of the Auditor in Conducting an Audit, Quality Control . The PCAOB considered adopting a new auditing standard – AS 1000, General Responsibilities of the Auditor in Conducting an Audit as well as QC 1000, A Firm’s System of Quality Control. JGA provided comments to the PCAOB on the proposed QC 1000 standard. To read our comments please click here . The PCAOB proposed standard QC 1000, A Firm’s System of Quality Control and Other Proposed Amendments to PCAOB Standards, Rules and Forms, is available here . The new standard is available for viewing here . PCAOB Updates PCAOB Solidifies Foundation of Every Audit With Adoption of New Standard on General Responsibilities of the Auditor PCAOB Adopts New Quality Control Standard With a Risk-Based Approach Designed to Drive Continuous Improvement in Audit Quality

Johnson Global Advisory (“JGA”) is pleased to announce that Santina Rocca, Managing Director, will be speaking at the CAW Network USA Beyond Accounting – Not Just the Numbers event, in collaboration with Fordham University’s Center for Professional Accounting Practices – Gabelli School of Business on June 13 th , 2024. The conference will be a single stream event with five sessions and offers CPE credits. The sessions will cover: Leadership AI and Third-Party Risk Management Lunchtime breakout groups covering a variety of topics including sustainability, younger member priorities, future of audit and ‘future skills’. Resilience Enterprise Risk Management Evening Presentation – AI and Fraud by Homeland Security Investigations – New York Cyber Division. Click here to register and learn more. About Johnson Global Ad visory JGA is dedicated to helping public accounting firms around the globe achieve the highest level of audit quality. All CPAs and former PCAOB inspection staff, JGA professionals are passionate and practical about working alongside firm leadership to ensure the right controls, policies, and practices are implemented throughout the organization. Visit www.jgacpa.com to learn more about Johnson Global.

Johnson Global Advisory (“JGA”) is pleased to announce that Don Melody, Director, will be speaking at the Broker-Dealer Accounting Virtual Conference at CPE INC. on June 11th. Don and others will speak directly about their experience as FINRA, CFTC and PCAOB regulators on their latest initiatives and key priorities. Discover how these decisions may influence your company’s practices and bottom line, get critical updates on regulatory, accounting and auditing issues, and keep up with recent developments, such as the use of cryptoassets and the threats posed by cyberattacks and ransomware. Through this comprehensive agenda and immersive online platform, you’ll gain expert guidance and real-world strategies from current and former regulators, Big 4 leaders and other industry specialists on implementing the latest accounting standards, dealing with regulators, mitigating risks, and more AGENDA HIGHLIGHTS INCLUDE: • Technical Accounting Update • Regulatory Trends, Industry Initiatives & Challenges • PCAOB Update • Accounting for & Auditing of Digital Assets • Comments from the CFTC • SEC Enforcement Issues • Cybersecurity & Ransomware Register today and use the code WK24Z for a 20% off discount. About Johnson Global Ad visory JGA is dedicated to helping public accounting firms around the globe achieve the highest level of audit quality. All CPAs and former PCAOB inspection staff, JGA professionals are passionate and practical about working alongside firm leadership to ensure the right controls, policies, and practices are implemented throughout the organization. Visit www.jgacpa.com to learn more about Johnson Global.

Editor’s note: This article is part of a series to highlight the unique experience that JGA professionals possess and deliver to our clients. The implementation of systems of quality management is a recent focus area of standard-setters and has become a high priority for firms of all sizes. International Standard on Quality Management (ISQM) 1 requires all firms that perform engagements under the IAASB’s international standards to have systems of quality management designed and implemented by December 15, 2022. The AICPA’s Statement on Quality Management Standards (SQMS) No. 1 requires systems of quality management to be designed and implemented by December 15, 2025, with required evaluation of the system within one year following that date. On May 13, the PCAOB approved QC 1000, A Firm’s System of Quality Control and Other Amendments to PCAOB Standards, Rules and Forms, which would replace current PCAOB quality control standards in their entirety. The standard is undergoing review by the SEC. It will apply to all PCAOB-registered firms and will be effective December 15, 2025. It will require firms to identify their specific risks and design a quality control system that includes policies and procedures to guard against those risks, with mandatory annual reporting by the firms. To manage the implementation journey, every firm should develop a roadmap that incorporates existing policies, processes and procedures as well as the need for additional or newly designed policies, processes and procedures. Throughout the remainder of this article, Mark Whittenberg and Shanett Edwards-Morton share their thoughts and recommendations on how technology should be incorporated within the firm’s system of quality management, in order to drive, monitor and maintain audit quality. This includes technology that is used to support engagement teams as well as technology used in the firm’s operations. Technology for Audits and Quality Management While compliance is often the driver when implementing quality control standards , there is strategic value for firms to look at their internal processes for getting audits done and the technology tools and software they use and make improvements that can benefit overall quality management. There is already a rapid change in use of technology in audits, and clients are expecting firms to use technology to enhance efficiency and provide more meaningful insights. Firms should have a plan to incorporate technology into both their engagements and their system of quality management. “Outside the Big 4, firms used to have a handful of software tools they used for audits, but now there is increased investment and rapid development of new applications and more advanced technology,” Whittenberg said. “Firms that don’t use technology for their audits will be at a competitive disadvantage, and it takes time and resources to implement technological changes.” Technology and the System of Quality Management In evaluating technologies and automated tools (i.e., technology resources) related to a firm’s system of quality management (SQM), it is important to consider the overall SQM framework, including the risk assessment process component, the monitoring and remediation process component, and the other components (governance and leadership, relevant ethical requirements, acceptance and continuance, engagement performance, resources, information and communication). Categories of technology resources include those: Related to the design, implementation, and operation of the firm’s SQM – for example to: monitor personnel independence and ethics violations, track personnel time and assess workload, retain and maintain engagement related documentation, and record the firm’s considerations around client acceptance and continuance; Used by engagement teams in performing the engagement – for example: audit software and automated tools used on an engagement to prepare and compile documentation, and tools and software for firm methodology and policies; and Used to ensure effective operation of IT applications – for example: operating systems and databases, hardware, and logical access. When seeking technology solutions for quality management, it is important to first identify the pain points and needs. “Vendor demonstrations at conferences are catchy, but firms frequently buy the software and then say, ‘Now what?’ if they do not have a use case, have not thought about how to apply it to their clients and firm’s specific needs, or do not have the necessary data available,” Whittenberg said. “Firms may have technology that supports their SQM, but they also must have technology tools to help them manage their workflows and components in order to evaluate their overall SQM,” Edwards-Morton said. “It is critical that firms ensure technology is addressed during each step of the SQM implementation process, and that the right technology is deployed for the risks identified.” Firms may attempt to use existing audit software tools that were not designed for this evaluation and for ongoing monitoring and remediation. Firm Operational Monitoring Tools Technologies can drive consistency in firm operations, which impacts quality management. “Firms often use a lot of manual monitoring of their operations, but as they see other firms adopting technology in this area, they are looking into applications, so they do not get left behind,” Edwards-Morton said. Common examples are firms using Excel spreadsheets or Word checklists for engagement acceptance and continuance procedures, independence compliance, and training and tracking CPE. “Technology can look at firm data in more depth and in less time, identify conflicts and risks, and generate evidence that responsive actions were performed, and effectiveness was tested, which is required by the standards,” Whittenberg said. A number of vendors provide operational monitoring tools in areas of risk assessment, ethics and independence, and human resource management and scheduling. Solutions are available to address specific problems and are easier to integrate today. “Cloud-based software permits firms to ramp up quickly without a lot of configuration and to interface with firm software and connect different systems to obtain better insights and monitoring,” Whittenberg said. The new standards require an analysis of the root cause of QC deficiencies t which can be difficult to perform when the data is contained in multiple databases. Cloud-based software can manage data and provide connections to issues that are spread across the firm but contribute to quality risks. Engagement Team Specific Monitoring Tools These are the tools used to perform certain audit procedures, including project management, data analytics, audit documentation, and other solution-specific tools. “These tools are where firms get the biggest bang for their buck, and they are important for client-facing activities,” Whittenberg said. Use of technology in this area can impact team engagement performance and quality. Examples include DataSnipper, that can read financial statements or SOC reports, identify key information auditors need, and auditors can review the information then copy and paste it into audit workpapers. Best Practices in Implementing Technology Tools and Software There are different stages in a software audit tool maturity model, ranging from basic audit documentation software to advanced tools for data analytics and visualization. It is important for firms to assess where they are and have a plan in place. Not all firms need the most advanced solutions, but it is important to anticipate both current and future needs. Firms should start with a use case that identifies the problems to be solved and the software or other solutions that may address their needs. In developing software tools, we recommend a multistep approach that begins with taking a software inventory of tools in use and assessing the engagement team process and the completeness and accuracy of data inputs and outputs. Future tool planning identifies desired future capabilities, the people and processes, training, and the rollout plan. There are a number of risks to consider, including data completeness and accuracy, change management during development and in production, access, and IT general control weaknesses that can impact operating effectiveness. The biggest challenges in integrating technology are lack of buy-in and support from firm leadership, commitment to a long-term investment in technology, resistance to change from auditors, and managing skill gaps. Artificial Intelligence There is a lot of optimism about the potential use of AI for audits, in areas like risk identification and predictive analytics, automating manual tasks, analyzing and testing complete volumes of data, identifying anomalies, and documentation. Also, there are potential applications for firm monitoring and quality management, including, among others, acceptance and continuance, independence and conflicts of interest, and scheduling and resource optimization. “There is a lot of promising software out there, but most firms are not fully using it yet,” Whittenberg said. “Machine learning will get smarter as it continues to ingest data, but it’s not there yet at a large scale, and Chat GPT is producing information that is not yet usable.” As AI evolves, firms should look at their competencies, risks, and proposed solutions and consider whether their required investment will help them improve their audit quality and engagement monitoring. “As firms think about the new quality management standards’ requirements, many may be overwhelmed, especially the smaller firms," Whittenberg said. “They must have a plan to incorporate technology into both their engagements and their SQMs, because their competitors are doing it.“ Firms moving into compliance with the new quality standards (ISQM 1, SQMS 1, and QC 1000) is a significant change. To manage these considerations, every audit firm should have an implementation plan to look at their internal processes for getting audits done. If you have any questions regarding these standards and preparation for compliance, please feel free to contact us.