PCAOB Spotlight: Audit Committee Resource
In response to the current global economic environment impacted by supply chain issues, high inflation, geopolitical tensions, increasing use of technology and cyber threats, the Public Company Accounting Oversight Board (PCAOB) has issued a series of questions for audit committees to consider in their engagement with auditors and management regarding their response to related financial reporting and audit risks.
In August 2022, the PCAOB released its Spotlight: Audit Committee Resource aimed to focus audit committees on several significant areas that may be particularly impacted by our current economy and their effects on corporate financial reporting.
These topics include:
- Fraud and other risks
- Initial public offerings (IPOs) and mergers & acquisitions (M&A)
- Audit execution
- How firms comply with auditor independence requirements
- Firms’ quality control systems
- Technology – Auditing digital assets, responding to cyber threats, and use of data and technology in the audit
The Spotlight summarizes the PCAOB’s focus in a series of questions the audit committee should consider posing. We have provided additional insights as it relates to the auditor’s approach to audit execution to help further guide engagement between the audit committee and the auditor with respect to the PCAOB’s focus areas.
Fraud and Other Risks
As a normal part of audit risk assessment, the auditor is expected to discuss and consider the entity’s susceptibility to fraud and other risks. Current economic factors, such as supply chain disruption and inflationary impacts, should be part of the auditor’s risk assessment. If significant, these matters should be raised with the audit committee as part of planning and continuing audit execution communications and include discussion of:
- Whether and how changes are to be made to the nature, timing or extent of audit procedures to address risks of material misstatement due to fraud.
- Changes to management’s accounting policies, practices or estimates as a result of current events and whether/how that may impact the planned audit approach.
- With respect to the ongoing conflict in Ukraine, consideration of altering the current and future audit strategy if using other auditors in Ukraine, Belarus or Russia to perform audit work to allow for proper supervision and reliance on use of the work and reports of other auditors.
For further information, consider resources provided by the Anti-Fraud Collaboration.
IPOs and M&A
In 2021, M&A was the top-ranked corporate strategy by public company directors. Under today’s economic conditions and anticipated longer term economic pressures, however, it has dropped to third. Rising interest rates, including the Federal Reserve’s 0.75% hike in June and July, have given boards much more to consider when looking to strike deals given broader recession concerns. That does not imply, however, that M&A activity has ceased. Despite being off from peak levels of last year, transaction volume remains robust.
Further, while both IPOs and special purpose acquisition company (SPAC) transactions have slowed in 2022, going public still remains viable for many companies and the accounting for key provisions contained in debt and equity instruments issued to founders, sponsors, and private and public investors can often be complex. For example, regulators have weighed in on complexities in the accounting for and classification of warrants (liability vs. equity) issued in connection with a SPAC transaction as well as impacts on the internal control environment, among other financial reporting considerations.
The SEC has taken particular interest in accounting for SPAC transactions and both auditors and audit committees should consider existing guidance for both sponsors and target entities as well as proposed SPAC guidance to align the financial reporting requirements with traditional IPO offerings.
Client employee retention and continuity may be a potential risk factor for the audit committee as well as the auditor to consider when assessing the quality of the company’s accounting and financial reporting processes, internal controls and the company’s preparedness for the audit. Candid discussion about management’s abilities should be a part of planned executive sessions between the audit committee and the auditor.
By the same token, consideration should be made of the ability for the audit firm to attract and retain engagement team members with appropriate levels of competency, proficiency, training and supervision. Audit committees will want to know the qualifications of the team members as well as, more broadly, the audit firm’s talent management strategies. Many auditors provide detailed information on this matter in their firm’s annual audit quality reports.
As the use of centralized service centers grows in the auditing profession, particular consideration may be needed with regard to adequacy of review and supervision when certain audit procedures are performed within such centers. The audit committee should be comfortable in its understanding of the scope of such procedures and the protocols followed by audit partners and engagement teams in ensuring the level and quality of work performed.
Auditor Compliance with Independence Requirements
While auditors are required to annually discuss and confirm their independence with the audit committee, situations may arise during the course of the audit that may present challenges with respect to that independence. The audit committee should understand and the auditor should take time to explain the firm’s policies and procedures for identifying, evaluating and addressing threats to independence that may impact services provided. Additionally, under PCAOB Staff Guidance for Rule 3526(b), the audit firm is required to communicate in writing to the audit committee any regulatory independence violations that may arise, its evaluation of the violations and that it concluded that the auditor’s objectivity and impartiality with respect to all issues encompassed within the audit engagement has not been impaired. The audit committee should engage in dialogue with the auditor and draw its own conclusion about impairment of the auditor’s objectivity and impartiality.
Another area for consideration is independence rules about personal relationships that may develop between the auditor and the company’s accounting and finance personnel that may introduce bias in an auditor’s exercise of professional judgment and skepticism. Audit committees may want to understand the compliance monitoring established by audit firms to protect against such situations.
Firms’ Quality Control Systems
As global audit firms prepare for the December 15, 2022 effectiveness of the IAASB’s International Standard on Quality Management (ISQM) 1 and anticipate the PCAOB’s issuance of its own proposed quality control standards, audit committees are encouraged to discuss and understand what the audit firm is doing to:
- Promote continuous education with respect to changes in standards, methodologies, emerging topics and specialized industries.
- Address any recuring audit deficiencies identified by regulators or from the audit firm’s own internal quality monitoring processes - e.g., revenue recognition, allowance for loan losses and other accounting estimates, review controls.
Enhanced use of technology, use of digital assets, as well as cybersecurity threats continue to increase.
With respect to digital assets, audit committees should determine whether and how the auditor is considering such assets in the scope of the audit. In particular, the audit committee should determine whether the auditor:
- Understands the financial reporting implications of the company’s activities related to digital assets.
- Has enacted policies and procedures regarding conducting and monitoring audit engagements involving digital assets (e.g., crypto mining), including considering the risks associated with performing such audits.
- Requires monitoring of these types of audits by other professionals in the firm.
With respect to cyber threats to the organization, the audit committee should further determine:
- The auditor’s view on management’s cybersecurity risk assessment approach, overall cyber assessment, and conclusions.
- Whether the auditor identified and assessed cybersecurity risks and evaluated potential cyber breaches within the company’s operations.
- What, if any, were the effects on financial reporting and what were the effects of the auditor’s procedures in that regard.
- Whether the auditor changed its overall approach to addressing cybersecurity risks as a result of increased cyber threats to corporations and government agencies from external sources.
With respect to the use of data and technology within the audit, the audit committee will want to also understand:
- How the use of technology is helping the auditors perform a more effective audit as well as provide more timely insights to the audit committee and management teams.
- Whether there are any complexities (e.g., multiple systems) or concerns (e.g., data security) at the company preventing the use of technology by the auditor and how such can be addressed.
We encourage audit committees to maintain continuous and thoughtful communications with their auditor, be thoughtful in their own continued education, including remaining abreast of industry and reporting trends.
Written by Phillip Austin, Patricia Bottomly and Amy Rojik. Copyright © 2022 BDO USA, LLP. All rights reserved. www.bdo.com