PCAOB Spotlight: Audit Committee Resource

It is the auditor’s responsibility to always consider the risk of fraud when performing their audit procedures. This is a crucial element of the audit risk assessment process. Any identified areas of concern should be communicated to the AC. 

The auditor should: 

• Identify new risks and be able to explain to the AC the procedures performed to the identify the fraud risks.
• Evaluate any significant unusual and related party transactions and the business purpose associated with those transactions.
• Perform inquiries of management on their knowledge of possible illegal acts. 
• Perform procedures to address whether management perpetrated or concealed fraud by presenting incomplete or inaccurate financial statement disclosures or by omitting necessary disclosures.

It is the AC’s responsibility to understand the programs and policies in place to prevent and detect fraudulent activities. The AC should work with management to understand the scope of these programs and the controls. 

For further information, consider resources provided by the Anti-Fraud Collaboration.

Board oversight is key to ensuring that management is accountable for risks facing the organization and is designing a strategy that aligns the appropriate degrees of acceptable risk with organizational goals and objectives. Risk conversations should be a dedicated part of every board meeting agenda. 

The AC needs to be confident that their auditor has taken the necessary steps to understand the business and management’s strategy. The AC should ask questions pertaining to:  

• The auditor’s understanding of, selection and testing of relevant controls.
• Whether appropriate testing of data used in the operation of selected and tested controls has been performed. 
• The testing of management review controls. 
• How the auditor modified their audit approach in response to identified control deficiencies, if any. 
• How were relevant economic factors – e.g., inflation, rising interest rates, supply chain risks, and ability to access capital – contemplated as part of risk assessment procedures. 
• How specific risks to the public company’s internal control over financial reporting (ICFR) resulting from the public company’s current information technology (IT) environment were considered.
• Management’s use of third-party service organizations and the related auditor’s risk assessment and audit response.

Auditing and accounting risks were identified as an area of focus for 2023 PCAOB inspections in a recent publication, Spotlight: Staff Priorities for 2023 Inspections. The report stated that PCAOB inspectors will examine procedures performed by the auditor to identify, assess, and respond to audit and accounting risks, including those related to financial reporting and disclosures. Specifically, ACs are advised to inquire about how the auditor considers:

• Impact of economic factors on determining significant risks.
• Whether selection and application accounting principles and disclosures were consistent with the applicable financial reporting framework.
• Whether any significant modifications to critical accounting disclosures that were proposed to management were not made.
• Management’s materiality conclusion in the instances of restatements. 
• Presence of potential management bias in significant estimates/assumptions.
• Use of data and technology tools in audit execution.

Digital assets and the technology associated with them (i.e., blockchain), present significant new risks that ACs need to be aware of in their oversight duties. The auditors, management and the AC need to have sufficient and current knowledge, skills, and abilities to adequately perform audit procedures around management’s accounting for and disclosure of its digital assets. 

Additionally, many audit firms utilize specialized technology-based tools with respect to digital assets when performing the audit. The AC needs to obtain an understanding of how the use of these tools affected the nature, timing, and extent of audit procedures performed in this area. 

BDO’s recent Spring 2023 Board Pulse Survey, indicates corporate directors identified M&A activity as an area of decreasing investment in the current economic environment. However, many companies may be looking at potential under-valued opportunities or a means of disposing of corporate assets. ACs, in contemplating such activities, need to remain vigilant on risks.  The PCAOB highlights, if a company was involved in a de-SPAC (special purpose acquisition company) transaction, the AC needs to understand the auditor’s key considerations in evaluating management’s determination of the accounting acquirer, and their assessment of the effect of the de-SPAC on any pre-existing compensation agreements. Further, the AC should understand how auditor considered the technical and financial reporting competence of the target’s management while performing risk assessment procedures. 

To further add to this, IPOs can be a tricky and both the SEC and PCAOB have put a lot of emphasis on this area as it’s a root cause of many identified deficiencies.  To learn more about this area, consider reading a recent PCAOB Spotlight: Inspection Observations – Audits of Special Purpose Acquisition Companies and De-SPAC Transactions

Last year, the PCAOB adopted amendments to its auditing standards to strengthen requirements that apply to audits involving other auditors.. The amendments, which benefited from three comment solicitations, aim to improve the quality of audits where other accounting firms or individual accountants perform important work on the audit.

The AC needs to fully comprehend the role that the other auditor played during the engagement. The other auditor may not have the same policies and procedures in place and may not be registered with the PCAOB. The AC should obtain an understanding of how the professional reputation and independence of the other auditors were evaluated. Additionally, the AC should understand how the lead auditor ensures that the work is being performed by other auditors that understand the requirements of the applicable financial reporting framework and professional standards.

The war on talent continues and the aftermath of the “great resignation” is still a pain point for many organizations, including audit firms. Employee retention and continuity of the auditor’s engagement staff may be a possible risk factor for the audit. ACs should understand how their auditors recruit and retain top talent and continue to develop professionals who are skilled and competent to perform the audit. If your auditor isn’t on top of this, your audit could be at risk. 

ACs should also consider whether the audit firms’ policies and procedures allow for adequate supervision and review of all engagement team members, especially in the age of hybrid work environments. Additionally, many firms rely on the work of shared service centers or designated centers of excellence. As the use of centralized service centers grows in the auditing profession, the AC should be comfortable in its understanding of the scope of such procedures, and the protocols followed by audit partners and engagement teams in ensuring the level and quality of work performed.  

Audit quality further depends on the ACs being confident in their expectations that their auditors will hold audit quality to the highest standard of performance. In November 2022, the PCAOB proposed a new quality control standard for audit firms that will enhance communications to AC and other stakeholders, QC 1000, A Firm’s System of Quality Control. This will create uniformity around firm’s quality control processes. While comments received in response to this proposed standard are currently under review, firms are actively preparing for this standard to go into effect. To date, many auditing firms voluntarily provide firm level quality information via annual audit quality reports or within websites and/or marketing materials. 

While auditors are required to annually discuss and confirm their independence with the AC, situations may arise during the audit that may become problematic. It’s important for the AC to understand the firm’s policies and procedures that are in place to address independence issues. The AC should engage in conversations with the auditor and draw its own conclusion about impairment of the auditor’s objectivity and impartiality. 

Additionally, many firms now use automated systems to identify relationships with restricted entities. ACs should question their auditor about these to better understand how these systems are employed and monitored. 

A critical audit matter (CAM) is any matter arising from the audit of the financial statements that  was communicated or required to be communicated to the AC and that (i) relates to accounts or disclosures that are material to the financial statements, and (ii) involved especially challenging, subjective, or complex auditor judgment. The PCAOB issued CAM implementation guidance which can be found here: 

• Implementation of Critical Audit Matters: The Basics
• Implementation of Critical Audit Matters: A Deeper Dive on the Determination of CAMs

To avoid CAM pitfalls, ACs should engage in meaningful conversation with the auditors around the CAM process. CAMs and audit quality go hand in hand so it’s essential for there to be an open dialogue between the AC and auditors. Audit committees should consider asking auditors the following questions to drive discussion around CAMs:

• Will increased focus on CAMs affect the scope of the audit plan and the amount of audit work that needs to be performed? 
• What is the expected timeline of discussions and review of draft CAMs with auditors (e.g., during Q2 – Q3)? 
• What is the protocol to resolve AC and management questions and comments on the draft CAMs?
• What effect did CAM identification have on the auditor’s risk assessment process? Do identified CAMs correlate to significant risks of material misstatement identified for the audit? 
• How will we resolve instances when the content of the draft CAM includes “original information” or sensitive information that was not previously disclosed by the entity? 
• Were there any matters considered to be “close calls” when evaluating potential CAMs but determined not to be a CAM? What were the considerations that led to the determination that these matters were not CAMs?

Digital transformation is unavoidable and can be extremely positive for advancing an organization. However, due to the rapid advancement of technology, cybersecurity threats are also on the rise. Auditors need to prepare for the risks that come with technological advancement and increasing frequency of cybersecurity attacks. Breaches may require modification to the planned audit approach and therefore, make designing and performing audit procedures to address cybersecurity risk an evolving area of focus for auditors and regulators. 

With the enhanced use of technology, artificial intelligence, and other digital assets, organizations are susceptible to attacks and other emerging risks and ACs should determine how their auditors are taking such risks into account in designing their audit procedures. 

The AC needs to determine: 

• Whether the auditor considered the risk of cyberthreats and incidents in their risk assessment.
• Whether the auditor identified a risk of material misstatement related to cybersecurity.