While the PCAOB has not yet released its 2019 inspection reports for the large accounting firms, it has provided a preview of its 2019 findings. See Spotlight: Staff Update and Preview of 2019 Inspection Observations (October 8, 2020) (Preview). The Board suggests that auditors “may find this information useful as they plan and perform their audits, and audit committees may find it useful as they engage with their auditors.” While much of the Preview is primarily of interest to accounting firms, several aspects may – as the PCAOB suggests – be helpful to audit committees in their dialogue with the auditor.

Recurring Deficiencies

Recurring audit deficiencies observed in 2019 inspections were similar to those in prior years. See PCAOB Staff Previews 2018 Inspections Results, May-June 2019 Update. The Preview highlights four areas:

• Revenue. Several types of deficiencies related to implementation of the new revenue recognition accounting standard, including failure to consider “other relevant factors” in validating contractual performance obligations or allocating prices; failure to evaluate whether the reporting company had an enforceable right to payment prior to recognizing revenue; and failure to perform procedures to test the reporting company’s evaluation of whether products created and sold to a specified customer had an alternative use.

• Independence. Some inspected firms had a high rate noncompliance with reporting by firm personnel of financial relationships. In addition, some firms did not comply with PCAOB rules requiring pe-approval of certain tax services and communication with audit committees concerning independence.

• Accounting Estimates. As in past inspection cycles, inspectors found deficiencies related to auditing estimates, particularly financial institution allowances for loan losses (ALL) and the valuation of assets acquired in business combinations. For example:

o Auditors did not evaluate the reasonableness of qualitative factors that management considered in calculating the general reserve component of ALL. “In certain instances, the audit procedures were limited to inquiry of the issuer’s personnel * * * without corroborating the information with appropriate audit evidence.”

o Auditors did not sufficiently test the reasonableness of projections used in determining the valuation of acquired assets. “Auditors limited their procedures to inquiry of the issuer’s personnel and comparing one year of forecasted projections to actual results.”

• Internal Control Over Financial Reporting. Deficiencies in ICFR testing have been a theme in PCAOB inspection reports for the past decade. Common problems identified in 2019 inspections include:

o Auditors did not sufficiently evaluate whether controls with a review element operated with sufficient precision to prevent or detect material misstatements.

o Auditors did not sufficiently test controls related to relevant assertions of significant accounts. For example, where a company had multiple streams of revenue, the auditor may only have identified and tested controls that addressed risks related to one of the streams.

o With respect to management review controls over accounting estimates, auditors did not identify and test controls over the accuracy and completeness of system-generated reports which were used by control owners in the operation of these controls.

Cybersecurity Risk

The PCAOB reviewed audits of companies that experienced a cybersecurity incident during the audit period, focusing on how the auditor considered the cybersecurity incident in its risk assessment. Inspectors found that, some cases, the auditor “did not consider whether the incident affected the auditor’s identification or assessment of risks of material misstatement; whether modifications to the nature, timing, or extent of audit procedures were necessary; and whether the incident could be indicative of deficiencies in ICFR.”

Multi-location Audits

The PCAOB deployed “target teams” to focus on multi-location audits based in the U.S. and on audits in which the U.S. firm played a role but was not the principal auditor. These teams observed improved audit quality when there was “regular, consistent communication between the principal auditor and the other auditors” including the “good practice” of visits by the principal auditor to the offices of the participating auditors in other jurisdictions. However, multi-location audit quality could be improved by enhancing documentation, better compliance with the PCAOB rule requiring disclosure of other firms that participate in the audit, and improving engagement letter templates to exclude indemnification clauses.

Audit Committee Communications

In its 2019 inspections, the PCAOB spoke with the audit committee chairs of most U.S. companies with audits that were reviewed. See What the PCAOB Heard: Report on Conversations with Audit Committee Chairs, January 2020 Update. While audit committee chairs generally reported “frequent and thorough” communication with their auditor, the inspectors’ testing revealed that certain smaller firms “did not communicate all significant risks identified during audit planning--including changes to those risks--to the audit committee.”

Comment: The Preview may be useful to audit committees in understanding what areas of the company’s future audits are likely to attract the attention of the PCAOB’s inspection staff. In particular, the recurring audit deficiencies identified by the PCAOB in 2019 are indicators of challenging audit areas to which the company’s auditor may devote extra attention in anticipation of possible future PCAOB scrutiny. The Preview may also aid audit committees in understanding their auditor’s risk assessments and resource allocation decisions. For example, obtaining an in-depth understanding of how review controls operate is a necessary response to a common PCAOB inspection finding. The Preview also makes clear that auditor/audit committee communication is an area on which the PCAOB is focusing.