PCAOB Staff Summary of 2020 Inspections: Fewer Findings, But Still Room for Improvement
The PCAOB staff has published its observations on the results of the Board’s 2020 inspections. See Spotlight: Staff Update and Preview of 2020 Inspection Observations (Preview). In 2020, the Board inspected 153 audit firms (114 U.S. firms and 39 non-U.S.) and reviewed portions of 617 audits. The audits inspected in 2020 generally addressed financial reporting for years ending during 2019 or the first half of 2020. The staff states that, for the majority of the annually inspected audit firms (i.e., firms with more than 100 public company audit clients), “we identified fewer findings in 2020 compared to our 2019 inspections.” For firms with 100 or less public company clients, which are inspected on a 3-year cycle, “some improvements were noted, although deficiencies continue to remain high.” As of October 25, the underlying inspection reports on which the Preview is based had not yet been made public.
While much of the Preview is primarily of interest to accounting firms, aspects may be helpful to audit committees in their dialogue with the auditor. The 2020 Preview, unlike the 2019 version, does not discuss communications with audit committees. See PCAOB Previews 2019 Inspection Reports, October-November 2020 Update.
2020 Inspection Approach
The Preview notes that the 2020 inspections were impacted by COVID-19. All inspections were conducted remotely. In addition, the staff took various steps to understand firms’ consideration of, and responses to, the effect of the pandemic on audits. However, except for an optional 45-day deferral, “no other modifications were made to reduce the obligation of audit professionals to observe the PCAOB’s rules and other professional standards.”
Recurring audit deficiencies observed in the 2020 inspections were similar to those in prior years. See PCAOB Previews 2019 Inspection Reports, above. The Preview describes five common deficiency areas.
Revenue and Related Accounts. By far, the highest percentage of deficiencies in both financial statement and internal control over financial reporting (ICFR) audits involved revenue and related accounts. Many such deficiencies related to implementation of FASB’s new standard on revenue recognition, which took effect for public companies at the end of 2017. Other revenue-related deficiencies included failure to test controls over the accuracy and completeness of company-provided data or reports on which audit procedures were based. The Preview reminds auditors that, “when using information produced by the public company as audit evidence, the auditor should evaluate whether the information is sufficient and appropriate for purposes of the audit.”
Accounting Estimates. Common deficiencies relating to estimates involved allowance for loan losses (ALL), business combinations, investment securities, and long-lived assets, including:
Auditors did not evaluate evidence supporting the reasonableness of the assumptions management used in determining ALL.
Auditors did not obtain sufficient evidence of the reasonableness of assumptions used to determine the fair value of acquired assets.
Auditors did not evaluate the appropriateness of valuation models and the reasonable-ness of assumptions used in determining the fair value of investment securities.
Auditors did not perform sufficient procedures to resolve known contradictory evidence when evaluating the recoverability of long-lived assets.
Inventory. In testing controls over inventory, auditors sometimes did not properly assess the reliability of cycle counts. (A cycle count program involves periodic counts of a subset of inventory, rather than an annual physical count of the entire inventory.) One common deficiency was that auditors limited their cycle count assessment procedures to management inquiries.
Critical Audit Matters. Audit opinions are required to contain a discussion of critical audit matters (CAMs). CAMs are aspects of the audit that involved especially challenging, subjective, or complex auditor judgment. Common deficiencies relating to CAM reporting included failing to assess all matters that could potentially be CAMs for inclusion in the auditor’s report. In addition, CAM discussions sometimes failed to accurately describe how the CAM was addressed in the audit or the principal considerations that led the auditor to determine that the matter was a CAM.
Form AP. For each public company audit, the auditor is required to file Form AP disclosing the name of the engagement partner and other accounting firms that participated in the audit. These reports were sometimes not timely or contained inaccurate or incomplete firm information.
Quality Control Observations
The Preview describes three common deficiencies in inspected firms’ systems of quality control:
Independence. Certain firms had a high rate of noncompliance with requirements that employees report their financial relationships to the firm. In addition, inspectors found deficiencies in compliance with the PCAOB’s rules on audit committee preapproval of certain tax services and on communication with audit committees concerning independence.
Engagement Quality Review. Before issuing an audit report, a partner not involved in the engagement is required to perform a review. The Preview states that, in some cases, engagement quality reviewers did not properly evaluate areas that the engagement team had identified as involving significant risk. Further, some reviewers did not maintain objectivity – for example, because they assumed responsibilities of an engagement team member.
Internal Monitoring. The Preview states that some firm internal inspection procedures failed to identify deficiencies that were uncovered by the PCAOB’s inspectors. This may suggest that the audit firm’s internal inspection program is not suitably designed or effectively applied.
Other Observations – Cybersecurity and Distributed Ledger Technology
The 2020 inspections reviewed how auditors responded to cybersecurity incidents and to distributed ledger technologies. Deficiencies were identified in both areas. With respect to cybersecurity, some auditors did not consider whether a cybersecurity incident affected the identification or assessment of misstatement risk or whether modifications to audit procedures were necessary. With respect to distributed ledger technology, inspectors found instances in which auditors did not properly evaluate the sufficiency and appropriateness of audit evidence over the existence and valuation of crypto assets.
Comment: The Preview may be useful to audit committees in understanding what aspects of the company’s future audits are likely to attract the PCAOB inspection staff’s attention. Examples include the Board’s emphasis on revenue recognition, cybersecurity incidents, evaluation of management assumptions that underlie estimates, and testing controls over company-provided data or reports on which the auditor relied. All auditors, whether or not they received adverse PCAOB comments on particular recurring audit deficiencies, can be expected to devote attention to these areas in anticipation of possible PCAOB scrutiny. Therefore, the Preview may also aid audit committees in understanding their auditor’s risk assessments and resource allocation decisions and in discussing these matters with the engagement team.