Notice2024-12692
Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules on a Firm's System of Quality Control and Related Amendments to PCAOB Standards
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
June 11, 2024
Issuing agencies
Securities and Exchange Commission
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 113 (Tuesday, June 11, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 113 (Tuesday, June 11, 2024)]
[Notices]
[Pages 49588-49728]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-12692]
[[Page 49587]]
Vol. 89
Tuesday,
No. 113
June 11, 2024
Part III
Securities and Exchange Commission
-----------------------------------------------------------------------
Public Company Accounting Oversight Board; Notice of Filing of Proposed
Rules on a Firm's System of Quality Control and Related Amendments to
PCAOB Standards; Notice
��Federal Register / Vol. 89 , No. 113 / Tuesday, June 11, 2024 /
Notices��
[[Page 49588]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-100277; File No. PCAOB-2024-02]
Public Company Accounting Oversight Board; Notice of Filing of
Proposed Rules on a Firm's System of Quality Control and Related
Amendments to PCAOB Standards
June 5, 2024.
Pursuant to section 107(b) of the Sarbanes-Oxley Act of 2002 (the
``Act''), notice is hereby given that on May 24, 2024, the Public
Company Accounting Oversight Board (the ``Board'' or the ``PCAOB'')
filed with the Securities and Exchange Commission (the ``Commission'')
the proposed rules described in items I and II below, which items have
been prepared by the Board. The Commission is publishing this notice to
solicit comments on the proposed rules from interested persons.
I. Board's Statement of the Terms of Substance of the Proposed Rules
On May 13, 2024, the Board adopted A Firm's System of Quality
Control and Other Amendments to PCAOB Standards, Rules, and Forms
(collectively, the ``proposed rules''). The text of the proposed rules
appears in Exhibit A to the SEC Filing Form 19b-4 and is available on
the Board's website at Docket 046 [verbar] PCAOB (<a href="http://pcaobus.org">pcaobus.org</a>) and at
the Commission's Public Reference Room.
II. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
In its filing with the Commission, the Board included statements
concerning the purpose of, and basis for, the proposed rules and
discussed any comments it received on the proposed rules. The text of
these statements may be examined at the places specified in Item IV
below. The Board has prepared summaries, set forth in sections A, B,
and C below, of the most significant aspects of such statements. In
addition, the Board is requesting that the Commission approve the
proposed rules, pursuant to section 103(a)(3)(C) of the Sarbanes-Oxley
Act, for application to audits of emerging growth companies (``EGCs''),
as that term is defined in section 3(a)(80) of the Securities Exchange
Act of 1934 (``Exchange Act''). The Board's request is set forth in
section D.
A. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
(a) Purpose
The Board adopted a new PCAOB quality control (``QC'') standard
that it believes will lead registered public accounting firms
(``firms'') to significantly improve their QC systems. An effective QC
system protects investors by facilitating the consistent preparation
and issuance of informative, accurate, independent, and compliant
engagement reports. Properly conducted audits and other engagements
enhance the confidence of investors and other market participants in
the information firms report on.
The Board adopted an integrated, risk-based standard, QC 1000, A
Firm's System of Quality Control, that mandates quality objectives and
key processes for all firms' QC systems, with a focus on accountability
and continuous improvement. The Board has designed QC 1000 to be
applied by firms of varying size and complexity. If approved by the
U.S. Securities and Exchange Commission (the ``SEC''), the Board
believes this new standard will lead firms to better serve investors by
more consistently complying with the professional and legal
requirements that apply to PCAOB engagements.
In connection with the adoption of QC 1000, the Board also adopted
other changes to its standards, rules, and forms. QC 1000 and the other
changes adopted substantially reflect the Board's November 2022
proposal,\1\ but have been modified in response to commenter input.
---------------------------------------------------------------------------
\1\ See A Firm's System of Quality Control and Other Proposed
Amendments to PCAOB Standards, Rules, and Forms, PCAOB Rel. No.
2022-006 (Nov. 18, 2022) (``proposal'' or ``proposed standards''),
available on the Board's website in Docket 046.
---------------------------------------------------------------------------
In a separate release, the Board also adopted a new auditing
standard, AS 1000, General Responsibilities of the Auditor in
Conducting an Audit, that addresses the general principles and
responsibilities of the auditor.\2\ This release includes references to
AS 1000, where appropriate
---------------------------------------------------------------------------
\2\ See General Responsibilities of the Auditor in Conducting an
Audit and Amendments to PCAOB Standards, PCAOB Rel. No. 2024-004
(May 13, 2024) (``Auditor Responsibilities Release'').
---------------------------------------------------------------------------
Improving the Board's QC Standards
The Board strongly believes that an effective quality control
system facilitates continuous improvement. Over time, the PCAOB's
oversight experience suggests that firm QC systems fall short. For
example, PCAOB inspectors observed that approximately 40% of the issuer
audits they reviewed in 2022 had one or more deficiencies where the
auditor failed to obtain sufficient appropriate audit evidence to
support its opinion, an increase of six percentage points over the
deficiency rate in 2021 and 11 percentage points over the rate in
2020.\3\ In all those cases, auditors issued audit opinions without
completing the audit work that PCAOB standards require for them to
obtain reasonable assurance about whether the financial statements were
free of material misstatement and/or whether the issuers maintained, in
all material respects, effective internal control over financial
reporting.
---------------------------------------------------------------------------
\3\ See Spotlight: Staff Update and Preview of 2022 Inspection
Observations (July 2023) (``2022 Inspection Observations Preview''),
at 3, available at <a href="https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/spotlight-staff-preview-2022-inspection-observations.pdf?sfvrsn=1b116d49_4">https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/spotlight-staff-preview-2022-inspection-observations.pdf?sfvrsn=1b116d49_4</a>.
---------------------------------------------------------------------------
Every step of this rulemaking--from the December 2019 concept
release,\4\ to the proposal, to adoption--has been informed by
extensive research and outreach, as well as by PCAOB inspections and
enforcement activities. The PCAOB's current QC standards were developed
decades ago and issued by the American Institute of Certified Public
Accountants (``AICPA'') before the PCAOB was established. The auditing
environment has changed significantly since that time, including
evolving and greater use of technology, and increasing auditor use of
outside resources, such as other accounting firms and providers of
support services. Firms themselves have also changed significantly, as
has the role of firm networks. And advances in internal control,
quality management, and enterprise risk management suggest that factors
such as active involvement of leadership, focus on risk, clearly
defined objectives, objective-oriented processes, monitoring, and
remediation of identified issues can contribute to more effective QC.
These developments have, in part, led to PCAOB advisory groups' general
support for strengthening the QC standards, including through risk-
based elements and enhanced requirements for firm governance and
leadership.
---------------------------------------------------------------------------
\4\ See Concept Release, Potential Approach to Revisions to
PCAOB Quality Control Standards, PCAOB Rel. No. 2019-003 (Dec. 17,
2019) (``concept release''), available on the Board's website in
Docket 046.
---------------------------------------------------------------------------
Taking into account those considerations, as well as the comments
the Board received on the concept release and proposal, the Board
believes that improving PCAOB standards will lead firms to improve
their QC systems. This should result in more consistent
[[Page 49589]]
compliance with applicable requirements, which ultimately better serves
and protects investors. The specific improvements the Board adopted
include:
<bullet> Emphasizing accountability, firm culture and the ``tone at
the top,'' and firm governance through requirements for specified roles
within and responsibilities for the QC system, including at the highest
levels of the firm; quality objectives that link compensation to
quality; and, for the largest firms, the requirement of an independent
perspective in firm governance;
<bullet> Striking the right balance between a risk-based approach
to QC--which should drive firms to proactively identify and manage the
specific risks associated with their practice--and a set of mandates,
including required risk assessment and other QC-related processes,
quality objectives, and quality responses--which should assure that the
QC system is designed, implemented, and operated with an appropriate
level of rigor;
<bullet> Addressing changes in the audit practice environment,
including the increasing participation of other firms and other outside
resources, the role of firm networks, the evolving use of technology
and other resources, and the increasing importance of internal and
external firm communications;
<bullet> Broadening responsibilities for monitoring and remediation
of deficiencies to create a more effective ongoing feedback loop that
drives continuous improvement; and
<bullet> Requiring a rigorous annual evaluation of the firm's QC
system and related reporting to the PCAOB, certified by key firm
personnel, to underscore the importance of the annual evaluation of the
QC system, reinforce individual accountability, and support PCAOB
oversight.
Framework of the QC Standard
The Board carefully considered the characteristics of an
appropriate framework for a PCAOB QC standard that could accomplish its
regulatory goals. As a threshold issue, section 103 of the Sarbanes-
Oxley Act of 2002 (``Sarbanes-Oxley'') provides that PCAOB QC standards
must include requirements regarding certain specified matters, and also
grants the Board broad authority to include such other requirements as
it may prescribe in carrying out its investor protection mandate. The
Board also considered how best to capture areas it had identified for
improvement and how best to foster consistent, compliant implementation
by the firms it regulates. Because the Board believes it is the best
structure for accomplishing its goals, the Board adopted the QC 1000
framework as proposed.
The Board notes that the framework has commonalities with other
international and domestic standards for firm QC systems, though it
goes beyond those requirements in a number of areas, including with
regard to firm governance of the largest firms, more specific
requirements for monitoring and remediation and the evaluation of the
QC system, an ethics and independence component aligned with SEC and
PCAOB requirements, and more specific provisions addressing technology
and externally communicated firm-level and engagement-level information
and metrics. The Board believes that building on a well-understood
basic framework, appropriately tailored and strengthened to address its
legal and regulatory environment and its investor protection mandate,
will enable firms to implement and comply with QC 1000 more
effectively. In designing, implementing, and operating their QC
systems, firms that are subject to both PCAOB standards and other
international or domestic QC standards--which the Board believes
constitute a very substantial majority of the firms that perform
engagements under PCAOB standards--can leverage the work they have
already done and the investments they have already made to comply with
those other requirements.
QC 1000
The Board developed QC 1000 with a view to its statutory mandate to
protect the interests of investors and the public interest, and the
Board believes the new standard will facilitate the consistent
preparation and issuance of informative, accurate, and independent
engagement reports. The final standard provides a framework for a QC
system that is grounded in an ongoing process of proactively
identifying and managing risks to quality, with a feedback loop from
ongoing monitoring and remediation that should drive continuous
improvement, an explicit focus on firm governance and leadership, firm
culture, and individual accountability, and specific direction in a
number of areas that current PCAOB standards do not address directly.
QC 1000 primarily consists of:
Two process components
<bullet> The firm's risk assessment process
<bullet> The monitoring and remediation process
Six components that address aspects of the firm's organization and
operations
<bullet> Governance and leadership
<bullet> Ethics and independence
<bullet> Acceptance and continuance of engagements
<bullet> Engagement performance
<bullet> Resources
<bullet> Information and communication
Requirements for evaluation of and reporting on the QC system
<bullet> Annual evaluation of the effectiveness of the QC system
<bullet> Reporting to the PCAOB on the QC system evaluation
The standard also includes requirements regarding individual roles
and responsibilities in the QC system and documentation requirements.
Scalability
In the Board's view, the basic objectives of the QC system should
be the same for all firms, but the scope of the QC standard and how it
applies should take into account the wide disparities in nature and
circumstances across registered firms, in particular the extent to
which their practices include engagements required to be performed
under PCAOB standards and the complexity of such engagements. The risks
that firms face, and therefore the specific policies and procedures
necessary to appropriately serve investor interests through an
effective QC system, vary significantly from the largest firms,
operating as part of global networks, to local firms or sole
proprietorships. QC 1000 establishes a uniform basic structure to be
used by all firms, within which firms will be required to pursue an
approach to quality control that is appropriate in light of the risks
associated with their particular PCAOB audit practice. Aspects of the
new standard are risk-based, and to that extent inherently scalable. In
addition, it imposes more stringent requirements for the largest firms
in some areas, while enabling smaller firms to comply with the core
requirements in ways that take into account these firms' size and the
complexity of audits performed by them.
Scalability: Larger PCAOB Audit Practice
The Board believes that firms with a particularly extensive PCAOB
audit practice (i.e., those that issue audit reports for more than 100
issuers per year) should be subject to enhanced requirements, given
such firms' greater complexity and the relatively greater public
interest implicated by the fact that they audit companies that make up
[[Page 49590]]
a substantial majority of U.S. public market capitalization. The
incremental requirements under QC 1000 for such firms include:
<bullet> An external oversight function for the QC system compose
of one or more persons who can exercise independent judgment related to
the QC system;
<bullet> A program for collecting and addressing complaints and
allegations that includes confidentiality protections;
<bullet> An automated system to track investments that may bear on
independence; and
<bullet> Required monitoring of in-process engagements.
Scalability: Smaller PCAOB Audit Practice
Many firms perform only a small number of PCAOB engagements per
year and are subject to resource constraints that larger PCAOB audit
practices do not face. The Board has addressed the particular needs of
these firms in a number of ways, including:
<bullet> Providing that a single individual may be assigned more
than one of the QC system oversight roles required under the standard;
and
<bullet> Allowing firms that issue five or fewer engagement reports
for issuers or broker-dealers in a year to include audits not performed
under PCAOB auditing standards in some of their monitoring activities.
Scalability: Firms That Do Not Have Responsibilities in Relation to a
PCAOB Engagement
All registered firms will be required to design a QC system that
meets the requirements of QC 1000. Firms will be required to implement
and operate the QC system in compliance with QC 1000 when they lead an
engagement under PCAOB standards, play a substantial role in the
preparation or furnishing of an audit report (as defined in PCAOB
rules), or have current responsibilities under applicable professional
and legal requirements regarding any such engagement. This approach
reflects the Board's view that all firms that register with the PCAOB
should be appropriately prepared to perform a PCAOB engagement,
regardless of whether they are currently subject to requirements with
respect to one, while limiting the costs of compliance in circumstances
where the risk to investor protection is minimal.
Key Changes From the QC 1000 Proposal
Key changes from the proposal include:
<bullet> For the firms with larger PCAOB audit practices, the
requirement to include an independent oversight function for their QC
system has been refined. Under the final rule, the external quality
control function (``EQCF'') will be composed of one or more persons who
are not principals or employees of the firm and do not otherwise have a
relationship with the firm that would interfere with the exercise of
independent judgment with regard to matters related to the QC system.
The responsibilities of the EQCF may vary across firms but include, at
a minimum, evaluating the significant judgments made and the related
conclusions reached by the firm when evaluating and reporting on the
effectiveness of its QC system.
<bullet> The final rule requires firms to report on their QC system
evaluation to the PCAOB, but not to the audit committee, as proposed.
Legal constraints limit our ability to require public disclosures about
the effectiveness of firms' QC systems at the level that some investors
have requested. While the final rule recognizes the impediments to
requiring public disclosure of QC system evaluation, the Board remains
committed to finding additional ways of providing public disclosure to
better inform investors about firms and PCAOB audit engagements. To
that end, we have separately proposed a set of firm-level and
engagement-level metrics across 11 areas that would be reported
publicly.
<bullet> The timing of the QC system evaluation and reporting has
changed. Under the final rule, the evaluation date for the annual
evaluation of the QC system is September 30, rather than November 30 as
proposed, with Form QC due by November 30 rather than January 15 of the
following year. This shift allows more time between the evaluation date
and the filing date than we proposed, but still allows sufficient time
to generally enable the firm's monitoring activities to identify
deficiencies in calendar year-end engagements and the results of that
monitoring to be included in the evaluation.
Other Changes to PCAOB Standards, Rules, and Forms
In connection with the adoption of QC 1000, the Board also adopted
other changes to PCAOB standards, rules, and forms. These include,
among other changes, expanding the auditor's responsibility to respond
to deficiencies on completed engagements under an amended and retitled
AS 2901, Responding to Engagement Deficiencies After Issuance of the
Auditor's Report, and related amendments to AT No. 1, Examination
Engagements Regarding Compliance Reports of Brokers and Dealers, and AT
No. 2, Review Engagements Regarding Exemption Reports of Brokers and
Dealers; and replacing the existing standard ET 102, Integrity and
Objectivity, with a new standard, EI 1000, Integrity and Objectivity,
to better align PCAOB ethics requirements with the scope, approach, and
terminology of QC 1000.
Effective Date
If approved by the SEC, the final standard and related amendments
to auditing standards, rules, and forms will take effect on December
15, 2025, with the initial evaluation of the QC system to be performed
as of September 30, 2026, and initial reporting to the PCAOB by
November 30, 2026. Firms will be permitted to elect to comply with the
requirements of QC 1000, except reporting to the PCAOB on the annual
evaluation of the QC system, before the effective date, at any point
after SEC approval of the final standard and related amendments.
(b) Statutory Basis
The statutory basis for the proposed rules is Title I of Sarbanes-
Oxley.
B. Board's Statement on Burden on Competition
Not applicable. The Board's consideration of the economic impacts
of the proposed rules is discussed in section D below.
C. Board's Statement on Comments on the Proposed Rules Received From
Members, Participants or Others
The Board issued a concept release regarding potential changes to
quality control standards for public comment in PCAOB Release No. 2019-
003 (Dec. 17, 2019). The Board received 36 written comment letters on
the concept release. The Board released the proposed rule amendment for
public comment in PCAOB Release No. 2022-006 (Nov. 18, 2022). The Board
received 43 written comment letters on its proposal. The Board has
carefully considered all comments received. The Board's response to the
comments it received and the changes made to the rules in response to
the comments received are discussed below.
Background
This section presents background information on this rulemaking,
including an overview of existing PCAOB QC requirements and current
practice, a review of other developments
[[Page 49591]]
since the current QC requirements were adopted, a summary of relevant
actions taken by other standard setters, a discussion of PCAOB research
and outreach efforts related to QC, the December 2019 concept release
and 2022 proposal, and a summary of the key areas the Board has
identified for improvement of the QC standards.
Overview of Existing Requirements and Current Practice
1. Requirements of the Sarbanes-Oxley Act of 2002
Sarbanes-Oxley requires the Board to establish certain professional
standards, including quality control standards, to be used by
registered public accounting firms in the preparation and issuance of
audit reports for issuers, brokers, and dealers.\5\ Furthermore,
Sarbanes-Oxley requires the PCAOB's QC standards to address:
---------------------------------------------------------------------------
\5\ See sections 101(c)(2) and 103(a)(1) of Sarbanes-Oxley, 15
U.S.C. 7211(c)(2), 7213(a)(1). This release uses the terms
``issuer,'' ``broker,'' and ``dealer'' as defined in Sarbanes-Oxley.
See section 2(a)(7) of Sarbanes-Oxley, 15 U.S.C. 7201(7) (defining
``issuer''); Sections 110(3) and (4) of Sarbanes-Oxley, 15 U.S.C.
7220(3), (4) (defining ``broker'' and ``dealer''); see also PCAOB
Rules 1001(b)(iii), (d)(iii), (i)(iii) (defining ``broker,''
``dealer,'' and ``issuer,'' respectively). Entities that are brokers
or dealers or both are sometimes referred to herein as ``broker-
dealers.''
---------------------------------------------------------------------------
<bullet> Monitoring of professional ethics and independence from
issuers, brokers, and dealers on behalf of which the firm issues audit
reports;
<bullet> Consultation within the firm on accounting and auditing
questions;
<bullet> Supervision of audit work;
<bullet> Hiring, professional development, and advancement of
personnel;
<bullet> Acceptance and continuation of engagements;
<bullet> Internal inspection; and
<bullet> Such other requirements as the Board may prescribe.\6\
---------------------------------------------------------------------------
\6\ See section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C.
7213(a)(2)(B).
---------------------------------------------------------------------------
2. Current PCAOB QC Standards
Under current PCAOB standards, a QC system is a process to provide
a firm with reasonable assurance that its personnel comply with
applicable professional standards and the firm's standards of
quality.\7\ The QC system encompasses the firm's organizational
structure and the policies adopted and procedures established to
provide that reasonable assurance.\8\
---------------------------------------------------------------------------
\7\ See paragraph .03 of QC 20, System of Quality Control for a
CPA Firm's Accounting and Auditing Practice.
\8\ See QC 20.04.
---------------------------------------------------------------------------
Current PCAOB QC standards were adopted on an interim, transitional
basis in 2003 from QC standards originally developed and issued by the
AICPA.\9\ They include three general QC standards that apply to all
firms.\10\ Beyond that, they also include certain requirements of
membership in the AICPA's former SEC Practice Section (``SECPS''),
which apply only to firms that were SECPS members immediately prior to
the adoption of the PCAOB's interim QC standards. Below is an overview
of the general QC standards and the SECPS member requirements.
---------------------------------------------------------------------------
\9\ See PCAOB Rule 3400T, Interim Quality Control Standards; see
also Establishment of Interim Professional Auditing Standards, PCAOB
Rel. No. 2003-006 (Apr. 18, 2003).
\10\ Under PCAOB Rule 3400T(a), all firms are required to comply
with QC standards as described in ``the AICPA's Auditing Standards
Board's Statements on Quality Control Standards, as in existence on
April 16, 2003 (AICPA Professional Standards, QC Sec. Sec. 20-40
(AICPA 2002)), to the extent not superseded or amended by the
Board.''
---------------------------------------------------------------------------
a. General QC Standards
i. QC 20, System of Quality Control for a CPA Firm's Accounting and
Auditing Practice
QC 20 provides that a firm should have a system of quality control
that provides the firm with reasonable assurance that its personnel
comply with applicable professional standards and the firm's standards
of quality.\11\ In the context of engagement performance, the system of
quality control should also provide reasonable assurance that the work
performed meets applicable regulatory requirements.\12\
---------------------------------------------------------------------------
\11\ See QC 20.03.
\12\ See QC 20.17.
---------------------------------------------------------------------------
The firm's quality control policies and procedures should address
the following elements:
<bullet> Independence, integrity, and objectivity;
<bullet> Personnel management;
<bullet> Acceptance and continuance of clients and engagements;
<bullet> Engagement performance; and
<bullet> Monitoring.\13\
---------------------------------------------------------------------------
\13\ See QC 20.07.
---------------------------------------------------------------------------
These elements of quality control are interrelated.\14\ Policies
and procedures should be established to provide the firm with
reasonable assurance with respect to each of these elements of QC. An
appropriate individual or individuals in the firm should be assigned
responsibility for the design and maintenance of the various quality
control policies and procedures.\15\ These policies and procedures
should be communicated in a manner that provides reasonable assurance
that personnel will understand and comply.\16\ Additionally,
documentation should be prepared to demonstrate compliance with the
firm's policies and procedures for the elements of quality control.\17\
---------------------------------------------------------------------------
\14\ See QC 20.08.
\15\ See QC 20.22.
\16\ See QC 20.23.
\17\ See QC 20.25.
---------------------------------------------------------------------------
ii. QC 30, Monitoring a CPA Firm's Accounting and Auditing Practice
QC 30 addresses how a firm should implement the monitoring element
of quality control discussed in QC 20. Monitoring involves an ongoing
consideration and evaluation of the following:
<bullet> The relevance and adequacy of the firm's policies and
procedures;
<bullet> The appropriateness of the firm's guidance materials and
any practice aids;
<bullet> The effectiveness of professional development activities;
and
<bullet> Compliance with the firm's policies and procedures.\18\
---------------------------------------------------------------------------
\18\ See QC 30.02.
---------------------------------------------------------------------------
Under QC 30, monitoring procedures should enable the firm to obtain
reasonable assurance that its system of quality control is
effective.\19\ A firm's monitoring procedures may include:
---------------------------------------------------------------------------
\19\ See QC 30.03.
---------------------------------------------------------------------------
<bullet> Inspection procedures;
<bullet> Pre-issuance or post-issuance review of selected
engagements;
<bullet> Analysis and assessment of:
<bullet> New professional pronouncements;
<bullet> Results of independence confirmations;
<bullet> Continuing professional education (``CPE'') and other
professional development activities undertaken by firm personnel;
<bullet> Decisions related to acceptance and continuance of client
relationships and engagements;
<bullet> Interviews of firm personnel;
<bullet> Determination of any corrective actions to be taken and
improvements to be made in the quality control system;
<bullet> Communication to appropriate firm personnel of any
weaknesses identified in the quality control system or in the level of
understanding or compliance therewith; and
<bullet> Follow-up by appropriate firm personnel to ensure that any
necessary modifications are made to the quality control policies and
procedures on a timely basis.\20\
---------------------------------------------------------------------------
\20\ See QC 30.03.
---------------------------------------------------------------------------
The nature and extent of monitoring procedures generally depends on
the firm's size and the nature and complexity of the firm's
practice.\21\ QC 30 provides that individuals in a small firm may
perform monitoring procedures, including post-issuance review of
engagement working papers, reports, and clients' financial
[[Page 49592]]
statements, with respect to their own compliance with the firm's QC
policies and procedures, but only if such individuals are able to
critically review their own performance, assess their own strengths and
weaknesses, and maintain an attitude of continual improvement.\22\
---------------------------------------------------------------------------
\21\ See, e.g., QC 30.05, .10, .11.
\22\ See QC 30.09, .10.
---------------------------------------------------------------------------
iii. QC 40, The Personnel Management Element of a Firm's System of
Quality Control--Competencies Required by a Practitioner-in-Charge of
an Attest Engagement
QC 40 addresses the personnel management element of the quality
control system. Personnel management includes hiring, assigning
personnel to engagements, professional development, and advancement
activities. Policies and procedures should be established to provide
the firm with reasonable assurance that:
<bullet> Those hired possess the appropriate characteristics to
enable them to perform competently.
<bullet> Work is assigned to personnel having the degree of
technical training and proficiency required in the circumstances.
Personnel participate in general and industry-specific continuing
professional education and other professional development activities
that enable them to fulfill responsibilities assigned, and satisfy
applicable professional education requirements of the AICPA, and
regulatory agencies.
<bullet> Personnel selected for advancement have the qualifications
necessary for fulfillment of the responsibilities they will be called
on to assume.\23\
---------------------------------------------------------------------------
\23\ See QC 40.02.
---------------------------------------------------------------------------
A firm's policies and procedures related to personnel management
should be designed to provide a firm with reasonable assurance that
practitioners-in-charge of engagements (i.e., engagement partners)
possess the kinds of competencies that are appropriate given the
circumstances of the client engagement.\24\ Competencies are the
knowledge, skills, and abilities that enable an engagement partner to
be qualified to perform an engagement.\25\ Competencies may be gained
in various ways, including through relevant industry, governmental, and
academic positions.\26\ A firm's policies and procedures should
ordinarily address the following competencies for an engagement
partner:
---------------------------------------------------------------------------
\24\ See QC 40.03.
\25\ See QC 40.04.
\26\ See QC 40.05.
---------------------------------------------------------------------------
<bullet> Understanding of the role of a system of quality control
and a code of professional conduct;
<bullet> Understanding of the service to be performed;
<bullet> Technical proficiency;
<bullet> Familiarity with the industry;
<bullet> Professional judgment; and
<bullet> Understanding the organization's information technology
systems.\27\
---------------------------------------------------------------------------
\27\ See QC 40.08.
---------------------------------------------------------------------------
Under QC 40, these competencies are interrelated.\28\ When
establishing policies and procedures related to competencies needed by
an engagement partner, a firm may need to consider the requirements of
policies and procedures established for other elements of quality
control.\29\
---------------------------------------------------------------------------
\28\ See QC 40.09.
\29\ See QC 40.10.
---------------------------------------------------------------------------
b. SECPS Member Requirements
The SECPS was a division of the AICPA for U.S. firms that audited
public companies, which established incremental quality control
requirements for its members. The SECPS requirements originally applied
to all U.S. firms that audited public companies under AICPA standards.
The SECPS ceased to exist following the establishment of the PCAOB.
Under PCAOB rules, certain SECPS requirements still apply to firms
that were members of the SECPS as of April 16, 2003.\30\ Based on
current registration data, the SECPS member requirements apply to 201
(approximately 12% of) PCAOB-registered firms, including 11 of the 14
annually inspected firms in 2023.
---------------------------------------------------------------------------
\30\ PCAOB Rule 3400T(b) requires certain firms to comply with
QC standards as described in ``the AICPA SEC Practice Section's
Requirements of Membership (d), (l), (m), (n)(1) and (o), as in
existence on April 16, 2003 (AICPA SEC Practice Section Manual
1000.08(d), (j), (m), (n)(1) and (o)), to the extent not superseded
or amended by the Board.'' The note to Rule 3400T provides that
those requirements ``only apply to those registered public
accounting firms that were members of the AICPA SEC Practice Section
on April 16, 2003.'' One of the SECPS member requirements,
concerning concurring partner review, was superseded in 2009 by the
PCAOB's adoption of AS 1220, Engagement Quality Review.
---------------------------------------------------------------------------
i. Section 1000.08(d)--Continuing Professional Education of Audit Firm
Personnel
Section 1000.08(d) requires SECPS member firms to ensure that all
professionals residing in the United States, both CPAs and non-CPAs,
participate in at least 20 hours of qualifying CPE every year and at
least 120 hours every three years.\31\ Professionals who devote at
least 25% of their time to performing audit, review, or other attest
engagements, or who have responsibility for supervision or review of
such engagements, must obtain at least 40% of their CPE hours in
subjects related to accounting and auditing.\32\
---------------------------------------------------------------------------
\31\ See SECPS 1000.08(d).
\32\ See SECPS 1000.08(d).
---------------------------------------------------------------------------
Additional information on Section 1000.08(d)'s CPE requirements
appears in SECPS Section 8000, Continuing Professional Education
Requirements Effective for Educational Years Beginning After May 31,
2002.\33\ That information is summarized into three categories: (1)
record-keeping for each professional to ensure that each professional
adheres to all CPE requirements; (2) adherence to standards for CPE
program sponsors for each program sponsored by the member firm; and (3)
compliance with additional CPE requirements of the SECPS.\34\ Appendix
A to Section 8000 includes the AICPA policies related to CPE.
---------------------------------------------------------------------------
\33\ See SECPS 1000.08(d) (referring, in a footnote, to Section
8000).
\34\ See SECPS 8000.
---------------------------------------------------------------------------
ii. Section 1000.08(l)--Communication by Written Statement to All
Professional Personnel of Firm Policies and Procedures on the
Recommendation and Approval of Accounting Principles, Present and
Potential Client Relationships, and the Types of Services Provided
Section 1000.08(l) requires SECPS member firms to communicate,
through a written statement, to all professional firm personnel the
broad principles that influence the firm's quality control and
operating policies and procedures.\35\ Periodic communication also must
inform professional firm personnel that compliance with those
principles is mandatory.\36\
---------------------------------------------------------------------------
\35\ See SECPS 1000.08(l). Section 1000.08(l) includes a cross-
reference to Appendix H SECPS Section 1000.42, Illustrative
Statement of Firm Philosophy, which provides an illustration of such
a statement.
\36\ See id.
---------------------------------------------------------------------------
iii. Section 1000.08(m)--Notification of the Commission of Resignations
and Dismissals From Audit Engagements for Commission Registrants
Section 1000.08(m) requires that, if an SECPS member firm has
resigned, declined to stand for reelection, or been dismissed as the
auditor of an SEC registrant and the registrant has not reported the
change in auditors to the SEC in a timely filed Form 8-K, the member
firm is to report that the client-auditor relationship has ceased
directly, in writing, to the former SEC client and the SEC within five
business days.\37\
---------------------------------------------------------------------------
\37\ See SECPS 1000.08(m). Section 1000.08(m) cross-references
Appendix D SECPS Section 1000.38, Revised Definition of an SEC
Client, which provides the definition of an SEC client, as well as
Appendix I SECPS Section 1000.43, Standard Form of Letter Confirming
the Cessation of the Client-Auditor Relationship, which provides a
standard form of such report.
---------------------------------------------------------------------------
[[Page 49593]]
iv. Section 1000.08(n)--Audit Firm Obligations With Respect to the
Policies and Procedures of Correspondent Firms and of Other Members of
International Firms or International Associations of Firms
Section 1000.08(n) requires SECPS member firms that are members of,
correspondents with, or similarly associated with international firms
or international associations of firms to seek adoption of policies and
procedures that are consistent with the objectives in Appendix K (SECPS
Section 1000.45), SECPS Member Firms With Foreign Associated Firms That
Audit SEC Registrants.\38\
---------------------------------------------------------------------------
\38\ See SECPS 1000.08(n).
---------------------------------------------------------------------------
Appendix K was adopted with the intention of enhancing the quality
of SEC filings by issuers whose financial statements are audited by
foreign associated firms of SECPS member firms.\39\ It requires SECPS
member firms to seek adoption by their international organizations or
individual foreign associated firms of certain policies and procedures,
including:
---------------------------------------------------------------------------
\39\ See SECPS 1000.45.01.
---------------------------------------------------------------------------
<bullet> Procedures to be performed on certain SEC filings by a
filing reviewer who is knowledgeable in applicable accounting and
auditing standards, independence requirements, and SEC rules and
regulations;
<bullet> Inspection procedures for a sample of audit engagements
performed by foreign associated firms for issuer clients, to be
performed by inspection reviewers who are knowledgeable in the same
areas as filing reviewers; and
<bullet> Policies and procedures under which disagreements between
the filing or inspection reviewer and the audit partner-in-charge
should be resolved in accordance with the policy of the international
organization or the filing or inspection reviewer's firm.\40\
---------------------------------------------------------------------------
\40\ See id.
---------------------------------------------------------------------------
v. Section 1000.08(o)--Policies and Procedures To Comply With
Independence Requirements
Section 1000.08(o) requires SECPS member firms to have policies and
procedures in place to comply with applicable independence
requirements.\41\ Section 1000.08(o) cross-references Appendix L, SECPS
Section 1000.46, Independence Quality Controls, which requires firms to
establish written policies \42\ covering relationships with
``restricted entities,'' for example, relationships between the
restricted entity and the member firm, its benefit plans, and its
professionals.\43\ These relationships include investments, loans,
brokerage accounts, business relationships, employment relationships,
proscribed services, and fee arrangements.\44\ Firms should maintain a
database that includes all restricted entities (``restricted entity
list'') and make the restricted entity list available to the firm's
professionals and to foreign associated firms.\45\
---------------------------------------------------------------------------
\41\ See SECPS 1000.08(o).
\42\ PCAOB rules do not mandate that writings be paper-based.
See, e.g., paragraph .04 of AS 1215, Audit Documentation (audit
documentation may be in the form of paper, electronic files, or
other media).
\43\ See SECPS 1000.46 (requirement 1).
\44\ See id.
\45\ See SECPS 1000.46 (requirements 4, 5, and 6).
---------------------------------------------------------------------------
A senior-level partner should be designated to oversee the
independence policies and maintain and communicate the restricted
entity list.\46\ The policies and procedures also should require:
---------------------------------------------------------------------------
\46\ See SECPS 1000.46 (requirement 5).
---------------------------------------------------------------------------
<bullet> Reviewing the restricted entity list prior to obtaining
any security;
<bullet> Obtaining independence certifications from the firm's
professionals;
<bullet> Reporting violations of policies;
<bullet> Establishing a monitoring system; and
<bullet> Developing policies for potential sanctions for violations
of the firm's policies and procedures or professional independence
requirements.\47\
---------------------------------------------------------------------------
\47\ See SECPS 1000.46 (requirement 7).
---------------------------------------------------------------------------
The policies and procedures should be made available to all
professionals and a training program should be established to provide
reasonable assurance that professionals understand the policies.\48\
---------------------------------------------------------------------------
\48\ See SECPS 1000.46 (requirement 3).
---------------------------------------------------------------------------
3. Observations From Oversight Activities
In the course of conducting inspections of registered public
accounting firms \49\ and investigating potential violations of PCAOB
standards and other related laws and rules governing audits of public
companies and audits and attestation engagements of broker-dealers, the
PCAOB may identify deficiencies in firms' execution of engagements and
in firms' QC systems. Oversight activities also help the PCAOB to
identify good practices, both for engagements and for QC systems. The
PCAOB also considers information derived from the SEC's enforcement
program.
---------------------------------------------------------------------------
\49\ The information on inspections and remediation efforts is
limited to those firms that are subject to inspection by the PCAOB.
---------------------------------------------------------------------------
Over time, firms have implemented a number of changes to their QC
systems to remediate deficiencies identified through the PCAOB's
inspections program.\50\ Examples of changes firms have made in
response to the Board's inspections include: \51\
---------------------------------------------------------------------------
\50\ Additional information about the PCAOB remediation process
is available on the PCAOB website at <a href="https://pcaobus.org/oversight/inspections/remediation/remediation_process">https://pcaobus.org/oversight/inspections/remediation/remediation_process</a>.
\51\ Examples are drawn from firms' Rule 4009 submissions. A
Rule 4009 submission is a confidential submission prepared by a
firm, pursuant to PCAOB Rule 4009, Firm Response to Quality Control
Defects, concerning the ways in which a firm has addressed a QC
criticism. For additional background, see The Process for Board
Determinations Regarding Firms' Efforts to Address Quality Control
Criticisms in Inspection Reports, PCAOB Rel. No. 104-2006-077 (Mar.
21, 2006).
---------------------------------------------------------------------------
<bullet> Independence--Creating automated links between the firm's
tools for tracking subcontractors and evaluating and tracking business
relationships to ensure that independence evaluations are complete and
timely;
<bullet> Engagement Performance--Implementing new policies and
procedures for engagement teams to focus on obtaining a thorough
understanding of how issuers initiate, record, process, and report
significant classes of transactions and how that information is
recorded in the financial statements;
<bullet> Resources--Creating a committee to evaluate partner
performance in relation to audit quality and establishing an
accountability framework with penalties for negative audit quality
events;
<bullet> Monitoring and Remediation--Adding new leadership
positions to the internal inspection program, developing new analysis
and reporting of internal inspection findings, and disseminating such
findings more broadly; and
<bullet> Monitoring and Remediation--Adding in-process review and
coaching programs to assist engagement teams in certain challenging
areas, including internal control over financial reporting (``ICFR'')
and accounting estimates.
Observations from PCAOB oversight activities have shown that
improvements in quality controls can enhance the quality of
engagements.\52\ However, PCAOB inspections continue to identify
deficiencies related to engagements and the operation of firm QC
systems, suggesting that not all firms have made meaningful
improvements in these areas. Moreover, the pervasiveness of recent
findings regarding such
[[Page 49594]]
deficiencies--both in terms of the number of firms affected and the
percentage of deficient engagements--suggests that an updated QC
standard is needed to drive proactive, systemic, and consistent
improvements in audit quality rather than just case-by-case
improvements in response to firm-specific findings.
---------------------------------------------------------------------------
\52\ See, e.g., Spotlight: Staff Update and Preview of 2021
Inspection Observations (Dec. 2022) (``2021 Inspection Observations
Preview''), at 20-22, available at <a href="https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/staff-preview-2021-inspection-observations-spotlight.pdf?sfvrsn=d2590627_4">https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/staff-preview-2021-inspection-observations-spotlight.pdf?sfvrsn=d2590627_4</a>; Staff Inspection
Brief: Staff Preview of 2018 Inspections Observations (May 6, 2019)
(``2018 Inspection Observations Preview''), at 1-4, available at
<a href="https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/inspections/documents/staff-preview-2018-inspection-observations.pdf?sfvrsn=b5f8cb09_0">https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/inspections/documents/staff-preview-2018-inspection-observations.pdf?sfvrsn=b5f8cb09_0</a>.
---------------------------------------------------------------------------
The following discussion summarizes recent observations from PCAOB
inspections \53\ and investigations of QC systems, including
deficiencies and violations--instances of noncompliance with PCAOB
requirements--and good practices that the Board believes support and
strengthen QC systems. The Board has taken these observations into
account in developing the final QC standard and related amendments,
rules, and forms.
---------------------------------------------------------------------------
\53\ PCAOB inspections are designed to assess a firm's
compliance with PCAOB standards and rules and other applicable
regulatory and professional requirements with respect to the firm's
QC system and in the portions of engagements selected for review. An
inspection does not involve a review of all aspects of a firm's QC
system. An inspection also does not necessarily involve a review of
all of a firm's engagements, nor is it designed to identify every
deficiency in the reviewed engagements. The inspection data are
derived from PCAOB inspection reports. Part II of PCAOB inspection
reports include criticisms of, and potential defects in, a firm's QC
system, to the extent any are identified. The PCAOB includes, in
Part II of its inspection reports, deficiencies observed in
inspections of individual engagements when the results indicate that
the firm's QC system does not provide reasonable assurance that firm
personnel will comply with applicable professional standards and
regulatory requirements. In evaluating whether engagement
observations are indicative of QC deficiencies, PCAOB staff consider
the nature, significance, and frequency of deficiencies; related
firm methodology, guidance, and practices; and possible root causes.
---------------------------------------------------------------------------
a. QC Deficiencies and Violations Observed From Oversight Activities
PCAOB observations have generally revealed that while some firms
have made improvements to their QC systems, the progress has been
uneven. Even taking that progress into account, in roughly a third of
the issuer audits the PCAOB inspected from 2020 to 2022, the auditor's
opinion was not adequately supported.\54\ This suggests that there is
significant room for improvement in QC systems' ability to provide
reasonable assurance that firm engagements are performed in accordance
with applicable professional standards and regulatory requirements.
---------------------------------------------------------------------------
\54\ See Figure 1 below, and accompanying text for an analysis
of 2011-2022 inspections data.
---------------------------------------------------------------------------
As described below, the PCAOB's observations all too frequently
indicate that firms' QC systems did not appear to provide reasonable
assurance that firm personnel will comply with applicable professional
standards in, among others, the areas of: (1) acceptance of
engagements; (2) engagement performance; (3) independence, integrity,
and objectivity; (4) personnel management; (5) monitoring; and (6)
engagement quality reviews. Below are examples of the PCAOB's
observations in these areas.
i. Acceptance of Engagements
A firm's QC system should provide the firm with reasonable
assurance that it undertakes only those engagements that the firm can
reasonably expect to be completed with professional competence.\55\
This includes taking into consideration, among other things, the
availability of resources to perform an engagement and the competence
of those resources. The PCAOB has observed instances where a firm's
lack of policies and procedures in the area of engagement acceptance
and continuance resulted in accepting new engagements that were not
completed with professional competence and resulted in numerous
violations of PCAOB auditing standards.\56\
---------------------------------------------------------------------------
\55\ See QC 20.15.
\56\ See, e.g., In the Matter of WithumSmith+Brown, PC, PCAOB
Rel. No. 105-2024-010 (Feb. 20, 2024); In the Matter of Jack Shama
and Jack Shama, CPA, PCAOB Rel.e No. 105-2024-004 (Jan. 23, 2024);
In the Matter of Shandong Haoxin Certified Public Accountants Co.,
Ltd., LIU Kun, MA Yao, SUN Penghuan, and ZHU Dawei, PCAOB Rel. No.
105-2023-045 (Nov. 30, 2023); In the Matter of Alfonse Gregory
Giugliano, CPA, SEC Accounting and Auditing Enforcement Release
(``AAER'') No. 4458 (Sept. 12, 2023); In the Matter of Marcum LLP,
PCAOB Rel. No. 105-2023-005 (June 21, 2023); In the Matter of Marcum
LLP, SEC AAER No. 4423 (June 21, 2023).
---------------------------------------------------------------------------
ii. Engagement Performance
A properly functioning QC system should provide the firm with
reasonable assurance that the work performed by engagement personnel
meets applicable professional standards, regulatory requirements, and
the firm's standards of quality.\57\ A QC system cannot provide
reasonable assurance if, for example, there are severe, frequent, or
widespread deficiencies, or recurring instances of similar types of
deficiencies at the engagement level. The PCAOB has observed
deficiencies and violations in a range of areas of engagement
performance, including, for example:
---------------------------------------------------------------------------
\57\ See QC 20.17.
---------------------------------------------------------------------------
<bullet> Failure to identify and test controls that address risks
of material misstatement or sufficiently evaluate review controls;
<bullet> Insufficient evaluation of significant assumptions or data
used in developing an estimate; \58\
---------------------------------------------------------------------------
\58\ See, e.g., WithumSmith+Brown, PC, PCAOB Rel. No. 105-2024-
010.
---------------------------------------------------------------------------
<bullet> Unwarranted reliance on data or reports used in testing an
issuer's financial reporting controls or in substantive testing; \59\
---------------------------------------------------------------------------
\59\ See, e.g., PKF O'Connor Davies, LLP, PCAOB Rel. No. 105-
2022-001.
---------------------------------------------------------------------------
<bullet> Engagement partners' failure to adequately supervise the
engagement with due professional care, which contributed to not
identifying deficiencies; \60\
---------------------------------------------------------------------------
\60\ See, e.g., Alfonse Gregory Giugliano, CPA, SEC AAER No.
4458; In the Matter of Deloitte Touche Tohmatsu Certified Public
Accountants, LLP, SEC AAER No. 4342 (Sept. 29, 2022); In the Matter
of RSM, SEC AAER No. 4346 (Sept. 30, 2022); In the Matter of
Mancera, S.C., Alejandro Valdez Mendoza, C.P., and Angel Radames
Corral Nieblas, C.P., SEC AAER No. 4198 (Dec. 17, 2020); In the
Matter of Whitley Penn LLP, Susan Lunn Powell, CPA, Jeffry Shannon
Lawlis, CPA, and John Griffin Babb, CPA, PCAOB Rel. No. 105-2020-002
(Mar. 24, 2020); In the Matter of David M. Burns, CPA, PCAOB Rel.
No. 105-2017-055 (Dec. 19, 2017); In the Matter of BDO Auditores,
S.L.P., Santiago Sa[ntilde][eacute] Figueras, and Jos[eacute]
Ignacio Alg[aacute]s Fern[aacute]ndez, PCAOB Rel. No. 105-2017-039
(Sept. 26, 2017); In the Matter of KPMG LLP and John Riordan, CPA,
SEC AAER No. 3888 (Aug. 15, 2017).
---------------------------------------------------------------------------
<bullet> Failure to implement and maintain adequate policies and
procedures to provide reasonable assurance that work is performed and
documented; \61\ and
---------------------------------------------------------------------------
\61\ See, e.g., WithumSmith+Brown, PC, PCAOB Rel. No. 105-2024-
010; In the Matter of SW Audit, PCAOB Rel. No. 105-2024-009 (Feb.
20, 2024); Shama, PCAOB Rel. No. 105-2024-004; In the Matter of
Haynie & Company, PCAOB Rel. No. 105-2024-001 (Jan. 23, 2024);
Shandong Haoxin Certified Public Accountants Co., Ltd., PCAOB Rel.
No. 105-2023-045; In the Matter of Deloitte & Touche S.A.S., PCAOB
Rel. No. 105-2023-025 (Sept. 26, 2023); Marcum LLP, SEC AAER No.
4423 ; Deloitte Touche Tohmatsu Certified Public Accountants, LLP,
SEC AAER No. 4342; In the Matter of HLB Mann Judd, Darryl Swindells,
and Aidan Smith, PCAOB Rel. No. 105-2020-008 (June 29, 2020); In the
Matter of Castillo Miranda y Compa[ntilde][iacute]a, S.C., Ignacio
Garc[iacute]a Pareras, Juan Mart[iacute]n Gudi[ntilde]o Casillas,
Luis Ra[uacute]l Michel Dom[iacute]nguez, Juan Francisco Olvera
D[iacute]az, Carlos Rivas Ramos, and Bernardo Soto Pe[ntilde]afiel,
PCAOB Rel. No. 105-2019-028 (Oct. 31, 2019); In the Matter of
Deloitte Anjin LLC, PCAOB Rel. No. 105-2019-025 (Oct. 31, 2019); In
the Matter of Deloitte Touche Tohmatsu Auditores Independentes,
PCAOB Rel. No 105-2016-031 (Dec. 5, 2016).
---------------------------------------------------------------------------
<bullet> Failure to ensure audits are performed under PCAOB
standards and not another framework.\62\
---------------------------------------------------------------------------
\62\ See, e.g., In the Matter of Dale Matheson Carr-Hilton
LaBonte LLP, PCAOB Rel. No. 105-2021-021 (Dec. 14, 2021); In the
Matter of WDM Chartered Professional Accountants and Mike Kao, PCAOB
Rel. No. 105-2021-016 (Sept. 30, 2021).
---------------------------------------------------------------------------
iii. Independence, Integrity, and Objectivity
A firm's QC system should also provide the firm with reasonable
assurance that personnel maintain independence--in fact and in
appearance--in all required circumstances.\63\ Observations relating to
auditor independence have been recurring over the last several
years.\64\
[[Page 49595]]
Examples of these observations frequently have included:
---------------------------------------------------------------------------
\63\ See QC 20.09.
\64\ See, e.g., 2022 Inspection Observations Preview at 18; 2021
Inspection Observations Preview at 19; PCAOB, Spotlight: Staff
Update and Preview of 2020 Inspection Observations (Oct. 2021)
(``2020 Inspection Observations Preview''), at 12, available at
<a href="https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/documents/staff-preview-2020-inspection-observations-spotlight.pdf?sfvrsn=10819041_4">https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/documents/staff-preview-2020-inspection-observations-spotlight.pdf?sfvrsn=10819041_4</a>; Spotlight: Staff Update and Preview
of 2019 Inspection Observations (Oct. 8, 2020) (``2019 Inspection
Observations Preview''), at 7, available at <a href="https://pcaobus.org/Inspections/Documents/Staff-Preview-2019-Inspection-Observations-Spotlight.pdf">https://pcaobus.org/Inspections/Documents/Staff-Preview-2019-Inspection-Observations-Spotlight.pdf</a>; Staff Inspection Brief: Inspections Outlook for 2019
(Dec. 6, 2018) (``2019 Inspections Outlook''), at 2, available at
<a href="https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/inspections/documents/inspections-outlook-for-2019.pdf?sfvrsn=538b8bb7_2">https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/inspections/documents/inspections-outlook-for-2019.pdf?sfvrsn=538b8bb7_2</a>.
---------------------------------------------------------------------------
<bullet> Violations of independence, including financial
relationship and partner rotation requirements of 17 CFR 210.2-01; \65\
---------------------------------------------------------------------------
\65\ See, e.g., In the Matter of Ernst & Young LLP, James G.
Herring, Jr., CPA, James A. Young, CPA, and Curt W. Fochtmann, CPA,
SEC AAER No. 4239 (Aug. 2, 2021); In the Matter of Raich Ende Malter
& Co., PCAOB Rel. No. 105-2019-009 (Apr. 9, 2019); In the Matter of
Marcum LLP and Alfonse Gregory Giugliano, CPA, PCAOB Rel. No. 105-
2019-022 (Sept. 10, 2019); In the Matter of Marcum Bernstein &
Pinchuk LLP, PCAOB Rel. No. 105-2019-023 (Sept. 10, 2019).
---------------------------------------------------------------------------
<bullet> Noncompliance by firm personnel in reporting their
financial relationships during the independence confirmation process;
<bullet> Independence violations related to the firm providing
impermissible non-audit services; \66\
---------------------------------------------------------------------------
\66\ See, e.g., In the Matter of Pricewaterhousecoopers LLP, SEC
AAER No. 4084 (Sept. 23, 2019); In the Matter of RSM US LLP (f/k/a
McGladrey LLP), SEC AAER No. 4066 (Aug. 27, 2019).
---------------------------------------------------------------------------
<bullet> Noncompliance with PCAOB Rule 3524, Audit Committee Pre-
approval of Certain Tax Services, and PCAOB Rule 3526, Communication
with Audit Committees Concerning Independence; \67\
---------------------------------------------------------------------------
\67\ See, e.g., In the Matter of PricewaterhouseCoopers, S.C.,
PCAOB Rel. No. 105-2019-017 (Aug. 1, 2019); In the Matter of BDO
Magyarorszag Konyvvizsgalo Kft., PCAOB Rel. No. 105-2017-024 (Apr.
12, 2017).
---------------------------------------------------------------------------
<bullet> Improper inclusion of indemnification clauses in
engagement letters, which impaired independence based on the general
standard of independence prescribed by 17 CFR 210.2-01(b); and
<bullet> Failure to implement and maintain adequate policies and
procedures to provide reasonable assurance that firm personnel timely
consult on complex, unusual, or unfamiliar independence issues.\68\
---------------------------------------------------------------------------
\68\ See, e.g., In the Matter of PricewaterhouseCoopers LLP,
PCAOB Rel. No. 105-2024-014 (Mar. 28, 2024).
---------------------------------------------------------------------------
The PCAOB has also observed highly concerning, widespread instances
where firm personnel have improperly shared answers on examinations
required to obtain or maintain professional licenses.\69\ The Board has
acted decisively in responding to this conduct, which was prevalent
both domestically and internationally.\70\ The PCAOB has also observed
instances where firm personnel have not acted with integrity by
altering work papers \71\ or failing to cooperate with the Board.\72\
---------------------------------------------------------------------------
\69\ See, e.g., In the Matter of Navarro Amper & Co., PCAOB Rel.
No. 105-2024-025 (Apr. 10, 2024); In the Matter of Imelda & Rekan,
PCAOB Rel. No. 105-2024-024 (Apr. 10, 2024); In the Matter of KPMG
Accountants N.V., PCAOB Rel. No. 105-2024-022 (Apr. 10, 2024); In
the Matter of KPMG LLP (United Kingdom), PCAOB Rel. No. 105-2022-032
(Dec. 6, 2022); In the Matter of Ernst & Young LLP, SEC AAER No.
4313 (June 28, 2022); In the Matter of PricewaterhouseCoopers LLP,
PCAOB Rel. No. 105-2022-002 (Feb. 24, 2022); In the Matter of KPMG,
PCAOB Rel. No. 105-2021-008 (Sept. 13, 2021); In the Matter of KPMG
LLP, SEC AAER No. 4051 (June 17, 2019).
\70\ See, e.g., In the Matter of PricewaterhouseCoopers Zhong
Tian LLP, PCAOB Rel. No. 105-2023-044 (Nov. 30, 2023); In the Matter
of PricewaterhouseCoopers, PCAOB Rel. No. 105-2023-043 (Nov. 30,
2023); KPMG LLP (United Kingdom), PCAOB Rel. No. 105-2022-032
PricewaterhouseCoopers LLP, PCAOB Rel. No. 105-2022-002 KPMG, PCAOB
Rel. No. 105-2021-008.
\71\ See, e.g., In the Matter of Jose Daniel Melendez Gimenez,
PCAOB Rel. No. 105-2022-035 (Dec. 6, 2022); In the Matter of Edgar
Mauricio Ramirez Rueda, PCAOB Rel. No. 105-2022-036 (Dec. 6, 2022);
In the Matter of Marco Alexander Rodriguez Ramirez, PCAOB Rel. No.
105-2022-037 (Dec. 6, 2022); In the Matter of KPMG S.A.S., PCAOB
Rel. No. 105-2022-034 (Dec. 6, 2022); In the Matter of Jonathan B.
Taylor, CPA, PCAOB Rel. No. 105-2022-025 (Oct. 18, 2022); Castillo
Miranda y Compa[ntilde][iacute]a, S.C.PCAOB Rel. No. 105-2019-028
Deloitte Anjin LLC, PCAOB Rel. No. 105-2019-025 Deloitte Touche
Tohmatsu Auditores Independentes, PCAOB Rel. No 105-2016-031.
\72\ See, e.g., Shandong Haoxin Certified Public Accountants
Co., Ltd., PCAOB Rel. No. 105-2023-045 Jose Daniel Melendez Gimenez,
PCAOB Rel. No. 105-2022-035 Edgar Mauricio Ramirez Rueda, PCAOB Rel.
No. 105-2022-036 Marco Alexander Rodriguez Ramirez, PCAOB Rel. No.
105-2022-037 Jose Daniel Melendez Gimenez, PCAOB Rel. No. 105-2022-
035 Castillo Miranda y Compa[ntilde][iacute]a, S.C., PCAOB Rel. No.
105-2019-028 Deloitte Touche Tohmatsu Auditores Independentes, PCAOB
Rel. No 105-2016-031.
---------------------------------------------------------------------------
These recurring deficiencies and violations suggest that some firms
and their personnel either do not have the requisite understanding of
applicable independence and ethics requirements, or, as evidenced by
the systemic nature of certain of these violations, do not have
appropriate controls in place to prevent violations.\73\
---------------------------------------------------------------------------
\73\ See 2021 Inspection Observations Preview at 19; 2019
Inspections Outlook at 2.
---------------------------------------------------------------------------
iv. Personnel Management
The quality of a firm's work ultimately depends on the integrity,
objectivity, intelligence, competence, experience, and motivation of
personnel who perform, supervise, and review the work.\74\ A firm's QC
system should provide the firm with reasonable assurance that personnel
participate in general and industry-specific CPE and other professional
development activities that enable them to fulfill responsibilities
assigned and satisfy applicable CPE requirements.\75\ A firm's QC
system also should provide the firm with reasonable assurance that
personnel possess the appropriate characteristics to enable them to
perform competently and that work is assigned to personnel having the
degree of technical training and proficiency required in the
circumstances.\76\
---------------------------------------------------------------------------
\74\ See QC 20.12.
\75\ See QC 20.13c.
\76\ See QC 20.13a. and b.
---------------------------------------------------------------------------
The PCAOB has observed deficiencies related to compliance with the
firm's auditing policies and procedures.\77\ The PCAOB also has
observed deficiencies and violations where the firm did not assign
personnel to engagements who had the training and proficiency required
to perform audit work in accordance with PCAOB standards.\78\
---------------------------------------------------------------------------
\77\ See 2022 Inspection Observations Preview at 18.
\78\ See, e.g., Jack Shama PCAOB Rel. No. 105-2024-004 ; In the
Matter of Hall & Company Certified Public Accountants & Consultants,
Inc., and Anthony J. Price, CPA, PCAOB Rel. No. 105-2022-029 (Nov.
3, 2022); In the Matter of PKF O'Connor Davies, LLP, PCAOB Rel. No.
105-2022-001 (Jan. 25, 2022); In the Matter of WDM Chartered
Professional Accountants, PCAOB Rel. No. 105-2021-016 (Sept. 30,
2021); In the Matter of Grant Thornton LLP, PCAOB Rel. No. 105-2017-
054 (Dec. 19, 2017); BDO Auditores, S.L.P., Santiago
Sa[ntilde][eacute] Figueras, and Jos[eacute] Ignacio Alg[aacute]s
Fern[aacute]ndez, PCAOB Rel. No. 105-2017-039.
---------------------------------------------------------------------------
v. Monitoring
A firm's QC system should provide the firm with reasonable
assurance that its policies and procedures are suitably designed and
effectively applied.\79\ The PCAOB has observed situations where a
firm's internal inspection procedures did not detect significant audit
deficiencies or the firm did not make changes to address repeated
identified audit deficiencies.\80\ These deficiencies and violations
were subsequently identified through SEC and PCAOB oversight.\81\
---------------------------------------------------------------------------
\79\ See QC 20.20.
\80\ See, e.g., 2022 Inspection Observations Preview at 19.
\81\ See, e.g., In the Matter of KPMG Assurance and Consulting
Services LLP and Sagar Pravin Lakhani, PCAOB Rel. No. 105-2022-033
(Dec. 6, 2022); In the Matter of Friedman LLP, SEC AAER No. 4339
(Sept. 23, 2022); In the Matter of BMKR LLP and Joseph Mortimer,
CPA, PCAOB Rel. No. 105-2022-003 (Feb. 24, 2022); PKF O'Connor
Davies, LLP, PCAOB Rel. No. 105-2022-001 WDM Chartered Professional
Accountants, PCAOB Rel. No. 105-2021-016 ; In the Matter of Haskell
& White LLP, PCAOB Rel. No. 105-2021-006 (Aug. 13, 2021); In the
Matter of RBSM LLP, PCAOB Rel. No. 105-2021-004 (Aug. 9, 2021);
Castillo Miranda y Compa[ntilde][iacute]a, S.C., PCAOB Rel. No. 105-
2019-028 Marcum LLP, PCAOB Rel. No. 105-2019-022 Marcum Bernstein &
Pinchuk LLP, PCAOB Rel. No. 105-2019-023 PricewaterhouseCoopers,
S.C., PCAOB Rel. No. 105-2019-017; In the Matter of Bharat Parikh &
Associates Chartered Accountants, Bharatkumar Balmukund Parikh, FCA,
and Anuj Bharatkumar Parikh, PCAOB Rel. No. 105-2019-003 (Mar. 19,
2019); Grant Thornton, PCAOB Rel. No. 105-2017-054.
---------------------------------------------------------------------------
[[Page 49596]]
vi. Engagement Quality Reviews
Both the PCAOB and SEC have identified deficiencies and violations
in audit areas that require evaluation by the engagement quality
reviewer (``EQR''),\82\ which suggests the EQR did not perform the
evaluation with due professional care.\83\ Additionally, for certain
broker-dealer audit and attestation engagements, the PCAOB has observed
instances where engagement quality reviews were not performed or
sufficiently documented \84\ and policies and procedures did not
provide reasonable assurance that engagement quality reviews were
performed with due professional care.\85\
---------------------------------------------------------------------------
\82\ See, e.g., Spotlight: Inspection Observations Related to
Engagement Quality Reviews (Oct. 2023), available at <a href="https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/eqr-spotlight.pdf?sfvrsn=95a345e6_4">https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/eqr-spotlight.pdf?sfvrsn=95a345e6_4</a>; 2022 Inspection Observations
Preview at 19; 2021 Inspection Observations Preview at 20; 2018
Inspection Observations Preview, at 4; 2020 Inspection Observations
Preview at 12.
\83\ See, e.g., In the Matter of RAM Associates & Company LLC
and Parameswara K. Ramachandran, PCAOB Rel. No. 105-2023-021 (Aug.
8, 2023); In the Matter of Total Asia Associates PLT, PCAOB Rel. No.
105-2023-007 (June 23, 2023); In the Matter of RT LLP, PCAOB Rel.
No. 105-2023-002 (Apr. 11, 2023); In the Matter of Donald R. Burke,
CPA, PCAOB Rel. No. 105-2021-012 (Sept. 29, 2021); RBSM LLP, PCAOB
Rel. No. 105-2021-00; In the Matter of Cheryl L. Gore, CPA and
Stanley R. Langston, CPA, PCAOB Rel. No. 105-2021-020 (Dec. 14,
2021); Whitley Penn LLP, PCAOB Rel. No. 105-2020-002; In the Matter
of Helen R. Liao, CPA, PCAOB Rel. No. 105-2020-014 (Sept. 24, 2020);
In the Matter of Crowe Horwath LLP, Joseph C. Macina, CPA, and Kevin
V. Wydra, CPA, SEC AAER No. 4007 (Dec. 21, 2018); In the Matter of
BDO Auditores, S.L.P., PCAOB Rel. No. 105-2017-039.
\84\ See, e.g., In the Matter of Alvarez & Associates, Inc.,
Certified Public Accountants, and Vicente Alvarez, CPA, PCAOB Rel.
No. 105-2022-039 (Dec. 21, 2022); In the Matter of Citrin Cooperman
& Company, LLP, Joseph Puglisi, CPA, Mark Schniebolk, CPA, and John
Cavallone, CPA, PCAOB Rel. No. 105-2022-007 (May 11, 2022).
\85\ See Annual Report on the Interim Inspection Program Related
to Audits of Brokers and Dealers, PCAOB Rel. No. 2023-005 (Aug. 10,
2023) (``2022 Broker-Dealer Inspection Report''), at 31.
---------------------------------------------------------------------------
b. Good Practices Observed From Inspections
The following observations regarding good QC practices are based on
inspections in recent years.\86\ A good QC practice could be a
procedure, technique, or methodology that is appropriately
comprehensive and suitably designed in relation to a firm's size and
the nature and complexity of the firm's practice. The Board has taken
these observations into account in its consideration of QC 1000, while
recognizing that the nature, extent, and formality of the design,
implementation, and operation of QC systems can vary across firms.
---------------------------------------------------------------------------
\86\ See, e.g., 2022 Inspection Observations Preview; 2021
Inspection Observations Preview; 2020 Inspection Observations
Preview; 2019 Inspection Observations Preview; and 2018 Inspection
Observations Preview.
---------------------------------------------------------------------------
i. Well-Defined QC System
A well-defined QC system includes all key elements of quality
control and is supported by documentation that helps to promote firm
personnel's understanding and consistent application of the firm's QC
system. Helpful characteristics that the PCAOB has observed in some
firms' QC systems include:
<bullet> Narratives and process flows that articulate how and where
quality objectives fit within the QC processes and define risks posed
to those quality objectives, including considering what could go wrong
along the way;\87\ and
---------------------------------------------------------------------------
\87\ See 2021 Inspection Observations Preview at 22; 2019
Inspection Observations Preview at 4.
---------------------------------------------------------------------------
<bullet> Developing risk and control matrices that include well-
defined controls.
ii. Accountability for Audit Quality
Leadership involvement in and commitment to a firm's QC system sets
the tone at the top and drives clear expectations regarding the
importance of audit quality. The PCAOB observed positive behaviors
where firms have placed an emphasis on the importance of audit quality
through extending accountability beyond engagement partners to other
key leaders at the firm, such as audit quality leaders, technical
experts, and office leaders, through performance management
processes.\88\
---------------------------------------------------------------------------
\88\ See 2018 Inspection Observations Preview at 2.
---------------------------------------------------------------------------
iii. Root Cause Analysis of Identified Deficiencies
Identifying causal factors for engagement and QC deficiencies
(i.e., root cause analysis) can enable a firm to determine the
appropriate response to and remediation of deficiencies and modify
policies and procedures to prevent similar occurrences in the future.
The PCAOB has observed that thorough root cause analyses drive better
remediation of identified deficiencies. If root cause analysis is
performed by a centralized team, having a defined process to share data
and lessons learned outside of the root cause analysis team may further
enhance the performance of a firm's QC system.
Through its inspection activities the PCAOB has observed that some
firms' root cause analysis programs have significantly evolved since
the PCAOB was formed. The PCAOB has observed that some firms' approach
to root cause analysis includes one or more of the following:
<bullet> Interviews with engagement teams and firm leadership;
<bullet> Use of proprietary tools to analyze large amounts of data;
<bullet> Root cause analysis training and the use of templates to
facilitate consistency;
<bullet> Consideration of available performance metrics, such as
engagement hours, training records, audit milestone dates, and partner
experience years; and
<bullet> Consideration of positive quality events (i.e., actions,
behaviors, or conditions that resulted in positive outcomes, such as
where aspects of the firm's QC system operated effectively or where no
engagement deficiencies were identified for individual engagements) to
identify whether such actions, behaviors, or conditions were present on
engagements where QC deficiencies were identified.
iv. Timely Monitoring and Evaluation Activities
Timely and effective monitoring activities drive high-quality
audits. The PCAOB has observed several good practices followed by some
firms in their monitoring activities, including:
<bullet> Increased real-time monitoring of in-process audit
engagements, for example, through pre-issuance reviews or coaching
programs; \89\
---------------------------------------------------------------------------
\89\ See 2020 Inspection Observations Preview at 4, 13.
---------------------------------------------------------------------------
<bullet> Formalized monitoring processes and actions for defined
triggering events, including restatements, internal and external
inspection results, and results of peer reviews; and
<bullet> Mature QC processes including internal self-certifications
of the effectiveness of QC components and sub-components.
Other Developments Since the Adoption of Current PCAOB QC Standards
Since the PCAOB's current QC standards were first developed and
issued, the auditing environment has changed significantly. The current
QC standards were developed in the context of the self-regulatory peer-
review system that existed before the establishment of the PCAOB.
Therefore, they were not written with a view to inspection and
enforcement by a regulator and do not address the current regulatory
environment, including firms' responsibilities with respect to
[[Page 49597]]
information brought to their attention through the PCAOB inspection
process.
Since the QC standards were established, there have been
significant developments in the availability and use of technologies
and data analytic techniques, the organizational structure and
management of firms have changed, and some firms have significantly
increased their focus on governance and quality control.
For example, there have been significant developments in the use of
technology by firms in relation to QC activities and performing
engagements. Some firms have made significant investments in internally
developed tools for use in the audit. The increased availability of
``off-the-shelf'' technologies, such as analytical software packages,
has made some tools more readily available for use by firms. Firms
developing or acquiring new technology-based tools, making changes to
existing tools, and training firm personnel on how and when to use such
tools have had impacts on QC. Many of these tools may reduce risk, for
example by reducing the possibility of human error and enabling the
analysis of whole populations of transactions rather than samples. But
they may also create new risks if they do not work as intended or are
used incorrectly.
Furthermore, some firm management and organizational structures
have evolved to include more focus on centralization and a globally
consistent methodology. Some firms have increased their use of services
and resources supplied by firm networks, affiliates, and third-party
providers. For example, some global networks are increasingly imposing
requirements on member firms regarding the use of methodologies,
technology, and policies and procedures that are developed or
established at the network level. Some firms have also increased their
use of shared service centers to assist with QC activities or
performing engagements. In addition, some firms have changed their
governance structures either voluntarily or due to changes in legal
requirements.\90\ At the same time, some firms have begun to publish
``transparency reports'' that seek to inform the public about the
firm's operations and quality control systems and practices.
---------------------------------------------------------------------------
\90\ See, e.g., the UK Financial Reporting Council, Audit Firm
Governance Code (Apr. 2022) available at <a href="https://www.frc.org.uk/getattachment/5af7cdb7-a093-4da8-94d7-f4486596e68c/FRC-Audit-Firm-Governance-Code_April-2022.pdf">https://www.frc.org.uk/getattachment/5af7cdb7-a093-4da8-94d7-f4486596e68c/FRC-Audit-Firm-Governance-Code_April-2022.pdf</a>, and the Japan Financial Services
Agency, Audit Firm Governance Code (Mar. 2017) available at <a href="https://www.fsa.go.jp/news/28/sonota/20170331-auditfirmgc/3.pdf">https://www.fsa.go.jp/news/28/sonota/20170331-auditfirmgc/3.pdf</a>.
---------------------------------------------------------------------------
Additionally, some firms have strengthened their approaches to firm
governance and leadership, incentive systems, culture, and
accountability. For example, some firms have added external parties to
oversight roles. Some firms have also augmented their monitoring and
remediation processes, including through implementing or enhancing
ongoing monitoring activities and internal inspection processes,
establishing processes for considering PCAOB inspection findings,
performing root cause analysis, and increasing remediation efforts.
Observations from PCAOB oversight activities have shown that
improvements in quality controls can enhance the quality of audits.\91\
However, as noted above, PCAOB oversight activities continue to
identify pervasive deficiencies, suggesting that many firms have
meaningful improvements to make.
---------------------------------------------------------------------------
\91\ See, e.g., 2018 Inspection Observations Preview at 1-4.
---------------------------------------------------------------------------
There have also been notable advances in internal control, quality
management, and enterprise risk management frameworks and approaches,
including the Committee of Sponsoring Organizations of the Treadway
Commission (``COSO'') framework for internal control\92\ and the
International Organization for Standardization (``ISO'') quality
control standard ISO 9000:2015.\93\ Many of these share important
commonalities, stressing active involvement of leadership, focus on
risk, clearly defined objectives, objective-oriented processes,
monitoring, and remediation of identified issues. Academic research
suggests that these frameworks improve company performance.\94\
---------------------------------------------------------------------------
\92\ See, e.g., COSO, Internal Control-Integrated Framework (May
2013). An executive summary of COSO's internal control framework is
available at <a href="https://www.coso.org/_files/ugd/3059fc_1df7d5dd38074006bce8fdf621a942cf.pdf">https://www.coso.org/_files/ugd/3059fc_1df7d5dd38074006bce8fdf621a942cf.pdf</a>.
\93\ More information about ISO 9000:2015 is available at
<a href="https://www.iso.org/standard/45481.html">https://www.iso.org/standard/45481.html</a>.
\94\ See Benefits of related frameworks below.
---------------------------------------------------------------------------
Actions by Other Standard Setters
Following is a brief description of the quality control standards
adopted by the IAASB and the AICPA.
1. IAASB
The IAASB identified concerns related to its then effective QC
standard, International Standard on Quality Control (ISQC) 1, Quality
Control for Firms that Perform Audits and Reviews of Financial
Statements, and Other Assurance and Related Services Engagements, and
decided to take steps to improve the standard. In December 2020, the
IAASB released a suite of new quality management standards, including
International Standard on Quality Management 1, Quality Management for
Firms that Perform Audits or Reviews of Financial Statements, or Other
Assurance or Related Services Engagements (``ISQM 1''),\95\ which
became effective on December 15, 2022.\96\
---------------------------------------------------------------------------
\95\ In addition to ISQM 1, the IAASB adopted two other
standards, International Standard on Quality Management 2,
Engagement Quality Reviews (``ISQM 2''), and International Standard
on Auditing 220 (Revised), Quality Management for an Audit of
Financial Statements (``ISA 220 (Revised)''). ISQM 2 operates at the
firm level, and is analogous to PCAOB AS 1220, Engagement Quality
Review. ISA 220 (Revised) operates at the engagement level and deals
with the engagement partner's and the engagement team's
responsibilities for quality management for an audit of financial
statements. Similar topics are addressed in PCAOB standards in AS
1201, Supervision of the Audit Engagement.
\96\ ISQM 1 sets forth eight components of a QC system that
operate in an iterative and integrated manner, as well as other
requirements. See IAASB Fact Sheet, Introduction to ISQM 1, Quality
Management for Firms that Perform Audits or Reviews of Financial
Statements, or Other Assurance or Related Services Engagements (Dec.
2020), available at <a href="https://www.ifac.org/system/files/publications/files/IAASB-ISQM-1-Fact-Sheet.pdf">https://www.ifac.org/system/files/publications/files/IAASB-ISQM-1-Fact-Sheet.pdf</a>.
---------------------------------------------------------------------------
2. AICPA
In May 2022, the Auditing Standards Board of the AICPA adopted new
quality management standards designed to improve a firm's risk
assessment and audit quality, including Statement on Quality Management
Standards (SQMS) No. 1, A Firm's System of Quality Management (``SQMS
1'').\97\ The AICPA's quality management standards closely align with
the IAASB's quality management standards, adapted for private companies
in the United States. The new AICPA standards will become effective on
December 15, 2025.
---------------------------------------------------------------------------
\97\ The AICPA's other QC standards are SQMS No. 2, Engagement
Quality Reviews; Statement on Auditing Standards (SAS) No. 146,
Quality Management for an Engagement Conducted in Accordance With
Generally Accepted Auditing Standards; and Statement on Standards
for Accounting and Review Services (SSARS) No. 26, Quality
Management for an Engagement Conducted in Accordance With Statements
on Standards for Accounting and Review Services.
---------------------------------------------------------------------------
PCAOB Outreach and Research
The Board and its advisory groups have long considered the
potential for improvements to PCAOB QC standards. For example, in 2010,
the Standing Advisory Group (``SAG'') discussed a potential QC
rulemaking project, including considerations and potential challenges
in designing and implementing a QC system.\98\ In 2014,
[[Page 49598]]
the SAG discussed how QC standards may benefit from stronger
requirements and other enhancements with respect to, for example, firm
culture and tone at the top, firm risk assessment, and monitoring of
the quality control system, including use of root cause analyses.\99\
In 2018, the SAG discussed whether additional or more specific
direction in the quality control standards with respect to governance
and leadership would lead to enhancements in firm quality control
systems.\100\ Advisory group members have generally supported including
requirements concerning firm governance and leadership in PCAOB QC
standards.
---------------------------------------------------------------------------
\98\ See Briefing Paper for the Standing Advisory Group,
Designing and Implementing a System of Quality Control (Oct. 13,
2010). An archive of SAG meeting agendas, briefing papers, and
webcasts is available at <a href="https://pcaobus.org/about/advisory-groups/archive-advisory/standing-advisory-group/sagmeetingarchive">https://pcaobus.org/about/advisory-groups/archive-advisory/standing-advisory-group/sagmeetingarchive</a>. The
materials for the Oct. 13-14, 2010, SAG meeting are available at
<a href="https://pcaobus.org/news-events/events/event-details/standing-advisory-group-meeting_476">https://pcaobus.org/news-events/events/event-details/standing-advisory-group-meeting_476</a>.
\99\ See Briefing Paper for the Standing Advisory Group,
Initiatives to Improve Audit Quality--Root Cause Analysis, Audit
Quality Indicators, and Quality Control Standards (June 24, 2014)
(``June 2014 SAG Briefing Paper''). The materials for the June 24-
25, 2014, SAG meeting are available at <a href="https://pcaobus.org/news-events/events/event-details/pcaob-standing-advisory-group-meeting_772">https://pcaobus.org/news-events/events/event-details/pcaob-standing-advisory-group-meeting_772</a>.
\100\ See Briefing Paper for the Standing Advisory Group,
Quality Control: Governance and Leadership (Nov. 29, 2018). The
materials for the Nov. 29, 2018, SAG meeting are available at
<a href="https://pcaobus.org/news-events/events/event-details/standing-advisory-group-meeting_1137">https://pcaobus.org/news-events/events/event-details/standing-advisory-group-meeting_1137</a>.
---------------------------------------------------------------------------
Rulemaking History
On December 17, 2019, the Board issued the concept release to
explore the possibility of revising PCAOB QC standards. The concept
release described an approach similar to the approach taken by the
then-proposed ISQM 1, with certain differences and alternative
requirements to specifically address the PCAOB's objectives, including
establishing requirements that:
<bullet> Align with U.S. Federal securities law, SEC rules, and
other PCAOB standards and rules;
<bullet> Retain important topics in current PCAOB QC standards;
<bullet> Address specific emerging risks and problems observed
through PCAOB oversight activities; and
<bullet> Provide more definitive direction to prompt appropriate
implementation of certain requirements.\101\
---------------------------------------------------------------------------
\101\ See Concept Release at 6.
---------------------------------------------------------------------------
The Board received 36 comment letters in response to the concept
release.\102\ Commenters included firms and related groups, investors
and related groups, academics, trade groups, and others.
---------------------------------------------------------------------------
\102\ The comment letters received in response to the concept
release are available on the Board's website in Docket 046.
---------------------------------------------------------------------------
On November 18, 2022, the Board issued a proposal to supersede
current PCAOB QC standards with an integrated, risk-based standard, QC
1000, A Firm's System of Quality Control, that would apply to all
registered firms. The Board received 42 comment letters in response to
the proposal.\103\ Commenters included firms and related groups,
investors and related groups, academics, trade groups, and others. The
Board has considered all comments in developing the final standard and
related amendments, and commenter input is included where relevant in
the discussion that follows.
---------------------------------------------------------------------------
\103\ The comment letters received in response to the proposal
are available on the Board's website in Docket 046. In addition to
42 letters received from commenters, Docket 046 includes an analysis
prepared by the PCAOB Office of Economic and Risk Analysis.
---------------------------------------------------------------------------
Areas of Improvement to the QC Standards
Taking into account the foregoing considerations, as well as
careful consideration of comments received, the Board adopted changes
to its QC standards that it believes will drive significant
improvements in firms' QC systems, by:
<bullet> Emphasizing accountability, firm culture and the ``tone at
the top,'' and firm governance through requirements for specified roles
within and responsibilities for the QC system, including at the highest
levels of the firm; quality objectives that link compensation to
quality; and, for the largest firms, the requirement of an independent
perspective on firm governance;
<bullet> Striking the right balance between a risk-based approach
to QC--which should drive firms to proactively identify and manage the
specific risks associated with their practice--and a set of mandates,
including mandatory quality objectives; mandatory processes for risk
assessment, monitoring and remediation, and QC system evaluation; and
specific requirements in key areas--which should assure that the QC
system is designed, implemented and operated with an appropriate level
of rigor;
<bullet> Addressing changes in the audit practice environment,
including the increasing participation of other firms and other outside
resources, the role of firm networks, the evolving use of technology
and other resources, and the increasing importance of internal and
external firm communications;
<bullet> Broadening responsibilities for monitoring and remediation
of deficiencies to encourage an ongoing feedback loop that drives
continuous improvement; and
<bullet> Requiring a rigorous annual evaluation of the firm's QC
system and related reporting to the PCAOB, certified by key personnel,
to underscore the importance of the annual evaluation of the QC system,
reinforce individual accountability, and support PCAOB oversight.
In the Board's view, the basic objectives of the QC system should
be the same for all firms, but the scope of the QC standard and how it
applies should take into account wide disparities in nature and
circumstances across registered firms, in particular the extent to
which their practices include engagements required to be performed
under PCAOB standards, and the complexity of such engagements. The
risks that firms face, and therefore the specific policies and
procedures necessary to appropriately serve investor interests through
an effective QC system, vary significantly from the largest firms,
operating as part of global networks, to local firms or sole
proprietorships. The scalability of the new QC standard is discussed in
greater detail below.
QC 1000: Basic Structure, Terminology, and Scalability
Basic Structure
1. Considerations Informing the Structure of QC 1000
Informed by its observations and assessment of changes to auditing
practice, the Board believes it is critical that its new QC standard
strikes an appropriate balance between risk-based elements, which
should drive firms to proactively identify and manage the specific
risks associated with their practice, and a set of mandates to assure
that the QC system is designed, implemented, and operated with an
appropriate level of rigor. Moreover, the Board believes the new QC
standard should foster a proactive approach to QC that drives
continuous improvement. Based in part on its observations, the Board
also believes its new standard should include specific requirements for
some important areas of the QC system that are addressed more generally
in current PCAOB QC standards, such as firm governance and leadership,
technology and other firm resources, and firm communications.
QC 1000 addresses all the areas of QC that Sarbanes-Oxley requires
PCAOB QC standards to address, which the Board believes will provide a
robust framework for a firm's QC system. It incorporates eight
components, which are based on mandatory elements and
[[Page 49599]]
mandatory processes that create a basic structure applicable to all
firms. For example, as discussed in more detail below, QC 1000
establishes mandatory, outcome-based quality objectives and mandatory
processes for risk assessment and monitoring and remediation. Within
the structure created by these mandates, firms will develop their own
policies and procedures based on the specific risks created by their
circumstances and practice. QC 1000 also includes requirements for
annual evaluation of the QC system and reporting to the PCAOB on that
evaluation, which the Board believes will add rigor and accountability
to the firm's evaluation of whether the QC system has met its
objectives, and will strengthen the feedback loop that drives
continuous improvement.
The structure itself addresses areas that current PCAOB standards
do not directly address, such as firm governance and leadership,
technology and other firm resources, and firm communications. In
addition, to the extent it is principles-based and focused on the
specific risks faced by the firm, the structure is inherently scalable
and can be applied to firms of all sizes and circumstances.
The structure of QC 1000 has commonalities with the structure of
ISQM 1 and SQMS 1. While the approach taken in ISQM 1 and SQMS 1 has
informed the Board's thinking, the Board has carefully analyzed every
aspect of that approach and considered where to align and where to
further strengthen the PCAOB standard by including alternative or
incremental provisions that the Board believes will better serve
investor protection and the public interest. The Board believes that
building on a well-understood basic framework, appropriately tailored
and strengthened to address its legal and regulatory environment and
its investor protection mandate, will enable firms to implement and
comply with QC 1000 more effectively. In designing, implementing, and
operating their QC systems, firms that are subject to both PCAOB
standards and IAASB or AICPA QC standards--which the Board believes
constitute a very substantial majority of firms that perform
engagements under PCAOB standards \104\--can leverage the work they
have already done and the investments they have already made to comply
with those other requirements.
---------------------------------------------------------------------------
\104\ See below for a discussion of the assumptions regarding
the baseline.
---------------------------------------------------------------------------
Many commenters, including firms and related groups, were generally
supportive of structuring QC 1000 in a manner similar to the structure
of ISQM 1 and SQMS 1. However, several commenters, including firms and
related groups, suggested that further alignment should be considered,
and any differences should be minimized. Several commenters suggested
that firms would be subject to at least two different quality
management/quality control systems, and commented that this would be
impractical for firms to operate. The Board does not believe that QC
1000 conflicts with the requirements of other standard setters or that
anything prevents firms from developing a single QC system for their
entire practice that satisfies both PCAOB requirements and other
professional standards to which the firm is subject. The Board
acknowledges certain differences between QC 1000 and the quality
management standards set by other standard setters, in particular areas
where QC 1000 establishes additional or more stringent requirements.
However, the Board believes that quality responses developed by firms
under QC 1000 can be considered by firms for the purposes of other
quality management standards to which they are subject, reducing the
need for two or more separate QC systems.
One investor-related group did not support the framework of the
standard, arguing that ISQM 1 is a process-driven and compliance-
oriented framework that does not encourage firms to meaningfully
enhance their QC systems for the benefit of investors. Another investor
expressed concern regarding the reliance on ISQM 1 in the development
of QC 1000 on the basis that it does not always reflect the best
interests of investors. The Board continues to believe that a common
basic structure among quality control standards is beneficial. This is
not only cost beneficial, but it also supports a firm's ability to
operate a single, consistent QC system over its whole practice, which
the Board believes ultimately supports audit quality. Where
appropriate, QC 1000 goes beyond ISQM 1 to incorporate more detailed or
more stringent provisions that are specifically relevant to the U.S.
regulatory environment and investors.
Several commenters supported a principles-based approach to QC
1000. However, some commenters suggested that the specified quality
responses throughout the standard impose prescriptive requirements that
are not consistent with maintaining a principles-based approach. Others
expressed a different perspective, suggesting that the standard was too
principles-based, providing the firms with too much flexibility in
designing, implementing, and operating their QC systems. For example,
an investor expressed concern that a principles-based approach does not
always reflect the best interests of investors. Other investor-related
groups expressed concerns that a principles-based approach allows audit
firms to conduct their own risk assessment and design their own
controls to manage risks, including making the determination of whether
QC deficiencies exist and are remediated without any public awareness
or accountability. One of these investor-related groups suggested that
an emphasis on a risk-based approach will result in little to no change
at the largest auditing firms as they believe that this approach is
already embedded in their QC systems. Another investor-related group
commented that the proposed standard set the bar too low and failed to
focus on audit quality and accountability such that it would only
perpetuate the status quo.
The Board has retained the approach as proposed. The Board believes
that QC 1000 strikes the right balance between mandatory and risk-based
elements. As discussed in more detail below, QC 1000 establishes a
mandatory minimum set of outcome-based quality objectives that apply to
all firms. Firms generally cannot omit or modify any of the quality
objectives set out in the standard. Therefore, firms do not determine
the criteria by which their QC systems will be assessed, only the means
by which they will meet those criteria. Moreover, QC 1000 establishes
requirements with which all firms will have to comply for roles and
responsibilities within the QC system and the firm's risk assessment
process, monitoring and remediation process, and evaluation process, as
well as specified quality responses applicable to all firms in areas
that the Board believes justify a more prescriptive approach. It also
includes evaluation and reporting requirements that the Board believes
will add accountability and rigor to the annual evaluation.
Within that framework, QC 1000 requires firms to develop the
policies and procedures they need to achieve the quality objectives and
the overall objective of the QC system. The Board believes this more
principles-based aspect of the standard will prompt firms to identify
and focus on the most relevant risks to quality in the context of their
own practice and will make QC 1000 appropriately scalable. This
approach also allows for the standard to be operable by firms of all
sizes. Smaller PCAOB audit practices can scale down their responses to
fit the risks associated
[[Page 49600]]
with a small practice, and as the practice grows, the firm can scale up
to respond to new quality risks. In addition, the Board believes that
this approach will make it less likely that the standard will need to
be amended in the future in response to changes in the auditing
environment, including the use of technology.
2. Components of the QC System
Under QC 1000, the QC system consists of eight components that are
designed to be highly integrated:
Two process components:
<bullet> The firm's risk assessment process
<bullet> The monitoring and remediation process
Six components that address aspects of the firm's organization and
operations:
<bullet> Governance and leadership
<bullet> Ethics and independence
<bullet> Acceptance and continuance of engagements
<bullet> Engagement performance
<bullet> Resources
<bullet> Information and communication
The risk assessment process applies to these six components,
requiring firms to:
<bullet> Establish outcome-based ``quality objectives,'' including
those specified throughout the standard (i.e., the desired outcomes to
be achieved by the firm with respect to that component);\105\
---------------------------------------------------------------------------
\105\ ``Quality objectives'' are defined in QC 1000.A10.
---------------------------------------------------------------------------
<bullet> Identify and assess ``quality risks'' to the quality
objectives;\106\
---------------------------------------------------------------------------
\106\ ``Quality risks'' are defined in QC 1000.A12.
---------------------------------------------------------------------------
<bullet> Design and implement ``quality responses'' (i.e., policies
and procedures to address quality risks);\107\ and
---------------------------------------------------------------------------
\107\ ``Quality responses'' are defined in QC 1000.A11.
---------------------------------------------------------------------------
<bullet> Establish policies and procedures to monitor internal and
external changes that may require modifications to the quality
objectives, quality risks, or quality responses.
The monitoring and remediation process applies to all of the
components of the QC system, including monitoring and remediation
itself (i.e., firms are required to identify and remediate deficiencies
that are observed in their monitoring and remediation activities).
The firm is also required to evaluate and report on its QC system
annually, based on the results of its monitoring and remediation
activities.
The following diagram illustrates the structure of the firm's QC
system under QC 1000:
BILLING CODE 8011-01-P
[[Page 49601]]
[GRAPHIC] [TIFF OMITTED] TN11JN24.000
BILLING CODE 8011-01-C
3. Quality Objectives, Quality Risks, and Quality Responses, Including
Specified Quality Responses
For each of the six components to which the risk assessment process
applies, QC 1000 specifies required quality objectives. While QC 1000
provides some flexibility with regard to the quality risks that firms
are required to identify and the quality responses that firms are
required to develop to address those risks, it does not provide the
same flexibility with regard to quality objectives. Instead, quality
objectives that will apply to all firms are specified in the standard.
Firms can establish additional quality objectives--indeed, they are
required to do so if necessary to achieve the objective of the QC
system--but they generally cannot omit or modify any of the quality
objectives set out in the standard. The Board believes that, for many
firms, the quality objectives specified in the standard are likely to
be comprehensive, and does not expect in the current environment that
additional quality objectives would generally be necessary. However,
the Board also recognizes that the nature and circumstances of a firm
and its engagements will vary and the environment may change.
Accordingly, firms are required to establish additional quality
objectives, if necessary.\108\ The quality objectives established by
this standard set forth a floor rather than a ceiling.
---------------------------------------------------------------------------
\108\ See ``The Firm's Risk Assessment Process'' below.
---------------------------------------------------------------------------
Firms are required to identify and assess quality risks to the
achievement of the established quality objectives. They are required to
develop quality responses to address the assessed quality risks.
Quality responses are defined as policies and procedures
[[Page 49602]]
designed and implemented by the firm to address quality risks; policies
are statements of what should, or should not, be done to address an
assessed quality risk, and procedures are actions to implement and
comply with policies. As proposed, the definition of quality responses
provided that policies ``may be documented or explicitly stated in
communications.'' In the final rule, that sentence was eliminated to
avoid confusion or potential conflict with the documentation
requirements set out in QC 1000.81-83.
The correspondence across quality objectives, quality risks, and
quality responses is generally not one-to-one. Most quality objectives
are likely to have multiple quality risks. Some quality risks may
affect one or more quality objectives, either within a single component
or across several components, and may require multiple quality
responses. Some quality responses may address multiple quality risks.
Quality responses would typically be specific to the firm, to
respond to its particular assessed quality risks. QC 1000 also includes
some specified quality responses, which are mandatory for the firms to
which they apply. Specified quality responses carry requirements from
current PCAOB standards into QC 1000 or provide new requirements that
the Board believes are important to a firm's QC system. The specified
quality responses are not intended to be comprehensive; on the
contrary, for most of the components of the firm's QC system, the
standard includes only a few specified quality responses, and for the
engagement performance component there are none. As a result, the
specified quality responses alone will not be sufficient to enable the
firm to achieve all established quality objectives; firms are required
to design and implement their own quality responses. Both the specified
quality responses and the quality responses the firm designs and
implements on its own are critical in addressing quality risks. The
following graphic illustrates the relationship between all quality
responses (i.e., the quality responses necessary to achieve all
established quality objectives) and the specified quality responses
established in QC 1000:
[GRAPHIC] [TIFF OMITTED] TN11JN24.001
Terminology
This section discusses some of the terminology used throughout QC
1000. Appendix A to QC 1000 defines several terms used in the standard.
Two commenters indicated that the proposed terminology was
understandable and appropriate, but most commenters on the topic
requested that the terminology used in QC 1000 be consistent with the
terminology used by other standard setters, primarily to avoid
potential confusion and ensure that the process of evaluating the QC
system and the conclusion reached as to its effectiveness would be the
same under both standards. The Board continues to believe that its
proposed terminology is necessary to capture the basic concepts used in
QC 1000, which differ in some respects from the concepts used by other
standard setters, particularly as regards ``other participants,'' as
the Board has defined that term, and the annual QC system evaluation
process, which is grounded in the concepts of ``engagement
deficiency,'' ``QC deficiency,'' and ``major QC deficiency.'' While
this
[[Page 49603]]
approach will result in an incremental burden for firms that seek to
comply with other QC standards as well as QC 1000, the Board believes
that the burden is justified. The Board also believes that, just as
firms can perform audits under different auditing standards, they can
learn to implement and operate a QC system under different QC
standards. Accordingly, with the clarifications described below, the
Board adopted the terminology substantially as proposed.
1. Applicable Professional and Legal Requirements
As discussed in more detail below, compliance with applicable
professional and legal requirements is a fundamental concept under QC
1000, driving the objective of the QC system as well as many quality
objectives and specified quality responses. The proposed standard
defined ``applicable professional and legal requirements'' as
<bullet> Professional standards, as defined in PCAOB Rule
1001(p)(vi);
<bullet> Rules of the PCAOB that are not professional standards;
and
<bullet> To the extent related to the obligations and
responsibilities of accountants or auditors or to the conduct of
engagements, rules of the SEC, other provisions of U.S. Federal
securities law, and other applicable statutory, regulatory, and other
legal requirements.
Two commenters supported the definition as proposed. One commenter
recommended including the profession's ethical standards explicitly.
Two commenters stated the phrase ``other applicable statutory,
regulatory, and other legal requirements'' could be read broadly and
extend beyond regulations that directly bear on the conduct of audit
engagements. Another commenter suggested amending the definition of
``professional standards'' in PCAOB Rule 1001(p)(vi) to refer to
``quality control standards'' rather than ``quality control policy and
procedures.''
In response to comments, the Board made changes to the third, more
general clause of the definition. As one commenter suggested, the Board
expanded the definition to explicitly mention ethics laws and
regulations.\109\ While the definition as proposed encompassed
applicable ethics requirements, the Board believes an express reference
will help to remind firms and individuals of the centrality of ethics
considerations. The Board also refined the definition to make clear
that it encompasses statutory, regulatory, and other legal requirements
beyond professional standards and other PCAOB rules ``[t]o the extent
related to the obligations and responsibilities of accountants or
auditors in the conduct of engagements or in relation to the QC
system.'' This change is designed to limit the breadth of the
definition to the relevant circumstances.
---------------------------------------------------------------------------
\109\ These include those arising under state law or the law of
other jurisdictions (e.g., obligations regarding client
confidentiality). See QC 1000 footnote 10.
---------------------------------------------------------------------------
The phrase ``quality control policies and procedures,'' used in
PCAOB Rule 1001(p)(vi), is drawn from section 110(5) of Sarbanes-Oxley.
The Board believes its rule should continue to align with that
statutory provision.
This definition captures all professional and legal requirements
specifically related to engagements under PCAOB standards of issuers
and SEC-registered broker-dealers, including relevant accounting,
auditing, and attestation standards, PCAOB and SEC rules, other
provisions of Federal securities law, other relevant laws and
regulations (e.g., state law and rules governing accountants),
applicable ethics law and rules, and other legal requirements related
to the obligations and responsibilities of accountants or auditors in
the conduct of the firm's engagements or in relation to the QC
system.\110\ It does not encompass requirements that apply to
businesses generally, such as tax laws, safety regulations, and
employment law.
---------------------------------------------------------------------------
\110\ For avoidance of doubt, the requirements relating to
compliance with applicable professional and legal requirements are
meant to make clear that, as relates to engagements subject to PCAOB
standards, all applicable professional and legal requirements must
be followed. The requirement does not suggest that application of
``other applicable statutory, regulatory, and other legal
requirements'' could supersede rules of the SEC, other provisions of
U.S. Federal securities law, rules of the PCAOB that are not
professional standards, or PCAOB professional standards. On the
contrary, requirements relating to ``applicable professional and
legal requirements'' are meant to highlight the importance of
adhering to other requirements when those requirements do not
conflict with or abridge requirements of Federal securities laws,
PCAOB rules, or PCAOB standards.
---------------------------------------------------------------------------
2. Engagement
The proposed standard defined ``engagement'' as (1) any audit,
attestation, review, or other engagement under PCAOB standards
performed by a firm, or (2) any engagement in which a firm ``play[s] a
substantial role in the preparation or furnishing of an audit report''
as defined in PCAOB Rule 1001(p)(ii).\111\ In the final standard, the
term ``engagement'' encompasses the same scope as it did in the
proposal--when the firm leads an engagement as lead auditor or
practitioner, or plays a substantial role--but the definition has been
restructured for clarity.
---------------------------------------------------------------------------
\111\ Generally, and as described in more detail in Rule
1001(p)(ii), a firm plays a substantial role in the preparation or
furnishing of an audit report if (1) its engagement hours or fees
constitute 20% or more of the total engagement hours or fees or (2)
it performs the majority of the audit procedures with respect to a
subsidiary or component whose assets or revenues constitute 20% or
more of the consolidated assets or revenues of the issuer, broker,
or dealer.
---------------------------------------------------------------------------
The final standard defines ``engagement'' as any audit,
attestation, review, or other engagement performed under PCAOB
standards:
<bullet> Led by a firm; or
<bullet> In which a firm ``play[s] a substantial role in the
preparation or furnishing of an audit report'' as defined in PCAOB Rule
1001(p)(ii).
The definition covers not only circumstances in which the firm
serves as the lead auditor or the ``practitioner'' for an attestation
engagement, which is what is customarily meant by the term engagement,
but also any substantial role work the firm undertakes. The Board's
view is that this additional breadth is appropriate because playing a
substantial role in an engagement for an issuer or broker-dealer is
sufficient to require a firm to register with the PCAOB. The definition
covers all engagements under PCAOB standards performed by the firm,
whether the application of PCAOB standards is legally required (e.g.,
for audits of issuers and broker-dealers) or undertaken pursuant to
contractual agreement, where permitted but not required under SEC
rules, or for any other reason.
Commenters on the definition of ``engagement'' generally supported
it. One commenter requested clarification as to why the definition does
not include work performed at less than a substantial role, given that
the standard includes requirements regarding such work.
The Board defined ``engagement'' to exclude work performed on other
firms' PCAOB engagements at less than a substantial role because it
believes the auditor responsibilities associated with such work, and
the risks posed by it, are materially different than the
responsibilities and risks associated with a firm leading an engagement
or playing a substantial role.\112\ QC 1000 contains provisions
specifically applicable to work performed on other firms' PCAOB
engagements at less than
[[Page 49604]]
a substantial role, which have been tailored to reflect those
responsibilities and risks. The Board believes this tailored approach
is appropriate.
---------------------------------------------------------------------------
\112\ PCAOB registration rules reflect this difference in risk
profile: PCAOB registration is required for firms that lead
engagements or play a substantial role in audits of issuers and
broker-dealers, but not for work performed on other firms'
engagements at less than a substantial role. See PCAOB Rule 2100,
Registration Requirements for Public Accounting Firms.
---------------------------------------------------------------------------
Also grounded in the Board's views on relative risk and the
investor interests at stake, the concept of ``engagement'' marks an
important distinction in the level of responsibility created under QC
1000: while all registered firms are required to design a QC system
that complies with QC 1000, the threshold for a firm to implement and
operate the QC system is when the firm has responsibilities under
applicable professional and legal requirements with respect to a firm
engagement. The distinction between scaled applicability under QC 1000
(for firms that do not have responsibilities with respect to
engagements) and full applicability of QC 1000 (for firms that do
perform engagements) is discussed in more detail below.
The Board notes, however, that just because work performed on other
firms' PCAOB engagements at less than a substantial role is not
considered an ``engagement'' does not mean it is disregarded under the
QC system. This work, by itself, does not trigger the requirement to
implement and operate the QC system under QC 1000. However, once a firm
is required to implement and operate the QC system, the system will
operate over all work performed by the firm under PCAOB standards,
including work performed on other firms' PCAOB engagements at less than
a substantial role. If a firm is required to implement and operate a QC
system under QC 1000, the Board believes that the QC system should
address every engagement under PCAOB standards in which the firm
participates.
3. Firm Personnel
The proposed standard defined ``firm personnel'' as individual
proprietors, partners, shareholders, members or other principals,
accountants, and professional staff of a registered public accounting
firm whose responsibilities include assisting with: (1) the performance
of the firm's engagements; or (2) the design, implementation, or
operation of the firm's QC system, including engagement quality
reviews. Professional staff refers not only to employees, but also to
other individuals who work under the firm's supervision or direction
and control and function as the firm's employees. For example,
secondees and leased staff would fall under the definition of ``firm
personnel.''
Two commenters agreed with the definition as proposed. Some firms
and related groups objected to including non-employee contractors and
consultants as firm personnel, in particular because they are not
subject to the firm's performance evaluation or promotion process.
These commenters suggested that such persons be classified as other
participants instead. One commenter expressed concern about potential
exposure due to the differences between QC 1000 and the definitions of
employees with Federal, State, and local tax and labor laws.
The Board continues to believe it is appropriate for the definition
of firm personnel to include individuals, such as non-employee
contractors and consultants, who work under the firm's supervision or
direction and control and function as the firm's employees. In light of
the range of legal structures and arrangements used by firms in
acquiring and deploying staff, the Board believes a definition based
exclusively on legal employment would be too narrow. Instead, the final
rule retains an approach based on the functional role played by the
individual rather than a specific legal relationship.
When the firm is identifying quality risks to quality objectives
that include firm personnel, it may identify different risks associated
with non-employee contractors and consultants than other firm
personnel, and accordingly would have to develop different policies and
procedures for them. For example, non-employee contractors and
consultants may be evaluated through the contracting process to
determine whether the firm should retain them instead of through the
firm's formal evaluation framework.
While the Board expresses no view on any tax or labor law
consequences, it notes that the definition does not conflate ``firm
personnel'' with employees. On the contrary, the Board acknowledges
that firm personnel includes some non-employees.
Some commenters, generally firms and related groups, were opposed
to the definition including anyone who ``assists with'' engagements or
the quality control system, as it may include administrative staff. The
Board revised the definition of firm personnel to clarify that
``professional staff does not include persons engaged only in clerical
or ministerial tasks,'' which aligns with the definition of ``Person
Associated With a Public Accounting Firm (and Related Terms)'' in PCAOB
Rule 1001(p)(i).\113\
---------------------------------------------------------------------------
\113\ By aligning the QC 1000 definition of ``firm personnel''
with the definition of ``Person Associated with a Public Accounting
Firm (and Related Terms)'' in this regard, the Board does not mean
to suggest that only ``firm personnel'' can be associated persons.
``Other participants'' can also be associated persons.
---------------------------------------------------------------------------
4. Other Participants
Over the years, audits of issuers have increasingly involved the
use of entities and individuals outside the firm in performing audit
procedures and evaluating audit evidence. In the context of amending
the standards governing the involvement of other auditors in an audit,
the Board discussed the increasing prevalence and importance of the use
of other audit firms and individual accountants outside the firm, such
as an EQR not employed by the firm, and the use of auditor-engaged
specialists.\114\ While it may be beneficial, and in many cases
essential, to use other participants in some engagements, these
arrangements can pose risks because other participants may not be
subject to the same quality controls as firm personnel (for example,
with regard to personnel assignments, training, supervision, and
monitoring).
---------------------------------------------------------------------------
\114\ See Planning and Supervision of Audits Involving Other
Auditors and Dividing Responsibility for the Audit with Another
Accounting Firm, PCAOB Rel. No. 2022-002 (June 21, 2022), at 13;
Amendments to Auditing Standards for Auditor's Use of the Work of
Specialists, PCAOB Rel. No. 2018-006 (Dec. 20, 2018), at 10-15.
---------------------------------------------------------------------------
With respect to work performed in connection with the firm's QC
system or the performance of its engagements, QC 1000 defines ``other
participants'' as accounting firms (foreign or domestic, registered or
unregistered), accountants, and other professionals \115\ or
organizations, other than firm personnel, whose responsibilities
include assisting with the performance of the firm's engagements or the
design, implementation, or operation of the firm's QC system, including
engagement quality reviews.\116\
---------------------------------------------------------------------------
\115\ In this context, ``professionals'' refers broadly to
workers who perform other than clerical or ministerial tasks.
\116\ It should be noted that ``referred-to auditors,'' as that
term is defined in the amendments to AS 2101, Audit Planning,
adopted in PCAOB Rel. No. 2022-002, are not ``other participants''
under QC 1000 because the referred-to auditor performs its own
engagement and does not participate in the engagement of the lead
auditor.
---------------------------------------------------------------------------
Some commenters expressed concerns with the use of ``other
participants'' throughout the standard. Many commenters said the
proposed responsibilities of the firm with regard to other participants
were too broad. A few commenters suggested removing the reference to
other participants from certain specified quality responses and
allowing firms to tailor their responses to quality objectives for
other participants. Some commenters were
[[Page 49605]]
specifically concerned about the inclusion of internal auditors and
external specialists in the standard through other participants, and
believe they are adequately addressed in other standards. Some
commenters argued that other participants should not be included in
another firm's quality control system because they are covered by their
own firm's quality control system.
Some commenters suggested bifurcating the definition into other
participants whose responsibilities include assisting with the
performance of the firm's engagements and other participants whose
responsibilities include assisting with the design, implementation, and
operation of the firm's QC system, on the basis that this would enhance
clarity regarding to whom the requirements apply. One commenter said
the policies and procedures related to other participants would differ
depending on the type of other participant (for example, an internal
auditor providing direct assistance differs from an auditor,
specialist, or engagement quality reviewer) and QC 1000 imposes the
same requirements for each type. One commenter supported the
definition. One commenter agreed with separately defining ``other
participants'' and ``third-party providers.''
The final standard reflects the Board's view that, in designing,
implementing, and operating its QC system, the firm will have to
address not only firm personnel but also other auditors \117\ and other
professionals or organizations that the firm uses in connection with
the firm's QC system or the performance of its engagements. References
to other participants are included throughout QC 1000 in a tailored and
context-specific way that recognizes the key roles that other
participants play.
---------------------------------------------------------------------------
\117\ See AS 1205, Part of the Audit Performed by Other
Independent Auditors, and AS 1201 (which takes effect for audits of
financial statements for fiscal years ending on or after Dec. 15,
2024).
---------------------------------------------------------------------------
The Board recognizes that some other participants may be covered by
their own firm's quality control system, and that fact may inform the
firm's risk assessment with respect to their participation. But the
firm's own QC system must address all the work done on the firm's
engagements and in connection with the design, implementation, and
operation of the firm's QC system itself, regardless of who does it.
Commenters correctly pointed out that specific performance
standards exist related to the use of certain types of other
participants in an audit, such as other auditors,\118\ internal
auditors,\119\ and specialists,\120\ but that does not mean that QC
over their use in the firm's engagements is unnecessary. In part, the
QC system operates to assure compliance with those specific audit
standards. But it must also provide more general assurance about the
performance of audits in which those types of other participants are
involved. For example, the Board expects that the firm's policies and
procedures would cover, if applicable, engaging specialists,
determining their compliance with ethics and independence requirements,
and communicating with them as part of the firm's quality control
system.
---------------------------------------------------------------------------
\118\ See, e.g., AS 1201, and AS 1206, Dividing Responsibility
for the Audit with Another Accounting Firm.
\119\ See, e.g., AS 2605, Consideration of the Internal Audit
Function.
\120\ See, e.g., AS 1210, Using the Work of an Auditor-Engaged
Specialist.
---------------------------------------------------------------------------
The Board does not believe it is necessary for QC 1000 to bifurcate
other participants between those that participate in engagements and
those that are involved with the QC system. Just because a quality
objective or other provision of QC 1000 refers to all types of other
participants in the same way does not mean that the firm should respond
by treating all types of other participants in the same way. On the
contrary, the firm's policies and procedures addressing other
participants should differentiate based on the types and roles of other
participants to the extent necessary to be responsive to the firm's
quality risks. When designing quality responses, the firm will address
the specific risks posed by the other participants and their
responsibilities within the firm's engagements and QC system. For
example, a firm that uses a network as a resource in many areas, such
as independence tracking and monitoring, engagement performance,
information and communication, and monitoring and remediation, would
have many quality risks and quality responses related to their use of
the network. A smaller firm that only uses one individual from outside
the firm as an engagement quality reviewer may have fewer quality risks
and quality responses related to other participants to address in its
quality control system.
The following diagram provides QC 1000's definitions of ``firm
personnel'' and ``other participants'' and provides examples of each
type:
BILLING CODE 8011-01-P
[[Page 49606]]
[GRAPHIC] [TIFF OMITTED] TN11JN24.002
[[Page 49607]]
BILLING CODE 8011-01-C
As noted in the diagram, the persons performing some roles, such as
an EQR or personnel at shared service centers, may be firm personnel or
other participants, depending on their relationship to the firm. For
example, an EQR employed by the firm would be considered firm
personnel, whereas an EQR contracted from outside the firm that is not
functioning as a firm employee would be an other participant.
Similarly, personnel at shared service centers may be firm personnel
(if they are employed by the firm or function as firm employees) or
other participants (if they are personnel of another organization, such
as a network affiliate).
5. Networks
QC 1000 acknowledges that networks of firms may be structured in a
variety of ways and could include arrangements between firms for
sharing knowledge; developing and implementing consistent policies,
tools, and methodologies; conducting multi-location engagements; or
executing other types of business or administrative matters. Through
its oversight activities, the PCAOB has observed that some networks
provide or require use of a wide range of resources and services and
may involve various levels of personnel, composed of a mix of the
firm's national and local office personnel. Some examples of resources
and services that networks provide include:
<bullet> Audit methodologies;
<bullet> Technology tools;
<bullet> Training;
<bullet> Risk management activities;
<bullet> Consultations on accounting, auditing, and SEC matters;
<bullet> Preventive engagement-level monitoring and coaching;
<bullet> Support for inspections; and
<bullet> Root cause analysis and remediation.
Since networks may involve a wide variety of different arrangements
and different degrees of coordination and cooperation across firms,
rather than attempting to define the term ``network,'' QC 1000
describes these types of arrangements in more general terms.\121\ Under
the standard, networks may include a combination of registered and
unregistered accounting firms and other entities.
---------------------------------------------------------------------------
\121\ In the standard, references to a ``network'' encompass all
of the memberships and affiliations that registered firms must
report to the PCAOB in Item 5.2 of their annual report on Form 2,
including certain networks, arrangements, alliances, partnerships,
and associations. See Item 5.2, PCAOB Form 2 (describing reporting
requirements for memberships, affiliations, and similar
arrangements).
---------------------------------------------------------------------------
6. Third-Party Providers
Commenters on this topic supported the definition of third-party
providers as proposed.
The standard addresses resources used by the firm that are sourced
from third-party providers. Third-party providers are individuals or
organizations, other than other participants, as defined above, that
provide resources to the firm that are specifically designed for use in
the performance of engagements or to assist in the operation of its QC
system.\122\ The following diagram provides QC 1000's definition of
``third-party providers'' and several examples of them:
---------------------------------------------------------------------------
\122\ Providers of resources that are not specifically designed
for use in the performance of engagements or to assist in the
operation of firms' QC systems (e.g., general word processing and
spreadsheet software) are not ``third-party providers'' as the Board
has defined that term.
[GRAPHIC] [TIFF OMITTED] TN11JN24.003
[[Page 49608]]
Scalability
The approximately 1,600 firms registered with the PCAOB differ
significantly based on their nature and circumstances:
<bullet> Approximately 53% of firms are located in foreign
jurisdictions, representing 89 foreign jurisdictions;
<bullet> Approximately 20% of total firms, and 40% of firms located
in foreign jurisdictions, belong to one of six global networks that
contain the largest number of registered, non-U.S. firms that share
resources such as methodology and monitoring activities; \123\
---------------------------------------------------------------------------
\123\ The six global networks that contain the largest number of
registered, non-U.S. firms as reported on Form 2s filed in 2023 are:
BDO International Limited, Deloitte Touche Tohmatsu Limited, Ernst &
Young Global Limited, Grant Thornton International Limited, KPMG
International Cooperative, and PricewaterhouseCoopers International
Limited (the member firms of these networks are collectively
referred to herein as ``GNFs'').
---------------------------------------------------------------------------
<bullet> Approximately 60 firms are sole proprietorships;
<bullet> Approximately 650 firms, or 41% of firms, performed an
engagement under PCAOB standards for an issuer or broker-dealer during
the 12 months ended June 2023;
<bullet> Approximately 70 only played a substantial role in such
engagements in the past year;
<bullet> Approximately 140 performed audits of only broker-dealers
in the past year;
<bullet> Approximately 130 firms that did not perform an engagement
under PCAOB standards for an issuer or broker-dealer in 2022 did
perform such an engagement in the past five years; and
<bullet> Approximately 51% of firms have not performed an
engagement under PCAOB standards for an issuer or broker-dealer in the
past five years.\124\
---------------------------------------------------------------------------
\124\ The data were obtained from Audit Analytics and publicly
available data from the PCAOB's Registration, Annual and Special
Reporting (RASR) available at <a href="https://rasr.pcaobus.org">https://rasr.pcaobus.org</a>. The PCAOB
does not collect information about whether registered firms perform
engagements under PCAOB standards other than for issuers and broker-
dealers. Firms may be engaged, for example, in connection with the
audit of a reporting company that does not meet the Sarbanes-Oxley
definition of ``issuer'' described in footnote 2 above, in
connection with certain offerings of securities that are exempt from
registration under the Securities Act (e.g., offerings under
Regulation A, Regulation D, or Regulation Crowdfunding), pursuant to
a contractual obligation such as a loan covenant, or on an entirely
voluntary basis.
---------------------------------------------------------------------------
While the Board believes the basic objectives of the QC system
ought to be the same across all firms, the Board believes the QC
standard needs to be appropriately scalable, so that firms of different
sizes and characteristics can appropriately design their QC system to
address the risks associated with their own practice.
The specific policies and procedures necessary to achieve the
objectives of the QC system may vary significantly across firms,
depending on their size, the types of engagements they perform, and
other factors. The Board believes that QC 1000 is sufficiently
principles-based and scalable that firms will be able to pursue an
approach to QC that is appropriate in light of their specific
circumstances.
In the Board's view, firms that perform engagements under PCAOB
standards should generally be subject to the same QC requirements. In
particular, the Board does not believe the historical distinction
between firms that were members of the SECPS in 2003 and those that
were not has continuing relevance in determining the QC standards that
should apply today. Accordingly, the Board eliminated that distinction.
As discussed in more detail below, QC 1000 incorporates certain SECPS
requirements, making them applicable to all firms, and eliminates
others. However, the Board also believes there are specific areas, such
as firm governance, where firms with larger PCAOB audit practices
should be subject to enhanced requirements. QC 1000 includes several
requirements that apply only to the firms that meet the statutory
threshold for annual PCAOB inspection.
The Board is aware that there is a significant number of registered
firms that do not perform engagements under PCAOB standards every
year--they only participate in other firms' engagements at less than
the level of a substantial role or have no involvement in issuer or
broker-dealer engagements. The Board believes that the risk to investor
protection is minimal if the firm is not performing engagements under
PCAOB standards for issuers and SEC-registered broker-dealers, and that
it is appropriate to provide for more limited QC obligations in those
circumstances. Under QC 1000, all registered firms are required to
design a QC system but only firms that are subject to applicable
professional and legal requirements with respect to a PCAOB engagement
are required to implement and operate the QC system.
1. Scaled Applicability vs. Full Applicability
The Board created a fundamental distinction in QC 1000 between the
obligation to design a QC system in compliance with the standard, which
will apply to all firms,\125\ and the obligation to implement and
operate an effective QC system, which, broadly speaking, will apply
only to firms that perform engagements under PCAOB standards.
---------------------------------------------------------------------------
\125\ QC 1000.06, discussed below, sets out the requirements for
QC system design.
---------------------------------------------------------------------------
Under the standard, firms are required to implement and operate an
effective QC system--that is, comply with all provisions of QC 1000--at
all times that the firm is required to comply with applicable
professional and legal requirements with respect to any of the firm's
engagements.\126\
---------------------------------------------------------------------------
\126\ QC 1000.07.
---------------------------------------------------------------------------
As noted above, many registered firms do not perform engagements
every year. However, a firm that is not currently performing any
engagements may nevertheless have to comply with applicable
professional and legal requirements with respect to a previous or
future firm engagement. For example, procedures for the acceptance of a
new engagement have to be performed before the engagement is conducted.
Responsibilities may also arise with respect to completed engagements
long after the issuance of the auditor's report--for example, if the
issuer requests the auditor's consent to include its report in a
registration statement, if an engagement deficiency is identified that
requires remediation, or if the auditor becomes aware of facts that may
have existed at the date of the auditor's report which may have
affected the report. In the Board's view, whenever a firm has
responsibilities under applicable professional and legal requirements
with respect to an engagement, those responsibilities should be
performed under a QC system that is implemented, is operating, and
complies with PCAOB standards.
Importantly, if a firm is required to implement and operate an
effective QC system, the firm would not necessarily have to implement
and operate every QC policy or procedure that it has designed. An
effective QC system provides reasonable assurance that the firm is
complying with ``applicable'' professional and legal requirements. The
extent of ``applicable'' requirements could change depending on the
firm's circumstances, and the QC system policies and procedures that
the firm would have to implement and operate could change in response.
For example, if a firm last performed an engagement (as defined in the
standard) five or six years ago and has no current responsibilities
with respect to any other firms' engagements, it might be subject only
to requirements regarding
[[Page 49609]]
the retention of certain engagement-related documentation.\127\ In such
a circumstance, an effective QC system--i.e., a system that provides
reasonable assurance that the firm is complying with applicable
professional and legal requirements regarding such documentation--could
be scaled back to address only engagement-related documentation
retention, as well as ongoing evaluation, reporting, and documentation
requirements with respect to the QC system itself. The Board asked in
the proposing release whether it was clear how a firm's
responsibilities under QC 1000 may change depending on the extent of
applicable professional and legal requirements to which the firm is
subject at a particular time, and commenters that responded on the
issue were generally supportive.
---------------------------------------------------------------------------
\127\ See AS 1215; 17 CFR 210.2-06.
---------------------------------------------------------------------------
If the firm has no more responsibilities with respect to any
engagement, the firm is required to continue operating the QC system
until the next September 30 (the annual evaluation date). This would
ensure that the firm would be required to evaluate and report on the QC
system for any year during which the QC system was required to
operate.\128\
---------------------------------------------------------------------------
\128\ QC 1000.07. The proposed requirements for evaluation of
and reporting on the QC system are discussed below.
---------------------------------------------------------------------------
Firms that are not subject to the requirement to implement and
operate the QC system are still subject to the requirement to design a
QC system that complies with QC 1000.\129\ Paragraph .06 of QC 1000,
discussed below, sets out the requirements for design of the QC system
in more detail.
---------------------------------------------------------------------------
\129\ The standard makes clear that any existing obligations
under QC 1000 (for example, reporting obligations with respect to
prior periods when the firm was required to implement and operate
the QC system) would continue.
---------------------------------------------------------------------------
The Board believes it is appropriate to limit the application of
the requirements of QC 1000 for firms that have no obligations under
applicable professional and legal requirements with respect to firm
engagements. Indeed, in those situations it is hard to see how a firm
could, as a practical matter, ``implement'' or ``operate'' its QC
system. Implementation and operation contemplate, among other things,
the application of QC policies and procedures to the firm's
engagements, monitoring of work performed on engagements, and
identification and remediation of engagement deficiencies. Without
``engagements,'' as the standard defines that term, implementation and
operation of a QC system would be largely hypothetical. Moreover, the
population of firms that are subject only to the design requirements of
QC 1000 is comprised entirely of firms that are not required to be
registered with the PCAOB--because they do not participate in
engagements under PCAOB standards or do so only below the level of a
substantial role.\130\
---------------------------------------------------------------------------
\130\ If a firm requests leave to withdraw from PCAOB
registration and is permitted to do so, the firm, upon its
withdrawal from registration, would no longer be subject to an
obligation to design, implement, or operate a QC system in
accordance with QC 1000.
---------------------------------------------------------------------------
Many commenters, including firms and related groups, investor-
related groups, academics, and others, did not support requiring firms
that are not required to comply with applicable professional and legal
requirements to design a QC system under QC 1000. Several of these
commenters expressed concerns that this would be unnecessarily costly
to those firms, or suggested that there could be challenges associated
with implementing and operating a QC system based on hypothetical risks
that could differ from the actual risks at the time the firm accepts
and performs engagements pursuant to PCAOB standards. Some commenters
suggested that this requirement may cause firms to deregister with the
PCAOB, decline to assist U.S. firms in executing their global audits,
or create a potential barrier to entry for new firms in the
marketplace. One firm-related group commented that as this aspect of
the proposal affects such a large number of firms, the potential
political impacts deserve further consideration. The firm-related group
further commented that foreign firms could see this as an accelerator
to a decision to not service specific audit markets, which potentially
impacts audit markets beyond the U.S., and that policy makers in other
countries may view the potential for further market concentration more
significantly.
Firms and a related group raising cost concerns with the proposed
QC system design requirements suggested allowing firms that do not
perform engagements the flexibility to design their QC system in
accordance with another QC standard, such as ISQM 1 or SQMS 1. One of
these firms further suggested that firms transitioning to performing
engagements under PCAOB standards be given an additional six months to
one year from their annual evaluation date to file their Form QC for
the transition period. The firm asserted that even if a firm has
complied with the design requirements, implementing and operating a QC
system that complies with the standard would involve significant
effort. Another firm suggested that it would be more appropriate to
have a transition period for the registered public accounting firm to
update their system of quality control to adhere to the incremental
requirements of the PCAOB. An academic suggested that the design
requirements for firms that have not performed and do not plan to
perform engagements pursuant to PCAOB standards should be limited to
client acceptance components. One firm suggested that the standard
could include a requirement that firms are not allowed to perform an
engagement under PCAOB standards until they have designed and
implemented QC 1000. Other commenters suggested that registered firms
that do not intend to conduct PCAOB audits should not be required to do
anything under QC 1000.
Other commenters suggested a variety of approaches for when firms
should be required to implement and operate a QC 1000-compliant QC
system. One firm suggested that firms that only perform a substantial
role in more than a certain threshold (presumably to be specified by
the PCAOB) of PCAOB engagements could be permitted to comply with ISQM
1 instead of being subject to full applicability of QC 1000. Another
commenter suggested that smaller firms (e.g., triennially inspected
firms with fewer than 100 issuer engagements) be permitted the option
of complying with ISQM 1 or SQMS 1 as an alternative to QC 1000.
Another firm suggested that the PCAOB should permit non-U.S. firms to
comply with ISQM 1 rather than adopting QC 1000. Another commenter
suggested that the criteria for full applicability of the standard
should be based on whether the engagements individually or in the
aggregate involve a material amount of market capitalization. The
commenter suggested that under such an approach, the requirement to
operate the QC system could be optional for registered firms auditing
companies with a smaller market capitalization.
Some commenters, including a firm, a firm-related group, and an
investor, commented that the requirement to design a QC 1000-compliant
QC system is appropriate for any registered firm, even if it is not
performing engagements or playing a substantial role in other firms'
engagements. One firm-related group agreed that whenever a firm has
responsibilities under applicable professional and legal requirements
with respect to an engagement, those responsibilities should be
performed under a fully implemented and operating QC system that
complies with
[[Page 49610]]
PCAOB standards. However, the commenter asked for clarification on the
circumstances that trigger the need for a firm to implement and operate
a QC system in compliance with QC 1000, and suggested targeted guidance
in that area would be helpful.
The Board continues to believe that requiring all registered firms
to design a QC system that complies with the standard, regardless of
whether they have obligations with respect to engagements, is
consistent with the PCAOB's statutory mandate and historical practice.
Sarbanes-Oxley directs the PCAOB to include in its QC standards
requirements related to numerous topics for ``every'' registered public
accounting firm.\131\ The statute also directs the PCAOB that
applications for registration with the PCAOB must contain ``a statement
of the quality control policies of the [applicant] for its accounting
and auditing practices.'' \132\ Consistent with that directive, as a
condition to registration, applicants are required to furnish ``a
narrative, summary description, in a clear, concise and understandable
format, of the quality control policies of the applicant for its
accounting and auditing practices, including procedures used to monitor
compliance with independence requirements,'' \133\ and that description
must provide an overview of the applicant's quality control policies
regarding each element of quality control.\134\ Therefore, firms that
register with the Board are already required to provide a summary of
the design of their QC system regardless of whether they have
obligations with respect to engagements.\135\
---------------------------------------------------------------------------
\131\ Section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C.
7213(a)(2)(B).
\132\ Section 102(b)(2)(D) of Sarbanes-Oxley, 15 U.S.C.
7212(b)(2)(D).
\133\ Item 4.1 of PCAOB Form 1 (``Applicant's Quality Control
Policies''). The Board modified the information about QC required in
Form 1. See below.
\134\ See Frequently Asked Questions Regarding Registration with
the Board, PCAOB Rel. No. 2003-011F (Dec. 4, 2017) (Question #32),
available at <a href="https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/registration/information/documents/registration_faq.pdf?sfvrsn=c50d7356_0">https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/registration/information/documents/registration_faq.pdf?sfvrsn=c50d7356_0</a>. As part of this rulemaking
the requirements in Form 1 are being amended.
\135\ In a separate rulemaking, the Board proposed to create a
new form, Form QC--Policies and Procedures (``Form QCPP''), to
require that, once QC 1000 becomes effective, any firm that
registered with the Board prior to the date that QC 1000 becomes
effective must submit an updated statement of the firm's quality
control policies and procedures pursuant to QC 1000. See Firm
Reporting, Rel. No. 2024-003 (Apr. 9, 2024) at 41.
---------------------------------------------------------------------------
The Board also believes that requiring all firms to design a QC
system that complies with all provisions of QC 1000, and not just
limiting the requirement to certain components such as acceptance and
continuance of engagements, is consistent with its investor protection
mandate. While the Board acknowledges that there could be challenges
associated with implementing and operating a QC system based on
hypothetical risks, it continues to believe that it is important for
registered firms to design a QC system based on the quality risks the
firm likely would face if it were to perform engagements. Because
registering with the PCAOB enables a firm to issue audit reports or
play a substantial role on audits performed under PCAOB standards for
issuers and broker-dealers, and because investors and companies
considering engaging the firm could reasonably expect that any firm
that could pursue such an engagement would already have a PCAOB-
compliant QC system designed and ready for implementation and
operation, the Board believes that imposing a design requirement on all
registered firms promotes its mission of protecting investors and
promoting the public interest.
As discussed in more detail below, QC 1000 includes requirements
that do not appear in other QC standards or that are more prescriptive
or more specifically tailored to the PCAOB's legal and regulatory
environment than the provisions of ISQM 1 or SQMS 1. Because of these
key differences, the Board does not believe that a QC system design
based on ISQM 1 or SQMS 1, as suggested by some commenters, would be
sufficient. Furthermore, the Board believes that compliance with ISQM 1
may not be the regulatory baseline within certain jurisdictions. The
PCAOB has observed other standard setters and regulators adopt
variations of ISQM 1, which typically include more detailed and
stringent requirements.\136\ Therefore, the Board believes that audit
firms within some jurisdictions will already have to design and operate
a QC system that goes beyond the requirements of ISQM 1, and it would
not be appropriate for the Board to permit compliance with a less
stringent quality system than the one required in the local regulatory
environment. Similarly, the Board does not believe that it would be
appropriate for it to permit firms to comply with their locally
applicable variation of ISQM 1 as this would result in the PCAOB
requiring and managing compliance with a multitude of different QC
standards.
---------------------------------------------------------------------------
\136\ See, e.g., International Standard on Quality Management
(UK) 1, adopted by the Financial Reporting Council (March 2023).
---------------------------------------------------------------------------
The Board also continues to believe that, whenever a firm has
responsibilities under applicable professional and legal requirements
with respect to a firm engagement, those responsibilities should be
performed under a QC system that is implemented, is operating, and
complies with PCAOB standards. Given the unique features of QC 1000,
compliance with ISQM 1 or SQMS 1 would not, in the Board's view, be an
adequate substitute, nor would the Board's regulatory purposes be
served by providing firms with an extended compliance period after they
take on an engagement.
The Board does not believe that this requirement will result in
disruption to competition in the audit market. Firms that are subject
to applicable professional and legal requirements with respect to
engagements, including substantial role engagements, are required to
implement and operate a QC 1000-compliant QC system. If a registered
firm that has not led an engagement or played a substantial role in the
past anticipates the possibility of transitioning to performing
engagements, the Board believes the requirement to design a QC system
that complies with QC 1000 will facilitate timely implementation and
operation of their QC 1000 QC system, which will in turn facilitate
appropriate performance of the engagements; appropriate monitoring and,
if necessary, remedial action; and timely evaluation and reporting on
Form QC.\137\ QC 1000 shares a basic structure and approach with ISQM 1
and SQMS 1, so designing for the incremental features unique to QC 1000
should not be unduly burdensome for firms that are subject to either or
both of those other QC standards (which the Board believes will be the
case for a very substantial majority of firms that are in a position to
perform PCAOB engagements).\138\
---------------------------------------------------------------------------
\137\ The Board understands that the actual quality risks the
firm faces when it takes on an engagement may differ from the
hypothetical risks considered in designing the QC system. QC 1000
requires the firm to establish policies and procedures to monitor,
identify, and assess changes to conditions, events, and activities
that indicate modifications to the firm's quality objectives,
quality risks, or quality responses may be needed, and to make
timely modifications as needed. See QC 1000.22-23.
\138\ See Section D.
---------------------------------------------------------------------------
The Board does not believe that QC 1000 conflicts with the
requirements of other standard setters or that anything prevents firms
from developing a single QC system for their entire practice that
satisfies both PCAOB requirements and other professional standards to
which the firm is subject. The Board
[[Page 49611]]
acknowledges certain differences between QC 1000 and the quality
management standards set by other standard setters, in particular areas
where QC 1000 establishes additional or more stringent requirements.
However, the Board believes that quality responses developed by firms
under QC 1000 can be considered by firms for the purposes of other
quality management standards to which they are subject, reducing the
need for two or more separate QC systems.
BILLING CODE 8011-01-P
[GRAPHIC] [TIFF OMITTED] TN11JN24.004
BILLING CODE 8011-01-C
Firms participating in a PCAOB engagement below the level of a
substantial role do not require registration with the PCAOB. If such a
firm does not lead and does not plan to lead engagements or play a
substantial role in engagements pursuant to PCAOB standards, then the
Board believes that the firm should assess whether the costs of
complying with the design requirement are commensurate with their
perceived benefit of being registered with the PCAOB.
2. Other Scalability Considerations
Aspects of QC 1000 are risk-based, which makes them inherently
scalable. Firms are required to apply a risk-based approach to the
design, implementation, and operation of the QC system in the context
of their own audit practice. The standard provides that the firm will
tailor the design of its QC system to its specific facts and
circumstances, such as:
<bullet> The size and complexity of the firm;
<bullet> The types and variety of engagements it performs;
<bullet> The types of companies for which it performs engagements;
and
[[Page 49612]]
<bullet> Whether it is a member of a network and, if so, the nature
and extent of the network relationship.
Several commenters, including firms and a firm-related group,
suggested that the proposed standard was too prescriptive. Many of
these commenters suggested that, to promote further scalability,
specified quality responses could be replaced with quality objectives
to allow each firm to develop quality responses appropriate to the
circumstances and risks for their firm. One of these firms stated that
it disagreed with the notion in the proposing release that a specified
quality response suggests that every firm has the same or similar
quality risks and that the responses to those risks will also be the
same or similar. Another firm suggested that the specified quality
responses make the standard inherently less scalable and could be a
barrier to entry for smaller firms. The firm further suggested that an
overreliance on specified quality responses could discourage firms from
performing robust risk assessments and developing tailored quality
responses. Other commenters also suggested that more scalability could
be incorporated into the standard through consideration of concepts
such as professional judgment, relevance, or reliability. Some
commenters suggested that further alignment of QC 1000 to ISQM 1 or
SQMS 1 would promote further scalability. One firm stated that the
standard was overly prescriptive and suggested that specific guidance
be provided to small and medium-sized firms focused on operationality
of the standard. Several commenters expressed concern that the
prescriptive nature of QC 1000 would negatively affect smaller firms.
As discussed above, some specified quality responses carry
requirements from current PCAOB standards into QC 1000, while others
provide new requirements that the Board believes are important to a
firm's QC system. The Board believes that this approach is appropriate
and that the specified quality responses are required to address
certain quality risks that are present in all firms that perform PCAOB
engagements and to assure that the QC system is designed, implemented,
and operated with an appropriate level of rigor. The inclusion of
specified quality responses in the standard should not be interpreted
to suggest that the Board believes all firms have the same or similar
quality risks overall; the specific risks addressed by specified
quality responses are likely a small subset of the overall population
of quality risks identified by a firm, and the Board expects
potentially wide variation in the full set of risks faced by different
firms.
The Board believes that the standard incorporates the concepts of
professional judgment, relevance and reliability where it is
appropriate, for example, in the ability to exercise professional
judgment in the determination of whether a major QC deficiency exists,
or the discussion in the information and communication component noting
that information would have to be both relevant and reliable such that
it supports the operation of the firm's QC system and the performance
of the firm's engagements in accordance with applicable professional
and legal requirements. The Board continues to believe that the
inclusion of prescriptive requirements in certain areas promotes its
mission of protecting investors and promoting the public interest.
An investor-related group commented that it supports a risk-based
approach up to a point, but it expressed concern that the standard
placed too much emphasis on scalability and recommended the development
of a set of minimum requirements for the establishment of quality
control systems. Another commenter stated that the PCAOB should not let
scalability concerns get in the way of driving change and improving
quality, further suggesting that smaller-firm considerations should not
get in the way of doing the right thing for the largest audit firms.
One commenter suggested more specific requirements relating to the
audits of broker-dealers, commenting that a high deficiency rate in
broker-dealer audits suggests the need for more specific requirements
with respect to audits of broker-dealers, such as requirements for
specific expertise in the conduct of broker-dealer audits, or, to the
extent that the broker-dealer is a subsidiary of an issuer,
requirements relating to coordination between the broker-dealer audit
team and the audit team of the issuer parent company.
The final standard establishes a set of minimum requirements that
all firms must follow in the establishment of their QC system. As
discussed in more detail below, while QC 1000 provides some flexibility
with regard to the quality risks that firms identify and the quality
responses that firms develop to address those risks, it does not
provide the same flexibility with regard to quality objectives or
specified quality responses. Instead, quality objectives and specified
quality responses that will apply to all firms are specified in the
standard. Firms can establish additional quality objectives--indeed,
they are required to do so if necessary to achieve the reasonable
assurance objective--but they generally cannot omit or modify any of
the quality objectives or specified quality responses set out in the
standard.
Within a uniform basic structure to be used by all firms, QC 1000
reflects a risk-based, scalable approach, particularly in the risk
assessment process and the monitoring and remediation process. The
nature and extent of these processes would be commensurate with the
firm's quality risks and would therefore vary across firms in nature,
scope, and complexity. The Board believes it is crucial that the
standard be scalable so that firms of different sizes and
characteristics can appropriately design their QC system to address the
risks associated with their own practice, including specific risks
relating to the types of companies that they audit, such as broker-
dealers. The Board believes that an appropriate balance between quality
objectives and specified quality responses is the best approach to
improve quality across firms of all sizes that perform engagements
pursuant to PCAOB standards, whether these be issuer or broker-dealer
engagements. Similarly, the form, content, and extent of required
documentation related to the QC system will be driven by a firm's
nature and circumstances. QC 1000 contains both provisions that scale
down, by tailoring for smaller PCAOB audit practices, and provisions
that scale up, by focusing on risks faced by the largest firms.
Some provisions of QC 1000 focus particularly on firms with a
smaller PCAOB audit practice. These include:
<bullet> Depending on the nature and circumstances of the firm
(including its size and structure), a single individual may be assigned
more than one of the QC system oversight roles required under the
standard; and
<bullet> If the firm issued engagement reports with respect to five
or fewer engagements for issuers, brokers, and dealers during the prior
calendar year, engagement monitoring activities may include monitoring
audits not performed under PCAOB auditing standards. For firms with
this number of engagements performed under PCAOB standards, the Board
understands that requiring a firm to annually monitor its engagements
that are performed under PCAOB standards increases the likelihood of
the same partner being inspected every year under QC 1000. The Board
believes this could disincentivize partners from serving as the
engagement partner and ultimately affect competitive conditions in the
market.
[[Page 49613]]
Other provisions of QC 1000 impose incremental requirements on
firms that issued audit reports for more than 100 issuers in the prior
calendar year, including:
<bullet> An external oversight function for the QC system composed
of one or more persons who are not partners, shareholders, members,
other principals, or employees of the firm;
<bullet> A program for collecting and addressing complaints and
allegations that includes confidentiality protections;
<bullet> An automated system for identifying investments in
securities that might impair independence; and
<bullet> A requirement to perform in-process monitoring of
engagements.
These incremental requirements specifically target and respond to
potential quality risks that the Board believes are more likely to
arise in audit practices of a certain size and complexity. Firms that
audit fewer than 100 issuers may still determine that the incremental
requirements are an appropriate quality response for quality risks that
they have identified specific to their firm, but these are not
mandatory for these smaller PCAOB audit practices to promote
scalability of the standard.
Several commenters, including firms, suggested that the threshold
for any incremental requirements be raised to 500 issuers, to align
with the existing SECPS requirement that firms that audit more than 500
SEC registrants have an automated system to identify investment
holdings of partners and managers that might impair independence.\139\
One of these firms also suggested a dual-threshold approach that would
consider both the number of issuers audited and the market
capitalization of the issuers. Two commenters, including an investor-
related group and an academic, suggested that there should not be a
threshold for incremental requirements, and all requirements of the
standard should apply to all firms regardless of the size of the firm.
The academic suggested that the incremental requirements may give rise
to actual or perceived differences in audit quality between larger
audit firms that issue audit reports for more than 100 issuers and
smaller audit firms that issue audit reports for fewer than 100
issuers. One firm suggested that the incremental requirements only
apply to those firms subject to annual inspection under the PCAOB's
rules (in case the 100-issuer threshold for regular inspection in Rule
4003, Frequency of Inspections, ever were changed), and another firm
suggested that these should only apply to the top six firms.
---------------------------------------------------------------------------
\139\ See SECPS 1000.46 (requirement 4).
---------------------------------------------------------------------------
Two investor-related groups suggested that if the final standard
does include a threshold for certain incremental requirements, the
threshold should relate to the market capitalization of the issuers
that the firm's audit practice covers rather than the number of issuer
audit reports the firm issues. Other commenters were also supportive of
a market capitalization-based threshold.
Several commenters suggested that the nature of the firm's audit
practice be taken into consideration when determining the applicability
of the incremental requirements, and that just looking to the number of
issuers may not be an appropriate measure for the size or complexity of
the audit practice. One commenter suggested that the proportion of the
PCAOB audits to the size of the practice within a firm is also a
relevant factor to consider. Some commenters suggested that imposing a
threshold of 100 issuers could impose a barrier to entry for firms that
wish to expand their audit practices beyond 100 issuers and, as a
result, firms may manage their practice to stay below the 100-issuer
threshold.
The Board believes that requiring certain incremental requirements
of firms with larger PCAOB audit practices is appropriate and that the
complexities inherent to large and complex firms are likely to give
rise to quality risks for which the incremental requirements would be
appropriate quality responses. Based on the comments received, the
Board considered whether alternative measures could be used that looked
to the nature and complexity of the issuers being audited, for example,
through a market capitalization-based threshold. The Board believes it
is appropriate to retain the threshold as proposed, based on the size
of a firm's issuer audit practice rather than referencing the size of
the companies subject to audit by the firm.
In general, the Board believes that the number of issuers is the
most indicative measure of a firm's size and the complexity of its
audit practice. Under a market capitalization measure, a firm that
audits a single very large issuer could look like a large firm, but its
practice may well be less complex than a firm that audits a large
number of small issuers. The incremental requirements in QC 1000
respond to specific issues or risks--firm governance, confidential
handling of complaints and allegations, tracking investments that may
bear on independence, and monitoring of in-process engagements--that
the Board believes are more significant in complex practices handling
large numbers of engagements. Therefore, the threshold was adopted as
proposed.
In addition, the Board believes that larger PCAOB audit practices
that audit a greater number of issuers are more likely to have the
resources to be able to effectively comply with the incremental
requirements at a level commensurate to the risk.
The Board also believes that firms are familiar with the proposed
threshold of issued audit reports for more than 100 issuers, because it
is used to determine which firms are subject to annual PCAOB
inspection.\140\ The Board does not believe it to be appropriate to
increase the threshold to 500 issuers or to specifically limit the
requirements to certain firms. The Board believes that firms that audit
between 100 and 500 issuers are sufficiently large such that potential
quality risks may arise as a result, and that the incremental
requirements would be responsive to these risks.
---------------------------------------------------------------------------
\140\ See section 104(b)(1)(A) of Sarbanes-Oxley, 15 U.S.C.
7214(b)(1)(A); PCAOB Rule 4003, Frequency of Inspections.
---------------------------------------------------------------------------
Several commenters suggested that a cut-off date for the
measurement of the size of the firm's issuer practice relative to the
100-issuer threshold, and a related transition period after a firm
passes the 100-issuer threshold, be specified in the standard to allow
time for firms to implement the incremental requirements. One of these
commenters specifically requested consideration of the effective date
for the implementation and operation of the incremental requirements
if, because of a merger or acquisition, the resultant firm performs
audits of more than 100 issuers.
The standard specifies a measurement cut-off date for the 100-
issuer threshold of the prior calendar year-end. Therefore, if a firm
has issued audit reports with respect to more than 100 issuers in the
period January 1 to December 31, in any given year, the firm must
implement the incremental requirements beginning the following January
1 and evaluate compliance with the incremental requirements as of the
following September 30. The Board believes that firms continuously
track the size of their issuer audit practice for the purpose of
monitoring the threshold for annual inspection by the PCAOB. Therefore,
prior to the calendar year-end measurement cut-off date, the Board
expects that firms should have an informed view as to whether they will
need to design, implement, and operate the incremental requirements for
the
[[Page 49614]]
following year. Similarly, the Board believes that a merger or
acquisition between firms would take time to finalize such that the
firms would have an informed view of whether the incremental
requirements would be applicable to the successor firm, providing
additional time for the firms to design, implement, and begin operating
the incremental requirements. In addition, the Board does not believe
that it is appropriate or consistent with its investor protection
mandate to allow a firm that audits over 100 issuers to not operate the
incremental requirements beginning the calendar year following the date
of the merger or acquisition if that merger or acquisition resulted in
the firm auditing more than 100 issuers. The Board believes that
specific quality risks could arise as the result of a merger or
acquisition; for example, a sudden increase in the size of the firm
could exacerbate the potential quality risks that exist as a result of
a firm's size, to which the incremental requirements would be
responsive. Furthermore, there is nothing in the standard that prevents
firms from implementing the incremental requirements earlier than
required, if they believe it to be likely that the threshold will be
met.
QC 1000: A Firm's System of Quality Control
Introduction
This section describes the requirements of QC 1000 and highlights
the key differences between the final standard and current QC
standards. Terms defined in Appendix A to QC 1000, Definitions, are
italicized throughout QC 1000.
The introduction section of the standard sets up the structure for
providing the standard's requirements. Paragraphs .01-.02 describe the
risk-based approach to the firm's QC system and acknowledge the
important role of the QC system--supporting consistent performance of
engagements in accordance with applicable professional and legal
requirements--in protecting investors through the preparation of
informative, accurate, and independent engagement reports. To emphasize
the auditor's role in investor protection, the Board added language to
the final standard reminding auditors that the firm's QC system
enhances investors' ability to rely on engagement reports. The Board
also reversed the order of paragraphs .01 and .02 to improve flow.
One commenter suggested a risk-based approach to quality control
with minimum requirements integrated into it, instead of a purely risk-
based approach. The Board agrees that a purely risk-based approach
would be inappropriate. As proposed and as adopted, QC 1000 is not a
purely risk-based standard. It establishes mandatory quality objectives
that every firm is required to achieve; lays out detailed, required
processes for risk assessment, monitoring and remediation, and annual
evaluation of the QC system; requires specified quality responses in
many areas; and fosters accountability and rigor through mandated key
roles for the QC system with specified individual responsibility and
accountability and required reporting to the PCAOB.
The Firm's QC System
1. QC 1000
a. Objective of the QC System (QC 1000.05)
The proposal asked if the reasonable assurance objective was
appropriate and if there were additional objectives that the QC system
should achieve. Many commenters, including firms, supported the
reasonable assurance objective and did not support additional
objectives for the QC system.
Some commenters, including investors and investor-related groups,
said there should be an explicit acknowledgement that auditing serves a
public purpose and that the system of quality control therefore should
serve investors. Other investors and investor-related groups suggested
that the quality control system should seek a higher performance
standard than mere compliance. Two commenters suggested that the
objective should be expanded, so that in addition to complying with
applicable professional and legal requirements, engagements should be
performed in a manner that is responsive to the needs of investors by
ensuring high-quality financial reporting. Another suggested that the
foundation of the system should promote high-quality and ``useful''
financial and non-financial information and achieve a high level of
transparent financial reports. The commenter also suggested removing
the qualifier ``reasonable'' and emphasizing that the term
``assurance'' refers to a high level of assurance.
The Board agrees with these commenters that QC 1000 should frame
auditor responsibilities in terms of investor protection, and revised
paragraph .05 to reinforce that, as discussed in more detail below. The
Board also considered broadening the objective of the QC system beyond
compliance in a number of ways, as suggested by commenters.
For example, the Board considered adding explicit references to
``investor needs'' to the QC system objective. However, the Board are
concerned that the concept of ``investor needs'' is too vague and
indefinite to be interpreted consistently as an objective of the QC
system. Consistent with the reasonable assurance objective, the Board
believes that all investors want informative, accurate, and independent
engagement reports. But beyond that, investors are not monolithic and
may have different preferences. For example, the needs of a large
institutional investor with an actively managed portfolio are different
from those of a retail investor holding index funds. Investor needs
could also vary across issuers and different types of financial
instruments, as well as with changes in market conditions. As a result,
the Board does not believe that a QC system objective that was
expressly phrased in terms of satisfying ``investor needs'' would be
capable of consistent interpretation or would provide firms with
sufficient notice or direction about the conduct required of them.
The Board believes that ``high-quality'' and ``useful'' financial
reporting suffer from the same issues. These terms are subjective,
indefinite, and would mean different things to different financial
statement users and in different situations. In addition, grounding
auditor obligations in the quality or utility of financial reporting
risks conflating the role of the auditor with the role of the preparer.
The fundamental responsibility for financial reporting lies with the
company. The auditor enhances investors' ability on company financial
information through the preparation and issuance of informative,
accurate, and independent engagement reports, but the company prepares
the financial statements and retains ultimate responsibility for them.
The Board considered one commenter's suggestion of phrasing the
objective in terms of ``assurance,'' rather than ``reasonable
assurance.'' However, the Board believes that this would weaken, rather
than strengthen, the standard, in that it could be read to suggest that
any level of assurance, even if less than reasonable assurance, would
be appropriate. As proposed, the final standard includes a note
emphasizing that reasonable assurance is a high level of assurance.
Accordingly, the Board has not revised the objective of the QC
system as these commenters suggested. The Board continues to believe
that investor needs will be best served through an objective that is
grounded in auditors' existing obligations and can be
[[Page 49615]]
interpreted clearly and applied consistently. Auditor obligations under
applicable professional and legal requirements address investors'
fundamental priority: that the financial statements be free of material
misstatement. They also clearly delineate what conduct is required,
which enables both the Board and the firms that the Board regulates to
interpret and apply them on a consistent basis.
The Board has, however, made revisions to paragraph .05 that the
Board believes will be clarifying. The final rule specifies expressly
that the firm's objective is to design, and if applicable, implement
and operate an effective QC system. Further, although the Board
concluded that it could not express the objective of the QC system in
such terms, the Board does believe firms should be prompted to remember
their critical role in investor protection. With that in mind, the
Board revised paragraph .05 to explicitly acknowledge that a properly
conducted engagement and related report enhance the confidence of
investors and other market participants in the company's information to
which the firm's report relates. The Board also revised the paragraph
to remind auditors that an effective QC system protects investors by
facilitating the consistent preparation and issuance of informative,
accurate, and independent engagement reports in accordance with
applicable professional and legal requirements.
Paragraph .05 specifies that an effective QC system consistently
provides a firm with reasonable assurance that the firm, each member of
firm personnel, and each other participant conduct each engagement and
fulfill their other responsibilities in compliance with applicable
professional and legal requirements, and that each engagement report
issued by the firm complies with applicable professional and legal
requirements. The Board revised the provision to refer to ``each member
of'' firm personnel, ``each'' other participant, ``each'' engagement,
and ``each'' engagement report. This change clarifies that the QC
system provides reasonable assurance, not just over the pool of firm
personnel, the pool of other participants, and the portfolio of
engagements, but over each individual and each engagement. The
objective is still reasonable assurance, not absolute assurance. But an
effective QC system has to be designed, implemented, and operate in
such a way that the firm has reasonable assurance that each individual
who performs work on behalf of the firm and each engagement the firm
undertakes will comply with applicable professional and legal
requirements.
One commenter asserted that some prescriptive aspects of the
standard result in absolute assurance instead of reasonable assurance.
The Board disagrees, as it believes this is a misunderstanding of the
standard. Specifically, the reasonable assurance objective under QC
1000 is broadly consistent with the Board's current QC standards, as
well as ISQM 1 and SQMS 1, all of which contemplate that the system of
QC should provide reasonable assurance.\141\ The Board believes that
the combination of quality objectives and specified quality responses
in QC 1000 establishes a balance between prescriptive requirements and
a risk-based approach that contributes to the firm obtaining reasonable
assurance, but does not require absolute assurance. Of course, nothing
precludes a firm from going beyond the requirements in QC 1000 when
designing its QC system.
---------------------------------------------------------------------------
\141\ See ISQM 1.14; SQMS 1.15.
---------------------------------------------------------------------------
One commenter suggested that the concept of reasonable assurance
was not clear and could be clarified by retaining a footnote from QC 20
that reinforces that deficiencies in individual engagements do not, in
and of themselves, indicate a firm's quality control system is
insufficient to provide reasonable assurance. The Board has not
retained that footnote. The concept of reasonable assurance should be
familiar to auditors; it is a basic concept under the Board's current
standards and the Board believes it can be interpreted and applied
consistently. In addition, in light of QC 1000's detailed process for
the evaluation of the QC system, including the new defined terms ``QC
deficiency'' and ``major QC deficiency,'' discussed below, the Board
does not believe such a footnote is necessary. Under QC 1000, firms
will determine whether the QC system meets the reasonable assurance
objective by determining whether any ``major QC deficiencies'' exist.
The existence of major QC deficiencies indicates that the QC system
does not provide reasonable assurance, whereas the existence of QC
deficiencies that do not meet the definition of major QC deficiency
does not. Since that conclusion is apparent from the definitions, the
Board does not believe that the existing footnote is needed.
The ``reasonable assurance objective'' of the firm's QC system is
similar to the objective of the QC system under existing PCAOB
standards, except that the current standard requires reasonable
assurance as to compliance with applicable requirements and ``the
firm's standards of quality'' (i.e., the firm's policies and
procedures),\142\ whereas QC 1000's reasonable assurance objective
refers only to applicable requirements. This change reflects the
different role played by firm policies and procedures under the Board's
current QC standards compared to QC 1000. Firm policies and procedures
are the linchpin of current PCAOB QC standards: Most of the Board's
current QC standards simply require firms to establish, communicate,
document, and monitor specified policies and procedures. Policies and
procedures also play an important role under QC 1000, but they would
have a different context because of the significant differences in the
way in which the standard is structured.
---------------------------------------------------------------------------
\142\ See QC 20.03; QC 20.17.
---------------------------------------------------------------------------
QC 1000 is grounded in the firm's risk assessment process, whereby
the firm's quality objectives and the risks to achieving them are
identified and addressed by the firm in an ongoing, structured fashion.
This risk assessment process drives how the firm develops and refines
its policies and procedures; the ``quality responses'' are designed and
implemented to address quality risks. As such, policies and procedures
are a means to an end--addressing quality risks--rather than an end in
themselves. QC 1000 provides more detailed requirements regarding the
structure, scope, and functioning of the firm's QC system, particularly
in the monitoring and remediation component, than the Board's current
QC standards.
This does not mean that firms' QC policies and procedures are no
longer important. On the contrary, they are critical to addressing
quality risks and thereby achieving quality objectives and the
reasonable assurance objective. However, firms may no longer rely on
simply promulgating policies and procedures as the central, and
sometimes only, component of their QC system. Compliance with the QC
standard ultimately is based on whether the firm has met its quality
objectives and the reasonable assurance objective--which are driven by
whether the firm's policies and procedures have in fact been effective
in addressing quality risks--and on whether the firm has complied with
the requirements of the standard in the design, implementation, and
operation of the QC system. Another commenter suggested that the QC
system should not address firm policies and procedures that go beyond
applicable professional and legal requirements, on the basis that it
might undermine investor protection by disincentivizing firms from
developing policies and procedures that
[[Page 49616]]
go beyond what is required. For the reasons discussed above, the Board
has not included policies and procedures in the reasonable assurance
objective. However, because policies and procedures play an important
role in the firm achieving the reasonable assurance objective, the
Board has determined that some quality objectives have to incorporate
compliance with firm policies and procedures as well as applicable
professional and legal requirements.
The reasonable assurance objective also reflects the view that the
purpose of the QC system is to drive overall compliance by the
[…truncated; see source link]Indexed from Federal Register on June 11, 2024.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.