PCAOB Inspection Priorities for 2019
The PCAOB has shared its plans for audit firm inspections early next year, with more focus on how audit firms manage their own operations and less perhaps emphasis on specific risk areas such as Brexit, oil prices, or changing interest rates.
The PCAOB inspections outlook is useful foremost for audit firms, who want to know what the Public Company Accounting Oversight Board inspectors might ask about when they show up next year to review firms’ work. Still, corporate internal auditors and risk managers should keep one eye on PCAOB priorities too, since those priorities shape how audit firms behave when they show up at your office, exasperating you with all sorts of demands for data, evidence, and so forth.
This is also the first inspections outlook the PCAOB has released since it came under new leadership at the start of 2018. So while much of the material is obvious — like, what audit regulator wouldn’t examine a firm’s quality control systems? — we still want to give this document an extra bit of scrutiny.
For example, this year’s outlook is only four pages long. The closest counterpart from 2017 was 19 pages long, as was the inspection brief from 2016.
In both of those years, the PCAOB said it would review audit firms for how well they tested clients’ exposure to economic risks: Brexit, oil prices, the rising U.S. dollar, high levels of M&A activity, and so forth.
This year’s inspections outlook cut all that language, in favor of a single paragraph reminding audit firms to remember “external considerations.” What might those be? The inspections brief doesn’t say. It only tells auditors —
An auditor’s risk assessment procedures should continue throughout the audit and include consideration of relevant external factors. We remind auditors to consider whether assessed risks have changed as a result of changes in economic conditions.
Can we assume that reduction in word count means the PCAOB will let audit firms pay less attention to economic factors? That strikes me as a rather risky conclusion to draw. Then again, I never quite grasped inspection priorities like Brexit. Risk of material misstatement based on Brexit? Really?
Inspections: What We Do Know…
Many of the PCAOB’s inspection priorities are standard stuff: systems of quality control, audit firm independence, and continued trouble with problems raised in prior inspections. So internal auditors might want to pull past inspection reports of their audit firms, to see what the PCAOB flagged in prior years.
If your audit firm has continued trouble with some issue — revenue recognition or internal control over financial reporting, for example — you (or your audit committee) may want to ask the firm how it’s working to resolve its issues, rather than struggle through them yet again and saddle you with higher billable rates.
More relevant to those on the corporate side: the PCAOB will also be inspecting firms for their attention to cybersecurity, their use of software audit tools, and their adoption of the new auditor report format, which will debut in the second half of 2019.
For example, audit firms might probe your company more vigorously to assess cybersecurity risk. That probing won’t be the same as an IT security audit; rather the firm will want to assess how a cybersecurity breach could lead to risk of material misstatement in financial results.
I’m still unclear on how or why cybersecurity thieves would attack a company that way, essentially to cook the books. For them, it’s much more lucrative just to steal your customer data and sell it; or to sting you with a ransomware attack and extort a few thousand dollars. Those are nasty things, but they don’t lead to material misstatement of the financials.
Then again, the SEC did recently publish a report on nine firms that fell victim to phishing attacks, where the hackers duped employees into wiring company monies to overseas accounts, never to be seen again. You could say (and the SEC pretty much did say) those blunders qualify as poor accounting controls. Pressuring the firms to assess cybersecurity more closely is one way the regulators can pressure you to seal up those weaknesses.
New Accounting Standards
The PCAOB will also be looking at how audit firms handle the implementation of several new accounting standards — most notably, the revenue recognition standard that went into effect last year, the new leasing standard going into effect next week, and the current expected credit losses (CECL) standard going into effect 12 months from now.
For revenue recognition and leasing particularly, the real challenge for companies hasn’t been any new math radically changing your financials. Rather, the disclosures that accompany those numbers, and the completeness and accuracy of your systems to estimate revenue or leasing costs — those are the real bear for most filers. The PCAOB will want to see that auditors are following those issues closely, and correctly.
And then there’s the new audit report format, which will begin to include Critical Audit Matters with reports for fiscal years ending after June 30, 2019. CAMs are likely to cause a lot of confusion in the first year or two of auditors including them in their report.
In theory, you and your audit firm have already been preparing for the arrival of CAMs this year, by identifying CAMs in your financial statements and performing dry runs to see how the new audit process goes. In reality, many companies aren’t doing this yet.
Regardless, we do need to remember that the PCAOB is under entirely new leadership this year, with many long-time senior staffers also leaving. So however the inspections regime does unfold next spring (under the leadership of George Botic, promoted to permanent head of the Inspections Division earlier this year), this year’s cycle will be worth watching.