PCAOB Lists 2023 Inspection Priorities

The Public Company Accounting Oversight Board has released its list of priorities for audit firm inspections in 2023, in case any internal audit and financial compliance teams want to understand where your auditor is feeling the pressure and how that pressure might fall through onto you.

The PCAOB releases such a list every spring after the busy season for corporate audits winds down. The document is meant foremost to help audit firms understand what they’re likely to experience as PCAOB inspectors review those audits, but corporate internal control teams can also use the information to anticipate the evidence demands that audit firms might impose upon you to keep their PCAOB inspection overlords happy.

Several of the priorities (released Monday in a PCAOB staff report) are nothing new: fraud risk, risk assessment and internal control, audit firms’ use of other auditors, and cybersecurity; those issues rise to the surface of PCAOB audit inspections every year. On the other hand, this year’s list also includes digital assets and transactions related to SPACs — two issues that are more urgent in 2023, given the high profiles that both had in 2021 and 2022. 

This year’s inspections come amid “a troubling trend in audit quality,” according to PCAOB chairman Erica Williams, who has been pushing for more rigor in inspections (and subsequent enforcement) since she arrived as chairman in 2021.

“Increased deficiencies in 2021 inspections and increased comment forms in 2022 inspections revealed a troubling trend in audit quality, which we are tackling head-on in 2023,” Williams said in a prepared statement. “By staying ahead of new and emerging risks, our inspections plan will hold firms accountable and drive improvements in audit quality for investors.”

So what clues, exactly, can internal control teams glean from this year’s report? Let’s take a look.

Starting With Fraud Risk

We can begin with fraud risk, a cornerstone issue for any internal control team. The PCAOB said it will examine how audit firms identified and assessed risks of material misstatements due to fraud, including five specific issues:

  1. The design of controls intended to address risks of fraud, including risk of management override of controls. 
  2. How fraud could be perpetrated by presenting incomplete or inaccurate disclosures or by omitting necessary disclosures from the financial statements. 
  3. How management and the audit committee responded to inquiries about possible illegal acts, including non-compliance with sanctions and other laws.
  4. Whether the business purpose for significant unusual transactions indicated that the transactions may have been fraudulent.
  5. Whether management has received complaints regarding the public financial reporting, and if so, what management’s response was. 

A good audit or compliance executive should be able to look at any of the five points above and draw a short, straight line to your policies, procedures, and other controls meant to address those issues. 

For example, we’ve talked many times in this blog about management override of internal controls. The specific risk here is management’s improper override of internal controls, since many times management override might be warranted. In that case, the internal control response should be strong documentation requirements, so that an improper override sticks out like a sore thumb. 

fraudLook at Point 3’s mention of how management responds to internal reports of misconduct; that ties to the strength of your company’s control environment. Look at Point 4, talking about the business purpose for unusual transactions; that’s another documentation issue, and one that comes up ad nauseam in guidance for FCPA compliance programs. 

While we’re talking about fraud, let’s remember that last fall the Securities and Exchange Commission’s chief accountant released a pointed statement telling audit firms to do better at identifying fraud risk. That statement came ahead of the financial audits that have just wrapped up for calendar year-end companies, and those are the audits the PCAOB will be inspecting now. 

One can reasonably assume the PCAOB will be looking closely at how the audit firms tackled fraud risk this year. That pressure on the firms will reverberate as more pressure on you, the corporate client, in future audits. So a savvy internal control or anti-fraud team should be able to look at those five specific PCAOB issues mentioned above, and connect them to the internal controls you have in place now. 

You might also want to think long and hard about your fraud risk assessment, to be sure that those controls do reflect a reasonable, risk-based effort to address the fraud risks your company has.

Crypto, SPACs, and More

The PCAOB’s inspection priorities for 2023 included a hodgepodge of other, more timely issues, too. 

Cryptocurrency. Lately the PCAOB has been looking for audits of public companies with a material amount of digital assets, and that’s going to continue this year. Inspectors will first consider whether the audit firm had staff with the right expertise to audit crypto assets, and whether the firm performed adequate procedures for crypto — which might be tricky, since the regulatory framework for crypto is still so immature. 

The PCAOB itself described all this as “supplemental work” meant to further “the development of audit tools and techniques specific to digital assets,” which gives me the impression this is more about developing better audit standards for crypto rather than nailing audit firms for sloppy auditing of this cockamamie asset class.

SPACs and other acquisitions. Remember when SPACs were all the rage? Nowadays they’re about as fashionable as front-pleated pants. Still, lots of SPAC-driven mergers happened in 2021 and 2022 as the SPAC sponsors raced to close a deal — any deal, anywhere — before the sponsors had to give their unspent money back to investors. So the PCAOB says it will be paying attention to how those transactions have unfolded, and whether audit firms have been sufficiently fussy in their audits of the resulting business. 

Those inspections will entail all the usual: a look at valuation methods, especially those that depend on complex valuation models; internal control over financial reporting; financial statement presentation and disclosure; and the entity’s ability to continue as a going concern. But given the weak governance and dubious incentives for SPAC sponsors and their targets, audit firms should have exercised a lot of skepticism here.

Use of other auditors. The PCAOB will be looking at how audit firms relied on other audit firms for a client’s overseas operations, with particular attention paid to audit firms operating in Russia, Ukraine, and Belarus. Inspectors will be examining how the lead auditor may have modified their approach to using other audit firms, and how the lead auditor supervises those activities.

Leave a Comment

You must be logged in to post a comment.