The Public Company Accounting Oversight Board plans to inspect more corporate audits in 2024, casting an especially watchful eye on audits of financial and IT companies, as well as businesses that engaged in mergers and acquisitions in 2023.
So says an alert the PCAOB published earlier this week, previewing the agency’s priorities for 2024 audit firm inspections. The PCAOB always publishes a list of inspection priorities around this time of year, so that audit firms can keep those issues in mind as they audit your company’s financial statements early next year.
That said, SOX compliance officers and corporate finance teams can benefit from understanding the PCAOB’s inspection priorities, too. You can anticipate the demands for documentation and other evidence your audit firm is likely to make when audit time rolls around, and better prepare your systems now.
Foremost, the PCAOB is promising that audit inspections next year will simply be busier: more audits examined, on more issues, and all of that information going under a more unforgiving microscope. Recall that last summer, after 2023’s inspections were complete, PCAOB chair Erica Williams blasted the poor performance of audit firms as “absolutely unacceptable.” Do not expect any change in Williams’ position this year.
For comparison purposes, the PCAOB inspected 157 audit firms last year, and reviewed portions of more than 700 audits. This year, the agency says, “we plan to increase the number of engagements we select for review at our annually inspected firms” — that is, audit firms that audit at least 100 publicly traded entities per year. Exactly how many audit firms and audits will be reviewed, we don’t know; but clearly the PCAOB will be looking at more corporate audits.
The preview report also says PCAOB inspectors will look closely at how audit firms handle fraud risk, communications with the audit committee, the audit report, and audit documentation. SOX compliance and internal audit teams should think about what that might mean for you, given your knowledge of the company’s risks, internal control, and documentation. Then again, the PCAOB always says it will be paying close attention to fraud, documentation, audit committee documentation, and the like. We can take some of this with a bit of salt.
Inspecting Specific Industries
The PCAOB typically selects the corporate audits it will inspect partly at random, and partly based on audits that have certain high-risk issues the agency wants to tackle. That will all still be true for 2024, but the agency said it will also select some audits next year targeting two specific sectors:
- Financial firms, since everyone was spooked at the start of 2023 by the collapse of Silicon Valley Bank and the strain that rapidly rising interest rates put on banks.
- IT firms, since their financials tend to involve a lot of contractual obligations and subjective judgment, which can lead to a higher risk of fraud or misstated financials.
So if you’re a mid-sized bank with lots of held-to-market securities or incomplete documentation of derivatives to hedge your interest rate risks; or you’re a pre-IPO tech company whose documentation of revenue and performance obligations might not live up to your accounting professor’s expectations — you may want to take a deep breath and read this PCAOB report more closely. Your audit could be one PCAOB inspectors pull for examination, and your audit firm knows this, which is why they’ll probably be making demands of you that will leave you and your team exasperated. Prepare your financial reporting processes now for that marathon to come.
PCAOB inspectors will also give more attention to audits of companies engaged in mergers, acquisitions, or business combinations, and audits of broker-dealer firms; but the agency has been saying and doing that for the last several years and it’s not quite news.
Inspections of Specific Issues
The PCAOB also said it will pay close attention to several specific issues. The ones most likely to apply to the most companies: recurring deficiencies among audit firms, cybersecurity, and business technology.
“Recurring deficiencies” refers to several financial reporting issues that the PCAOB seems to flag in its audit firm inspections every year. At this point the agency is exasperated (see Williams’ “absolutely unacceptable” comment above), so inspectors are on the warpath to scrutinize those issues in every audit they inspect.
That means PCAOB inspectors will be looking at audit work on revenue and related accounts, accounts affected by business combinations, inventory, long-lived assets, including goodwill and intangible assets, and equity and equity-related transactions. This, in turn, means your audit firm is more likely to go over all those accounts at your company with a fine-tooth comb.
And for all you SOX compliance people needing another reason to pop an Excedrin or two, the PCAOB report also warned, “Testing controls with a review element has been a significant recurring deficiency.”
Compliance and internal audit teams have been griping to me about their audit firms’ obsession with management review controls for years. The testing and documentation demands from audit firms can be excruciating (my favorite: an audit firm that once complained to a client about a checklist where “management’s tick-marks are not sufficiently tick-like”), and yet management review controls are still a constant issue in PCAOB inspection reports. So SOX compliance teams should think now about how to grimace and get through it when your audit firm drives you nuts over management review controls yet again.
Thankfully, this year’s PCAOB preview includes a nifty sidebar about how to select and test management review controls. Again, this material is primarily for external audit firms, but internal audit and SOX teams would do well to study the content as well so you can anticipate your auditor’s needs.
Cybersecurity. Pay attention here too, folks. Remember that over the summer, the SEC adopted new rules for expanded disclosure of cybersecurity risks and events. Those rules went into effect for corporate filers last week. The coming year’s audit firm inspections will include how audit firms reviewed their clients’ cyber disclosures. Specifically:
“For audits selected for review where a cyber incident has been identified, we will review how the firm evaluated the public company’s response… We will also review the incident disclosure made in compliance with the U.S. Securities and Exchange Commission rules requiring, among other things, public companies to disclose material cybersecurity incidents they experience and the audit firm’s related audit response, if appropriate.”
Business technology. As companies embrace cloud computing, e-commerce, and artificial intelligence, the nature of their transactions with customers changes, and so does the way their financial reporting processes work. Both are issues crucial to a successful audit, so not surprisingly, PCAOB inspectors will be looking at how audit firms assess their clients’ use of technology.
That’s most likely to manifest as auditors examine your IT general controls. We’ve talked about the importance of IT general controls many times in this blog and won’t rehash it all again now, but once more with feeling: anticipate how your auditors are likely to inspect your IT general controls, and plan your internal audits, testing, and documentation appropriately.
Words to live by every year, really.