October 2, 2023

Audit Insider | September 2023

Audit Insider with Dennis McGowan

Welcome back, Audit Insiders. Fall reminds me of my time as an auditor at PwC, wrapping up planning, preparing for interim, knowing that year end crunch time is near. I remember it fondly, though to current auditors, I still say hang in there! The holidays are right around the corner.

Here at the CAQ, the PCAOB has kept us busy responding to their standard-setting agenda. We also jointly with our brethren at the AICPA, released a resource on the SEC’s new cybersecurity rule and are closely following updates from standard-setters including the IAASB, ISSB, and FASB. More on that below!

In September, we also interviewed KPMG’s Matt Johnson about the SEC’s new cyber disclosure rule.

Hot off the presses, on September 27th the SEC announced the appointment of George Botic to the Public Company Accounting Oversight Board (PCAOB). I couldn’t agree more with PCAOB Chair Williams’ statement that “George’s decades-long commitment to the PCAOB’s mission of protecting investors makes him a uniquely qualified addition to the Board.” George will replace Board member Duane DesParte, whose second term ends October 24, 2023. You may know or be familiar with George as he most recently was the Director of the PCAOB’s Division of Registration and Inspections. He previously served in various roles at the PCAOB and earlier in his career was a senior manager at PwC. The PCAOB is required to have two Board members that are a CPA, and George is a CPA. I want to thank outgoing Board member Duane DesParte for his contributions to audit quality and congratulate George on this well-deserved appointment.

Read on for the latest issues I’m tracking and resources from the profession to assist audit practitioners.

Please note that these perspectives are my own. If this email was forwarded to you, subscribe here so that you never miss a public company auditing update.

What's new in public company audit

We’re closely monitoring these proposals and others from audit regulators and standard setters:

PCAOB

PCAOB Adopts Final Standard for Auditor’s Use of Confirmation: This week, the PCAOB voted to adopt a new standard intended to strengthen and modernize the requirements for the auditor’s use of confirmation. To modernize the PCAOB’s confirmation standard, the new rule includes principles-based requirements that would apply to all methods of confirmation, including paper-based and electronic communications. The rule will also better integrate the PCAOB’s confirmation standard with its risk assessment standards. Now that its approved for adoption by the PCAOB, it will move on to the SEC for final approval.
Interim inspection program report on brokers and dealers: In August, the PCAOB released their Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers. This report provides information about their 2022 inspections approach and observations from their inspections of audits of brokers and dealers. I encourage auditors of brokers and dealers to read this report. I find the description of “good practices” which include brief scenarios and possible procedures to be extremely helpful (this was a welcomed change several years ago). The 2022 inspection year marked the eighth year of inspections of firms that audit brokers and dealers under the interim inspection program since broker and dealer audits and the related attestation engagements were required to be performed in accordance with PCAOB standards (I was a senior associate the first year they started inspecting audits of brokers and dealers).
- If you’re planning or performing a broker dealer audit: Consider checking out the CAQ’s Audit Planning Alert for Auditors of Brokers and Dealers where we pose questions for auditors of brokers and dealers to consider as they plan both their audit and attestation engagement. The resource focuses on six areas: auditing revenue, audit evidence produced by service organizations and/or the broker or dealer, auditing related party transactions, auditing the supplemental information, performing examination engagements, and performing review engagements.
NOCLAR: All comments on the NOCLAR proposal are in. In total, the PCAOB received 139 comment letters from board members, investors, public company auditors and other stakeholders. The PCAOB’s proposals do not always receive this level of response. By contrast their recent Technology Assisted Analysis proposal received approximately 20 letters. The CAQ facilitated a sign-on comment letter that received over 200 signatures from board members from over 200 companies with nearly $2T in market cap. The CAQ is currently conducting an analysis of the key themes from the comment letters to inform what we might be able to expect to see in the final rule. I look forward to sharing the full results of our analysis next month. Preliminarily, we have observed the majority (nearly 80%) of letters were not supportive of the NOCLAR proposal. A little over 10% were supportive, and the remaining letters the position of support or not support was not as clear. Most comment letters are supportive of modernizing auditing standards to improve audit quality to protect investors. Not surprisingly, views on how that goal should be achieved are mixed.

IASSB

ISSA 5000: On August 2nd, the IAASB issued the proposed, International Standard on Sustainability Assurance (ISSA) 5000, General Requirements for Sustainability Assurance Engagements, for public consultation. The rule aims to be the most comprehensive sustainability assurance standard available to all assurance practitioners across the globe. Comment letters are due December 1, 2023. Check out this introduction video from IAASB to learn more:

IESBA

Ethics handbook: The International Ethics Standards Board for Accountants released an annual update of its ethics code handbook, 2023 Handbook of the International Code of Ethics for Professional Accountants (including International Independence Standards), to reflect the latest changes in auditing and quality management standards. Among the updates are revisions relating to the definition of the engagement team and group audits as well as the upcoming expiry of the “jurisdictional provision” addressing long association of personnel with an audit client.

From the CAQ

Audit Quality

Audit quality in the U.S. remains high, but in light of economic uncertainty, emerging developments, and demands on talent, audit practitioners should remain up to speed on the latest developments impacting audit quality. Read on for recent news, tools, and resources.

ICYMI: PCAOB Previews 2022 Inspection Results

This fall, we are monitoring for the PCAOB’s 2022 inspection reports for the Global Network Firms, which we know from the PCAOB’s July spotlight will reflect an increased number of deficiencies compared to 2021.

In an opinion for Bloomberg, I explain why these results do not necessarily paint a full picture of audit quality:

In large part, the board selects audits and audit areas using a risk-based approach, focusing on highly complex areas that are more likely to have material misstatements.
Financial statements are also a key benchmark of audit quality. By this measure, audit quality is extremely high. Based on a Center for Audit Quality analysis of PCAOB inspection reports of the largest firms in 2021, none of the audits identified as deficient by the board resulted in changes to the audit opinion or a restatement of company financials. That means none of the board-identified errors had a material effect on the auditor’s opinion.
This result isn’t an anomaly; over the last 20 years, there has been on average a 10% year-over-year decline in restatements.

More of my thoughts here: Audit Quality Is More Complex Than One Board’s Inspection Data.

The Evolving Role of the Auditor

As investor demand evolves, so does the role of public company auditors. The CAQ is dedicated to providing resources to keep you up-to-date on trending topics in corporate reporting.

AICPA and CAQ Release Cyber Resource

In light of the rapid evolution of domestic and foreign cybersecurity threats, particularly with an increase in remote and hybrid work, timely cybersecurity disclosures are becoming increasingly more relevant and useful to investors and other stakeholders in the financial reporting ecosystem. This summer, the SEC adopted a final rule requiring public companies to make timely disclosures of material cybersecurity incidents as well as annual disclosure of information regarding their cybersecurity risk management, strategy, and governance.

Business leaders are closely watching how the rule is being implemented and large public companies are already being challenged with disclosing the material impact of cybersecurity attacks (see Clorox’s recent bulletins).

The CAQ along with the AICPA have developed a resource to help audit committees and public company management understand these new rules and how they might impact reporting and an organization’s cybersecurity program. Read the report to learn about:

Certifications regarding disclosure controls and procedures for cybersecurity disclosures
Cybersecurity incident disclosures
Disclosing cybersecurity risk management and strategy
Cybersecurity governance and board oversight

Download the report: What Management Needs to Know About the New SEC Cybersecurity Disclosure Rules.

CAQ Responds to ISSB’s Agenda

Global organizations are working to finalize and implement their own baseline for sustainability reporting. The International Sustainability Standards Board (ISSB) has been busy working to drive market acceptance and adoption of the IFRS Sustainability Disclosure Standards as a globally accepted baseline for sustainability reporting. The CAQ is supportive of the ISSB’s efforts to develop and seek comment on its agenda priorities. We also recognize that deciding on agenda priorities in a complex and evolving sustainability reporting environment presents many opportunities and challenges. In our comment letter, we express our belief that continuing the momentum generated from IFRS S1 and S2 by focusing on interoperability, implementation, new research and standards, connectivity, and outreach with stakeholders including investors and the IASB, will position the ISSB well to make these important decisions.

Speaking of sustainability reporting, the U.S. is currently waiting for a final rule from the SEC on climate (originally anticipated in October, though SEC Chief Gensler won’t confirm). In the meantime, at least one state has taken action by implementing its own climate disclosure rules, set for 2026. As we continue to monitor the climate reporting debate role out at the state level, my colleague Desirè Carroll breaks down the current state of voluntary climate and other ESG reporting in the U.S. in this video. Check it out:

New Standard Requires Public Companies to Disclose Cryptocurrency Accounting

Cybersecurity incidents aren’t the only new disclosures public companies must make. In September, the Financial Accounting Standards Board (FASB) adopted a new standard that will require businesses holding cryptocurrency to recognize losses and gains immediately.

According to a CAQ analysis as of September 5, 2023 83 comment letters had been submitted to FASB in response to their cryptocurrency proposal. Nearly all commenters across stakeholder groups (including the CAQ) expressed support for accounting for crypto assets within the scope of the Proposed ASU at fair value. Only two commenters specifically opposed accounted for crypto assets within the scope of the Proposed ASU. Many commenters were supportive of the narrow scope of the Proposed ASU but recommend that additional standard setting on a wide range of topics will be needed in the future. These topics included wrapped tokens, NFTs, stablecoins, and other emerging crypto assets fall outside the scope of the Proposed ASU. However, according to this article from Accounting Today, we may need to wait a while for a project on wrapped tokens as a spokesperson for the FAF said “at this time there are no plans for a project specifically addressing NFTs or wrapped tokens.” Commenters on the proposed ASU also requested further guidance on accounting for certain types of digital asset transactions (including, derecognition, crypto lending and borrowing, and crypto receivables and payables).

As we wait for the final standard from FASB, the CAQ offers two resources for audit committees dealing in digital assets.

Jumpstart Your Digital Assets Journey serves as a primer for audit committees to help them understand:

Why and how companies may be engaging with digital assets
Questions audit committees may pose to management and their auditors regarding their digital assets
Risk and financial reporting considerations when it comes to digital assets

Continuing Your Digital Assets Journey examines key digital asset-related topics and provides questions for audit committees to consider when discussing these topics with management and the external auditor.

This month we interviewed Matt Johnson, National Tech Assurance Leader – Audit, KPMG LLP, on the SEC’s new cybersecurity disclosure rule. Read on for his perspective:

What should public company management and audit committees understand about the new SEC cybersecurity disclosure rule?

Now that the rule has passed, management is tasked with a race to comply. There are a few areas invoked in the rule, specifically materiality concepts, cyber security capabilities and risk management processes, as well as reporting processes, that will be baseline compliance measures.

And management has the responsibility to assess materiality of an incident, or collection of incidents, and report within four days. Timeliness of reporting, responsibility over the service provider environment, a view of materiality, and an incident detection process become key factors in determining whether management is able to comply with the requirements. In addition, management has responsibility for evaluating incidents within the company’s environment as well as service providers’ environment.

What are the top three questions you are hearing from public company management and audit committees about this new rule?

Compliance with the new rule will mean that many companies are in unchartered waters. They’re asking what impact, if any, the new rule has on the audit approach, what KPMG’s requirements/expectations are, and whether KPMG will start testing cyber controls?

Companies are also interested in understanding how their peers are defining materiality of cyber incidents. Being able to benchmark and hear what types of experiences are occurring elsewhere would be helpful.

What impact could this new disclosure rule have on the annual audit?

The new rule could also provide a new lens through which the auditor should evaluate the company’s cyber security function. Under the new rule, incidents with third parties may be considered material. This update may necessitate increased and ongoing partnerships with third parties to verify the consistent and comparable delivery of cybersecurity control information. The new rule will increase the scrutiny on the service provider landscape and the suitability of SOC reports in these instances.

Auditors should focus on gaining a deeper understanding of management’s cyber security processes as well as how they related to materiality evaluation and reporting processes. For example, risk assessment procedures may be enhanced to include the areas enumerated in the rule. Testing may focus on whether processes and control activities are suitably designed to meet the new requirements, both in terms of scope, as well as timeliness.

I lived in Atlanta for a few years and in that time became well aware of my colleagues’ passion for their respective SEC football team. What SEC team are you rooting for?

I grew up between where I was born in south India, and where I lived in the US, South Carlina. I went to the University of South Carolina and still go back for home games whenever I can. It’s a (mostly) fun tradition and great way to create memories with our four kids who are 18, 16, 13, and 5. I’m also a private pilot so it’s a great time of year to fly in cooler air and see the colorful foliage from a different vantage point.

Ask an Auditor

Each month, I’ll answer questions from readers. I received the following question in September:

Question: How should me and my team be thinking about current economic conditions as we perform our risk assessment and plan our year end audit?

Answer: That is a great question. Each audit is unique and depends on the facts and circumstances of that particular audit. An audit, including the risks of material misstatement, will vary from one year to the next. Especially when you consider our current changing economic conditions that can change and or create new risks of material misstatement. Risk assessment forms the basis of your audit process. When identifying risks of material misstatement and designing appropriate audit responses auditors should remain alert to potential changes in issuers’ objectives, strategies, and business risks. That is why the auditor’s risk assessment process is so important and continuous. I encourage you and your team to take a look at the statement, The Importance of a Comprehensive Risk Assessment by Auditors and Management, from Paul Munter, Chief Accountant, Office of the Chief Accountant, SEC.

This statement discusses management’s obligations to (1) take a holistic approach when assessing information about the business and avoid the potential bias toward evaluating problems as isolated incidents, in order to identify risks in a timely manner, including entity-level risks; (2) design processes and controls that are responsive to identified risks; and (3) effectively identify information that issuers are required to communicate to investors. It also discusses auditors’ responsibilities as gatekeepers to hold management accountable. Changes in the economic environment can also result in new pressures, opportunities, or rationalization for fraud. Exercising professional skepticism, an attitude that includes a questioning mindset and a critical assessment of audit evidence throughout the audit and at all levels of the engagement team is critical. Learn more about the role of the external auditor in fighting fraud here.

Submit your questions for next month to h ello@thecaq.org.

CAQ Explores How the Past Can Inform the Future of Assurance in New Capital Markets Pulse Podcast Episode with Wes Bricker and Lynn Turner

Our CEO Julie Bell Lindsay recently spoke with Lynn Turner, previous Chief Accountant at the SEC and current member of the PCAOB’s Investor Advisory Group (IAG) as well as the PCAOB’s Standards and Emerging Issues Advisory Group (SEIAG), and Wes Bricker, also a former Chief Accountant at the SEC and current Vice Chair, US Trust Solutions at PwC, about where we’re headed in terms of the future of corporate reporting and assurance, opportunities for auditors to enhance trust in the capital markets, and insights for regulators as they work on new proposals.

Listen to their insights here: A Follow-Up Conversation with Former SEC Chief Accountants Lynn Turner and Wes Bricker or on Spotify. And stay tuned for a few more exciting podcasts in the fall, where Julie interviews profession leaders on the accountant shortage and how to attract the next generation of talent as well as the state of audit quality.

Additional Resources and Events

1 CPE Credit: Audit Insider Webinar

This hour-long webcast will showcase emerging issues facing public companies and their auditors. It will feature representatives from the SEC and PCAOB, followed by discussion panels consisting of public company auditors. Panelists will discuss the development, issuance and implementation of auditing standards that are currently underway at the PCAOB. Panelists will also discuss current projects that are the focus of the staff in the SEC’s Office of Chief Accountant. The next episode of Audit Insider will feature the following speakers and panelists:

Participants

Diana Stoltzfus, Deputy Chief Accountant, SEC Office of the Chief Accountant
Barbara Vanich, Chief Auditor, PCAOB
Liz Gantnier, Regional Accounting & Auditing Director, FORVIS
Mark Shannon, Partner, SEC Regulatory Matters, Crowe,
Rohit Elhance, Partner, SEC Regulatory Matters, Grant Thornton LLP
Dennis McGowan, Vice President, Professional Practice, CAQ
Annette Schumacher, Senior Director, Professional Practice, CAQ

REGISTER NOW

This webcast is eligible for 1 CPE credit to those who attend the webcast live.

See you next month Audit Insider.

Dennis McGowan

Vice President, Professional Practice and Anti-Fraud Initiatives

Auditors, Newsletter

Related Resources

The latest news and
resources from the CAQ.