Changes to PCAOB quality control standards could lead to more exposure for audit firms

The Public Accounting Oversight Board issued a concept release last month proposing a significant overhaul to the quality control rules. The proposed changes could have the potential for expanding future enforcement proceedings, which have historically focused on a firm’s quality control efforts in narrow circumstances. But there may be a silver lining: compliance with more specific QC standards may provide firms more concrete guidance compared to the current standards. The PCAOB is seeking comments on the proposal by March 16, 2020.

The current QC rules were developed by the American Institute of CPAs and adopted by the PCAOB in 2003. The December concept release does not propose any specific rules. Instead, it proposes basing the revised rules on the proposed ISQM 1 rule currently under consideration by the International Auditing and Assurance Standards Board. Some notable changes with potential impact on enforcement actions may include the following:

• Additional obligations on individuals in firm leadership: Under the proposed rules, firms may be required to assign ultimate responsibility for the QC system to a specific individual or set of individuals at the highest level of the firm, such as the CEO or the firm’s board. The proposed changes would require the firm to conduct performance evaluations to determine if the individuals are exercising effective oversight. This may leave these individuals more exposed than previously in the enforcement context. If people in such leadership positions are regularly called upon to participate in enforcement proceedings, this could be disruptive to the firm’s business.

Courtesy of PCAOB

• Audit quality risk assessment: The proposed rules would impose a requirement on firms to implement a process for identifying risks to audit quality and to take steps to respond to those risks proactively. The PCAOB acknowledged that “[t]he current QC standards . . . say little about risk assessment and do not expressly require firms to identify, assess, and respond to quality risks.” This change would likely lead to increased scrutiny of firm QC systems in the enforcement setting. Currently, isolated substantive audit deficiencies on their own do not regularly underpin charges against firms for violations of QC standards. Most recent cases involving a QC violation instead involve either (1) firm leadership awareness of some misconduct, especially the improper alteration of workpapers, or (2) a failure of personnel monitoring duties such as monitoring partner performance, partner rotation or independence requirements. Under the proposed rules, however, firms may find themselves faced with questions probing whether an isolated substantive audit deficiency is indicative of a failure by the firm — not just individual engagement team members — to identify and respond to audit quality risks.

• Standardized internal inspections: Many larger firms already utilize internal inspections or similar programs. The PCAOB is considering whether to make such programs mandatory. Learning from past mistakes through an internal review process can lead to future improvement in professional services. In the medical profession, so-called mortality and morbidity conferences allow professionals to examine past mistakes, but in a privileged setting. No such privilege exists for retrospective examinations of audit work (absent communications covered by the attorney-client privilege or privileges applying in anticipation of litigation). Indeed, internal inspection findings have been cited in past disciplinary orders. Most large firms are nevertheless already conducting such monitoring programs. There is still substantial judgment involved, however, in how these programs are designed and executed. To the extent that judgment is replaced with more specific requirements, in the enforcement setting, firms could find themselves more often defending not only a specific audit, but also the application of monitoring procedures to that audit. One type of monitoring activity under consideration that could result in even more exposure is in-process engagement reviews, the completion of which could be required prior to the issuance of the audit report.

• Monitoring the workload and industry-specific training of individual auditors: The proposed QC standards address several aspects of managing technological and human resources. Notably, the contemplated standards may include requirements that firms consider whether auditors assigned to an engagement have “sufficient time to consistently perform quality engagements.” As anyone familiar with an audit busy season knows, whether an auditor has “sufficient time” is highly unpredictable, inherently subjective, and dependent on the unique circumstances of individual auditors and audits. A correlation between a busy audit and a later-discovered deficiency could be mistaken as a causal relationship in the enforcement setting. The PCAOB is also considering more detailed training requirements that may include “industry specific training.” Not all businesses clearly fall within a particular industry, and such a requirement could lead to disputes in an enforcement action over whether industry-specific training was required.

• Monitoring the QC system and potential public reporting: One potentially substantial change is the proposed requirement that firms annually assess their QC system and issue a report on its effectiveness. The PCAOB is considering requiring firms to make such assessments public. Firms may find themselves defending such reports if later enforcement proceedings suggest QC shortcomings beyond those disclosed in the reports.

In addition to changes to the QC standards, the concept release also contemplates a potential change to AS 2901 Consideration of Omitted Procedures After the Report Date. The release notes that the PCAOB is considering clarifying the standard “without changing the auditor’s fundamental responsibilities” because it appears the standard has been subject to misinterpretation, although the release does not explain how. The release is unclear about what specific changes are proposed. Increased engagement monitoring under the proposed QC standards could lead to more instances where engagement teams find themselves applying AS 2901, and firms should consider commenting on the specifics of any proposed change.

The current QC standards are general, high-level principles that leave considerable room for interpretation. Implementing more precise standards may be a positive development in that such standards could provide firms with clear guidelines for compliance. Nevertheless, more stringent requirements for firms to proactively identify audit quality risks through their QC apparatus may lead to an increased focus on firm QC systems in enforcement actions. Just as the audit standards recognize that well-performed audits may not discover all material misstatements, so too should there be recognition that reasonable QC procedures will not detect or prevent all audit deficiencies.

Jessica Pulliam, partner, chairs Baker Botts’ Trial Department in Dallas. She defends public companies and their officers and directors, private enterprises and professional firms in high stakes lawsuits. She has handled matters involving class actions, corporate crisis, business torts, securities fraud, fiduciary litigation, accounting and disclosure issues, SEC and PCAOB investigations, whistleblower claims, and post-deal disputes.

Charles Strecker, special counsel, represents public corporations, private companies and individuals in state and federal courts throughout the country at Baker Botts. His representation includes clients in a variety of industries, such as private equity, professional services, technology and energy. His diverse commercial litigation experience includes securities class actions, trade secret claims, professional liability matters, and disputes arising from acquisitions and divestitures.