Insights

Interpreting the PCAOB’s Spotlight Overview for Planned Inspections and Enforcement Actions

21 Mar 2023 - 14 minutes read

5 ways to stay ahead of changes in the audit profession 

This year’s Public Company Accounting Oversight Board (PCAOB) inspections are likely to focus on how firms are responding to the continued volatility of global markets, the fallout from the pandemic, skills shortages, and the role technology plays for both auditor and client. 

Stephanie Lanke, CPA, Senior Audit & Accounting Consultant with Thomson Reuters® AuditWatch® joined Thomson Reuters Confirmation for a webinar to discuss the key areas of focus and recent PCAOB inspection updates.  

This article covers the insights from the webinar, including what the PCAOB’s spotlight means for auditors, lessons from recent PCAOB enforcement actions, and what firms can expect in the coming year and beyond.  

Watch webinar

Key takeaways from the PCAOB’s Spotlight 

The PCAOB’s Spotlight Overview for Planned Inspections was published in June 2022, giving audit firms insight into its 2022 inspection plan procedures, which focused on the following key areas: 

  • Increased initial public offerings (IPOs) and merger and acquisition (M&A) activities, and special purpose acquisition companies (SPACs) 
  • Widespread disruption in supply chains 
  • Continued negative effects of the COVID-19 pandemic 
  • Increased volatility in financial and commodity markets due to fluctuations  
    in interest rates and inflationary trends 
  • Audit firm-wide risks

“Even if your firm doesn’t have a heavy focus on PCAOB audits, many of these topics are relevant for all audits,” said Stephanie. 

The Spotlight Overview also listed its areas of focus for 2022: 

  • Fraud  
  • Initial public offerings (IPOs) and mergers and acquisitions (M&A) activity 
  • Audit firms’ execution challenges 
  • Broker-dealers 
  • Independence 
  • Use of service providers in the confirmation process 
  • Critical audit matters 
  • Audit areas with continued deficiencies 
  • Firms’ quality control systems  
  • Technology 

Stephanie believes that successful audit firms will prioritize company-wide improvements in five key areas: 

1. Identify risks in skills gaps 

It’s no secret that economic uncertainty is having an impact on resourcing.  

“All firms are feeling the pain in terms of staff shortages and turnover,” said Stephanie. “I think the interesting part is it has the attention of the PCAOB, and specifically, the heightened degree of staff turnover and risks arising from auditing in a remote environment.” 

How staffing needs are addressed will cut across many of the PCAOB’s forthcoming inspections, given the importance of ensuring auditors have the right skills for the task they are performing.  

Firms should consider their staffing challenges, and ask how they’re being addressed and whether these issues present a potential risk.  

“If you’ve worked at a CPA firm, and are trying to hire accounting talent, it’s clear the pool is shrinking or drying up altogether” said Stephanie. “We’ve known that many partners will be reaching retirement age soon, and it is possible that almost 50 to 75% of CPAs could retire in the next 5-10 years.” 

The challenge over the last few years has been to continue to attract and retain talent as these retirements continue. Enrollment statistics for accounting and audit students are down, while sectors continue to experience large numbers of individuals leaving both professions.  

Although this is not the first time the profession has experienced staffing shortages, it has gained the attention of the PCAOB for a number of reasons. “What’s different now is the impact and how long it will go on,” Stephanie said. “There is potential for less experienced team members to complete work they’re not prepared for or trained to understand just yet. And, potentially the assignment of professionals who may not have the appropriate qualifications, particularly if they’re pulled from other areas of business.” 

There is also risk associated with more experienced team members performing work traditionally reserved for less senior personnel. This may result in using technology they are unfamiliar with to cover gaps. 

Part of the PCAOB’s plan is to evaluate whether firms have been significantly modifying the nature and extent of supervision procedures accordingly, and to select audits where the lead partner is new to the engagement. 

2. Assess the role of technology 

The PCAOB has acknowledged the challenges of efficiently and effectively using new technology, and its application within specific areas such as auditing digital assets. The PCAOB is focused on how auditors leverage technology throughout the audit process, along with how they approach more complex areas like digital assets and cybersecurity. 

“They’re noting that everyone from CPA firms, their clients, and anyone who interacts with them, is moving towards digital transformation,” said Stephanie. “Everyone needs to have training to use the tools properly.” 

“This ties into some of the staffing challenges, as both firms and organizations are relying more on technology to help fill some of the staffing gaps,” said Stephanie. “If there are tools to reduce and automate the number of routine transactions normally performed by a human, now is the time to start looking into them.”  

Ultimately, technology and how firms leverage it will be the difference between whether a firm thrives or survives during this unprecedented staffing shortage we are experiencing right now. 

However, it is key that auditors do not forget about the fundamentals of best practice, such as properly vetting the security of technology partners. Technology bias is a growing problem, given how advanced some systems are, and auditors must not assume their outputs are always accurate. 

3. Address areas with continued audit deficiencies and other concerns 

The PCAOB also noted several other areas with continued audit deficiencies, along with several other concerns. These include revenue recognition, allowance for loan losses and estimates, going concern, smaller broker-dealers, and how auditors address risk and internal controls over compliance.  

Auditor independence is a concern, and this includes situations where non-audit services have been provided along with audit committee communications regarding those non-audit services.  

4. Perform required due diligence when using service providers in the confirmation process 

The use of service providers in the confirmation process has risen in importance as firms are increasingly using technology-enabled confirmation tools.   

In December 2022, the PCAOB issued a proposal to replace AS 2310, The Confirmation Process, with an entirely new standard, AS 2310, The Auditor’s Use of Confirmation. This proposal is intended to strengthen and modernize the requirements for the confirmation process.   

The newly proposed standard includes, among other things, new and more specific requirements for firms when using confirmation service providers.  Auditors would be required to evaluate service provider controls preventing interception and alteration of confirmations, as well as controls preventing the audit client from overriding those controls.   

Auditors will typically rely on Independent Service Auditor’s Report on Service Organization Controls (“SOC reports”) to evaluate the design and operating effectiveness of confirmation service provider controls.  But even when this is done, a March 2022 PCAOB Spotlight titled Observations and Reminders on the Use of a Service Provider in the Confirmation Process reminds firms that they must – 

  • Obtain sufficient understanding of the procedures performed in the SOC reports and consider any factors that may affect the engagement team’s execution of the audit plan.  
  • Inquiring about changes in the controls that may have occurred for the time that elapsed since the period covered by the SOC reports. 

The PCAOB proposal also addresses situations in which an audit firm directly accesses a confirming party’s information system.  This might occur, for example, if a firm uses open banking portals in their current state to view bank balances.  According to the PCAOB proposal, this ‘direct access’ would not constitute a confirmation procedure because it does not involve sending a confirmation request and receiving a confirmation response.   

The timing of when this proposal will be issued as a final standard is difficult to predict. The public comment period ended in February 2023 and will be followed by additional public meetings as the Board considers comments and then finalizes the new standard. From there, the standard must be approved and published by the SEC, and a second comment period takes place. Although the Board has expressed a new sense of urgency for projects like this to modernize its standards, it could still be deep into 2023 or later before a final standard is issued. 

Thomson Reuters® Confirmation maintains robust and industry-standard security controls to protect user data and provide a high-quality confirmation process that is efficient, secure, and designed specifically to minimize fraud opportunities.  We undergo annual SOC 1, SOC 2, and ISO 27001 examinations and are well-prepared to assist firms when performing their required due diligence procedures.    

5. Remember the basics 

One of the most important reminders is for firms to not forget the basics. That includes putting more emphasis on professional skepticism while evaluating the reasonableness of management’s representations, estimates, and forecasts. 

“We’re still in a volatile economic environment, and we need to be mindful of our professional skepticism,” Stephanie said. “We must make sure we are aware of any auditor bias we may have, or management bias.” 

The impact remote working environments have in potentially creating new or increased risk of material misstatement, including fraud risks, is also high on the agenda. 

“Remain alert to changes in public companies that could give rise to situations that potentially impair independence,” Stephanie said. “Consider implications arising from the current economic environment while performing procedures for acceptance and continuance of clients and engagements. Make sure as a best practice you are doing that first.” 

One area of PCAOB focus for 2022 and beyond is on Initial Public Offerings (IPO) for both traditional and special purpose acquisition (SPAC) formats, and Mergers and Acquisitions (M & A) due to their complexity. A SPAC deal, which involves the creation of a shell company to complete a reverse merger with another company, intends to accelerate the process of going public in comparison to the traditional IPO route. 

“There have been increased levels of financing activity since 2020 that have continued into 2021, and there will be a specific focus on valuation into the next year as this risk remains high. Also, that public companies, especially newer ones, may try to use public companies to mask underperforming revenues.” 

Much interest remains on the disruption caused by the post-pandemic recovery and resultant economic turbulence. Supply chains continue to be affected, causing fluctuations in financial activity, and exacerbating potential issues in high-risk industries.  

Lessons from recent PCAOB enforcement actions 

2022 saw the highest number of PCAOB enforcement actions since 2017; up 61% from 2021. They reveal where inspectors are observing missteps. 

Failure to maintain a system of quality control occurred repeatedly, including failing to assign personnel with appropriate technical training. Likely these could have been avoided by using appropriate technology and assigning appropriate personnel. 

Evidence of a lack of due professional care was also noted on multiple occasions and is likely to be a focus in forthcoming inspections. This includes not performing proper engagement quality reviews and not performing professional skepticism. “We see this throughout enforcement actions and inspection reports,” Stephanie said.  

Audit documentation also cropped up with regularity. “We saw several cases where documentation was changed after the issuance date, and not in compliance with the 45-day rule.” Stephanie said.  

Penalties for firms and individuals ranged from tens of thousands of dollars to hundreds of thousands, and also included remediation such as continuing professional education or not being associated with a registered firm. 

Observations from the Target Team’s 2021 inspections  

Although relatively new, the use of “target teams” by the PCAOB is also important for firms to note. The teams review specific issues across all inspected audit firms, and the topics vary from year to year.  

One new area of interest pertains to an understanding of whistleblower programs.  

“It’s not enough to note your client has one,” Stephanie said. “Auditors must understand who monitors and administers it, and the education provided around it. It’s also a best practice to verify ensure that it is working.” 

Documenting the journal entry selection and testing process was also mentioned in the 2021 Target Team inspections, which underscores the importance of exercising due professional care. “This issue is relatively pervasive in audits of public and non-public companies,” Stephanie said. “It was a big deal when we first started testing journal entries, but it has become routine over time as team members performing them may be less experienced and not understand the significance. It is primarily a fraud test, and the approach to testing should be risk based.”  

There is a need to document the procedures for initiation and approval of entries, and auditors must determine the completeness of the file when they receive something electronically.  

Incorporating additional procedures related to identifying fraud has been seen as good practice, which includes expanding fraud inquiries, for example by using surveys that touch on the financial reporting processes, vendor relationships, the company’s internal compliance policy and interaction with their supervisor. 

The 2021 target team found issues in the identification of the ability to continue as a going concern, and within management’s going concern assessment. “If you’re an auditor, hopefully you don’t see a lot of going concerns,” Stephanie said. “As an auditor, I would want to consult on that, and to also get additional expertise or work with someone who has more experience.” 

Assigning more experienced staff to going concern assessments was viewed as good practice.  

Confirming cash and cash equivalents has also grown in importance, and is something the target team considered. It will also factor heavily in future PCAOB inspections given the updated standard mentioned above. 

The target team found instances where an engagement team didn’t perform sufficient procedures to support the validity of confirmations received. That might be contacting the sender “telephonically” or by other means to confirm that cash confirmation, particularly if received via email or other non-traditional formats.  

Good practices observed included the firm providing guidance to their teams and updating internal confirmation guidance, along with providing guidance and tools for working with third-party confirmation providers, Stephanie said.  

The PCAOB also noted the “good practice” of evaluating controls at the service provider. 

Evaluating controls at the service provider was also good practice.  

Looking ahead 

The PCAOB is actively ramping up its oversight and enforcement activities.  In September 2022 the Board announced a five-year strategic plan for protecting investors, focusing on four primary goals –   

  • Modernizing standards. 
  • Enhancing inspections.  
  • Strengthening enforcement. 
  • Improving organizational effectiveness.   

In a September 2022 keynote address, the PCAOB said it is expanding its case identification process and broadening the types of cases it will pursue. This will include cases that hinge on only a single, wrongful act, whether reckless or unintentionally negligent.  

In December 2022, a similar message concerning the PCAOB’s enforcement agenda was relayed, with the intention to “use every tool in our enforcement toolbox,” and the message “we won’t be constrained by the types of cases the PCAOB has pursued in the past” or “limited to the level of penalties that have been seen before.”   

This all points to more enforcement activity, greater sanctions, and more risk for firms. It is also likely to lead to more complex interactions between registered public accounting firms and their regulators. 

One way to meet challenges head-on is to send digital bank confirmations with Thomson Reuters® Confirmation.  

  • Confirmation reduces the audit confirmation process from weeks to just days. You’ll save time and meet your audit deadlines, even with less staff.  
  • You’re guaranteed a response from our network of over 4,000 banks. This is especially important should the PCAOB determine negative confirmation requests do not provide sufficient appropriate audit evidence.  
  • A digital confirmation helps auditors find the truth and uncover fraud. In fact, billions of dollars in fraud have been uncovered through the use of Confirmation
  • Our robust data-security system keeps your clients’ data safe. Confirmation passes hundreds of security audits each year, and its services are SOC 1 and SOC 2 certified.  
  • Nine out of 10 auditors say our platform is easy to use. Plus, we offer robust customer support and ongoing training. 

Ready to get started? Registration is free and takes just minutes.  

Sign up for Confirmation