What PCAOB observations mean for your management team


January 21, 2021

Lauren Massey
Partner, Risk and Regulatory, PwC US

Most risk professionals know the mission of the Public Company Accounting Oversight Board (PCAOB): Protect investors by overseeing the audits of public companies and SEC-registered brokers and dealers. One way it does this is through its inspection program.

External auditors use PCAOB inspection observations as one data point to inform their staff training and to evolve their audit approach, among other things. But your management team should also consider potential implications of PCAOB inspection observations on your internal control over financial reporting (ICFR) compliance programs and interactions with auditors. It’s an opportunity to identify appropriate short-term actions and to consider longer-term strategic moves to create more sustainable, cost-effective ICFR programs.

In 2019, PCAOB inspected more than 175 audit firms and reviewed portions of approximately 710 public company audits. The inspections identified several good practices that demonstrated improvement in audit quality. They also identified deficiencies, the most common of which fell into four categories.

  1. Internal control over financial reporting (ICFR)Deficiencies were found in three ICFR-related areas: review control procedures, reliability of data and identification and selection of controls for testing.
  2. RevenueDespite the focus and attention by firms on the new accounting standard, as well as the training and tools firms provided to their auditors, audit deficiencies were noted related to procedures that assessed the risks of revenue-related misstatement.
  3. Auditing accounting estimatesDeficiencies were found in areas involving accounting estimates, particularly in auditing the allowance for loan losses (ALL) and business combinations.
  4. Independence violationsAuditors are required to be independent of their audit clients — both in fact and in appearance. Still, violations of financial relationship requirements (Rule 2-01 of SEC Regulation S-X) were noted, as were deficiencies related to PCAOB Rule 3524, Audit Committee Pre-approval of Certain Tax Services, and PCAOB Rule 3526, Communication with Audit Committees Concerning Independence.

Beyond these categories, the PCAOB noted observations that, while not pervasive across firms, are areas where management could expect greater auditor focus in the future. These areas include distributed ledger technologies and digital assets, cybersecurity risks, software audit tools and communications between auditors and audit committees.

Planning now for the long term

PCAOB inspection observations present the opportunity to consider how well your current capabilities deliver a sustainable, cost-effective ICFR program, one that balances quality and the cost of compliance over the long term. While ICFR compliance is not typically viewed as a strategic business initiative, companies that set a deliberate strategy for their ICFR compliance programs are more likely to have cost-effective compliance that can be sustained in the face of unprecedented levels of business risks and compliance requirements. To position your company for long-term success, we recommend thinking strategically about ICFR compliance and taking action to:

  • Reassess long-term ICFR compliance program strategy and objectives, operating models and performance metrics and consider how well current program capabilities are aligned.
  • Identify opportunities to enhance and optimize the ICFR compliance program, including joining the organization’s digital journey to take advantage of advances in technology and free up resources to focus on strategic objectives.
  • Leverage automation, a key lever as companies consider the long-term sustainability of their ICFR compliance program. Innovative technologies such as customized workflow, enhanced ERP functionalities and intelligent automation can power an ICFR compliance program to become efficient and effective.

Management should also consider several steps to determine what actions may be required in the current accounting cycle and beyond.

  • Focus effort in the right places: A robust risk assessment and scoping exercise can help your team vary the nature, timing and extent (NTE) of testing and focus resources where it makes sense.
  • Reconsider your control setControls change as the business changes and its reliance on technology increases. If your company’s looking at an ERP upgrade or a move to the cloud, now’s the time to ensure your ICFR compliance program has appropriate ongoing risk assessment, monitoring and control rationalization considerations to keep your internal control framework updated and pointed to maintaining an optimal set of controls.
  • Evaluate alternative methods: Control testing may not be your only option. Use ongoing monitoring mechanisms such as a combination of self assessments, data-enabled monitoring and technology like RPA for control testing to optimize the assessment process and provide earlier insights.

The PCAOB inspection process isn’t just a resource to improve audit quality. Its observations can provide the impetus for management to take a strategic look at how to create a more sustainable, cost-effective ICFR program in the long-term, including actions that can begin now.