On November 28, 2017, Baruch College held its annual auditing conference at its campus in New York City; this article presents the highlights of a portion of that conference. Moderated by Clair and Eli Mason Professor of Accountancy Doug Carmichael, PhD, CPA, CFE, four representatives from leading accounting standards setters and regulators detailed their current projects and then participated in a panel discussion. The participants were Megan Zietsman, CPA, deputy chair of the International Auditing Assurance and Standards Board (IAASB); Mike Santay, CPA, chair of the AICPA’s Auditing Standards Board (ASB); Jennifer Rand, CPA, deputy division director and deputy chief auditor at the PCAOB; and Marc Panucci, CPA, deputy chief accountant at the SEC. The views expressed by the panelists are their own opinions and not necessarily those of their respective organizations, or the members and staff thereof.
Zietsman described skepticism as “very complex and multifaceted. This is not something you can solve alone by looking at the auditing standards.”
International Standards and Priorities
Zietsman began by highlighting the foundational principles of the IAASB’s efforts to improve audits: quality control within firms and strengthening professional skepticism. The IAASB has projects underway to address both of these concerns. Regarding the former, she stated, “we see the foundation, the bedrock of having a quality audit, is really having firms invest in the systems of quality control or quality management that support the performance of quality engagements by the firm.” She described skepticism as “very complex and multifaceted. This is not something you can solve alone by looking at the auditing standards.”
Zietsman also gave status updates on several standards. The first, ISA 540, concerns auditing estimates; the board is currently reviewing the comments on its exposure draft. There has been some confusion surrounding the term “qualitative inherent risk factors,” as well as a desire for the IAASB to coordinate its approach on estimates with that of the PCAOB. (The board hopes to finalize this standard shortly.) The second standard, ISA 315, covers risk assessment. Zietsman said that the focus for this standard is modernization, particularly regarding how data analytics fits into the process. Other standards the board is working on relate to engagement-level quality control and group audits; both of these are also heavily affected by the rise of data analytics. Future projects include updating the agreed-upon procedures standard, developing guidance for integrated reports and other types of emerging reporting, and a post-implementation review of the new auditor reporting standards.
An overall theme in the IAASB’s projects is the need to reflect the way companies actually do business. “What we’re trying to do is keep the principles-based nature [of the standards], but also refresh them such that they are capable of being applied [in a manner that reflects] the way in which audits are really being done,” she said.
Developments at the ASB
Santay started by noting that the ASB converged its standards with the IAASB’s several years ago, and therefore was covering much of the same ground with its current projects. “We also recognize there are some major accounting standards coming online,” Santay noted in describing the pace of ASB’s projects, “so we try and build in extra time for comments and outreach in that as we move through our process.”
The ASB is both developing its own projects on quality control, risk assessments, accounting estimates, group audits, and auditor skepticism, he said, and providing the IAASB with feedback. On skepticism, Santay said that emerging technologies such as blockchain and artificial intelligence will have a significant impact on audit evidence. The ASB’s Assurance Services Executive Committee is working on a guide for data analytics, and has issued another on cybersecurity. He described the board’s slow approach to data analytics as “boldly cautious.”
Talking about specific projects, Santay stressed a forthcoming 300-page exposure draft covering several topics, including the reporting of key audit matters (KAM). Santay also mentioned the standard for employee benefit plans, for which the comment period had just closed.
He then discussed newly issued standards. Attestation standards have been clarified, particularly with respect to reporting under both AICPA and PCAOB standards. Other recently released standards covered auditors’ responsibility for going concern and auditor involvement in exempt securities. He also mentioned recent Accounting Standards Executive Committee (AcSEC) guides on emerging topics.
Rand first addressed recently adopted standards and staff guidance, particularly the new audit reporting standard. “This project was adopted after more than six years of outreach and public comment, starting with hearing a lot from investors that they wanted in the audit report to hear more about the key issues that the auditor is seeing, instead of just the pass/fail opinion,” Rand said. “We really did a lot of work to understand what more exactly would be helpful … and of course, there’s been a lot of developments globally.”
Auditors will need to be thinking ahead about “the types of issues in the audit that might have led to a CAM … by the time the first wave of effective dates goes into effect,” Rand said.
The first half of the report includes many changes, such as the required disclosure of auditor tenure, a new explanatory paragraph regarding internal controls on financial reporting, and clarification that the audit includes the notes to the financial statements. Echoing the ASB’s KAM reporting requirement, reporting of critical audit matters (CAM) is included in the new PCAOB standard; Rand called it “the most significant change to the report.”
CAM reporting, Rand continued, will require preparation. Auditors will need to be thinking ahead about “the types of issues in the audit that might have led to a CAM … by the time the first wave of effective dates goes into effect,” she said, and that will require “discussions with management [and the] audit committee” that should begin soon.
Rand then discussed Form AP, which requires disclosure of the engagement partner and any other accounting firms that participate in the audit. As of November 15, she said, more than 13,000 Forms AP have been filed, identifying more than 3,900 unique engagement partners. More than 200 audits were conducted by multiple firms—in one case, 24 of them—which Rand said highlights the need for the PCAOB’s standards on supervision of other auditors. “In some cases, it’s the majority of work that’s done by other accounting firms,” she said.
On the subject of staff guidance, Rand noted that the PCAOB has issued guidance on coordinating work by multiple audit firms, as well as on matters relating to auditing revenue from contracts with customers. The latter guidance, she said, relates to the new revenue recognition standard, but can also be applied to the standards on leasing and current expected credit losses; she stressed that “the same type of considerations would apply” and therefore this guidance would be helpful when implementing those standards.
Finally, Rand covered recently issued proposals and research projects. Aside from proposals on accounting estimates, the work of specialists, and auditors’ use of other auditors—the comment periods on which have all closed—a PCAOB staff member is observing the IAASB’s work on its own estimates standard. In addition, four research projects are underway on quality control standards, data technology, the auditor’s role regarding other information and performance measures, and auditors’ consideration of noncompliance with laws and regulations. These last two in particular are still in the early stages. “Would it be helpful if auditors had a greater role than they do today with some of that?” she asked, saying that, with research still ongoing, the board had not yet come to a final answer on the subject.
The SEC’s Agenda
Panucci began by focusing on leadership, noting President Trump’s recent appointment of Hester Pierce and Robert Jackson to serve on the commission, and the confirmation of new chairman Jay Clayton. He then discussed Chief Accountant Wesley Bricker and interim Deputy Chief Accountant Jennifer Sager’s efforts to address emerging issues. Early efforts have revolved around the implications of blockchain.
“When we think about it, especially around the critical audit matters, there’s a role that each of the stake-holders could be playing as you think about successful implementation,” Panucci said.
The Professional Practice Group, Panucci’s own department, is currently focused on numerous projects, including supervision of the PCAOB’s audit reporting project. “When we think about it, especially around the critical audit matters, there’s a role that each of the stakeholders could be playing as you think about successful implementation,” he said. “Firms can continue their out-reach to the stakeholders, including trying to understand what the investors are looking for, and hopefully there can be a meeting of the minds.”
Panucci also stressed engagement, suggesting that management quiz auditors on where the changes would have affected previous reports. “What would have been the critical audit matters?,” he asked. “What would they have looked like? How many of these would be known early in the process compared to later in the process?” Regulators will also have a role to play, answering questions and analyzing the post-implementation outcome.
Panucci then moved to internal controls over financial reporting, discussing the impact of disclosure of control deficiencies. Unsurprisingly, such disclosure can increase the cost of capital, but studies have found that subsequent remediation of such deficiencies decreases cost of capital to a greater degree. Furthermore, he said, management has told the SEC that communication between audit committees, management, and auditors works best when it is robust, up front, and comprehensive. “Whenever that understanding’s not happening up front and it’s trying to be done through the testing, we see the stress level for people increase, because now it’s all being done in hindsight,” he said. He is seeing this principle emphasized in practice with the implementation of the new revenue recognition standard.
Touching on enforcement matters, Panucci said that failure to properly retain workpapers is a common problem. He also said that auditors are at times “not performing [diligently] enough around computerized information” when it comes to inventory and fair value. “Auditors have got to think about all evidence,” he said, “whether it corroborates and contradicts.” He also cited several instances of failures in the area of auditor independence. Finally, Panucci encouraged listeners to participate in the SEC and PCAOB’s outreach process.
Carmichael began the panel discussion by asking Zietsman for tips on the implementation of new standards. Zietsman cited early feedback from countries such as Brazil and the United Kingdom, saying that it supported Panucci and Rand’s position on the importance of early preparation and communication between management and auditors. Santay agreed, adding that the ASB was looking forward to seeing feedback from its own proposals.
Carmichael then relayed a question from the audience about the PCAOB’s plans for monitoring CAM implementation. Rand replied that, “we’re very interested in hearing from auditors or others that may have any comments that may be helpful.” She also said that a separate group out of the Economic Risk Analysis Office will conduct a post-implementation review.
Asked about outreach on audit reporting, Panucci said that the SEC received many comments supporting the proposal, as well as others suggesting removals or additions. He stressed, however, that the SEC is limited in its ability to make changes to the standard—that being the PCAOB’s remit—but that it can develop guidance and clarification on the board’s position. As an example, he cited concerns around the auditor reporting original information about the company, to which the SEC responded by emphasizing the board’s position that such reporting should be limited, “because a lot of people thought that the auditor was going to replace management as a disclosure tool.”
Another audience question concerned the definition of CAMs, particularly whether they would include matters of public interest or immaterial items requiring substantive effort and judgment. Rand said that the public interest is not part of the definition of a CAM, and that the linchpin is how closely the matter relates to the audit of the financial statements. The other panelists agreed, with Panucci citing an example from the PCAOB’s adopting release.
Rand and Zietsman both opined that the experiences of other countries would be valuable to U.S. firms. Rand also said that the changes will hopefully increase the usefulness of the audit report to investors. “In some of these countries with expanded audit reporting, investors are going to the auditor’s report first. And auditors are saying what they’re doing is making a difference, and that’s also a benefit for auditors,” she said. “I think it’s a great change, and I hope people get excited about it.”
Carmichael asked about possible changes to the composition of engagement teams or changes in firm policies regarding CAM reporting, to which Panucci replied that there will certainly be “changes in methodology,” but likely not in the composition of engagement teams. He also said that the changes will require significant training.
Turning the subject to ethics, Carmichael asked the panelists about any ongoing projects regarding responsibility for detection of material errors in the financial statements. Zietsman replied that the IAASB bases its ethical requirements on compliance with a rigorous code, be it that of the International Ethics Standards Board for Accountants (IESBA) or the auditor’s jurisdiction. She also said that the IAASB and the ASB’s standards focus on risk assessment and the auditor’s responsibilities. Santay said that while the ASB has not yet reached this point in its project, it is watching the activity of the AICPA’s Professional Ethics Executive Committee. Rand said that the PCAOB is monitoring everything as part of its research process, which Panucci echoed.
On the subject of cybersecurity, Carmichael asked whether cybersecurity incidents represent deficiencies in internal control, and if such events need to be evaluated for severity. Panucci opined that this is certainly the case when incidents directly affect relevant reporting systems. He also said that, in cases where the breach is outside such systems, “it’s important for important for management and auditors to at least understand the root cause that allowed for that breach in the operating system.” He also said that even when the cause is not directly related to financial reporting systems, other disclosure requirements might still apply. Santay added that the AICPA’s criteria for descriptions of cybersecurity risk management go beyond internal controls.
“In some of these countries with expanded audit reporting, investors are going to the auditor’s report first. And auditors are saying what they’re doing is making a difference, and that’s also a benefit for auditors,” Rand said.
Finally, Carmichael asked about “other information” disclosures, particularly those relating to non-GAAP financial measures. Zietsman talked about how the IAASB revised its standard, clarifying the scope of such disclosures. Speaking on the ASB’s equivalent project, Santay said that his board has examined both post-issuance information and the broader issue of sustainability information. He also stressed the increasing number of ways this kind of information is being communicated raises questions about what the auditor’s involvement should be.
Rand detailed the PCAOB’s project on other information, noting that the board proposed a standard in 2013 but decided to hold off on implementing any standards. Given the increased use of non-GAAP measures, the board is taking another look at the issue, as well as sustainability reporting. “What would be useful to disclose to investors about what the auditor’s responsibilities are?” she said. “And could that be clear in a way that people understand without further creating a greater expectation gap?”
Panucci said that the SEC will continue to monitor companies to ensure that their non-GAAP disclosures are relevant, useful, and not misleading. Rand added that the PCAOB’s Investor Advisory Group had indicated that FASB standards setters should consider incorporating non-GAAP guidance into its standards, so that the material could then be subject to audit. Finally, Zietsman said that the IAASB had conducted discussions about emerging forms of external reporting, and that the consensus from that feedback was that they should focus on providing guidance on how to apply existing standards to such material rather than develop “a whole separate suite of standards.”