About the Panelists
The panel featured Noel Allen, JD, outside legal counsel for the National Association of State Boards of Accountancy; Marc Panucci, CPA, a deputy chief accountant at the SEC’s Office of the Chief Accountant; Jennifer Rand, CPA, deputy division director and deputy chief auditor at the PCAOB’s Office of the Chief Auditor; Mike Santay, CPA, chair of the AICPA’s Accounting Standards Board (ASB); and Megan Zietsman, CPA, deputy chair of the International Auditing and Assurance Standards Board (IAASB). Douglas Carmichael, PhD, CPA, Claire and Eli Mason Professor of Accountancy at Baruch College, New York, N.Y., moderated the panel. The following is an edited and condensed summary of the panel discussion. The views expressed are the panelists’ own personal views and not necessarily those of their employers or those employers’ boards, management, or staff.
* * *
Carmichael began the panel by introducing Noel Allen and allowing him to explain NASBA’s role in standards setting. Through its member state boards of accountancy, NASBA sets the educational requirements for CPAs, helps develop the Uniform Accountancy Act, and has primary authority over the model rules, through which standards are further defined and explained.
CAMs and KAMs
Carmichael moved to a comparison of critical/key audit matters (CAM/KAM) in the new auditor’s report. Jennifer Rand explained that the PCAOB monitored the IAASB’s KAMs but “ultimately decided to come up with something different.” She explained: “Both have a similar objective, to communicate audit-specific matters in the auditor’s report. And that communication shouldn’t be boilerplate; it should be really specific to the audit using nontechnical language. … But our definitions are different. We have a different process in terms of identifying C-CAMs versus K-KAMs.”
Rand then asked Zietsman for her input. The IAASB’s deputy chair agreed that “the driving objective for the standards comes from the same place; both are the kind of things that kept the auditor up at night.” The differences, she said, lie in the definitions of the two terms; as an example of something that might qualify as a KAM but not as a CAM, she cited matters relating to the implementation of a new IT system. “When you take the PCAOB’s definition,” she said, “it needs to refer to things that are material accounts or disclosures in the financial statements.”
Zietsman added that the PCAOB’s definition includes required communications, which “shouldn’t really drive a difference because I think the starting point [for KAMs] should be the things that have been talked about with the audit committee.”
Allen noted that “Sarbanes-Oxley says that whatever the SEC/PCAOB adopt is not necessarily binding on non-SEC-registered work, and there’s not an obligation for either addressing CAMs or KAMs with nonissuers.”
Carmichael then asked whether the experience in the United States would be very different from the experience in Europe. Zietsman responded by noting that the IAASB will be starting its post-implementation review in the next year. “Take a jurisdiction like the U.K.,” she said, “where this has been in place for up to five years; there’s been an evolution in the way in which matters are being reported from when auditors first started to what they’re doing now. I think that the communications will look somewhat different in the U.S., and that is to some extent driven by differences in the environment and differences from a litigation perspective in terms of what people are comfortable putting into a report.”
Santay added that while there are concerns that the new auditor’s report may, in the litigious U.S. atmosphere, chill communications with audit committees, he is “hopeful that the dry run process and the piloting that many firms are doing is going to help alleviate that.”
Panucci said, “I hope the experience isn’t different because internationally, it has been welcomed by the investors and users of financial statements. I think they do see meaning in it.” He advised audit firms and companies to engage with investors now to understand those expectations and “share how you’re thinking about it from a U.S. perspective,” as well as post implementation, to see if the expectations are being met.
Carmichael then asked the panel about dry runs. Rand replied with a report from a meeting of the PCAOB’s Strategic Advisory Group (SAG) the previous week, where just that question was asked of the group’s members. “A key thing that they said was, when they’ve been engaging with audit committees and management in connection with CAMs, that discussion is taking out a lot of anxiety. I think there’s some fear for audit committees and management about what the auditor may be saying … but talking to the auditors, it’s calming people down. The sky is not falling.”
Santay added, “What we’re trying to get out of the dry runs is a consistent approach, in interpretation and application. Every engagement is different, and when we try to run it through the lens of what’s especially challenging, the teams have really embraced that.” He continued, “We also want to work with the teams on the drafting conventions and what our review protocols are going to be. How do we make these CAMs personal? … Let’s drive it down to that level of description specific to the client circumstances, to provide good information to investors.”
Panucci agreed: “I think the dry runs are taking a lot of the anxiety out, especially from an audit committee standpoint. … What I hear is that firms are looking at multiple levels: how new accounting standards interact with critical audit matters. How do you think about that day one with the implementation?”
On the subject of how CAMs interact with critical accounting estimates, he said, “It’s not a one-for-one. The CAMs might be a subset of the critical accounting estimates or focused on an element of it. We hear that management is sometimes thinking about making an assessment of their disclosures, including critical accounting estimates. The exercise should not be to make sure these lists look identical, because those objectives are different. If management is going to make a change, it should be independent of the CAM process.”
Carmichael then asked Rand why the PCAOB decided not to make communication of CAMs required for audits of emerging growth companies. Rand referenced the Jumpstart Our Business Startups (JOBS) Act of 2010, which excluded emerging growth companies from having to report the auditor’s discussion and analysis. “Are CAMs analogous to auditor’s discussion and analysis? At the time of its concept release, the board’s thinking was it was more akin to MD&A [management’s discussion and analysis]. But ultimately, the board decided to err on the side of being more cautious and not to apply CAMs for audits of emerging growth companies,” she said.
Finally, Carmichael asked Zietsman about the IAASB’s implementation guidance. Zietsman mentioned the board’s Implementation Working Group, which provides guidance on its website. “The next focus will be to do a postimplementation review and then consider whether we need to go back and make targeted revisions to the standards. That includes our standard on reporting in relation to other information; for that one in particular, we’ve heard that there are some quite difficult challenges.” As the PCAOB’s standard rolls out, Rand added, the board will pay attention to inspection reports regarding CAMs and use that information to determine whether changes or guidance are necessary, before doing a full postimplementation review after the standard goes into effect for all entities.
New Accounting Standards
Next, Carmichael asked about new accounting standards and how the represented regulators and standards setters keep up with them. Santay said that the AICPA is keeping abreast of the three major accounting standards currently undergoing implementation—revenue recognition, current expected credit loss, and leases—and that he expects them to present challenges for auditors: “For example, in adopting the leasing standard, what has management done to identify all their leases, and is it enough? It’s tough for us to issue guidance on that, but I think certainly we can highlight that through risk alerts and other types of communications to put auditors on notice on how they might think about making those evaluations and judgments and how that gets communicated to audit committees.”
Zietsman added that the IAASB shares this view. “Every time a new accounting standard comes along, that shouldn’t drive a new auditing standard,” she said. “One of the things that was a driver for the revisions that we made to our estimates standard was the increasing use of accounting estimates that involve high levels of estimation, uncertainty, subjectivity, judgment, and complexity. That drove us to take a look at our standard and ask, ‘Are we focused enough on those inherent risk factors that can drive susceptibility to misstatement? Do we have enough of a focus on making sure that auditors get their hands around looking at the models, the data, and the assumptions and think about those in the context of how to understand and then ultimately how to audit that estimate?’”
Rand concurred, saying that a June SAG meeting had included requests for guidance on new accounting standards. “Doing that is somewhat challenging when we’re focused on trying to get out a new standard on auditing accounting estimates,” she said. “Any guidance that we would issue, we’d want to make sure it’s complementary. The new standard is first for us. In the absence of doing anything more specifically, we issued guidance on the revenue standard, and that guidance did talk about considerations for other future new accounting standards regarding ICFR [internal control over financial reporting]. So even though it was specific to revenue, we think there’s broader applicability there.”
The SEC and Internal Controls
Carmichael asked Panucci for specific suggestions regarding ICFR and the new accounting standards. “In our conversations and discussions,” he said, “we try to make sure people are thinking about internal controls with the implementation of the new standards. … As much as management can define good policy processes and controls upfront for consistency of reporting, the same holds true with the new GAAP and successful implementation. And it starts, just like anything, with the risk assessment and asking, ‘Where are the new and enhanced controls needed?’ I think most of those are common sense, and people understand them, but it’s a matter of breaking it down and working through the ICFR process in real time.”
Carmichael then asked Panucci whether the SEC would provide issuers with “clear and direct guidance” about what it considers sufficient evidence that controls are in fact effective. “Right now, there isn’t anything planned,” Panucci said. “It’s actually an area where we’ve seen some improvements around the management review controls and documentation. It’s not really necessarily always a documentation issue when there are issues. … What we see is that when people have a really good understanding of the design of the controls, the documentation and testing follow that.”
Turning to cybersecurity, Carmichael asked Panucci to comment on the implications of cyberthreats for auditors. “Our focus is more on the ICFR piece,” Panucci said. “The way we’ve thought about it is, if there’s a cybersecurity threat or a breach to the financial information systems, people would agree there’s a deficiency to evaluate. When there’s a breach outside the financial information system, though, what does that mean? Even though it might not be in scope for the audit or ICFR, people still have to understand the root cause. Are there gaps in those controls, and do those same gaps exist in the financial information systems?” He added that the SEC’s guidance did not intentionally exclude ICFR, and that in some areas it emphasized them.
Carmichael then asked whether a material misstatement could be assessed as a significant deficiency rather than a material weakness. Panucci replied that, once a deficiency is identified, it’s hard to say that it’s not a material weakness, because it has already produced a material misstatement. Carmichael further asked about the quantitative and qualitative aspects of materiality regarding material weaknesses. “The way I’ve always looked at it is, the same qualitative and quantitative factors apply to the material weakness analysis that were used in the assessment of the financial statements,” Panucci said. “The only difference is, you have to think about what is reasonably possible. The quantitative number may change, but the qualitative factors will typically still be the same.”
Carmichael then asked the big question: Why doesn’t the ASB just accept the PCAOB standards? Santay replied that the ASB “is setting standards for beyond just commercial companies and pension plans. We have a lot of stakeholders and constituents to think about.” Rand added that the ASB and PCAOB both meet with the Government Accountability Office as part of the U.S. Auditing Standards Coordinating Forum, and that the two boards sit on each other’s SAGs.
Carmichael then segued to the PCAOB’s project on going concern. “I would put that into the group of standards that we’ll be talking to our board about in 2019,” Rand said. “Our focus right now has been very much on our three active standards setting projects, plus working a lot on quality control, data, and technology in the auditor’s report.” Asked whether the board has been monitoring what’s going on in practice, Rand replied affirmatively.
Panucci had no updates on the SEC’s proposed changes to the “loan rule,” but said that almost all of the more than 30 comment letters were supportive of the proposal’s direction. Commenters did ask for additional clarity, however, and the issue is on the SEC’s agenda. Regarding how developing technologies like cloud computing and artificial intelligence might affect independence, Panucci said that the SEC has not received much feedback, but has sought consultation on the matter.
Returning to CAMs and the new accounting standards, Carmichael asked whether any dry runs or pilot studies had revealed anything new about the intersection of those topics. Zietsman replied, in her capacity as a partner with Deloitte and Touche LLP, that teams are thinking about the differences between how the standards are viewed on day one of implementation versus on an ongoing compliance basis, and whether those differences give rise to a CAM. Santay added that his firm, Grant Thornton, has been looking at whether the standard has a fundamental effect on revenue as one benchmark.
Carmichael then turned to Rand for a discussion of cybersecurity, blockchain, and other technology issues. “We’ve done outreach to see how management is using technology and how that could potentially affect the evidence that auditors receive from management in connection with the audit,” Rand said, adding that the PCAOB has established a task force for this purpose. A key concern, she said, is whether “anything in our standards is causing any impediment to the use of technology in connection with the audit. What we’ve been hearing from our task force members is that there are no problems in our standards today. We have heard from some of our members that perhaps standards or guidance could be issued to encourage or recognize the use of technology.” Immediate priorities, she said, include data analytics and artificial intelligence.
Allen added that NASBA and state boards have been looking at new technology with regard to how accounting education and training might need to be expanded. “We’re going to watch all the studies in terms of what you expect the next generation of CPAs and auditors to know. Do we tweak the education requirements? Do we leave that to academia? Do we tweak the experience, or do we tweak the exam itself?” Rand noted that the PCAOB does outreach to different groups on the subject as well.
The next topic was auditors’ responsibility for other information, with Carmichael asking the entire panel for updates. Santay said that there are split views on the subject at the ASB. “What is ‘other information’?” he asked, citing as an example situations where an audit report and financial statements might precede a nonissuer’s annual report by several months. Zietsman added that the IAASB had encountered similar issues when it updated its own other information standard. “If it’s information that comes directly from the financial statements,” she said, “obviously then it should be consistent. If it can be derived or reconciled, it should reconcile. But then there’s another bucket of stuff that’s not directly related to financial reporting that management’s putting in its annual report; when the auditor reads that, what is the responsibility? Ultimately, the IAASB settled on that being something the auditor has to read through the lens of what the auditor has learned having done that work.” Jurisdictional differences have played a big role in how the standard is applied, Zietsman noted: “It really does need to be kept at a principles level at the international level, and then really dealt with more specifically at a national level.”