Audit Quality and Risk
Doug Carmichael began the discussion by asking Tracy Harding what the ASB is working on with respect to audit quality. “Our goal at the ASB is to continue to focus on maintaining standards that promote audit quality in the public interest,” he began. Harding noted that SAS 142 addresses audit evidence, which “focuses more on how the auditor assesses the relevance and reliability—we use the term ‘persuasiveness’ of audit evidence—to enable the auditor to form conclusions and, ultimately, an opinion on the financial statements as a whole. Of course, you do still need to perform audit procedures in order to convert it to evidence.”
Harding mentioned the issuance of SAS 143: “We know there are a lot more estimates in the financial statements than ever before and they can be sources of audit risk. We talked about the importance of evaluating estimates in the context of the applicable financial reporting framework. … The adequacy of disclosure is something the auditor certainly needs to focus on, and that includes disclosures related to uncertainty. And of course, the auditor is focused on fair presentation, so that may indicate a need for disclosures beyond those explicitly called for by the applicable financial reporting framework. In issuing SAS 143, we didn’t anticipate a couple of elements that we’re working on in our risk assessment project; first, the requirement for separate inherent risk and control risk assessments, which is required by SAS 143 for estimates. We also talk about inherent risk factors and the concept of the spectrum of inherent risk.”
Harding dove deeper into the board’s thinking on how to address risk. “We’ve heard through peer reviews and inspections around the world that risk assessment is not always well understood,” he said. “People don’t understand why it’s necessary and why an understanding of internal control is necessary. So we put out a standard that, we hope, better explains those items.”
“We’re using a concept where inherent risk falls on a spectrum from lower to higher when you think about their likelihood or magnitude,” Harding continued. “We’ve used that to redefine the term ‘significant risk,’ which some people felt was not well defined before. Significant risk under the proposed standard would be one that falls toward the upper end of the spectrum of inherent risk.”
Quality Control and Evolving Technology
“This year has been the banner example of how things change quickly,” Barbara Vanich began in discussing the PCAOB’s changing agenda. “Quality control [QC] remains at the forefront of our agenda and continues to be a significant priority for our board. QC systems are crucial for supporting consistent performance of quality audits and other engagements. Our current QC standards are quite old and were originally developed before the PCAOB was established. Since then, the auditing environment has changed significantly, including the greater use of technology and the time devoted to QC activities.”
“We know there are a lot more estimates in the financial statements than ever before and they can be sources of audit risk.”
“CAMs are engagement specific, and specific to each year on the audit. There’s no expectation that they will be the same every year, but they could be.”
Vanich described the PCAOB’s concept release soliciting input on a standard addressing governance and leadership, the risk assessment process, and monitoring and remediation, as well as the roles and responsibilities of individuals within the QC system. The release acknowledges that firms audit within not only PCAOB standards, but other standards as well; it would not be feasible for auditors to design and operate fundamentally different QC systems. “We also understand that a QC standard has to include scalability,” she said. “And we think that risk-based approach provides best for something that can be scaled up for the most complicated firms, as well as scaled down for less complicated firms.” Vanich also mentioned the board’s projects on the supervision of other auditors and narrow changes to the independence rules.
“We continue to assess the evolving use of data and technology on the audit and on audit quality, and whether guidance or changes to PCAOB standards may be needed,” Vanich noted, with respect to the board’s research agenda. “We observed that technology-based tools can significantly enhance the auditor’s ability to effectively and efficiently analyze large volumes of data in more depth than traditional techniques. The tools can provide different perspectives in exposing previously identified relationships as risks, as well as to give auditors much more information to be used in assessing the risks themselves.
“Many firms, especially the larger firms, have developed tools to improve communications between the auditor and the company or among members of the engagement team, including other auditors involved. And the tools can track information received during the audit, automate the documentation of procedures performed, give real-time access to firm guidance, as well as facilitate the efficiency of supervisory review. I think, in hindsight, the investment that was made in those tools certainly made auditing and the remote environment more efficient, and maybe even possible.”
Vanich also briefly touched on the unique challenges the past year has presented, including the COVID-19 pandemic: “As things have continued to be a little bit different this year, many of those issues are still relevant for audits that are in process or audits that will take place in the near future.”
The SEC and CAMs
Diana Stoltzfus began by discussing the role of the SEC and the Office of the Chief Accountant (OCA) specifically in overseeing the PCAOB. “We want to applaud the PCAOB for their full transition to remote operation,” she said. “Even in this very challenging environment, the PCAOB continues to focus on its mission to oversee the audits of public companies and SEC-registered broker-dealers in order to serve the public interest in the preparation of informative, accurate, and independent audit reports.”
The subject of critical audit matters (CAM) was the next topic Stoltzfus addressed. “Some questions we get include whether CAMs should be the same year over year, or similar between companies and industries. CAMs are engagement specific, and specific to each year on the audit. There’s no expectation that they will be the same every year, but they could be. Also, within an industry or peer company, there might be similar CAMs, or they could be different.”
“The PCAOB also recently conducted an interim analysis to evaluate the initial impact of CAMs. They got feedback from preparers, committee chairs, auditors, and investors, again demonstrating their goal of active engagement with stakeholders,” she noted. “Their analysis acknowledged significant investments made by audit firms to support the implementation of CAMs and also identified that while investor awareness of CAMs is still developing, some investors find the information beneficial. Lastly, the PCAOB found that there have not been any significant unintended consequences from the implementation of CAMs.”
“Overall, we’re very pleased with the implementation efforts and believe it’s a great example of all parties working together in a proactive way to provide meaningful information to investors,” she added. Stoltzfus concluded by reviewing the OCA’s efforts with regard to auditor independence matters.
Doug Carmichael began the group discussion session by asking Harding about SAS 142 and 143. “There are some concepts in the risk assessment project that are embedded in the estimates project,” he noted. “Because of the alignment, we thought it was important that they have the same effective date.” He noted that early adoption is still permitted notwithstanding the effective date being delayed due to COVID-19.
“There is a suspicion at the ASB that all of our standards are going to have a risk assessment element to them,” Harding responded; in his view, firms will likely have to do more work in this area. “There are many instances in which auditors don’t understand why risk assessment is so important; we’ve seen some evidence of people doing it because it’s a requirement, rather than doing it because it’s necessary in order to effectively audit a set of financial statements. And we’ve also heard that with respect to internal control.” He emphasized that “when you think about fraud risks, you often learn about some fraud risks through gaining an understanding of the entity’s internal control, even if you don’t intend to rely on controls for testing their operating effectiveness.”
“With respect to the larger firms, over the last decade, I’ve seen significant improvement and time spent on further developing and refining risk-based methodology,” Vanich added. “I think we’ve seen significant advances, especially coupled with the use of technology tools, drilling down to an account and to a transaction level. That can then really drive a targeted specific response to risk that I think has a much better chance of identifying real potential misstatements than just applying procedures across accounts.”
Vanich noted that small firm practitioners are less convinced of the merits of a risk-based audit. “It does become more important as we try to have more risk-based procedural standards like estimates and specialists,” she said. “We may learn some things through the application of those projects about some changes we need to make.” With regard to the SEC’s position, Stoltzfus said, “I think right now we’re just letting practice develop and staying engaged.”
Carmichael questioned whether more specific and definitive guidance was needed to balance the ASB’s recent principles-based approach. “Too often, we can get into a discussion of principles-based standards versus rules-based standards like they’re two opposite and very different things,” Harding responded. “I think that it’s fair to say we do believe that our standards should be grounded in principles, because that does enable them to withstand the test of time and to be deployed in an array of individual circumstances. And there’s no way to get around the need for the application and professional judgment by auditors.” He continued, “We’re not doing something that lends itself to black-and-white decisions. That said, the standards do need to be clear in order to enable auditors to appropriately apply professional judgment. That’s the balance that we try to strike in all that we do.”
“This year has been the banner example of how things change quickly.”
“I think principles-based makes sense,” Stoltzfus added. “But I think that there also needs to be enough guidance so that individual and firms and preparers can implement the standards.” She said that the SEC works closely with the PCAOB in accordance with its oversight role.
The discussion turned to the COVID-19 crisis and how to address the challenges of remote auditing. “Some of the things we highlighted back in April are to be mindful that risk assessment isn’t a do once–and-stop thing; you have to be aware of how risks can change over time and take that into account. I think this profession has once again demonstrated an extraordinary ability to adapt and get the job done,” Vanich said. “And while firms have found ways to do things remotely, they have told us that it’s been challenging. Sending your drone or your GoPro isn’t as easy as it might sound; don’t underestimate challenges you never thought of, like areas of a warehouse where WiFi doesn’t work.”
“There are two things that I primarily worry about,” Harding added. “Number one is professional skepticism. When we think about the audit risk model, we do think about detection risk and how we perform audit procedures and design them to assess risk of material misstatement. But there’s sort of an interplay there between inherent risk and detection risk when you start thinking about how the auditor performs procedures which could in fact increase fraud risk. … And the other big thing I worry about is whether we are adequately focused on understanding changes to internal control at the client as a result of COVID, particularly if some people are remote and dealing with different technologies than before. They probably have changed their internal controls, whether it’s how approvals are obtained or how things are reviewed.”
Understanding Client Controls
The panel addressed questions from the online audience as well as the moderator. In response to a question about whether auditors understood the reporting systems filers use, Harding stated: “Part of what we’re trying to accomplish with our risk assessment project is to increase the knowledge level of all audit teams.” He continued: “One of the things that I fear is that some auditors may almost unconsciously assume operating effectiveness of certain controls in designing audit procedures. … Don’t assume things are operating effectively just because the client told you that certain things happen in a certain way, observe it for yourself.”
The panel concluded with a short discussion of the various long-term proposals on auditor independence, professional skepticism, and the evaluation of audit evidence.
- Ensuring Integrity: Regulators and Standards Setters Update
- Ensuring Integrity: Critical Audit Matters
- Ensuring Integrity: Auditors’ Biases
- Ensuring Integrity: COVID-19 and Client Risk Profile
- Ensuring Integrity: Litigation and Enforcement Update