Testing internal control over financial reporting, assessing risks of material misstatement, and auditing accounting estimates (you know, the yoozh) continue to trip up auditors, according to the PCAOB, which offered a sneak preview of what we can expect in 2018 audit firm inspection reports.
More than 160 U.S. audit firms were inspected by the PCAOB in 2018 and portions of about 700 audits of public companies were reviewed by inspectors. The regulator also inspected a bunch of audit firms overseas.
Did RSM US and KPMG turn things around during the 2018 inspection cycle, after both had abysmal 2017 inspection reports? Did Grant Thornton come back down to earth in 2018 following a mind-blowingly good 2017 inspection report after many years of suck? Did Deloitte and PwC auditors finally figure out internal controls and controls testing? Inquiring minds want to know. (Or maybe we just do.)
The news isn’t all bad—the PCAOB observed “good practices” by audit firms during its 2018 inspections. For example, firms are continuing to take steps to improve audit quality. The problem is the PCAOB says this every year. It’s almost like the PCAOB purposely teases all of the “champions of audit quality” out there that auditors have finally got their shit together, only to find out otherwise when inspection reports like RSM’s and KPMG’s are released.
Here are some other good practices that PCAOB inspectors saw in 2018:
Root-cause analyses: Again, the PCAOB seems to tell us every year in these inspection “previews” that firms are doing root-cause analyses more and more. But supposedly audit firms made improvements in 2018 by performing root-cause analyses to “understand the primary factors that contributed to positive and negative audit quality,” as well as “designing and implementing remedial actions that drive audit quality.”
Expanding accountability for audit quality beyond the lead engagement partner: So maybe we’ll see the lead engagement partner take the fall less for crappy auditing whenever the PCAOB takes enforcement action against a firm?
The PCAOB said:
Some firms have established accountability programs for the engagement quality reviewer (EQR) and other partners in leadership roles to reward or penalize these individuals depending on whether the audits in which they participated are found by external or internal inspections to have deficiencies. We saw positive behaviors where firms have placed an emphasis on the importance of audit quality through extending accountability to other key leaders at the firm such as audit quality leaders, technical experts, and office leaders.
Developing and refining guidance to help auditors identify and assess risks of material misstatement: Firms have laid out steps that the auditor should take, such as having focused team discussions, to better identify the types of potential misstatements that could occur—and turn a good inspection report into a KPMG-type inspection report.
Revising training programs: Firms are using real-world examples to more effectively show auditors where things might go horribly wrong in an audit.
For example, training programs may include case studies utilizing audit work papers that contain deficiencies in the audit testing. Participants reviewed these work papers and identified points in the process that resulted in the deficiencies.
Now for the bad, which if you know PCAOB inspection reports usually always starts with deficiencies related to testing ICFR:
Auditors did not sufficiently test the design and operating effectiveness of controls that include a review element. We observed that auditors did not obtain an understanding or evaluate the activities performed and factors considered by the control owner when reviewing the reasonableness of certain estimates and assumptions.
Auditors did not select controls for testing that address the specific risks of material misstatement. We observed that auditors did not obtain a sufficient understanding of whether the control addressed the assessed risk of material misstatement.
Here are some other areas where auditors struggled:
Auditing revenue: Auditors agreed revenue transactions to company-prepared invoices without doing the proper testing, and they limited their testing to revenue transactions exceeding a certain amount or transactions recorded near year-end without considering the need to test the remainder of the population, the PCAOB said.
Based on our observations, auditors should apply due professional care in areas of significant risks, including the risk of fraud. Auditors should also perform sufficient risk assessment procedures to identify the risks of material misstatement and to design procedures responsive to the assessed risks.
Auditing accounting estimates: The most significant deficiencies were found in the areas of allowances for loan and lease losses, accounting for business combinations, and financial instruments.
Engagement quality reviews (EQRs): Many deficiencies inspectors identified occurred in areas that were reviewed by EQRs that failed to spot problems, the PCAOB said.
In some instances, EQRs may have placed too much reliance on discussions with the engagement team. In other instances, EQRs may have limited their review by reading summary memos that did not provide sufficient detail to allow for a review with due professional care.
While some 2018 inspection reports have begun trickling out for smaller U.S. and overseas firms, the 2017 inspection report season is still ongoing, as we’re still awaiting the PCAOB to release exams for EY and BDO USA, among others. So we still have several months to go before we know whether audit firms overall made progress on improving audit quality in 2018 or if the PCAOB is once again blowing smoke up our asses.