Over the last year, we have seen unprecedented change in the Public Company Accounting Oversight Board (PCAOB) and its standards-setting agenda. Tina Hong, Director of Solutions Sales at Toppan Merrill, and I had a great discussion about changes at the PCAOB and SOX compliance audits when I joined her as a webinar panelist earlier this year. We talked at length about the impact of these PCAOB changes and what that means for external auditors and public companies as they prepare for their 2023 internal control over financial reporting (ICFR) or Sarbanes-Oxley (SOX) compliance audits.
Here are some key points for you to consider, and you can watch the full webinar here.
New Chair, New Rules
Since her appointment as the Chair of the PCAOB in late 2021, Erica Williams has announced one of the most ambitious standards-setting agendas in the PCAOB’s history. Just one year into her term, she is already actively working to update more than 25 standards. Chairperson Williams has consistently communicated the three tenets of her agenda to protect investors:
- Modernizing standards: Most PCAOB standards have been in place since the organization was formed in 2003, but the world has changed – a lot – since then. Capital markets are exponentially larger and more complex, but our rules are sitting back in 2002.
- Enhancing inspections: Chairperson Williams has indicated the PCAOB is prioritizing inspections of audit engagements involving specific topics such as SPACs and DeSPACs, cryptocurrency and how firms are addressing the rising costs from ongoing supply chain disruptions. She stated that firms do respond to the rigorous inspections by improving their own internal quality assurance. I agree. Almost every firm I have worked with over the last year has added layers of quality assurance to their audit process, with special emphasis on ICFR audits.
- Strengthening enforcement: It is evident that Chairperson Williams is a litigator by trade, and enforcement is clearly near and dear to her heart. In a mid-summer 2022 speech, she stated that in the last six months, the PCAOB has more than doubled average penalties against individuals compared to the last five years. At the same time, they increased average penalties against firms by more than 65%. Further, in both December 2022 and January 2023, the PCAOB made major announcements that they imposed significant fines on external audit firms. I predict that this enforcement wave is not stopping anytime soon.
Impact on public companies starts with impact on external auditors
The impact of these new rules and strengthened enforcement starts with external auditors and then trickles down to public companies.
In the PCAOB’s December 2021 Inspection Observation Spotlight Report, Chairperson Williams and her team continued to call out areas where they feel external auditors are still deficient in their auditing of ICFR, with special emphasis on:
- Management Review Controls (MRCs): The report says auditors consistently failed “to sufficiently evaluate whether a control with a review element operated at a level of precision sufficient to prevent or detect material misstatements.” And while the report notes it was the auditors’ failure to audit MRCs well, it is the business’s primary responsibility to first define, consistently apply and document that level of precision every time a control executes. In particular, the business and the internal audit team need to be able to illustrate that this precision-level control catches errors, and to illustrate the business’s procedures for follow-up and resolution.
- Information Provided by Entity (IPE): IPE refers to the accuracy and completeness of information used in the operation of a control – think key spreadsheets, reports or queries. It continues to be very high on the radar for both the external auditor and the PCAOB. The external auditor must first look to see that the business has proven out the completeness and accuracy of any IPE used in the execution of a control. Then, they must test it themselves. If the business cannot evidence the completeness and accuracy satisfactorily, then in the worst case, not only does the control fail, but the auditor must do additional substantive work to get comfortable with the information because they cannot rely on the company’s controls.
In practice, MRCs and IPEs are a huge lift. I can tell you from painful experience that when companies do not do the work up front, they end up having to do more work (and I mean a lot more work) and incur more cost on the back end.
4 key SOX considerations
We have covered how the PCAOB has changed its approach and intensified its focus, and what that means for external auditors. We also know that this focus will eventually work its way down into the business and will have a direct impact, or correlation, on how companies design, perform, and evidence their ICFR compliance. Now, what should public companies do as they prepare for their 2023 ICFR audit?
Here are four key considerations:
- Do your own due diligence
Don’t wait for your auditor (or a blog) to alert you of changes. Make sure you are aware of the new regulations coming out and the resulting changes in external auditors’ approach. I suggest going to the PCAOB website and signing up for their news bulletins – and doing the same thing on the SEC website.
- Foster a consultative relationship with your external audit firm
There is a clear line between what external auditors can and cannot do. Make sure you are on the same page as your audit firm so there are no last-minute surprises. We all need to be working together – the business, consultants, internal auditors and external auditors – to get the best possible result. The PCAOB (and the SEC, for that matter) has made it very, very clear that enforcement will not just be limited to companies. Individuals are fair game.
- Focus on the most complex areas of your financial statements
For 2023, we should expect to see a continued focus on financial statement areas that are more complex in nature. The PCAOB is looking closely at anything that requires significant judgment or is susceptible to change (think reserves or contingencies). And fraud is always a focus (as it should be), especially now with cryptocurrency fraud all over the news.
- Strengthen your ICFR compliance program
I see companies spend so much time and energy on the financial statement audit, but not give the same resources to their ICFR audit. The same due diligence, awareness and investment should be applied to the overall ICFR compliance program. Your ICFR program should be strong, realistic and responsive – both to the changes in your company, and changes with the regulations.
Buckle up for more changes – but let’s work smarter, not harder
I tell businesses all the time that they better put their seatbelts on and get ready. There is going to be a tsunami of new regulations coming out of the PCAOB in the coming years – and these new regulations will more than likely be supported by the SEC – either through actual regulations or through speeches or statements.
Audit firms will continue to be audited by the PCAOB and show adherence to the new standards. That means the businesses will continue to feel the pressure to be responsive to external auditors. It’s a recurring cycle with the companies often bearing the brunt of this work.
So now you are wondering whether there is a silver lining… There is. I promise.
This increased compliance burden does not necessarily equal more time, cost and headaches for registrants. We now have options to balance the extra work. Technologies to simplify SOX compliance and ICFR audits keep getting better and better. Within my practice, we utilize the Toppan Merrill SOX Automation platform, and I am constantly amazed at what this automated SOX compliance solution can do for us and for our clients.
Make sure you are taking advantage of technology where it is available, and that you have risk and control experts on hand, or on staff, to complement that technology and make your life easier. Let’s work smarter, not harder.