On May 13, 2024, the Public Company Accounting Oversight Board (PCAOB) adopted a new standard that they believe will lead registered public accounting firms to significantly improve their quality control systems. The new standard, A Firm’s System of Quality Control and Other Amendments to PCAOB Standards, Rules, and Forms (PCAOB Release No. 2024-005), will require all PCAOB-registered firms to identify their specific risks and design a quality control system that includes policies and procedures to guard against those risks. The PCAOB’s current quality control standards were developed and issued by the AICPA before the PCAOB was established in 2002 and, given the significant changes in the auditing environment since then, modernizing its quality control standards has been a top priority for the PCAOB. The Board’s efforts to update its quality control standards included discussion of the topic with the PCAOB advisory groups, issuance of a concept release in December 2019, and the release of a proposal for public comment in November 2022. The new standard, subject to approval by the Securities and Exchange Commission, would:
1) supersede current PCAOB quality control standards with an integrated, risk-based standard, QC 1000, A Firm’s System of Quality Control, that would apply to all registered public accounting firms;
2) create reporting requirements on quality control matters and a new, non-public reporting form, Form QC;
3) expand the auditor’s responsibility to monitor for and respond to deficiencies on completed engagements under an amended and retitled AS 2901, Responding to Engagement Deficiencies After Issuance of the Auditor’s Report, and related amendments to their attestation standards for broker-dealer engagements;
4) supersede the PCAOB’s existing standard ET 102, Integrity and Objectivity, with a new standard, EI 1000, Integrity and Objectivity, to better align their ethics requirements with the scope, approach, and terminology of QC 1000; and
5) make additional changes to PCAOB standards, rules, and forms.
The specific changes adopted by the PCAOB include:
– Emphasizing accountability, firm culture and the “tone at the top,” and firm governance through requirements for specified roles within and responsibilities for the quality control system, including at the highest levels of the firm; quality objectives that link compensation to quality; and, for the largest firms, the requirement of an independent perspective in firm governance;
– Striking the right balance between a risk-based approach to quality control—which should drive firms to proactively identify and manage the specific risks associated with their practice—and a set of mandates, including required risk assessment and other quality control-related processes, quality objectives, and quality responses—which should assure that the quality control system is designed, implemented, and operated with an appropriate level of rigor;
– Addressing changes in the audit practice environment, including the increasing participation of other firms and other outside resources, the role of firm networks, the evolving use of technology and other resources, and the increasing importance of internal and external firm communications;
– Broadening responsibilities for monitoring and remediation of deficiencies to create a more effective ongoing feedback loop that drives continuous improvement; and
– Requiring a rigorous annual evaluation of the firm’s quality control system and related reporting to the PCAOB, certified by key firm personnel, to underscore the importance of the annual evaluation of the quality control system, reinforce individual accountability, and support PCAOB oversight.
The PCAOB states that the framework they are adopting for QC 1000 has “commonalities” with other standards, e.g., International Standard on Quality Management 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements (“ISQM 1”), adopted by the International Auditing and Assurance Standards Board (“IAASB”), and the Statement on Quality Management Standards No. 1, A Firm’s System of Quality Management (“SQMS 1”), adopted by the AICPA. However, the PCAOB notes that their QC 1000 standard goes beyond those other standards in several areas, including with regard to firm governance of the largest firms, more specific requirements for monitoring and remediation and the evaluation of the quality control system, an ethics and independence component aligned with SEC and PCAOB requirements, and more specific provisions addressing technology and externally communicated firm-level and engagement-level information and metrics.
QC 1000 A FIRM’S SYSTEM OF QUALITY CONTROL
QC 1000 provides a framework that consists of:
Two process components
1. The firm’s risk assessment process
2. The monitoring and remediation process
Six components that address aspects of the firm’s organization and operations
1. Governance and leadership
2. Ethics and independence
3. Acceptance and continuance of engagements
4. Engagement performance
5. Resources
6. Information and communication
Two requirements for the evaluation of and reporting on the quality control system
1. Annual evaluation of the effectiveness of the quality control system
2. Reporting to the PCAOB on the quality control system evaluation
The standard also includes requirements regarding individual roles and responsibilities in the quality control system and documentation requirements.
SCALABILITY FOR LARGE AND SMALL AUDIT PRACTICES
QC 1000 establishes a uniform basic structure to be used by all firms, within which firms will be required to pursue an approach to quality control that is appropriate considering the risks associated with their particular PCAOB audit practice. Aspects of the new standard are risk- based, and to that extent inherently scalable. In addition, it imposes more stringent requirements for the largest firms in some areas, while enabling smaller firms to comply with the core requirements in ways that consider these firms’ size and the complexity of audits performed by them.
Larger PCAOB Audit Practice. The Board believes that firms with a particularly extensive PCAOB audit practice (i.e., those that issue audit reports for more than 100 issuers per year) should be subject to enhanced requirements. The incremental requirements under QC 1000 for such firms include:
– An external oversight function for the quality control system composed of one or more persons who can exercise independent judgment related to the quality control system;
– A program for collecting and addressing complaints and allegations that includes confidentiality protections;
– An automated system to track investments that may bear on independence; and
– Required monitoring of in-process engagements.
Smaller PCAOB Audit Practice. For firms that perform only a small number of PCAOB engagements per year, the PCAOB has addressed the needs of these firms in several ways, including:
– Providing that a single individual may be assigned more than one of the quality control system oversight roles required under the standard; and
– Allowing firms that issue five or fewer engagement reports for issuers or broker-dealers in a year to include audits not performed under PCAOB auditing standards in some of their monitoring activities.
KEY CHANGES FROM THE QC 1000 PROPOSAL
Changes from the proposal include:
– For the firms with larger PCAOB audit practices, the requirement to include an independent oversight function for their quality control system has been refined. Under the final rule, the external quality control function (“EQCF”) will be composed of one or more persons who are not principals or employees of the firm and do not otherwise have a relationship with the firm that would interfere with the exercise of independent judgment regarding matters related to the quality control system. The responsibilities of the EQCF may vary across firms but include, at a minimum, evaluating the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its quality control system.
– The final rule requires firms to report on their quality control system evaluation to the PCAOB, but not to the audit committee, as proposed. Legal constraints limit the Board’s ability to require public disclosures about the effectiveness of firms’ quality control systems at the level that some investors have requested.
– The timing of the quality control system evaluation and reporting has changed. Under the final rule, the evaluation date for the annual evaluation of the quality control system is September 30, rather than November 30 as proposed, with Form QC due by November 30 rather than January 15 of the following year. This shift allows more time between the evaluation date and the filing date than was originally proposed, but still allows sufficient time to generally enable the firm’s monitoring activities to identify deficiencies in calendar year-end engagements and the results of that monitoring to be included in the evaluation.
OTHER CHANGES TO PCAOB STANDARDS, RULES, AND FORMS
In connection with the adoption of QC 1000, the Board is also adopting other changes to its standards, rules, and forms. These include, among other changes, expanding the auditor’s responsibility to respond to deficiencies on completed engagements under an amended and retitled AS 2901, Responding to Engagement Deficiencies After Issuance of the Auditor’s Report, and related amendments to AT No. 1, Examination Engagements Regarding Compliance Reports of Brokers and Dealers, and AT No. 2, Review Engagements Regarding Exemption Reports of Brokers and Dealers; and replacing their existing standard ET 102, Integrity and Objectivity, with a new standard, EI 1000, Integrity and Objectivity, to better align their ethics requirements with the scope, approach, and terminology of QC 1000.
EFFECTIVE DATE
If approved by the SEC, the final standard and related amendments to auditing standards, rules, and forms will take effect on December 15, 2025, with the initial evaluation of the quality control system to be performed as of September 30, 2026, and initial reporting to the PCAOB by November 30, 2026. Firms will be permitted to elect to comply with the requirements of QC 1000, except reporting to the PCAOB on the annual evaluation of the quality control system, before the effective date, at any point after SEC approval of the final standard and related amendments.
The complete text of PCAOB Release No. 2024-005
is available at: https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/2024-005-qc1000.pdf?sfvrsn=355bf24_2