in

Sec Speeches Cryptocurrency Responsibilities of Lead Auditors to Conduct High-Quality Audits When Involving Other Auditors


Introduction – The Impact of Other Auditors in a Global Audit[1]

The increasing integration of world economies and the resultant globalization of multinational public companies has led to increased use of, and more significant roles for, accounting firms and individual accountants other than the lead auditor (“other auditors”) on many issuer audit engagements.[2] In 2021, for example, 26 percent of all issuer audit engagements and 57 percent of large accelerated filer audits involved the use of other auditors by the lead auditor.[3] In some cases, engagements include the use of other auditors that may not even be registered with the Public Company Accounting Oversight Board (“PCAOB”) and that work in countries with different business cultures and languages from those of the lead auditor.[4]

In light of the increased use of other auditors, it is noteworthy that recent academic research indicates an inconsistent quality of work performed by other auditors, which is potentially detrimental to investor confidence in the quality of financial information.[5] Such findings highlight the importance of the lead auditor’s role, and especially that of the lead engagement partner, to ensure investor protections by safeguarding against engagement performance failures due to inadequate planning, supervision, and oversight of other auditors.[6] As discussed throughout this statement, adherence to current auditing standards[7] can help prevent the inconsistent audit quality issues that recent academic literature reveals and that we have observed.

In this statement, we (1) discuss the auditor’s responsibilities with respect to audits involving other auditors, including members of their own network firms;[8] (2) highlight how the auditor’s responsibilities are incorporated currently in the PCAOB standards, including the PCAOB’s quality control standards; and (3) provide reminders on good practices for audit committees and issuers.

Observations on the Use of Other Auditors

We continue to observe shortcomings related to the lead auditor’s performance of its responsibilities in planning, supervising, and evaluating the work performed by other auditors, including in engagements involving the use of network-member other auditors. Recent PCAOB enforcement actions against audit firms and their personnel,[9] and related Commission staff observations, highlight troubling instances where the lead auditor used audit work performed by another, affiliated audit firm that played a “substantial role” in the audit,[10] yet was not registered with the PCAOB. An unregistered accounting firm causes a violation of PCAOB Rule 2100 whenever it plays a substantial role in the audit of an issuer—irrespective of the audit engagement structure used by the lead auditor.[11] Any lead auditor should be aware of this requirement and safeguard against such violations in its use of other auditors during an audit engagement.

In addition, Commission staff have observed technical, but critical issues in engagements involving the use of other auditors. Such issues include violations of PCAOB AS 1301, Communications with Audit Committees, when lead auditors are not attentive to the accurate legal entity name of other auditors that perform audit procedures and therefore fail to communicate correctly such auditors’ names, locations, or planned responsibilities,[12] as well as deficiencies related to Form AP, Auditor Reporting of Certain Audit Participants, which include instances where the lead auditor’s Form AP contains inaccurate or omitted information, such as failing to report the audit participation of the correct legal entity or inaccurately disclosing audit hours incurred by other accounting firms.[13] Audit committee communications and Form AP filings with the PCAOB are key mechanisms for transparency into the participation in the audit. Those communications and filing requirements underscore how critically important it is for lead auditors to prevent unregistered audit firms from playing a substantial role in the audits of issuers, and to correctly identify the role of certain other auditors.

Furthermore, because many accounting firms operate within a network of separate accounting firms, instances of faulty or incomplete communication with the audit committee risks confusing or misleading the committee into thinking that the engagement involves a single registered public accounting firm rather than a lead audit firm and other auditors within the same network. Because audit quality may not be the same in all accounting firms within a network, clear, accurate communication with the audit committee about which firms performed the work and the steps the lead auditor took to drive greater consistency in audit quality throughout the performance of the engagement is critical to the audit committee’s ability to oversee and evaluate the performance of the independent audit firm.

The Importance of Quality Controls When Using the Work of Other Auditors

Under current PCAOB quality control standards (including PCAOB QC 20 and 30),[14] registered public accounting firms must implement appropriate policies and procedures to provide the accounting firm with reasonable assurance that all relevant audits are performed in accordance with applicable PCAOB standards. Specifically, the lead auditor’s system of quality control over personnel management and supervision of the audit engagement must encompass the work of other auditors.[15] However, recent PCAOB inspection reports,[16] Commission and PCAOB enforcement actions,[17] as well as Commission staff observations, demonstrate how audit firms’ quality control systems at times fail to provide reasonable assurance that firm personnel, including personnel of other audit firms, were in compliance with applicable professional standards in an audit engagement.

We remind all auditors, regardless of their role as either lead or other auditor, of the importance of the proper design and application of quality control policies and procedures to sufficiently reduce the risks to audit quality that are inherent in audits involving other auditors. For lead auditors, an appropriately designed quality control system should include critical incremental quality control policies and procedures such that the lead auditor consistently meets its supervision and review requirements over the other auditors.

Roles of Network Firms

Network firms are often structured such that member firms are distinct legal entities and may have different systems of quality control. Other stakeholders do not always understand this structure.[18] Oftentimes, there is a mistaken assumption that the audit quality will be consistent across member firms within the same network.[19] Relatedly, a lead auditor should be mindful of the risk of its own presumptions when using the work of other auditors within its network, and should be vigilant in its supervision and review responsibilities since the lead auditor is ultimately responsible for audit quality. For example, there are unique incremental requirements applicable to the issuers with financial reporting obligations in the U.S. related to internal control over financial reporting.[20] While a few other countries have implemented regulations similar to Section 404 of SOX,[21] there are no international auditing standards analogous to PCAOB AS 2201, related to auditing the effectiveness of internal control over financial reporting. Both academic research[22] and PCAOB inspection results[23] indicate that execution of audit procedures over internal control over financial reporting is challenging for auditors outside of the U.S., including network-member firms.

The lead auditor should, among other things, consider that the professional training and experience of the lead auditor may differ from those of the other auditors, including the training and experience in performing audits of financial statements and the effectiveness of internal control over financial reporting under the PCAOB standards.[24] Networks may also include a combination of registered and unregistered audit firms and other associated entities. Unregistered audit firms performing a role in audits conducted in accordance with PCAOB’s auditing standards are required to comply with the PCAOB’s quality control standards,[25] but are not subject to PCAOB inspection.[26]

While there are no requirements for network firms to apply the same quality controls across the network, there are nonetheless market perceptions about network firms that use the same or similar branding. For example, enforcement actions and adverse inspection results for one member firm could impact the reputation of the network as a whole.[27] As network firms continue to market the importance of the role of the network to its member firms, member firms should seek to achieve consistently high audit quality throughout the network. Therefore, network firms may benefit from governance policies and procedures that support consistency and accountability among the member firms regarding the establishment and application of quality control, and supervision and review policies and procedures. This may include having strong, consistent client acceptance and continuance policies across the network, a vigorous internal inspection function, including cross-firm reviews within the network, continuous and consistent training, and robust audit methodologies and tools.

Independence Considerations for Network-Member Firms

Involvement of other auditors in an audit also elevates the risk to an auditor’s independence. Deficiencies and violations regarding independence suggest that certain auditors, specifically non-U.S. members of network firms and their personnel,[28] may not sufficiently understand SEC and PCAOB independence requirements, or have appropriate controls in place to prevent or detect violations.[29]

Members of a network firm must carefully monitor as part of their quality control systems non-audit relationships with an audit client to avoid situations that impair independence in fact or in appearance.[30] We have observed, through auditor independence consultations, instances where network firms do not consistently apply policies and procedures as a preventive measure to manage risk to the audit firm’s independence. For example, the timeliness of applying appropriate restrictions to a private audit client in an audit firm’s independence monitoring system upon notification of a potential initial public offering (“IPO”) by such audit client can vary among member firms in the same network, increasing the network firm’s risk of potentially entering into or failing to identify existing independence-impairing relationships.

An effective firm-wide, or network-wide, approach looks not only to the current impact of non-audit and business relationships on audit clients but also anticipates foreseeable future impacts, especially for those relationships that cannot be easily unwound. For example, when any member firm of a network has a business relationship with a highly acquisitive business partner, the importance of updating independence restrictions timely upon identification of even a potential event such as an IPO and the real time accuracy of a conflict monitoring system becomes all the more critical to the audit firm’s ability to maintain its independence. To that end, audit firms should consider implementing proactive measures across the network to identify and monitor foreseeable independence violations under Rule 2-01 of Regulation S‑X.[31]

Good Practices for Audit Committees and Issuers

Audit committees make significant contributions to financial reporting through their critical oversight of the independent auditors. With respect to the use of other auditors, audit committees should be actively engaging with the lead auditor to consider the sufficiency of their quality control system, specifically those policies and procedures around supervision and evaluation of the audit work performed by other auditors. This also includes giving careful consideration to the lead auditor’s use of other auditors, especially in areas of significant risk, and engaging in related dialogue in response to communication requirements.[32] Potential questions that audit committees could be asking their auditors include, but are not limited to the following:

  • Are there other participating accounting firms that play a substantial role in the audit?
  • If so, are they registered with the PCAOB and subject to PCAOB inspections?
  • How does the lead auditor supervise the audit work performed by other auditors?
  • How does the lead auditor assure that the work is being performed by other auditors that understand the requirements of the applicable financial reporting framework and the PCAOB’s auditing and related professional standards?

We also remind issuers and audit committees that if an unregistered firm plays a substantial role in the audit, the issuer’s financial statements are considered to be “not audited.”[33] Any accompanying annual report, proxy statement, or registration statement containing or incorporating by reference such financial statements creates potential liabilities for the issuer and others, and may result in time consuming and costly remediation efforts. Therefore, management and audit committees should engage with the auditors regarding the PCAOB registration status of other auditors.

Conclusion

Audit committees, issuers, and auditors all have crucial roles to ensure high quality financial reporting for the protection of investors. The expectation is that the level of audit quality in audits involving other auditors should be consistent and robust. The relevant risks should be considered and the appropriate PCAOB standards must be applied in order to strengthen lead auditors’ supervision over the work of other auditors, within and outside of network firms, to help enhance audit quality. To this end, it is imperative that the audit firm’s system of quality control is dynamic and robust, consistent with PCAOB’s quality control standards and the Commission’s auditor independence requirements, in order to appropriately identify and assess risks related to involvement of other auditors, including network firms, and design and implement the appropriate responses.


[1] The Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This statement is provided by the staff of the Office of the Chief Accountant (“OCA”) in their official capacity and does not necessarily reflect the views of the Commission, the Commissioners, or other members of the staff. “Our” and “we” are used throughout this statement to refer to OCA staff.

[2] In this context, “lead auditor” refers to the definition of lead auditor in accordance with PCAOB AS 2101, Audit Planning, paragraph .A4, as amended. By contrast, PCAOB AS 1205, Part of the Audit Performed by Other Independent Auditors, refers to the lead auditor as the “principal auditor.” We use the term “lead auditor” throughout this statement.

[3] See PCAOB Release No. 2022-002, Planning and Supervision of Audits Involving Other Auditors and Dividing Responsibility for the Audit with Another Accounting Firm (June 21, 2022) (“PCAOB’s Other Auditor Adopting Release”).

[4] PCAOB Rule 2100, Registration Requirements for Public Accounting Firms, only requires firms that perform a substantial role in an audit of an issuer, broker, or dealer to be registered with the PCAOB. However, the lead auditor’s responsibilities under the existing and amended other-auditors standards are the same with respect to use and oversight of the work of other participating audit firms regardless of whether or not they are registered with the PCAOB.

[5] See, e.g., Elizabeth Carson, Roger Simnett, Ulrike Thurheimer & Ann Vanstraelen, Involvement of Component Auditors in Multinational Group Audits: Determinants, Audit Quality, and Audit Fees, 60 Journal of Accounting Research 1419–62 (2022).

[6] The “engagement partner” is responsible for the engagement and its performance. See PCAOB AS 1201, Supervision of the Audit Engagement, paragraph .03. Accordingly, the engagement partner is responsible for proper supervision of the work of engagement team members and for compliance with PCAOB standards, including standards regarding using the work of other auditors.

[7] In 2022, the PCAOB and the Commission both unanimously approved amended standards for audits involving other auditors. See PCAOB’s Other Auditor Adopting Release, supra note 3. These amended standards, which become effective in 2024, specifically enhance the lead auditor’s responsibility with respect to the planning, supervision, and evaluation of the work of other auditors.

[8] “Network firms” for the purpose of this statement encompass all of the audit-related memberships and affiliations that registered firms must report to the PCAOB in Item 5.2 of their annual report on Form 2, including certain networks, arrangements, alliances, partnerships, and associations.

[9] Recent PCAOB enforcement actions have addressed, among other things, lead auditors’ failures to comply with their supervisory responsibilities under Section 105(c)(6) of the Sarbanes-Oxley Act of 2022 (“SOX”). See, e.g., In re KPMG LLP (United Kingdom), PCAOB Release No. 105-2022-031 (Dec. 6, 2022) (settled order); In re KPMG Inc., Cornelis Van Niekerk, and Coenraad Basson, PCAOB Release No. 105-2022-015 (Aug. 29, 2022) (same); and In re WWC, P.C., PCAOB Release No. 105-2022-006 (Apr. 19, 2022) (same).

[10] PCAOB Rule 1001, Definitions of Terms Employed in Rules, paragraph (p)(ii) states that the phrase “play a substantial role in the preparation or furnishing of an audit report” means (1) to perform material services that a public accounting firm uses or relies on in issuing all or part of its audit report, or (2) to perform the majority of the audit procedures with respect to a subsidiary or component of any issuer, broker, or dealer, the assets or revenues of which constitute 20% or more of the consolidated assets or revenues of such issuer, broker, or dealer necessary for the principal auditor to issue an audit report.

[11] There are alternative ways that audit engagements for issuers with multiple locations or business units (e.g., foreign or domestic subsidiaries, divisions, components) may be structured. For example, lead auditors may assume the responsibility for the work of other auditors (PCAOB AS 1205) or directly engage other auditors, such that the other auditors serve as an extension of the lead auditor’s engagement team (PCAOB AS 1201).

[12] See PCAOB Spotlight – Staff Update and Preview of 2021 Inspection Observations (Dec. 2022), available at https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/documents/staff-preview-2021-inspection-observations-spotlight.pdf?sfvrsn=d2590627_4.

[13] The term “other accounting firm” means (i) a registered public accounting firm other than the registered public accounting firm that is filing the Form AP with the PCAOB; or (ii) any other person or entity that opines on the compliance of any entity’s financial statements with an applicable financial reporting framework. See, e.g., PCAOB Spotlight – Staff Update and Preview of 2020 Inspection Observations (Oct. 2021); PCAOB Spotlight – Staff Update and Preview of 2021 Inspection Observations (Dec. 2022).

[14] On November 18, 2022, the Board voted to issue a proposal for a new quality control standard, QC 1000, A Firm’s System of Quality Control (“proposed QC 1000”), together with related proposed amendments to PCAOB rules, standards, and forms, for public comment. Proposed QC 1000 includes various quality control requirements related to the role of network firms. Discussion throughout this statement relates to existing QC standards (i.e., PCAOB Quality Control Section 20, System of Quality Control for a CPA Firm’s Accounting and Auditing Practice, PCAOB Quality Control Section 30, Monitoring a CPA Firm’s Accounting and Audit Practice) and not to proposed QC 1000, which has not been adopted by the PCAOB or approved by the Commission as of the date of this statement.

[15] See PCAOB QC 20.06. Additionally, the PCAOB’s Other Auditor Adopting Release continues to call for the lead auditor to evaluate the other auditors’ quality controls. For example, PCAOB AS 2101, as amended, requires the lead auditor to request and obtain an affirmation that the other auditor’s firm has the necessary policies and procedures, even in circumstances when other auditor engagement team members rely on their firm’s quality control system for independence and ethics compliance.

[16] Examples of these QC deficiencies have been identified in inspection reports issued by the PCAOB. See, e.g., PCAOB Release No. 104-2019-085A, Report on 2017 Inspection of BDO USA, LLP (June 20, 2019) (expanded inspection report posted on Dec. 15, 2022); PCAOB Release No. 104-2018-111A, Report on 2017 Inspection of BDO USA, LLP (July 12, 2018) (expanded inspection report posted on Dec. 15, 2022).

[17] Recent PCAOB and Commission enforcement actions have cited audit firms’ non-compliance with PCAOB’s quality control standards. See, e.g., In re Hall & Co. Certified Public Accts. & Consultants, Inc., PCAOB Release No. 105-2022-029 (Nov. 3, 2022) (settled order); In re PKF O’Connor Davies, LLP, PCAOB Release No. 105-2022-001 (Jan. 25, 2022) (same); In re Ernst & Young LLP, SEC Release No. 4239 (Aug. 2, 2021) (same).

[18] Misperception regarding network firm structures was addressed directly in the PCAOB’s Other Auditor Adopting Release. In explaining that the lead auditor’s oversight responsibility applies consistently, regardless of the other auditor’s affiliation with the lead auditor, the release noted that “affiliation through a network does not automatically provide the lead auditor with an understanding of the other affiliates’ processes and experience.”

[19] This may include the lead auditor’s assumption that the quality of work of affiliated firms is consistent with their own. See supra note 5.

[20] Section 404(a) of SOX requires management to assess the effectiveness of the internal control structure and procedures over financial reporting, and Section 404(b) of SOX and PCAOB AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, require the auditor to perform an audit of management’s assessment of the effectiveness of internal control over financial reporting for some issuers.

[21] Japan has adopted a mandatory internal control testing similar to the requirements of Section 404 of SOX under its Financial Instruments and Exchange Act of 2006. A few other jurisdictions have regulations similar in spirit to Section 302 of SOX. See, e.g., Udi Hoitash, Rani Hoitash & Jean C. Bedard, Corporate Governance and Internal Control over Financial Reporting: A Comparison of Regulatory Regimes, The Accounting Review 839–67 (2009); Katrien Van de Poel & Ann Vanstraelen, Management Reporting on Internal Control and Accruals Quality: Insights from a “Comply-or-Explain” Internal Control Regime, Auditing: A Journal of Practice & Theory 181–209 (August 2011).

[22] See, e.g., Denise Hanes Downey & Kimberly D. Westermann, Challenging Global Group Audits: The Perspective of US Group Audit Leads, 38 Contemporary Accounting Research 1395–1433 (2021).

[23] Examples of these deficiencies in auditor’s testing of internal control over financial reporting have been identified in inspection reports issued by the PCAOB. See, e.g., PCAOB Release No. 104-2023-032, Report on 2021 Inspection of Ernst & Young Associates LLP (India) (Dec. 8, 2022); PCAOB Release No. 104-2023-033, Report on 2021 Inspection of Ernst & Young LLP (United Kingdom) (Dec. 8, 2022).

[24] See, e.g., Michael Barrett, David J. Cooper & Karim Jamal, Globalization and the Coordinating of Work in Multinational Audits, 30 Accounting, Organizations and Society 1–24 (2005).

[25] See PCAOB AS 1110.02, Relationship of Auditing Standards to Quality Control Standards.

[26] Under Section 104 of SOX and as explained in PCAOB Rule 4003, the PCAOB annually inspects registered accounting firms that regularly provide audit reports for more than 100 issuers, while those that regularly provide audit reports for 100 or fewer issuers are inspected at least once every three calendar years, with a few limited exceptions as specified in Rule 4003. An audit firm is required to register with the PCAOB if it prepares or issues any audit report with respect to any issuer, broker, or dealer, or plays a substantial role in the preparation or furnishing of an audit report with respect to any issuer, broker, or dealer. PCAOB Rule 2100; see also supra note 10.

[27] See, e.g., Yoshie Saito & Fumiko Takeda, Global Audit Firm Networks and Their Reputation Risk, 29 Journal of Accounting, Auditing & Finance 203–37 (2014).

[28] For purposes of this section, a member of a network firm is an entity that would be considered an “associated entity” of the “accounting firm” and therefore meets the definition of “accounting firm” for purposes of compliance with Rule 2-01 of Regulation S-X.

[29] See PCAOB Release No. 2021-005, Second Supplemental Request for Comment: Proposed Amendments Related to the Supervision of Audits Involving Other Auditors and Proposed Auditing Standard – Dividing Responsibility for the Audit with Another Accounting Firm 24 (Sept. 28, 2021) (“In addition, observations from PCAOB and SEC oversight indicate that even firms within the same network may have different policies, procedures, and processes for, and may exhibit differing levels of compliance with, independence and ethics requirements.”).

[30] 17 C.F.R. § 210.2‑01.

[31] An example of a foreseeable independence violation would be when an audit firm’s business partner is a beneficial owner with significant influence over a private audit client for which the audit firm knows that it either could not or would not take the necessary actions to become independent should that private audit client choose to become an issuer.

[32] See AS 1301. As part of communicating the overall audit strategy to the audit committee, the auditor should communicate names, locations, and planned responsibilities of other auditors that perform audit procedures. See AS 1301.10d.

[33] PCAOB Rule 2100 requires that any accounting firm playing a substantial role in the audit of an issuer be registered with the PCAOB.



SEC

What do you think?

159 Points
Upvote Downvote

Written by My Crypto Lawyer

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

Sec Speeches Cryptocurrency Protecting Investors from Cyberattacks and Enhancing Cybersecurity in U.S. Capital Markets

Sec Speeches Cryptocurrency SEC.gov | Statement on Retail Options