information security

PCAOB Sees Lingering Concerns Over Audits, Cybersecurity

Nov 20th 2017
Share this content

The recent 2016 inspection cycle by the Public Company Accounting Oversight Board (PCAOB) has generated a report full of lingering concerns that include frequently noticed audit deficiencies, the evolving risk area of cybersecurity and auditor independence.

The three most often seen deficiencies include assessment and response to material misstatement risks, the auditing of internal control over financial reporting and auditing accounting estimates.

Challenges and Risk

Inspectors looked at more than 780 issuer audits in 2016 and the quality control at more than 190 firms. They targeted areas that most frequently present challenges and a good deal of risk, including that of material misstatements in financial statements and recurring deficiencies within and across firms.

According to the report, a significant number of audits that were inspected were multinational audits by auditors located in the U.S. and internationally.

Less common than the three most frequent deficiency areas — but still notable — were audit areas affected by economic risks, multinational audits and quality control.

Information Technology/Cybersecurity

According to the report, most software audit tools are being used for substantive audit procedures. Some firms have developed their own tools or customized those that were purchased. Some tools also are used for risk assessment.

Those firms that have had what the report calls “a cybersecurity incident” whose reports were inspected in 2016 apparently were not associated with the risk of material misstatements of financial statements – including disclosures – or material weaknesses in internal control.

Still, inspectors believe cybersecurity is “an evolving risk area” that needs continued scrutiny, the report states. A key consideration is whether cybersecurity risks could raise the risk of material misstatements and if firms should change their audit process. That could include testing general controls in their information technology system.

Auditor Independence

Inspectors continue to find problems with auditors who aren’t in compliance with rules and regulations of the PCAOB and Securities and Exchange Commission (SEC) that require independence from clients during the audit and professional engagement period.

The compliance infractions include:

  • Auditors’ misapplication of Rule 2-01(d) of SEC Regulation S-X and the wrong conclusion that a lack of independence has not impaired the firm’s independence.
  • Inadequate communication to the audit committee about the extent of tax consulting and the potential effect of those services on the firm’s independence.
  • Auditor-client agreements in which the client agrees to indemnify the auditor against liability or expense resulting from the engagement.
  • Unallowed non-audit services being provided during the audit period, including bookkeeping and management duties, but prior to auditor engagement.
  • Auditors who failed to inform the audit committee about independence.

Further, inspectors found instances in which auditors were unqualified to be engagement quality reviewers because they had been an engagement partner during either of the two audits before the audit currently under review.

So what’s the upshot? More due diligence.

Firms need to evaluate their quality control process and how effective it is, and “root cause” analyses of the deficiencies may help remediate systemic issues, the report states.

In fact, various firms are working to develop root cause analyses and have been challenging their prior assessments of what causes audit deficiencies.

“Firms should evaluate whether auditors have a sufficient understanding of PCAOB standards in these areas of recurring deficiencies, whether engagement team leadership is providing appropriate supervision of audit work performed by less experienced staff, and whether [engagement quality reviewers] have evaluated the significant judgments made by the audit team and the related conclusions reached in forming the overall conclusion on the audit and preparing the report,” the report states.