Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules on a Firm's System of Quality Control and Related Amendments to PCAOB Standards, 49588-49728 [2024-12692]

Download as PDF 49588 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices SECURITIES AND EXCHANGE COMMISSION A. Board’s Statement of the Purpose of, and Statutory Basis for, the Proposed Rules [Release No. 34–100277; File No. PCAOB– 2024–02] (a) Purpose Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules on a Firm’s System of Quality Control and Related Amendments to PCAOB Standards June 5, 2024. Pursuant to section 107(b) of the Sarbanes-Oxley Act of 2002 (the ‘‘Act’’), notice is hereby given that on May 24, 2024, the Public Company Accounting Oversight Board (the ‘‘Board’’ or the ‘‘PCAOB’’) filed with the Securities and Exchange Commission (the ‘‘Commission’’) the proposed rules described in items I and II below, which items have been prepared by the Board. The Commission is publishing this notice to solicit comments on the proposed rules from interested persons. I. Board’s Statement of the Terms of Substance of the Proposed Rules On May 13, 2024, the Board adopted A Firm’s System of Quality Control and Other Amendments to PCAOB Standards, Rules, and Forms (collectively, the ‘‘proposed rules’’). The text of the proposed rules appears in Exhibit A to the SEC Filing Form 19b– 4 and is available on the Board’s website at Docket 046 | PCAOB (pcaobus.org) and at the Commission’s Public Reference Room. khammond on DSKJM1Z7X2PROD with NOTICES2 II. Board’s Statement of the Purpose of, and Statutory Basis for, the Proposed Rules In its filing with the Commission, the Board included statements concerning the purpose of, and basis for, the proposed rules and discussed any comments it received on the proposed rules. The text of these statements may be examined at the places specified in Item IV below. The Board has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements. In addition, the Board is requesting that the Commission approve the proposed rules, pursuant to section 103(a)(3)(C) of the Sarbanes-Oxley Act, for application to audits of emerging growth companies (‘‘EGCs’’), as that term is defined in section 3(a)(80) of the Securities Exchange Act of 1934 (‘‘Exchange Act’’). The Board’s request is set forth in section D. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 The Board adopted a new PCAOB quality control (‘‘QC’’) standard that it believes will lead registered public accounting firms (‘‘firms’’) to significantly improve their QC systems. An effective QC system protects investors by facilitating the consistent preparation and issuance of informative, accurate, independent, and compliant engagement reports. Properly conducted audits and other engagements enhance the confidence of investors and other market participants in the information firms report on. The Board adopted an integrated, riskbased standard, QC 1000, A Firm’s System of Quality Control, that mandates quality objectives and key processes for all firms’ QC systems, with a focus on accountability and continuous improvement. The Board has designed QC 1000 to be applied by firms of varying size and complexity. If approved by the U.S. Securities and Exchange Commission (the ‘‘SEC’’), the Board believes this new standard will lead firms to better serve investors by more consistently complying with the professional and legal requirements that apply to PCAOB engagements. In connection with the adoption of QC 1000, the Board also adopted other changes to its standards, rules, and forms. QC 1000 and the other changes adopted substantially reflect the Board’s November 2022 proposal,1 but have been modified in response to commenter input. In a separate release, the Board also adopted a new auditing standard, AS 1000, General Responsibilities of the Auditor in Conducting an Audit, that addresses the general principles and responsibilities of the auditor.2 This release includes references to AS 1000, where appropriate Improving the Board’s QC Standards The Board strongly believes that an effective quality control system facilitates continuous improvement. Over time, the PCAOB’s oversight experience suggests that firm QC systems fall short. For example, PCAOB inspectors observed that approximately 1 See A Firm’s System of Quality Control and Other Proposed Amendments to PCAOB Standards, Rules, and Forms, PCAOB Rel. No. 2022–006 (Nov. 18, 2022) (‘‘proposal’’ or ‘‘proposed standards’’), available on the Board’s website in Docket 046. 2 See General Responsibilities of the Auditor in Conducting an Audit and Amendments to PCAOB Standards, PCAOB Rel. No. 2024–004 (May 13, 2024) (‘‘Auditor Responsibilities Release’’). PO 00000 Frm 00002 Fmt 4701 Sfmt 4703 40% of the issuer audits they reviewed in 2022 had one or more deficiencies where the auditor failed to obtain sufficient appropriate audit evidence to support its opinion, an increase of six percentage points over the deficiency rate in 2021 and 11 percentage points over the rate in 2020.3 In all those cases, auditors issued audit opinions without completing the audit work that PCAOB standards require for them to obtain reasonable assurance about whether the financial statements were free of material misstatement and/or whether the issuers maintained, in all material respects, effective internal control over financial reporting. Every step of this rulemaking—from the December 2019 concept release,4 to the proposal, to adoption—has been informed by extensive research and outreach, as well as by PCAOB inspections and enforcement activities. The PCAOB’s current QC standards were developed decades ago and issued by the American Institute of Certified Public Accountants (‘‘AICPA’’) before the PCAOB was established. The auditing environment has changed significantly since that time, including evolving and greater use of technology, and increasing auditor use of outside resources, such as other accounting firms and providers of support services. Firms themselves have also changed significantly, as has the role of firm networks. And advances in internal control, quality management, and enterprise risk management suggest that factors such as active involvement of leadership, focus on risk, clearly defined objectives, objective-oriented processes, monitoring, and remediation of identified issues can contribute to more effective QC. These developments have, in part, led to PCAOB advisory groups’ general support for strengthening the QC standards, including through risk-based elements and enhanced requirements for firm governance and leadership. Taking into account those considerations, as well as the comments the Board received on the concept release and proposal, the Board believes that improving PCAOB standards will lead firms to improve their QC systems. This should result in more consistent 3 See Spotlight: Staff Update and Preview of 2022 Inspection Observations (July 2023) (‘‘2022 Inspection Observations Preview’’), at 3, available at https://assets.pcaobus.org/pcaob-dev/docs/ default-source/documents/spotlight-staff-preview2022-inspection-observations.pdf?sfvrsn= 1b116d49_4. 4 See Concept Release, Potential Approach to Revisions to PCAOB Quality Control Standards, PCAOB Rel. No. 2019–003 (Dec. 17, 2019) (‘‘concept release’’), available on the Board’s website in Docket 046. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 compliance with applicable requirements, which ultimately better serves and protects investors. The specific improvements the Board adopted include: • Emphasizing accountability, firm culture and the ‘‘tone at the top,’’ and firm governance through requirements for specified roles within and responsibilities for the QC system, including at the highest levels of the firm; quality objectives that link compensation to quality; and, for the largest firms, the requirement of an independent perspective in firm governance; • Striking the right balance between a risk-based approach to QC—which should drive firms to proactively identify and manage the specific risks associated with their practice—and a set of mandates, including required risk assessment and other QC-related processes, quality objectives, and quality responses—which should assure that the QC system is designed, implemented, and operated with an appropriate level of rigor; • Addressing changes in the audit practice environment, including the increasing participation of other firms and other outside resources, the role of firm networks, the evolving use of technology and other resources, and the increasing importance of internal and external firm communications; • Broadening responsibilities for monitoring and remediation of deficiencies to create a more effective ongoing feedback loop that drives continuous improvement; and • Requiring a rigorous annual evaluation of the firm’s QC system and related reporting to the PCAOB, certified by key firm personnel, to underscore the importance of the annual evaluation of the QC system, reinforce individual accountability, and support PCAOB oversight. Framework of the QC Standard The Board carefully considered the characteristics of an appropriate framework for a PCAOB QC standard that could accomplish its regulatory goals. As a threshold issue, section 103 of the Sarbanes-Oxley Act of 2002 (‘‘Sarbanes-Oxley’’) provides that PCAOB QC standards must include requirements regarding certain specified matters, and also grants the Board broad authority to include such other requirements as it may prescribe in carrying out its investor protection mandate. The Board also considered how best to capture areas it had identified for improvement and how best to foster consistent, compliant implementation by the firms it VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 regulates. Because the Board believes it is the best structure for accomplishing its goals, the Board adopted the QC 1000 framework as proposed. The Board notes that the framework has commonalities with other international and domestic standards for firm QC systems, though it goes beyond those requirements in a number of areas, including with regard to firm governance of the largest firms, more specific requirements for monitoring and remediation and the evaluation of the QC system, an ethics and independence component aligned with SEC and PCAOB requirements, and more specific provisions addressing technology and externally communicated firm-level and engagement-level information and metrics. The Board believes that building on a well-understood basic framework, appropriately tailored and strengthened to address its legal and regulatory environment and its investor protection mandate, will enable firms to implement and comply with QC 1000 more effectively. In designing, implementing, and operating their QC systems, firms that are subject to both PCAOB standards and other international or domestic QC standards—which the Board believes constitute a very substantial majority of the firms that perform engagements under PCAOB standards—can leverage the work they have already done and the investments they have already made to comply with those other requirements. QC 1000 The Board developed QC 1000 with a view to its statutory mandate to protect the interests of investors and the public interest, and the Board believes the new standard will facilitate the consistent preparation and issuance of informative, accurate, and independent engagement reports. The final standard provides a framework for a QC system that is grounded in an ongoing process of proactively identifying and managing risks to quality, with a feedback loop from ongoing monitoring and remediation that should drive continuous improvement, an explicit focus on firm governance and leadership, firm culture, and individual accountability, and specific direction in a number of areas that current PCAOB standards do not address directly. QC 1000 primarily consists of: Two process components • The firm’s risk assessment process • The monitoring and remediation process PO 00000 Frm 00003 Fmt 4701 Sfmt 4703 49589 Six components that address aspects of the firm’s organization and operations • Governance and leadership • Ethics and independence • Acceptance and continuance of engagements • Engagement performance • Resources • Information and communication Requirements for evaluation of and reporting on the QC system • Annual evaluation of the effectiveness of the QC system • Reporting to the PCAOB on the QC system evaluation The standard also includes requirements regarding individual roles and responsibilities in the QC system and documentation requirements. Scalability In the Board’s view, the basic objectives of the QC system should be the same for all firms, but the scope of the QC standard and how it applies should take into account the wide disparities in nature and circumstances across registered firms, in particular the extent to which their practices include engagements required to be performed under PCAOB standards and the complexity of such engagements. The risks that firms face, and therefore the specific policies and procedures necessary to appropriately serve investor interests through an effective QC system, vary significantly from the largest firms, operating as part of global networks, to local firms or sole proprietorships. QC 1000 establishes a uniform basic structure to be used by all firms, within which firms will be required to pursue an approach to quality control that is appropriate in light of the risks associated with their particular PCAOB audit practice. Aspects of the new standard are riskbased, and to that extent inherently scalable. In addition, it imposes more stringent requirements for the largest firms in some areas, while enabling smaller firms to comply with the core requirements in ways that take into account these firms’ size and the complexity of audits performed by them. Scalability: Larger PCAOB Audit Practice The Board believes that firms with a particularly extensive PCAOB audit practice (i.e., those that issue audit reports for more than 100 issuers per year) should be subject to enhanced requirements, given such firms’ greater complexity and the relatively greater public interest implicated by the fact that they audit companies that make up E:\FR\FM\11JNN2.SGM 11JNN2 49590 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices a substantial majority of U.S. public market capitalization. The incremental requirements under QC 1000 for such firms include: • An external oversight function for the QC system compose of one or more persons who can exercise independent judgment related to the QC system; • A program for collecting and addressing complaints and allegations that includes confidentiality protections; • An automated system to track investments that may bear on independence; and • Required monitoring of in-process engagements. Scalability: Smaller PCAOB Audit Practice Many firms perform only a small number of PCAOB engagements per year and are subject to resource constraints that larger PCAOB audit practices do not face. The Board has addressed the particular needs of these firms in a number of ways, including: • Providing that a single individual may be assigned more than one of the QC system oversight roles required under the standard; and • Allowing firms that issue five or fewer engagement reports for issuers or broker-dealers in a year to include audits not performed under PCAOB auditing standards in some of their monitoring activities. khammond on DSKJM1Z7X2PROD with NOTICES2 Scalability: Firms That Do Not Have Responsibilities in Relation to a PCAOB Engagement All registered firms will be required to design a QC system that meets the requirements of QC 1000. Firms will be required to implement and operate the QC system in compliance with QC 1000 when they lead an engagement under PCAOB standards, play a substantial role in the preparation or furnishing of an audit report (as defined in PCAOB rules), or have current responsibilities under applicable professional and legal requirements regarding any such engagement. This approach reflects the Board’s view that all firms that register with the PCAOB should be appropriately prepared to perform a PCAOB engagement, regardless of whether they are currently subject to requirements with respect to one, while limiting the costs of compliance in circumstances where the risk to investor protection is minimal. Key Changes From the QC 1000 Proposal Key changes from the proposal include: VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 • For the firms with larger PCAOB audit practices, the requirement to include an independent oversight function for their QC system has been refined. Under the final rule, the external quality control function (‘‘EQCF’’) will be composed of one or more persons who are not principals or employees of the firm and do not otherwise have a relationship with the firm that would interfere with the exercise of independent judgment with regard to matters related to the QC system. The responsibilities of the EQCF may vary across firms but include, at a minimum, evaluating the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system. • The final rule requires firms to report on their QC system evaluation to the PCAOB, but not to the audit committee, as proposed. Legal constraints limit our ability to require public disclosures about the effectiveness of firms’ QC systems at the level that some investors have requested. While the final rule recognizes the impediments to requiring public disclosure of QC system evaluation, the Board remains committed to finding additional ways of providing public disclosure to better inform investors about firms and PCAOB audit engagements. To that end, we have separately proposed a set of firm-level and engagement-level metrics across 11 areas that would be reported publicly. • The timing of the QC system evaluation and reporting has changed. Under the final rule, the evaluation date for the annual evaluation of the QC system is September 30, rather than November 30 as proposed, with Form QC due by November 30 rather than January 15 of the following year. This shift allows more time between the evaluation date and the filing date than we proposed, but still allows sufficient time to generally enable the firm’s monitoring activities to identify deficiencies in calendar year-end engagements and the results of that monitoring to be included in the evaluation. Other Changes to PCAOB Standards, Rules, and Forms In connection with the adoption of QC 1000, the Board also adopted other changes to PCAOB standards, rules, and forms. These include, among other changes, expanding the auditor’s responsibility to respond to deficiencies on completed engagements under an amended and retitled AS 2901, Responding to Engagement Deficiencies PO 00000 Frm 00004 Fmt 4701 Sfmt 4703 After Issuance of the Auditor’s Report, and related amendments to AT No. 1, Examination Engagements Regarding Compliance Reports of Brokers and Dealers, and AT No. 2, Review Engagements Regarding Exemption Reports of Brokers and Dealers; and replacing the existing standard ET 102, Integrity and Objectivity, with a new standard, EI 1000, Integrity and Objectivity, to better align PCAOB ethics requirements with the scope, approach, and terminology of QC 1000. Effective Date If approved by the SEC, the final standard and related amendments to auditing standards, rules, and forms will take effect on December 15, 2025, with the initial evaluation of the QC system to be performed as of September 30, 2026, and initial reporting to the PCAOB by November 30, 2026. Firms will be permitted to elect to comply with the requirements of QC 1000, except reporting to the PCAOB on the annual evaluation of the QC system, before the effective date, at any point after SEC approval of the final standard and related amendments. (b) Statutory Basis The statutory basis for the proposed rules is Title I of Sarbanes-Oxley. B. Board’s Statement on Burden on Competition Not applicable. The Board’s consideration of the economic impacts of the proposed rules is discussed in section D below. C. Board’s Statement on Comments on the Proposed Rules Received From Members, Participants or Others The Board issued a concept release regarding potential changes to quality control standards for public comment in PCAOB Release No. 2019–003 (Dec. 17, 2019). The Board received 36 written comment letters on the concept release. The Board released the proposed rule amendment for public comment in PCAOB Release No. 2022–006 (Nov. 18, 2022). The Board received 43 written comment letters on its proposal. The Board has carefully considered all comments received. The Board’s response to the comments it received and the changes made to the rules in response to the comments received are discussed below. Background This section presents background information on this rulemaking, including an overview of existing PCAOB QC requirements and current practice, a review of other developments E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices since the current QC requirements were adopted, a summary of relevant actions taken by other standard setters, a discussion of PCAOB research and outreach efforts related to QC, the December 2019 concept release and 2022 proposal, and a summary of the key areas the Board has identified for improvement of the QC standards. Overview of Existing Requirements and Current Practice 1. Requirements of the Sarbanes-Oxley Act of 2002 Sarbanes-Oxley requires the Board to establish certain professional standards, including quality control standards, to be used by registered public accounting firms in the preparation and issuance of audit reports for issuers, brokers, and dealers.5 Furthermore, Sarbanes-Oxley requires the PCAOB’s QC standards to address: • Monitoring of professional ethics and independence from issuers, brokers, and dealers on behalf of which the firm issues audit reports; • Consultation within the firm on accounting and auditing questions; • Supervision of audit work; • Hiring, professional development, and advancement of personnel; • Acceptance and continuation of engagements; • Internal inspection; and • Such other requirements as the Board may prescribe.6 2. Current PCAOB QC Standards khammond on DSKJM1Z7X2PROD with NOTICES2 Under current PCAOB standards, a QC system is a process to provide a firm with reasonable assurance that its personnel comply with applicable professional standards and the firm’s standards of quality.7 The QC system encompasses the firm’s organizational structure and the policies adopted and procedures established to provide that reasonable assurance.8 Current PCAOB QC standards were adopted on an interim, transitional basis in 2003 from QC standards originally 5 See sections 101(c)(2) and 103(a)(1) of SarbanesOxley, 15 U.S.C. 7211(c)(2), 7213(a)(1). This release uses the terms ‘‘issuer,’’ ‘‘broker,’’ and ‘‘dealer’’ as defined in Sarbanes-Oxley. See section 2(a)(7) of Sarbanes-Oxley, 15 U.S.C. 7201(7) (defining ‘‘issuer’’); Sections 110(3) and (4) of SarbanesOxley, 15 U.S.C. 7220(3), (4) (defining ‘‘broker’’ and ‘‘dealer’’); see also PCAOB Rules 1001(b)(iii), (d)(iii), (i)(iii) (defining ‘‘broker,’’ ‘‘dealer,’’ and ‘‘issuer,’’ respectively). Entities that are brokers or dealers or both are sometimes referred to herein as ‘‘broker-dealers.’’ 6 See section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C. 7213(a)(2)(B). 7 See paragraph .03 of QC 20, System of Quality Control for a CPA Firm’s Accounting and Auditing Practice. 8 See QC 20.04. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 developed and issued by the AICPA.9 They include three general QC standards that apply to all firms.10 Beyond that, they also include certain requirements of membership in the AICPA’s former SEC Practice Section (‘‘SECPS’’), which apply only to firms that were SECPS members immediately prior to the adoption of the PCAOB’s interim QC standards. Below is an overview of the general QC standards and the SECPS member requirements. a. General QC Standards i. QC 20, System of Quality Control for a CPA Firm’s Accounting and Auditing Practice QC 20 provides that a firm should have a system of quality control that provides the firm with reasonable assurance that its personnel comply with applicable professional standards and the firm’s standards of quality.11 In the context of engagement performance, the system of quality control should also provide reasonable assurance that the work performed meets applicable regulatory requirements.12 The firm’s quality control policies and procedures should address the following elements: • Independence, integrity, and objectivity; • Personnel management; • Acceptance and continuance of clients and engagements; • Engagement performance; and • Monitoring.13 These elements of quality control are interrelated.14 Policies and procedures should be established to provide the firm with reasonable assurance with respect to each of these elements of QC. An appropriate individual or individuals in the firm should be assigned responsibility for the design and maintenance of the various quality control policies and procedures.15 These policies and procedures should be communicated in a manner that provides reasonable assurance that personnel will understand and comply.16 Additionally, documentation 9 See PCAOB Rule 3400T, Interim Quality Control Standards; see also Establishment of Interim Professional Auditing Standards, PCAOB Rel. No. 2003–006 (Apr. 18, 2003). 10 Under PCAOB Rule 3400T(a), all firms are required to comply with QC standards as described in ‘‘the AICPA’s Auditing Standards Board’s Statements on Quality Control Standards, as in existence on April 16, 2003 (AICPA Professional Standards, QC §§ 20–40 (AICPA 2002)), to the extent not superseded or amended by the Board.’’ 11 See QC 20.03. 12 See QC 20.17. 13 See QC 20.07. 14 See QC 20.08. 15 See QC 20.22. 16 See QC 20.23. PO 00000 Frm 00005 Fmt 4701 Sfmt 4703 49591 should be prepared to demonstrate compliance with the firm’s policies and procedures for the elements of quality control.17 ii. QC 30, Monitoring a CPA Firm’s Accounting and Auditing Practice QC 30 addresses how a firm should implement the monitoring element of quality control discussed in QC 20. Monitoring involves an ongoing consideration and evaluation of the following: • The relevance and adequacy of the firm’s policies and procedures; • The appropriateness of the firm’s guidance materials and any practice aids; • The effectiveness of professional development activities; and • Compliance with the firm’s policies and procedures.18 Under QC 30, monitoring procedures should enable the firm to obtain reasonable assurance that its system of quality control is effective.19 A firm’s monitoring procedures may include: • Inspection procedures; • Pre-issuance or post-issuance review of selected engagements; • Analysis and assessment of: • New professional pronouncements; • Results of independence confirmations; • Continuing professional education (‘‘CPE’’) and other professional development activities undertaken by firm personnel; • Decisions related to acceptance and continuance of client relationships and engagements; • Interviews of firm personnel; • Determination of any corrective actions to be taken and improvements to be made in the quality control system; • Communication to appropriate firm personnel of any weaknesses identified in the quality control system or in the level of understanding or compliance therewith; and • Follow-up by appropriate firm personnel to ensure that any necessary modifications are made to the quality control policies and procedures on a timely basis.20 The nature and extent of monitoring procedures generally depends on the firm’s size and the nature and complexity of the firm’s practice.21 QC 30 provides that individuals in a small firm may perform monitoring procedures, including post-issuance review of engagement working papers, reports, and clients’ financial 17 See QC 20.25. QC 30.02. 19 See QC 30.03. 20 See QC 30.03. 21 See, e.g., QC 30.05, .10, .11. 18 See E:\FR\FM\11JNN2.SGM 11JNN2 49592 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 statements, with respect to their own compliance with the firm’s QC policies and procedures, but only if such individuals are able to critically review their own performance, assess their own strengths and weaknesses, and maintain an attitude of continual improvement.22 iii. QC 40, The Personnel Management Element of a Firm’s System of Quality Control—Competencies Required by a Practitioner-in-Charge of an Attest Engagement QC 40 addresses the personnel management element of the quality control system. Personnel management includes hiring, assigning personnel to engagements, professional development, and advancement activities. Policies and procedures should be established to provide the firm with reasonable assurance that: • Those hired possess the appropriate characteristics to enable them to perform competently. • Work is assigned to personnel having the degree of technical training and proficiency required in the circumstances. Personnel participate in general and industry-specific continuing professional education and other professional development activities that enable them to fulfill responsibilities assigned, and satisfy applicable professional education requirements of the AICPA, and regulatory agencies. • Personnel selected for advancement have the qualifications necessary for fulfillment of the responsibilities they will be called on to assume.23 A firm’s policies and procedures related to personnel management should be designed to provide a firm with reasonable assurance that practitioners-in-charge of engagements (i.e., engagement partners) possess the kinds of competencies that are appropriate given the circumstances of the client engagement.24 Competencies are the knowledge, skills, and abilities that enable an engagement partner to be qualified to perform an engagement.25 Competencies may be gained in various ways, including through relevant industry, governmental, and academic positions.26 A firm’s policies and procedures should ordinarily address the following competencies for an engagement partner: • Understanding of the role of a system of quality control and a code of professional conduct; • Understanding of the service to be performed; 22 See QC 30.09, .10. QC 40.02. 24 See QC 40.03. 25 See QC 40.04. 26 See QC 40.05. 23 See VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 • Technical proficiency; • Familiarity with the industry; • Professional judgment; and • Understanding the organization’s information technology systems.27 Under QC 40, these competencies are interrelated.28 When establishing policies and procedures related to competencies needed by an engagement partner, a firm may need to consider the requirements of policies and procedures established for other elements of quality control.29 b. SECPS Member Requirements The SECPS was a division of the AICPA for U.S. firms that audited public companies, which established incremental quality control requirements for its members. The SECPS requirements originally applied to all U.S. firms that audited public companies under AICPA standards. The SECPS ceased to exist following the establishment of the PCAOB. Under PCAOB rules, certain SECPS requirements still apply to firms that were members of the SECPS as of April 16, 2003.30 Based on current registration data, the SECPS member requirements apply to 201 (approximately 12% of) PCAOB-registered firms, including 11 of the 14 annually inspected firms in 2023. i. Section 1000.08(d)—Continuing Professional Education of Audit Firm Personnel Section 1000.08(d) requires SECPS member firms to ensure that all professionals residing in the United States, both CPAs and non-CPAs, participate in at least 20 hours of qualifying CPE every year and at least 120 hours every three years.31 Professionals who devote at least 25% of their time to performing audit, review, or other attest engagements, or who have responsibility for supervision or review of such engagements, must obtain at least 40% of their CPE hours in subjects related to accounting and auditing.32 27 See QC 40.08. QC 40.09. 29 See QC 40.10. 30 PCAOB Rule 3400T(b) requires certain firms to comply with QC standards as described in ‘‘the AICPA SEC Practice Section’s Requirements of Membership (d), (l), (m), (n)(1) and (o), as in existence on April 16, 2003 (AICPA SEC Practice Section Manual 1000.08(d), (j), (m), (n)(1) and (o)), to the extent not superseded or amended by the Board.’’ The note to Rule 3400T provides that those requirements ‘‘only apply to those registered public accounting firms that were members of the AICPA SEC Practice Section on April 16, 2003.’’ One of the SECPS member requirements, concerning concurring partner review, was superseded in 2009 by the PCAOB’s adoption of AS 1220, Engagement Quality Review. 31 See SECPS 1000.08(d). 32 See SECPS 1000.08(d). 28 See PO 00000 Frm 00006 Fmt 4701 Sfmt 4703 Additional information on Section 1000.08(d)’s CPE requirements appears in SECPS Section 8000, Continuing Professional Education Requirements Effective for Educational Years Beginning After May 31, 2002.33 That information is summarized into three categories: (1) record-keeping for each professional to ensure that each professional adheres to all CPE requirements; (2) adherence to standards for CPE program sponsors for each program sponsored by the member firm; and (3) compliance with additional CPE requirements of the SECPS.34 Appendix A to Section 8000 includes the AICPA policies related to CPE. ii. Section 1000.08(l)—Communication by Written Statement to All Professional Personnel of Firm Policies and Procedures on the Recommendation and Approval of Accounting Principles, Present and Potential Client Relationships, and the Types of Services Provided Section 1000.08(l) requires SECPS member firms to communicate, through a written statement, to all professional firm personnel the broad principles that influence the firm’s quality control and operating policies and procedures.35 Periodic communication also must inform professional firm personnel that compliance with those principles is mandatory.36 iii. Section 1000.08(m)—Notification of the Commission of Resignations and Dismissals From Audit Engagements for Commission Registrants Section 1000.08(m) requires that, if an SECPS member firm has resigned, declined to stand for reelection, or been dismissed as the auditor of an SEC registrant and the registrant has not reported the change in auditors to the SEC in a timely filed Form 8–K, the member firm is to report that the clientauditor relationship has ceased directly, in writing, to the former SEC client and the SEC within five business days.37 33 See SECPS 1000.08(d) (referring, in a footnote, to Section 8000). 34 See SECPS 8000. 35 See SECPS 1000.08(l). Section 1000.08(l) includes a cross-reference to Appendix H SECPS Section 1000.42, Illustrative Statement of Firm Philosophy, which provides an illustration of such a statement. 36 See id. 37 See SECPS 1000.08(m). Section 1000.08(m) cross-references Appendix D SECPS Section 1000.38, Revised Definition of an SEC Client, which provides the definition of an SEC client, as well as Appendix I SECPS Section 1000.43, Standard Form of Letter Confirming the Cessation of the ClientAuditor Relationship, which provides a standard form of such report. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices iv. Section 1000.08(n)—Audit Firm Obligations With Respect to the Policies and Procedures of Correspondent Firms and of Other Members of International Firms or International Associations of Firms Section 1000.08(n) requires SECPS member firms that are members of, correspondents with, or similarly associated with international firms or international associations of firms to seek adoption of policies and procedures that are consistent with the objectives in Appendix K (SECPS Section 1000.45), SECPS Member Firms With Foreign Associated Firms That Audit SEC Registrants.38 Appendix K was adopted with the intention of enhancing the quality of SEC filings by issuers whose financial statements are audited by foreign associated firms of SECPS member firms.39 It requires SECPS member firms to seek adoption by their international organizations or individual foreign associated firms of certain policies and procedures, including: • Procedures to be performed on certain SEC filings by a filing reviewer who is knowledgeable in applicable accounting and auditing standards, independence requirements, and SEC rules and regulations; • Inspection procedures for a sample of audit engagements performed by foreign associated firms for issuer clients, to be performed by inspection reviewers who are knowledgeable in the same areas as filing reviewers; and • Policies and procedures under which disagreements between the filing or inspection reviewer and the audit partner-in-charge should be resolved in accordance with the policy of the international organization or the filing or inspection reviewer’s firm.40 khammond on DSKJM1Z7X2PROD with NOTICES2 v. Section 1000.08(o)—Policies and Procedures To Comply With Independence Requirements Section 1000.08(o) requires SECPS member firms to have policies and procedures in place to comply with applicable independence requirements.41 Section 1000.08(o) cross-references Appendix L, SECPS Section 1000.46, Independence Quality Controls, which requires firms to establish written policies 42 covering relationships with ‘‘restricted entities,’’ 38 See SECPS 1000.08(n). SECPS 1000.45.01. 40 See id. 41 See SECPS 1000.08(o). 42 PCAOB rules do not mandate that writings be paper-based. See, e.g., paragraph .04 of AS 1215, Audit Documentation (audit documentation may be in the form of paper, electronic files, or other media). 39 See VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 for example, relationships between the restricted entity and the member firm, its benefit plans, and its professionals.43 These relationships include investments, loans, brokerage accounts, business relationships, employment relationships, proscribed services, and fee arrangements.44 Firms should maintain a database that includes all restricted entities (‘‘restricted entity list’’) and make the restricted entity list available to the firm’s professionals and to foreign associated firms.45 A senior-level partner should be designated to oversee the independence policies and maintain and communicate the restricted entity list.46 The policies and procedures also should require: • Reviewing the restricted entity list prior to obtaining any security; • Obtaining independence certifications from the firm’s professionals; • Reporting violations of policies; • Establishing a monitoring system; and • Developing policies for potential sanctions for violations of the firm’s policies and procedures or professional independence requirements.47 The policies and procedures should be made available to all professionals and a training program should be established to provide reasonable assurance that professionals understand the policies.48 3. Observations From Oversight Activities In the course of conducting inspections of registered public accounting firms 49 and investigating potential violations of PCAOB standards and other related laws and rules governing audits of public companies and audits and attestation engagements of broker-dealers, the PCAOB may identify deficiencies in firms’ execution of engagements and in firms’ QC systems. Oversight activities also help the PCAOB to identify good practices, both for engagements and for QC systems. The PCAOB also considers information derived from the SEC’s enforcement program. Over time, firms have implemented a number of changes to their QC systems to remediate deficiencies identified through the PCAOB’s inspections 43 See SECPS 1000.46 (requirement 1). id. 45 See SECPS 1000.46 (requirements 4, 5, and 6). 46 See SECPS 1000.46 (requirement 5). 47 See SECPS 1000.46 (requirement 7). 48 See SECPS 1000.46 (requirement 3). 49 The information on inspections and remediation efforts is limited to those firms that are subject to inspection by the PCAOB. 44 See PO 00000 Frm 00007 Fmt 4701 Sfmt 4703 49593 program.50 Examples of changes firms have made in response to the Board’s inspections include: 51 • Independence—Creating automated links between the firm’s tools for tracking subcontractors and evaluating and tracking business relationships to ensure that independence evaluations are complete and timely; • Engagement Performance— Implementing new policies and procedures for engagement teams to focus on obtaining a thorough understanding of how issuers initiate, record, process, and report significant classes of transactions and how that information is recorded in the financial statements; • Resources—Creating a committee to evaluate partner performance in relation to audit quality and establishing an accountability framework with penalties for negative audit quality events; • Monitoring and Remediation— Adding new leadership positions to the internal inspection program, developing new analysis and reporting of internal inspection findings, and disseminating such findings more broadly; and • Monitoring and Remediation— Adding in-process review and coaching programs to assist engagement teams in certain challenging areas, including internal control over financial reporting (‘‘ICFR’’) and accounting estimates. Observations from PCAOB oversight activities have shown that improvements in quality controls can enhance the quality of engagements.52 However, PCAOB inspections continue to identify deficiencies related to engagements and the operation of firm QC systems, suggesting that not all firms have made meaningful improvements in these areas. Moreover, the pervasiveness of recent findings regarding such 50 Additional information about the PCAOB remediation process is available on the PCAOB website at https://pcaobus.org/oversight/ inspections/remediation/remediation_process. 51 Examples are drawn from firms’ Rule 4009 submissions. A Rule 4009 submission is a confidential submission prepared by a firm, pursuant to PCAOB Rule 4009, Firm Response to Quality Control Defects, concerning the ways in which a firm has addressed a QC criticism. For additional background, see The Process for Board Determinations Regarding Firms’ Efforts to Address Quality Control Criticisms in Inspection Reports, PCAOB Rel. No. 104–2006–077 (Mar. 21, 2006). 52 See, e.g., Spotlight: Staff Update and Preview of 2021 Inspection Observations (Dec. 2022) (‘‘2021 Inspection Observations Preview’’), at 20–22, available at https://assets.pcaobus.org/pcaob-dev/ docs/default-source/documents/staff-preview-2021inspection-observations-spotlight.pdf?sfvrsn= d2590627_4; Staff Inspection Brief: Staff Preview of 2018 Inspections Observations (May 6, 2019) (‘‘2018 Inspection Observations Preview’’), at 1–4, available at https://pcaob-assets.azureedge.net/ pcaob-dev/docs/default-source/inspections/ documents/staff-preview-2018-inspectionobservations.pdf?sfvrsn=b5f8cb09_0. E:\FR\FM\11JNN2.SGM 11JNN2 49594 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices deficiencies—both in terms of the number of firms affected and the percentage of deficient engagements— suggests that an updated QC standard is needed to drive proactive, systemic, and consistent improvements in audit quality rather than just case-by-case improvements in response to firmspecific findings. The following discussion summarizes recent observations from PCAOB inspections 53 and investigations of QC systems, including deficiencies and violations—instances of noncompliance with PCAOB requirements—and good practices that the Board believes support and strengthen QC systems. The Board has taken these observations into account in developing the final QC standard and related amendments, rules, and forms. khammond on DSKJM1Z7X2PROD with NOTICES2 a. QC Deficiencies and Violations Observed From Oversight Activities PCAOB observations have generally revealed that while some firms have made improvements to their QC systems, the progress has been uneven. Even taking that progress into account, in roughly a third of the issuer audits the PCAOB inspected from 2020 to 2022, the auditor’s opinion was not adequately supported.54 This suggests that there is significant room for improvement in QC systems’ ability to provide reasonable assurance that firm engagements are performed in accordance with applicable professional standards and regulatory requirements. As described below, the PCAOB’s observations all too frequently indicate that firms’ QC systems did not appear to provide reasonable assurance that firm personnel will comply with applicable professional standards in, among others, the areas of: (1) acceptance of 53 PCAOB inspections are designed to assess a firm’s compliance with PCAOB standards and rules and other applicable regulatory and professional requirements with respect to the firm’s QC system and in the portions of engagements selected for review. An inspection does not involve a review of all aspects of a firm’s QC system. An inspection also does not necessarily involve a review of all of a firm’s engagements, nor is it designed to identify every deficiency in the reviewed engagements. The inspection data are derived from PCAOB inspection reports. Part II of PCAOB inspection reports include criticisms of, and potential defects in, a firm’s QC system, to the extent any are identified. The PCAOB includes, in Part II of its inspection reports, deficiencies observed in inspections of individual engagements when the results indicate that the firm’s QC system does not provide reasonable assurance that firm personnel will comply with applicable professional standards and regulatory requirements. In evaluating whether engagement observations are indicative of QC deficiencies, PCAOB staff consider the nature, significance, and frequency of deficiencies; related firm methodology, guidance, and practices; and possible root causes. 54 See Figure 1 below, and accompanying text for an analysis of 2011–2022 inspections data. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 engagements; (2) engagement performance; (3) independence, integrity, and objectivity; (4) personnel management; (5) monitoring; and (6) engagement quality reviews. Below are examples of the PCAOB’s observations in these areas. i. Acceptance of Engagements A firm’s QC system should provide the firm with reasonable assurance that it undertakes only those engagements that the firm can reasonably expect to be completed with professional competence.55 This includes taking into consideration, among other things, the availability of resources to perform an engagement and the competence of those resources. The PCAOB has observed instances where a firm’s lack of policies and procedures in the area of engagement acceptance and continuance resulted in accepting new engagements that were not completed with professional competence and resulted in numerous violations of PCAOB auditing standards.56 ii. Engagement Performance A properly functioning QC system should provide the firm with reasonable assurance that the work performed by engagement personnel meets applicable professional standards, regulatory requirements, and the firm’s standards of quality.57 A QC system cannot provide reasonable assurance if, for example, there are severe, frequent, or widespread deficiencies, or recurring instances of similar types of deficiencies at the engagement level. The PCAOB has observed deficiencies and violations in a range of areas of engagement performance, including, for example: • Failure to identify and test controls that address risks of material misstatement or sufficiently evaluate review controls; • Insufficient evaluation of significant assumptions or data used in developing an estimate; 58 • Unwarranted reliance on data or reports used in testing an issuer’s 55 See QC 20.15. e.g., In the Matter of WithumSmith+Brown, PC, PCAOB Rel. No. 105–2024–010 (Feb. 20, 2024); In the Matter of Jack Shama and Jack Shama, CPA, PCAOB Rel.e No. 105–2024–004 (Jan. 23, 2024); In the Matter of Shandong Haoxin Certified Public Accountants Co., Ltd., LIU Kun, MA Yao, SUN Penghuan, and ZHU Dawei, PCAOB Rel. No. 105– 2023–045 (Nov. 30, 2023); In the Matter of Alfonse Gregory Giugliano, CPA, SEC Accounting and Auditing Enforcement Release (‘‘AAER’’) No. 4458 (Sept. 12, 2023); In the Matter of Marcum LLP, PCAOB Rel. No. 105–2023–005 (June 21, 2023); In the Matter of Marcum LLP, SEC AAER No. 4423 (June 21, 2023). 57 See QC 20.17. 58 See, e.g., WithumSmith+Brown, PC, PCAOB Rel. No. 105–2024–010. 56 See, PO 00000 Frm 00008 Fmt 4701 Sfmt 4703 financial reporting controls or in substantive testing; 59 • Engagement partners’ failure to adequately supervise the engagement with due professional care, which contributed to not identifying deficiencies; 60 • Failure to implement and maintain adequate policies and procedures to provide reasonable assurance that work is performed and documented; 61 and • Failure to ensure audits are performed under PCAOB standards and not another framework.62 iii. Independence, Integrity, and Objectivity A firm’s QC system should also provide the firm with reasonable assurance that personnel maintain independence—in fact and in appearance—in all required circumstances.63 Observations relating to auditor independence have been recurring over the last several years.64 59 See, e.g., PKF O’Connor Davies, LLP, PCAOB Rel. No. 105–2022–001. 60 See, e.g., Alfonse Gregory Giugliano, CPA, SEC AAER No. 4458; In the Matter of Deloitte Touche Tohmatsu Certified Public Accountants, LLP, SEC AAER No. 4342 (Sept. 29, 2022); In the Matter of RSM, SEC AAER No. 4346 (Sept. 30, 2022); In the Matter of Mancera, S.C., Alejandro Valdez Mendoza, C.P., and Angel Radames Corral Nieblas, C.P., SEC AAER No. 4198 (Dec. 17, 2020); In the Matter of Whitley Penn LLP, Susan Lunn Powell, CPA, Jeffry Shannon Lawlis, CPA, and John Griffin Babb, CPA, PCAOB Rel. No. 105–2020–002 (Mar. 24, 2020); In the Matter of David M. Burns, CPA, PCAOB Rel. No. 105–2017–055 (Dec. 19, 2017); In the Matter of BDO Auditores, S.L.P., Santiago Sañé Figueras, and José Ignacio Algás Fernández, PCAOB Rel. No. 105–2017–039 (Sept. 26, 2017); In the Matter of KPMG LLP and John Riordan, CPA, SEC AAER No. 3888 (Aug. 15, 2017). 61 See, e.g., WithumSmith+Brown, PC, PCAOB Rel. No. 105–2024–010; In the Matter of SW Audit, PCAOB Rel. No. 105–2024–009 (Feb. 20, 2024); Shama, PCAOB Rel. No. 105–2024–004; In the Matter of Haynie & Company, PCAOB Rel. No. 105– 2024–001 (Jan. 23, 2024); Shandong Haoxin Certified Public Accountants Co., Ltd., PCAOB Rel. No. 105–2023–045; In the Matter of Deloitte & Touche S.A.S., PCAOB Rel. No. 105–2023–025 (Sept. 26, 2023); Marcum LLP, SEC AAER No. 4423 ; Deloitte Touche Tohmatsu Certified Public Accountants, LLP, SEC AAER No. 4342; In the Matter of HLB Mann Judd, Darryl Swindells, and Aidan Smith, PCAOB Rel. No. 105–2020–008 (June 29, 2020); In the Matter of Castillo Miranda y Compañı́a, S.C., Ignacio Garcı́a Pareras, Juan Martı́n Gudiño Casillas, Luis Raúl Michel Domı́nguez, Juan Francisco Olvera Dı́az, Carlos Rivas Ramos, and Bernardo Soto Peñafiel, PCAOB Rel. No. 105–2019–028 (Oct. 31, 2019); In the Matter of Deloitte Anjin LLC, PCAOB Rel. No. 105– 2019–025 (Oct. 31, 2019); In the Matter of Deloitte Touche Tohmatsu Auditores Independentes, PCAOB Rel. No 105–2016–031 (Dec. 5, 2016). 62 See, e.g., In the Matter of Dale Matheson CarrHilton LaBonte LLP, PCAOB Rel. No. 105–2021– 021 (Dec. 14, 2021); In the Matter of WDM Chartered Professional Accountants and Mike Kao, PCAOB Rel. No. 105–2021–016 (Sept. 30, 2021). 63 See QC 20.09. 64 See, e.g., 2022 Inspection Observations Preview at 18; 2021 Inspection Observations Preview at 19; PCAOB, Spotlight: Staff Update and Preview of E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 Examples of these observations frequently have included: • Violations of independence, including financial relationship and partner rotation requirements of 17 CFR 210.2–01; 65 • Noncompliance by firm personnel in reporting their financial relationships during the independence confirmation process; • Independence violations related to the firm providing impermissible nonaudit services; 66 • Noncompliance with PCAOB Rule 3524, Audit Committee Pre-approval of Certain Tax Services, and PCAOB Rule 3526, Communication with Audit Committees Concerning Independence; 67 • Improper inclusion of indemnification clauses in engagement letters, which impaired independence based on the general standard of independence prescribed by 17 CFR 210.2–01(b); and • Failure to implement and maintain adequate policies and procedures to provide reasonable assurance that firm personnel timely consult on complex, unusual, or unfamiliar independence issues.68 The PCAOB has also observed highly concerning, widespread instances where firm personnel have improperly shared answers on examinations required to 2020 Inspection Observations (Oct. 2021) (‘‘2020 Inspection Observations Preview’’), at 12, available at https://pcaob-assets.azureedge.net/pcaob-dev/ docs/default-source/documents/staff-preview-2020inspection-observationsspotlight.pdf?sfvrsn=10819041_4; Spotlight: Staff Update and Preview of 2019 Inspection Observations (Oct. 8, 2020) (‘‘2019 Inspection Observations Preview’’), at 7, available at https:// pcaobus.org/Inspections/Documents/Staff-Preview2019-Inspection-Observations-Spotlight.pdf; Staff Inspection Brief: Inspections Outlook for 2019 (Dec. 6, 2018) (‘‘2019 Inspections Outlook’’), at 2, available at https://pcaob-assets.azureedge.net/ pcaob-dev/docs/default-source/inspections/ documents/inspections-outlook-for2019.pdf?sfvrsn=538b8bb7_2. 65 See, e.g., In the Matter of Ernst & Young LLP, James G. Herring, Jr., CPA, James A. Young, CPA, and Curt W. Fochtmann, CPA, SEC AAER No. 4239 (Aug. 2, 2021); In the Matter of Raich Ende Malter & Co., PCAOB Rel. No. 105–2019–009 (Apr. 9, 2019); In the Matter of Marcum LLP and Alfonse Gregory Giugliano, CPA, PCAOB Rel. No. 105– 2019–022 (Sept. 10, 2019); In the Matter of Marcum Bernstein & Pinchuk LLP, PCAOB Rel. No. 105– 2019–023 (Sept. 10, 2019). 66 See, e.g., In the Matter of Pricewaterhousecoopers LLP, SEC AAER No. 4084 (Sept. 23, 2019); In the Matter of RSM US LLP (f/ k/a McGladrey LLP), SEC AAER No. 4066 (Aug. 27, 2019). 67 See, e.g., In the Matter of PricewaterhouseCoopers, S.C., PCAOB Rel. No. 105–2019–017 (Aug. 1, 2019); In the Matter of BDO Magyarorszag Konyvvizsgalo Kft., PCAOB Rel. No. 105–2017–024 (Apr. 12, 2017). 68 See, e.g., In the Matter of PricewaterhouseCoopers LLP, PCAOB Rel. No. 105– 2024–014 (Mar. 28, 2024). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 obtain or maintain professional licenses.69 The Board has acted decisively in responding to this conduct, which was prevalent both domestically and internationally.70 The PCAOB has also observed instances where firm personnel have not acted with integrity by altering work papers 71 or failing to cooperate with the Board.72 These recurring deficiencies and violations suggest that some firms and their personnel either do not have the requisite understanding of applicable independence and ethics requirements, or, as evidenced by the systemic nature of certain of these violations, do not have appropriate controls in place to prevent violations.73 iv. Personnel Management The quality of a firm’s work ultimately depends on the integrity, objectivity, intelligence, competence, experience, and motivation of personnel who perform, supervise, and review the work.74 A firm’s QC system should provide the firm with reasonable 69 See, e.g., In the Matter of Navarro Amper & Co., PCAOB Rel. No. 105–2024–025 (Apr. 10, 2024); In the Matter of Imelda & Rekan, PCAOB Rel. No. 105– 2024–024 (Apr. 10, 2024); In the Matter of KPMG Accountants N.V., PCAOB Rel. No. 105–2024–022 (Apr. 10, 2024); In the Matter of KPMG LLP (United Kingdom), PCAOB Rel. No. 105–2022–032 (Dec. 6, 2022); In the Matter of Ernst & Young LLP, SEC AAER No. 4313 (June 28, 2022); In the Matter of PricewaterhouseCoopers LLP, PCAOB Rel. No. 105– 2022–002 (Feb. 24, 2022); In the Matter of KPMG, PCAOB Rel. No. 105–2021–008 (Sept. 13, 2021); In the Matter of KPMG LLP, SEC AAER No. 4051 (June 17, 2019). 70 See, e.g., In the Matter of PricewaterhouseCoopers Zhong Tian LLP, PCAOB Rel. No. 105–2023–044 (Nov. 30, 2023); In the Matter of PricewaterhouseCoopers, PCAOB Rel. No. 105–2023–043 (Nov. 30, 2023); KPMG LLP (United Kingdom), PCAOB Rel. No. 105–2022–032 PricewaterhouseCoopers LLP, PCAOB Rel. No. 105– 2022–002 KPMG, PCAOB Rel. No. 105–2021–008. 71 See, e.g., In the Matter of Jose Daniel Melendez Gimenez, PCAOB Rel. No. 105–2022–035 (Dec. 6, 2022); In the Matter of Edgar Mauricio Ramirez Rueda, PCAOB Rel. No. 105–2022–036 (Dec. 6, 2022); In the Matter of Marco Alexander Rodriguez Ramirez, PCAOB Rel. No. 105–2022–037 (Dec. 6, 2022); In the Matter of KPMG S.A.S., PCAOB Rel. No. 105–2022–034 (Dec. 6, 2022); In the Matter of Jonathan B. Taylor, CPA, PCAOB Rel. No. 105– 2022–025 (Oct. 18, 2022); Castillo Miranda y Compañı́a, S.C.PCAOB Rel. No. 105–2019–028 Deloitte Anjin LLC, PCAOB Rel. No. 105–2019–025 Deloitte Touche Tohmatsu Auditores Independentes, PCAOB Rel. No 105–2016–031. 72 See, e.g., Shandong Haoxin Certified Public Accountants Co., Ltd., PCAOB Rel. No. 105–2023– 045 Jose Daniel Melendez Gimenez, PCAOB Rel. No. 105–2022–035 Edgar Mauricio Ramirez Rueda, PCAOB Rel. No. 105–2022–036 Marco Alexander Rodriguez Ramirez, PCAOB Rel. No. 105–2022–037 Jose Daniel Melendez Gimenez, PCAOB Rel. No. 105–2022–035 Castillo Miranda y Compañı́a, S.C., PCAOB Rel. No. 105–2019–028 Deloitte Touche Tohmatsu Auditores Independentes, PCAOB Rel. No 105–2016–031. 73 See 2021 Inspection Observations Preview at 19; 2019 Inspections Outlook at 2. 74 See QC 20.12. PO 00000 Frm 00009 Fmt 4701 Sfmt 4703 49595 assurance that personnel participate in general and industry-specific CPE and other professional development activities that enable them to fulfill responsibilities assigned and satisfy applicable CPE requirements.75 A firm’s QC system also should provide the firm with reasonable assurance that personnel possess the appropriate characteristics to enable them to perform competently and that work is assigned to personnel having the degree of technical training and proficiency required in the circumstances.76 The PCAOB has observed deficiencies related to compliance with the firm’s auditing policies and procedures.77 The PCAOB also has observed deficiencies and violations where the firm did not assign personnel to engagements who had the training and proficiency required to perform audit work in accordance with PCAOB standards.78 v. Monitoring A firm’s QC system should provide the firm with reasonable assurance that its policies and procedures are suitably designed and effectively applied.79 The PCAOB has observed situations where a firm’s internal inspection procedures did not detect significant audit deficiencies or the firm did not make changes to address repeated identified audit deficiencies.80 These deficiencies and violations were subsequently identified through SEC and PCAOB oversight.81 75 See QC 20.13c. QC 20.13a. and b. 77 See 2022 Inspection Observations Preview at 18. 78 See, e.g., Jack Shama PCAOB Rel. No. 105– 2024–004 ; In the Matter of Hall & Company Certified Public Accountants & Consultants, Inc., and Anthony J. Price, CPA, PCAOB Rel. No. 105– 2022–029 (Nov. 3, 2022); In the Matter of PKF O’Connor Davies, LLP, PCAOB Rel. No. 105–2022– 001 (Jan. 25, 2022); In the Matter of WDM Chartered Professional Accountants, PCAOB Rel. No. 105– 2021–016 (Sept. 30, 2021); In the Matter of Grant Thornton LLP, PCAOB Rel. No. 105–2017–054 (Dec. 19, 2017); BDO Auditores, S.L.P., Santiago Sañé Figueras, and José Ignacio Algás Fernández, PCAOB Rel. No. 105–2017–039. 79 See QC 20.20. 80 See, e.g., 2022 Inspection Observations Preview at 19. 81 See, e.g., In the Matter of KPMG Assurance and Consulting Services LLP and Sagar Pravin Lakhani, PCAOB Rel. No. 105–2022–033 (Dec. 6, 2022); In the Matter of Friedman LLP, SEC AAER No. 4339 (Sept. 23, 2022); In the Matter of BMKR LLP and Joseph Mortimer, CPA, PCAOB Rel. No. 105–2022– 003 (Feb. 24, 2022); PKF O’Connor Davies, LLP, PCAOB Rel. No. 105–2022–001 WDM Chartered Professional Accountants, PCAOB Rel. No. 105– 2021–016 ; In the Matter of Haskell & White LLP, PCAOB Rel. No. 105–2021–006 (Aug. 13, 2021); In the Matter of RBSM LLP, PCAOB Rel. No. 105– 2021–004 (Aug. 9, 2021); Castillo Miranda y Compañı́a, S.C., PCAOB Rel. No. 105–2019–028 Marcum LLP, PCAOB Rel. No. 105–2019–022 76 See E:\FR\FM\11JNN2.SGM Continued 11JNN2 49596 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices vi. Engagement Quality Reviews Both the PCAOB and SEC have identified deficiencies and violations in audit areas that require evaluation by the engagement quality reviewer (‘‘EQR’’),82 which suggests the EQR did not perform the evaluation with due professional care.83 Additionally, for certain broker-dealer audit and attestation engagements, the PCAOB has observed instances where engagement quality reviews were not performed or sufficiently documented 84 and policies and procedures did not provide reasonable assurance that engagement quality reviews were performed with due professional care.85 appropriately comprehensive and suitably designed in relation to a firm’s size and the nature and complexity of the firm’s practice. The Board has taken these observations into account in its consideration of QC 1000, while recognizing that the nature, extent, and formality of the design, implementation, and operation of QC systems can vary across firms. khammond on DSKJM1Z7X2PROD with NOTICES2 i. Well-Defined QC System A well-defined QC system includes all key elements of quality control and is supported by documentation that helps to promote firm personnel’s understanding and consistent application of the firm’s QC system. b. Good Practices Observed From Helpful characteristics that the PCAOB Inspections has observed in some firms’ QC systems include: The following observations regarding • Narratives and process flows that good QC practices are based on inspections in recent years.86 A good QC articulate how and where quality objectives fit within the QC processes practice could be a procedure, and define risks posed to those quality technique, or methodology that is objectives, including considering what could go wrong along the way;87 and Marcum Bernstein & Pinchuk LLP, PCAOB Rel. No. • Developing risk and control 105–2019–023 PricewaterhouseCoopers, S.C., matrices that include well-defined PCAOB Rel. No. 105–2019–017; In the Matter of Bharat Parikh & Associates Chartered Accountants, controls. Bharatkumar Balmukund Parikh, FCA, and Anuj Bharatkumar Parikh, PCAOB Rel. No. 105–2019– 003 (Mar. 19, 2019); Grant Thornton, PCAOB Rel. No. 105–2017–054. 82 See, e.g., Spotlight: Inspection Observations Related to Engagement Quality Reviews (Oct. 2023), available at https://assets.pcaobus.org/pcaob-dev/ docs/default-source/documents/eqrspotlight.pdf?sfvrsn=95a345e6_4; 2022 Inspection Observations Preview at 19; 2021 Inspection Observations Preview at 20; 2018 Inspection Observations Preview, at 4; 2020 Inspection Observations Preview at 12. 83 See, e.g., In the Matter of RAM Associates & Company LLC and Parameswara K. Ramachandran, PCAOB Rel. No. 105–2023–021 (Aug. 8, 2023); In the Matter of Total Asia Associates PLT, PCAOB Rel. No. 105–2023–007 (June 23, 2023); In the Matter of RT LLP, PCAOB Rel. No. 105–2023–002 (Apr. 11, 2023); In the Matter of Donald R. Burke, CPA, PCAOB Rel. No. 105–2021–012 (Sept. 29, 2021); RBSM LLP, PCAOB Rel. No. 105–2021–00; In the Matter of Cheryl L. Gore, CPA and Stanley R. Langston, CPA, PCAOB Rel. No. 105–2021–020 (Dec. 14, 2021); Whitley Penn LLP, PCAOB Rel. No. 105–2020–002; In the Matter of Helen R. Liao, CPA, PCAOB Rel. No. 105–2020–014 (Sept. 24, 2020); In the Matter of Crowe Horwath LLP, Joseph C. Macina, CPA, and Kevin V. Wydra, CPA, SEC AAER No. 4007 (Dec. 21, 2018); In the Matter of BDO Auditores, S.L.P., PCAOB Rel. No. 105–2017– 039. 84 See, e.g., In the Matter of Alvarez & Associates, Inc., Certified Public Accountants, and Vicente Alvarez, CPA, PCAOB Rel. No. 105–2022–039 (Dec. 21, 2022); In the Matter of Citrin Cooperman & Company, LLP, Joseph Puglisi, CPA, Mark Schniebolk, CPA, and John Cavallone, CPA, PCAOB Rel. No. 105–2022–007 (May 11, 2022). 85 See Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers, PCAOB Rel. No. 2023–005 (Aug. 10, 2023) (‘‘2022 Broker-Dealer Inspection Report’’), at 31. 86 See, e.g., 2022 Inspection Observations Preview; 2021 Inspection Observations Preview; 2020 Inspection Observations Preview; 2019 Inspection Observations Preview; and 2018 Inspection Observations Preview. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 ii. Accountability for Audit Quality Leadership involvement in and commitment to a firm’s QC system sets the tone at the top and drives clear expectations regarding the importance of audit quality. The PCAOB observed positive behaviors where firms have placed an emphasis on the importance of audit quality through extending accountability beyond engagement partners to other key leaders at the firm, such as audit quality leaders, technical experts, and office leaders, through performance management processes.88 iii. Root Cause Analysis of Identified Deficiencies Identifying causal factors for engagement and QC deficiencies (i.e., root cause analysis) can enable a firm to determine the appropriate response to and remediation of deficiencies and modify policies and procedures to prevent similar occurrences in the future. The PCAOB has observed that thorough root cause analyses drive better remediation of identified deficiencies. If root cause analysis is performed by a centralized team, having a defined process to share data and lessons learned outside of the root cause analysis team may further enhance the performance of a firm’s QC system. Through its inspection activities the PCAOB has observed that some firms’ 87 See 2021 Inspection Observations Preview at 22; 2019 Inspection Observations Preview at 4. 88 See 2018 Inspection Observations Preview at 2. PO 00000 Frm 00010 Fmt 4701 Sfmt 4703 root cause analysis programs have significantly evolved since the PCAOB was formed. The PCAOB has observed that some firms’ approach to root cause analysis includes one or more of the following: • Interviews with engagement teams and firm leadership; • Use of proprietary tools to analyze large amounts of data; • Root cause analysis training and the use of templates to facilitate consistency; • Consideration of available performance metrics, such as engagement hours, training records, audit milestone dates, and partner experience years; and • Consideration of positive quality events (i.e., actions, behaviors, or conditions that resulted in positive outcomes, such as where aspects of the firm’s QC system operated effectively or where no engagement deficiencies were identified for individual engagements) to identify whether such actions, behaviors, or conditions were present on engagements where QC deficiencies were identified. iv. Timely Monitoring and Evaluation Activities Timely and effective monitoring activities drive high-quality audits. The PCAOB has observed several good practices followed by some firms in their monitoring activities, including: • Increased real-time monitoring of in-process audit engagements, for example, through pre-issuance reviews or coaching programs; 89 • Formalized monitoring processes and actions for defined triggering events, including restatements, internal and external inspection results, and results of peer reviews; and • Mature QC processes including internal self-certifications of the effectiveness of QC components and sub-components. Other Developments Since the Adoption of Current PCAOB QC Standards Since the PCAOB’s current QC standards were first developed and issued, the auditing environment has changed significantly. The current QC standards were developed in the context of the self-regulatory peer-review system that existed before the establishment of the PCAOB. Therefore, they were not written with a view to inspection and enforcement by a regulator and do not address the current regulatory environment, including firms’ responsibilities with respect to 89 See 2020 Inspection Observations Preview at 4, 13. E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices information brought to their attention through the PCAOB inspection process. Since the QC standards were established, there have been significant developments in the availability and use of technologies and data analytic techniques, the organizational structure and management of firms have changed, and some firms have significantly increased their focus on governance and quality control. For example, there have been significant developments in the use of technology by firms in relation to QC activities and performing engagements. Some firms have made significant investments in internally developed tools for use in the audit. The increased availability of ‘‘off-the-shelf’’ technologies, such as analytical software packages, has made some tools more readily available for use by firms. Firms developing or acquiring new technology-based tools, making changes to existing tools, and training firm personnel on how and when to use such tools have had impacts on QC. Many of these tools may reduce risk, for example by reducing the possibility of human error and enabling the analysis of whole populations of transactions rather than samples. But they may also create new risks if they do not work as intended or are used incorrectly. Furthermore, some firm management and organizational structures have evolved to include more focus on centralization and a globally consistent methodology. Some firms have increased their use of services and resources supplied by firm networks, affiliates, and third-party providers. For example, some global networks are increasingly imposing requirements on member firms regarding the use of methodologies, technology, and policies and procedures that are developed or established at the network level. Some firms have also increased their use of shared service centers to assist with QC activities or performing engagements. In addition, some firms have changed their governance structures either voluntarily or due to changes in legal requirements.90 At the same time, some firms have begun to publish ‘‘transparency reports’’ that seek to inform the public about the firm’s operations and quality control systems and practices. 90 See, e.g., the UK Financial Reporting Council, Audit Firm Governance Code (Apr. 2022) available at https://www.frc.org.uk/getattachment/5af7cdb7a093-4da8-94d7-f4486596e68c/FRC-Audit-FirmGovernance-Code_April-2022.pdf, and the Japan Financial Services Agency, Audit Firm Governance Code (Mar. 2017) available at https://www.fsa.go.jp/ news/28/sonota/20170331-auditfirmgc/3.pdf. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 Additionally, some firms have strengthened their approaches to firm governance and leadership, incentive systems, culture, and accountability. For example, some firms have added external parties to oversight roles. Some firms have also augmented their monitoring and remediation processes, including through implementing or enhancing ongoing monitoring activities and internal inspection processes, establishing processes for considering PCAOB inspection findings, performing root cause analysis, and increasing remediation efforts. Observations from PCAOB oversight activities have shown that improvements in quality controls can enhance the quality of audits.91 However, as noted above, PCAOB oversight activities continue to identify pervasive deficiencies, suggesting that many firms have meaningful improvements to make. There have also been notable advances in internal control, quality management, and enterprise risk management frameworks and approaches, including the Committee of Sponsoring Organizations of the Treadway Commission (‘‘COSO’’) framework for internal control92 and the International Organization for Standardization (‘‘ISO’’) quality control standard ISO 9000:2015.93 Many of these share important commonalities, stressing active involvement of leadership, focus on risk, clearly defined objectives, objective-oriented processes, monitoring, and remediation of identified issues. Academic research suggests that these frameworks improve company performance.94 Actions by Other Standard Setters Following is a brief description of the quality control standards adopted by the IAASB and the AICPA. 1. IAASB The IAASB identified concerns related to its then effective QC standard, International Standard on Quality Control (ISQC) 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements, and decided to take steps to improve the standard. In December 2020, the IAASB released a suite of new 91 See, e.g., 2018 Inspection Observations Preview at 1–4. 92 See, e.g., COSO, Internal Control-Integrated Framework (May 2013). An executive summary of COSO’s internal control framework is available at https://www.coso.org/_files/ugd/3059fc_ 1df7d5dd38074006bce8fdf621a942cf.pdf. 93 More information about ISO 9000:2015 is available at https://www.iso.org/standard/ 45481.html. 94 See Benefits of related frameworks below. PO 00000 Frm 00011 Fmt 4701 Sfmt 4703 49597 quality management standards, including International Standard on Quality Management 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements (‘‘ISQM 1’’),95 which became effective on December 15, 2022.96 2. AICPA In May 2022, the Auditing Standards Board of the AICPA adopted new quality management standards designed to improve a firm’s risk assessment and audit quality, including Statement on Quality Management Standards (SQMS) No. 1, A Firm’s System of Quality Management (‘‘SQMS 1’’).97 The AICPA’s quality management standards closely align with the IAASB’s quality management standards, adapted for private companies in the United States. The new AICPA standards will become effective on December 15, 2025. PCAOB Outreach and Research The Board and its advisory groups have long considered the potential for improvements to PCAOB QC standards. For example, in 2010, the Standing Advisory Group (‘‘SAG’’) discussed a potential QC rulemaking project, including considerations and potential challenges in designing and implementing a QC system.98 In 2014, 95 In addition to ISQM 1, the IAASB adopted two other standards, International Standard on Quality Management 2, Engagement Quality Reviews (‘‘ISQM 2’’), and International Standard on Auditing 220 (Revised), Quality Management for an Audit of Financial Statements (‘‘ISA 220 (Revised)’’). ISQM 2 operates at the firm level, and is analogous to PCAOB AS 1220, Engagement Quality Review. ISA 220 (Revised) operates at the engagement level and deals with the engagement partner’s and the engagement team’s responsibilities for quality management for an audit of financial statements. Similar topics are addressed in PCAOB standards in AS 1201, Supervision of the Audit Engagement. 96 ISQM 1 sets forth eight components of a QC system that operate in an iterative and integrated manner, as well as other requirements. See IAASB Fact Sheet, Introduction to ISQM 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements (Dec. 2020), available at https://www.ifac.org/system/ files/publications/files/IAASB-ISQM-1-FactSheet.pdf. 97 The AICPA’s other QC standards are SQMS No. 2, Engagement Quality Reviews; Statement on Auditing Standards (SAS) No. 146, Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards; and Statement on Standards for Accounting and Review Services (SSARS) No. 26, Quality Management for an Engagement Conducted in Accordance With Statements on Standards for Accounting and Review Services. 98 See Briefing Paper for the Standing Advisory Group, Designing and Implementing a System of Quality Control (Oct. 13, 2010). An archive of SAG E:\FR\FM\11JNN2.SGM Continued 11JNN2 49598 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices the SAG discussed how QC standards may benefit from stronger requirements and other enhancements with respect to, for example, firm culture and tone at the top, firm risk assessment, and monitoring of the quality control system, including use of root cause analyses.99 In 2018, the SAG discussed whether additional or more specific direction in the quality control standards with respect to governance and leadership would lead to enhancements in firm quality control systems.100 Advisory group members have generally supported including requirements concerning firm governance and leadership in PCAOB QC standards. related groups, academics, trade groups, and others. On November 18, 2022, the Board issued a proposal to supersede current PCAOB QC standards with an integrated, risk-based standard, QC 1000, A Firm’s System of Quality Control, that would apply to all registered firms. The Board received 42 comment letters in response to the proposal.103 Commenters included firms and related groups, investors and related groups, academics, trade groups, and others. The Board has considered all comments in developing the final standard and related amendments, and commenter input is included where relevant in the discussion that follows. Rulemaking History Areas of Improvement to the QC Standards Taking into account the foregoing considerations, as well as careful consideration of comments received, the Board adopted changes to its QC standards that it believes will drive significant improvements in firms’ QC systems, by: • Emphasizing accountability, firm culture and the ‘‘tone at the top,’’ and firm governance through requirements for specified roles within and responsibilities for the QC system, including at the highest levels of the firm; quality objectives that link compensation to quality; and, for the largest firms, the requirement of an independent perspective on firm governance; • Striking the right balance between a risk-based approach to QC—which should drive firms to proactively identify and manage the specific risks associated with their practice—and a set of mandates, including mandatory quality objectives; mandatory processes for risk assessment, monitoring and remediation, and QC system evaluation; and specific requirements in key areas— which should assure that the QC system is designed, implemented and operated with an appropriate level of rigor; • Addressing changes in the audit practice environment, including the increasing participation of other firms and other outside resources, the role of firm networks, the evolving use of technology and other resources, and the increasing importance of internal and external firm communications; • Broadening responsibilities for monitoring and remediation of deficiencies to encourage an ongoing khammond on DSKJM1Z7X2PROD with NOTICES2 On December 17, 2019, the Board issued the concept release to explore the possibility of revising PCAOB QC standards. The concept release described an approach similar to the approach taken by the then-proposed ISQM 1, with certain differences and alternative requirements to specifically address the PCAOB’s objectives, including establishing requirements that: • Align with U.S. Federal securities law, SEC rules, and other PCAOB standards and rules; • Retain important topics in current PCAOB QC standards; • Address specific emerging risks and problems observed through PCAOB oversight activities; and • Provide more definitive direction to prompt appropriate implementation of certain requirements.101 The Board received 36 comment letters in response to the concept release.102 Commenters included firms and related groups, investors and meeting agendas, briefing papers, and webcasts is available at https://pcaobus.org/about/advisorygroups/archive-advisory/standing-advisory-group/ sagmeetingarchive. The materials for the Oct. 13– 14, 2010, SAG meeting are available at https:// pcaobus.org/news-events/events/event-details/ standing-advisory-group-meeting_476. 99 See Briefing Paper for the Standing Advisory Group, Initiatives to Improve Audit Quality—Root Cause Analysis, Audit Quality Indicators, and Quality Control Standards (June 24, 2014) (‘‘June 2014 SAG Briefing Paper’’). The materials for the June 24–25, 2014, SAG meeting are available at https://pcaobus.org/news-events/events/eventdetails/pcaob-standing-advisory-group-meeting_ 772. 100 See Briefing Paper for the Standing Advisory Group, Quality Control: Governance and Leadership (Nov. 29, 2018). The materials for the Nov. 29, 2018, SAG meeting are available at https://pcaobus.org/ news-events/events/event-details/standingadvisory-group-meeting_1137. 101 See Concept Release at 6. 102 The comment letters received in response to the concept release are available on the Board’s website in Docket 046. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 103 The comment letters received in response to the proposal are available on the Board’s website in Docket 046. In addition to 42 letters received from commenters, Docket 046 includes an analysis prepared by the PCAOB Office of Economic and Risk Analysis. PO 00000 Frm 00012 Fmt 4701 Sfmt 4703 feedback loop that drives continuous improvement; and • Requiring a rigorous annual evaluation of the firm’s QC system and related reporting to the PCAOB, certified by key personnel, to underscore the importance of the annual evaluation of the QC system, reinforce individual accountability, and support PCAOB oversight. In the Board’s view, the basic objectives of the QC system should be the same for all firms, but the scope of the QC standard and how it applies should take into account wide disparities in nature and circumstances across registered firms, in particular the extent to which their practices include engagements required to be performed under PCAOB standards, and the complexity of such engagements. The risks that firms face, and therefore the specific policies and procedures necessary to appropriately serve investor interests through an effective QC system, vary significantly from the largest firms, operating as part of global networks, to local firms or sole proprietorships. The scalability of the new QC standard is discussed in greater detail below. QC 1000: Basic Structure, Terminology, and Scalability Basic Structure 1. Considerations Informing the Structure of QC 1000 Informed by its observations and assessment of changes to auditing practice, the Board believes it is critical that its new QC standard strikes an appropriate balance between risk-based elements, which should drive firms to proactively identify and manage the specific risks associated with their practice, and a set of mandates to assure that the QC system is designed, implemented, and operated with an appropriate level of rigor. Moreover, the Board believes the new QC standard should foster a proactive approach to QC that drives continuous improvement. Based in part on its observations, the Board also believes its new standard should include specific requirements for some important areas of the QC system that are addressed more generally in current PCAOB QC standards, such as firm governance and leadership, technology and other firm resources, and firm communications. QC 1000 addresses all the areas of QC that Sarbanes-Oxley requires PCAOB QC standards to address, which the Board believes will provide a robust framework for a firm’s QC system. It incorporates eight components, which are based on mandatory elements and E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices mandatory processes that create a basic structure applicable to all firms. For example, as discussed in more detail below, QC 1000 establishes mandatory, outcome-based quality objectives and mandatory processes for risk assessment and monitoring and remediation. Within the structure created by these mandates, firms will develop their own policies and procedures based on the specific risks created by their circumstances and practice. QC 1000 also includes requirements for annual evaluation of the QC system and reporting to the PCAOB on that evaluation, which the Board believes will add rigor and accountability to the firm’s evaluation of whether the QC system has met its objectives, and will strengthen the feedback loop that drives continuous improvement. The structure itself addresses areas that current PCAOB standards do not directly address, such as firm governance and leadership, technology and other firm resources, and firm communications. In addition, to the extent it is principles-based and focused on the specific risks faced by the firm, the structure is inherently scalable and can be applied to firms of all sizes and circumstances. The structure of QC 1000 has commonalities with the structure of ISQM 1 and SQMS 1. While the approach taken in ISQM 1 and SQMS 1 has informed the Board’s thinking, the Board has carefully analyzed every aspect of that approach and considered where to align and where to further strengthen the PCAOB standard by including alternative or incremental provisions that the Board believes will better serve investor protection and the public interest. The Board believes that building on a well-understood basic framework, appropriately tailored and strengthened to address its legal and regulatory environment and its investor protection mandate, will enable firms to implement and comply with QC 1000 more effectively. In designing, implementing, and operating their QC systems, firms that are subject to both PCAOB standards and IAASB or AICPA QC standards—which the Board believes constitute a very substantial majority of firms that perform engagements under PCAOB standards 104—can leverage the work they have already done and the investments they have already made to comply with those other requirements. Many commenters, including firms and related groups, were generally supportive of structuring QC 1000 in a 104 See below for a discussion of the assumptions regarding the baseline. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 manner similar to the structure of ISQM 1 and SQMS 1. However, several commenters, including firms and related groups, suggested that further alignment should be considered, and any differences should be minimized. Several commenters suggested that firms would be subject to at least two different quality management/quality control systems, and commented that this would be impractical for firms to operate. The Board does not believe that QC 1000 conflicts with the requirements of other standard setters or that anything prevents firms from developing a single QC system for their entire practice that satisfies both PCAOB requirements and other professional standards to which the firm is subject. The Board acknowledges certain differences between QC 1000 and the quality management standards set by other standard setters, in particular areas where QC 1000 establishes additional or more stringent requirements. However, the Board believes that quality responses developed by firms under QC 1000 can be considered by firms for the purposes of other quality management standards to which they are subject, reducing the need for two or more separate QC systems. One investor-related group did not support the framework of the standard, arguing that ISQM 1 is a process-driven and compliance-oriented framework that does not encourage firms to meaningfully enhance their QC systems for the benefit of investors. Another investor expressed concern regarding the reliance on ISQM 1 in the development of QC 1000 on the basis that it does not always reflect the best interests of investors. The Board continues to believe that a common basic structure among quality control standards is beneficial. This is not only cost beneficial, but it also supports a firm’s ability to operate a single, consistent QC system over its whole practice, which the Board believes ultimately supports audit quality. Where appropriate, QC 1000 goes beyond ISQM 1 to incorporate more detailed or more stringent provisions that are specifically relevant to the U.S. regulatory environment and investors. Several commenters supported a principles-based approach to QC 1000. However, some commenters suggested that the specified quality responses throughout the standard impose prescriptive requirements that are not consistent with maintaining a principles-based approach. Others expressed a different perspective, suggesting that the standard was too principles-based, providing the firms with too much flexibility in designing, PO 00000 Frm 00013 Fmt 4701 Sfmt 4703 49599 implementing, and operating their QC systems. For example, an investor expressed concern that a principlesbased approach does not always reflect the best interests of investors. Other investor-related groups expressed concerns that a principles-based approach allows audit firms to conduct their own risk assessment and design their own controls to manage risks, including making the determination of whether QC deficiencies exist and are remediated without any public awareness or accountability. One of these investor-related groups suggested that an emphasis on a risk-based approach will result in little to no change at the largest auditing firms as they believe that this approach is already embedded in their QC systems. Another investor-related group commented that the proposed standard set the bar too low and failed to focus on audit quality and accountability such that it would only perpetuate the status quo. The Board has retained the approach as proposed. The Board believes that QC 1000 strikes the right balance between mandatory and risk-based elements. As discussed in more detail below, QC 1000 establishes a mandatory minimum set of outcome-based quality objectives that apply to all firms. Firms generally cannot omit or modify any of the quality objectives set out in the standard. Therefore, firms do not determine the criteria by which their QC systems will be assessed, only the means by which they will meet those criteria. Moreover, QC 1000 establishes requirements with which all firms will have to comply for roles and responsibilities within the QC system and the firm’s risk assessment process, monitoring and remediation process, and evaluation process, as well as specified quality responses applicable to all firms in areas that the Board believes justify a more prescriptive approach. It also includes evaluation and reporting requirements that the Board believes will add accountability and rigor to the annual evaluation. Within that framework, QC 1000 requires firms to develop the policies and procedures they need to achieve the quality objectives and the overall objective of the QC system. The Board believes this more principles-based aspect of the standard will prompt firms to identify and focus on the most relevant risks to quality in the context of their own practice and will make QC 1000 appropriately scalable. This approach also allows for the standard to be operable by firms of all sizes. Smaller PCAOB audit practices can scale down their responses to fit the risks associated E:\FR\FM\11JNN2.SGM 11JNN2 49600 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices with a small practice, and as the practice grows, the firm can scale up to respond to new quality risks. In addition, the Board believes that this approach will make it less likely that the standard will need to be amended in the future in response to changes in the auditing environment, including the use of technology. khammond on DSKJM1Z7X2PROD with NOTICES2 2. Components of the QC System Under QC 1000, the QC system consists of eight components that are designed to be highly integrated: Two process components: • The firm’s risk assessment process • The monitoring and remediation process Six components that address aspects of the firm’s organization and operations: • Governance and leadership • Ethics and independence VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 • Acceptance and continuance of engagements • Engagement performance • Resources • Information and communication The risk assessment process applies to these six components, requiring firms to: • Establish outcome-based ‘‘quality objectives,’’ including those specified throughout the standard (i.e., the desired outcomes to be achieved by the firm with respect to that component);105 • Identify and assess ‘‘quality risks’’ to the quality objectives;106 • Design and implement ‘‘quality responses’’ (i.e., policies and procedures to address quality risks);107 and 105 ‘‘Quality objectives’’ are defined in QC 1000.A10. 106 ‘‘Quality risks’’ are defined in QC 1000.A12. 107 ‘‘Quality responses’’ are defined in QC 1000.A11. PO 00000 Frm 00014 Fmt 4701 Sfmt 4703 • Establish policies and procedures to monitor internal and external changes that may require modifications to the quality objectives, quality risks, or quality responses. The monitoring and remediation process applies to all of the components of the QC system, including monitoring and remediation itself (i.e., firms are required to identify and remediate deficiencies that are observed in their monitoring and remediation activities). The firm is also required to evaluate and report on its QC system annually, based on the results of its monitoring and remediation activities. The following diagram illustrates the structure of the firm’s QC system under QC 1000: BILLING CODE 8011–01–P E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices 49601 Structure of the Firm's QC System •••.> ·:t$~,•#onandiet>o~ . ·. -- _; - - - - - - ~- - .. ; - --< Governance & Leadership Engagement Performance Acceptance & Continuance khammond on DSKJM1Z7X2PROD with NOTICES2 BILLING CODE 8011–01–C 3. Quality Objectives, Quality Risks, and Quality Responses, Including Specified Quality Responses For each of the six components to which the risk assessment process applies, QC 1000 specifies required quality objectives. While QC 1000 provides some flexibility with regard to the quality risks that firms are required to identify and the quality responses that firms are required to develop to address those risks, it does not provide the same flexibility with regard to quality objectives. Instead, quality objectives that will apply to all firms are VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 Information & Communication Resources specified in the standard. Firms can establish additional quality objectives— indeed, they are required to do so if necessary to achieve the objective of the QC system—but they generally cannot omit or modify any of the quality objectives set out in the standard. The Board believes that, for many firms, the quality objectives specified in the standard are likely to be comprehensive, and does not expect in the current environment that additional quality objectives would generally be necessary. However, the Board also recognizes that the nature and circumstances of a firm and its engagements will vary and the PO 00000 Frm 00015 Fmt 4701 Sfmt 4703 environment may change. Accordingly, firms are required to establish additional quality objectives, if necessary.108 The quality objectives established by this standard set forth a floor rather than a ceiling. Firms are required to identify and assess quality risks to the achievement of the established quality objectives. They are required to develop quality responses to address the assessed quality risks. Quality responses are defined as policies and procedures 108 See ‘‘The Firm’s Risk Assessment Process’’ below. E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.000</GPH> Ethics& Independence 49602 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices designed and implemented by the firm to address quality risks; policies are statements of what should, or should not, be done to address an assessed quality risk, and procedures are actions to implement and comply with policies. As proposed, the definition of quality responses provided that policies ‘‘may be documented or explicitly stated in communications.’’ In the final rule, that sentence was eliminated to avoid confusion or potential conflict with the documentation requirements set out in QC 1000.81–83. The correspondence across quality objectives, quality risks, and quality responses is generally not one-to-one. Most quality objectives are likely to have multiple quality risks. Some quality risks may affect one or more quality objectives, either within a single component or across several components, and may require multiple quality responses. Some quality responses may address multiple quality risks. Quality responses would typically be specific to the firm, to respond to its particular assessed quality risks. QC 1000 also includes some specified quality responses, which are mandatory for the firms to which they apply. Specified quality responses carry requirements from current PCAOB standards into QC 1000 or provide new requirements that the Board believes are important to a firm’s QC system. The specified quality responses are not intended to be comprehensive; on the contrary, for most of the components of the firm’s QC system, the standard includes only a few specified quality responses, and for the engagement performance component there are none. As a result, the specified quality responses alone will not be sufficient to enable the firm to achieve all established quality objectives; firms are required to design and implement their own quality responses. Both the specified quality responses and the quality responses the firm designs and implements on its own are critical in addressing quality risks. The following graphic illustrates the relationship between all quality responses (i.e., the quality responses necessary to achieve all established quality objectives) and the specified quality responses established in QC 1000: The Relationship Between Quality Responses and Specified Quality Responses Quality Responses Specified Quality Responses khammond on DSKJM1Z7X2PROD with NOTICES2 Terminology This section discusses some of the terminology used throughout QC 1000. Appendix A to QC 1000 defines several terms used in the standard. Two commenters indicated that the proposed terminology was understandable and appropriate, but most commenters on the topic requested VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 that the terminology used in QC 1000 be consistent with the terminology used by other standard setters, primarily to avoid potential confusion and ensure that the process of evaluating the QC system and the conclusion reached as to its effectiveness would be the same under both standards. The Board continues to believe that its proposed terminology is necessary to capture the PO 00000 Frm 00016 Fmt 4701 Sfmt 4703 basic concepts used in QC 1000, which differ in some respects from the concepts used by other standard setters, particularly as regards ‘‘other participants,’’ as the Board has defined that term, and the annual QC system evaluation process, which is grounded in the concepts of ‘‘engagement deficiency,’’ ‘‘QC deficiency,’’ and ‘‘major QC deficiency.’’ While this E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.001</GPH> //) Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices approach will result in an incremental burden for firms that seek to comply with other QC standards as well as QC 1000, the Board believes that the burden is justified. The Board also believes that, just as firms can perform audits under different auditing standards, they can learn to implement and operate a QC system under different QC standards. Accordingly, with the clarifications described below, the Board adopted the terminology substantially as proposed. khammond on DSKJM1Z7X2PROD with NOTICES2 1. Applicable Professional and Legal Requirements As discussed in more detail below, compliance with applicable professional and legal requirements is a fundamental concept under QC 1000, driving the objective of the QC system as well as many quality objectives and specified quality responses. The proposed standard defined ‘‘applicable professional and legal requirements’’ as • Professional standards, as defined in PCAOB Rule 1001(p)(vi); • Rules of the PCAOB that are not professional standards; and • To the extent related to the obligations and responsibilities of accountants or auditors or to the conduct of engagements, rules of the SEC, other provisions of U.S. Federal securities law, and other applicable statutory, regulatory, and other legal requirements. Two commenters supported the definition as proposed. One commenter recommended including the profession’s ethical standards explicitly. Two commenters stated the phrase ‘‘other applicable statutory, regulatory, and other legal requirements’’ could be read broadly and extend beyond regulations that directly bear on the conduct of audit engagements. Another commenter suggested amending the definition of ‘‘professional standards’’ in PCAOB Rule 1001(p)(vi) to refer to ‘‘quality control standards’’ rather than ‘‘quality control policy and procedures.’’ In response to comments, the Board made changes to the third, more general clause of the definition. As one commenter suggested, the Board expanded the definition to explicitly mention ethics laws and regulations.109 While the definition as proposed encompassed applicable ethics requirements, the Board believes an express reference will help to remind firms and individuals of the centrality of ethics considerations. The Board also 109 These include those arising under state law or the law of other jurisdictions (e.g., obligations regarding client confidentiality). See QC 1000 footnote 10. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 refined the definition to make clear that it encompasses statutory, regulatory, and other legal requirements beyond professional standards and other PCAOB rules ‘‘[t]o the extent related to the obligations and responsibilities of accountants or auditors in the conduct of engagements or in relation to the QC system.’’ This change is designed to limit the breadth of the definition to the relevant circumstances. The phrase ‘‘quality control policies and procedures,’’ used in PCAOB Rule 1001(p)(vi), is drawn from section 110(5) of Sarbanes-Oxley. The Board believes its rule should continue to align with that statutory provision. This definition captures all professional and legal requirements specifically related to engagements under PCAOB standards of issuers and SEC-registered broker-dealers, including relevant accounting, auditing, and attestation standards, PCAOB and SEC rules, other provisions of Federal securities law, other relevant laws and regulations (e.g., state law and rules governing accountants), applicable ethics law and rules, and other legal requirements related to the obligations and responsibilities of accountants or auditors in the conduct of the firm’s engagements or in relation to the QC system.110 It does not encompass requirements that apply to businesses generally, such as tax laws, safety regulations, and employment law. 2. Engagement The proposed standard defined ‘‘engagement’’ as (1) any audit, attestation, review, or other engagement under PCAOB standards performed by a firm, or (2) any engagement in which a firm ‘‘play[s] a substantial role in the preparation or furnishing of an audit report’’ as defined in PCAOB Rule 1001(p)(ii).111 In the final standard, the 110 For avoidance of doubt, the requirements relating to compliance with applicable professional and legal requirements are meant to make clear that, as relates to engagements subject to PCAOB standards, all applicable professional and legal requirements must be followed. The requirement does not suggest that application of ‘‘other applicable statutory, regulatory, and other legal requirements’’ could supersede rules of the SEC, other provisions of U.S. Federal securities law, rules of the PCAOB that are not professional standards, or PCAOB professional standards. On the contrary, requirements relating to ‘‘applicable professional and legal requirements’’ are meant to highlight the importance of adhering to other requirements when those requirements do not conflict with or abridge requirements of Federal securities laws, PCAOB rules, or PCAOB standards. 111 Generally, and as described in more detail in Rule 1001(p)(ii), a firm plays a substantial role in the preparation or furnishing of an audit report if (1) its engagement hours or fees constitute 20% or more of the total engagement hours or fees or (2) it performs the majority of the audit procedures PO 00000 Frm 00017 Fmt 4701 Sfmt 4703 49603 term ‘‘engagement’’ encompasses the same scope as it did in the proposal— when the firm leads an engagement as lead auditor or practitioner, or plays a substantial role—but the definition has been restructured for clarity. The final standard defines ‘‘engagement’’ as any audit, attestation, review, or other engagement performed under PCAOB standards: • Led by a firm; or • In which a firm ‘‘play[s] a substantial role in the preparation or furnishing of an audit report’’ as defined in PCAOB Rule 1001(p)(ii). The definition covers not only circumstances in which the firm serves as the lead auditor or the ‘‘practitioner’’ for an attestation engagement, which is what is customarily meant by the term engagement, but also any substantial role work the firm undertakes. The Board’s view is that this additional breadth is appropriate because playing a substantial role in an engagement for an issuer or broker-dealer is sufficient to require a firm to register with the PCAOB. The definition covers all engagements under PCAOB standards performed by the firm, whether the application of PCAOB standards is legally required (e.g., for audits of issuers and broker-dealers) or undertaken pursuant to contractual agreement, where permitted but not required under SEC rules, or for any other reason. Commenters on the definition of ‘‘engagement’’ generally supported it. One commenter requested clarification as to why the definition does not include work performed at less than a substantial role, given that the standard includes requirements regarding such work. The Board defined ‘‘engagement’’ to exclude work performed on other firms’ PCAOB engagements at less than a substantial role because it believes the auditor responsibilities associated with such work, and the risks posed by it, are materially different than the responsibilities and risks associated with a firm leading an engagement or playing a substantial role.112 QC 1000 contains provisions specifically applicable to work performed on other firms’ PCAOB engagements at less than with respect to a subsidiary or component whose assets or revenues constitute 20% or more of the consolidated assets or revenues of the issuer, broker, or dealer. 112 PCAOB registration rules reflect this difference in risk profile: PCAOB registration is required for firms that lead engagements or play a substantial role in audits of issuers and brokerdealers, but not for work performed on other firms’ engagements at less than a substantial role. See PCAOB Rule 2100, Registration Requirements for Public Accounting Firms. E:\FR\FM\11JNN2.SGM 11JNN2 49604 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 a substantial role, which have been tailored to reflect those responsibilities and risks. The Board believes this tailored approach is appropriate. Also grounded in the Board’s views on relative risk and the investor interests at stake, the concept of ‘‘engagement’’ marks an important distinction in the level of responsibility created under QC 1000: while all registered firms are required to design a QC system that complies with QC 1000, the threshold for a firm to implement and operate the QC system is when the firm has responsibilities under applicable professional and legal requirements with respect to a firm engagement. The distinction between scaled applicability under QC 1000 (for firms that do not have responsibilities with respect to engagements) and full applicability of QC 1000 (for firms that do perform engagements) is discussed in more detail below. The Board notes, however, that just because work performed on other firms’ PCAOB engagements at less than a substantial role is not considered an ‘‘engagement’’ does not mean it is disregarded under the QC system. This work, by itself, does not trigger the requirement to implement and operate the QC system under QC 1000. However, once a firm is required to implement and operate the QC system, the system will operate over all work performed by the firm under PCAOB standards, including work performed on other firms’ PCAOB engagements at less than a substantial role. If a firm is required to implement and operate a QC system under QC 1000, the Board believes that the QC system should address every engagement under PCAOB standards in which the firm participates. 3. Firm Personnel The proposed standard defined ‘‘firm personnel’’ as individual proprietors, partners, shareholders, members or other principals, accountants, and professional staff of a registered public accounting firm whose responsibilities include assisting with: (1) the performance of the firm’s engagements; or (2) the design, implementation, or operation of the firm’s QC system, including engagement quality reviews. Professional staff refers not only to employees, but also to other individuals who work under the firm’s supervision or direction and control and function as the firm’s employees. For example, secondees and leased staff would fall under the definition of ‘‘firm personnel.’’ Two commenters agreed with the definition as proposed. Some firms and VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 related groups objected to including non-employee contractors and consultants as firm personnel, in particular because they are not subject to the firm’s performance evaluation or promotion process. These commenters suggested that such persons be classified as other participants instead. One commenter expressed concern about potential exposure due to the differences between QC 1000 and the definitions of employees with Federal, State, and local tax and labor laws. The Board continues to believe it is appropriate for the definition of firm personnel to include individuals, such as non-employee contractors and consultants, who work under the firm’s supervision or direction and control and function as the firm’s employees. In light of the range of legal structures and arrangements used by firms in acquiring and deploying staff, the Board believes a definition based exclusively on legal employment would be too narrow. Instead, the final rule retains an approach based on the functional role played by the individual rather than a specific legal relationship. When the firm is identifying quality risks to quality objectives that include firm personnel, it may identify different risks associated with non-employee contractors and consultants than other firm personnel, and accordingly would have to develop different policies and procedures for them. For example, nonemployee contractors and consultants may be evaluated through the contracting process to determine whether the firm should retain them instead of through the firm’s formal evaluation framework. While the Board expresses no view on any tax or labor law consequences, it notes that the definition does not conflate ‘‘firm personnel’’ with employees. On the contrary, the Board acknowledges that firm personnel includes some non-employees. Some commenters, generally firms and related groups, were opposed to the definition including anyone who ‘‘assists with’’ engagements or the quality control system, as it may include administrative staff. The Board revised the definition of firm personnel to clarify that ‘‘professional staff does not include persons engaged only in clerical or ministerial tasks,’’ which aligns with the definition of ‘‘Person Associated With a Public Accounting Firm (and Related Terms)’’ in PCAOB Rule 1001(p)(i).113 113 By aligning the QC 1000 definition of ‘‘firm personnel’’ with the definition of ‘‘Person Associated with a Public Accounting Firm (and Related Terms)’’ in this regard, the Board does not PO 00000 Frm 00018 Fmt 4701 Sfmt 4703 4. Other Participants Over the years, audits of issuers have increasingly involved the use of entities and individuals outside the firm in performing audit procedures and evaluating audit evidence. In the context of amending the standards governing the involvement of other auditors in an audit, the Board discussed the increasing prevalence and importance of the use of other audit firms and individual accountants outside the firm, such as an EQR not employed by the firm, and the use of auditor-engaged specialists.114 While it may be beneficial, and in many cases essential, to use other participants in some engagements, these arrangements can pose risks because other participants may not be subject to the same quality controls as firm personnel (for example, with regard to personnel assignments, training, supervision, and monitoring). With respect to work performed in connection with the firm’s QC system or the performance of its engagements, QC 1000 defines ‘‘other participants’’ as accounting firms (foreign or domestic, registered or unregistered), accountants, and other professionals 115 or organizations, other than firm personnel, whose responsibilities include assisting with the performance of the firm’s engagements or the design, implementation, or operation of the firm’s QC system, including engagement quality reviews.116 Some commenters expressed concerns with the use of ‘‘other participants’’ throughout the standard. Many commenters said the proposed responsibilities of the firm with regard to other participants were too broad. A few commenters suggested removing the reference to other participants from certain specified quality responses and allowing firms to tailor their responses to quality objectives for other participants. Some commenters were mean to suggest that only ‘‘firm personnel’’ can be associated persons. ‘‘Other participants’’ can also be associated persons. 114 See Planning and Supervision of Audits Involving Other Auditors and Dividing Responsibility for the Audit with Another Accounting Firm, PCAOB Rel. No. 2022–002 (June 21, 2022), at 13; Amendments to Auditing Standards for Auditor’s Use of the Work of Specialists, PCAOB Rel. No. 2018–006 (Dec. 20, 2018), at 10–15. 115 In this context, ‘‘professionals’’ refers broadly to workers who perform other than clerical or ministerial tasks. 116 It should be noted that ‘‘referred-to auditors,’’ as that term is defined in the amendments to AS 2101, Audit Planning, adopted in PCAOB Rel. No. 2022–002, are not ‘‘other participants’’ under QC 1000 because the referred-to auditor performs its own engagement and does not participate in the engagement of the lead auditor. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices specifically concerned about the inclusion of internal auditors and external specialists in the standard through other participants, and believe they are adequately addressed in other standards. Some commenters argued that other participants should not be included in another firm’s quality control system because they are covered by their own firm’s quality control system. Some commenters suggested bifurcating the definition into other participants whose responsibilities include assisting with the performance of the firm’s engagements and other participants whose responsibilities include assisting with the design, implementation, and operation of the firm’s QC system, on the basis that this would enhance clarity regarding to whom the requirements apply. One commenter said the policies and procedures related to other participants would differ depending on the type of other participant (for example, an internal auditor providing direct assistance differs from an auditor, specialist, or engagement quality reviewer) and QC 1000 imposes the same requirements for each type. One commenter supported the definition. One commenter agreed with separately defining ‘‘other participants’’ and ‘‘third-party providers.’’ The final standard reflects the Board’s view that, in designing, implementing, and operating its QC system, the firm will have to address not only firm personnel but also other auditors 117 and other professionals or organizations that khammond on DSKJM1Z7X2PROD with NOTICES2 117 See AS 1205, Part of the Audit Performed by Other Independent Auditors, and AS 1201 (which takes effect for audits of financial statements for fiscal years ending on or after Dec. 15, 2024). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 the firm uses in connection with the firm’s QC system or the performance of its engagements. References to other participants are included throughout QC 1000 in a tailored and context-specific way that recognizes the key roles that other participants play. The Board recognizes that some other participants may be covered by their own firm’s quality control system, and that fact may inform the firm’s risk assessment with respect to their participation. But the firm’s own QC system must address all the work done on the firm’s engagements and in connection with the design, implementation, and operation of the firm’s QC system itself, regardless of who does it. Commenters correctly pointed out that specific performance standards exist related to the use of certain types of other participants in an audit, such as other auditors,118 internal auditors,119 and specialists,120 but that does not mean that QC over their use in the firm’s engagements is unnecessary. In part, the QC system operates to assure compliance with those specific audit standards. But it must also provide more general assurance about the performance of audits in which those types of other participants are involved. For example, the Board expects that the firm’s policies and procedures would cover, if applicable, engaging specialists, determining their compliance with ethics and 118 See, e.g., AS 1201, and AS 1206, Dividing Responsibility for the Audit with Another Accounting Firm. 119 See, e.g., AS 2605, Consideration of the Internal Audit Function. 120 See, e.g., AS 1210, Using the Work of an Auditor-Engaged Specialist. PO 00000 Frm 00019 Fmt 4701 Sfmt 4703 49605 independence requirements, and communicating with them as part of the firm’s quality control system. The Board does not believe it is necessary for QC 1000 to bifurcate other participants between those that participate in engagements and those that are involved with the QC system. Just because a quality objective or other provision of QC 1000 refers to all types of other participants in the same way does not mean that the firm should respond by treating all types of other participants in the same way. On the contrary, the firm’s policies and procedures addressing other participants should differentiate based on the types and roles of other participants to the extent necessary to be responsive to the firm’s quality risks. When designing quality responses, the firm will address the specific risks posed by the other participants and their responsibilities within the firm’s engagements and QC system. For example, a firm that uses a network as a resource in many areas, such as independence tracking and monitoring, engagement performance, information and communication, and monitoring and remediation, would have many quality risks and quality responses related to their use of the network. A smaller firm that only uses one individual from outside the firm as an engagement quality reviewer may have fewer quality risks and quality responses related to other participants to address in its quality control system. The following diagram provides QC 1000’s definitions of ‘‘firm personnel’’ and ‘‘other participants’’ and provides examples of each type: BILLING CODE 8011–01–P E:\FR\FM\11JNN2.SGM 11JNN2 VerDate Sep<11>2014 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices 17:58 Jun 10, 2024 Jkt 262001 PO 00000 Frm 00020 Fmt 4701 Sfmt 4725 E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.002</GPH> khammond on DSKJM1Z7X2PROD with NOTICES2 49606 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices As noted in the diagram, the persons performing some roles, such as an EQR or personnel at shared service centers, may be firm personnel or other participants, depending on their relationship to the firm. For example, an EQR employed by the firm would be considered firm personnel, whereas an EQR contracted from outside the firm that is not functioning as a firm employee would be an other participant. Similarly, personnel at shared service centers may be firm personnel (if they are employed by the firm or function as firm employees) or other participants (if they are personnel of another organization, such as a network affiliate). khammond on DSKJM1Z7X2PROD with NOTICES2 5. Networks QC 1000 acknowledges that networks of firms may be structured in a variety of ways and could include arrangements between firms for sharing knowledge; developing and implementing consistent policies, tools, and 121 In the standard, references to a ‘‘network’’ encompass all of the memberships and affiliations that registered firms must report to the PCAOB in Item 5.2 of their annual report on Form 2, including certain networks, arrangements, alliances, partnerships, and associations. See Item 5.2, VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 methodologies; conducting multilocation engagements; or executing other types of business or administrative matters. Through its oversight activities, the PCAOB has observed that some networks provide or require use of a wide range of resources and services and may involve various levels of personnel, composed of a mix of the firm’s national and local office personnel. Some examples of resources and services that networks provide include: • Audit methodologies; • Technology tools; • Training; • Risk management activities; • Consultations on accounting, auditing, and SEC matters; • Preventive engagement-level monitoring and coaching; • Support for inspections; and • Root cause analysis and remediation. Since networks may involve a wide variety of different arrangements and different degrees of coordination and PCAOB Form 2 (describing reporting requirements for memberships, affiliations, and similar arrangements). 122 Providers of resources that are not specifically designed for use in the performance of engagements PO 00000 Frm 00021 Fmt 4701 Sfmt 4725 cooperation across firms, rather than attempting to define the term ‘‘network,’’ QC 1000 describes these types of arrangements in more general terms.121 Under the standard, networks may include a combination of registered and unregistered accounting firms and other entities. 6. Third-Party Providers Commenters on this topic supported the definition of third-party providers as proposed. The standard addresses resources used by the firm that are sourced from third-party providers. Third-party providers are individuals or organizations, other than other participants, as defined above, that provide resources to the firm that are specifically designed for use in the performance of engagements or to assist in the operation of its QC system.122 The following diagram provides QC 1000’s definition of ‘‘third-party providers’’ and several examples of them: or to assist in the operation of firms’ QC systems (e.g., general word processing and spreadsheet software) are not ‘‘third-party providers’’ as the Board has defined that term. E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.003</GPH> BILLING CODE 8011–01–C 49607 49608 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices Scalability khammond on DSKJM1Z7X2PROD with NOTICES2 The approximately 1,600 firms registered with the PCAOB differ significantly based on their nature and circumstances: • Approximately 53% of firms are located in foreign jurisdictions, representing 89 foreign jurisdictions; • Approximately 20% of total firms, and 40% of firms located in foreign jurisdictions, belong to one of six global networks that contain the largest number of registered, non-U.S. firms that share resources such as methodology and monitoring activities; 123 • Approximately 60 firms are sole proprietorships; • Approximately 650 firms, or 41% of firms, performed an engagement under PCAOB standards for an issuer or broker-dealer during the 12 months ended June 2023; • Approximately 70 only played a substantial role in such engagements in the past year; • Approximately 140 performed audits of only broker-dealers in the past year; • Approximately 130 firms that did not perform an engagement under PCAOB standards for an issuer or broker-dealer in 2022 did perform such an engagement in the past five years; and • Approximately 51% of firms have not performed an engagement under PCAOB standards for an issuer or broker-dealer in the past five years.124 While the Board believes the basic objectives of the QC system ought to be the same across all firms, the Board believes the QC standard needs to be appropriately scalable, so that firms of different sizes and characteristics can 123 The six global networks that contain the largest number of registered, non-U.S. firms as reported on Form 2s filed in 2023 are: BDO International Limited, Deloitte Touche Tohmatsu Limited, Ernst & Young Global Limited, Grant Thornton International Limited, KPMG International Cooperative, and PricewaterhouseCoopers International Limited (the member firms of these networks are collectively referred to herein as ‘‘GNFs’’). 124 The data were obtained from Audit Analytics and publicly available data from the PCAOB’s Registration, Annual and Special Reporting (RASR) available at https://rasr.pcaobus.org. The PCAOB does not collect information about whether registered firms perform engagements under PCAOB standards other than for issuers and brokerdealers. Firms may be engaged, for example, in connection with the audit of a reporting company that does not meet the Sarbanes-Oxley definition of ‘‘issuer’’ described in footnote 2 above, in connection with certain offerings of securities that are exempt from registration under the Securities Act (e.g., offerings under Regulation A, Regulation D, or Regulation Crowdfunding), pursuant to a contractual obligation such as a loan covenant, or on an entirely voluntary basis. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 appropriately design their QC system to address the risks associated with their own practice. The specific policies and procedures necessary to achieve the objectives of the QC system may vary significantly across firms, depending on their size, the types of engagements they perform, and other factors. The Board believes that QC 1000 is sufficiently principlesbased and scalable that firms will be able to pursue an approach to QC that is appropriate in light of their specific circumstances. In the Board’s view, firms that perform engagements under PCAOB standards should generally be subject to the same QC requirements. In particular, the Board does not believe the historical distinction between firms that were members of the SECPS in 2003 and those that were not has continuing relevance in determining the QC standards that should apply today. Accordingly, the Board eliminated that distinction. As discussed in more detail below, QC 1000 incorporates certain SECPS requirements, making them applicable to all firms, and eliminates others. However, the Board also believes there are specific areas, such as firm governance, where firms with larger PCAOB audit practices should be subject to enhanced requirements. QC 1000 includes several requirements that apply only to the firms that meet the statutory threshold for annual PCAOB inspection. The Board is aware that there is a significant number of registered firms that do not perform engagements under PCAOB standards every year—they only participate in other firms’ engagements at less than the level of a substantial role or have no involvement in issuer or broker-dealer engagements. The Board believes that the risk to investor protection is minimal if the firm is not performing engagements under PCAOB standards for issuers and SEC-registered broker-dealers, and that it is appropriate to provide for more limited QC obligations in those circumstances. Under QC 1000, all registered firms are required to design a QC system but only firms that are subject to applicable professional and legal requirements with respect to a PCAOB engagement are required to implement and operate the QC system. 1. Scaled Applicability vs. Full Applicability The Board created a fundamental distinction in QC 1000 between the obligation to design a QC system in compliance with the standard, which PO 00000 Frm 00022 Fmt 4701 Sfmt 4703 will apply to all firms,125 and the obligation to implement and operate an effective QC system, which, broadly speaking, will apply only to firms that perform engagements under PCAOB standards. Under the standard, firms are required to implement and operate an effective QC system—that is, comply with all provisions of QC 1000—at all times that the firm is required to comply with applicable professional and legal requirements with respect to any of the firm’s engagements.126 As noted above, many registered firms do not perform engagements every year. However, a firm that is not currently performing any engagements may nevertheless have to comply with applicable professional and legal requirements with respect to a previous or future firm engagement. For example, procedures for the acceptance of a new engagement have to be performed before the engagement is conducted. Responsibilities may also arise with respect to completed engagements long after the issuance of the auditor’s report—for example, if the issuer requests the auditor’s consent to include its report in a registration statement, if an engagement deficiency is identified that requires remediation, or if the auditor becomes aware of facts that may have existed at the date of the auditor’s report which may have affected the report. In the Board’s view, whenever a firm has responsibilities under applicable professional and legal requirements with respect to an engagement, those responsibilities should be performed under a QC system that is implemented, is operating, and complies with PCAOB standards. Importantly, if a firm is required to implement and operate an effective QC system, the firm would not necessarily have to implement and operate every QC policy or procedure that it has designed. An effective QC system provides reasonable assurance that the firm is complying with ‘‘applicable’’ professional and legal requirements. The extent of ‘‘applicable’’ requirements could change depending on the firm’s circumstances, and the QC system policies and procedures that the firm would have to implement and operate could change in response. For example, if a firm last performed an engagement (as defined in the standard) five or six years ago and has no current responsibilities with respect to any other firms’ engagements, it might be subject only to requirements regarding 125 QC 1000.06, discussed below, sets out the requirements for QC system design. 126 QC 1000.07. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 the retention of certain engagementrelated documentation.127 In such a circumstance, an effective QC system— i.e., a system that provides reasonable assurance that the firm is complying with applicable professional and legal requirements regarding such documentation—could be scaled back to address only engagement-related documentation retention, as well as ongoing evaluation, reporting, and documentation requirements with respect to the QC system itself. The Board asked in the proposing release whether it was clear how a firm’s responsibilities under QC 1000 may change depending on the extent of applicable professional and legal requirements to which the firm is subject at a particular time, and commenters that responded on the issue were generally supportive. If the firm has no more responsibilities with respect to any engagement, the firm is required to continue operating the QC system until the next September 30 (the annual evaluation date). This would ensure that the firm would be required to evaluate and report on the QC system for any year during which the QC system was required to operate.128 Firms that are not subject to the requirement to implement and operate the QC system are still subject to the requirement to design a QC system that complies with QC 1000.129 Paragraph .06 of QC 1000, discussed below, sets out the requirements for design of the QC system in more detail. The Board believes it is appropriate to limit the application of the requirements of QC 1000 for firms that have no obligations under applicable professional and legal requirements with respect to firm engagements. Indeed, in those situations it is hard to see how a firm could, as a practical matter, ‘‘implement’’ or ‘‘operate’’ its QC system. Implementation and operation contemplate, among other things, the application of QC policies and procedures to the firm’s engagements, monitoring of work performed on engagements, and identification and remediation of engagement deficiencies. Without ‘‘engagements,’’ as the standard defines that term, implementation and operation of a QC system would be 127 See AS 1215; 17 CFR 210.2–06. 1000.07. The proposed requirements for evaluation of and reporting on the QC system are discussed below. 129 The standard makes clear that any existing obligations under QC 1000 (for example, reporting obligations with respect to prior periods when the firm was required to implement and operate the QC system) would continue. 128 QC VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 largely hypothetical. Moreover, the population of firms that are subject only to the design requirements of QC 1000 is comprised entirely of firms that are not required to be registered with the PCAOB—because they do not participate in engagements under PCAOB standards or do so only below the level of a substantial role.130 Many commenters, including firms and related groups, investor-related groups, academics, and others, did not support requiring firms that are not required to comply with applicable professional and legal requirements to design a QC system under QC 1000. Several of these commenters expressed concerns that this would be unnecessarily costly to those firms, or suggested that there could be challenges associated with implementing and operating a QC system based on hypothetical risks that could differ from the actual risks at the time the firm accepts and performs engagements pursuant to PCAOB standards. Some commenters suggested that this requirement may cause firms to deregister with the PCAOB, decline to assist U.S. firms in executing their global audits, or create a potential barrier to entry for new firms in the marketplace. One firm-related group commented that as this aspect of the proposal affects such a large number of firms, the potential political impacts deserve further consideration. The firmrelated group further commented that foreign firms could see this as an accelerator to a decision to not service specific audit markets, which potentially impacts audit markets beyond the U.S., and that policy makers in other countries may view the potential for further market concentration more significantly. Firms and a related group raising cost concerns with the proposed QC system design requirements suggested allowing firms that do not perform engagements the flexibility to design their QC system in accordance with another QC standard, such as ISQM 1 or SQMS 1. One of these firms further suggested that firms transitioning to performing engagements under PCAOB standards be given an additional six months to one year from their annual evaluation date to file their Form QC for the transition period. The firm asserted that even if a firm has complied with the design requirements, implementing and operating a QC system that complies 130 If a firm requests leave to withdraw from PCAOB registration and is permitted to do so, the firm, upon its withdrawal from registration, would no longer be subject to an obligation to design, implement, or operate a QC system in accordance with QC 1000. PO 00000 Frm 00023 Fmt 4701 Sfmt 4703 49609 with the standard would involve significant effort. Another firm suggested that it would be more appropriate to have a transition period for the registered public accounting firm to update their system of quality control to adhere to the incremental requirements of the PCAOB. An academic suggested that the design requirements for firms that have not performed and do not plan to perform engagements pursuant to PCAOB standards should be limited to client acceptance components. One firm suggested that the standard could include a requirement that firms are not allowed to perform an engagement under PCAOB standards until they have designed and implemented QC 1000. Other commenters suggested that registered firms that do not intend to conduct PCAOB audits should not be required to do anything under QC 1000. Other commenters suggested a variety of approaches for when firms should be required to implement and operate a QC 1000-compliant QC system. One firm suggested that firms that only perform a substantial role in more than a certain threshold (presumably to be specified by the PCAOB) of PCAOB engagements could be permitted to comply with ISQM 1 instead of being subject to full applicability of QC 1000. Another commenter suggested that smaller firms (e.g., triennially inspected firms with fewer than 100 issuer engagements) be permitted the option of complying with ISQM 1 or SQMS 1 as an alternative to QC 1000. Another firm suggested that the PCAOB should permit non-U.S. firms to comply with ISQM 1 rather than adopting QC 1000. Another commenter suggested that the criteria for full applicability of the standard should be based on whether the engagements individually or in the aggregate involve a material amount of market capitalization. The commenter suggested that under such an approach, the requirement to operate the QC system could be optional for registered firms auditing companies with a smaller market capitalization. Some commenters, including a firm, a firm-related group, and an investor, commented that the requirement to design a QC 1000-compliant QC system is appropriate for any registered firm, even if it is not performing engagements or playing a substantial role in other firms’ engagements. One firm-related group agreed that whenever a firm has responsibilities under applicable professional and legal requirements with respect to an engagement, those responsibilities should be performed under a fully implemented and operating QC system that complies with E:\FR\FM\11JNN2.SGM 11JNN2 49610 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 PCAOB standards. However, the commenter asked for clarification on the circumstances that trigger the need for a firm to implement and operate a QC system in compliance with QC 1000, and suggested targeted guidance in that area would be helpful. The Board continues to believe that requiring all registered firms to design a QC system that complies with the standard, regardless of whether they have obligations with respect to engagements, is consistent with the PCAOB’s statutory mandate and historical practice. Sarbanes-Oxley directs the PCAOB to include in its QC standards requirements related to numerous topics for ‘‘every’’ registered public accounting firm.131 The statute also directs the PCAOB that applications for registration with the PCAOB must contain ‘‘a statement of the quality control policies of the [applicant] for its accounting and auditing practices.’’ 132 Consistent with that directive, as a condition to registration, applicants are required to furnish ‘‘a narrative, summary description, in a clear, concise and understandable format, of the quality control policies of the applicant for its accounting and auditing practices, including procedures used to monitor compliance with independence requirements,’’ 133 and that description must provide an overview of the applicant’s quality control policies regarding each element of quality control.134 Therefore, firms that register with the Board are already required to provide a summary of the design of their QC system regardless of whether they have obligations with respect to engagements.135 The Board also believes that requiring all firms to design a QC system that complies with all provisions of QC 131 Section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C. 7213(a)(2)(B). 132 Section 102(b)(2)(D) of Sarbanes-Oxley, 15 U.S.C. 7212(b)(2)(D). 133 Item 4.1 of PCAOB Form 1 (‘‘Applicant’s Quality Control Policies’’). The Board modified the information about QC required in Form 1. See below. 134 See Frequently Asked Questions Regarding Registration with the Board, PCAOB Rel. No. 2003– 011F (Dec. 4, 2017) (Question #32), available at https://pcaob-assets.azureedge.net/pcaob-dev/docs/ default-source/registration/information/documents/ registration_faq.pdf?sfvrsn=c50d7356_0. As part of this rulemaking the requirements in Form 1 are being amended. 135 In a separate rulemaking, the Board proposed to create a new form, Form QC—Policies and Procedures (‘‘Form QCPP’’), to require that, once QC 1000 becomes effective, any firm that registered with the Board prior to the date that QC 1000 becomes effective must submit an updated statement of the firm’s quality control policies and procedures pursuant to QC 1000. See Firm Reporting, Rel. No. 2024–003 (Apr. 9, 2024) at 41. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 1000, and not just limiting the requirement to certain components such as acceptance and continuance of engagements, is consistent with its investor protection mandate. While the Board acknowledges that there could be challenges associated with implementing and operating a QC system based on hypothetical risks, it continues to believe that it is important for registered firms to design a QC system based on the quality risks the firm likely would face if it were to perform engagements. Because registering with the PCAOB enables a firm to issue audit reports or play a substantial role on audits performed under PCAOB standards for issuers and broker-dealers, and because investors and companies considering engaging the firm could reasonably expect that any firm that could pursue such an engagement would already have a PCAOB-compliant QC system designed and ready for implementation and operation, the Board believes that imposing a design requirement on all registered firms promotes its mission of protecting investors and promoting the public interest. As discussed in more detail below, QC 1000 includes requirements that do not appear in other QC standards or that are more prescriptive or more specifically tailored to the PCAOB’s legal and regulatory environment than the provisions of ISQM 1 or SQMS 1. Because of these key differences, the Board does not believe that a QC system design based on ISQM 1 or SQMS 1, as suggested by some commenters, would be sufficient. Furthermore, the Board believes that compliance with ISQM 1 may not be the regulatory baseline within certain jurisdictions. The PCAOB has observed other standard setters and regulators adopt variations of ISQM 1, which typically include more detailed and stringent requirements.136 Therefore, the Board believes that audit firms within some jurisdictions will already have to design and operate a QC system that goes beyond the requirements of ISQM 1, and it would not be appropriate for the Board to permit compliance with a less stringent quality system than the one required in the local regulatory environment. Similarly, the Board does not believe that it would be appropriate for it to permit firms to comply with their locally applicable variation of ISQM 1 as this would result in the PCAOB requiring and managing compliance 136 See, e.g., International Standard on Quality Management (UK) 1, adopted by the Financial Reporting Council (March 2023). PO 00000 Frm 00024 Fmt 4701 Sfmt 4703 with a multitude of different QC standards. The Board also continues to believe that, whenever a firm has responsibilities under applicable professional and legal requirements with respect to a firm engagement, those responsibilities should be performed under a QC system that is implemented, is operating, and complies with PCAOB standards. Given the unique features of QC 1000, compliance with ISQM 1 or SQMS 1 would not, in the Board’s view, be an adequate substitute, nor would the Board’s regulatory purposes be served by providing firms with an extended compliance period after they take on an engagement. The Board does not believe that this requirement will result in disruption to competition in the audit market. Firms that are subject to applicable professional and legal requirements with respect to engagements, including substantial role engagements, are required to implement and operate a QC 1000-compliant QC system. If a registered firm that has not led an engagement or played a substantial role in the past anticipates the possibility of transitioning to performing engagements, the Board believes the requirement to design a QC system that complies with QC 1000 will facilitate timely implementation and operation of their QC 1000 QC system, which will in turn facilitate appropriate performance of the engagements; appropriate monitoring and, if necessary, remedial action; and timely evaluation and reporting on Form QC.137 QC 1000 shares a basic structure and approach with ISQM 1 and SQMS 1, so designing for the incremental features unique to QC 1000 should not be unduly burdensome for firms that are subject to either or both of those other QC standards (which the Board believes will be the case for a very substantial majority of firms that are in a position to perform PCAOB engagements).138 The Board does not believe that QC 1000 conflicts with the requirements of other standard setters or that anything prevents firms from developing a single QC system for their entire practice that satisfies both PCAOB requirements and other professional standards to which the firm is subject. The Board 137 The Board understands that the actual quality risks the firm faces when it takes on an engagement may differ from the hypothetical risks considered in designing the QC system. QC 1000 requires the firm to establish policies and procedures to monitor, identify, and assess changes to conditions, events, and activities that indicate modifications to the firm’s quality objectives, quality risks, or quality responses may be needed, and to make timely modifications as needed. See QC 1000.22–23. 138 See Section D. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices acknowledges certain differences between QC 1000 and the quality management standards set by other standard setters, in particular areas where QC 1000 establishes additional or more stringent requirements. However, the Board believes that quality responses developed by firms under QC 1000 can be considered by firms for the purposes of other quality management 49611 standards to which they are subject, reducing the need for two or more separate QC systems. BILLING CODE 8011–01–P Decision Tree for Requirements of QC System Does the firm currently perform any of the following procedures or is subject to the foDowing responsibilities with respect to a PCAOB engagement?t Engagement acceptance procedures (e.g., accepting new eugagement) Responsibilities when performing eugagements (e.g.. independence, engagem.ent procedures) Design QC system (QC 1000.06) Eugagement post-iss11ance responsibilities (e.g., issuing consent) Engagement post-issuance responsibilities (e.g., issuing consent, document retention) Design, implement, & operate QC system (over all work performed under PCAOB standards, including referred work) (QC 1000.06 and ,07) khammond on DSKJM1Z7X2PROD with NOTICES2 BILLING CODE 8011–01–C Firms participating in a PCAOB engagement below the level of a substantial role do not require registration with the PCAOB. If such a firm does not lead and does not plan to lead engagements or play a substantial role in engagements pursuant to PCAOB standards, then the Board believes that the firm should assess whether the costs of complying with the design VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 requirement are commensurate with their perceived benefit of being registered with the PCAOB. 2. Other Scalability Considerations Aspects of QC 1000 are risk-based, which makes them inherently scalable. Firms are required to apply a risk-based approach to the design, implementation, and operation of the QC system in the PO 00000 Frm 00025 Fmt 4701 Sfmt 4703 context of their own audit practice. The standard provides that the firm will tailor the design of its QC system to its specific facts and circumstances, such as: • The size and complexity of the firm; • The types and variety of engagements it performs; • The types of companies for which it performs engagements; and E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.004</GPH> •An engagement perli,rni.ed by tire firm under PCAOB siandards or an engagement performed under PCAOB siandards by another firm that the firm plays a substantial roki in. "APLR-Applkable professional and legal requirements. khammond on DSKJM1Z7X2PROD with NOTICES2 49612 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices • Whether it is a member of a network and, if so, the nature and extent of the network relationship. Several commenters, including firms and a firm-related group, suggested that the proposed standard was too prescriptive. Many of these commenters suggested that, to promote further scalability, specified quality responses could be replaced with quality objectives to allow each firm to develop quality responses appropriate to the circumstances and risks for their firm. One of these firms stated that it disagreed with the notion in the proposing release that a specified quality response suggests that every firm has the same or similar quality risks and that the responses to those risks will also be the same or similar. Another firm suggested that the specified quality responses make the standard inherently less scalable and could be a barrier to entry for smaller firms. The firm further suggested that an overreliance on specified quality responses could discourage firms from performing robust risk assessments and developing tailored quality responses. Other commenters also suggested that more scalability could be incorporated into the standard through consideration of concepts such as professional judgment, relevance, or reliability. Some commenters suggested that further alignment of QC 1000 to ISQM 1 or SQMS 1 would promote further scalability. One firm stated that the standard was overly prescriptive and suggested that specific guidance be provided to small and medium-sized firms focused on operationality of the standard. Several commenters expressed concern that the prescriptive nature of QC 1000 would negatively affect smaller firms. As discussed above, some specified quality responses carry requirements from current PCAOB standards into QC 1000, while others provide new requirements that the Board believes are important to a firm’s QC system. The Board believes that this approach is appropriate and that the specified quality responses are required to address certain quality risks that are present in all firms that perform PCAOB engagements and to assure that the QC system is designed, implemented, and operated with an appropriate level of rigor. The inclusion of specified quality responses in the standard should not be interpreted to suggest that the Board believes all firms have the same or similar quality risks overall; the specific risks addressed by specified quality responses are likely a small subset of the overall population of quality risks identified by a firm, and the Board VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 expects potentially wide variation in the full set of risks faced by different firms. The Board believes that the standard incorporates the concepts of professional judgment, relevance and reliability where it is appropriate, for example, in the ability to exercise professional judgment in the determination of whether a major QC deficiency exists, or the discussion in the information and communication component noting that information would have to be both relevant and reliable such that it supports the operation of the firm’s QC system and the performance of the firm’s engagements in accordance with applicable professional and legal requirements. The Board continues to believe that the inclusion of prescriptive requirements in certain areas promotes its mission of protecting investors and promoting the public interest. An investor-related group commented that it supports a risk-based approach up to a point, but it expressed concern that the standard placed too much emphasis on scalability and recommended the development of a set of minimum requirements for the establishment of quality control systems. Another commenter stated that the PCAOB should not let scalability concerns get in the way of driving change and improving quality, further suggesting that smaller-firm considerations should not get in the way of doing the right thing for the largest audit firms. One commenter suggested more specific requirements relating to the audits of broker-dealers, commenting that a high deficiency rate in broker-dealer audits suggests the need for more specific requirements with respect to audits of broker-dealers, such as requirements for specific expertise in the conduct of broker-dealer audits, or, to the extent that the brokerdealer is a subsidiary of an issuer, requirements relating to coordination between the broker-dealer audit team and the audit team of the issuer parent company. The final standard establishes a set of minimum requirements that all firms must follow in the establishment of their QC system. As discussed in more detail below, while QC 1000 provides some flexibility with regard to the quality risks that firms identify and the quality responses that firms develop to address those risks, it does not provide the same flexibility with regard to quality objectives or specified quality responses. Instead, quality objectives and specified quality responses that will apply to all firms are specified in the standard. Firms can establish additional quality objectives—indeed, they are PO 00000 Frm 00026 Fmt 4701 Sfmt 4703 required to do so if necessary to achieve the reasonable assurance objective—but they generally cannot omit or modify any of the quality objectives or specified quality responses set out in the standard. Within a uniform basic structure to be used by all firms, QC 1000 reflects a risk-based, scalable approach, particularly in the risk assessment process and the monitoring and remediation process. The nature and extent of these processes would be commensurate with the firm’s quality risks and would therefore vary across firms in nature, scope, and complexity. The Board believes it is crucial that the standard be scalable so that firms of different sizes and characteristics can appropriately design their QC system to address the risks associated with their own practice, including specific risks relating to the types of companies that they audit, such as broker-dealers. The Board believes that an appropriate balance between quality objectives and specified quality responses is the best approach to improve quality across firms of all sizes that perform engagements pursuant to PCAOB standards, whether these be issuer or broker-dealer engagements. Similarly, the form, content, and extent of required documentation related to the QC system will be driven by a firm’s nature and circumstances. QC 1000 contains both provisions that scale down, by tailoring for smaller PCAOB audit practices, and provisions that scale up, by focusing on risks faced by the largest firms. Some provisions of QC 1000 focus particularly on firms with a smaller PCAOB audit practice. These include: • Depending on the nature and circumstances of the firm (including its size and structure), a single individual may be assigned more than one of the QC system oversight roles required under the standard; and • If the firm issued engagement reports with respect to five or fewer engagements for issuers, brokers, and dealers during the prior calendar year, engagement monitoring activities may include monitoring audits not performed under PCAOB auditing standards. For firms with this number of engagements performed under PCAOB standards, the Board understands that requiring a firm to annually monitor its engagements that are performed under PCAOB standards increases the likelihood of the same partner being inspected every year under QC 1000. The Board believes this could disincentivize partners from serving as the engagement partner and ultimately affect competitive conditions in the market. E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices Other provisions of QC 1000 impose incremental requirements on firms that issued audit reports for more than 100 issuers in the prior calendar year, including: • An external oversight function for the QC system composed of one or more persons who are not partners, shareholders, members, other principals, or employees of the firm; • A program for collecting and addressing complaints and allegations that includes confidentiality protections; • An automated system for identifying investments in securities that might impair independence; and • A requirement to perform inprocess monitoring of engagements. These incremental requirements specifically target and respond to potential quality risks that the Board believes are more likely to arise in audit practices of a certain size and complexity. Firms that audit fewer than 100 issuers may still determine that the incremental requirements are an appropriate quality response for quality risks that they have identified specific to their firm, but these are not mandatory for these smaller PCAOB audit practices to promote scalability of the standard. Several commenters, including firms, suggested that the threshold for any incremental requirements be raised to 500 issuers, to align with the existing SECPS requirement that firms that audit more than 500 SEC registrants have an automated system to identify investment holdings of partners and managers that might impair independence.139 One of these firms also suggested a dual-threshold approach that would consider both the number of issuers audited and the market capitalization of the issuers. Two commenters, including an investorrelated group and an academic, suggested that there should not be a threshold for incremental requirements, and all requirements of the standard should apply to all firms regardless of the size of the firm. The academic suggested that the incremental requirements may give rise to actual or perceived differences in audit quality between larger audit firms that issue audit reports for more than 100 issuers and smaller audit firms that issue audit reports for fewer than 100 issuers. One firm suggested that the incremental requirements only apply to those firms subject to annual inspection under the PCAOB’s rules (in case the 100-issuer threshold for regular inspection in Rule 4003, Frequency of Inspections, ever 139 See SECPS 1000.46 (requirement 4). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 were changed), and another firm suggested that these should only apply to the top six firms. Two investor-related groups suggested that if the final standard does include a threshold for certain incremental requirements, the threshold should relate to the market capitalization of the issuers that the firm’s audit practice covers rather than the number of issuer audit reports the firm issues. Other commenters were also supportive of a market capitalization-based threshold. Several commenters suggested that the nature of the firm’s audit practice be taken into consideration when determining the applicability of the incremental requirements, and that just looking to the number of issuers may not be an appropriate measure for the size or complexity of the audit practice. One commenter suggested that the proportion of the PCAOB audits to the size of the practice within a firm is also a relevant factor to consider. Some commenters suggested that imposing a threshold of 100 issuers could impose a barrier to entry for firms that wish to expand their audit practices beyond 100 issuers and, as a result, firms may manage their practice to stay below the 100-issuer threshold. The Board believes that requiring certain incremental requirements of firms with larger PCAOB audit practices is appropriate and that the complexities inherent to large and complex firms are likely to give rise to quality risks for which the incremental requirements would be appropriate quality responses. Based on the comments received, the Board considered whether alternative measures could be used that looked to the nature and complexity of the issuers being audited, for example, through a market capitalization-based threshold. The Board believes it is appropriate to retain the threshold as proposed, based on the size of a firm’s issuer audit practice rather than referencing the size of the companies subject to audit by the firm. In general, the Board believes that the number of issuers is the most indicative measure of a firm’s size and the complexity of its audit practice. Under a market capitalization measure, a firm that audits a single very large issuer could look like a large firm, but its practice may well be less complex than a firm that audits a large number of small issuers. The incremental requirements in QC 1000 respond to specific issues or risks—firm governance, confidential handling of complaints and allegations, tracking investments that may bear on independence, and monitoring of inprocess engagements—that the Board PO 00000 Frm 00027 Fmt 4701 Sfmt 4703 49613 believes are more significant in complex practices handling large numbers of engagements. Therefore, the threshold was adopted as proposed. In addition, the Board believes that larger PCAOB audit practices that audit a greater number of issuers are more likely to have the resources to be able to effectively comply with the incremental requirements at a level commensurate to the risk. The Board also believes that firms are familiar with the proposed threshold of issued audit reports for more than 100 issuers, because it is used to determine which firms are subject to annual PCAOB inspection.140 The Board does not believe it to be appropriate to increase the threshold to 500 issuers or to specifically limit the requirements to certain firms. The Board believes that firms that audit between 100 and 500 issuers are sufficiently large such that potential quality risks may arise as a result, and that the incremental requirements would be responsive to these risks. Several commenters suggested that a cut-off date for the measurement of the size of the firm’s issuer practice relative to the 100-issuer threshold, and a related transition period after a firm passes the 100-issuer threshold, be specified in the standard to allow time for firms to implement the incremental requirements. One of these commenters specifically requested consideration of the effective date for the implementation and operation of the incremental requirements if, because of a merger or acquisition, the resultant firm performs audits of more than 100 issuers. The standard specifies a measurement cut-off date for the 100-issuer threshold of the prior calendar year-end. Therefore, if a firm has issued audit reports with respect to more than 100 issuers in the period January 1 to December 31, in any given year, the firm must implement the incremental requirements beginning the following January 1 and evaluate compliance with the incremental requirements as of the following September 30. The Board believes that firms continuously track the size of their issuer audit practice for the purpose of monitoring the threshold for annual inspection by the PCAOB. Therefore, prior to the calendar year-end measurement cut-off date, the Board expects that firms should have an informed view as to whether they will need to design, implement, and operate the incremental requirements for the 140 See section 104(b)(1)(A) of Sarbanes-Oxley, 15 U.S.C. 7214(b)(1)(A); PCAOB Rule 4003, Frequency of Inspections. E:\FR\FM\11JNN2.SGM 11JNN2 49614 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices following year. Similarly, the Board believes that a merger or acquisition between firms would take time to finalize such that the firms would have an informed view of whether the incremental requirements would be applicable to the successor firm, providing additional time for the firms to design, implement, and begin operating the incremental requirements. In addition, the Board does not believe that it is appropriate or consistent with its investor protection mandate to allow a firm that audits over 100 issuers to not operate the incremental requirements beginning the calendar year following the date of the merger or acquisition if that merger or acquisition resulted in the firm auditing more than 100 issuers. The Board believes that specific quality risks could arise as the result of a merger or acquisition; for example, a sudden increase in the size of the firm could exacerbate the potential quality risks that exist as a result of a firm’s size, to which the incremental requirements would be responsive. Furthermore, there is nothing in the standard that prevents firms from implementing the incremental requirements earlier than required, if they believe it to be likely that the threshold will be met. khammond on DSKJM1Z7X2PROD with NOTICES2 QC 1000: A Firm’s System of Quality Control Introduction This section describes the requirements of QC 1000 and highlights the key differences between the final standard and current QC standards. Terms defined in Appendix A to QC 1000, Definitions, are italicized throughout QC 1000. The introduction section of the standard sets up the structure for providing the standard’s requirements. Paragraphs .01–.02 describe the riskbased approach to the firm’s QC system and acknowledge the important role of the QC system—supporting consistent performance of engagements in accordance with applicable professional and legal requirements—in protecting investors through the preparation of informative, accurate, and independent engagement reports. To emphasize the auditor’s role in investor protection, the Board added language to the final standard reminding auditors that the firm’s QC system enhances investors’ ability to rely on engagement reports. The Board also reversed the order of paragraphs .01 and .02 to improve flow. One commenter suggested a riskbased approach to quality control with minimum requirements integrated into it, instead of a purely risk-based VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 approach. The Board agrees that a purely risk-based approach would be inappropriate. As proposed and as adopted, QC 1000 is not a purely riskbased standard. It establishes mandatory quality objectives that every firm is required to achieve; lays out detailed, required processes for risk assessment, monitoring and remediation, and annual evaluation of the QC system; requires specified quality responses in many areas; and fosters accountability and rigor through mandated key roles for the QC system with specified individual responsibility and accountability and required reporting to the PCAOB. The Firm’s QC System 1. QC 1000 a. Objective of the QC System (QC 1000.05) The proposal asked if the reasonable assurance objective was appropriate and if there were additional objectives that the QC system should achieve. Many commenters, including firms, supported the reasonable assurance objective and did not support additional objectives for the QC system. Some commenters, including investors and investor-related groups, said there should be an explicit acknowledgement that auditing serves a public purpose and that the system of quality control therefore should serve investors. Other investors and investorrelated groups suggested that the quality control system should seek a higher performance standard than mere compliance. Two commenters suggested that the objective should be expanded, so that in addition to complying with applicable professional and legal requirements, engagements should be performed in a manner that is responsive to the needs of investors by ensuring high-quality financial reporting. Another suggested that the foundation of the system should promote high-quality and ‘‘useful’’ financial and non-financial information and achieve a high level of transparent financial reports. The commenter also suggested removing the qualifier ‘‘reasonable’’ and emphasizing that the term ‘‘assurance’’ refers to a high level of assurance. The Board agrees with these commenters that QC 1000 should frame auditor responsibilities in terms of investor protection, and revised paragraph .05 to reinforce that, as discussed in more detail below. The Board also considered broadening the objective of the QC system beyond compliance in a number of ways, as suggested by commenters. PO 00000 Frm 00028 Fmt 4701 Sfmt 4703 For example, the Board considered adding explicit references to ‘‘investor needs’’ to the QC system objective. However, the Board are concerned that the concept of ‘‘investor needs’’ is too vague and indefinite to be interpreted consistently as an objective of the QC system. Consistent with the reasonable assurance objective, the Board believes that all investors want informative, accurate, and independent engagement reports. But beyond that, investors are not monolithic and may have different preferences. For example, the needs of a large institutional investor with an actively managed portfolio are different from those of a retail investor holding index funds. Investor needs could also vary across issuers and different types of financial instruments, as well as with changes in market conditions. As a result, the Board does not believe that a QC system objective that was expressly phrased in terms of satisfying ‘‘investor needs’’ would be capable of consistent interpretation or would provide firms with sufficient notice or direction about the conduct required of them. The Board believes that ‘‘highquality’’ and ‘‘useful’’ financial reporting suffer from the same issues. These terms are subjective, indefinite, and would mean different things to different financial statement users and in different situations. In addition, grounding auditor obligations in the quality or utility of financial reporting risks conflating the role of the auditor with the role of the preparer. The fundamental responsibility for financial reporting lies with the company. The auditor enhances investors’ ability on company financial information through the preparation and issuance of informative, accurate, and independent engagement reports, but the company prepares the financial statements and retains ultimate responsibility for them. The Board considered one commenter’s suggestion of phrasing the objective in terms of ‘‘assurance,’’ rather than ‘‘reasonable assurance.’’ However, the Board believes that this would weaken, rather than strengthen, the standard, in that it could be read to suggest that any level of assurance, even if less than reasonable assurance, would be appropriate. As proposed, the final standard includes a note emphasizing that reasonable assurance is a high level of assurance. Accordingly, the Board has not revised the objective of the QC system as these commenters suggested. The Board continues to believe that investor needs will be best served through an objective that is grounded in auditors’ existing obligations and can be E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices interpreted clearly and applied consistently. Auditor obligations under applicable professional and legal requirements address investors’ fundamental priority: that the financial statements be free of material misstatement. They also clearly delineate what conduct is required, which enables both the Board and the firms that the Board regulates to interpret and apply them on a consistent basis. The Board has, however, made revisions to paragraph .05 that the Board believes will be clarifying. The final rule specifies expressly that the firm’s objective is to design, and if applicable, implement and operate an effective QC system. Further, although the Board concluded that it could not express the objective of the QC system in such terms, the Board does believe firms should be prompted to remember their critical role in investor protection. With that in mind, the Board revised paragraph .05 to explicitly acknowledge that a properly conducted engagement and related report enhance the confidence of investors and other market participants in the company’s information to which the firm’s report relates. The Board also revised the paragraph to remind auditors that an effective QC system protects investors by facilitating the consistent preparation and issuance of informative, accurate, and independent engagement reports in accordance with applicable professional and legal requirements. Paragraph .05 specifies that an effective QC system consistently provides a firm with reasonable assurance that the firm, each member of firm personnel, and each other participant conduct each engagement and fulfill their other responsibilities in compliance with applicable professional and legal requirements, and that each engagement report issued by the firm complies with applicable professional and legal requirements. The Board revised the provision to refer to ‘‘each member of’’ firm personnel, ‘‘each’’ other participant, ‘‘each’’ engagement, and ‘‘each’’ engagement report. This change clarifies that the QC system provides reasonable assurance, not just over the pool of firm personnel, the pool of other participants, and the portfolio of engagements, but over each individual and each engagement. The objective is still reasonable assurance, not absolute assurance. But an effective QC system has to be designed, implemented, and operate in such a way that the firm has reasonable assurance that each individual who performs work on behalf of the firm and each engagement the firm undertakes will VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 comply with applicable professional and legal requirements. One commenter asserted that some prescriptive aspects of the standard result in absolute assurance instead of reasonable assurance. The Board disagrees, as it believes this is a misunderstanding of the standard. Specifically, the reasonable assurance objective under QC 1000 is broadly consistent with the Board’s current QC standards, as well as ISQM 1 and SQMS 1, all of which contemplate that the system of QC should provide reasonable assurance.141 The Board believes that the combination of quality objectives and specified quality responses in QC 1000 establishes a balance between prescriptive requirements and a riskbased approach that contributes to the firm obtaining reasonable assurance, but does not require absolute assurance. Of course, nothing precludes a firm from going beyond the requirements in QC 1000 when designing its QC system. One commenter suggested that the concept of reasonable assurance was not clear and could be clarified by retaining a footnote from QC 20 that reinforces that deficiencies in individual engagements do not, in and of themselves, indicate a firm’s quality control system is insufficient to provide reasonable assurance. The Board has not retained that footnote. The concept of reasonable assurance should be familiar to auditors; it is a basic concept under the Board’s current standards and the Board believes it can be interpreted and applied consistently. In addition, in light of QC 1000’s detailed process for the evaluation of the QC system, including the new defined terms ‘‘QC deficiency’’ and ‘‘major QC deficiency,’’ discussed below, the Board does not believe such a footnote is necessary. Under QC 1000, firms will determine whether the QC system meets the reasonable assurance objective by determining whether any ‘‘major QC deficiencies’’ exist. The existence of major QC deficiencies indicates that the QC system does not provide reasonable assurance, whereas the existence of QC deficiencies that do not meet the definition of major QC deficiency does not. Since that conclusion is apparent from the definitions, the Board does not believe that the existing footnote is needed. The ‘‘reasonable assurance objective’’ of the firm’s QC system is similar to the objective of the QC system under existing PCAOB standards, except that the current standard requires reasonable assurance as to compliance with applicable requirements and ‘‘the firm’s 141 See PO 00000 ISQM 1.14; SQMS 1.15. Frm 00029 Fmt 4701 Sfmt 4703 49615 standards of quality’’ (i.e., the firm’s policies and procedures),142 whereas QC 1000’s reasonable assurance objective refers only to applicable requirements. This change reflects the different role played by firm policies and procedures under the Board’s current QC standards compared to QC 1000. Firm policies and procedures are the linchpin of current PCAOB QC standards: Most of the Board’s current QC standards simply require firms to establish, communicate, document, and monitor specified policies and procedures. Policies and procedures also play an important role under QC 1000, but they would have a different context because of the significant differences in the way in which the standard is structured. QC 1000 is grounded in the firm’s risk assessment process, whereby the firm’s quality objectives and the risks to achieving them are identified and addressed by the firm in an ongoing, structured fashion. This risk assessment process drives how the firm develops and refines its policies and procedures; the ‘‘quality responses’’ are designed and implemented to address quality risks. As such, policies and procedures are a means to an end—addressing quality risks—rather than an end in themselves. QC 1000 provides more detailed requirements regarding the structure, scope, and functioning of the firm’s QC system, particularly in the monitoring and remediation component, than the Board’s current QC standards. This does not mean that firms’ QC policies and procedures are no longer important. On the contrary, they are critical to addressing quality risks and thereby achieving quality objectives and the reasonable assurance objective. However, firms may no longer rely on simply promulgating policies and procedures as the central, and sometimes only, component of their QC system. Compliance with the QC standard ultimately is based on whether the firm has met its quality objectives and the reasonable assurance objective—which are driven by whether the firm’s policies and procedures have in fact been effective in addressing quality risks—and on whether the firm has complied with the requirements of the standard in the design, implementation, and operation of the QC system. Another commenter suggested that the QC system should not address firm policies and procedures that go beyond applicable professional and legal requirements, on the basis that it might undermine investor protection by disincentivizing firms from developing policies and procedures that 142 See E:\FR\FM\11JNN2.SGM QC 20.03; QC 20.17. 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49616 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices go beyond what is required. For the reasons discussed above, the Board has not included policies and procedures in the reasonable assurance objective. However, because policies and procedures play an important role in the firm achieving the reasonable assurance objective, the Board has determined that some quality objectives have to incorporate compliance with firm policies and procedures as well as applicable professional and legal requirements. The reasonable assurance objective also reflects the view that the purpose of the QC system is to drive overall compliance by the firm, each member of firm personnel, and each other participant with applicable professional and legal requirements, and not necessarily to drive more narrow compliance with firm policies and procedures. Under QC 1000, the reasonable assurance objective of the firm’s QC system is generally consistent with the objective of the QC system under the Board’s existing QC standards but, in addition to the changes discussed above, it places more emphasis in three key areas: • Expressly reminding auditors that an effective QC system protects investors by facilitating the consistent preparation and issuance of informative, accurate, and independent engagement reports; • Specifying that responsibilities be fulfilled not only with respect to professional standards, but also with respect to legal requirements to the extent they apply (e.g., SEC and PCAOB rules, other provisions of U.S. Federal securities law, and other applicable legal and regulatory requirements); and • Expressly mentioning compliant engagement reporting (an existing responsibility under PCAOB standards), given the explicit reference to audit reports in Sarbanes-Oxley.143 Responsibilities in this context include all responsibilities that are subject to applicable professional and legal requirements—for example, in relation to the firm’s engagements, work the firm does on other firms’ engagements, training, independence monitoring, and other activities that are part of or subject to the firm’s QC system. In addition, the objective covers the activities of a broader group than current standards. It applies not only with respect to firm personnel and other auditors, but also to other participants 143 See, e.g., section 103(a)(1) of Sarbanes-Oxley, 15 U.S.C. 7213(a)(1); section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C. 7213(a)(2)(B). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 involved in the firm’s engagements and QC activities whose work is performed at the direction of the firm. As discussed above, the Board believes that QC 1000 should reach such other participants in light of, among other things, the increasing prevalence and importance of the use of professionals and organizations outside the firm, such as auditor-engaged specialists and service centers, in audits performed under PCAOB standards. Many commenters, generally firms and related groups, expressed concern about the inclusion of other participants in the reasonable assurance objective. The Board believes that the firm’s own QC system must address all the work done on the firm’s engagements and in connection with the design, implementation, and operation of the firm’s QC system, regardless of who does it. The reasonable assurance objective in QC 1000 appropriately reflects that scope. b. Requirements To Design, Implement, and Operate a QC System (QC 1000.06– .07) QC 1000 requires all firms to design a QC system that complies with the standard. This entails assigning QCrelated roles and responsibilities as provided in paragraphs .10–.17; establishing quality objectives, at least annually identifying and assessing quality risks to the achievement of those objectives, and designing quality responses to address those risks, as provided in paragraphs .18–.57; designing a monitoring and remediation process that, upon implementation, would comply with paragraphs .58–.76; and documenting the design of the QC system as provided in paragraphs .81.86. The design of the QC system is based on the quality risks the firm likely would face if it performed engagements. The PCAOB received a significant volume of comments on this aspect of the proposal, which is discussed above. In addition, one commenter suggested emphasizing the concept of professional judgment by incorporating it in paragraph .06 or .07 and defining it in Appendix A of QC 1000. It is true that under QC 1000, judgment may have to be exercised in areas of the QC system, such as assessing risk and evaluating QC deficiencies. However, the basic approach of QC 1000, which specifies quality objectives to be achieved through specified risk assessment and monitoring and remediation processes, is outcome-based and not simply a matter of professional judgment. Moreover, under paragraph .10, all activities related to the QC system must be performed with due professional care. This means that even in PO 00000 Frm 00030 Fmt 4701 Sfmt 4703 judgmental areas, professional judgment is not unbounded; individuals must exercise professional skepticism and use the requisite knowledge, skill, and ability to diligently (and in good faith and with integrity) obtain and objectively evaluate information. Accordingly, the Board adopted these requirements as proposed. In addition to the obligation to design the QC system, firms are required under paragraph .07 to implement and operate an effective QC system (i.e., comply with all provisions of the standard) at all times that the firm is required to comply with applicable professional and legal requirements with respect to any of the firm’s engagements.144 This would occur, for example, whenever the firm has responsibilities with respect to the acceptance of an engagement, the performance of an engagement, remediation of deficiencies in an engagement, or matters associated with an engagement that arise or continue after issuance of the engagement report, such as retention of audit documentation, issuance of reports included in Securities Act filings (including consent to the inclusion of such reports),145 other engagement deficiencies,146 and subsequently discovered facts.147 Once a firm no longer has any responsibilities under applicable professional and legal requirements with respect to any firm engagements, the firm will be required to continue operating the QC system until the next September 30 (the next date as of which the firm is required to evaluate the QC system). This ensures that the firm will evaluate and report on the QC system for any year during which the QC system was required to operate.148 Note that firms may not have lengthy advance notice before responsibilities arise under applicable professional and legal requirements with respect to an engagement. For example, a firm may be contacted by an affiliated firm to play a substantial role in an engagement or may be asked to consent to the inclusion of a previously issued audit report in 144 Note, however, that the firm would not necessarily have to implement and operate every QC policy and procedure it has designed. See Scalability above. 145 See AS 4101, Responsibilities Regarding Filings Under Federal Securities Statutes. 146 See AS 2901. The Board amended AS 2901 in connection with this rulemaking to expand auditor responsibilities with respect to engagement deficiencies. See Amendments to AS 2901, Consideration of Omitted Procedures After the Report Date, and Related Amendments below for additional discussion. 147 See AS 2905, Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report. 148 The requirements for evaluating and reporting on the QC system are discussed below. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 the registration statement of a company previously audited by the firm. Under the standard, registered firms will have to stand ready to have their QC system implemented and operating over such responsibilities whenever they arise. Although all PCAOB-registered firms are required to design a QC system that complies with the standard, the obligation to implement and operate that system applies only when the firm is required to comply with applicable professional and legal requirements with respect to the firm’s engagements. Implementing and operating a QC system means that assigned personnel are fulfilling their QC-related roles and responsibilities under QC 1000, the relevant quality responses (i.e., policies and procedures) and monitoring and remediation process that the firm has designed are operational, and the firm is documenting the implementation and operation of its QC system. As noted above in the discussion of scalability, the scope of the QC system is driven by the professional and legal requirements that apply to the firm and its engagements and the relevant risks, which may vary depending on the nature and extent of the firm’s practice. The standard also makes clear that existing obligations under QC 1000, such as the obligation to evaluate and report on the QC system for periods in which the QC system was required to be implemented and operating, are not extinguished when a firm transitions from full applicability to scaled applicability. As discussed in more detail above, the Board’s view is that requiring all registered firms to design a QC system that complies with QC 1000 is consistent with the PCAOB’s statutory mandate, historical practice, and investor protection mission, and that scaling back obligations under QC 1000 to the design of the QC system, as described under paragraph .06, is justified in cases where a firm is not subject to any obligations under applicable professional and legal standards with respect to any firm engagement. b. Risk-Based Approach (QC 1000.08– .09) The Board did not receive comments specifically on these paragraphs and adopted them as proposed. These paragraphs require a firm to employ a risk-based approach to quality control, such that the firm proactively manages its QC system and the quality of the work it performs on engagements. Under the standard, the firm is required to design, implement, and operate a QC system that reflects and VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 responds to the firm’s particular risks through two process components. • The firm’s risk assessment process—establishing quality objectives, identifying, and assessing quality risks to the achievement of those objectives, and designing and implementing quality responses to address the identified quality risks—is applied to all of the aspects of the firm’s organization and operations that are covered by the QC system and thus is tailored to each firm’s specific facts and circumstances. • The monitoring and remediation process is carried out in a way that is informed by and responsive to risks— for example, quality risks influence both the selection of engagements to monitor and the design and extent of monitoring activities. The requirement to evaluate the effectiveness of the QC system supports continued improvement in these risk assessment and monitoring and remediation processes by requiring the firm to evaluate and report on whether the quality objectives and the reasonable assurance objective have been achieved. These requirements are discussed in more detail below. The aspects of QC 1000 that are riskbased are inherently scalable. In applying a risk-based approach, the firm is required to tailor its QC system to the firm’s specific facts and circumstances, including the size and complexity of the firm, the types and variety of engagements it performs, the types of companies for which it performs engagements, and whether it is a member of a network (and if so, the nature and extent of the relationship between the firm and the network). Accordingly, a large, complex firm that performs a wide variety of engagements will likely be required to have a more complex QC system than a small firm that performs a small number of less complex engagements. 2. Current PCAOB Standards As described above, under current QC standards, a QC system is broadly defined as a process to provide a firm with reasonable assurance that its personnel comply with professional standards applicable to its accounting and auditing practice and the firm’s standards of quality.149 The QC system encompasses the firm’s organizational structure, policies adopted, and procedures established to provide that reasonable assurance.150 Registered firms are required to design, implement, 149 See 150 See PO 00000 QC 20.03. QC 20.04. Frm 00031 Fmt 4701 Sfmt 4703 49617 and operate a system of quality control to provide this reasonable assurance. Roles and Responsibilities Expectations of individuals within the QC system are established through the assignment of roles and responsibilities that are essential to a well-functioning QC system. This aspect of the QC system creates clearer lines of communication and decision-making authority and greater accountability for those assigned to such roles. One commenter on the overall requirements supported them as proposed. Some firm commenters also supported the proposed roles and offered operational suggestions, while other firm commenters asserted that the proposed roles and responsibilities were not clear and appropriate for the reasons described in the following subsections. 1. QC 1000 a. Due Professional Care (QC 1000.10) Paragraph .10 of the standard addresses due professional care in performing responsibilities in relation to the QC system. Due professional care, applicable to all firm personnel and other participants, includes professional skepticism. The concept of due professional care imposes a responsibility upon firm personnel and other participants to observe relevant professional standards including, in the context of quality control, QC 1000. The Board believes that this provision is a helpful clarification because the PCAOB standards describing due professional care do not specifically mention QC activities.151 One commenter urged the PCAOB to clarify the need for professional skepticism by leadership in quality control roles. The Board does not believe specific provisions are needed in that regard, because paragraph .10 applies to all individuals performing QC roles, including those in leadership roles. The Board has adopted this provision with modifications to align with the descriptions of due professional care and professional skepticism being adopted in AS 1000.152 b. Assignment of Roles and Responsibilities (QC 1000.11–13) The Board proposed to require the highest-ranking executive in the firm to bear ultimate responsibility and 151 A new auditing standard, AS 1000, is being adopted to combine and update the four standards that set forth the general principles and responsibilities of the auditor, including AS 1015, Due Professional Care in the Performance of Work. See Auditor Responsibilities Release. 152 Id. E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49618 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices accountability for the QC system as a whole. If a firm has co-principal executive officers, each of them would bear such ultimate responsibility and accountability. The PCAOB did not prescribe the substantive qualifications the highest-ranking executive in the firm should have; the proposal did not include any such criteria (unlike the assigned roles under paragraph .12, which only may be assigned to personnel who have the experience, competence, authority, and time to carry out their responsibilities). The Board’s intention was to establish accountability for QC at the highest level within the firm and underscore the critical importance of the QC system. One commenter supported this requirement, as it is analogous to the CEO being jointly responsibly for the SEC certifications with respect to the financial statements and internal controls. One commenter requested clarification on the structure of smaller firms where the firm’s CEO may not be an audit practitioner and may rely on others to fulfill the requirements of the QC system. The Board believes it is important for the firm’s principal executive officer, irrespective of whether that person is an audit practitioner, to be ultimately responsible and accountable for the firm’s QC system, because the Board believes that this will lead to more vigorous oversight of the audit practice; benefiting investors and other stakeholders that rely on the firm’s work. The requirement in paragraph .12 of QC 1000 is limited to roles that are expected to exist in any firm and allows each firm to assign these roles based on the nature and circumstances of the firm, provided that those assigned have the experience, competence, authority, and time to enable them to carry out their assigned responsibilities. This approach also addresses scalability; as the note to paragraph .12 makes clear, depending on the nature and circumstances of the firm, one individual may be assigned to more than one of the roles in paragraphs .11 and .12. A number of commenters suggested that the roles in paragraph .12 should be able to be split into multiple roles or assigned to multiple people. Commenters asserted that the roles, such as operational responsibility for the ethics and independence component, are complex enough to require two individuals. Several of the same commenters expressed that the requirement is generally too prescriptive. Several firms indicated that many firms in larger networks may VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 commonly have these specified roles filled by individuals outside of the firm and the restriction of these roles to firm personnel may be problematic operationally. For the roles specified in paragraph .12, the final standard retains the requirement that only one individual may be assigned responsibility for each role. A firm may have multiple individuals or multiple layers of personnel supporting these roles, but the responsibility for the assigned role may not be delegated and will remain with the one assigned individual. For example, a firm could assign one person to ethics-related matters and another person to independence-related matters, as long as both of these individuals report to the person with operational responsibility for the firm’s compliance with ethics and independence requirements. The Board acknowledges that some firms may seek assistance from their network or other participants in performing some of their QC-related activities, but the Board believes a single individual within the firm should remain responsible for the operational responsibilities of the assigned roles. Regardless of whether specific tasks are delegated to others, the individual assigned to a specified role remains responsible and accountable for the role’s related responsibilities. Commenters generally supported allowing one person to hold multiple responsibilities under certain circumstances, such as smaller firms with limited resources. Two commenters supported the roles as proposed and one commenter suggested the firm’s head of audit practice also be included as a role. The Board’s view is that the roles specified in paragraph .12 would be appropriate for every firm. Provided that the criteria in paragraph .12 of QC 1000 are met, the individual assigned ultimate responsibility and accountability for the QC system also may assume responsibility for all aspects of the QC system, including operational responsibility for the QC system, the firm’s compliance with ethics and independence requirements, and the monitoring and remediation process. The Board has not been specific about who should be assigned the roles identified in paragraph .12. A firm may determine, based on its nature and circumstances, that it is appropriate to assign already established leaders to one or more of these roles, such as the head of audit practice as suggested by a commenter. One commenter requested clarification of the intended role in .12d. The role in paragraph .12d allows firms PO 00000 Frm 00032 Fmt 4701 Sfmt 4703 to assign operational responsibility for other components (e.g., the resources component) based on the nature and circumstances of the firm. The standard provides firms the ability to add additional roles and responsibilities, if appropriate, and the flexibility to assign one individual to more than one of the roles specified. The proposal asked if firms would have difficulty filling the assigned roles. Two commenters were optimistic these roles could be filled in light of the requirements. Commenters cited increased liability or workload associated with these roles as potential disincentives that may keep qualified individuals from accepting these roles. Specifically, some commenters asserted that the proposal would lower the threshold for individual liability compared to current requirements, and that the threat of enforcement sanctions would deter individuals from accepting the roles.153 One commenter sought clarification on the supervision obligations prescribed under QC 1000 and the Board’s authority to bring enforcement actions for failure to reasonably supervise under section 105(c)(6) of Sarbanes-Oxley. One commenter recommended amending paragraph .11 to acknowledge that individuals assigned ultimate responsibility for the QC system as a whole can rely on information provided to them and their responsibility is governed by a good faith standard. Two commenters expressed concern that firms, especially smaller issuer or broker-dealer practices, would have difficulty filling the specified roles. One commenter was concerned with increased accountability and suggested balancing accountabilities such that processes and outcomes, as well as rewards and penalties, are more appropriately weighted. Current QC standards generally impose responsibilities directly on the firm rather than on individuals. Enforcement actions related to the failure to comply with current QC standards can be brought against individuals for contributing to violations by the firm154 or for failing to 153 Analogous concerns were also raised by commenters in relation to the separate rulemaking Proposed Amendments to PCAOB Rule 3502 Governing Contributory Liability, available on the Board’s website in Docket 053. 154 See PCAOB Rule 3502, Responsibility Not to Knowingly or Recklessly Contribute to Violations. The Board has proposed to amend Rule 3502 in certain ways, including by changing the standard of conduct for associated persons’ contributory liability from recklessness to negligence. See Proposed Amendments to Rule 3502 Governing Contributory Liability, PCAOB Rel. No. 2023–007 (Sept. 19, 2023). E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices reasonably supervise an associated person of the firm who commits certain violations.155 Under QC 1000, the individuals who are assigned specific responsibilities with respect to the QC system could be charged with violations if they fail to comply with those enumerated responsibilities, as well as for contributing to firm violations or failing reasonably to supervise.156 As discussed further in the sections that follow, the individuals who fill the roles specified in paragraphs .11 and .12 of QC 1000 have specified responsibilities spelled out in paragraphs .14 through .17 of the final standard. Those individuals must exercise due professional care (see paragraph .10), and their failure to properly discharge their duties—for example, to establish or direct the establishment of certain QC-system reporting lines (see paragraph .14b), to certify the firm’s Form QC report to the PCAOB (see paragraphs .14d and .15b), or to timely communicate certain information to others (see paragraphs .16b and .17b)—would constitute violations of QC 1000. So while current QC standards generally require either a primary violation by the firm to trigger an individual’s potential liability under Rule 3502 or a primary violation by another associated person to trigger a supervisory person’s potential liability under section 105(c)(6) of SarbanesOxley, QC 1000 creates a framework in which an individual’s failure to discharge prescribed responsibilities could give rise to individual liability without regard to whether primary violations were committed by another. That is not to say, however, that the individuals filling the roles specified in paragraphs .11 and .12 of QC 1000 no longer can be charged with contributing to violations by the firm or for failing to reasonably supervise an associated person who commits certain violations. Because of the important role played by the individuals filling those roles, their failure to properly fulfill their responsibilities may contribute to violations by their firm. Furthermore, paragraphs .15a, .16a, and .17a of the final standard make clear that the individuals who fill the roles discussed therein are supervisory persons who have supervisory responsibilities under the Board’s QC standards, for purposes of section 105(c)(6) of Sarbanes-Oxley. The Board believes that providing another basis for enforcement against responsible individuals could enhance their accountability for the QC system. 155 See Sarbanes-Oxley sec. 105(c)(6), 15 U.S.C. 7215(c)(6). 156 See PCAOB Rel. No. 2023–007. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 Enhanced accountability emphasizes the importance of the firm assigning roles to firm personnel who have the experience, competence, authority, and time needed to carry out their assigned responsibilities. Although the Board recognizes that some commenters expressed concern about whether individuals would be willing to assume these specified roles, the Board believes that these roles are necessary and appropriate for every firm. The Board also believes that, with appropriate incentives, firms should be able to fill these roles. The PCAOB is adopting these requirements as proposed. The Board discusses each of the QC roles identified in the standard in the subsections that follow. Paragraph .13 provides that individuals assigned operational responsibilities under paragraph .12 should have a direct line of communication to the individual with ultimate responsibility and accountability for the QC system. This line of communication would provide these individuals the information necessary to perform their assigned roles. One commenter supported a feedback loop between the individuals assigned responsibilities under paragraphs .11 and .12, but sought clarity regarding whether individuals in the roles in paragraph .12 are required to report to the firm’s principal executive officer. The Board has not prescribed the firm’s reporting structure related to those roles, as it may vary based on the nature and circumstances of the firm. c. Ultimate Responsibility and Accountability for the QC System as a Whole (QC 1000.14) The individual assigned ultimate responsibility and accountability for the QC system as a whole reinforces the responsibility and accountability of firm personnel by demonstrating a commitment to quality. The standard emphasizes the role of that individual— by the individual recognizing and reinforcing professional ethics, values, and attitudes through the individual’s actions, behaviors, and communications—in establishing a firm’s tone at the top and attitude towards quality. The individual assigned ultimate responsibility and accountability is responsible for establishing, or directing the establishment of, structures, reporting lines, and authorities and responsibilities for the roles involving operational responsibility for aspects of the QC system and the QC system as a whole. For each firm, the approach to fulfilling these responsibilities will be dependent on the firm’s nature and PO 00000 Frm 00033 Fmt 4701 Sfmt 4703 49619 circumstances. For example, in a smaller firm where there are fewer individuals with assigned roles, structures may be less formal. Conversely, for a larger firm, it may be necessary to have multiple individuals in roles with assigned responsibilities or to have multiple layers of personnel supporting different activities. However, ultimate responsibility and accountability cannot be delegated. Also, the individual assigned ultimate responsibility and accountability is accountable for the design, implementation, and operation of the firm’s QC system in accordance with applicable professional and legal requirements and the firm’s policies and procedures, as well as for the firm’s annual QC system evaluation. The functions performed by the individual with ultimate responsibility and accountability may vary across firms. For example, in a smaller firm, the individual assigned ultimate responsibility and accountability may be directly involved in aspects of the QC system, such as the firm’s monitoring and remediation process. In a larger firm, this person may supervise others who perform these activities. Lastly, the Board proposed requiring the individual assigned ultimate responsibility and accountability for the QC system as a whole, along with the individual assigned operational responsibility and accountability for the firm’s QC system as a whole, to certify the firm’s annual evaluation of its QC system in a report to the PCAOB. One commenter expressed concern that the certification requirements may create a barrier to firms operating in environments that do not have Sarbanes-Oxley-style reporting requirements. The same commenter also emphasized the certifications may have a disproportional impact on smaller firms that have fewer resources. One commenter suggested that certification by the firm’s CEO is an ineffective incentive and a more appropriate incentive would be compensation that was heavily weighted towards effective QC systems. As discussed further below, the Board believes such certification will lead to increased discipline in the evaluation process and reinforce the accountability of the certifying individuals, and has adopted that requirement as proposed. The Board believes certifications are commonly known among issuers within the regulatory environment and would be familiar to their auditors. The Board also believes the certification requirements will complement the revised provisions in paragraphs .25b and .44g of the final standard, which E:\FR\FM\11JNN2.SGM 11JNN2 49620 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices address compensation incentives based on an effective QC system. khammond on DSKJM1Z7X2PROD with NOTICES2 d. Operational Responsibility and Accountability for the QC System as a Whole (QC 1000.15) This requirement did not draw comment and the Board adopted it as proposed. The individual assigned operational responsibility and accountability for the QC system as a whole is accountable for supervising the design, implementation, and operation of the firm’s QC system. This includes overseeing the operation of the QC system in achieving the reasonable assurance objective. Depending on the nature and circumstances of the firm, this individual may be the same person assigned ultimate responsibility and accountability for the QC system, or may be assigned other operational responsibilities, such as for ethics and independence or monitoring and remediation. In carrying out the specified responsibilities, the individual assigned operational responsibility and accountability for the QC system as a whole may be supported by the individuals assigned operational responsibility for the firm’s compliance with ethics and independence requirements, the monitoring and remediation process, or other components of the QC system. This includes receiving information from such individuals regarding violations of ethics and independence requirements and the results of the monitoring and remediation process. Along with the individual assigned ultimate responsibility and accountability for the QC system as a whole, and for similar reasons, the Board has required the individual assigned operational responsibility and accountability for the QC system as a whole to certify the firm’s annual report to the PCAOB on the evaluation of its QC system, as discussed below.157 e. Operational Responsibility for the Firm’s Compliance With Ethics and Independence Requirements (QC 1000.16) Compliance with ethics and independence requirements is essential to the performance of engagements and, in some situations, presents challenging, novel, or complex issues. The current requirements for former SECPS member firms include designating a senior-level partner to oversee the firm’s 157 If the same person were assigned both ultimate responsibility and accountability and operational responsibility and accountability for the QC system, that person would sign the certification in both capacities. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 independence policies and consultation process, among other independencerelated activities. Like in the proposal, in the final standard the individual assigned operational responsibility for compliance with ethics and independence requirements will supervise the areas addressed by the ethics and independence component of QC 1000, which include the firm’s risk assessment process for ethics and independence and the design, implementation, and maintenance of the firm’s policies and procedures related to ethics and independence. Within the ethics and independence component, there are quality objectives and specified quality responses that address potential violations of ethics and independence requirements, including a quality objective that potential violations are communicated to the individual with operational responsibility for ethics and independence requirements. That individual is then responsible for communicating such violations to the individuals assigned operational responsibility for the monitoring and remediation process and operational responsibility and accountability for the QC system as a whole. Paragraph .16b, as well as several other requirements in the standard, refers to actions being taken on a ‘‘timely basis.’’ In each of these cases, what constitutes ‘‘timely’’ would depend on the underlying matter to which the action relates, including the matter’s nature, scope, and impact. Timely communication and action should be sufficiently prompt to achieve its objective. In some cases, for example, where there is a high risk of a severe or pervasive problem, communication and action may have to be immediate to be timely. The only commenter on this term agreed that what constitutes ‘‘timely’’ would depend on the underlying matter to which action relates. The commenter also wanted clarification that the firm’s policies and procedures assist in promoting communication such that the appropriate individuals with responsibilities over the firm’s QC system become aware of relevant matters in a timely manner, as appropriate for the size and the scale of the firm and relative nature of the matter. Insofar as the comment may be read to suggest that the size and scale of the firm, on its own, is a factor in determining timeliness, the Board disagrees. In the Board’s view, timeliness is a function of the nature and significance of the issue (appreciating that the size and scale of PO 00000 Frm 00034 Fmt 4701 Sfmt 4703 the firm may be relevant in gauging the nature and significance of an issue). One commenter expressed concern that the prescriptiveness of the communication requirements may detract from the achievement of the intended objectives. Specifically, the commenter was concerned that it may not be appropriate to require communication of all violations to the individual with operational responsibility and accountability for the QC system as a whole. The specified communications are intended to enable these individuals to take timely and appropriate actions in accordance with their responsibilities. In the Board’s view, in order to do that, they need to be apprised of ethics and independence violations. Ethics or independence violations may take a variety of forms, and therefore the nature and extent of the communication may also take a variety of forms commensurate to the severity and pervasiveness of the violation. Leaving aside the question of whether a violation of ethics or independence requirements could ever be insignificant, individual violations may evidence problems within specific areas of the firm’s policies and procedures or an overall pattern of disregard for ethics and independence requirements that requires timely intervention. The Board has adopted these requirements as proposed. f. Operational Responsibility for the Monitoring and Remediation Process (QC 1000.17) The monitoring and remediation process is a critical part of a firm’s QC system because it creates a feedback loop to inform the firm’s risk assessment process, results in an approach that drives continuous improvement, and provides the firm with information about whether the QC system is operating effectively. As proposed, the individual assigned operational responsibility for the monitoring and remediation process would be responsible for supervising the design, implementation, and operation of the monitoring and remediation process component and the evaluation of the QC system. This individual would also be responsible for overseeing actions taken to respond to identified engagement deficiencies, QC deficiencies, and major QC deficiencies. One commenter was concerned that it would be a conflict of interest for this individual to oversee both the monitoring and remediation process and the evaluation process. Another commenter recommended that the responsibility for the annual evaluation E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices be shared between the individual with operational responsibility for the QC system as a whole, who recommends the evaluation conclusion, and the individual with operational responsibility for the monitoring and remediation process, who concurs or recommends changes to the conclusion. The Board understands that in a smaller firm these roles may all be performed by the same individual. In a larger firm that assigns different individuals to the roles, the individual with operational responsibility for the monitoring and remediation process supervises the evaluation process. Although the individual overseeing the monitoring and remediation process also oversees the evaluation process, other aspects of QC 1000 drive accountability for the evaluation. Paragraph .14c makes the individual assigned ultimate responsibility and accountability for the QC system as a whole accountable for the annual evaluation. Additionally, paragraphs .14d and .15b impose certification requirements that also drive accountability for the evaluation process. The Board has adopted this requirement as proposed. The individual assigned operational responsibility for the monitoring and remediation process is also responsible for communicating, on a timely basis, matters related to monitoring and remediation to the individuals assigned ultimate responsibility and accountability for the QC system as a whole and operational responsibility and accountability for the QC system as a whole. These communications would include key aspects of the monitoring and remediation process, such as the monitoring activities performed, results of the monitoring activities, and the remedial actions taken. The communication of this information to the individual assigned ultimate responsibility and accountability for the QC system as a whole facilitates and supports that individual’s overall accountability for the evaluation of the QC system. khammond on DSKJM1Z7X2PROD with NOTICES2 2. Current PCAOB Standards QC 20.22 requires the assignment of responsibility for the design and maintenance of QC policies and procedures to appropriate individuals but does not specify the role or roles to which such responsibilities should be assigned. In addition, members of the SECPS are required to designate a senior-level partner responsible for, among other things: • Overseeing the functioning of the firm’s independence policies and consultation process; VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 • Maintaining the restricted entity list and providing it to all professionals; and • Supervising the monitoring system related to overseeing that independence violations are addressed. QC 1000 retains and expands on these concepts. However, rather than specifying that a senior-level partner be responsible for independence matters, the standard takes a more functional approach, requiring a person with the experience, competence, authority, and time needed to enable that person to carry out the assigned responsibilities. Another key difference, as discussed above, is that QC 1000 imposes specific responsibilities on the individuals assigned the specific roles, such that enforcement action could be brought against them individually if they fail to meet those responsibilities. The Firm’s Risk Assessment Process The risk assessment process is the basis for a risk-based approach to the design, implementation, and operation of the firm’s QC system. The firm’s risk assessment process, in combination with the monitoring and remediation process, creates a feedback loop to drive continuous improvement of the firm’s QC system. The proposal included a risk assessment process that would be principles-based and could be tailored to the size and complexity of the firm and the types and variety of engagements it performs. Several commenters, including firms, were generally supportive of a risk-based approach to the firm’s QC system. One commenter, an investor-related group, expressed concern that a principlesbased approach would allow audit firms too much discretion in conducting their own risk assessment. Another commenter noted that while they generally supported a risk-based, scalable approach, they supported a more prescriptive approach for the resources and monitoring and remediation components. The Board has retained the approach as proposed because it believes that applying a risk-based approach to the design, implementation, and operation of the QC system will prompt firms to identify and focus on the most relevant risks to quality in the context of their own practice and will make QC 1000 appropriately adaptable to future changes in technology, regulation, and the business environment. It will also ensure scalability, allowing firms to right-size their QC systems as their practices grow and change. As discussed above, QC 1000 contains a balance of prescriptive and risk-based elements. PO 00000 Frm 00035 Fmt 4701 Sfmt 4703 49621 One commenter requested clarity on whether QC 1000 would operate separately or in concert with other quality control standards, specifically whether the risk assessment process would apply only to engagements performed under PCAOB standards or to the firm’s overall risk assessment of all its engagements, including those performed under other standards. Consistent with the way the term ‘‘engagement’’ is defined in QC 1000,158 the requirements of QC 1000, including those regarding the firm’s risk assessment process, generally apply only to work performed under PCAOB standards. However, nothing prevents a firm from designing, implementing, and operating a single risk assessment process for its entire audit and assurance practice that satisfies both QC 1000 and the other quality control standards that apply to the firm. The risk assessment process should be familiar to firms because it is analogous to existing auditor responsibilities for identifying, assessing, and responding to risks of material misstatement of the financial statements. Audit procedures for identifying and assessing risks of material misstatement include information-gathering procedures to identify risks (e.g., obtaining an understanding of the company, its environment, and its internal control), assessment of risks based on information obtained, and design and implementation of responses to address the identified risks.159 The standard creates analogous responsibilities in relation to the QC system. Similarly, as the auditor is required by auditing standards to modify the overall audit strategy and the audit plan if circumstances change during the course of the audit,160 the firm is required by QC 1000 to monitor, identify, assess, and respond to changes in relevant conditions, events, and activities that affect the firm’s QC system. 1. QC 1000.18 The firm’s risk assessment process applies to the six components of the firm’s QC system that specify quality objectives. To design, implement, and operate this process, the firm is required to: • Establish quality objectives; • Identify and assess quality risks to the achievement of the quality objectives; and 158 See Terminology discussed above. generally AS 2110, Identifying and Assessing Risks of Material Misstatement. 160 See AS 2110.74. 159 See E:\FR\FM\11JNN2.SGM 11JNN2 49622 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 • Design and implement quality responses to address the identified quality risks. The process for establishing quality objectives, identifying, and assessing quality risks, and designing and implementing quality responses is iterative, and the requirements of the standard would not necessarily be addressed in a linear manner. For example, in identifying and assessing quality risks, the firm may determine that one or more additional quality objectives are required; in designing and implementing quality responses, the firm may identify additional quality risks. The risk assessment process is also iterative and ongoing, so that new or developing risks are identified and addressed as they emerge. For smaller and less complex firms, the risk assessment process may be centralized and involve only a few individuals. For larger and more complex firms, the risk assessment process may be more structured and decentralized, involving multiple layers and groups. The Board believes that the risk assessment approach will prompt firms to proactively identify, assess, and respond to quality risks, while at the same time allowing them to apply judgment when identifying and assessing quality risks. a. Establish Quality Objectives (QC 1000.19) The standard defines quality objectives as the desired outcomes in relation to the components of the QC system to be achieved by the firm. Establishing quality objectives is the first step in the risk assessment process and forms the basis for the identification and assessment of quality risks and the design and implementation of quality responses. The quality objectives are outcome-based and the risk assessment process provides firms the ability to determine how the quality objectives are to be achieved. One investor-related group expressed concern with the lack of specificity in the proposed standard regarding the design of an audit firm’s quality control system, suggesting that the proposed standard would enable firms to design a QC system that could too easily be certified as working properly. The Board believes that the quality objectives specified in QC 1000 will promote an appropriate level of rigor in the QC system. While QC 1000 provides some flexibility with regard to the quality risks that firms identify and the quality responses that firms develop to address those risks, it does not provide the same flexibility with regard to quality objectives. Instead, quality objectives that will apply to all firms are specified VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 in the standard. Firms can establish additional quality objectives—indeed, they are required to do so if necessary to achieve the reasonable assurance objective—but they generally cannot omit or modify any of the quality objectives set out in the standard. Therefore, firms do not determine the criteria by which their QC systems will be assessed, only the means by which they will meet those criteria. Quality objectives are specified in the standard for six of the components of the QC system: governance and leadership, ethics and independence, acceptance and continuance of engagements, engagement performance, resources, and information and communication. A firm may determine that it is necessary to establish quality objectives for its monitoring and remediation process. In those circumstances, the firm’s risk assessment process would also apply to the monitoring and remediation process. Otherwise, although monitoring and remediation would not be subject to the firm’s risk assessment process as described in the standard, it would nevertheless be carried out in a way that is informed by and responsive to quality risks.161 The Board believes that, for many firms, the quality objectives specified in the standard are likely to be comprehensive and it does not expect, in the current environment, that additional quality objectives would generally be necessary. However, the Board also recognizes that the nature and circumstances of a firm and its engagements will vary and conditions may change. Accordingly, a firm is required to establish additional quality objectives if necessary to achieve the reasonable assurance objective. The requirement for the firm to establish quality objectives necessary to achieve the reasonable assurance objective is designed to prompt ongoing reexamination of the quality objectives and modification as needed, which should enable the firm’s QC system to adapt to a changing environment and remain fit for purpose. If a firm determines that its quality objectives need to be more specific, it could establish sub-objectives to provide a more direct link to quality risks and support the development of more comprehensive or better-targeted responses. 161 See Monitoring and Remediation Process below. For example, quality risks and the reasons for their assessment are factors a firm would take into account when determining the nature, timing, and extent of its monitoring activities. PO 00000 Frm 00036 Fmt 4701 Sfmt 4703 b. Identify and Assess Quality Risks (QC 1000.20) The proposal defined quality risks as risks that, individually or in combination with other risks, have a reasonable possibility of adversely affecting the firm’s achievement of one or more quality objectives if the risks were to occur, and are either (i) risks that have a reasonable possibility of occurring or (ii) risks of intentional acts by firm personnel and other participants to deceive or to violate applicable professional and legal requirements. The ‘‘reasonable possibility’’ term in the definition of quality risks is aligned with use of the term in PCAOB standards: 162 there is a reasonable possibility of an event when the likelihood of the event is either ‘‘reasonably possible’’ or ‘‘probable,’’ as those terms are used in the FASB Accounting Standards Codification (‘‘FASB ASC’’) Topic 450, Contingencies.163 A number of commenters raised questions or made suggestions about the proposed treatment of intentional acts in the definition of quality risks. One commenter suggested that intentional misconduct should not be explicitly addressed in the definition because the necessary response, especially as it relates to colleagues’ behavior, may negatively impact the trust among colleagues and could constrain the achievement of quality objectives. Instead, this commenter suggested that the risk of intentional misconduct may be more effectively considered and responded to as part of the broader understanding of quality risks. Another firm expressed concern that requiring consideration of all illegal acts would contradict a risk-based approach. Several firms agreed that the definition of quality risks should explicitly address the risk of intentional misconduct but suggested that the definition should also address the possibility of occurrence related to acts of intentional misconduct. Several commenters, including firms, firmrelated groups, and an academic, recommended that the threshold of ‘‘reasonable possibility of occurring’’ should apply to all quality risks, including risks of intentional misconduct. Many of these commenters said that not applying the threshold of ‘‘reasonable possibility of occurring’’ to 162 See generally, e.g., AS 1105, Audit Evidence; AS 2101; AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements. 163 See FASB ASC paragraph 450–20–25–1; see also, e.g., footnote 4 to AS 1105.12, which incorporates the ASC definition. E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices the risk of intentional misconduct would not be practical and could harm audit quality as this would divert time, resources, and attention from addressing more reasonably possible risks. Some commenters referenced the inclusion of the ‘‘reasonable possibility of occurring’’ threshold in AS 2110 and suggested that the same principle should apply to the risk of intentional misconduct in QC 1000. Two of these commenters suggested that not applying the threshold of ‘‘reasonable possibility of occurring’’ to the definition of quality risks would be inconsistent with AS 2401, Consideration of Fraud in a Financial Statement Audit, and could impose a threshold on firms that exceeds the current auditing standards over auditors’ identification and assessment of fraud risks. Several commenters also stated that the inclusion of other participants in addressing every conceivable risk of intentional misconduct may be impractical as firms may have limited access to information on the conduct of other participants. One firm suggested that additional guidance may be beneficial with regard to assessing and responding to risks of intentional misconduct by other participants that are not part of the firm. A firm-related group suggested that not applying the threshold of ‘‘reasonable possibility of occurring’’ to intentional misconduct appeared to go beyond the reasonable assurance objective and expressed concern that, without further clarification of how firms should deal with risks of intentional misconduct with less than a reasonable possibility of occurring, a disproportionate level of resources could be allocated to this area, to the detriment of other quality risks with more than a remote possibility of occurring. After considering the comments received, the Board revised the definition of quality risks such that the threshold of ‘‘reasonable possibility of occurring’’ applies to all risks, including risks of intentional misconduct by firm personnel and other participants. However, the Board continues to believe that firms should be explicitly prompted to consider risks of intentional misconduct in their risk assessment process, because without such a prompt, firms may discount the possibility that intentional misconduct may occur and omit or underweight these types of risks in their risk assessment process. Therefore, the final definition provides that, for all risks, whether or not related to intentional misconduct, the firm would assess the possibility of occurrence and the possibility that the VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 risks would have an adverse effect on the achievement of its quality objectives. One firm suggested that while the threshold of ‘‘adversely affecting’’ is reasonably understood, additional guidance or examples would be welcomed. Another commenter noted that more examples serve as helpful interpretive guidance to those implementing the standard. Two firms believed the threshold is sufficiently clear and did not have specific requests for further guidance. The Board will monitor the implementation of the new standard by audit firms, and, if appropriate, consider the need for additional guidance. The standard requires the firm to identify and assess quality risks for each quality objective it establishes. Most quality objectives are likely to have multiple quality risks. Some quality risks may relate to multiple quality objectives, either within a single component or across several components. The nature and extent of the firm’s risk assessment process would be commensurate with the firm’s quality risks and therefore will vary across firms in nature, scope, and complexity. In assessing risks, the firm would consider how often the quality risks may occur and the magnitude of the impact of the quality risks on the related quality objectives. The firm would then take this information into account in determining the nature, timing, and extent of the quality response(s) needed to address the quality risk. One commenter requested clarification of whether the Board expects firms to categorize the identified risks (for example as lower, higher, or significant). While there is nothing in QC 1000 that requires such categorization, firms that find such an approach helpful could certainly use it. The standard requires the identification and assessment of quality risks annually. Requiring an assessment annually, as well as when matters come to the firm’s attention, drives a systematic, disciplined, and proactive approach to assessing the firm’s quality risks. Through the Board’s oversight activities, it has observed that many firms update their QC systems on an ad hoc basis, in response to changes in regulatory requirements or deficiencies identified by internal or external inspections, and do not have a systematic process of risk assessment. This reactive approach can result in firms taking corrective actions only after deficient audits have been identified. The annual identification and assessment requirement will instill a PO 00000 Frm 00037 Fmt 4701 Sfmt 4703 49623 regular and disciplined approach to performing the risk assessment process and to identifying new quality risks that require modifications to the firm’s quality responses or quality risks identified in a prior year that may no longer be sufficient or relevant. The standard does not specify quality risks that must be assessed and responded to by all firms; rather it includes factors for the firm to consider in its risk assessment process. The Board believes that such an approach would result in the firm identifying and assessing the quality risks that are most relevant in light of its facts and circumstances. i. Obtain an Understanding of the Conditions, Events, and Activities That May Adversely Affect the Achievement of the Firm’s Quality Objectives The standard requires the firm, as part of identifying and assessing quality risks, to obtain an understanding of the conditions, events, and activities that may adversely affect the achievement of the firm’s quality objectives. This understanding underpins the firm’s identification and assessment of the quality risks that are most relevant to the achievement of the firm’s quality objectives. Appendix B of the standard provides examples related to the nature and circumstances of the firm and its engagements that may give rise to quality risks. The considerations highlighted in paragraph .20a. and Appendix B could assist the firm in identifying one or more quality risks to the achievement of one or more quality objectives. For example, consideration of changes in a firm’s structure may be relevant for a firm that has recently completed an acquisition of another firm. This consideration may result in the identification of a number of quality risks, such as a quality risk that the audit methodology used by the acquired firm may not be compatible with the acquirer’s methodology or a quality risk that the firm is unable to retain personnel post-acquisition, which may pose risks to quality objectives in areas like engagement performance and resources. Several commenters, including firms, noted that the examples provided in Appendix B were helpful. Two commenters expressed concern with the language used in paragraph .20a., specifically, that it was not sufficiently clear that the specific examples in Appendix B are meant to be illustrative rather than a checklist for every firm to consider. As the Board stated in connection with the proposal, the list in paragraph .20a. is not intended to be E:\FR\FM\11JNN2.SGM 11JNN2 49624 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices exhaustive and the specific examples provided in Appendix B are meant to be illustrative rather than a checklist for every firm to consider. Whether particular conditions, events, and activities are relevant, and result in one or more quality risks, depends upon the nature and circumstances of the firm and its engagements and how the conditions, events, and activities relate to or affect the operation of the firm’s QC system and the performance of its engagements. The firm may also identify quality risks that do not relate to the list in paragraph .20a. or to any of the specific examples. One firm expressed concern with the inclusion of proposed paragraph B10b. in Appendix B, which discusses the extent of alignment of a third-party provider’s standards of conduct with those of the firm. The firm suggested that the example may imply that thirdparty providers from outside the public accounting profession may not be appropriate or sufficient, because they may not be subject to a centrally governed code of conduct. Nothing in the Board’s standards requires a thirdparty provider to have a centrally governed code of conduct and the Board has added the phrase ‘‘if any’’ to the example to eliminate any ambiguity in that regard. However, the Board does believe that the existence of such a code of conduct, and the extent to which it aligns with the firm’s own standards of conduct, is a relevant example that could be considered by a firm in assessing whether there exist conditions, events, or activities, as a result of its use of resources or services obtained from third-party providers, that may adversely affect the achievement of its quality objectives. khammond on DSKJM1Z7X2PROD with NOTICES2 (1) The Nature and Circumstances of the Firm The standard includes a list of considerations related to the nature and circumstances of the firm. Appendix B of the standard provides specific examples of each consideration in paragraphs .B2 through .B11. The Board continues to believe that to consistently execute quality audits, it is important that a commitment to audit quality is embedded in the firm’s culture and exists throughout the firm. In connection with this, the Board has added a new paragraph .20a.(1)(d) and paragraph .B5 to provide firms with an additional risk assessment consideration relating to the culture of the firm, and the extent to which a culture of integrity and a commitment to audit quality, including ethics and independence, is promoted within the firm and embraced VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 by firm personnel across all levels of the firm. In addition, the Board has added paragraph .B6e. to highlight that in understanding the resources of the firm, the firm may also have to consider the risks associated with technological resources, including their susceptibility to cybersecurity breaches. (2) The Nature and Circumstances of The Firm’s Engagements In obtaining an understanding of the nature and circumstances of the firm’s engagements, the firm considers the types of engagements performed by the firm as well as the types of entities for which such engagements are undertaken. Paragraph .B12 of Appendix B of the standard contains a list of examples of these considerations. For instance, a firm that conducts audits of broker-dealers may consider information from relevant authorities, like the SEC and Financial Industry Regulatory Authority (‘‘FINRA’’), in identifying risks associated with such audit engagements. The Board added an example to paragraph .B12a. to highlight that in understanding the nature and circumstances of the firm’s engagements, the firm may also consider the laws and regulations to which the companies it audits are subject. (3) Other Relevant Information Other relevant information captures other information sources that help the firm to identify quality risks. One such source is the firm’s monitoring and remediation activities. Consideration of information from those activities creates a feedback loop within the QC system by informing the firm of the results of the monitoring and remediation process that may help the firm identify quality risks. Other sources are external inspections and oversight activities by regulators, and other external reviews, such as peer reviews. For example, the results of an external inspection may identify a high rate of noncompliance with independence requirements within a specific office of the firm or within a certain employee staff level, which the firm would take into account when identifying and assessing quality risks for the ethics and independence component. ii. Identify and Assess Quality Risks Based on the Understanding Obtained Under the standard, identifying and assessing quality risks is an ongoing, iterative process. The firm assesses risks as part of the initial design and implementation of the QC system, and thereafter annually, including in PO 00000 Frm 00038 Fmt 4701 Sfmt 4703 response to new information or changes in its circumstances and environment. The standard requires the firm to identify and assess quality risks for each of the quality objectives established by the firm, based on the understanding of the relevant factors and other relevant information and taking into account whether, how, and the degree to which the achievement of the quality objectives may be adversely affected. The note clarifies that this assessment is based on inherent risk, without regard to the effect of any related quality responses. The assessment is similar to the determination made under AS 2201 as to whether an account or disclosure is significant based on inherent risk, without regard to the effect of controls.164 One commenter agreed with the clarification provided in the note that the assessment is based on inherent risk, but expressed concern that the note may not be sufficient to prompt or remind auditors of the independence of quality risks from quality responses. The Board believes that the note to paragraph .20b. provides clear direction for assessing quality risks without regard to the effect of quality responses. The Board will monitor the implementation of the new QC standard, and, if appropriate, consider the need for additional guidance. Quality risks may affect one or more quality objectives, either within a single component or across several components. For example, a quality risk that the firm may not be able to attract and retain qualified personnel would affect several quality objectives in the resources component, and may also affect quality objectives in other components, such as engagement performance or engagement acceptance and continuance. Under the definition of quality risks, the firm would not be required to identify every conceivable risk, but only those that have a reasonable possibility of occurring and, if they were to occur, a reasonable possibility of adversely affecting the firm’s achievement of one or more quality objectives. The identification of quality risks takes into account individual risks as well as combinations of risks. For example, a risk that has a reasonable possibility of occurring but individually does not have a reasonable possibility of adversely affecting the achievement of the quality objective may meet the proposed definition of a quality risk when analyzed in combination with other risks. The firm may undertake the quality risk assessment separately or 164 See E:\FR\FM\11JNN2.SGM AS 2201.A10. 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices concurrently with risk identification. Assessing the identified quality risks involves consideration of the frequency with which the quality risks may occur and the magnitude of the impact of the quality risks on the related quality objective(s). Identifying quality risks with the appropriate degree of specificity (not too narrowly or too broadly) would help the firm design quality responses that reduce to an appropriately low level the risk that the quality objective will not be achieved. Quality risks that are defined too broadly may result in quality responses that are not sufficiently targeted to the actual quality risk. Conversely, if quality risks are defined too narrowly, the 49625 quality responses may not sufficiently address the full extent of the actual quality risk. The process of identifying and assessing quality risks is depicted below. BILLING CODE 8011–01–P Identifying and Assessing Quality Risks Start Does a risk have a reasonable possibility of adversely affecting the firm's achievement of one or more quality objectives? ludividuaUy or in combination with other risks? Not a Quality Risk Quality Risk VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 PO 00000 Frm 00039 Fmt 4701 Sfmt 4725 E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.005</GPH> khammond on DSKJM1Z7X2PROD with NOTICES2 Does a risk have a reasonable possibility of occurring? 49626 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 BILLING CODE 8011–01–C c. Design and Implement Quality Responses (QC 1000.21) The standard requires the firm to design and implement quality responses that address quality risks in order to achieve the quality objectives. Quality responses are defined as policies and procedures designed and implemented by the firm to address quality risks. Under the definition, policies are statements of what should, or should not, be done to address assessed quality risks. Procedures are actions to implement and comply with policies. Under the principles-based approach of the standard, the nature, timing, and extent of quality responses depend on the underlying quality risks and the reasons why these risks were assessed as quality risks. For example, a quality risk that is tied to an event that is expected to occur multiple times per year, or that could have a very significant impact, requires a more extensive response than a quality risk tied to a specific event that is expected to occur only once and have a less significant impact. The firm may decide to implement quality responses at the firm level or the engagement level, or through a combination of responses at the firm and engagement levels, depending on the nature of the quality risk. Quality responses may address multiple quality risks related to one or more QC components. Quality responses may vary depending on to whom they apply. For example, based on the quality risks that are being addressed, the firm may develop some policies and procedures that are applicable to all firm personnel and others that apply only to firm leadership or personnel in a particular function or geographic location. Similarly, the firm’s policies and procedures regarding other participants may be different for different types of other participants (e.g., network affiliates, engaged specialists). Information obtained from the identification and assessment of quality risks enables the firm to develop quality responses that appropriately and adequately respond to the quality risks. In assessing risks, the firm would consider how often the quality risks may occur and the magnitude of the impact of the quality risks on the related quality objectives. The firm would then take this information into account in determining the nature, timing, and extent of the quality response(s) needed to address the quality risk. In addition to the quality responses designed by the firm, the standard VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 requires certain specified quality responses for all firms. Some specified quality responses are drawn from existing PCAOB requirements 165 or from the specified responses in ISQM 1,166 and have been included either to carry existing requirements into the new standard or to create other obligations that would have to be met in designing, implementing, and operating the QC system. Other specified quality responses are new provisions that the Board believes are sufficiently important to merit an explicit requirement. The specified quality responses are not intended to be comprehensive; on the contrary, for most of the components of the firm’s QC system, QC 1000 includes only a few specified quality responses, and for the engagement performance component there are none. As a result, the specified quality responses alone would not be sufficient to enable the firm to achieve all established quality objectives, and firms must design and implement their own quality responses in addition to the specified quality responses. The specified quality responses and the quality responses the firm designs and implements on its own are critical in addressing quality risks. For example, the specified quality response requiring mandatory training 167 may address some of the quality risks related to certain quality objectives in the resources component (e.g., hiring, developing, and retaining firm personnel).168 However, mandatory training alone will not be sufficient to address all the quality risks that may be identified for that quality objective and will have to be combined with additional firm-developed quality responses. d. Modifications to the Quality Objectives, Quality Risks, or Quality Responses (QC 1000.22–.23) The standard requires firms to take proactive measures to address new quality risks that may come up between the firm’s periodic risk assessments. To the extent practical, these policies and procedures would be not just retrospective, but also forward-looking, so the firm could anticipate and plan for significant changes. For example, a new accounting standard may result in a firm identifying a new quality risk that firm personnel may misinterpret the new standard. Identifying this risk prior to the next annual risk assessment may prompt the firm to revisit its quality 165 See, e.g., QC 20.10, .13a, .13b, and .15a. paragraph .34 of ISQM 1. 167 See QC 1000.48. 168 See QC 1000.44a. 166 See PO 00000 Frm 00040 Fmt 4701 Sfmt 4703 responses that are affected by this event, and thus avoid potential problems in future engagements. One commenter suggested that it may be cost beneficial to require or encourage audit firms’ QC leaders to stay current with developments in auditing literature to put them in a better position to triage newly identified quality risks and identify engagements susceptible to those risks. Another commenter recommended that firms be required to create an individual or other entity charged with maintaining situational awareness. The Board notes that paragraph .22 of QC 1000 requires firms to establish policies and procedures for monitoring changes to conditions, events, and activities that indicate modifications to the firm’s quality objectives, quality risks, or quality responses may be needed. In addition, the individual(s) responsible for monitoring such changes are subject to the general due professional care standard of QC 1000.10, which requires a critical assessment of the relevant information (which would include relevant literature). In light of these overarching requirements, the Board does not consider it necessary to add the specific provisions that commenters suggested. Rather, the Board believes that allowing flexibility for firms to establish policies and procedures to monitor, identify, and assess changes to conditions, events, and activities encourages firms to concentrate their efforts on the risks most relevant to them and contributes to the standard being appropriately scalable. A firm may of course determine, based on its nature and circumstances, that it is appropriate to establish specific policies and procedures for the monitoring of developments in auditing literature or to charge a specific individual with maintaining situational awareness. Policies and procedures in this area may vary, depending on the size and complexity of the firm and the types and variety of engagements it performs. For a larger firm operating in a complex environment and auditing a wide range of different types of companies, such policies and procedures would be extensive. For example, they could involve periodic meetings with teams across the firm to gather and analyze the necessary information to enable the firm to identify changes to conditions, events, and activities that may require modification of the firm’s quality objectives, quality risks, or quality responses. Smaller and less complex firms, operating in a less varied and more stable environment, may have a E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices less extensive set of policies and procedures. If the firm identifies changes to conditions, events, or activities indicating modifications to the quality objectives, quality risks, or quality responses may be needed, the standard requires the firm to determine what, if any, modifications are needed, and to make them on a timely basis. The timing depends on the nature and extent of the modification needed. In some circumstances, immediate action may be required, whereas in other cases, if the impact on risk is less urgent, immediate action is not necessary. Modifications not implemented in a timely manner may fail to prevent quality risks from occurring and adversely affecting the quality objective. For example, in the case of a new accounting standard, the firm would need to implement any necessary modifications to its quality responses in time so that, once the standard became effective, firm personnel would be able to apply it properly. 1. QC 1000 a. Governance and Leadership Quality Objectives (QC 1000.24) Under QC 1000, a firm is required to establish quality objectives for the governance and leadership component in several different areas: • The firm’s commitment to quality; • Organization and governance structure; and • Resources. i. The Firm’s Commitment to Quality (QC 1000.25.a–d) Governance and Leadership The governance and leadership component of the firm’s QC system addresses the environment that enables the effective operation of the QC system and directs the firm’s culture, decisionmaking processes, organizational structure, and leadership. A firm’s culture and tone, as set by leadership, can and should promote the importance of quality. The PCAOB has long considered firm governance and leadership to be an important aspect of firms’ QC systems. For example, PCAOB inspections have historically covered the firm’s tone at the top, a foundational aspect of governance and leadership, during the process for reviewing firms’ QC systems.170 PCAOB inspection The firm’s commitment to quality is an important factor in influencing the behavior of firm personnel and the conduct of engagements. The Board believes that the firm’s commitment to quality is most effectively demonstrated through the communications, actions, behaviors, and directives of leadership at all levels of the firm. Accordingly, the quality objectives related to commitment to quality are directed at the communications, actions, and accountability of firm leadership. Frequent and consistent communication from leadership to firm personnel regarding the commitment to quality is important in order to create an appropriate culture and tone at the top. Paragraph .25a. focuses on communicating and promoting key professional attributes by recognizing and reinforcing the firm’s role in protecting the interests of investors and the public interest by meeting the firm’s responsibilities; the importance of adhering to appropriate standards of conduct; the importance of professional ethics, values, and attitudes; and expected behavior and responsibility of firm personnel for quality both in QCrelated activities and the performance of engagements. Collectively, these attributes and expected behaviors are the foundation of an effective QC system. To achieve an appropriate tone at the top, however, it is not enough for firm 169 See, e.g., QC 20.16 (explaining that a firm’s policies and procedures should provide for obtaining an understanding with the client about the services to be performed, to minimize the risk of misunderstandings); QC 30.05 (identifying risks associated with the firm’s practice as a consideration in determining the need for and extent of internal inspection procedures in monitoring the firm’s QC system). 170 See, e.g., Report on the PCAOB’s 2004, 2005, 2006, and 2007 Inspections of Domestic Annually Inspected Firms, PCAOB Rel. No. 2008–008 (Dec. 5, 2008) at 6, available at https://pcaobus.org/ Inspections/Documents/2008_12-5_Release_2008008.pdf; Staff Inspection Brief, Vol. 2017/3: Information about 2017 Inspections (Aug. 2017) at 8, available at https://pcaobus.org/Inspections/ Documents/inspections-brief-2017-3-issuerscope.pdf. 171 See https://pcaobus.org/oversight/inspections/ inspection-procedures for information related to the PCAOB’s inspection procedures. 2. Current PCAOB Standards Under current PCAOB QC standards, firms have a responsibility to establish and maintain a QC system to provide the firm with reasonable assurance that its personnel comply with applicable professional standards and the firm’s standards of quality. The current QC standards make few explicit statements about risk assessment.169 khammond on DSKJM1Z7X2PROD with NOTICES2 procedures focus on how firm management is structured and whether actions and communications by the firm’s leadership—the tone at the top— demonstrates a commitment to audit quality.171 VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 PO 00000 Frm 00041 Fmt 4701 Sfmt 4703 49627 leadership to ‘‘talk the talk.’’ They also have to ‘‘walk the walk.’’ Accordingly, paragraphs .25b. and .25c. establish objectives with regard to leadership’s responsibility for and commitment to quality, including through leadership’s own behavior. For example, leadership would demonstrate a commitment to quality by acting in a manner consistent with the firm’s communications described in paragraph .25a. regarding expectations of firm personnel. Conversely, repeated failure to take steps to address known quality concerns would demonstrate a lack of commitment to quality. One commenter sought clarification on the term ‘‘leadership,’’ including whether it relates only to the specified roles in paragraph .11 and .12, or to all partners and equivalents in the firm. Under QC 1000, leadership is not limited only to those in specified QC roles. While the composition of leadership may vary due to the nature and circumstances of the firm and its engagements and how the firm chooses to organize itself, it includes firm-wide leadership; the executive team; regional, office, and industry segment leadership; and any other levels of leadership the firm may establish. Not all partners or partner equivalents are necessarily leadership; it would depend on the role of the individual. Firms and firm-related groups were broadly supportive of the Board’s proposed quality objectives for governance and leadership. However, several commenters, mostly investors and investor-related groups, urged the Board to go further in stressing the role of firm leadership and the QC system as a counterbalance to the economic incentives that may drive firms to compromise on quality. Some suggested that compensation plans should weigh quality as much as, or more than, revenue generation. One investorrelated group suggested that the standard should increase accountability for the firm and firm leadership’s quality control efforts. Another investor stated that audit quality should be required to be considered at the time of the appointment of firm leadership. One commenter suggested that leadership’s accountability should not be limited to deficiencies and outcomes but extended to acknowledge positive behaviors and processes. After considering these comments, the Board revised paragraph .25b to explicitly mention performance evaluation and compensation in the context of defining leadership’s responsibility for quality and holding leadership accountable. The Board believes this will drive increased clarity E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49628 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices about the scope of leadership’s responsibilities and increased accountability for an effective QC system, and will prompt firms to focus on their expectations for leadership behavior and the incentives that drive it. Firms can use a variety of different means to define the responsibility for quality and drive accountability—from firmwide communications and policies to individualized job descriptions, performance targets, promotion criteria, compensation schemes, and sanctions— and can acknowledge both outcomebased and process-based measures and both positive and negative behaviors. The revised quality objective reflects that performance evaluation and compensation play a necessary role in that process. While the Board agrees with the commenter that quality considerations should be taken into account in the appointment of firm leadership, the Board believes other quality objectives already address that issue, such as paragraph .44g of QC 1000. Additionally, the criteria for appointing firm leadership may appropriately vary based on the size of the firm and the nature of its practice, so the Board has avoided being prescriptive in that regard. For example, a larger firm may have numerous candidates for leadership roles with many criteria considered for appointment, but smaller PCAOB audit practices may have limited personnel eligible for leadership roles. As noted in the proposal, paragraph .25d. focuses on the firm’s commitment to quality in relation to its strategic decisions and actions, which include matters such as the firm’s financial goals, growth of the firm’s market share, industry specialization, business combinations, new geographic markets, and new service offerings. The quality objective emphasizes that a firm’s strategic decisions and actions should be consistent with and support the firm’s commitment to quality. One commenter expressed concern that strategic actions may take extended periods of time to yield benefits to quality, and it may be challenging for firms to demonstrate that such actions are consistent with a commitment to quality. The Board notes, however, that this quality objective does not prescribe any specific time horizon, and the Board believes it is wholly consistent with both short-term measures and long-term investments in technology, training, knowhow, and other means of strengthening a firm’s audit practice that may take an extended period to yield measurable improvements. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 Some investors and investor-related groups suggested that the Board require a clear separation of duties between those responsible for audit quality and those responsible for commercial interests. Two of those commenters cited the regulation of credit ratings agencies as an example of appropriate separation of regulated activity and commercial interests.172 Another commenter cited with approval the 2007 amendments to the AICPA QC standard, which included application material to the effect that QC leaders should have the authority to implement policies and procedures to ensure that others within the firm will not override those policies to meet short-term financial goals (a concept that does not appear in other QC standards).173 The Board considered mandating a greater degree of separation between decision-making about QC and potential commercial motivations, as these commenters suggested, but the Board does not believe such separation can be achieved by all firms, especially firms with smaller PCAOB audit practices with limited leadership roles. As discussed in more detail below, the Board is requiring firms with larger PCAOB audit practices to include an element of independent oversight of their QC system. Moreover, the Board does not believe it would be appropriate to mandate a fully separate or independent QC function. Potential conflicts of interest at the engagement level are addressed in numerous ways in the Board’s regulatory scheme: through independence requirements,174 ethical requirements of integrity and objectivity,175 and the basic requirement of professional skepticism, a critical aspect of due professional care.176 At the firm level, the Board believes that those conflicts can best be addressed by emphasizing the responsibility and accountability of firm leadership. QC 1000 requires that responsibility for QC reside at the highest levels of firm leadership, and that leaders are evaluated and compensated in a way 172 See 17 CFR 240.17g–5(c)(8), pursuant to which ratings agencies are prohibited from having any person who participates in determining or monitoring a credit rating, or developing or approving procedures or methodologies used for determining a credit rating, also participate in sales or marketing or be influenced by sales or marketing considerations. 173 See AICPA, QC Section 10, A Firm’s System of Quality Control, paragraph .A5. 174 See PCAOB Rule 3500T, Interim Ethics and Independence Standards. 175 See EI 1000, Integrity and Objectivity. 176 The general principles and responsibilities of the auditor when conducting an audit, including professional skepticism and due professional care, are being reaffirmed and combined in AS 1000, as adopted. See Auditor Responsibilities Release. PO 00000 Frm 00042 Fmt 4701 Sfmt 4703 that creates accountability. In the Board’s view, appropriately incentivized firm leadership are best positioned to set the tone and establish a quality-focused culture throughout the firm. Rather than requiring firms to segregate the governance of the firm’s audit practice from the firm’s other commercial interests, the Board believes the quality objectives described in paragraph .25 will promote responsibility for and commitment to quality, while allowing firms to develop quality responses appropriate to their particular governance structure. Lastly, one commenter suggested the governance and leadership component should promote diversity, equity, and inclusion in recruiting talented leaders, a governance body, and auditors. Another commenter suggested leadership can demonstrate its commitment to quality through providing ongoing, meaningful support of scholarly audit and accounting research. The Board has not revised the standard to reflect these specific suggestions; however, firms may identify quality risks and design and implement quality responses in these areas to achieve the quality objective in paragraph .25a or other quality objectives established by the firm. ii. Organizational and Governance Structure (QC 1000.25.e) Establishing and maintaining appropriate firm organizational structures provides an institutional framework supporting the firm’s QC system and the performance of the firm’s engagements. Organizational structures may include operating units, operational processes, divisions, and geographical locations. Firm organizational structures may differ based on the size and complexity of the firm in order to be flexible, scalable, and proportionate to the circumstances of the firm. Some firms may concentrate or centralize processes or activities and other firms may have a decentralized approach. Some firms may use internal shared service centers in the operation of the firm’s QC system or to enable the performance of its engagements. A firm’s governance structure may include a governing board or committee with representation from various service lines, or with members who are independent of the firm.177 Such a 177 When the Board refers to independence in the context of firm governance, it means the criteria typically applied to independent directors of issuers. See, e.g., New York Stock Exchange (‘‘NYSE’’) Listed Company Manual, Section 303A.01–.02; Nasdaq Rule 5605(a)(2). This is distinct from the requirements for auditor E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices governing board may have subcommittees to assist it with managing specific areas, such as strategic planning, resource planning, the firm’s risk assessment process, and the monitoring and remediation process. Paragraph .25e., which did not attract specific comment and the Board adopted as proposed, will drive a firm’s organizational and governance structure to enable the design, implementation, and operation of the QC system and support performance of the firm’s engagements in accordance with applicable professional and legal requirements. This results-oriented approach focuses on whether the QC system actually works as intended and allows firms to tailor the establishment of their governance structure. Additionally, the firm would consider the complexity and operating characteristics of the firm as part of performing its risk assessment process and identifying quality risks.178 The assignment of roles, responsibilities, and authority within the firm’s organizational structure is a key aspect of the design, implementation, and operation of the QC system. Establishing clear roles and responsibilities and clear lines of authority helps to translate the broad institutional objectives of the QC system into individual actions to be performed and monitored, and for which individuals can be held accountable. The assignment of roles and responsibilities may vary across firms depending on the nature and circumstances of the firm and its engagements.179 For example, in a smaller firm with a limited number of individuals in leadership roles, the individual with oversight of the firm may assume all of the roles and responsibilities related to the QC system. A larger firm may have multiple levels of leadership that align to the firm’s organizational structure. khammond on DSKJM1Z7X2PROD with NOTICES2 iii. Resources (QC 1000.25.f) The firm’s resources 180 enable the operation of the firm’s QC system and the performance of the firm’s engagements. Firm leadership influences the nature and extent of the resources that the firm obtains, develops, uses, and maintains, and how independence from the audit client, discussed below. 178 Appendix B includes an example regarding the existence and extent of governance structures providing oversight of leadership. See QC 1000.B2.g. 179 See Roles and Responsibilities above, for a discussion of specific roles and responsibilities that are required to be assigned. 180 See Resources below, for a discussion of the different types of resources. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 those resources are allocated or assigned, including the timing of when they are used. This quality objective, which did not draw comment and which the Board adopted as proposed, emphasizes the importance of the firm having the necessary resources, and allocating them appropriately, such that the firm’s QC system is designed, implemented, and operated effectively and the firm’s engagements are performed in accordance with applicable professional and legal requirements. b. Governance and Leadership Specified Quality Responses (QC 1000.26–29) The proposal included three specified quality responses in the governance and leadership component, discussed in greater detail below. Some firms and a firm-related group objected generally that the specified quality responses were overly prescriptive and unnecessary, and suggested they should be reformulated as risk-based quality objectives. Other firms generally supported including specified quality responses. The Board believes the specified quality responses address important risks that justify specific requirements and has retained them in the final standard. Firms are required to include these specified quality responses when designing and implementing quality responses to address the quality risks in the governance and leadership component. Proposed QC 1000 included a requirement for the firm to establish and maintain clear lines of responsibility and supervision within its QC system. A commenter argued that the quality objective in paragraph .25e is sufficient and the specified quality response was not necessary. While paragraph .27 may address a portion of the firm’s quality response to .25e, the Board believes paragraph .27 provides additional direction that is appropriate for all firms. Establishing and maintaining structures within the firm—including defining authorities, responsibilities, accountabilities, and supervisory and reporting lines for roles within the firm—will support the effective design and operation of the QC system and the performance of the firm’s engagements, regardless of the size of the firm or the types of engagements it performs. The requirement also complements the documentation requirements of QC 1000.181 181 See QC 1000.82a. for the documentation requirements related to lines of responsibility and supervision. PO 00000 Frm 00043 Fmt 4701 Sfmt 4703 49629 One commenter expressed concern that this requirement, in combination with the requirements of paragraph .12, could result in a prescriptive, hierarchical approach that would not be desirable or practical. The requirement in the final standard is intended to enhance supervision within the context of firms’ existing QC systems and supervisory structures. It does not require firms to develop or adopt any particular supervisory structure and would be compatible with a range of different approaches, including very flat structures. The commenter also expressed concern that individuals acting in a supervisory capacity could face liability beyond what exists under SarbanesOxley, which may disincentivize teaming. As discussed above, paragraphs .15, .16, and .17 of the final standard prescribe specific supervisory roles within a firm’s QC system, and the individuals who fill those roles are supervisory persons who must exercise reasonable supervision for purposes of section 105(c)(6) of Sarbanes-Oxley. Additionally, to the extent that other individuals are assigned supervisory responsibilities in light of paragraph .27’s specified quality response, those individuals, like all who are involved in the design, implementation, and operation of the QC system, must exercise due professional care as set forth in paragraph .10 of the final standard. Another commenter recommended that individuals in supervisory roles should be held liable only for knowing or reckless violations. The Board notes that paragraph .27 does not itself create responsibilities for supervisory personnel or prescribe standards of liability that apply when those responsibilities are not met. Those issues are addressed elsewhere in the PCAOB’s standards and rules, including in the roles and responsibilities component of QC 1000 and PCAOB Rule 3502,182 as well as in section 105(c)(6) of Sarbanes-Oxley.183 In the 182 See PCAOB Rule 3502. The Board has proposed to amend Rule 3502 to change the standard of conduct for associated persons’ contributory liability from recklessness to negligence and to provide that an associated person contributing to a violation need not be an associated person of the registered firm that commits the primary violation. See PCAOB Rel. No. 2023–007. 183 Under section 105(c)(6) of Sarbanes-Oxley, if an associated person of a registered public accounting firm violates any provision of law, rules, or standards referenced in section 105(c)(6), the Board may impose sanctions on the firm or its supervisory persons if the Board finds that there was a failure reasonably to supervise that associated person with a view to preventing such a violation. The Board has adopted a rule related to section E:\FR\FM\11JNN2.SGM Continued 11JNN2 49630 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 Board’s view, the requirement to establish and maintain clear lines of authority and supervision primarily serves to clarify how the QC system is structured and how it operates, by laying out clearly the authorities, responsibilities, accountabilities, supervisory and reporting lines, and who is responsible for each element of the QC system. If the requirement has consequences in terms of individual accountability and liability, that would only be because it removes any doubt about which individuals are acting in a supervisory capacity and the scope of their respective responsibilities, thereby clarifying how these other provisions should be applied. The proposal included a specified quality response to incorporate an oversight function for the audit practice including at least one person from outside the firm, which would apply to firms that issue audit reports with respect to more than 100 issuers. See Scalability above, for a discussion of the 100-issuer threshold. Comments were mixed on the need for and potential breadth of this requirement. The Board received several comments, primarily from investors and investor-related groups, suggesting that the proposed requirement did not go far enough. Some commenters stated that the oversight function should not be limited to one individual but instead a larger number (such as three) of independent non-employee members should be required, or potentially an advisory council or committee of the firm’s board of directors with multiple or even a majority of independent nonemployee members. Some of these commenters asserted that requiring only one person with undefined authority to serve in an oversight role makes it unlikely to be effective and falls short of the 2008 recommendations of the U.S. Treasury Department’s Advisory Committee on the Auditing Profession, which suggested consideration of ‘‘firms appointing independent members with full voting power to firm boards and/or advisory boards with meaningful 105(c)(6) that provides for commencing a disciplinary proceeding if it appears that a firm or its supervisory personnel have failed reasonably to supervise an associated person who has committed a violation. See PCAOB Rule 5200, Commencement of Disciplinary Proceedings, at (a)(2); see also, e.g., In the Matter of Scott Marcello, CPA, PCAOB Rel. No. 105–2022–004 (Apr. 5, 2022) (imposing sanctions under section 105(c)(6)); In the Matter of WWC, P.C., PCAOB Rel. No. 105–2022–006 (Apr. 19, 2022) (same); In the Matter of KPMG Inc., Cornelis Van Niekerk, and Coenraad Basson, PCAOB Rel. No. 105–2022–015 (Aug. 29, 2022) (same). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 governance responsibilities.’’ 184 One commenter objected that the requirement only mandates practices that are already in place at the largest firms, and so will not generate any change. Another commenter asserted that there is little merit in requiring an independent member of the firm’s oversight function without also considering the balance of the oversight function and the contribution of the independent member. Others called for more specificity about the individual’s role, including specific powers, such as the power to meet with firm management and obtain relevant information. Some investor-related groups also called for transparency on the role of the non-employee members. Many commenters, including some larger firms, supported the oversight role. Two commenters suggested that the requirement for an independent oversight function be extended to apply to all firms that issue audit reports for issuers and one of these commenters suggested having firms consider whether an independent function is an appropriate response to achieving the quality objectives. Other commenters, including some mid-sized firms, did not support the specified quality response and suggested it should be a quality objective instead. One firm suggested that the objective could be better accomplished by designating an ‘‘audit quality expert’’ on a firm’s board (similar to a ‘‘financial expert’’ on an audit committee) or by hiring independent external QC advisers. Some commenters expressed concern about the lack of specificity and clarity regarding the role, including questions regarding the individual’s authority and function. One noted that the individual was not required to be a CPA and asserted that the need for and benefits of the role had not been sufficiently articulated; on that basis, the commenter did not support it. Another commenter did not see the linkage between the specified quality response and the quality objectives and suggested that the lack of definition of the role, coupled with a lack of clarity about which quality objectives were being addressed, would make implementation challenging. Other commenters stated that finding individuals to fill this role may be challenging. Some commenters requested guidance on how to implement the requirement, including with respect to the qualifications or roles of the 184 U.S. Treasury Department, Advisory Committee on the Auditing Profession Final Report (Oct. 6, 2008) at VII.8. PO 00000 Frm 00044 Fmt 4701 Sfmt 4703 individuals. One firm sought clarity on whether supervisory liability under Sarbanes-Oxley section 105(c)(6) would apply equally to members with an oversight or advisory function. Some commenters, including firms, expressed concern about the potential scope and meaning of the terms such as ‘‘governance structure,’’ ‘‘independent judgment,’’ and ‘‘oversight function,’’ and requested confirmation that current practices such as independent advisory boards are a permissible approach. One firm requested an extended implementation period to allow time for firms to design and implement the oversight function, including identifying and onboarding appropriate individuals. Based on the comments received, the Board refined the proposed requirement to provide additional specificity and clarity. The final rule refers to an ‘‘external’’ oversight function ‘‘for the QC system composed of one or more persons,’’ none of whom has a disqualifying relationship with the firm. This more precise language clarifies that the focus is on the QC system and emphasizes that the function is to be carried out entirely by one or more persons external to the firm, who are not principals or employees of the firm and do not have any other relationship with the firm that would interfere with the exercise of independent judgment with regard to QC-related matters. The Board also added a name for the position— External QC Function, or EQCF—which it believes clarifies and underscores that the person or persons are external to the firm and serve in a QC-focused role.185 The Board also conformed the provision to the descriptions in QC 1000.12 of other specified QC system roles by providing that the EQCF should have the experience, competence, authority, and time necessary to enable them to carry out the responsibilities assigned to them by the firm. To clarify what is entailed in ‘‘an external oversight function for the QC system,’’ the final standard also specifies a baseline requirement that the EQCF’s responsibilities should include evaluating, at a minimum, the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system. The Board believes this addition is responsive to commenters who requested clarification of the proposal, as well as those suggesting that the 185 Firms may assign other functions to the person or persons serving in the EQCF role so long as the specified QC function can be carried out as set forth in the standard and discussed in this release. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 standard include some specific requirements with respect to the role. The Board expects that firms will make a number of significant judgments in performing and reporting on their QC system evaluation. The Board expects that the person or persons serving in this external oversight function will evaluate judgments made by firm personnel in the firm’s evaluation of the firm QC system and the required reporting. The evaluation performed by the EQCF will be in some respects analogous to the EQR’s evaluation of significant judgments made by the engagement team and the related conclusions reached in forming the overall conclusion on the engagement and in preparing the engagement report.186 Like the EQR, the EQCF will review and evaluate work performed by others, not redo the work, and must exercise due professional care in performing their responsibilities.187 However, there are important differences between the requirements for the EQR and the EQCF. Unlike the EQR standard, QC 1000 does not impose specific limits on the length of service of the EQCF, though firms should consider the potential for arrangements relating to length of service, such as term limits and protections against removal, to prevent the creation of a relationship with the firm that impairs independent judgment. QC 1000 also does not specify the procedures the EQCF should perform to evaluate the significant judgments made and related conclusions reached. These may vary based on the circumstances of the firm and the design, implementation, and operation of its QC system, but must be sufficient to enable the EQCF to perform their evaluation with due professional care. In addition, unlike the EQR standard, QC 1000 does not require that the EQCF provide concurring approval of reporting, although firms would be free to establish such concurring approval as a matter of policy. Documentation will have to be prepared and maintained in sufficient detail to evidence how the quality response operated.188 This will form part of the QC documentation supporting the firm’s ongoing risk assessment and monitoring and remediation efforts, as well as the Board’s oversight activities. Under QC 186 See AS 1220.09. QC 1000.10; AS 1220.12. 188 QC 1000.83b. The board expects such documentation to include both (1) how the EQCF evaluated the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system and (2) the results of the EQCF’2 evaluation. 187 See VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 1000.65, firms will be required to consider the EQCF’s evaluation in their ongoing monitoring of the QC system (including monitoring of the evaluation process). Separately, the Board carefully considered commenter suggestions to increase the required number of independent individuals and to establish specific eligibility criteria for them. Given the oversight responsibility of an EQCF, the Board believes at least one person is always necessary and firms may determine, based on their circumstances, that more than one person is needed to appropriately carry out the function. The Board believes the requirement will respond to the quality objective in paragraph .25e by ensuring an independent perspective on QC matters, but it does not supplant firm leadership or relieve them of their fundamental responsibility to instill and maintain a firm culture that appropriately prioritizes QC. Accordingly, the Board does not believe it would be appropriate to mandate a specific number of individuals or the specific credentials they must have (besides their ability to exercise independent judgment with regard to matters related to the QC system and the general requirement that they have the experience, competence, authority, and time necessary to enable them to carry out their assigned responsibilities). Rather, the decision will be based on specific skillsets of the person or persons in this function to be able to carry out the requirements of the function. In that regard, firms may conclude that one or persons appointed to the EQCF should be non-auditors to bring a greater diversity of perspectives to the function. Beyond the minimum responsibilities specified in the standard, the Board gave firms flexibility in establishing other responsibilities of the EQCF, enabling the function to best respond to the nature and circumstances of the firm. For example, if the firm has experienced an increase in recurring engagement deficiencies, the firm may charge the EQCF with reviewing and evaluating the firm’s remediation actions and monitoring plan. As another example, a firm may assign the EQCF with strategic responsibilities, such as maintaining situational awareness through the identification and monitoring of emerging risks or trends that could potentially affect the firm’s QC system. While QC 1000 specifies that the EQCF exercise oversight over the QC system, the firm may also choose to extend its authority more broadly. The responsibilities assigned to the EQCF will in turn drive decisions about PO 00000 Frm 00045 Fmt 4701 Sfmt 4703 49631 the scope of the EQCF’s authority. At a minimum, that will entail sufficient access to information, documentation, and firm personnel to enable evaluation of the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system, but it could be broader depending on the scope of the EQCF’s responsibilities as assigned by the firm.189 Consideration of the experience, competence, and time necessary to serve in the role will likewise depend on the responsibilities assigned by the firm. The firm may consider many matters when establishing an EQCF. Such matters could include: • The responsibilities assigned by the firm to the EQCF, including those specified in QC 1000; • The qualifications required of the individual(s) assigned to fulfill those responsibilities, including those specified in QC 1000; • The scope of authority afforded to the EQCF in light of the assigned responsibilities; • Whether to establish a direct line of communication from the EQCF to the individual assigned ultimate responsibility and accountability for the QC system as a whole, or the individual assigned operational responsibility for the QC system as a whole, or both; • Whether to require that the EQCF comply with independence requirements applicable to auditors; 190 • The level of external transparency of the EQCF’s role and responsibilities; • The compensation structure for the EQCF; and • The term of service for the EQCF, including restrictions on removal and limits on length of service. In making these determinations, the firm should be mindful of the requirement that members of the EQCF not have any relationship with the firm that would interfere with the exercise of independent judgment with regard to matters related to the QC system. The EQCF could be, but would not be required to be, in the ‘‘chain of command’’ under the SEC independence rule.191 The Board does not believe that the EQCF would be a ‘‘supervisory person’’ under SarbanesOxley section 105(c)(6) solely by virtue 189 The scope of the firm policies and procedures regarding the EQCF will also depend on its role and the associated risks. For example, pursuant to QC 1000.53g, firms will have to develop policies and procedures regarding information communicated to and obtained from the EQCF. 190 See Regulation S–X Rule 2–01(b)–(c), 17 CFR 210.2–01(b)–(c), and PCAOB Rules under Section 3, Auditing and Related Professional Practice Standards, Part 5—Ethics and Independence. 191 See 17 CFR 210.2–01(f)(8). E:\FR\FM\11JNN2.SGM 11JNN2 49632 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 of having evaluated the significant judgments made and related conclusions reached by the firm when evaluating and reporting on the effectiveness of the firm’s QC system. However, depending on the nature and degree of their responsibility, ability, or authority to affect the conduct of the firm’s associated persons, as established by the firm, the EQCF could be subject to Sarbanes-Oxley section 105(c)(6). The Board has not required the results of the EQCF’s evaluation to be publicly disclosed.192 However, nothing set forth in this release would limit or prohibit firms from disclosing any information about the EQCF’s activities—including the EQCF’s practices, methods, or procedures, or the manner or results of the EQCF’s evaluation—if the firm chooses. Based on comments received and experience with inspections of firms’ systems of quality control, the Board believes that investors, audit committees, and other stakeholders will benefit from the EQCF’s evaluation even in the absence of public disclosure. An external oversight function should enhance the discipline with which the firm carries out its own QC system evaluation. As the Board observe the implementation and performance of the EQCF through its inspection activities, the PCAOB may publish observations or good practices. For these reasons, the Board believes that the EQCF will support improvements in firms’ systems of quality control, ultimately benefiting investors, audit committees, and other stakeholders. People internal and external to the firm can help a firm identify instances of noncompliance with applicable professional and legal requirements earlier than might be possible through the firm’s own monitoring.193 The proposal included a specified quality response requiring policies and procedures for addressing potential noncompliance with applicable professional and legal requirements and with the firm’s policies and procedures with respect to the QC system, the firm’s 192 For a discussion of certain legal constraints imposed by Sarbanes-Oxley on the Board’s ability to require public disclosure of certain QC-related information, see Section IV.L.1.c.ii. As part of a separate project, the Board has proposed a requirement for firms that have an EQCF to disclose the identity of the person or persons, an explanation for the basis of the firm’s determination that each such person is independent of the firm (including the criteria used for such determination), and the nature and scope of each such person’s responsibilities. See PCAOB Rel. No. 2024–003. 193 In addition, through this process information may be received regarding noncompliance with laws and regulations by companies that engage the firm. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 engagements, firm personnel, or other participants. This would include clearly defining channels within the firm that enable reporting of complaints and allegations by firm personnel and external parties (e.g., employees of companies or other participants) and establishing procedures for appropriately investigating and addressing such complaints and allegations, including complying with any applicable reporting or other requirements.194 The proposal sought comment on the appropriateness of this specified quality response, and whether any additional specified quality responses should be considered. Two firms that commented supported the specified quality response. Two other firms expressed concern with the prescriptiveness of other participants being included in the requirement. One investor suggested there should be an explicit requirement for a whistleblower mechanism with key protections such as confidentiality and protection against retaliation, and that the individual responsible for the firm’s QC system be responsible for the investigation of whistleblower complaints and remediation of QC issues identified by whistleblowers. The Board adopted the specified quality response with some modifications, described below. The Board believes that establishing policies and procedures that support the reporting and investigation of potential noncompliance will assist firms in complying with applicable professional and legal requirements. It will also assist them in identifying and dealing with individuals, including those in leadership, who fail to comply with applicable professional and legal requirements or the firm’s policies and procedures. Finally, it may result in firm personnel or external parties identifying and communicating deficiencies in the QC system. The final provision retains the reference to other participants, as the Board believes it is important for the firm to capture any potential noncompliance with applicable professional and legal requirements, 194 A firm’s program for addressing complaints and allegations may be subject to requirements under applicable law regarding whistleblowers (such as, for example, N.Y. Labor Law Section 740). However, such a program should not be confused with a whistleblower program established and administered by the Federal government, including the program administered by the SEC, which has its own requirements and protections. See, e.g., 17 CFR 240.21F–1 through .21F–18. To the extent a firm’s program for addressing complaints and allegations provides protective measures, such as confidentiality and non-retaliation, based only on firm policy and not on law, such protective measures may not create legally enforceable rights. PO 00000 Frm 00046 Fmt 4701 Sfmt 4703 including with regard to work performed by other participants that relates to the firm’s QC system or the firm’s engagements. The Board has expanded the requirements related to the firm’s policies and procedures for collecting and addressing complaints and allegations to explicitly require that they: • Be made available to all firm personnel and other participants; • Address processes and responsibilities for receiving, investigating, and addressing complaints and allegations; and • Include protecting persons making complaints and allegations from retaliation. The Board also expanded the specified quality response to require firms that issued audit reports with respect to more than 100 issuers during the prior calendar year to include confidentiality protections in their policies and procedures. The firm’s policies and procedures regarding complaints and allegations should be made available to all firm personnel and other participants, which could occur by posting them on an intranet site or providing such policies and procedures to other participants upon engagement. The policies and procedures should include identifying who is responsible for receiving, investigating, and addressing complaints and allegations; describing the process for submitting complaints and allegations; and describing how the firm will investigate and address complaints and allegations received. The Board also specified that the policies and procedures should explicitly address protection against retaliation of persons making complaints and allegations, which the Board believes is a critical element of any effective program for receiving complaints and allegations. The required policies and procedures regarding investigating and addressing complaints and allegations allow scalability. The process for investigating and addressing a complaint or allegation would vary, commensurate with and responsive to the significance of the complaint or allegation. For firms that issued audit reports with respect to more than 100 issuers during the prior calendar year, the policies and procedures will have to provide a confidential and anonymous submission process for complaints and allegations, similar to the requirements for audit committees under the Exchange Act.195 For example, a firm 195 See E:\FR\FM\11JNN2.SGM 15 U.S.C. 78j–1(m). 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices may have a confidential and anonymous submission process through a website, toll-free number, or mobile app, and could manage the process in-house or through a third-party provider. The firm’s policies and procedures will also have to provide for protection, during the investigation, of the confidentiality of individuals and entities who make complaints and allegations. The Board believes this requirement specifically targets and responds to potential quality risks that are more likely to arise in audit practices of a certain size and complexity. However, firms that are not subject to this express requirement may nevertheless determine that such requirements are a necessary or appropriate quality response to address their quality risks. 2. Current PCAOB Standards Existing PCAOB QC standards contain limited references to firm governance and leadership. For example: • QC 20 acknowledges that the QC system includes the firm’s organizational structure; 196 • The SECPS member requirements on independence quality controls provide that the importance of compliance with such independence standards, and the QC standards, should be reinforced by management of the member firm, thereby setting the appropriate tone at the top and instilling its importance into the professional values and culture of the member firm; 197 and • The SECPS member requirements provide that member firms should communicate to all professional firm personnel the broad principles that influence the firm’s quality control and operating policies and procedures on, at a minimum, matters related to the recommendation and approval of accounting principles, present and potential client relationships, and the types of services provided, and inform professional firm personnel periodically that compliance with those principles is mandatory.198 khammond on DSKJM1Z7X2PROD with NOTICES2 Ethics and Independence This component addresses the fulfillment of firm and individual responsibilities under relevant ethics and independence requirements. Adhering to such requirements is a foundational concept that not only promotes audit quality but also safeguards the vital role that auditors play within the capital markets. 196 See QC 20.04. SECPS 1000.46. 198 See SECPS 1000.08(l). 197 See VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 The ethics and independence component of the standard has been tailored to the ethics and independence requirements that apply to engagements performed under PCAOB standards. Under the standard, ethics and independence requirements include the PCAOB’s ethics and independence standards and rules, the SEC’s rule on auditor independence, and other applicable requirements regarding accountant ethics and independence, such as those arising under state law or the law of other jurisdictions (e.g., obligations regarding client confidentiality).199 The Board clarified that the reference to other applicable requirements is limited to those that are relevant to fulfilling auditor obligations and responsibilities in the conduct of engagements or in relation to the QC system. The standard requires firms to establish quality objectives related to ethics and independence requirements and design and implement specified quality responses. 1. QC 1000 a. Ethics and Independence Quality Objectives (QC 1000.31) Understanding of and compliance with ethics and independence requirements are fundamental to the auditor’s role. Adherence to standards of professional ethics is as important as adherence to requirements regarding auditor independence, and firms’ QC systems should address both. Under the standard, firms are required to establish quality objectives that address understanding of and compliance with ethics and independence requirements. While maintaining independence and adhering to ethical requirements is each individual’s responsibility, the firm also has responsibility and plays a critical role in ensuring that individuals understand those requirements and have the tools and resources they need to comply. One firm suggested that the Board clarify the ethical requirements that are subject to the responsibility of the individual assigned operational responsibility for the firm’s compliance with ethics and independence 199 Footnote 10 to QC 1000 provides: Ethics and independence requirements include PCAOB independence and ethics standards and rules, the U.S. Securities and Exchange Commission (‘‘SEC’’) rule on auditor independence, and other applicable requirements regarding accountant ethics and independence that are relevant to fulfilling their obligations and responsibilities in the conduct of engagements or in relation to the QC system, such as those arising under state law or the law of other jurisdictions. See, e.g., 17 CFR 210.2–01, and PCAOB Rules under Section 3. Auditing and Related Professional Practice Standards, Part 5— Ethics and Independence. PO 00000 Frm 00047 Fmt 4701 Sfmt 4703 49633 requirements. The firm specifically commented that competence and due care are characteristics required by both ethical standards and QC standards, and as a result, there could be confusion over whether such requirements are ethical requirements or quality control requirements when determining the responsibility of the individual assigned operational responsibility for the firm’s compliance with ethical and independence requirements. In some cases, a matter may be applicable to the responsibilities of both the individual assigned operational responsibility for the firm’s compliance with ethics and independence requirements and the individual assigned operational responsibility and accountability for the QC system as a whole. A firm could divide responsibilities based on the specific issues involved, so long as the lines of responsibility are clear (for example, duties of competence and due care in the context of the audit, codified under the PCAOB’s ethics rules, could be assigned to the individual with operational responsibility for compliance with ethics and independence requirements, while duties of competence and due care in the context of QC system activities, codified in QC 1000, could be assigned to the individual with operational responsibility for the QC system). Under the standard, the firm is required to establish a quality objective to identify conditions, relationships, events, and activities that could result in violations of ethics and independence requirements and evaluate and respond to such conditions, relationships, events, and activities on a timely basis. This will help the firm reduce the risk of noncompliance by identifying potential violations of ethics and independence requirements in time to prevent many violations and to quickly remediate violations that do occur. For example, a firm that plans to acquire another firm could identify the acquisition as an event that could result in independence violations by the personnel of the acquired entity. This could prompt the firm to develop policies and procedures that address onboarding processes for firm personnel of acquired entities around independence. These policies and procedures would assist in identifying and resolving potential independence violations before the acquisition is completed. One firm commented that as the proposed quality objectives for ethics and independence are broadly consistent with other jurisdictional and international quality control/management standards, it E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49634 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices believes that they are appropriate, and no further changes are needed. An investor-related group expressed concern that the proposal did not sufficiently address conflicts of interest, such as when an audit firm performs other services for the audited company. The investor-related group further commented that without clear separation between those responsible for quality control and those responsible for maintaining client relationships and winning consulting contracts, investors can have less than full confidence the system of quality control will ensure the necessary level of audit quality. The Board acknowledges that QC 1000 does not create new requirements regarding auditor independence. However, in relation to the commenter’s specific concern about the performance of nonaudit services, QC 1000 requires the QC system to operate over compliance with numerous restrictions on non-audit services that exist under current independence rules enacted in response to previous independence conflicts.200 QC 1000 establishes quality objectives that apply to all firms. Within the ethics and independence component, firms are required to establish quality objectives that address both personal and firmlevel compliance. Personal violations include such matters as owning stock in companies that are audit clients of the firm or its affiliated entities while a ‘‘covered person in the firm.’’ 201 Firmlevel violations include such matters as providing prohibited services or failing to obtain required audit committee preapproval. The Board has also included specified quality responses that directly address the firm’s policies and procedures for identifying and monitoring firm and personal relationships with audit clients to help mitigate the risk of potential violations. In addition, the roles and responsibilities requirements direct firms to assign an individual operational responsibility for the firm’s compliance with ethics and independence requirements to provide oversight specifically focused on this area. The quality objectives address compliance with ethics and independence requirements not just by firm personnel, but also by others who may be subject to ethics and independence requirements in relation to work they perform on behalf of the firm. These others may include, for example, ‘‘persons associated with a public accounting firm’’ as defined in 200 See, e.g., 17 CFR 210.2–01(c)(4); PCAOB Rules 3522–3526. 201 See 17 CFR 210.2–01(f)(11). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 PCAOB rules 202 or ‘‘covered persons in the firm’’ under the SEC independence rule.203 The Board notes that these and other concepts used in the ethics and independence rules do not map directly to the terminology the Board generally uses in QC 1000. (For example, some ‘‘other participants,’’ such as other accounting firms, are subject to independence requirements, while others, such as engaged specialists and the company’s internal auditors, are not.) To ensure that the requirements for this component of the QC system align with, and do not go beyond, the ethics and independence requirements over which the QC system would operate, in this component the Board uses terminology that incorporates or refers back to the underlying ethics and independence requirements. For example, rather than having quality objectives address compliance by ‘‘other participants,’’ in this component the quality objective addresses compliance by ‘‘others subject to [ethics and independence] requirements.’’ One firm commented that it supported the direction of the quality objectives, but asserted that some of the terms were confusing as it related to ‘‘others subject to ethics and independence requirements.’’ The firm questioned whether these correspond to other participants as defined in the standard. The firm further commented that the terminology used for others subject to ethics and independence requirements could create operational challenges because those terms are open to interpretation and requested that the Board clarify the language the standard used. The firm suggested that the proposed requirements that contain this language could go beyond the intended applicability of the independence rules to the various parties contemplated. Again, the Board uses terminology in this component that incorporates or refers back to the terminology used in ethics and independence rules, terminology which it believes is well understood in those contexts. The Board uses it precisely to avoid going beyond the scope of existing ethics and independence requirements, and to ensure that QC 1000 addresses exactly the same population as the ethics and independence rules themselves. One firm commented that while the proposed quality objectives for ethics and independence are appropriate and important, further clarification may be 202 See PCAOB Rule 1001(p)(i). 203 For example, because the definition of ‘‘accounting firm’’ under 17 CFR 210.2–01(f)(2) includes associated entities, ‘‘covered persons in the firm’’ may include personnel of network affiliates in addition to firm personnel. PO 00000 Frm 00048 Fmt 4701 Sfmt 4703 needed of how the objectives apply to firm personnel. Specifically, the firm argued that it could be inferred that the ethics and independence requirements extend to all individuals involved in the operation of the firm’s QC system, including those individuals who are not subject to the requirements under the existing PCAOB and SEC independence rules, for example, data research teams. QC 1000 does not impose ethics and independence requirements on individuals who are not currently subject to them. References in the standard to ‘‘requirements’’ and ‘‘obligations’’ are to existing requirements and obligations which themselves specify to whom they apply. However, firms may choose to implement broader policies regarding ethical behavior that impose requirements on individuals who are not subject to the ethics and independence rules of the PCAOB and the independence rule of the SEC. With respect to the timing of communication of violations to the individual assigned operational responsibility for the firm’s compliance with applicable ethics and independence requirements, the quality objective states that such actions should take place on a timely basis. One firm agreed that timely communication of ethics and independence related matters within the firm is important for audit quality, but expressed concern that the prescriptive nature of the requirements addressing communications may detract from the achievement of the intended objectives. The firm suggested that it is important to recognize that the evaluation of certain matters would be done in accordance with the firm’s policies and procedures, which are designed to strike a balance between prematurely alerting individuals to matters for which the facts and potential impacts are not sufficiently known and making sure those with ultimate responsibility for decisions are made aware on a timely basis. The final standard does not specify that all violations need to be communicated immediately. However, the Board believes timely communication and action should be sufficiently prompt to achieve its objective. In some cases, for example, where there is a high risk of a severe or pervasive problem, communication and action may have to be immediate to be timely. b. Ethics and Independence Specified Quality Responses (QC 1000.32–.36) The specified quality responses are primarily based on existing PCAOB ethics and independence requirements and SEC independence requirements, E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices including the provisions regarding independence quality controls that currently apply to SECPS member firms.204 The Board incorporated these SECPS member requirements into QC 1000, with some refinements, and extending those requirements to all firms. The Board’s view is that the SECPS requirements address matters that are generally relevant to a QC system operating over compliance with SEC and PCAOB independence rules. Since those rules apply to all firms that perform engagements for issuers and broker dealers, the Board believes it is appropriate to extend the SECPS requirements to all firms. Under the standard, the firm is required to design, implement, and maintain policies and procedures for the following: • General ethics and independence matters; • Certain specific matters that may reasonably be thought to bear on independence; • Communication regarding ethics and independence policies and procedures; and • Mandatory training on ethics and independence. One firm commented that it generally supports the specified quality responses and believes that it is appropriate to have the same set of independence requirements apply for all firms. Another firm suggested that the specified quality responses are not necessary to achieve the objectives of QC 1000. Instead of prescriptive specified responses, the firm suggested that the standard include more specified quality objectives which would promote scalability and allow for future adaptations to technological or other innovations. Another commenter said that the proposal expanded on the independence requirements in a granular manner and suggested that the details be moved into an appendix or practice aid or provided as additional guidance to help reduce differences between QC 1000 and other standard setters. The specified quality responses for the ethics and independence component primarily carry forward existing requirements from the PCAOB’s QC standards and extend certain existing requirements to all firms. The Board believes that the specified quality responses relate to risks that apply to all firms and therefore should be addressed by all firms. The Board intends them to be obligations of all firms and have therefore codified them within the rule text rather than as guidance. 204 See SECPS 1000.46. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 i. QC Policies and Procedures About General Ethics and Independence Matters (QC 1000.33) The standard requires the adoption of policies and procedures regarding general ethics and independence matters, carrying forward current PCAOB and SEC requirements. The proposed requirement in QC 1000.33.a did not draw comment and was adopted as proposed. The phrase ‘‘may reasonably be thought to bear on independence’’ is used in PCAOB Rule 3526 205 and should be familiar to all firms. It is taken from an independence standard that predates the existence of the PCAOB,206 and, as the Board noted in connection with the adoption of Rule 3526, it focuses auditors on the perceptions of reasonable third parties when making independence determinations. It is consistent with the SEC’s general standard on independence.207 The firm’s policies and procedures are required to address all matters that may reasonably be thought to bear on the independence of the firm, firm personnel, and affiliates of the firm under SEC and PCAOB rules. In addition to the broad concept of matters that ‘‘may reasonably be thought to bear on independence,’’ SEC and PCAOB rules address certain specific matters that bear on independence. For example, 17 CFR 210.2–01(c) sets forth a non-exclusive list of circumstances that the SEC considers to be inconsistent with independence.208 Such circumstances include, among others, certain financial relationships, employment relationships, business relationships, non-audit services, contingent fees, and circumstances related to partner rotation. PCAOB rules also list certain prohibited tax transactions and tax services that would make the firm not independent of its client.209 The underlying facts and circumstances and relevant requirements will determine what actions need to be taken by the firm to address a matter that may reasonably be thought to bear on independence. For example, in some situations, it will be 205 See PCAOB Rule 3526 (requiring auditors to describe to the audit committee relationships that may reasonably be thought to bear on independence). 206 See Independence Standards Board Standard No. 1, Independence Discussions with Audit Committees. ISB No. 1 was included in the Board’s interim standards until it was superseded by the adoption of Rule 3526. 207 See 17 CFR 210.2–01(b). 208 See 17 CFR 210.2–01(c). 209 See PCAOB Rule 3522, Tax Transactions; PCAOB Rule 3523, Tax Services for Persons in Financial Reporting Oversight Roles. PO 00000 Frm 00049 Fmt 4701 Sfmt 4703 49635 sufficient to communicate the matter to the audit committee. In other situations, further action may be required. The proposed requirements in QC 1000.33.b–c did not draw comment and were adopted substantially as proposed. Integrity and objectivity are important ethical concepts currently addressed in QC 20.210 Under the existing standard, integrity requires personnel to be honest and candid within the constraints of client confidentiality, whereas objectivity imposes the obligation to be impartial, intellectually honest, and free of conflicts of interest. As discussed in more detail below, the Board rescinded the interim ethics and independence standard, ET 102, Integrity and Objectivity, and replacing it with a new standard, EI 1000, Integrity and Objectivity.211 QC 1000 includes a reference to that new rule and to PCAOB Rule 3500T, Interim Ethics and Independence Standards. The final standard clarifies that firm personnel are expected to demonstrate integrity and objectivity in carrying out all of their professional responsibilities associated with the QC system and the performance of engagements. This includes activities ranging from the design and implementation of the QC system, monitoring and remediation, and evaluation of the QC system, to training and professional development; planning, performing, and supervising engagements; and internal and external communications. The Board also believes that it is important for the firm’s policies and procedures to address obligations related to integrity and objectivity for associated persons of the firm, other than firm personnel, who perform work on behalf of the firm. The proposed requirement in QC 1000.33.d did not draw comment and was adopted as proposed. Establishing a consultation process on independence matters is an existing concept under SECPS independence requirements. Currently, SECPS member firms are required to designate a seniorlevel partner responsible for overseeing the adequate functioning of the firm’s independence policies and consultation process.212 The Board expanded this concept in QC 1000 by covering not only independence matters, but also ethics matters, and by expressly requiring the firm’s policies and procedures to address the identification of ethics and independence matters that require consultation. The Board believes the 210 See QC 20.10. Rescission of ET Section 102; adoption of EI 1000; related amendments. 212 See SECPS 1000.46 (requirement 5). 211 See E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49636 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices specific focus on identifying matters requiring consultation should prompt firm personnel and others subject to such requirements to more effectively identify ethics and independence issues that are new, challenging, or complex and that would benefit from evaluation by subject matter experts. The Board applied the requirement to all firms, not just SECPS member firms. Under existing SECPS requirements, member firms are required to establish a monitoring system to determine that corrective actions are taken on all apparent independence violations reported by firm personnel.213 Under those requirements, the monitoring system should include procedures to provide reasonable assurance that (i) investments of the firm and its benefit plans are in compliance with the firm’s policies and (ii) information received from its partners and managers is complete and accurate. The SECPS requirements do not prescribe specific activities for the monitoring system, other than stating that generally it includes auditing, on a sample basis, selected information such as brokerage statements, or alternative procedures that accomplish the same objective. One firm requested clarification of whether auditing, on a sample basis, selected information such as brokerage statements, will be mandatory under QC 1000. The standard does not prescribe specific activities to monitor compliance with ethics and independence requirements and the firm’s ethics and independence policies. This allows scalability based on the firm’s size and specific circumstances. The Board expects that firms that have developed monitoring systems to comply with SECPS requirements would continue to use these systems as one aspect of monitoring compliance under the standard. While auditing brokerage statements is not mandatory under QC 1000, the firm must design, implement, and maintain policies and procedures to monitor compliance with applicable ethics and independence requirements and related firm policies and procedures. Based on the firm’s size and specific circumstances, a firm can choose which monitoring activities are an effective response to meet the quality objective. With respect to compliance with applicable ethics and independence requirements by the firm and its affiliates, the Board understands that firms employ various manual and automated tools for evaluating whether the firm and its affiliates comply with SEC and PCAOB independence 213 See SECPS 1000.46 (requirement 7.d). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 requirements and the firm’s independence policies and procedures. Some examples of such tools include having a centralized process to monitor business relationships, establishing an independence confirmation process that includes detailed guidance and questions related to independence and prohibited non-audit services, and periodic review of the completeness and accuracy of information reported on independence confirmations. A firm may establish ethics and independence policies and procedures that are more restrictive than the rules of the SEC and PCAOB—for example, to comply with requirements of other jurisdictions or to simplify compliance with SEC and PCAOB requirements by setting bright-line policies and reducing the range for individual judgment. Under the standard, the firm’s evaluation of compliance covers applicable ethics and independence requirements as well as the firm’s policies and procedures. The proposed requirements in QC 1000.33.f were adopted substantially as proposed. As previously discussed, QC 1000 includes the existing SECPS requirement for firms to have policies and procedures that address independence violations and expands the requirement to cover all firms and to include ethics violations. Under the standard, the firm is required to establish policies and procedures addressing violations and potential violations of ethics and independence requirements. These types of policies and procedures are intended to be preventive, detective, and corrective by nature. The firm’s policies and procedures are required to address identifying conditions, events, relationships, or activities that could constitute ethics or independence violations involving the firm, firm personnel, and, with respect to work performed on behalf of the firm, others subject to such requirements. For example, if a firm or its network is contemplating a reorganization or restructuring that would affect the relationships among affiliated firms or other entities, identifying postreorganization investment activities as such an activity could assist the firm in designing and implementing appropriate policies to prevent independence violations. With respect to ethics and independence violations that do or could occur, the firm’s policies and procedures are required to address the taking of preventive and corrective actions to address violations on a timely basis. Such policies and procedures PO 00000 Frm 00050 Fmt 4701 Sfmt 4703 could specify the individuals responsible for taking preventive and corrective actions (at the engagement or firm level), the timing of preventive and corrective actions, and any potential sanctions against firm personnel or other individuals for violating ethics and independence requirements. While one firm supported bringing greater attention and accountability to the ethics and independence component, it suggested that the level of prescription may create operational challenges that could be detrimental to audit quality. Specifically, with regards to paragraph .33f.(2), the firm commented that ethical or independence violations may take a variety of forms and that dictating that preventive and corrective actions must be taken does not promote a risk-based approach. The standard requires that a firm’s policies and procedures address, with respect to violations and potential violations, the taking of preventive and corrective actions, as appropriate. Ethics or independence violations may take a variety of forms, and therefore the nature and extent of the preventive and/ or corrective actions may also take a variety of forms commensurate to the severity and pervasiveness of the violation. The firm’s policies and procedures are required to address reporting of ethics and independence violations. QC 1000 requires that firm personnel and others performing work on behalf of the firm that are subject to the ethics and independence requirements report both their own violations and other violations of which they become aware that may affect the firm. The Board revised the language in proposed paragraph .33f.(3) to clarify that the requirement applies to others performing work on behalf of the firm that are subject to the ethics and independence requirements. The standard takes a principles-based approach, which allows each firm to determine which reporting mechanisms best fit its structure and address its quality risks. Through the Board’s oversight activities, it has observed that firms employ various mechanisms for firm personnel to report violations. Some examples include direct communication lines to an ethics and independence group, designated individuals within the human resources department or the legal department, and whistleblower hotlines.214 Firms may assess each case individually and involve appropriate subject matter experts, depending on the nature of the 214 See, e.g., paragraph .29 of QC 1000, discussed above, for requirements regarding firm processes for addressing complaints and allegations. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices violation. Some firms also establish escalation protocols for certain types of ethics and independence violations (e.g., violations involving a partner in the firm). In addition, the firm’s policies and procedures are required to address any communications that need to take place as a result of a violation of ethics and independence requirements. For example, PCAOB Rule 3526 requires certain communications to the audit committee regarding matters that are thought to bear on the firm’s independence, including violations of independence requirements. ii. QC Policies and Procedures About Certain Matters That May Reasonably Be Thought To Bear on Independence: Restricted Entities, Independence and Ethics Certifications, and Matters Requiring Audit Committee PreApproval Under the standard, the firm’s policies and procedures on matters that may reasonably be thought to bear on the independence of the firm are required to address, among other things, (1) restricted entities, including the maintenance and dissemination of the list of restricted entities; (2) independence and ethics certifications; and (3) matters requiring audit committee pre-approval. (1) Restricted Entities (QC 1000.34.a–d) khammond on DSKJM1Z7X2PROD with NOTICES2 Most of the requirements related to restricted entities come from existing SECPS member requirements,215 which will now apply to all firms. Under the standard, as under current requirements, restricted entities include all audit clients (including affiliates of the audit client) of the firm and affiliates of the firm. One firm commented that the proposal did not define ‘‘affiliates’’ and recommended either referencing the definition provided in PCAOB Rule 3501 or defining the term in the standard in a manner similar to Rule 3501. ‘‘Audit client,’’ ‘‘affiliate of the audit client,’’ and ‘‘affiliate of the accounting firm’’ are terms defined in existing PCAOB and SEC rules.216 As 215 The SECPS term ‘‘restricted entities’’ includes all audit clients of the firm (and, where applicable, its foreign-associated firms) that are SEC registrants, along with other entities that the firm is required to be independent of under the applicable SEC requirements. 216 ‘‘Audit client’’ is defined for purposes of SEC rules in 17 CFR 210.2–01(f)(6), and for purposes of PCAOB rules in PCAOB Rule 3501(a)(iv). ‘‘Affiliate of the audit client’’ is defined in PCAOB Rule 3501(a)(ii) as having the same meaning as defined in 17 CFR 210.2–01(f)(4). ‘‘Affiliate of the accounting firm’’ is defined in PCAOB Rule 3501(a)(i) and, for purposes of the Note to paragraph .34a., ‘‘accounting firm,’’ which includes VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 proposed, paragraph .34 includes a footnote referring to those definitions. Existing SECPS requirements require firms that audit more than 500 SEC registrants to have an automated system to identify investment holdings of partners and managers that might impair independence.217 As proposed, the Board required an automated system for firms that issued audit reports with respect to more than 100 issuers during the prior calendar year. The Board understands that firms that audit more than 500 SEC registrants already have automated systems in place, based on the SECPS requirements to have an automated system 17 CFR 210.2– 01(d).218 Firms that issued audit reports for 100 or fewer issuers are required to consider whether the system needs to be automated, taking into account the quality risks and the nature and circumstances of the firm. For example, a firm with close to 100 issuers and a significant number of managers and partners may assess timely identification of personal investments that may impair independence as a quality risk, and a quality response to address that risk may include an automated system to help facilitate a more timely relationship-checking process. One firm commented that the specified quality response to have an automated process for identifying direct or material indirect financial interests is appropriate, and another firm commented that it did not object to the requirement. However, a firm and a firm-related group recommended that the PCAOB consider if the existing SEC requirements are sufficient such that no additional PCAOB requirements are needed, and several firms commented that the costs of implementing the requirement would be significant and instead the threshold should be increased to 500 issuers to be consistent with the SEC requirements. Some of these firms suggested that the cost may be a potential barrier to entry for firms approaching the 100-issuer audit client the firm’s associated entities, is defined in 17 CFR 210.2–01(f)(2). 217 See SECPS 1000.46 (requirement 4). 218 17 CFR 210.2–01(d) provides that a firm’s independence is not impaired solely because a covered person in the firm is not independent of an audit client, provided the covered person did not know of the circumstances giving rise to the violation, the violation was corrected as promptly as possible, and the firm maintains a quality control system meeting specified standards. 17 CFR 210.2– 01(d)(4), describes, for firms that provide audit, review, or attest services to more than 500 SEC registrants, features necessary for the firm’s QC system to meet the specified standards, including an automated system to identify investment holdings of partners and managers that might impair independence. PO 00000 Frm 00051 Fmt 4701 Sfmt 4703 49637 threshold. One of these firms commented further that some firms that audit over 100 issuers will consider decreasing the size of their practice due to the associated cost of the requirement. This firm suggested that the specified quality response be removed and instead, if necessary, implement a quality objective that firms could address through their risk assessment process. Several firms suggested that firms that audit more than 100 but no more than 500 issuers could consider implementing such a process, but it should not be required. One firm-related group suggested that the threshold for requiring an automated independence system be reduced further, given the number of repeated independence issues among all firms. One firm expressed concerns with both the proposed requirement in paragraph .34a.(1) and the suggestion in paragraph .34a.(2) to automate this process, suggesting that this would be cost prohibitive and firms should design processes that reflect their respective size, complexities and risks identified. Another firm commented that firms subject to the current SECPS requirements have likely invested significant capital and resources to implement and maintain tools that enable compliance with those requirements, and while the firm views that investment as worthwhile and believes the procedures have contributed to audit quality over the years, it expressed concerns for the cost of the requirement to firms that audit between 100 and 500 issuers. Another firm commented that it has such an automated system in place, however it suggested that the implementation of such a system within the timeframe set out in the proposed standard may be challenging and costly. One firm commented that the determination of whether or not to implement an automated process for identifying and tracking direct and material indirect financial interests should be risk-based and not include a prescriptive requirement based on an arbitrary count of greater than 100 issuers. The firm specifically commented that the size, scope, nature, and complexity of firms’ issuer practices can vary significantly among the annually inspected firms, noting for example that a large portion of its issuer client count consists of Form 11–K audits and smaller reporting companies. Another firm commented that while the size of the firm’s client base is one factor to consider in determining an appropriate quality response, the nature and circumstances of the firm and the firm’s clients are also E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49638 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices factors that should be taken into consideration, as well as the firm structure, industries served, and number of managers and partners. Some firms sought clarity as to whether an automated process would be required for other financial relationships, for example, employment relationships, business relationships, or non-audit services, and commented that the identification of certain financial relationships cannot be easily automated. Instead, the firms suggested limiting the requirement to automate the process for identifying investments in securities that might impair independence, to align with the SEC requirement. A number of firms and a firm-related group requested clarity on what ‘‘automated’’ means and what the Board’s expectations are with regards to the nature, extent and scope of automation. After consideration of the comments, the Board adopted the 100-issuer threshold as proposed. The Board believes it is important to maintain a consistent threshold for the incremental requirements in QC 1000. As discussed in more detail above, the Board believes that the 100-issuer threshold is appropriate, and while the nature of each firm’s audit client list may vary, there still exist complexities inherent to firms with a large number of issuer audit clients that may give rise to quality risks that apply to the firm’s independence, for which the automated system would be an appropriate quality response. The Board clarified in the final standard that the requirement for an automated process is limited to the process to identify investments in securities that might impair the independence of the firm or firm personnel, the same scope as required under 17 CFR 210.2–01(d). The Board has observed through its oversight activities that some firms have systems that automate the identification of their professionals’ investment holdings through direct broker feeds, but a direct broker feed is not the only type of automated process that would meet the Board’s requirement. As discussed in a December 9, 1999, letter from the SEC’s Chief Accountant,219 firms need to develop a system that tracks audit engagements and financial investments held by professionals such that the conflict verification process is automated. Such a system may rely on firm professionals accurately self219 See Letter From the Chief Accountant: Issues Related to Independence/Quality Control to SEC Practice Section (II) (Dec.9, 1999), available at https://www.sec.gov/info/accountants/staffletters/ calt129a.htm. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 reporting and entering their investments into the system in a timely manner. These holdings would automatically be compared to the list of restricted entities to identify any relationships with restricted entities. Based on the size of the firm and other characteristics, a firm may determine that a direct broker feed is an appropriate quality response (for example, if the firm’s monitoring activities found high rates of noncompliance by firm personnel with the firm’s policies and procedures for reporting financial investments), but a direct broker feed is not expressly mandated for firms subject to the requirement to implement an automated process. The Board also made a change to require that the process described in paragraph .34a.(1) must be automated to conform the degree of responsibility that the requirement imposes on the auditor to that required under paragraph .34. One firm suggested that a longer transition period be provided for firms that are not currently subject to a requirement to implement an automated system. The firm commented that if two firms merged and one or both of the firms had previously not been subject to the requirement, it is unlikely that a system of this nature could be implemented and tested for effectiveness in the time period provided. The Board believes that firms continuously monitor the size of their audit practice relative to the 100-issuer threshold, and if a firm is considering a transaction such as a merger that would increase its number of issuer audit clients significantly, then the firm could begin to implement such a system in advance of the end of the calendar year in which the firm first surpasses the 100-issuer threshold. Indeed, for a transaction such as a merger of audit firms, the Board believes that there could exist specific risks to independence as a result, which in itself may result in a firm developing an automated system as a quality response. Current SECPS requirements require timely (generally monthly) communication of additions to the Restricted Entity List.220 The proposal contemplated requiring that firms have policies and procedures for maintaining and making available the list of restricted entities to firm personnel and others performing work on behalf of the firm who are subject to independence requirements, and updating and communicating changes to the list of restricted entities at least monthly to such persons. Several firms and a firm-related group suggested the specified quality response 220 See PO 00000 SECPS 1000.46 (requirement 5). Frm 00052 Fmt 4701 Sfmt 4703 be replaced with a quality objective regarding updates to and awareness of changes in the restricted entity list. Two of these firms suggested that the requirement be amended to limit communications to additions to the restricted entity list. Another firm suggested communications be limited to firm personnel subject to independence requirements and the requirements should allow for flexibility in the nature, timing, and extent of communications. QC 1000 does not enlarge the population of individuals who are subject to ethics and independence requirements. References in the standard to ‘‘requirements’’ and ‘‘obligations’’ are to existing requirements and obligations which themselves specify to whom they apply. In addition, after consideration of the comments received, the Board amended the standard to limit the required communications to additions to the list of restricted entities, rather than all changes. Some firms did not support this communication to ‘‘others performing work on behalf of the firm,’’ and suggested that communications should be limited to potential covered persons affected by the additions. Two of these firms commented that these individuals would likely not be considered covered persons for engagements other than the engagement they are working on, and suggested that the Board allow firms to take a risk-based approach when determining the scope and frequency of the communications. Another firm suggested that QC 1000 does not need to specifically address certain communications to other participants where this is required by another standard, specifically AS 2101 (as in effect for audits of fiscal years ending on or after December 15, 2024) paragraph .06D, which includes a ‘‘written description of all relationships between the other auditor and the audit client of persons in financial oversight roles at the audit client that may reasonably be thought to bear on independence. Another firm commented that the goal of alerting others performing work on behalf of the firm to specific engagement independence requirements could be achieved through engagement-specific independence certifications. After consideration of the comments received, the Board amended the standard to require at least monthly communication of additions to the list of restricted entities to firm personnel and others performing work on behalf of the firm whose relationships and arrangements with such additional restricted entities may reasonably be thought to bear on the independence of E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices the firm. The Board believes that it is appropriate to limit communications of additions to the list of restricted entities to firm personnel and others performing work on behalf of the firm to those additions that could reasonably be thought to bear on the independence of the firm. For example, additions to the affiliate list for an issuer would be relevant for an individual who is performing work on behalf of the firm on that issuer, or a partner who is located in the same office of the firm in which the lead audit engagement partner primarily practices in connection with the audit. This communication should be made as frequently as necessary, and on an at least monthly basis, through the period that the individual is subject to the independence requirements. Several firms and a firm-related group commented that the requirement to communicate the restricted entity list would not be more effective than the automated systems already in place at larger firms. Two firms also commented that smaller firms with infrequent changes to the restricted entity list may not need to communicate changes monthly. One of these firms suggested that many firms already have policies where individuals are required to review the restricted entities list prior to purchasing stock/during proposal/ acceptance procedures to determine whether an independence conflict would exist, and that many firms also make those restricted lists readily available to employees as part of their current QC systems. The Board believes, and has observed through its oversight activities, that such automated systems may not fully mitigate quality risks associated with the timely reporting of financial relationships by firm personnel, for example, if the automated system is not equipped to identify certain financial relationships, or if the firm is reliant on its professionals making timely reporting of these relationships into the firm systems. The Board believes that requiring the communication of additions to the list of restricted entities to firm personnel whose relationships and arrangements with such additional restricted entities may reasonably be thought to bear on the independence of the firm on an at least monthly basis may prompt firm personnel to report a previously unreported relationship. If there are no additions, there is no required communication. One firm commented that it is unclear whether communication is intended to mean a distributed communication (e.g., email of the updated list) or communication can be made available VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 (e.g., a website that hosts such list and is readily available to access). Some firms may decide to communicate updates to the list of restricted entities on a more frequent basis, as changes are being made, or in more targeted ways (such as to particular offices or engagement teams). The standard does not prescribe the method of communication. Through the Board’s oversight activities, it have observed that some firms comply with existing SECPS requirements by communicating additions to the list of restricted entities to all firm personnel weekly via email. These firms could continue that practice to comply with the standard. However, other methods that result in an effective communication may also be acceptable; for example, a firm might communicate that there have been additions to the list of restricted entities via email, and include within the email a link to an accessible website-hosted list of additions.221 While the standard requires communications of additions to those individuals whose relationships and arrangements with such additional restricted entities may reasonably be thought to bear on the independence of the firm, the firm may choose to extend the communications of additions more broadly. In addition, if the firm communicates additions to less than all firm personnel, then the firm must have correctly identified the group of people whose relationships and arrangements with such additional restricted entities may reasonably be thought to bear on the independence of the firm. The standard does not prescribe a specific process for maintaining and making available the list of restricted entities to firm personnel and other individuals. Firms are able to determine the specific methods and tools needed to keep the list of restricted entities up to date and to ensure that any additions are communicated on a timely basis to firm personnel and other individuals. This determination is based on factors such as the size of the firm, the number of audit clients, and the complexity of those clients (e.g., the number of audit client affiliates). For example, a smaller firm with a small group of professionals, a stable portfolio of audit clients, and a manual process for maintaining the list of restricted entities may decide to communicate changes monthly. For a larger firm with many audit clients and firm affiliates, an automated tool could help facilitate more frequent updates to the list of restricted entities. The firm is 221 Firms are required to communicate additions to the list of restricted entities. For periods where there were no changes, no such communication would be required. PO 00000 Frm 00053 Fmt 4701 Sfmt 4703 49639 required to notify relevant professionals of additions to the list at least monthly. The Board recognizes that some firms are members of networks that may develop systems, processes, and controls to monitor network firms’ compliance with independence requirements, including maintaining a database of restricted entities. As described above, the standard does not prescribe a specific process for maintaining a database of restricted entities, so this process could potentially be performed by a network or outsourced to a third party. At the same time, the standard requires each firm to establish its own quality objective, which places responsibility on the firm with respect to resources or services provided by the network or a third-party provider.222 The Board incorporated into QC 1000 the existing SECPS requirements for firm personnel 223 to review the list of restricted entities prior to obtaining any security or other financial interest in an entity, but with the following refinements: • Require firm personnel to review the list of restricted entities, not only before they or their relevant family members 224 obtain a direct or material indirect financial interest in an entity or enter into a direct or material indirect relationship with an entity,225 but also after additions to the list of restricted entities are communicated by the firm, upon firm personnel’s employment at the firm, prior to changes in position (e.g., going into a chain of command or other covered person role 226), and prior to entering into or modifying any business or employment relationships. • Require the firm and firm personnel to take required actions on a timely basis if the review of the list of restricted entities indicates that action is required under applicable professional and legal requirements or the firm’s policies and procedures. Under this approach, the firm’s policies and procedures will require 222 See below for a discussion of the firm’s responsibilities when it uses resources or services provided by a network or third-party provider. 223 SECPS requirements use the term ‘‘professionals,’’ which means professional staff, including partners. See SECPS 1000.46 (requirement 1.a). 224 Context determines which family members would be relevant. See, e.g., 17 CFR 210.2–01(f)(9) (defining ‘‘close family members’’); 17 CFR 210.2– 01(f)(13) (defining ‘‘immediate family members’’); see generally 17 CFR 210.2–01(c) (referring to ‘‘close family member’’ or ‘‘immediate family member’’ depending on the context). 225 The Board is using the terms direct and material indirect in the same sense as 17 CFR 210.2–01(c). 226 ‘‘Covered persons in the firm’’ is defined in 17 CFR 210.2–01(f)(11). E:\FR\FM\11JNN2.SGM 11JNN2 49640 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 that the list of restricted entities be reviewed before the firm enters into any relationship, engagement to perform non-audit services, or fee arrangement that might affect compliance with independence requirements. This requirement serves the same purpose as review of the list of restricted entities by the firm personnel and helps the firm to identify relationships that may result in noncompliance with applicable professional or legal requirements. One firm commented that, rather than requiring that the list of restricted entities be reviewed before the firm enters into any relationships, engagements to perform non-audit services, or fee arrangements that might affect compliance with independence requirements, firms should be permitted to develop quality responses to identify prohibited relationships and fee arrangements that appropriately respond to quality risks, based on the firm’s facts and circumstances. The firm also suggested that the requirement for firm personnel to review the list of restricted entities after changes to the list are made should be deleted since firm personnel would already be notified of changes based on paragraph .34b. The Board believes these specified quality responses are appropriate and should be addressed by all firms, regardless of the specific facts and circumstances of the firm. In addition, the Board views the requirements of paragraph .34b for the firm to maintain and make available the list of restricted entities, and paragraph .34d for firm personnel to review the list of restricted entities, as separate. (2) Independence and Ethics Certifications (QC 1000.34.e) Certifications are intended to drive greater accountability for firm personnel’s compliance with independence requirements and to deter independence violations. The certification requirement is similar to an existing SECPS requirement, which requires each professional to certify near the time of initial employment and at least annually thereafter that he or she (1) has read the member firm’s independence policies, (2) understands their applicability to his or her activities and those of his or her spouse and dependents, and (3) has complied with the requirements of the member firm’s independence policies since the prior certification.227 The proposal contemplated obtaining certifications from firm personnel regarding familiarity and compliance with SEC and PCAOB independence 227 See SECPS 1000.46 (requirement 7.b). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 requirements and the firm’s independence policies and procedures (1) upon employment, (2) at least annually thereafter, and (3) upon any change in personal circumstances, such as firm role, geographic location, or marital status, that is relevant to independence. Several commenters, including firms, did not support the requirement to obtain additional certifications upon changes in personal circumstances, and three firms raised practical concerns when the changes involved marital status. One firm suggested that the standard should emphasize that a firm’s independence certification process should consider timeliness in addressing the quality objective, and instead encourage firms to consider the appropriateness of obtaining periodic certifications throughout the year. One firm commented that a firm should have flexibility to determine its own policies and procedures for certifications beyond requiring them at employment and annually thereafter; the firm suggested that, for example, quarterly certification accompanied by training on the impact of life events may be more effective and practicable than event-driven review and certification. Another firm recommended that firms be allowed to develop their own quality responses based on their own unique quality risks when personal circumstances change rather than requiring certification upon changes in personal circumstances as a quality response. Another firm suggested that this requirement should instead be managed through proper education and awareness of relevant independence requirements. Another firm suggested that these items would be better suited as examples of considerations included in implementation guidance. One firm suggested that the certification requirements should be applicable for firms with over 500 issuers that already have an automated independence system. The firm further commented that the requirement is onerous in terms of being able to identify the data on a timely basis and suggested a semiannual representation period instead of circumstance-driven. In addition, the proposing release sought feedback on whether the standard should require annual written certification regarding familiarity and compliance with ethics requirements and the firm’s ethics policies and procedures, in addition to those regarding independence. The proposing release further asked whether firms should be required or encouraged to adopt firm-wide codes of ethics or similar protocols. One firm did not PO 00000 Frm 00054 Fmt 4701 Sfmt 4703 support a specific quality response that includes a certification process for ethics requirements and procedures. The firm suggested that firms should be permitted to adopt a quality response that addresses the risks within their own practice, and that a certification requirement that applies to all firm practice staff could turn into a ‘‘checkthe-box’’ compliance exercise that would not benefit audit quality. One firm commented that such requirements would already be addressed by the requirement for mandatory training in paragraph .36. Other commenters, including firms, investors, and investorrelated organizations, supported the requirement to obtain a written annual certification regarding familiarity and compliance with ethics requirements and the firm’s ethics policies and procedures. One of these investors commented that the main argument against such certifications is that it imposes a cost and that it becomes a ‘‘tick-the-box exercise,’’ but in the investor’s view the cost is de minimis given other annual declarations needed by firm personnel, and firm leadership can send an appropriate signal by embracing the ethics code to stop such annual declarations becoming a perfunctory exercise. One firm and an investor-related organization supported a requirement that firms should adopt firm-wide codes of ethics. After consideration of the comments received, the Board made two changes to the final standard. First, the Board removed from the standard the requirement to obtain a certification from firm personnel regarding familiarity and compliance with SEC and PCAOB independence requirements and the firm’s independence policies and procedures upon any change in personal circumstances, and replaced this with the requirement that such a certification must be obtained for any change in professional circumstances that is relevant to independence. Rather than include examples of such changes in the text of the standard, the Board provided in this release some examples of changed professional circumstances that may be relevant to the independence of the firm’s personnel under applicable independence rules. These examples include changes within the firm such as promotions, moving offices, or changing practice groups (e.g., changes to covered person status). Although, in connection with this change, the Board removed a certification requirement with regard to changes in personal circumstances, such changes can have independence implications under SEC and PCAOB E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 independence requirements, and a firm’s QC system must provide reasonable assurance of compliance with those requirements. Secondly, the Board added a requirement for certification by firm personnel regarding familiarity and compliance with the applicable ethics requirements and the firm’s ethics policies and procedures as the Board believes such certification will enhance individual accountability and, ultimately, compliance. The Board not added a requirement for firms to adopt a firm-wide code of ethics or similar protocol, because it believes that firms should have flexibility to determine whether this would assist them in meeting the relevant quality objectives. The standard does not prescribe a checklist of specific content for the certifications, focusing instead on general concepts of familiarity and compliance. It is possible that the form of certification called for by the existing SECPS requirement would satisfy the standard. In addition, the standard expands on the existing SECPS requirement by requiring firms to obtain certifications every time firm personnel have a change in professional circumstances that is relevant to independence, such as a change in role or geographic location. Changes within the firm such as promotions, moving offices, or changing practice groups may have consequences under independence rules (e.g., changes to covered person status) and result in noncompliance. The Board continues to believe that a specified quality response requiring specific event-driven independence and ethics certifications appropriately considers timeliness in addressing the quality objective and applies to quality risks that exist in all firms. (3) Matters Requiring Audit Committee Pre-Approval (QC 1000.34.f) The proposed requirement did not draw comment and was adopted as proposed. QC 1000 contains a new requirement regarding firm policies and procedures for identifying matters that require pre-approval by the audit committee and obtaining such approval. The primary responsibility for identifying matters that require audit committee pre-approval and obtaining such pre-approval resides at the engagement level. The firm’s policies and procedures, however, provide tools and guidance that enable engagement teams to properly identify the relevant matters and obtain necessary preapprovals on a timely basis. Through the Board’s oversight activities, it has observed numerous instances where firms did not have an effective VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 mechanism in place for monitoring whether matters that require audit committee pre-approval were properly disclosed to audit committees. The new requirement should lead to more consistent compliance. iii. Communication of Changes to Ethics and Independence Policies and Procedures (QC 1000.35) The proposed requirement did not draw comment and was adopted as proposed. The final standard incorporates existing SECPS requirements regarding the dissemination of the firm’s independence policies and procedures and expands the requirements to cover ethics policies and procedures. When deciding how to make ethics and independence policies and procedures available, firms would consider how to make firm personnel and others performing work on behalf of the firm aware of where and how to find these policies and procedures in a way that supports those individuals’ ongoing compliance with certification and other requirements. The standard requires the firm to communicate any substantive changes to its ethics and independence policies and procedures on a timely basis. iv. QC Policies and Procedures About Mandatory Ethics and Independence Training (QC 1000.36) The proposed requirement did not draw comment and was adopted as proposed. The standard includes a requirement for mandatory periodic training on ethics and independence, which expands on the existing SECPS requirements that cover training on independence. The mandatory training requirement promotes awareness and understanding of the ethics and independence requirements, which should lead to better compliance with such requirements. Under existing SECPS requirements, firms are required to establish a training program for professionals to complete near the time of initial employment and periodically thereafter.228 The specific content and extent and timing of the training will be determined by the firm, but the program is required to cover both the relevant professional and legal requirements (for example, regarding financial interests, business relationships, employment relationships, proscribed services, and fee arrangements) and the firm’s related policies and procedures. 228 See PO 00000 SECPS 1000.46 (requirement 3). Frm 00055 Fmt 4701 Sfmt 4703 49641 By not specifying the content for such mandatory training, the standard allows firms the ability to develop training programs based on their circumstances. For example, a firm may develop its training to place a greater emphasis on areas with recurring ethics and independence findings across the firm, or it may target specific ethics and independence findings in different regions. Similarly, the standard does not specify how the firm would provide such training. A firm may develop and deliver its own training, contract with others to provide training, or provide access to third-party training. Under the standard, the firm is required to provide such training at least annually, or more often as needed. 2. Current PCAOB Standards QC 20 provides that policies and procedures should be established to provide the firm with reasonable assurance that personnel maintain independence (in fact and in appearance) in all required circumstances, perform all professional responsibilities with integrity, and maintain objectivity in discharging professional responsibilities.229 The SECPS member requirements regarding independence quality controls apply only to certain firms. The requirements for ethics and independence discussed above are more detailed than the existing requirements in QC 20 and Appendix L of the SECPS and would apply to all firms. Acceptance and Continuance of Engagements This component addresses the firm’s processes when considering whether to accept or continue an engagement. 1. QC 1000 a. Acceptance and Continuance of Engagements Quality Objectives (QC 1000.38) The proposal described the quality objectives related to acceptance and continuance of engagements. Several commenters, including firms, were generally supportive of the proposed quality objectives. A commenter on the AS 1000 rulemaking objected to the use of the term ‘‘client’’ in that standard to refer to the company and its management. The commenter suggested ‘‘company under audit’’ instead. The Board agrees with the commenter that the terminology used in the PCAOB standards should help to remind auditors that they work for the benefit of investors, not the management of the company. 229 See E:\FR\FM\11JNN2.SGM QC 20.09. 11JNN2 49642 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices Accordingly, the Board generally replaced references to the ‘‘client’’ with references to the ‘‘company’’ or eliminated them altogether (for example, this component, called ‘‘Acceptance and Continuance of Client Relationships and Specific Engagements’’ in proposed QC 1000, is ‘‘Acceptance and Continuance of Engagements’’ in the final standard). The Board, however, retained references to the ‘‘client’’ where that aligns with other rules, such as in the area of independence. The quality objectives in this component were adopted substantially in the form proposed, with the exception of the change throughout to focus on the engagement instead of the client relationship and the other clarifications discussed below. Acceptance and continuance of engagements is an aspect of a firm’s compliance and risk management process. Each firm, depending on its nature and circumstances, may approach acceptance and continuance of engagements differently. The acceptance and continuance of engagements process assists the firm in mitigating reputational, business, and litigation risk. The quality objectives stress the importance of focusing the acceptance and continuance of engagements process on the firm’s ability to perform an engagement in accordance with applicable professional and legal requirements. khammond on DSKJM1Z7X2PROD with NOTICES2 i. Timing (QC 1000.38.a(1)) The proposed standard required the firm’s judgment about whether to accept or continue an engagement to be made as part of or before performing preliminary engagement activities. Preliminary engagement activities, which are activities the auditor should perform at the beginning of the audit, are described in AS 2101.06. One commenter stated that the proposed requirement implied that the judgment was only made during preliminary activities and not throughout the engagement. The Board clarified the quality objective in paragraph .38a(1) to specify that the initial judgment is to be made as part of or before preliminary engagement activities. QC 1000.40, discussed below, addresses the firm’s obligation to continue to address situations that could have caused it to decline the engagement had the information been known prior to acceptance and continuance. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 ii. Independence and Permissibility of Services (QC 1000.38.a(2)(a) and (b)) This proposed quality objective did not draw significant comment and was adopted as proposed. The firm’s ability to perform the engagement includes considering whether the firm is independent and whether the services are permissible. These are threshold considerations for acceptance and continuance, because in general, under PCAOB standards the firm is not allowed to accept an engagement unless it is independent of the company for which the engagement will be performed and the services are permissible under applicable professional and legal requirements (including obtaining audit committee pre-approval where that is required). The firm’s policies for acceptance and continuance in the areas of independence, permissibility of services, and pre-approval relate to and to some extent overlap with the ethics and independence component. The requirements in the ethics and independence component more generally address the ongoing evaluation of compliance with applicable professional and legal requirements relating to the independence of the firm, firm personnel, and others subject to such requirements. iii. Access to Company Information and Company Personnel (QC 1000.38.a.(2)(c)) accordance with applicable professional and legal requirements. This includes the availability of resources like the following, either internal or external to the firm: • Firm personnel or other participants with competence to perform procedures (e.g., industry experience or experience with new or specialized accounting pronouncements that apply to the company) and sufficient availability to meet audit timing requirements; • Engagement partners; • Specialists; • EQRs; • Technology to be used in the performance of the engagement, such as technology for testing the implementation and effectiveness of automated processes; and • Intellectual resources needed in the performance of the engagement (e.g., industry-specific audit programs). One commenter suggested that consideration should be given to the availability of industry-specific resources at the partner and manager level and the Board agrees that industryspecific resources are important in certain audits. However, the Board believes that issue is adequately addressed by the general reference to ‘‘resources to perform the engagement,’’ which includes industry-specific resources where those would be needed. The Board adopted this quality objective as proposed. iv. Resources (QC 1000.38.a(2)(d)) v. Other Relevant Factors (QC 1000.38.a(2)(e)) This proposed quality objective did not draw comment and was adopted as proposed. The firm’s ability to perform engagements in accordance with applicable professional and legal requirements may also be affected by other factors associated with providing professional services in the particular circumstances. Accordingly, the standard, by directing firms to consider such other relevant factors, retains the breadth and inclusiveness of QC 20.15b, which requires the firm to establish policies and procedures to provide reasonable assurance that the firm appropriately considers the risks associated with providing professional services in the particular circumstances. Another aspect of the firm’s ability to complete the engagement in accordance with applicable professional and legal requirements is the resources available to the firm. The Board believes it is important for a firm to have the right resources available so that the engagement can be performed in v. Information About the Nature and Circumstances of the Engagement, Including the Integrity and Ethical Values of the Company (QC 1000.38.a(3)) In order for the firm to make appropriate judgments about whether to accept or continue an engagement, the This proposed quality objective did not draw significant comment and was adopted substantially as proposed. The firm’s ability to perform an engagement in accordance with applicable professional and legal requirements depends on the firm’s ability to obtain information from the company and gain access to individuals at the company who can respond to the firm’s inquiries. Restricted or limited access to company information or personnel—for example, due to language differences, physical location, or local law restrictions—could impair the firm’s ability to perform the engagement in accordance with applicable professional and legal requirements. PO 00000 Frm 00056 Fmt 4701 Sfmt 4703 E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices firm needs to obtain sufficient information about the nature and circumstances of the engagement (e.g., the nature of the company and the environment in which it operates) and the integrity and ethical values of the company, including its management and audit committee.230 This information is relevant because it can help identify potential risks to performing the engagement that may result in the firm not being able to perform the engagement in accordance with applicable professional and legal requirements. The nature and circumstances of the engagement may, for example, reveal the need for specialized expertise that the firm does not have. A lack of management integrity may affect the reliability of the company’s accounting records. Designing and implementing policies and procedures that direct and standardize the collection and evaluation of such information could help the firm in consistently making appropriate judgments about whether to accept or continue an engagement. Additionally, information obtained during the firm’s acceptance and continuance process about the nature and circumstances of the engagement and the integrity of management and the audit committee would in many cases be relevant when planning and performing the engagement.231 One commenter requested clarification of whose integrity and ethical values are relevant to the consideration of ‘‘the integrity and ethical values of the company (including management and the audit committee)’’—for example, whether consideration could be limited to the audit committee chair. Since members of management and the audit committee all have influence over the company’s financial reporting, the Board believes their integrity and ethical values are important to the judgment of accepting or continuing an engagement. Therefore, consistent with the proposal, the final standard does not include such a limitation. The quality objective in QC 1000.38.b retains the concept in QC 20.16 of having policies and procedures regarding obtaining an understanding with the company about the engagement and aligns with similar requirements under PCAOB auditing and attestation 230 For a prospective engagement, this includes evaluating information obtained from a predecessor firm. See generally, e.g., AS 2610, Initial Audits— Communications Between Predecessor and Successor Auditors. 231 See, e.g., AS 2110.41–.45. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 standards.232 Achieving this objective should minimize the risk of misunderstandings regarding the nature and scope of the engagement and any limitations associated with it. c. Acceptance and Continuance of Engagements Specified Quality Response (QC 1000.39–.40) The proposal included a specified quality response regarding policies and procedures to address situations where the firm learns of information that would have caused it to decline a previously accepted engagement. Two commenters were generally supportive of the proposed specified quality response. Under this specified quality response, the firm’s policies and procedures are required to address situations in which the firm becomes aware of relevant contrary information after the firm’s decision to accept or continue an engagement. This contrary information may have existed at the time of the decision to accept or continue an engagement but not been known by the firm at the time, or it may have emerged subsequent to that decision. Depending on the circumstances, appropriate responses may include such actions as: • Consulting with legal counsel or others within the firm to determine if the firm is able to continue the engagement; • Discussing the information with management and the audit committee to determine if the firm is able to continue the engagement; • Including this information in the auditor’s risk assessment procedures so that any additional risks are responded to during the audit; and • Withdrawing from the engagement and notifying appropriate regulatory authorities as required under applicable professional and legal requirements. One commenter suggested that specific circumstances should require an immediate reconsideration of client continuance, such as illegal acts, fraud, or material omissions of fact. Existing auditing standards, such as AS 1301, include requirements related to evaluating the continuation of the client relationship. The QC system would address compliance with these requirements. Under the proposal, a firm would be deemed to have become ‘‘aware’’ of information if any partner, shareholder, member, or other principal of the firm was aware of such information, the 232 See paragraph .05 of AS 1301, Communications with Audit Committees, and paragraph .46 of AT Section 101, Attest Engagements. PO 00000 Frm 00057 Fmt 4701 Sfmt 4703 49643 same standard that applies with respect to the reporting of specified events on Form 3. One commenter stated that the concept of when a firm becomes ‘‘aware’’ should take into account the size and scale of the firm, and the nature of the matters related to the QC system, suggesting that alignment with the requirements of Form 3 may be inappropriate because of Form 3’s relatively limited scope compared to the matters addressed by QC 1000. The Board continues to believe that it would be inappropriate to differentiate among firm principals in this regard; all firm principals should be responsible for promptly communicating and acting upon relevant information. Accordingly, the class of persons whose awareness is attributed to the firm was not been narrowed. Another commenter recommended clarifying the timing of when a firm becomes ‘‘aware’’ of information subsequent to accepting or continuing a client relationship. Footnote 26 of the final standard reflects the suggested clarification that the firm is deemed ‘‘aware’’ of information when any partner, shareholder, member, or other principal of the firm ‘‘first becomes aware’’ of such information.233 2. Current PCAOB Standards The quality objectives of QC 1000 paragraph .38 do not fundamentally change a firm’s existing responsibilities regarding acceptance and continuance decisions under QC 20.234 The quality objectives expand on the requirements in QC 20 with regard to considering the necessary information and making appropriate judgments about the associated risks and the firm’s ability to mitigate those risks and perform an engagement in accordance with applicable professional and legal requirements. Engagement Performance This component addresses the firm’s processes relating to the performance of the firm’s engagements in accordance with applicable professional and legal requirements. Engagement performance encompasses the activities of firm personnel and other participants in all phases of the design and execution of the engagement—planning, performing, supervising, and documenting the engagement; conducting an engagement quality review; and making 233 This approach aligns with the instructions to Form 3, under which a firm is deemed aware of reportable facts on the first day that any partner, shareholder, principal, owner, or member of the firm first becomes aware of the facts. See Form 3, Note to Instructions to Part II. 234 See QC 20.14–.16. E:\FR\FM\11JNN2.SGM 11JNN2 49644 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices communications regarding the engagement.235 In order for the firm to consistently deliver compliant engagements, including when performing work on other firms’ engagements, firm personnel and other participants need to understand and fulfill their responsibilities in accordance with applicable professional and legal requirements. 1. QC 1000 The proposal described the quality objectives for the engagement performance component and asked if there should be any specified quality responses for this component. Firms that commented were generally supportive of the proposed quality objectives. Two commenters wanted clarity on why some concepts in auditing standards were or were not included in QC 1000. One of these commenters, an investor-related group, suggested the standard address certain areas like fraud protection, crypto assets, climate change, and critical audit matters. The Board believes these areas are engagement-level specific, whereas QC 1000 focuses on the firm-level controls over engagement responsibilities. Commenters, including firms and related groups, were also supportive of not providing specified quality responses in this component. The Board adopted these provisions substantially as proposed. Under QC 1000, a firm is required to establish quality objectives for the engagement performance component in the following areas: • Engagement responsibilities; • Consultations and differences in professional judgment; and • Engagement documentation. khammond on DSKJM1Z7X2PROD with NOTICES2 a. Engagement Responsibilities (QC 1000.42.a) This proposed quality objective did not draw comment and was adopted as proposed. The standard uses the term ‘‘engagement partner’’ with its existing meaning under PCAOB audit and attestation standards: the member of the engagement team 236 with primary responsibility for the audit, examination, or review, as the case may be.237 The definition of ‘‘engagement’’ 235 See QC 20.18. term ‘‘engagement team’’ is used as defined in the amendments to AS 2101, Audit Planning, adopted in PCAOB Rel. No. 2022–002, which takes effect for audits of financial statements for fiscal years ending on or after Dec. 15, 2024. 237 See AS 1201.A2; AT No. 1 at paragraph .07 note; AT No. 2 at paragraph .06 note. AT 101 uses the term ‘‘practitioner with final responsibility for the engagement,’’ which the Board construes as having the same meaning. 236 The VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 under QC 1000, under which substantial role work is defined as an engagement, does not change the meaning of engagement partner or affect the responsibilities of individuals involved in substantial role engagements. No comments were received on the use of this term. iii. Supervision (QC 1000.42.a.(2)(b)) i. Responsibilities of the Engagement Partner (QC 1000.42.a(1)) iv. Reporting and Other Communications (QC 1000.42.a(3)) The engagement partner is responsible for the engagement and its performance, including managing and achieving consistent compliance with applicable professional and legal requirements on the engagement. This quality objective focuses firms on partner involvement throughout the engagement, including appropriately supervising firm personnel and other participants.238 PCAOB standards and rules impose a number of requirements relating to reporting and communicating the results of the engagement.243 The engagement report and communications to the audit committee are typically prepared at the engagement level and may include information provided by the firm. For example, the firm may provide information related to independence to be communicated in accordance with PCAOB Rule 3524 or PCAOB Rule 3526. This quality objective emphasizes the importance of auditor reporting and communication in accordance with applicable requirements. ii. Due Professional Care (QC 1000.42.a(2)(a)) Due professional care means acting with reasonable care and diligence, exercising professional skepticism, acting with integrity, and complying with applicable professional and legal requirements.239 In the context of engagement performance, professional skepticism is an attitude that includes a questioning mind and critical assessment of audit evidence and other information that is obtained to comply with PCAOB standards and rules. Exercising professional skepticism improves the quality of judgments made while performing the engagement and is key to performing an engagement in good faith and with integrity. PCAOB oversight activities have suggested that the lack of professional skepticism contributes to some of the QC deficiencies identified during PCAOB inspections.240 As an example, a firm’s policies and procedures did not provide reasonable assurance that engagement partners supervised engagements with due professional care, which contributed to the failure to identify deficiencies in those engagements. The quality objective related to due professional care, including professional skepticism, enables appropriate conclusions to be reached that are supported by sufficient appropriate evidence.241 238 See generally, e.g., AS 1201. general principles and responsibilities of the auditor when conducting an audit, including professional skepticism and due professional care, are being reaffirmed and combined in AS 1000, as adopted. See Auditor Responsibilities Release. 240 See, e.g., 2022 Broker-Dealer Inspection Report, at 31. 241 See Roles and Responsibilities above. 239 The PO 00000 Frm 00058 Fmt 4701 Sfmt 4703 Proper supervision aims to ensure that work is performed as directed and supports the conclusions reached.242 The quality objective emphasizes the importance of firm personnel and other participants being supervised properly, consistent with AS 1201 and AT No. 1. b. Consultations and Differences in Professional Judgment (QC 1000.42.b– .c) Consultations are an important aspect of engagement performance, as they provide a mechanism to discuss and resolve complex, unusual, or unfamiliar matters with individuals who have the requisite knowledge, skill, and ability. Under current PCAOB standards, QC 20.19 highlights the significance of consultations, requiring appropriate policies and procedures. The quality objective should drive firms to continue to focus on the importance of consultation and resolution before the issuance of an engagement report. The quality objective in the proposed standard provided that consultations on complex, unusual, or unfamiliar accounting and auditing matters are undertaken with qualified individuals from within or outside the firm. One commenter suggested that the standard require firms to adopt policies that identify situations when national office consultation is required. The Board does not believe it is appropriate to include such prescriptiveness in the standard, as not all firms have national offices. Additionally, the quality objective provides that the firm will identify the risks specific to their 242 See AS 1201.02. generally, e.g., AS 3101, The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion; AS 2201.85–.89; AS 1301; paragraphs .34–.38 of AT No. 1; and AT 101.63–.90. 243 See E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 engagements and determine whether there are specific situations that always require consultation. Another commenter said that the reference to ‘‘unfamiliar’’ accounting and auditing matters was unclear and was concerned that it creates an unnecessary level of prescription that will be difficult to operationalize. The commenter also expressed concern that an unintended consequence could be that auditors may infer that consultations may compensate for lack of competence on the engagement team. The final standard retains the term, consistent with the use of ‘‘unfamiliar’’ in current QC 20.19. It is noted that inclusion of that term in paragraph .42 does not modify or limit auditor obligations to have the competence necessary to conduct the engagement established elsewhere in PCAOB standards. Differences in professional judgment may occur when there is a concern or disagreement regarding the application of applicable professional and legal requirements during the performance of the engagement. The quality objective underscores the importance of having and adhering to appropriate procedures for the resolution of differences in professional judgment during the performance of engagements such that the firm, firm personnel, and other participants comply with applicable professional and legal requirements. The proposed quality objective provided that differences in professional judgment related to the engagement are brought to the attention of the individual(s) with responsibility and authority for resolving such matters and are resolved before the issuance of an engagement report. One commenter suggested clarifying that if the engagement partner does not agree with the conclusions arising from the consultation (addressed above), that would be treated as a difference in professional judgment that would require compliance with the quality objective regarding differences of professional judgment. The final standard clarifies that point. c. Engagement Documentation (QC 1000.42.d) This proposed quality objective did not draw significant comment and the Board adopted as proposed. AS 1215 contains the general requirements for the documentation the auditor should prepare and retain in connection with engagements. 17 CFR 210.2–06 also addresses documentation retention requirements.244 The quality 244 17 CFR 210.2–06. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 objective regarding engagement documentation in proposed QC 1000 is meant to drive firms to focus on compliance with these requirements. 2. Appendix K Requirements Existing PCAOB standards (referred to as Appendix K requirements) require SECPS member firms that are associated with international firms or networks to seek adoption of policies and procedures by their associated international firms or network regarding filing reviews, inspection procedures, and disagreements between the engagement partner and the reviewer.245 As noted in the proposal, the Board believes that the purposes originally intended to be served by Appendix K have either been eliminated (through the elimination of the U.S. GAAP reconciliation) or otherwise addressed (through requirements for engagement quality review). Accordingly, the Board proposed to not retain requirements like those in Appendix K. The proposal asked whether the PCAOB should eliminate Appendix K and rely exclusively on a risk-based approach. Commenters had mixed views regarding the retention of Appendix K requirements. Some commenters supported the elimination of Appendix K requirements and reliance on a risk-based approach. Other commenters asserted that the Appendix K requirements are beneficial and should be retained or made even more prescriptive. The Board believes it unnecessary to retain the Appendix K requirements because under the riskbased approach, firms will have to assess and respond to quality risks including, if applicable, a relative lack of experience in performing engagements under U.S. professional and legal requirements. Some commenters expressed concern that in a risk-based approach, a person performing a limited review function similar to the current Appendix K reviewer would be considered part of the engagement team, while another commenter requested clarification that such a reviewer would not necessarily be a member of the engagement team. Under QC 1000, the firm’s assessment of quality risks will determine the nature and extent, if any, of additional resources or reviews that would need to be performed over engagements to 245 See SECPS 1000.08(n) (cross-referencing the objectives set forth in Appendix K, SECPS 1000.45). The types of SEC filings subject to review under Appendix K are registration statements, annual reports on Form 20–F and Form 10–K, and other filings that include or incorporate the foreign associated firm’s audit report on the financial statements of an SEC registrant. PO 00000 Frm 00059 Fmt 4701 Sfmt 4703 49645 ensure compliance with PCAOB and SEC requirements. In some circumstances, the response might involve adding one or more additional members to the engagement team. In other circumstances, the response might involve resources that would not constitute members of the engagement team because they perform a contemporaneous quality control function and do not perform audit procedures or help plan or supervise the audit work.246 One commenter expressed concern that reviewers’ firms would be considered ‘‘other accounting firms’’ and reviewers’ hours would be included for purposes of Form AP filings. Specific to Form AP filing requirements, firms should review the Note to Item 3.2 of the Form AP Instructions regarding the reporting of other accounting firms.247 3. Current PCAOB Standards Under current QC standards, engagement performance covers all phases of the design and execution of the engagement, and engagement quality reviews.248 QC 20 contains general requirements regarding engagement performance, including planning, performing, supervising, reviewing, documenting, and communicating the results of each engagement; referring to authoritative literature; and consulting with qualified individuals when appropriate. QC 20 provides that policies and procedures should be established to provide reasonable assurance that the engagement is performed in accordance with applicable professional standards. QC 1000 retains these concepts from the extant standards. As discussed above, QC 1000 does not contain provisions similar to the Appendix K requirements that currently apply to former SECPS member firms. Resources This component addresses the firm’s responsibilities for obtaining, developing, using, maintaining, allocating, and assigning resources— including people, financial, technological, and intellectual resources—to enable the design, implementation, and operation of the firm’s QC system and the performance of its engagements. 246 See PCAOB Rel. No. 2022–002 at A4–5. id. at A3–19. 248 See QC 20.18. 247 See E:\FR\FM\11JNN2.SGM 11JNN2 49646 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices 1. QC 1000 khammond on DSKJM1Z7X2PROD with NOTICES2 a. Resources Quality Objectives (QC 1000.44) The proposal asked if the Board’s proposed quality objectives for resources were appropriate. Commenters that responded to this question generally supported the quality objectives. One commenter suggested that the risks associated with the resources component are greater and that a prescriptive approach would be warranted. The Board believes the combination of quality objectives and specified quality responses appropriately provides for scalability and prescriptiveness. Under QC 1000, a firm is required to establish quality objectives for the resources component in several different areas: • People; • Technological resources; • Intellectual resources; and • Resources from a network or thirdparty provider. i. People (QC 1000.44.a–.g) The quality objectives in QC 1000.44.a–.b are similar to the personnel management element of quality control addressed in QC 20 and QC 40, and the Board adopted them as proposed with one change. The proposed standard included a note that describes what competence comprises—knowledge, skill, and ability—which is derived from QC 40.04.249 Two commenters suggested deleting the last sentence in the note, which as proposed stated that ‘‘The measure of competence is qualitative rather than quantitative . . .,’’ on the basis that it would discourage the use of quantitative performance metrics. The Board believes that QC 40 should be understood as saying, not that quantitative measures are wholly irrelevant, but that competence is not measured exclusively on a quantitative basis because quantitative measurement alone may not accurately reflect the nature of experience gained over time. The note in the final standard has been revised to clarify that competence can be measured both qualitatively and quantitatively. These two quality objectives work together in addressing competence from the perspective of both the firm and individual. The firm and its personnel have responsibilities for developing and maintaining competence that will support the operation of the firm’s QC 249 See QC 40.04 (competencies are not measured by periods of time because such quantitative measurement may not accurately reflect the kinds of experiences gained in any given time period). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 system and the performance of the firm’s engagements in accordance with applicable professional and legal requirements and the firm’s policies and procedures. Understanding the competence needed to carry out responsibilities for the operation of the firm’s QC system and the performance of the firm’s engagements assists a firm in identifying its personnel needs. This understanding also assists a firm in identifying areas for personnel development. Competence can be developed through an appropriate combination of education, professional experience in accounting and auditing with proper supervision, and training such as CPE. A commitment to quality can be demonstrated through a person’s actions and behaviors, including consistent adherence to firm policies and procedures, demonstrating key professional attributes like objectivity, integrity, and due professional care, and taking the initiative to develop and maintain competence. Conversely, a lack of commitment to quality can be seen through actions and behaviors such as inconsistent compliance with professional standards, cheating on professional development and compliance exams, or a ‘‘check the box’’ approach to professional development. The quality objectives in QC 1000.44.c–.e address the assignment of firm personnel and individuals who are other participants, in the firm’s engagements, QC roles, and other firms’ engagements. As discussed previously, the firm’s people resources may include firm personnel (generally, employees of the firm) or resources from outside the firm (other participants). For example, EQRs or personnel at service centers may be considered either firm personnel (if employed by the firm or functioning as firm employees) or other participants (if contracted by the firm).250 One commenter was concerned that the inclusion of other participants in the firm’s QC system may create crossjurisdictional legal issues, such as employment information that may be protected by privacy laws. The Board believes it is important for the QC system to assess the competence of other participants, which may include having policies and procedures on what to do if the firm is unable to make such assessment due to legal issues. One commenter mentioned that the responsibilities related to the use of specialists engaged by the firm, other auditors, and internal auditors providing direct assistance are addressed in existing auditing standards 250 See PO 00000 QC 1000.A5 and .A7. Frm 00060 Fmt 4701 Sfmt 4703 as engagement team responsibilities and are not needed within this quality objective. While it is acknowledged that there are auditing standards that address those topics at the engagement level, the quality objectives relate to the firm’s processes for assigning the appropriate individuals to engagements and QC activities. One commenter emphasized the need for firm resources to have time to fulfill their assigned responsibilities. Another commenter suggested a prescriptive approach to human capital management, including monitoring assignments and time requirements, utilization, and engagements with high turnover and workloads. Given the wide range of firms based on their size, scope, and nature of practice, the Board does not believe prescriptive requirements in this area are appropriate. The Board clarified paragraphs .44c and .44e by adding ‘‘needed’’ to the quality objective to increase the focus on sufficient competency, objectivity, time, and when appropriate, the authority needed to fulfill their assigned responsibilities. The PCAOB has also separately proposed new reporting requirements regarding firm and engagement metrics that, if adopted by the Board and approved by the SEC, would enhance transparency about, among other things, firms’ human capital management.251 The quality objectives focus on three key aspects of the ability to fulfill the assigned role: competence, objectivity, and time. Individuals need to have competence to fulfill their assigned roles in accordance with applicable professional and legal requirements and the firm’s policies and procedures. As previously discussed, both the individual and the firm play a part in developing a person’s competence. The ability to maintain objectivity is essential to performing QC activities or engagements; a lack of objectivity may, for instance, create an unconscious bias that directly affects quality. Individuals’ ability to devote appropriate time to their assignments also affects quality. In addition to the competence, objectivity, and time needed to perform engagement and QC activities, individuals need to have the requisite authority to perform effectively. In the context of engagement activities, the auditing standards already provide authority structures with respect to, for example, supervision and the responsibilities of the engagement partner, and those standards are augmented by firm policies on matters such as consultation. For QC activities, 251 See E:\FR\FM\11JNN2.SGM PCAOB Rel. No. 2024–002. 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices the need for appropriate authority is specified in the quality objective. The QC 1000.44.f quality objective to comply with the firm’s policies and procedures did not attract comment and was adopted as proposed. This quality objective is based on a concept embedded in QC 20: that firm personnel should adhere to the firm’s own standards of quality. The Board believes that this should remain among the firm’s objectives, and also that it would play an important role in the operation of the QC system under QC 1000. The firm’s QC-related policies and procedures are essential to the proper functioning of an effective QC system. By definition, those policies and procedures are the ‘‘quality responses’’ the firm has designed and implemented to address quality risks. Firm personnel need to understand those policies and procedures and operate in compliance with them in order for the QC system to operate as designed and achieve its objectives. Additionally, firm personnel need to understand and comply with firm policies and procedures in order for the firm’s work on its own engagements and other firms’ engagements to be performed appropriately. Evaluations help support and promote the continuous development of the competence of firm personnel. Some commenters, generally investor-related groups, suggested the standard address incentives in partner compensation relative to quality control systems and weight it at least as much as revenue growth. After considering comments, the Board revised paragraph .44g to add ‘‘including through compensation plans and decisions in which quality considerations play a critical part.’’ The Board believes this change will prompt firms to appropriately weight quality concerns in their organization-wide compensation plans and individual compensation decisions. The Board believes his change, along with the change to the quality objective in paragraph .25b, should result in firms giving appropriate weight to quality in compensation plans and decisions regarding performance for both firm leadership and firm personnel. The quality objective contemplates that evaluations should be performed at least annually. Many firms currently utilize an annual performance review process in order to facilitate such evaluations. A firm may have multiple quality responses to address the quality risks associated with the different types of firm personnel. For example, nonemployee contractors and consultants, who work under the firm’s supervision VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 or direction and control and are considered firm personnel, may be evaluated through the contracting process to determine whether the firm should retain them. The quality objective does not specify the format of or approach to periodic evaluations. The quality objective in QC 1000.44.g, which refers to accountability and incentives, is principles-based, and firms will be able to design and implement incentive systems based upon their nature and circumstances. The ‘‘appropriate standards of conduct’’ identified in the quality objective include fulfilling engagement and QC responsibilities with competence, integrity, objectivity, and due professional care and complying with applicable professional and legal requirements and the firm’s policies and procedures, as described in paragraph .46 of the standard. ii. Technological Resources (QC 1000.44.h) Technological resources cover many aspects that collectively comprise a firm’s technological environment, including information technology applications, infrastructure, and processes (e.g., firm processes to manage access to the IT environment, program changes, changes to the IT environment, or IT operations). Technological resources may be developed by the firm or obtained, for example, from the firm’s network or a third-party provider. The nature and extent of the use of technological resources differs across firms. For example, some audit firms are making significant investments in technological resources and expanding their use of technology-based audit tools, such as software used to perform data analytics or to access information from a distributed ledger. Some technology facilitates the operation of firms’ QC systems, such as monitoring individual financial investments for purposes of compliance with independence rules. The availability of ‘‘off-the-shelf’’ technological resources continues to evolve, leading to an increase in firms of all sizes employing technology to assist in operating their QC systems or planning and performing engagements. The quality objective in QC 1000.44.h highlights that the proper use of technological resources, in a manner that enables the operation of the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements and the firm’s policies and procedures, is the firm’s responsibility. The proposal asked if the quality objective and specified quality PO 00000 Frm 00061 Fmt 4701 Sfmt 4703 49647 responses related to technological resources provide sufficient direction to enable the appropriate use of emerging technologies. Commenters that addressed this question, generally firms, indicated the proposed quality objectives and specified quality responses provide sufficient direction. One commenter suggested that the standard does not create incentives to use technology to improve audit quality. The technology environment is dynamic, and firms’ use of technological resources will likely continue to evolve in the future. The Board believes that principles-based standards are more adaptable to future developments, less likely to become obsolete, and less likely to discourage the use of emerging technologies. As a result, QC 1000 does not include any prescriptive requirements related to how firms address emerging technology. Instead, it includes a risk factor to prompt consideration of technology as part of the firm’s risk assessment process.252 Separately, the Board has proposed certain amendments to PCAOB auditing standards that address certain aspects of designing and performing audit procedures using technology-assisted data analysis of information in electronic format.253 The Board adopted the technological resources quality objective as proposed. The Board believes the risk-based approach creates incentives for firms to obtain or develop, implement, maintain, and use technological resources throughout the firm based on the size and nature of the firm. iii. Intellectual Resources (QC 1000.44.i) The quality objective in QC 1000.44.i related to intellectual resources did not attract comment and was adopted substantially as proposed. The Board revised the note to add ‘‘to enable the operation of the firm’s QC system,’’ consistent with the quality objective. Intellectual resources generally include the information the firm uses to promote consistency in the execution of the firm’s QC system and the performance of engagements. Intellectual resources may be made available through a variety of media, including via written manuals or technological resources (e.g., the firm’s methodology may be embedded in the information technology application that enables the operation of the firm’s QC 252 See paragraph .20a.(1)(e) and Appendix B paragraph .B6 of QC 1000. 253 See Proposed Amendments Related to Aspects of Designing and Performing Audit Procedures that Involve Technology-Assisted Analysis of Information in Electronic Form, PCAOB Rel. No. 2023–004 (June 26, 2023). E:\FR\FM\11JNN2.SGM 11JNN2 49648 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 system and facilitates the performance of the engagement). Intellectual resources may be obtained or developed internally, or acquired externally (for example, a commercially available audit or QC methodology or a subscription data feed). Regardless of how intellectual resources are acquired, the firm remains responsible for ensuring they are fit for purpose and properly implementing and maintaining them. For example, if a firm acquired its QC methodology from a vendor, the firm is responsible for choosing a methodology and implementing it (including appropriately identifying risks and designing, implementing, and operating appropriate responses) in a way that enabled the firm’s engagements to be properly performed and the firm’s QC system to operate in accordance with QC 1000. If a firm developed methodology to direct the performance of its engagements in accordance with applicable professional and legal requirements, and a new auditing standard were issued after that methodology was implemented by the firm, the methodology would need to be updated to properly address the applicable professional and legal requirements. The quality objective related to intellectual resources in the final standard is similar to the technological resources quality objective, as both objectives relate to resources enabling the operation of the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements and the firm’s policies and procedures. iv. Resources From a Network or ThirdParty Provider (QC 1000.44.j) In some circumstances, the firm may use resources provided by a network or a third-party provider. Such resources may include methodologies, applications, and tools used in the firm’s QC system or the performance of its engagements. The proposal included a quality objective in QC 1000.44.j related to the resources provided by a network or a third-party provider. One commenter requested the objective be broken into two quality objectives, as a firm’s approach to each of these groups may be significantly different. The Board agrees that a firm’s approach to resources provided by the network may be different from resources provided by a third-party provider, and that the approach to different types of thirdparty providers could also vary. But the Board does not believe that such differences compel separate quality objectives. A firm may identify multiple VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 quality risks and develop multiple quality responses related to a single quality objective. For example, a firm may use multiple third-party providers for a variety of different resources, such as an audit methodology provider or a confirmation intermediary. If these different types of third-party providers or resources present different risks, the firm would be required to develop different quality responses. In that scenario, the firm could have different policies and procedures applicable to different types of third-party providers and/or different types of resources. A firm that is not affiliated with a network is not required to establish a quality objective related to network-provided resources and therefore would not identify quality risks or related quality responses. Notwithstanding that a firm may use resources from a network or a thirdparty provider, the firm remains responsible for the use of these resources in the QC system and performance of its engagements. Consideration of the nature of the resources provided by the network or third-party providers, how and to what extent the resources will be used, and the general characteristics of the thirdparty provider will assist the firm in determining whether it needs to supplement or adapt such resources. For example, the firm may obtain its methodology from a third-party provider under an arrangement whereby the third-party provider agrees to update the methodology when new standards are issued. In this scenario, the firm remains responsible for verifying that such changes are incorporated into the methodology and supplementing the methodology if such changes are not made, so that the firm’s resources support its performance of compliant engagements. As another example, the firm may obtain a service from a thirdparty provider that provides a System and Organization Controls 1 (SOC 1) report. The firm would be responsible for verifying that the controls are designed effectively at the third-party provider and for designing and implementing any complementary user entity controls identified in the report. The firm is also responsible for taking any necessary actions in using a resource from a network or third-party provider to enable the resource to function effectively. For example, the network or third-party provider may need information related to the firm’s restricted entities so that it can facilitate independence confirmations. In addition, if the firm discovered a problem with the design or operation of the resource, it may need to PO 00000 Frm 00062 Fmt 4701 Sfmt 4703 communicate such problems to the network or third-party provider so that the resource can effectively operate. b. Resources Specified Quality Responses (QC 1000.45–.51) The proposal asked if the specified quality responses for resources were appropriate. Two commenters that addressed this question supported the specified quality responses. Two other commenters objected that the specified quality responses were too prescriptive and suggested they be rewritten as riskbased quality objectives. One commenter stated that certain of these requirements relate closely to auditing standards and requested clarity on how QC 1000 is intended to interact with engagement-related auditing standards. QC 1000 focuses on firmlevel controls over compliance with auditing standards, including those related to engagement performance. The Board adopted the specified quality responses as proposed, with one modification suggested by commenters. These specified quality responses carry provisions from the PCAOB’s existing QC standards into QC 1000 or establish firm-level requirements that align with existing engagement-level requirements. They also include new requirements that the Board believes are important to a firm’s QC system. The specified quality response related to appropriate standards of conduct did not attract comment and was adopted as proposed. The reference to ‘‘appropriate standards of conduct’’ reflects a number of concepts in existing PCAOB standards, including: • Fulfilling responsibilities with professional competence; 254 • Integrity and objectivity; 255 • Due professional care (including the exercise of professional skepticism); 256 and • Complying with applicable professional and legal requirements and the firm’s policies and procedures.257 Firm personnel are individually responsible for complying with the firm’s standards of conduct, and the firm’s policies and procedures around these standards of conduct are intended to result in firm personnel being held accountable for their behavior and actions. This includes evaluating firm personnel’s adherence to such standards 254 See, e.g., QC 20.13a, .13b, and .15a. e.g., QC 20.10. 256 The general principles and responsibilities of the auditor when conducting an audit, including professional skepticism and due professional care, are being reaffirmed and combined in AS 1000, as adopted. See Auditor Responsibilities Release. 257 See, e.g., QC 20.03. 255 See, E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices of conduct, addressing deviations, and holding personnel accountable for fulfilling their engagement and QC responsibilities, including through the firm’s incentive system. The Board believes the standards of conduct included in this specified quality response are foundational to fulfilling not only engagement responsibilities, but also QC responsibilities. QC 40 addresses requirements regarding the competencies of engagement partners and, by extension, EQRs.258 The proposed standard, in QC 1000.47, required that firms’ QC policies and procedures address certain enumerated competencies, as well as other competencies as necessary in the circumstances. Some commenters suggested that the competencies identified in proposed paragraph .47a-h be moved to a quality objective or staff guidance and argued that they were redundant to the auditing standards. The Board believes that the competencies in paragraph .47 are applicable to all firms and accordingly are appropriate as specified quality responses. One commenter asked for clarification of the expectation of ‘‘including an understanding of’’ and suggested that the standard include consideration of ‘‘other competencies as necessary in the circumstances,’’ consistent with QC 40.08. The Board believes that auditors should be familiar with the concept of obtaining an understanding, and note that the construct of QC 40 is a restrictive list whereas the list of competencies in this requirement is identified as ‘‘including’’ and not intended to be comprehensive, so the Board does not believe a reference to other competencies is necessary. One commenter indicated that the firm would not be in a position to impose the specific requirements in paragraph .47 on individuals that are not part of the firm. The Board has narrowed the requirement to apply only to firm personnel, rather than ‘‘others participating in an engagement,’’ as proposed. It is noted, however, that other quality objectives, such as those in paragraphs .44c and .44e, continue to apply with respect to individuals outside of the firm as well as firm personnel. As discussed in more detail above in the Acceptance and Continuance of Engagements discussion, the Board also revised ‘‘client’’ to ‘‘company’’ in paragraph .47. Paragraph .47 of QC 1000 both expands the required competencies for engagement partners and requires certain competencies for other firm 258 See, e.g., QC 40.08; AS 1220.05. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 personnel in engagement roles commensurate with their responsibilities. This includes applying existing requirements for engagement partners—an understanding of, among other things, the importance of exercising sound judgment, the role of the firm’s QC system in the performance of engagements, and the industry in which the company operates—to everyone in an engagement role, at a level commensurate with their responsibilities. To reflect changes in the environment since the existing QC standards were issued, the Board required competencies related to understanding the subject matter of attestation engagements, the internal control framework and technology used by the company, and the technological and intellectual resources used in performing engagement procedures. Regarding technological and intellectual resources, the Board required an understanding of how and whether it is appropriate to use these resources in performing the engagement. This specified quality response does not imply that the engagement partner or other firm personnel participating on an engagement need to be knowledgeable about how such resources are developed. QC 20 provides that policies and procedures are required to be established to provide the firm with reasonable assurance that personnel participate in CPE and other professional development activities that enable them to fulfill responsibilities assigned and satisfy applicable CPE requirements.259 In addition, SECPS member requirements provide that member firms are required to ensure that (1) all professionals in the firm residing in the United States, including CPAs and non-CPAs, participate in at least 20 hours of qualifying CPE every year and at least 120 hours every three years and (2) professionals who devote at least 25 percent of their time to performing audit, review or other attest engagements, or who have the partneror manager-level responsibility for the overall supervision or review of any such engagements, must obtain at least 40 percent (eight hours in any one year and 48 hours every three years) of their required CPE in subjects relating to accounting and auditing.260 259 See QC 20.13; QC 40.02, .05. SECPS 1000.08(d), 8000. The SECPS member requirements provide that ‘‘accounting and auditing subjects’’ should be broadly interpreted, and include, for example, subjects relating to the business or economic environments of the entities to which the professional is assigned. 260 See PO 00000 Frm 00063 Fmt 4701 Sfmt 4703 49649 Through the PCAOB’s oversight activities, the Board has observed situations where a lack of understanding of professional standards appears to have contributed to audit deficiencies. These problems have been observed in domestic firms and international firms, including firms that were not SECPS members. One commenter requested the standard set out more specific requirements with respect to training, identify areas or categories that must be regularly addressed, and not eliminate the CPE obligation in the existing standard. Another commenter requested the standard include minimum requirements related to training of audit staff. The Board believes it is important for firms to provide training focused on areas where firm personnel need to develop or maintain their competence so that they may fulfill their QC and engagement roles. If the Board were to set specific requirements with respect to training, firms may not evolve their training over time to respond to changes in the firm or in the needs of firm personnel. The Board maintained the principles-based approach to training. Under the specified quality response in QC 1000.48, the firm is required to provide training, including training on applicable professional and legal requirements, that is mandatory for all firm personnel on an annual basis. This specified quality response provides firms the ability to determine the type and extent of training necessary based on their personnel and the nature and circumstances of the firm and its engagements. For example, a firm may determine that training is necessary on a wide array of topics for a certain level of staff within the firm. Another firm may determine that training is necessary for one or more staff in a certain area due to a new engagement or as a result of an area of development identified as part of a performance evaluation. A firm may also decide that it is necessary to repeat training as a periodic reminder of existing requirements, such as those relating to internal control over financial reporting. Ultimately, the type and extent of training should be directed at whatever is necessary to enable firm personnel to fulfill their assigned QC and engagement roles in accordance with applicable professional and legal requirements and the firm’s policies and procedures. This specified quality response in QC 1000.49 did not attract comment and was adopted as proposed. This specified quality response relates to the quality objective in paragraph .44g., which provides that firm personnel are evaluated at least E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49650 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices annually, incentivized to fulfill their assigned responsibilities and adhere to appropriate standards of conduct, including through compensation plans and performance decisions regarding performance that appropriately prioritize quality considerations, and held accountable for their actions and failures to act. Specific to the individuals assigned ultimate responsibility and accountability for the QC system as a whole and operational responsibility and accountability for the QC system as a whole, the firm’s periodic performance evaluations of these individuals are required to take into account the results of the firm’s evaluation of its QC system.261 A firm will be able to determine its approach to comply with this specified quality response. For example, the firm may set targets and measure the outcome of the evaluation of the QC system against those targets. As another example, the firm may consider the individual’s actions taken in response to identified QC deficiencies or major QC deficiencies, including the timeliness and effectiveness of such actions. The periodic performance evaluation of these individuals may be informal in a less complex firm or undertaken by a special committee in a more complex firm. No comments were received on the specified quality response in QC 1000.50 and it was adopted as proposed. Laws or regulations may establish requirements for the professional licensing or other qualifications of the firm and firm personnel. Under this specified quality response, the firm is required to have policies and procedures regarding licensure such that the firm and firm personnel hold the required licenses or qualifications. The policies and procedures address such matters as (1) the jurisdiction(s) where firm and firm personnel are required to hold licenses or other qualifications, and (2) whether the firm and such firm personnel comply with the jurisdictions’ requirements. The quality objective in paragraph .44h. provides that technological resources are obtained or developed, implemented, maintained, and used to enable the firm’s QC system and the performance of its engagements. As part of the firm’s quality response to this quality objective, the firm’s technological resources should also have the characteristics described in paragraph .51. One commenter stated 261 Evaluation of a firm’s QC system is addressed in paragraphs .77–.78 of QC 1000 and discussed below. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 that the quality objective in proposed paragraph .44h is sufficient and this specified quality response should be removed. The Board believes the firm’s policies and procedures should address its technological resources having the capacity (resource requirements for the necessary output), integrity (guarding against improper information modification), resiliency (ability to operate and recover under adverse conditions), availability (ensuring timely and reliable access to and use of information), reliability (ability to function consistently), and security (protection against intentional subversion).262 These characteristics enable the ongoing operation of the firm’s QC system and performance of its engagements. The Board believes this specified quality response provides additional direction and has retained it in the final standard. Also related to technology, the proposal asked if the standard should include a specified quality response that would require the use of technological resources by the firm to respond to the risks related to the use of certain technology by the companies for which the firm performs engagements. Several commenters did not support inclusion of such a specified quality response. One commenter requested a requirement to design and implement controls to prevent unauthorized access to data and technology. The Board did not make any changes or additions to the quality objective or specified quality responses related to technological resources because it believes the more general provisions appropriately address this issue, and more specific provisions are at risk of quickly becoming outdated as technology evolves. performance of the firm’s engagements, and for communicating information within the firm and to external parties.265 As discussed in more detail below, the Board made some changes in response to commenter input but adopted most provisions as proposed. 1. QC 1000 Information and Communication This component addresses the firm’s processes for obtaining, generating, sharing, and using information to enable the design, implementation, and operation of the QC system and the The information and communication area of the firm’s operations serves the critical function of generating, gathering, and disseminating the information needed for the firm, including the QC system, to function. The process of determining information needs is iterative and ongoing; as the nature and circumstances of the firm change, information needs also change. The information and communication component of the QC system operates over this area of the firm’s operations. One firm suggested that the information and communication component refer to ‘‘relevant and reliable’’ information to convey that not all information is intended to be obtained and disseminated to the relevant individuals or roles. The firm disagreed that relevance and reliability is implied within the context of the proposed requirements, and argued that the term ‘‘information’’ needs parameters and qualifying language to provide boundaries to the vast amount of information that exists or could be created in the context of a firm’s QC system. The firm further argued that without appropriate qualifiers, the breadth of information to be considered and/or communicated within a QC system will inhibit firm leaders from identifying and focusing on information most relevant to the successful operation of the QC system. As discussed in the proposal, in determining specific information to be communicated to firm personnel, including the nature and extent of such communication, the firm may consider the type of information that is relevant to the recipients given their roles and responsibilities within the firm. The Board continues to believe that information would have to be relevant and reliable to support the operation of the firm’s QC system and the performance of the firm’s engagements in accordance with applicable professional and legal requirements, so that a reference in the standard to ‘‘relevant and reliable’’ information is unnecessary. 262 See, National Institute of Standards and Technology Glossary, available at https:// csrc.nist.gov/glossary. 263 See QC 20.13 and .22. 264 See SECPS 1000.46 (requirement 4). 265 Other aspects of the standard also include specific provisions regarding communication (see, e.g., paragraphs 16–.17 in Roles and Responsibilities, and paragraphs .31 and .35 in Ethics and Independence). 2. Current PCAOB Standards QC 1000 largely covers the same areas addressed in QC 20 and QC 40 for personnel management and assignment of responsibilities.263 Existing PCAOB QC standards do not provide specific direction on the use of intellectual resources or technological resources, except for one application regarding independence.264 PO 00000 Frm 00064 Fmt 4701 Sfmt 4703 E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices a. Information and Communication Quality Objectives The standard requires the firm to establish a number of quality objectives for the information and communication component. These objectives are discussed in more detail below. One firm commented that, as the proposed quality objectives for information and communication are broadly consistent with other jurisdictional and international quality control/ management standards, they are appropriate, and no further changes are needed. khammond on DSKJM1Z7X2PROD with NOTICES2 i. Identifying, Capturing, Processing, and Maintaining Information (QC 1000.53.a) Identifying, capturing, processing, and maintaining information is an ongoing process necessary to support the firm’s QC activities and the performance of its engagements in accordance with applicable professional and legal requirements. Information systems vary from firm to firm and encompass various sets of activities involving people, processes, data, or technology, or some combination thereof. Some firms’ information systems may be heavily reliant on IT aspects while other information systems may require more manual intervention. Firms are able to determine the type of information systems necessary to achieve their quality objectives. One commenter suggested that the information and communication component could be enriched by explicitly integrating academic audit and accounting studies as a vital source of information to be used by firms to inform their QC system. The Board believes that the quality objectives within the information and communication component sufficiently establish the desired outcomes for the identification of external information to support the operation of the firm’s QC system. A firm may determine that the conclusions of certain academic studies inform the design or operation of its QC system. Furthermore, depending on the nature and circumstances of the firm and its engagements, the firm may consider any applicable academic studies in the firm’s risk assessment process as it obtains an understanding of the conditions, events, and activities that may adversely affect the achievement of its quality objectives. The requirement was adopted as proposed. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 ii. Exchange of Information (QC 1000.53.b–.c) Information is essential to firm personnel being able to understand and fulfill their responsibilities relating to the QC system and the performance of the firm’s engagements. For example, through the Board’s oversight activities, it observed improved audit quality when there was regular, consistent communication among members of the engagement team.266 The quality objective prompts firms to tailor the nature, timing, and extent of information communicated based on firm personnel’s responsibilities, including those related to the firm’s policies and procedures. Communication is generally an ongoing process that involves all firm personnel. For example, the firm communicates information to engagement teams, such as information obtained during the firm’s acceptance and continuance process that is relevant in performing the engagement. Engagement teams also communicate information to the firm—for example, information about the company obtained during engagement performance that may assist the firm when evaluating whether to continue the engagement. Two-way communication may also occur among firm personnel. For example, firm personnel performing engagements may exchange information directly with firm personnel performing activities within the firm’s QC system, such as information to facilitate compliance with the firm’s independence policies and procedures. The standard emphasizes the need for two-way communication within the firm and the responsibility of all firm personnel to communicate information. One commenter addressed the quality objectives set out in paragraphs .53b.– .53c. of the proposed standard related to the timely exchange of information between firm personnel and leadership, including those with responsibilities for the firm’s QC system. The commenter recommended that the final release clarify that the firm’s policies and procedures assist in promoting communication such that the appropriate individuals with responsibilities over the firm’s QC system become aware of relevant matters in a timely manner, as appropriate for the size and the scale of the firm and relative nature of the matter. As discussed above, the Board believes timely communication and action should be sufficiently prompt to 266 See, e.g., 2019 Inspection Observations Preview at 5. PO 00000 Frm 00065 Fmt 4701 Sfmt 4703 49651 achieve its objective and that timeliness is a function of the nature and significance of the issue. These requirements were adopted as proposed. iii. External Parties (QC 1000.53.d–.e) There are many circumstances in which firms communicate information about themselves and their performance to external parties. Some external communications are required by law or regulation, such as the transparency reporting that is required in some jurisdictions, and others are made by firms voluntarily, for example, in connection with marketing or recruitment efforts. The standard requires the firm to establish a quality objective that addresses communications to external parties in accordance with applicable professional and legal requirements. This quality objective focuses firms on providing the necessary communications to external parties when required. Among other things, this objective (paragraph .53d.) covers the completeness, accuracy, and timeliness of a firm’s existing annual and periodic reporting to the PCAOB (i.e., Forms 2 and 3, Form AP, and Form QC). It would also cover reporting under the Board’s proposed revised reporting requirements and metrics requirements 267 if those are ultimately adopted by the Board and approved by the SEC. An investor expressed concern with the absence of references to investors or the public from the examples of external parties, and further commented that the proposal makes no mention of the role of quality control with respect to critical audit matters. This provision relates to communications to external parties that are required under applicable professional and legal requirements. Under current requirements, the only required communication from the audit firm to investors is the audit report. Audit reporting is part of engagement performance, is covered by a separate quality objective relating to engagement performance,268 and is not addressed by this quality objective. To the extent that a communication to a regulator is ultimately available to the public (as is the case with, for example, various forms filed with the PCAOB), such communications would be covered by this quality objective, thus providing 267 See PCAOB Rel. No. 2024–002. paragraph .42a.(3): ‘‘Responsibilities are understood and fulfilled . . ., including, as applicable . . . Responsibilities for reporting and other communications with respect to the engagement.’’ 268 See E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49652 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices downstream benefits for investors and the public. A firm recommended that the scope of the requirement be limited to information or communications regarding a firm’s audit practice and engagements performed in accordance with PCAOB standards. As discussed in more detail above, the definition of applicable professional and legal requirements in the final rule has been more narrowly tailored to address engagements, as defined in QC 1000, and the QC system itself. The Board believes this change addresses the commenter’s concern about the possible overbreadth of the quality objective, and the Board adopted it as proposed. The PCAOB also observed that some firms make public communications about firm-level or engagement-level information, such as firm metrics and financial data. For example, some firms publish transparency or audit quality reports, either voluntarily or in response to the requirements of other jurisdictions, that contain data such as: • Revenue breakdown by service line, by year, or by geographic segment; • Professional staff ratios; • Staff turnover ratios; • Average training hours per professional; and • Partner workload. In addition to transparency or audit quality reports, firms may communicate these data via web pages or other media, such as promotional publications, social media, interviews, or presentations via webcast or video. Furthermore, if adopted, the Firm and Engagement Metrics proposal will require firms to publicly report certain metrics relating to their audits and their audit practices. Regardless of the form of communication and the type of information presented, the Board believes that firms’ QC systems should address the integrity of firms’ external communications about themselves and the performance of their engagements. Such information can influence the views of relevant stakeholders, including audit committees determining whether to engage or retain an auditor and investors determining whether to ratify such an appointment. The proposed standard contemplated that the firm would establish a specific quality objective that firm-level or engagement-level information communicated externally is accurate and not misleading and, with respect to any performance metrics, that the communication explains in reasonable detail how the metrics were determined and, if applicable, how the metrics or the method of determining them changed since performance metrics VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 were last communicated. The Board’s view is that a specific quality objective in this area will prompt firms to implement targeted policies and procedures that address, for example, the quality and consistency of data and the need for context or explanation. This in turn will improve the informativeness, reliability, and comparability of such communications and avoid misleading the intended audience. Several commenters, including firms and related groups, broadly supported the quality objectives or agreed that it is important to address communications to stakeholders about a firm’s or engagement’s performance, and that such communications should be accurate and not misleading. However, many of the commenters on this topic raised concerns with regard to the proposed quality objective addressing the firm’s external communications relating to metrics. Several commenters suggested that additional clarification be provided on the metrics and communications that are in scope for the quality objective. Some commenters recommended that the scope of the requirement be limited to metrics related to audit quality that are required to be communicated under applicable professional, legal, or other regulatory requirements and are communicated publicly. One firm recommended that the scope of metrics be limited to those related to the effectiveness of the firm’s QC system or audit quality, and that the scope of the communications be limited to ‘‘formal’’ external reporting such as audit quality reports, transparency reports, communications with audit committees, and other published reports. Another firm recommended that the external communications in scope for the objective should be limited to communications externally about audit quality and should not extend to other external information issued by the firm that is not specifically related to audit quality such as marketing communications or recruiting information. The firm further argued that this limitation on scope to only audit-quality-related external communications should also apply to the communication of how metrics were determined and explanations of year-onyear changes. Another firm recommended that the scope be limited to information or communications regarding a firm’s audit practice and engagements performed in accordance with PCAOB standards. One firm expressed concern regarding firms’ ability to design and implement quality responses to address the risk of PO 00000 Frm 00066 Fmt 4701 Sfmt 4703 every type and form of information communicated given the broad scope of the requirement. The firm recommended that the scope should be limited to information resulting from and regarding the evaluation of the firm’s QC system, which will allow firms to focus efforts on the information that is most meaningful to stakeholders, which in turn will enhance the reliability of such information. One firm commented that in addition to recommending limiting the quality objective to engagements performed under PCAOB standards that would be subject to the firm’s QC system, it may not be practicable to communicate in reasonable detail how a metric was determined in all situations (e.g., if the metric was provided in a speech). The firm asserted that it should be allowed to present the information about how a metric was determined and, if necessary, how it changed, in a single, publicly available location (e.g., on the firm’s website). One firm commented that the level of disclosure that would be required may create confusion or may not ultimately be necessary, in particular in instances when the metric does not relate to audit quality. Further, the firm stated that the disclosures may conflict with requirements that may apply to registered firms outside of the U.S. Another firm recommended that the words ‘‘explains in reasonable detail how the metrics were determined and, if applicable, how the metrics or the method of determining them changed since performance metrics were last communicated’’ be removed from the quality objective. The firm asserted that this requirement may discourage smaller firms from including many quality metrics in their audit quality, transparency, and similar reports given limited time and resources available to produce their voluntary report. Some commenters, including firms and a related group, recommended that considerations related to metrics in QC 1000 be taken up as part of the PCAOB’s research project on firm and engagement performance metrics. After consideration of the comments received, the Board continues to believe it is appropriate that all firm communications to external parties regarding themselves and their audit practice, in whatever medium, meet the minimum standard of being accurate and not misleading. However, in response to commenters, the Board clarified the quality objective in certain respects. It has clarified that the quality objective is limited to communications regarding the firm’s audit practice, firm personnel, or engagements and removed the word E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices ‘‘performance’’ from the phrase ‘‘performance metrics,’’ to align with the terminology use in the Board’s proposed metrics requirements.269 Additionally, the Board revised the quality objective to provide that only metrics communicated in writing require an explanation of how the metrics were determined and, if applicable, how the method of determining them changed since metrics were last communicated. The Board believes this will address commenter concerns about the feasibility of providing such explanations for metrics communicated orally. In addition, the Board removed the requirement to explain in reasonable detail, if applicable, how the metrics themselves have changed since they were last communicated. The Board believes that requiring an explanation of how the metrics were determined and, if applicable, how the method of determining the metric changed since it was last communicated will enhance the understandability and comparability of the metrics made available to external parties. However, the Board does not believe it to be necessary to require narrative discussion of numeric changes in the metric period over period if there has been no change in the underlying calculation method. These disclosures may be incremental to requirements that could apply to registered firms outside of the U.S., however, the Board does not believe that these requirements will operate in conflict. The Board has observed variation and complexities in how metrics are defined and calculated by firms, as well as changes in the calculation method over time such that it believes this quality objective is necessary to improve the informativeness, reliability, and comparability of such communications and avoid misleading the intended audience. In addition, over 100 unique qualitative disclosures and quantitative audit quality metrics have been observed by the Center for Audit Quality (‘‘CAQ’’) in its analysis of the CAQ’s eight Governing Board firms’ most recent audit quality reports.270 The Board believes this indicates both a demand for and an ability to supply metrics, which further emphasizes the need for consistency and comparability of the metrics. The Board considered whether it would be appropriate to allow for additional disclosures relating to metrics to be presented in a single 269 See PCAOB Rel. No. 2024–002. Audit Quality Reports Analysis: A Year in Review, available at https://www.thecaq.org/aqranalysis-yir/. 270 See VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 public location such as the firm’s website. However, the Board believes that by limiting the requirement to written communications, it has eliminated the concern about how to present such information with respect to an oral communication, and given the importance of the information to the intended audience, that this should be presented in the same written communication as the disclosed metrics. The Board received feedback from a number of commenters, including investors and related groups, criticizing the proposal for failing to include required metrics or audit quality indicators. The Board has proposed a separate standard on firm and engagement metrics 271 and it has addressed these comments in that proposal. iv. Networks (QC 1000.53.f) If the firm belongs to a network, exchange of information between the firm and the network may play an important role in supporting the operation of the firm’s QC system and the performance of its engagements. For example, if the network performs certain monitoring activities relating to the firm’s QC system, the network’s communication of information (e.g., results of its monitoring activities or any changes to its activities from the prior year) may result in the firm adjusting the nature, timing, and extent of its own monitoring activities. On the other hand, the firm may need to communicate to the network when there are changes to the firm’s QC system that may affect the network’s monitoring activities. The Board did not receive comment on the proposed quality objective relating to the exchange of information between a firm and a network and adopted it as proposed. v. Other Participants (QC 1000.53.g–.h) Many firms have increasingly involved parties outside the firm in QC functions, such as independence compliance, and engagement functions, such as performing audit procedures and evaluating audit evidence. Working with other participants can differ from working with individuals within the firm. For example, auditor-engaged specialists 272 may have different professional training and experience 271 See PCAOB Rel. No. 2024–002. 1210, establishes requirements regarding the use of a specialist engaged by the auditor’s firm (‘‘auditor-engaged specialist’’) to assist the auditor in obtaining or evaluating audit evidence with respect to a relevant assertion of a significant account or disclosure. 272 AS PO 00000 Frm 00067 Fmt 4701 Sfmt 4703 49653 and may operate under a different type of QC system, or none at all. Firms may experience differences in local norms and expectations when working with firms based in other jurisdictions. These and other factors give rise to risks in the communication between firm personnel and other participants, including the potential for misunderstandings regarding the audit effort needed to meet the objective of the other participant’s work.273 It is therefore imperative that appropriate communications take place between the firm and other participants to enable the other participants to understand and carry out their responsibilities relating to activities within the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements and the firm’s policies and procedures. The Board broadened the language of the quality objective to clarify that it applies to the use of participants in both the firm QC system and in engagements. For other participants that are firms, the Board proposed that information obtained from the other participants should include the conclusion of the most recent evaluation of its QC system and a brief overview of remedial actions taken and to be taken, as well as a footnote clarifying that the most recent evaluation of the other participant firm’s QC system refers to that firm’s evaluation under paragraph .77 of QC 1000 as of the most recent evaluation date, if such an evaluation was performed, and otherwise to the most recent QC evaluation performed by the other participant firm under any professional standard.274 One commenter stated that audit firms monitor the quality of member firms but have typically been reluctant to share negative information about a member firm, and that requiring transparency in such information would be beneficial. However, several firms and related groups expressed concerns about the impact of having other participant firms share the most recent evaluation of their QC system based on the confidentiality protections set out in Sarbanes-Oxley or other relevant local laws and regulations. Two firms commented that these concerns would be alleviated if the definition of QC deficiency was updated to align with the definition in ISQM 1 and SQMS 1. One firm commented that the proposed quality objective addressing information and communication related to other participants is appropriate, however if 273 See, e.g., PCAOB Rel. No. 2022–002. e.g., ISQM 1 paragraphs .53–.54; and SQMS 1 paragraphs .54–.55. 274 See, E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49654 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices information is to be shared at the deficiency level, the firm is concerned that this would violate the confidentiality provision within Sarbanes-Oxley. Another firm suggested limiting the extent of information shared to only what is necessary for firms to achieve the reasonable assurance objective. This firm agreed with obtaining and considering the other participant firm’s overall conclusion of the most recent evaluation of the QC system, however it argued that this should not include information regarding deficiencies, if any, and remedial actions taken and to be taken. Some commenters argued that firms should be able to take a risk-based approach in determining whether it is necessary to request specific information regarding an other participant firm’s QC system. One firm-related group argued that certain international legislation may be an issue for firms when reporting clients’ or individuals’ personal information. The commenter further expressed concerns that those firms applying QC 1000 fully and reporting thereunder may be selected in preference to those using other standards. Another firm-related group expressed concern that a firm-level QC inspection finding might result in the best firm for the component auditor role being bypassed. The commenter further suggested that guidance is needed for when the evaluation and/or overview of remedial actions is not forthcoming. Some commenters, including firms and a related group, argued practical concerns regarding the application of the requirement to other participants not registered with the PCAOB. One firm commented that, while it is not aware of any legal or regulatory concerns with other participants sharing the most recent evaluation of their QC system, it suggested that the PCAOB state that firms will not violate this requirement if local laws or regulations exist that prevent compliance. After consideration of the comments received, the Board amended the standard to limit the information that should be obtained to only the conclusion of the most recent evaluation of the QC system. The Board believes that this addresses commenter concerns relating to the risk of communicating privileged information. Furthermore, the Board continues to believe that obtaining the communication of the conclusion of the other participant’s most recent evaluation may assist a firm in determining the nature and extent of supervision of the work of other participants or deciding whether other participants are fit to participate in the VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 firm’s engagements, including ensuring that the best firm for the job is not bypassed. If necessary, the firm may discuss the conclusion with the other participant firm to seek to gain a better understanding of the basis for such conclusion. The Board believes that in practically all cases, the firm would be able to obtain the conclusion of the most recent evaluation of the other participant’s QC system. However, if a firm is unable to obtain this (for example, if the other participant has not performed an evaluation, or if local laws forbid them from sharing it), then the firm should assess what other procedures are necessary to achieve the quality objective.275 One firm commented that paragraph 53f. specifically addressed networks, while .53g. addresses other participants, and that it was unclear whether paragraph .53g. also applies to networks given their inclusion in the definition of ‘‘other participants’’ or if the Board intends for paragraph .53g. to apply to any other party defined within ‘‘other participants.’’ Paragraph .53g. applies to firms within a network to the extent that the firm is an other participant, as defined in QC 1000.A7 and discussed in more detail above. Another firm expressed concerns that it may not be able to practically apply paragraph .53g. to all ‘‘other participants.’’ Specifically, the firm requested clarification as to the expectation regarding the extent to which firms design policies and procedures to ensure other participants comply with applicable professional and legal requirements, including bifurcation of participants that are part of the engagement team as compared to participants in the firm’s quality control system. Another firm suggested it would be impractical to suggest that a firm’s QC system can be applied to other participants or that they would explicitly comply with the firm’s policies and procedures as if they were part of the firm. As discussed in more detail above, just because a quality objective or other provision of QC 1000 refers to all types of other participants in the same way, this does not mean that the firm should respond by treating all types of other participants in the same way. The firm’s policies and procedures addressing other participants should differentiate based on the types and roles of other participants to the extent necessary to be responsive to the firm’s quality risks (for example, the firm would have 275 See PO 00000 PCAOB Rule 3101(a)(2). Frm 00068 Fmt 4701 Sfmt 4703 different policies for the use of engaged specialists versus external EQRs). The proposed requirement in paragraph .53.h did not draw comment and was adopted as proposed. The firm may also participate in another firm’s engagement as an other participant. For the same reasons that apply when the firm is issuing the engagement report and using the work of other participants, it is important that there is an appropriate exchange of information in order to enable the firm serving as an other participant to fulfill its role in accordance with applicable professional and legal requirements. d. Information and Communication Specified Quality Responses (QC 1000.55–.56) One firm commented that the proposed specified quality responses for information and communication are appropriate. Other comments that are specific to each specified quality response are discussed below. The requirement in paragraph .55 carries forward an existing requirement from the PCAOB’s QC standards and extends it to cover other participants, not just firm personnel.276 One firm suggested that, as it relates to other participants, the quality objective in paragraph .53g. was sufficient, and the specified quality response was not needed. Another firm commented that it is concerned that expanding the requirement to communicate quality control policies and procedures beyond firm personnel to include other participants may not be operational due to the size, content, and methods of accessing the policies and procedures. The firm further asserted that the proposed standard may inappropriately blur the lines between a firm’s system of quality control and engagement-level requirements that are already addressed through existing PCAOB standards and rules. The Board believes that other participants play an important role in the operation of the firm’s QC system and the performance of its engagements and that it is imperative for these other participants to be aware of the firm’s policies and procedures to the extent required to enable them to carry out their responsibilities. For that reason, the Board believes it is necessary to expand the existing requirement to include other participants in a specified quality response. To address the concern about the volume of material required to be shared with other participants, the Board clarified the requirement by providing that policies and procedures should be 276 See E:\FR\FM\11JNN2.SGM QC 20.23. 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices communicated ‘‘to the extent’’ and in a manner reasonably designed to enable firm personnel and other participants to carry out their responsibilities; in other words, the requirement is to communicate what firm personnel and other participants need to know, not necessarily all of the firm’s policies and procedures. For example, a firm would communicate to an EQR contracted by the firm its policies and procedures related to EQR review and independence. In addition, although the wording of the requirement is different, the substance of the existing requirement 277 is unchanged. Reference to ‘‘reasonably designed and implemented’’ captures the existing requirement to communicate in ‘‘a manner that provides reasonable assurance that those policies and procedures are understood and complied with’’ without repeating the reasonable assurance already captured by the overarching objective of the QC standard. Another commenter requested clarification as to whether the communication of policies and procedures is required in narrative, flowchart, or other form. The Board believes that the policies and procedures should be in writing and in a manner that is reasonably designed to enable firm personnel and other participants to understand and carry out their responsibilities relating to activities within the firm’s QC system and the performance of its engagements. The format of these policies and procedures may vary depending on the specific responsibilities being addressed and how the firm wants to communicate them. Under the existing PCAOB standard, the firm is also required to make timely communications to appropriate personnel regarding changes to its established quality control policies and procedures. The Board does not think it is necessary to address changes to policies and procedures separately; the requirement is to communicate policies and procedures as in effect, which includes changes to such policies and procedures over time. If the firm needs to communicate changes to its policies and procedures to enable firm personnel and other participants to understand and carry out their responsibilities, then the specified quality response will require such communication. Given the importance of information generated from the monitoring and remediation process, paragraph .56 includes a specified quality response that requires the firm to communicate 277 See QC 20.18. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 such information to firm personnel to enable them to take timely action. In determining specific information to be communicated to firm personnel, including the nature and extent of such communication, the firm may consider the type of information that is relevant to the recipients given their roles and responsibilities within the firm. For example, information communicated to engagement teams may be focused on a description of identified engagement deficiencies and related remedial actions that are likely to be relevant to such firm personnel and their engagements. Information communicated to all firm personnel may relate to deficiencies identified through QC system-level monitoring activities, such as compliance issues in connection with the firm’s ethics and independence policies and procedures. One firm asserted that the requirement to communicate identified engagement deficiencies and QC deficiencies to firm personnel could hold firms to a higher standard than may be prudent, and that a perceived requirement to communicate each engagement deficiency seems imbalanced to appropriately influence change. The specified quality response requires that such communications be made to enable firm personnel to take timely action in accordance with their responsibilities. Based on the results of the monitoring and remediation process, the firm can assess the nature and extent of the communications to be made, and this should be commensurate with the risk that other similar unidentified engagement deficiencies exist; for example, for engagement deficiencies related to the examination of brokerdealer compliance reports, the firm may limit the communications to firm personnel working on broker-dealer engagements and adjacent industry sectors. In addition, under paragraph .57 the firm is required to communicate the results of the annual evaluation of its QC system to certain individuals in firm leadership positions. These individuals may use this information in various ways, for example, as a basis for further communications to firm personnel about the importance of quality or to address concerns about the QC system in a timely manner. The requirement reinforces firm leadership’s responsibility and accountability for the firm’s QC system. 2. Current PCAOB Standards Existing PCAOB QC standards focus principally on communication of certain information, specifically: PO 00000 Frm 00069 Fmt 4701 Sfmt 4703 49655 • Firm QC policies and procedures; 278 • Weaknesses identified in the QC system or the level of understanding or compliance therewith; 279 • Internal inspection findings; 280 • Principles that influence the firm’s policies and procedures on matters related to the recommendation and approval of accounting principles, present and potential client relationships, and the types of services provided; 281 • Additions to the Restricted Entity List; 282 and • Notification to the SEC of resignations and dismissals from audit engagements for SEC registrants.283 QC 1000, by contrast, more broadly addresses the firm’s responsibilities regarding its information system and internal and external communications. Monitoring and Remediation Process 1. QC 1000 a. Overview (QC 1000.58) The monitoring and remediation process is an integral part of an effective QC system because it creates a feedback loop to inform the firm’s risk assessment process. The feedback loop will help the firm identify and assess new and evolving quality risks and design and implement effective quality responses. It drives a firm’s focus on continuing to improve its QC system, with a view to preventing future engagement deficiencies. The monitoring and remediation process applies to the design, implementation, and operation of all QC system components, including the monitoring and remediation component, and provides the basis for a firm’s evaluation of whether its QC system is effective and for reporting on the QC system.284 The Board has observed through its oversight activities that some firms have made significant efforts to enhance their monitoring and remediation process, which has led to improvements in the firms’ QC systems and in audit quality. These efforts include increased attention to ongoing monitoring activities, internal monitoring of both in-process and completed engagements, 278 See QC 20.23. QC 30.03. 280 See QC 30.06. 281 See SECPS 1000.08(l), 1000.42. 282 See SECPS 1000.46 (requirement 5). 283 See SECPS 1000.08(m); see also Appendix 5 for a proposed new standard, AS 1310, Notification of Termination of the Auditor-Issuer Relationship, that would retain existing requirements of SECPS 1000.08(m) and apply those requirements to all firms. 284 For further discussion of the evaluation of a firm’s QC system, see below. 279 See E:\FR\FM\11JNN2.SGM 11JNN2 49656 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices root cause analysis of both positive outcomes and QC deficiencies, and remedial actions to address QC deficiencies. However, PCAOB inspections continue to identify deficiencies for some firms, suggesting that not all firms have made meaningful improvements in these areas. Under QC 1000, the monitoring and remediation process addresses the following: • General requirements; • Engagement monitoring activities; • QC system-level monitoring activities; • Monitoring activities performed by a network; • Determining whether engagement deficiencies exist; • Responding to engagement deficiencies; • Determining whether QC observations exist; • Determining whether QC deficiencies exist; • Responding to QC deficiencies; and • Monitoring the implementation and operating effectiveness of remedial actions. Under the standard, a firm performs monitoring activities to determine whether its quality responses are properly designed and operating as intended, such that the firm’s quality risks are sufficiently mitigated and its quality objectives are achieved. As described later, the results of the firm’s monitoring and remediation process are to be evaluated annually as part of the evaluation of the QC system. Therefore, the monitoring activities conducted need to be sufficient to support the conclusions reached during such an evaluation. khammond on DSKJM1Z7X2PROD with NOTICES2 b. General Requirements (QC 1000.59– .61) The standard specifies three goals for the monitoring and remediation process: • Relevant, reliable, and timely information. Monitoring and VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 remediation must provide information about the design, implementation, and operation of the firm’s QC system that is relevant, reliable, and timely. The information obtained from monitoring activities informs a firm about actions, behaviors, or conditions that contributed to issues that need to be addressed and may also provide insights as to factors that help prevent deficiencies from occurring. For example, information obtained about actions, behaviors, and conditions related to an engagement that was subject to internal or external monitoring activities where no deficiencies were identified may provide insights about good practices to use when addressing issues on similar engagements. • Reasonable basis for timely detection of engagement deficiencies and QC deficiencies. The standard uses the concept of ‘‘reasonable basis,’’ which is present throughout PCAOB auditing standards, including the standards governing the auditor’s report.285 Therefore, this concept is well understood by the profession. ‘‘Timely’’ as it relates to the detection of engagement deficiencies means that the firm’s monitoring activities are designed to identify deficiencies as promptly as practicable. For example, the Board expects that the firm’s monitoring activities will generally enable the firm to identify deficiencies in calendar yearend engagements in time to include them in its evaluation of the QC system as of the following September 30. • Timely remediation. The firm’s monitoring and remediation process must enable timely remediation of identified engagement deficiencies and QC deficiencies. What constitutes 285 See, e.g., AS 3101.09f (noting that one of the elements in the Basis for Opinion section of the auditor’s report is ‘‘[a] statement that the auditor believes that the audit provides a reasonable basis for the auditor’s opinion’’). PO 00000 Frm 00070 Fmt 4701 Sfmt 4703 ‘‘timely’’ depends on the deficiency’s nature, scope, and impact. For example, where there is a high risk of severity or pervasiveness, remedial actions may have to be immediate to be timely. The first element of monitoring and remediation is designing and performing monitoring activities for engagements and the QC system itself. The Board believes that the selected frequency and timing of the firm’s monitoring activities (e.g., a combination of ongoing and periodic monitoring activities) are important elements in achieving an overall effective monitoring and remediation process. Ongoing monitoring activities are generally those activities that are routine in nature, built into the firm’s processes, and performed on a real-time basis. Periodic monitoring activities, by contrast, are conducted from time to time at set intervals. The use of ongoing and periodic monitoring activities would vary by firm and be influenced by the nature and circumstances of the firm. The other elements of the monitoring and remediation process specified in the standard are: • Determining whether engagement deficiencies exist and responding to them. • Determining whether QC observations exist. • Determining whether QC deficiencies exist. • Performing root cause analysis of QC deficiencies. • Designing and implementing remedial actions to respond to QC deficiencies and determining whether such actions are implemented as designed and operate effectively. These other elements are discussed below, in relation to the requirements of paragraphs .61–.76. BILLING CODE 8011–01–P E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 BILLING CODE 8011–01–C QC 1000 requires that the firm’s QC system include both engagement monitoring activities and QC systemlevel monitoring activities. The standard differentiates engagement monitoring activities from QC system-level monitoring activities. The two types of activities would provide different kinds of information and, in the Board’s view, a firm would need both in order to have a reasonable basis for detecting engagement and QC deficiencies and evaluating its QC system. Engagement monitoring activities are monitoring procedures performed on engagements, including in-process and completed engagements. QC system-level monitoring activities are monitoring procedures regarding aspects of a firm’s QC system, including the firm’s risk assessment and monitoring and remediation processes. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 Notwithstanding the differences between engagement monitoring activities and QC system-level monitoring activities, a firm could design and perform dual-purpose monitoring activities—i.e., activities directed at individual engagements that also address aspects of the firm’s QC system. For example, a firm could perform engagement monitoring activities related to acceptance and continuance of engagements that would also address the design, implementation, and operation of the acceptance and continuance of engagements component of the firm’s QC system. QC 1000 defines ‘‘engagement’’ as any audit, attestation, review, or other engagement performed under PCAOB standards (1) led by a firm or (2) in which a firm plays a substantial role in the preparation or furnishing of an PO 00000 Frm 00071 Fmt 4701 Sfmt 4703 49657 engagement report. Under the standard, substantial role engagements that the firm undertakes would be required to be included in the population of engagements on which the firm performs monitoring activities. In situations where the firm participates in another firm’s engagement but does not play a substantial role, while such work would not be treated as the firm’s own ‘‘engagement’’ for purposes of the standard, any firm that was required to implement and operate an effective QC system under the standard is required to extend its QC system to all audit, attestation, review, and other work it performs under PCAOB standards, including other firms’ engagements in which the firm plays less than a substantial role. In general, for purposes of QC 1000, engagement monitoring activities are performed only on ‘‘engagements’’ as E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.006</GPH> Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 49658 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices that term is defined in the standard. One firm suggested that audit quality should consistently be measured for all engagements, whether performed under the PCAOB standards or other auditing standards, and therefore a firm’s QC system should provide reasonable assurance of performing all such engagements in compliance with applicable laws and professional requirements. This firm urged the Board to consider whether the monitoringrelated requirements in QC 1000 that use the term ‘‘engagements’’ (as defined in QC 1000) may result in a lost opportunity to fully capitalize on the expected benefits of a more comprehensive monitoring program. Given the limits of the Board’s statutory authority under Sarbanes-Oxley, the Board does not believe it would be appropriate to expand the scope of the term ‘‘engagements’’ to include work performed under standards of other standard-setters. However, nothing prevents firms from developing a single QC system for their entire audit practice that satisfies both PCAOB requirements and other professional standards to which the firm is subject, which could include performing the same types of monitoring activities for both PCAOB engagements and other audits. The Board also understands that firms that perform only a small number of issuer and broker-dealer engagements would be significantly affected by a requirement to perform monitoring activities over PCAOB ‘‘engagements’’ every year.286 In the extreme case, a firm that issues an audit report for only one issuer would have to monitor the same engagement every year. The prospect of annual monitoring could disincentivize partners from serving as the engagement partner and ultimately affect competitive conditions in the market. Accordingly, paragraph .61a includes a note that permits firms that issued engagement reports for five or fewer issuers, brokers, and dealers in the previous year to include audits not performed under PCAOB auditing standards in their engagement monitoring activities for purposes of QC 1000, so long as the audits are selected taking into account the factors in determining the nature, timing, and extent of engagement monitoring activities set forth in paragraph .64. This accommodation takes into consideration the structure of the SEC’s partner rotation requirements exemption for 286 Firms that issued audit opinions for between one and five issuers or broker-dealers represented 38% of all registered firms in 2022, 39% in 2021, and 43% in 2020. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 small firms,287 and is limited to audits rather than attestation work because audits are performed under more rigorous standards. These firms will still have to design, implement, and operate a monitoring and remediation process that meets the requirements of QC 1000, including the requirements regarding the objectives and elements of the monitoring and remediation process set forth in paragraphs .59 and .60, which focus on ‘‘engagements’’ as defined in the standard. The firms will also be subject to the requirement under paragraph .62b to inspect at least one completed PCAOB engagement for each engagement partner on a cyclical basis, as discussed below. Current PCAOB QC standards provide that, in some circumstances, individuals may perform monitoring procedures over the same areas for which they are responsible.288 Such monitoring procedures are a type of self-assessment and under the proposed standard, selfassessments would not have been permissible. Individuals would lack the requisite objectivity if they reviewed engagements in which they participated (or, in the case of audits, for which they performed the engagement quality review), or monitoring activities for which they participated in the design, implementation, or operation of the activity. Two commenters agreed that selfassessment should not be permitted in QC 1000. Other commenters, including firms and a related group, raised concerns regarding the proposal’s disallowance of self-assessments as part of a firm’s monitoring and remediation process. Specific concerns included the impact of this requirement on smaller firms and the resource constraint that may be very difficult for firms to overcome if individuals who may be involved in an engagement through consulting with engagement teams, evaluating engagement team progress, or monitoring turnover on the engagement team are ineligible to perform monitoring activities. While the Board appreciates the concerns around resource constraints raised by commenters, allowing individuals to review their own work is inconsistent with the quality objective in paragraph .44e that individuals assigned to perform activities within the QC system have the objectivity needed to perform such activities in accordance with applicable professional and legal requirements and the firm’s policies and 287 See 17 CFR 210.2–01(c)(6)(ii). QC 30.10, which applies to small firms with a limited number of management-level individuals. 288 See PO 00000 Frm 00072 Fmt 4701 Sfmt 4703 procedures. Taking into account commenter feedback, the Board added a note to the standard to clarify that the restriction on self-assessment is grounded in that quality objective. The note further explains the implication, in the context of the monitoring and remediation process, that individuals generally cannot perform monitoring activities over their own work, for example by performing engagement monitoring activities on an area of an engagement in which they participated. The impact of this restriction will depend on the role that the individual played in the engagement. For example, individuals who have consulted on a particular area of an engagement would be permitted to perform monitoring activities on other areas of an engagement that were unrelated to the consultation. However, individuals that served as the engagement quality reviewer on an engagement may not perform monitoring activities on that engagement, even if they did not review every area of the engagement. e. Engagement Monitoring Activities (QC 1000.62–.64) Engagement monitoring activities provide valuable information to firms on whether engagement or QC systemlevel areas may require additional attention. For example, monitoring procedures may highlight an area on an audit engagement where insufficient audit evidence was obtained to support the auditor’s opinion. More broadly, engagement monitoring activities may identify pervasive issues where a number of engagements have similar problems, possibly highlighting the need to revise methodology, provide additional training, or take other actions at the QC-system level. i. Monitoring Completed Engagements (QC 1000.62) Similar to the proposal, the final standard requires firms to perform engagement monitoring activities on completed engagements. Two commenters expressed support for the requirement to monitor completed engagements. One commenter suggested that paragraph .62 be amended to permit the legacy flexibility of QC 20 for a firm to have pre-issuance or post-issuance, or both, monitoring programs, depending on the individual firm’s risk assessment. This commenter asserted that some smaller firms, in particular, have already implemented robust preissuance quality monitoring reviews on substantially all issuer audits. The Board continues to believe that the information derived from performing inspections of completed E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices engagements provides the firm a perspective on its engagements that cannot be obtained through other monitoring activities. The Board also noted that the standard does not prescribe specific monitoring activities, so firms will be able to determine what activities to perform when monitoring completed engagements. Based on PCAOB oversight activities, the Board has observed that most firms perform engagement monitoring activities on their completed engagements as part of their existing QC practices. Requiring the inspection of completed engagements would therefore not change practice for most firms and, accordingly, seems unlikely to impose incremental costs in most instances. The proposed standard also included a requirement for firms to establish a cyclical basis for monitoring completed engagements such that each engagement partner would have at least one engagement subject to monitoring in each cycle. Some firms and a related group supported that requirement in principle. Some commenters suggested that firms should be permitted to include all of the engagements within a particular engagement partner’s portfolio of engagements, not only PCAOB engagements, since the firm operates a single QC system. One commenter stressed that if firms are not permitted to consider all engagements in an engagement partner’s portfolio, it may unnecessarily drive firms to two separate cyclical inspection programs (that is, doubling inspection program activities) based on the applicable set of professional standards. This commenter also suggested that the standard should allow firms to consider whether engagement partners have been subjected to external inspections/ reviews when determining if, and when, to subject them to an internal inspection. Similar to the proposal, the final standard requires firms to inspect at least one completed PCAOB engagement for each engagement partner over a cyclical period. Although, as discussed above, firms with five or fewer issuer and broker-dealer engagements may be permitted to include non-PCAOB engagements in their monitoring activities, inspections under this paragraph must be of ‘‘engagements’’ as defined in QC 1000. This will ensure that firms regularly evaluate the work of every partner under PCAOB standards to determine whether engagement deficiencies or QC deficiencies have occurred and can design and implement appropriate remedial actions. The note to the final standard clarifies that point. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 The proposed standard also included a note stating that if a firm uses a cycle longer than three years, the firm would be required to demonstrate how its cycle is adequate to provide the firm with a reasonable basis for detecting engagement deficiencies and QC deficiencies, taking into account the factors in paragraph .64. Several commenters, including an investorrelated group, disagreed with this aspect of the proposal, suggesting that each firm should be allowed to determine the appropriate cycle for engagement partner selection. Some of these commenters stated that requiring a set interval for engagement partner selection could actually result in a reduced ability by the firm to incorporate unpredictability into the selection process. One firm further stated that the proposed requirement regarding the engagement partner selection cycle could also decrease the frequency of other monitoring activities, such as in-process reviews, or curb investment and innovation in preissuance monitoring programs. The Board continues to believe it is appropriate to incorporate an expectation that each engagement partner will be subject to inspection at least every three years and adopted that aspect as proposed. A three-year period appears to be a norm for other standard setters and, based on PCAOB oversight activities, is common in practice.289 The Board appreciates that requiring a set interval could make the timing of selection predictable for an engagement partner, so a three-year cycle is a baseline expectation, not a requirement. Firms can of course adopt a shorter cycle, or can adopt a longer cycle if they are able to demonstrate how that cycle is adequate to provide a reasonable basis for detecting engagement deficiencies and QC deficiencies. Regardless of the cyclical period used by the firm, risks or other circumstances related to an engagement or an engagement partner may trigger the need for the firm to inspect an engagement partner’s completed engagement(s) more than once during the cyclical period. The proposed note to paragraph .62b also included language requiring firms to consider incorporating a level of unpredictability when determining when, during the cyclical period, an engagement partner has an engagement selected for monitoring and which completed engagement(s) to select. This 289 The application material accompanying the IAASB and AICPA QC standards provide an example of a three-year inspection cycle for engagement partners performing financial statement audits. See ISQM 1 paragraph A153, SQMS 1 paragraph A165. PO 00000 Frm 00073 Fmt 4701 Sfmt 4703 49659 was intended to make it less likely that engagement partners would be in a position to manage engagements with the expectation that they would or would not be inspected. However, commenters, including firms and investors and related groups, suggested that this language should be strengthened to require that the firm ‘‘should’’ incorporate unpredictability into the selection process. One of these commenters went further to suggest that the PCAOB also incorporate language requiring unpredictability in the focus areas subject to internal inspection monitoring, in addition to the timing of such monitoring. The Board agreed with the comments raised with respect to requiring firms to incorporate unpredictability into their selection process and this change is reflected in the note to paragraph .62b. Additionally, in order to allow sufficient flexibility for firms to determine how to incorporate unpredictability in the selection process, language has been added to the note to clarify that the firm should include an element of unpredictability in ‘‘at least one of’’ the elements listed in the note to paragraph .62b. The firm’s selection of completed engagements should be responsive to information obtained from various sources, including prior monitoring activities. The standard, in paragraph .64 (discussed further below), includes factors for a firm to take into account when selecting engagements for monitoring. These factors will assist a firm when determining its cyclical basis and selecting at least one engagement to inspect for each engagement partner. ii. Monitoring In-Process Engagements and Other Work (QC 1000.63) Monitoring in-process engagements can help firms detect and prevent potential engagement deficiencies before an engagement report is issued, resulting in a more proactive, preventive monitoring approach. Through its oversight activities, the PCAOB has observed a variety of different inprocess engagement monitoring activities, including: • Monitoring activities on a specific area of the audit after the engagement team has conducted certain audit procedures or used a specific tool or template (e.g., an in-process reviewer evaluates an engagement team’s testing of management’s earnings forecast used in an impairment analysis); • Engagement team coaching by an individual who is not part of the engagement team (e.g., a member of the firm’s national office works with an engagement team to review their audit E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49660 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices approach, including the nature, timing, and extent of planned audit procedures); • Evaluating an engagement team’s progress against certain defined milestones or metrics and taking appropriate action when such milestones or metrics are not achieved (e.g., if an engagement partner did not review an engagement team’s planning memo before interim audit procedures were to start, adjusting the engagement team’s schedule so that the document could be reviewed and comments addressed before starting interim work; if an engagement team’s hours exceed a certain weekly threshold, taking action by identifying the issue and adding additional resources to the team); and • Monitoring engagement team turnover during the engagement and taking appropriate action when issues arise (e.g., if more experienced or senior personnel on the engagement, such as the manager or senior manager, leaves the firm during the engagement and prior to the completion of procedures, taking actions to ensure the engagement team has the necessary resources to complete the engagement). The proposed standard contemplated that firms that issue audit reports with respect to more than 100 issuers during the prior calendar year would be required to monitor in-process engagements. The proposal noted the Board’s understanding that monitoring in-process engagements may be challenging for some firms based on their size and nature, so the proposed standard also included a ‘‘should consider’’ requirement to provide sufficient scalability for firms that issue audit reports with respect to 100 or fewer issuers. Under the proposed standard, firms that audit 100 or fewer issuers would be expected to reach a conclusion about whether to monitor inprocess engagements in light of identified quality risks and quality responses. Firms that commented on this requirement supported the concept of monitoring in-process engagements and the flexibility the standard provided for firms to design their in-process monitoring based on the nature and circumstances of the firm. Two firms stated that the purposes of in-process monitoring are clear and appropriate and that the proposed standard clearly distinguished between in-process engagement monitoring and engagement quality reviews under AS 1220. Two firms suggested that the 100-issuer threshold is not necessary, and that all firms should only be required to consider whether to monitor in-process engagements. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 The Board believes that differentiating a firm’s obligation based on the number of issuer clients is appropriate because, in its view, firms with larger, more complex audit practices generally are subject to quality risks for which inprocess monitoring is an appropriate quality response. The Board based the requirement on the size of a firm’s issuer audit practice rather than its broker-dealer audit practice, as it believes the number of a firm’s issuer clients is more indicative of the firm’s size and the complexity of its practice. And, as noted above, firms are familiar with the threshold of more than 100 issuer audit reports. The majority of firms with 100 or fewer issuers do not perform in-process engagement monitoring activities. Requiring these firms to perform such monitoring activities could significantly change current practice and is not justified by the circumstances of every firm. However, due to the benefits of this proactive engagement monitoring, the standard requires that firms that do not meet the 100-issuer threshold should consider monitoring in-process engagements. The Board believes that this approach strikes an appropriate balance between prescriptiveness and scalability, and adopted the requirement as proposed. One individual commenter suggested that audit firms would find it cost prohibitive to build in ‘‘in process’’ controls that would be akin to doing an inspection of an audit in process, with the exception of certain circumstances, but the PCAOB did not receive any specific comments from firms expressing that concern. In addition, firms with over 100 issuer clients typically have the resources to implement such procedures, and based on PCAOB oversight activities, the majority of them already monitor inprocess engagements to some extent.290 In situations where the firm participates in another firm’s engagement but does not play a substantial role, paragraph .63c provides that the firm should consider performing monitoring activities on such work. Some commenters agreed with the requirement for firms to consider performing monitoring activities on their work on other firms’ engagements. When deciding whether and when to do so, and what monitoring activities to perform, firms would take into account the factors identified in paragraph .64, such as the firm’s monitoring and external inspection 290 In 2023, 11 of the 14 annually inspected firms performed some in-process engagement monitoring activities. PO 00000 Frm 00074 Fmt 4701 Sfmt 4703 history and the risks associated with the performance of the work. In addition, if a substantial portion of the firm’s activities that are subject to the QC system relate to work performed on other firms’ engagements at less than a substantial role, the firm would have to make that decision in light of the overall objectives of the QC system.291 One commenter requested clarification as to whether the inprocess monitoring activities the Board has observed would be sufficient to meet the requirement, or whether the Board expects such activities to be expanded or enhanced. The standard does not specify any particular monitoring activities, so the firm has discretion to select activities based on the nature and circumstances of the firm and its engagements and the scope and nature of its other monitoring activities. For example, when determining which engagements to select for in-process monitoring, a firm would leverage the factors presented in paragraph .64 of the standard to identify engagements where there is a greater risk of noncompliance with applicable professional or legal requirements. Similarly, these factors will also assist a firm in determining the riskier areas of such engagements upon which to perform in-process engagement monitoring activities. i. Designing Engagement Monitoring Activities, Including Selecting Which Engagements To Monitor (QC 1000.64) Similar to the proposal, the final standard requires a firm to take into account certain factors when determining the nature, timing, and extent of engagement monitoring activities, including which completed or in-process engagements to select for monitoring. These factors reflect aspects of a firm and its engagements that could create a greater risk of noncompliance with applicable professional and legal requirements. A firm will need to tailor its monitoring activities to address the particular circumstances of the firm and select engagements for monitoring based upon their specific risks. The factors are: • Quality risks and the reason for their assessments, and quality responses. For example, the complexity of or changes to applicable professional and legal requirements and the firm’s policies and procedures may present a quality risk that the firm may not timely communicate the required use of a practice aid for planning audit procedures when certain fraud risk factors are present. In response to this risk, the firm would design its 291 See E:\FR\FM\11JNN2.SGM QC 1000.05a.(2). 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices engagement monitoring activities to verify the engagement team’s use of the practice aid. The earlier these monitoring activities are performed, the more proactive the firm could be in planning audit procedures that address audit issues as they arise. Regarding the proposed factor in paragraph .64b related to the ‘‘design of the quality responses,’’ the final standard has removed the word ‘‘design’’ from the factor and made other edits to clarify that the firm should also take into account the scope and operation of quality responses, for example related to information about how those quality responses operated in previous years. • The nature, timing, extent, and results of previous monitoring activities. This includes insights learned from previous engagements and QC systemlevel monitoring activities that are applied when determining engagement monitoring activities to perform. For example, in selecting engagements for monitoring, the firm would take into account deficiencies identified in previous engagements for the same client and other engagements where a similar deficiency may exist. As another example, engagement deficiencies related to inventory obsolescence testing identified by a firm through prior year engagement monitoring activities may prompt a firm to monitor the testing of inventory obsolescence on more engagements in the current year. One commenter recommended a clarifying revision to paragraph .64c to change the reference to ‘‘inspections of in-process engagements’’ to ‘‘monitoring of inprocess engagements.’’ The commenter explained that the characterization of in-process engagement monitoring as an ‘‘inspection’’ is not consistent with how in-process engagement monitoring was described in the proposal, as the inprocess monitoring activities observed by the PCAOB do not include inspections of in-process engagements. The Board agreed and included this revision in the final standard. • Information obtained from oversight activities by regulators, other external inspections or reviews, and, if applicable, monitoring activities performed by a network. Information obtained from network monitoring activities or external reviews provides a firm direction as to, for example, the type of procedures to perform or when to perform them. The results of network monitoring activities or information obtained from external reviews could also identify issues that may exist on other similar engagements of the firm, prompting a decision to monitor some or all of these other engagements. For example, if an engagement was recently VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 inspected through network monitoring activities or an external review, a firm may determine that selecting the same engagement for internal inspection would be unnecessary. The proposal included a note that a firm cannot rely solely on network monitoring activities or external inspections by regulators of individual engagements without performing its own inspections of completed engagements. One commenter, a firm, agreed with the proposed requirements for firms to perform their own monitoring activities rather than solely relying on the monitoring activities performed by the network. Another firm disagreed and recommended that the standard permit networks to perform monitoring activities on behalf of a member firm, including in certain circumstances as the sole source of a firm’s QC engagement monitoring. This commenter stated that monitoring of completed and in-process engagements by the network may provide member firms in the network with more objective and experienced monitoring resources, and that smaller member firms may not have the resources to perform objective monitoring on completed and/or in-process engagements without leveraging the network. Similar to what is described below as it relates to a firm’s QC system and the extent of monitoring activities performed by a network, regardless of whether a network performs engagement monitoring activities on a firm’s engagements, the firm is ultimately responsible for its QC system and for evaluating any information it obtains from the network about any engagement monitoring activities the network performs. The firm would take into account the nature and extent of activities performed by a network in designing and implementing its own activities but all firms are required to perform some level of engagement monitoring. The final standard includes a clarifying revision to this note that replaces ‘‘inspections of completed engagements’’ with ‘‘engagement monitoring activities.’’ • Characteristics of a particular engagement. Factors such as the industry, the type of engagement (e.g., issuer audit, broker-dealer audit, attestation), the location(s) or jurisdiction(s) in which the client is located or the work is to be performed, whether it is a new engagement for the firm, and the experience and competence of the engagement team could affect conduct and outcomes of the engagement. For example, if the engagement team members are all new to the engagement, their lack of PO 00000 Frm 00075 Fmt 4701 Sfmt 4703 49661 historical knowledge may present an additional risk for that engagement and provide a basis for its selection for monitoring. • Characteristics of particular engagement partners. Factors such as the experience and competence of engagement partners, the results of internal and external inspections of their work, and the firm’s cycle for inspecting their engagements could affect the quality risks associated with an engagement, whether positively or negatively. For example, an engagement partner’s lack of experience in an industry the company under audit recently entered may create additional risks to complying with applicable professional and legal requirements. Therefore, performing engagement monitoring activities on such engagements may be appropriate. • Other information relevant to the quality risks. The standard includes a non-exhaustive list of examples. For clarity, this factor was rephrased in terms of ‘‘quality risks’’ rather than ‘‘risks of noncompliance with applicable professional and legal requirements.’’ The standard also includes a footnote referencing footnote 26, which explains that the firm is deemed ‘‘aware’’ of information when any partner, shareholder, member, or other principal of the firm first becomes aware of such information. The requirement is both principlesbased and risk-centered, rather than prescriptive. It provides for scalability by including factors for firms to take into account when determining the nature, timing, and extent of engagement monitoring activities. In addition to the factors included in the standard, a firm may identify other factors that are also relevant based on the nature and circumstances of the firm and its engagements. d. QC System-Level Monitoring Activities (QC 1000.65) Similar to the proposal, the final standard requires a firm to take into account certain factors when determining the nature, timing, and extent of QC system-level monitoring activities. Due to their nature, some of the factors are consistent with the factors a firm is required to take into account when determining the nature, timing, and extent of engagement monitoring activities, such as the quality responses, including their timing, frequency, scope and operation. Regarding the proposed factor in paragraph .65b related to the ‘‘design of the quality responses,’’ conforming to the change made in paragraph .64b, the word ‘‘design’’ was E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49662 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices removed from the factor and made other edits to clarify that the firm should also take into account the scope and operation of quality responses, for example related to information about how those quality responses operated in previous years. The specific features of a firm’s quality responses are also relevant for a firm to consider when designing QC system-level monitoring activities. For example, a firm’s quality responses related to acceptance and continuance of engagements might include a policy that firm personnel complete a checklist and assemble information evaluated by the engagement partner before making a recommendation to firm leadership on whether to continue with an engagement for the upcoming year. Based on this quality response, a firm might design QC system-level monitoring activities that include a review of the checklist and documentation for a selection of engagements. Some other factors the standard requires firms to take into account when determining the nature, timing, and extent of QC system-level monitoring activities include: • The design of a firm’s risk assessment and monitoring and remediation processes. The design of these processes is relevant when designing monitoring activities to evaluate if such processes are implemented and operating effectively. For example, a firm may monitor the cyclical basis determined by the firm for inspecting engagement partners’ completed engagements. A firm’s monitoring activities in this area could include whether the firm is complying with the established period for selecting completed engagements as well as evaluating whether changes to the period may be necessary based on the results of other monitoring activities. The firm could also develop metrics for its QC system and use them in its monitoring and remediation process. • Changes in the QC system. As a firm’s QC system is continuously evolving in response to changes in risks, the firm would have to consider whether and how such changes necessitate changes to the nature, timing, and extent of QC-system level monitoring activities. For example, changes to a quality response would be an indication that changes to the activities that monitor the design, implementation, and operation of such response may be necessary. It should be noted that, even in the absence of changes in the QC system, for example in cases where the firm determines that there have been no changes related to a VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 particular quality response, the firm would still need to consider whether previous monitoring activities related to that quality response continue to provide the firm with a reasonable basis to evaluate the QC system, including the appropriateness of the firm’s monitoring activities for the current period. • When applicable, services provided by other participants in the firm’s QC system. A firm may use other participants in its QC system (for example, other participants may assist with engagement quality reviews). The firm would take that into account when deciding what QC system-level monitoring activities to undertake (for example, assessing other participants’ compliance with PCAOB standards regarding engagement quality reviews).292 A firm’s monitoring activities are likely to vary over time as a firm takes into account the factors included in the standard (see paragraphs .64–.65). Since a firm’s QC system is a continuous and iterative process, such factors will generally lead a firm to perform different monitoring activities or employ different monitoring approaches over time. Several commenters, including investor-related groups, suggested that the standard should require that the monitoring and remediation process, or more generally QC 1000, provide for use of quantitative metrics. QC 1000 does not require firms to use quantifiable metrics in their monitoring activities or suggest the use of any particular metrics. The Board has recently proposed a new set of firm reporting requirements that includes both firmlevel and engagement-level metrics, and the comments regarding metrics received in response to the QC 1000 proposal are addressed in that proposing release.293 Other than removing the word ‘‘performance’’ from the phrase ‘‘performance metrics,’’ to align with the terminology used in the PCAOB’s proposed metrics requirements, the Board adopted as proposed paragraph .65c, which requires the firm to take into account any metrics that the firm may use in its QC system when determining the nature, timing, and extent of QC system-level monitoring activities. This could include, but is not required to include, any metrics firms would be required to report if the metrics proposal is ultimately adopted by the Board and approved by the SEC, as well as any additional metrics a firm may develop. Depending on their 292 See 293 See PO 00000 generally, e.g., AS 1220. PCAOB Rel. No. 2024–002 at 12–13. Frm 00076 Fmt 4701 Sfmt 4703 circumstances, firms may find that developing metrics to monitor engagements and the QC system would enhance their ability to identify deficiencies, measure whether quality objectives have been met, and evaluate the effectiveness of remediation activities. e. Monitoring Activities Performed by a Network (QC 1000.66) The Board adopted substantially as proposed the requirements that apply when networks perform monitoring activities relating to a firm’s QC system or engagements. Networks employ a variety of different approaches to monitoring firm QC systems. Some networks perform monitoring activities either directly on the firm’s QC system, such as monitoring a firm’s compliance with QC policies and procedures established by the network and adopted by the firm, or on tools or other resources developed or purchased by the network and used by the firm, such as an independence tracking system. Other networks perform no monitoring activities. The nature and extent of a network’s monitoring activities will inform a firm’s approach to monitoring. To illustrate, if a firm used a network independence tracking system to identify matters that may bear on the independence of firm personnel, and if the network monitored the design and operation of the tracking system and provided the firm with relevant information about those activities, the firm is required to evaluate the monitoring activities performed by the network on the tracking system. In performing its evaluation, the firm needs to understand the scope of the network monitoring activities, such as whether the firm’s personnel were selected for monitoring procedures, and if so, whether the population selected was sufficient to provide a reasonable basis for detecting engagement and QC deficiencies. To the extent provided, the firm is also required to evaluate the results of the testing performed by the network, and if deficiencies were identified, the remedial actions, if any, taken or proposed to be taken by the network. Under this example, the firm would also determine its responsibilities in assisting the network with any monitoring or remediation activities related to the tracking system. Regardless of any QC monitoring activities that a network may perform on behalf of the firm, the firm is ultimately responsible for its QC system. Therefore, under the standard, the firm is responsible for evaluating any information it obtains from the network E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices about any QC monitoring activities the network performs. Some commenters, all of which were firms, supported the proposed requirements related to monitoring activities performed by a network. A firm is required to adjust its monitoring activities as necessary, based on the scope of the network’s monitoring activities and the information the firm receives (or does not receive) from the network about those activities. One commenter expressed concern that the proposal allows the firm to request certain categories of information from a network but does not require that the information actually be received. In situations where a firm does not receive information requested from the network about the monitoring activities the network performed, the firm would not be in a position to take such activities into account in planning its own activities. To illustrate, a network may provide information to a firm regarding the results of member firms’ internal engagement monitoring activities, which the firm uses to evaluate the competence of other network firm personnel and their ability to participate in the firm’s engagements. If, due to a change in a particular network firm’s local privacy laws, the network is unable to provide such information regarding that member firm, the firm will need to evaluate that member firm’s competence and ability using a different approach.294 To illustrate another case, if a firm requests but does not receive any information from the network regarding QC monitoring activities related to independence that the network performed on behalf of the firm, and the firm does not perform any monitoring activities related to its QC system in that area, the firm would have no basis for concluding that the quality objectives related to independence were achieved. khammond on DSKJM1Z7X2PROD with NOTICES2 f. Determining Whether Engagement Deficiencies Exist (QC 1000.67) The requirements for determining whether engagement deficiencies exist did not draw comment and were adopted with one modification, described below. As defined by the standard, an engagement deficiency is an instance of noncompliance with applicable professional or legal requirements by the firm, firm personnel, or other participants with respect to an 294 Irrespective of how the evaluation is performed, the engagement partner’s responsibility for the engagement and its performance would not change. See AS 1201.03. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 engagement of the firm, or by the firm or firm personnel with respect to an engagement of another firm. Engagement deficiencies include: • Instances of noncompliance in which a firm did not adequately support its opinion—because the firm did not perform sufficient procedures, obtain sufficient appropriate evidence, or reach appropriate conclusions with respect to relevant financial statement assertions; • Instances in which the firm did not fulfill the objective of its role in the engagement, such as not performing attestation services in accordance with AT No. 2; and • Other instances of noncompliance with applicable professional and legal requirements with respect to a firm’s engagement, which may include, for example, not satisfying applicable independence requirements,295 not making required communications to the audit committee,296 or not filing Form AP.297 The standard requires a firm to evaluate a variety of information in making its determination about whether an engagement deficiency exists, including internally developed information from monitoring activities, information from external parties like regulators and peer reviewers, and other relevant information of which the firm becomes aware. Beyond the sources specified in the standard, a firm is not expected to seek out other sources of information that may indicate an engagement deficiency exists. However, if the firm becomes aware of such information, the firm is expected to evaluate it. For purposes of the standard, the firm is deemed ‘‘aware’’ of information when any partner, shareholder, member, or other principal of the firm first becomes aware of such information. The Board made a change to the proposed note in paragraph .67e item (4) to clarify that complaints the firm becomes aware of, that may indicate the existence of an engagement deficiency, could be related to either a company or the firm. The language was also broadened to clarify that complaints are not limited to those submitted through a formal whistleblower program. The standard does not specify how a firm would evaluate information to determine whether an engagement deficiency exists. Rather, it provides firms the ability to develop an approach 295 See generally, e.g., 17 CFR 210.2–01; PCAOB rules under Section 3. Auditing and Related Professional Practice Standards, Part 5—Ethics and Independence. 296 See generally AS 1301. 297 See PCAOB Rule 3211, Auditor Reporting of Certain Audit Participants. PO 00000 Frm 00077 Fmt 4701 Sfmt 4703 49663 for such evaluation. A determination that an engagement deficiency exists due to the firm not complying with a PCAOB reporting requirement may be relatively simple to make. For example, evaluating whether the firm filed a Form AP in accordance with PCAOB Rule 3211 would not require a significant amount of effort. However, evaluating information indicating the firm did not perform the necessary audit procedures for an issuer’s revenue transactions to determine whether an engagement deficiency exists could be more complex, and therefore require a more in-depth analysis. A firm’s determination that an engagement deficiency exists may pertain to an in-process engagement, a completed engagement, or work performed on other firms’ engagements. If a firm obtains information about a potential deficiency in an in-process engagement, whether from monitoring activities or other sources, the firm is expected to evaluate the information to determine whether an engagement deficiency exists before the engagement report is issued. In that regard, it should be noted that identifying a problem while an engagement is in process may enable the firm to rectify the problem before an engagement deficiency could arise. Many professional and legal requirements that apply to performing an engagement impose ongoing responsibilities that are not completed until the engagement itself is completed. In relation to such ongoing responsibilities, if a problem is identified in an in-process engagement but resolved before the engagement is completed, no engagement deficiency would arise. For example, if an engagement team initially failed to obtain sufficient appropriate audit evidence in its testing of revenue because it failed to perform a necessary procedure, the engagement team could still perform the procedure at a later time during the engagement; as long as sufficient appropriate audit evidence was obtained prior to the issuance of the report, there would be no engagement deficiency. QC 1000 does not have specific provisions to address remediation of this type of problem because the auditor’s responsibility is already addressed by applicable professional and legal requirements. However, even in instances where an engagement deficiency does not arise because a problem was identified and corrected prior to issuance of an engagement report, a firm would still need to consider whether the existence of the problem constitutes a QC observation—an observation about the design, implementation, or operation of E:\FR\FM\11JNN2.SGM 11JNN2 49664 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices the firm’s QC system that may indicate one or more QC deficiencies exist—and, ultimately, a QC deficiency. By contrast, some applicable professional and legal requirements (such as those relating to preliminary engagement activities, including engagement acceptance procedures, and certain required communications to the audit committee) are required to be complied with prior to or at the beginning of the engagement. With respect to those requirements, an engagement deficiency would arise if the required time for performance had passed and the required activities were not performed appropriately, even if the engagement was still in process. The standard requires determinations to be made on a timely basis. For completed engagements, the timeliness of the determination depends on the nature of the information subject to evaluation. For example, if the information suggested other engagements may present a similar issue, then it would be expected that determination would be made sooner so that the risk of engagement deficiencies on other engagements—whether inprocess or completed—is mitigated. The final standard was revised to clarify that the evaluation and determination of whether engagement deficiencies exist must both be done on a timely basis. khammond on DSKJM1Z7X2PROD with NOTICES2 g. Responding to Engagement Deficiencies (QC 1000.68) Under the final standard, when a firm determines an engagement deficiency exists, the firm is required to take action to address the deficiency. The action taken would depend on whether the engagement deficiency related to an inprocess engagement, a completed engagement, or work performed by the firm on other firms’ engagements. In some instances, a firm may find it beneficial to perform a root cause analysis to determine what action to take. i. Engagement Deficiency Related to an In-Process Engagement For an engagement deficiency related to an in-process engagement, the proposed standard provided that the firm take action to address the deficiency in accordance with applicable professional and legal requirements. The nature of the engagement deficiency would determine what a firm would need to do to address it and the timing of the required action. For engagement deficiencies that could affect the auditor’s report, under the proposed standard, remedial action would be required before the VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 engagement report is issued, such that the engagement report issued is appropriate in the circumstances. In other instances, action would still be required to address the deficiency, but the firm would have more flexibility regarding when such actions are performed; action could be performed either before the report is issued or afterwards (if afterwards, the provisions of paragraph .68b would apply). The Board adopted substantially as proposed the requirement for responding to an engagement deficiency on an in-process engagement. ii. Engagement Deficiency Related to a Completed Engagement For an engagement deficiency related to a completed engagement, the proposed standard included a requirement for firms to take action to address the engagement deficiency in accordance with applicable professional and legal requirements (discussed in more detail below in connection with paragraph .70). However, under the proposed requirement, no action would have been required if it was probable that the engagement report was not being relied upon.298 The proposed standard included a note that stated the firm must treat an auditor’s report as being relied upon if the auditor’s report is included in the most recent SEC filing on a form that requires its inclusion. Because this note also appeared in the proposed amendments to AS 2901 in paragraph .01, refer to the detailed discussion below for commenter feedback and the Board’s responses. The note to paragraph .68b. was revised to provide that, in the absence of circumstances indicating that reliance is impossible or unreasonable (e.g., cessation of a trading market for issuer securities), inclusion of an engagement report in the most recent filing on an SEC form that requires inclusion of such an engagement report generally evidences that the report is being relied upon. The Board believes this is responsive to commenter concerns and allows for sufficient flexibility for such circumstances. The note was also revised to clarify that an engagement report can be included in an SEC filing either directly or through incorporation by reference. 298 The use of ‘‘probable’’ in the note to paragraph .68 is consistent with how the term is used in FASB ASC, Contingencies Topic, paragraph 450–20–25–1, which provides that an event is ‘‘probable’’ when it is likely to occur. PO 00000 Frm 00078 Fmt 4701 Sfmt 4703 iii. Engagement Deficiency Related to Work Performed on Other Firms’ Engagements For an engagement deficiency related to work performed on other firms’ engagements, the standard requires a firm to communicate to the other firm the engagement deficiency. The communication needs to be sufficient to enable the other firm to develop a response commensurate with the extent of noncompliance. These engagement deficiencies, while there may or may not be additional remedial actions for the firm to take related to the particular work performed, should be included in the population of QC observations to be evaluated to determine whether QC deficiencies exist. The Board did not receive comment on this aspect of the proposal and adopted it as proposed. iv. Evaluating Whether Similar Engagement Deficiencies Exist The proposed standard also required a firm to evaluate whether similar engagement deficiencies exist in other in-process engagements, completed engagements (unless it is probable that the engagement report is not being relied upon), and work performed on other firms’ engagements, and if so, to take actions as required by paragraphs .68a.–c. for in-process engagements, completed engagements, and any other work performed by the firm on other firms’ engagements at less than a substantial role. Understanding the nature of the engagement deficiency will assist the firm in determining the extent of the necessary evaluation. To illustrate, if the engagement deficiency was caused by an error in the firm’s methodology for auditing a company’s loan valuation allowance, then the firm would evaluate whether similar engagement deficiencies exist on engagements that were also using that methodology. As another example, if engagement team members did not comply with PCAOB standards when auditing accounts receivable because they failed to perform certain procedures in the firm’s audit program, the firm would evaluate whether the person(s) who were responsible for performing the procedures and the person(s) supervising the work participated in any other audit engagement’s accounts receivable testing, and if so, whether similar engagement deficiencies exist. One commenter requested that the Board provide additional examples of engagement deficiencies, as the concept of applicability to other in-process engagements could be subject to different interpretations. The Board will E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices consider whether application guidance in this area would be appropriate. Another commenter stated that the expectation of what ‘‘evaluate,’’ as used in this context, may require is not clear and suggested that the evaluation be limited to certain engagements based on a risk-based assessment, taking into consideration the root cause of the identified engagement deficiency. As noted above, understanding the nature of the engagement deficiency would assist the firm in determining the extent 49665 of the actions to take in order to evaluate whether similar engagement deficiencies exist on other engagements. The Board adopted this aspect of the standard as proposed. BILLING CODE 8011–01–P Start ' Information Evaluated Determine whether engagement deficiency exists @-----+----1 Respond accordingly: 1. ln-pr«ess engagement: Take action required by APLR* such tbat the engagement report is appropriate in the circumstances. 2. Completed engagement: Take aetion required by APLR unless it is probable that the engagement report is not being relied upon. 3. Work performed on other firms' engagements: Communicate to other firm and take actinn required by other firm. No further determination Evaluate whether a similar engagement Engagement deficiency completed engagements, and referred work, and if so, take action in accordance with # 1 - 3 above "APLR = Applicable professional and legal requirements VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 PO 00000 Frm 00079 Fmt 4701 Sfmt 4703 E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.007</GPH> khammond on DSKJM1Z7X2PROD with NOTICES2 deficiency exists on other in-process engagements, 49666 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices BILLING CODE 8011–01–C khammond on DSKJM1Z7X2PROD with NOTICES2 v. Addressing Engagement Deficiencies (QC 1000.69–70) Paragraph .69 of the standard requires firms to respond to engagement deficiencies by taking into account the nature and severity of the engagement deficiency. In other words, the response should be targeted based on the nature of the problem and proportionate to the severity of the problem. Understanding the nature and severity of an engagement deficiency could assist firms in: • Developing an appropriate response to the engagement deficiency; • Determining whether an engagement deficiency could relate to other engagements; and • Assessing whether the engagement deficiency, which represents a QC observation, is also a QC deficiency. The actions taken by the firm to respond to engagement deficiencies may include preventive or corrective actions (or a combination of these actions): • Corrective actions are actions taken to rectify an identified deficiency in a current or completed engagement (for example, performing a procedure that had been omitted, designing and performing additional or alternative procedures if audit evidence is insufficient, or filing a required report). • Preventive actions are actions taken to prevent the occurrence of a deficiency in future engagements (for example, training, developing audit tools, or enhancing audit methodology). The proposed note to this requirement also appeared in the proposed amendments to AS 2901.04 and a detailed discussion of commenter feedback and the Board’s views appears below. As adopted, the note in paragraph .69 includes clarifying changes. The requirement was otherwise adopted as proposed. The proposed requirement in paragraph .70 did not draw comment and the Board adopted it as proposed. Firms should comply, as applicable, with other standards related to engagement deficiencies on completed engagements. • AS 2901 addresses auditor responsibilities with respect to engagement deficiencies on completed audit engagements. AS 2201.99 directs the auditor to comply with AS 2901 as it relates to audits of internal control over financial reporting. • AS 2905 deals with auditor responsibilities when, subsequent to the date of a report on audited financial statements, the auditor becomes aware of facts that might have affected the report had he or she then been aware of VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 such facts before issuing the report. AS 2201.98 is a similar provision relating to auditor’s reports on internal control over financial reporting. • AT No. 1 and AT No. 2 incorporate responsibilities similar to those required under AS 2901 for attestation engagements relating to certain brokerdealer reports. The amendments to AS 2901 are discussed below. h. Determining Whether QC Observations Exist (QC 1000.71) The proposed standard would have required firms to determine the existence of ‘‘QC findings,’’ defined as ‘‘[a] finding about the design, implementation, or operation of the firm’s QC system that may indicate one or more QC deficiencies exist. Engagement deficiencies are QC findings.’’ Commenter feedback on this defined term was in most instances directly related to the last sentence in the defined term, urging that engagement deficiencies should not automatically be considered QC findings. The Board was concerned that commenters may have misinterpreted ‘‘QC findings’’ as akin to ‘‘QC deficiencies,’’ whereas the intention is only to designate matters that have to be evaluated as potential QC deficiencies. To alleviate the potential confusion, the defined term was changed to ‘‘QC observation’’ and the definition reworded. The definition of a QC observation in the final standard is ‘‘(1) An engagement deficiency; or (2) Any other observation about the design, implementation, or operation of the firm’s QC system that may indicate one or more QC deficiencies exist.’’ 299 Under the definition, any information that may indicate a problem with the design, implementation, or operation of the firm’s QC system would be a QC observation. Because a QC system provides reasonable assurance that engagements are conducted in accordance with applicable professional and legal requirements, all engagement deficiencies would be QC observations. Examples of other QC observations include an error in the design or operation of a technology tool or methodology, or information suggesting that a firm may not have achieved a quality objective. The determination of QC observations involves collecting observations and related evidence that may indicate a QC deficiency exists, including information from monitoring activities, information from external parties like regulators and 299 QC deficiencies are defined and discussed in the next subsection. See below. PO 00000 Frm 00080 Fmt 4701 Sfmt 4703 peer reviewers, and other relevant information of which the firm becomes aware. Under the standard, the results of all monitoring activities performed by the firm, and if applicable, those performed by a network relating to the firm’s QC system or its engagements, are required to be analyzed by the firm to determine if there are QC observations. It is possible that a firm’s engagement monitoring activities could identify not only engagement deficiencies, but also QC observations that are not engagement deficiencies. For example, if, as part of the firm’s quality response related to technological resources, the firm’s technology leader must review and approve all software audit tools used on engagements, and if a firm’s engagement monitoring activities reveal that an engagement team did not receive the appropriate authorization to use a specific tool, that observation would be a QC observation, regardless of whether the use of the tool also gave rise to an engagement deficiency. Oversight activities by regulators and external inspections or reviews include activities of the PCAOB and other regulators. As a firm typically has one QC system for its entire audit practice, the results of the inspections, reviews, and other oversight activities performed by these external parties would likely be relevant to a firm’s determination of whether QC observations exist. Other relevant information of which the firm becomes aware would comprise information obtained from within and outside the firm. A firm would not be expected to seek out such other sources of information; however, if other relevant information came to the firm’s attention, a firm is expected to determine whether it is a QC observation. For example, the firm may become aware of an issue with a formula in a practice aid used to assist engagement teams in auditing stockbased compensation if a member of an engagement team communicates that issue to firm personnel supporting the firm’s QC system. The final standard has been revised to clarify that the evaluation and determination must both be done on a timely basis. i. Determining Whether QC Deficiencies Exist (QC 1000.72) The standard requires firms to determine whether QC deficiencies exist, and (except for the change in terminology to ‘‘QC observation’’) was adopted as proposed. E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices i. Definition of QC Deficiency In response to commenter input, the Board made changes to the definition of the term ‘‘QC deficiency.’’ As proposed, the definition provided in part that a QC deficiency was a QC finding that results in ‘‘a reduced likelihood of the firm achieving the reasonable assurance objective or one or more quality objectives,’’ and included a note providing examples of circumstances where that likelihood could be reduced. Two commenters questioned the operability of that aspect of the proposed definition of QC deficiency, in particular its linkage to the definition of an internal control deficiency under COSO in its integrated framework through the phrase ‘‘reduced likelihood.’’ Two commenters suggested that the definition of QC deficiency should incorporate the concept of ‘‘a significantly reduced likelihood.’’ Another commenter requested guidance relative to the application of the ‘‘reduced likelihood’’ model. Other commenters suggested that the definition should be more closely aligned with that of other standard setters, for example ISQM 1, by incorporating the concept of an ‘‘acceptably low level.’’ Taking into account commenter feedback, the standard defines a QC deficiency as a QC observation that, based on the evaluation under paragraph .72, individually, or in combination with one or more other QC observations, evidences: • That the likelihood of the firm not achieving the reasonable assurance objective or one or more quality objectives has not been reduced to an acceptably low level; Note: The likelihood of not achieving the reasonable assurance objective or one or more quality objectives would be above an acceptably low level if, for example, a quality objective is not established, a quality risk is not properly identified or assessed, or a quality response is not properly designed or implemented or is not operating effectively. • Noncompliance with requirements of this standard, other than those under ‘‘Documentation’’; or • Noncompliance with requirements of this standard under ‘‘Documentation’’ that adversely affects the firm’s ability to comply with any of the other requirements of this standard. The first subparagraph of the definition of QC deficiency incorporates an existing concept of ‘‘acceptably low level’’ that is currently used in PCAOB auditing standards 300 so this concept 300 See, e.g., AS 2315, Audit Sampling. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 should be familiar to firms. In addition, it aligns more closely with similar definitions of other standard setters, for example the definition of ‘‘deficiency’’ in ISQM 1. The Board made conforming changes to the note that follows subparagraph (1) of the definition. Similar to the proposal, the definition of QC deficiency in the final standard also includes noncompliance with the requirements of the proposed standard other than documentation requirements, such as the requirements related to roles and responsibilities, the firm’s risk assessment process, the monitoring and remediation process, and the evaluation of the QC system. Two commenters expressed concern with this requirement, stating that there may be instances where the firm may not comply with a requirement in the standard but the quality objectives and specified quality responses were met, and a firm should be able to apply judgment to determine whether a QC deficiency exists under those circumstances. The Board continues to believe that compliance with the requirements of QC 1000 is a baseline element of any firm’s QC system, such that failure to comply is always a QC deficiency, and adopted this aspect of the QC definition as proposed. The definition also includes noncompliance with the documentation requirements of QC 1000, to the extent that such noncompliance adversely affects the firm’s ability to comply with any of the other requirements of the proposed standard, while excluding other documentation issues. For example, a firm’s failure to document some details of its monitoring activities, in a context where the firm otherwise sufficiently documents the evaluation of the results from its monitoring activities, would not meet the definition of a QC deficiency. The Board received no comment on this aspect of the definition of QC deficiency and adopted it as proposed. Under the final standard, the determination of whether something identified as a QC observation meets the definition of a QC deficiency would be based on the nature, severity, and pervasiveness of the underlying matter; the likelihood that it could affect other component(s) of the QC system or other engagements; and the severity of such an effect if it were to occur. In the case of engagement deficiencies, this evaluation would take account of the basis for the firm’s determination of the actions required under paragraph .68 of QC 1000, including any root cause analysis performed. These considerations are discussed, in turn, in the following subsections. PO 00000 Frm 00081 Fmt 4701 Sfmt 4703 49667 The final standard has been revised to clarify that the evaluation and determination must both be done on a timely basis. ii. Nature, Severity, and Pervasiveness of the Matter That Gave Rise to the QC Observation The nature, severity, and pervasiveness of the matter that gave rise to the QC observation should be taken into account when determining whether a QC deficiency exists. For a QC observation that is also an engagement deficiency, the results of the firm’s evaluation of whether a similar engagement deficiency exists on other in-process and completed engagements would provide useful information to the firm when determining whether a QC deficiency exists. The standard explains that the nature, severity, and pervasiveness of the matter that gave rise to the QC observation includes: • The component(s) of the QC system, quality objective(s), or quality risk(s) to which the QC observation relates. Depending on the quality risks that a firm identifies, some components may play a greater role in its QC system than others. For example, for a small firm that audits one issuer and has no intention to expand its issuer audit practice, the engagement performance component would have a greater role than acceptance and continuance of engagements because the quality risks associated with the new engagement would be mitigated by the firm’s policy of not taking on new issuer audit engagements. Based on the firm’s risk assessment, certain quality risks may pose a greater threat to the firm’s QC system than others. In addition, some QC observations may relate to a single component of the QC system or a single quality objective, while others may relate to multiple components of the QC system or multiple quality objectives. For example, an engagement deficiency may relate to the resource component (e.g., competence and training of firm personnel, firm methodology), the information and communication component (e.g., failure to communicate changes to the methodology), or the engagement performance component (e.g., failure to consult when required), or all three of those components. • Whether the QC observation is in the design, implementation, or operation of the QC system. For example, a matter that gave rise to a QC observation in the design of a process has a greater likelihood of being pervasive to a firm’s practice than a E:\FR\FM\11JNN2.SGM 11JNN2 49668 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 process that did not operate as designed on one occasion. • The frequency with which the QC observation occurred. Frequency relates to the number of times the matter that gave rise to the QC observation occurred—for example, on engagements within a particular industry sector or practice group, a particular office, or firmwide. It might also relate to the number of times the observation was identified, the number of firm personnel involved, or the number of quality objectives affected. When related to the execution of a firm’s quality response, it would also include relative frequency of QC observations compared to the number of times the procedure was executed properly. The duration of time that the QC observation existed. Duration addresses how long the matter that gave rise to the QC observation existed. In order to understand duration, a firm would need to understand whether there were other instances prior to those initially identified by the firm as QC observations. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 iii. Likelihood That the Matter That Gave Rise to the QC Observation Could Affect Other Component(s) of the QC System or Other Engagements, and the Severity of Such an Effect Whether a QC observation is a QC deficiency would also depend on the likelihood that the matter that gave rise to the QC observation could affect other QC system components or other engagements. Other engagements include in-process engagements, completed engagements, engagements to be performed in the future, as well as work performed on other firms’ engagements. A firm may design and implement mitigating actions to address an engagement deficiency when such a deficiency comes to the firm’s attention. When considering the likelihood that future engagements could be affected (for purposes of determining whether a QC deficiency exists), a firm would not take into account any mitigating actions, even if they have been implemented. This is because the determination of whether a QC deficiency exists must be made based on the nature, severity, and pervasiveness of the matter that gave rise to the QC observation, viewed on its PO 00000 Frm 00082 Fmt 4701 Sfmt 4703 own. That shows the extent to which the QC system failed in allowing the underlying matter to occur. Whether the firm was subsequently able to partially or fully remediate the QC deficiency does not eliminate the fact that the failure occurred. In addition to the likelihood of a matter’s recurrence, the standard also requires a firm to evaluate the matter’s severity if it were to affect other component(s) or engagements. One commenter suggested that the standard address the concept of compensating responses as a factor when considering QC findings in proposed paragraph .72. In considering whether a QC observation is a QC deficiency (on the basis that the likelihood of the firm not achieving the reasonable assurance objective or one or more quality objectives has not been reduced to an acceptably low level) the firm could consider compensating responses that address the same quality risk. Additional discussion in response to this commenter’s feedback appears below in the context of discussion of remedial actions. BILLING CODE 8011–01–P E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices 49669 Example of Considerations Relevant to Determining QC Deficiency Engagement Deficiency (e.g., failure to obtain sufficient appropriate audit evidence) @) - QC Observation khammond on DSKJM1Z7X2PROD with NOTICES2 j. Responding to QC Deficiencies i. Root Cause Analysis (QC 1000.73–.74) The requirement to perform root cause analysis on all identified QC deficiencies did not draw comment and was adopted as proposed. Root cause analysis is a widely used concept in QC frameworks.301 301 See Spotlight: Root Cause Analysis—An Effective Practice to Drive Audit Quality (April 2024) available at https://assets.pcaobus.org/pcaobdev/docs/default-source/documents/root-casuespotlight.pdf?sfvrsn=55f82206 2. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 Identifying and understanding the underlying causes of a problem supports developing solutions that address those causes, rather than just the symptoms. Proper determination of the causal factors that led to QC deficiencies is essential to developing effective remedial actions. For example, a policy or procedure could be inappropriately designed or implemented or a person may not have complied with a policy or executed a procedure as it was intended. As another example, an audit tool may not have operated as intended. Root cause analysis looks for different PO 00000 Frm 00083 Fmt 4701 Sfmt 4703 types of causes through investigating the patterns of negative effects, finding hidden flaws in the QC system, and discovering specific actions that contributed to the problem. Improvements in audit quality have generally been observed through PCAOB oversight activities where a firm has established an effective root cause analysis program.302 Many different types of causes may contribute to a problem. 302 See E:\FR\FM\11JNN2.SGM 2018 Inspection Observations Preview. 11JNN2 EN11JN24.008</GPH> BILLING CODE 8011–01–C khammond on DSKJM1Z7X2PROD with NOTICES2 49670 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices A firm might find it helpful when performing root cause analysis to leverage information obtained from its evaluation of whether a QC deficiency exists. That is, information about the nature, severity, or pervasiveness of the matter that gave rise to the QC observation and the likelihood that the matter that gave rise to the QC observation could affect other components of the QC system or other engagements may provide evidence of what caused the problem to occur. Root cause analysis procedures could take different forms depending on the circumstances, which allows for scalability. Some key elements that the PCAOB has observed that may lead to more robust and comprehensive root cause analysis include: 303 • Monitoring audit deficiencies identified and performing root cause analysis on a continual basis. This allows firms to obtain information that allows them to react more timely and implement remedial actions to reduce recurring deficiencies in other audits.304 • Process mapping at the engagement level and the firm level of the underlying work flows of how a firm conducts its practice. A well-defined process makes it easier to analyze negative events to determine what went wrong. • Consideration of both positive and negative quality events (i.e., actions, behaviors, or conditions that resulted in positive or negative outcomes) to identify whether such actions, behaviors, or conditions were present on engagements where QC deficiencies were identified. • Measuring, in real time, the effectiveness of remedial actions and audit quality improvement plans or initiatives to identify whether remedial efforts are effective. The standard does not require firms to perform root cause analysis on QC observations that are not QC deficiencies. Paragraph .74 of the standard requires that the nature, timing, and extent of the root cause analysis be commensurate with the nature, severity, and pervasiveness of the QC deficiency. This provision did not draw comment and was adopted as proposed. A QC deficiency that could affect multiple engagements may require more urgent root cause analysis, depending on the circumstances. To illustrate, a QC 303 See June 2014 SAG Briefing Paper at 2. Staff Inspection Brief, Vol. 2017/4: Preview of Observations from 2016 Inspections of Auditors of Issuers (Nov. 2017), at 16, available at https://assets.pcaobus.org/pcaob-dev/docs/defaultsource/inspections/documents/inspection-brief2017–4-issuer-results.pdf?sfvrsn=c216d8a7_0. 304 See VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 deficiency related to a firm’s approach to testing business combinations would be more urgent if a firm’s clients regularly enter into such transactions. Taking into account the nature, severity, and pervasiveness of the QC deficiency, root cause analysis may be performed at different points in time or, depending on the size and nature of the firm, operate as more of a continual process. At times, it might be effective to combine similar QC deficiencies and perform root cause analysis on them collectively rather than on an individual basis. In some instances, the causal factors may be relatively apparent and therefore require less analysis than in a situation where the cause of the deficiency is complex and requires significant investigation and analysis. As previously mentioned, there may be multiple causes contributing to a QC deficiency. Generally, the more thorough the analysis, the more likely the causal factors will be identified and the greater the likelihood that a firm could design and implement remediation efforts that will be effective in preventing similar QC deficiencies from occurring again. It is important for firms to have welldefined processes in order to perform sufficient root cause analysis. The better delineated the underlying processes, the less work that may be necessary to determine why the QC deficiency occurred. ii. Remedial Actions (QC 1000.75) The requirement to design and implement timely remedial action for QC deficiencies did not attract comment and was adopted as proposed. The timing of a firm’s efforts to design and implement remedial actions depends on the results of the firm’s root cause analysis and the nature, severity, and pervasiveness of the QC deficiency. The Board expects a firm to respond in a manner that would mitigate the occurrence of additional QC deficiencies related to similar underlying causes. In some circumstances, due to the extent of remedial actions necessary to address the QC deficiency, a firm might design and implement temporary remedial actions until permanent actions can be designed and implemented. For example, a firm could design and implement supplemental audit practice aids to address QC deficiencies until the firm is able to revise its comprehensive audit methodology. In some situations, a complex QC deficiency may result in the firm developing a multi-step plan with milestones necessary to be PO 00000 Frm 00084 Fmt 4701 Sfmt 4703 achieved as the firm designs and implements its remedial actions. In other situations, the extent of remedial actions the firm needs to take to address a particular QC deficiency may be reduced by other compensating responses that the firm has in place. If the remedial actions, including any relevant compensating responses, have been tested and found effective in addressing the issue, the firm might determine, based on the facts and circumstances, that no further remedial action is necessary. The process of identifying QC observations, determining QC deficiencies, performing root cause analysis, and designing and implementing remedial actions is iterative. For example, a firm may learn information from performing root cause analysis that may identify issues that would have been relevant when evaluating a different QC observation had such information been known at the time. If this were to occur, a firm would further evaluate the other QC observation to determine if a QC deficiency exists based on this new information. As another example, the work entailed in a root cause analysis could potentially help a firm identify other quality objectives that are not being met. To illustrate, the firm’s root cause analysis may show that a lack of training caused deficiencies in a complex audit or accounting area that is common to the firm’s engagements, and may also lead to the identification of other problems in the same area, such as inadequate audit methodology or a missed consultation due to the lack of a well-understood, robust consultation process. PCAOB oversight activities have identified that some firms evaluate positive quality events associated with engagements where no engagement deficiencies were identified. For example, certain procedures, techniques, or voluntary practice aids may have contributed to an engagement performed in accordance with applicable professional and legal requirements. These firms use the information obtained from such evaluations to assess the actions of individuals on engagements with deficiencies, ultimately highlighting potential actions to prevent future engagement deficiencies. The Board believes that evaluating positive outcomes could contribute to the success of the firm’s root cause analysis and remediation efforts. Therefore, the standard includes a note highlighting that it may be beneficial for firms to consider actions, behaviors, or conditions that resulted in positive E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 outcomes, such as where aspects of the firm’s QC system operated effectively or where no engagement deficiencies were identified for individual engagements. In some circumstances, a firm may determine the root cause of a QC deficiency is related to the use of a resource or service provided by a thirdparty provider. If this were to occur, under the standard, the firm is responsible for addressing the effect of the deficiency on its QC system. This could include, among other things, working with the third-party provider to design and implement remedial actions or deciding to end the relationship with the third-party provider and, as part of the firm’s remedial actions, revising its policies and procedures in the area affected. Irrespective of the approach taken and the extent of participation by third parties, the firm remains responsible for its QC system. If a firm belongs to a network and uses network resources or services to enable the operation of the firm’s QC system or the performance of its engagements, a root cause of a QC deficiency could be related to the network resource or service. Similar to a firm’s use of resources or services VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 provided by a third-party provider, a firm is responsible for addressing the effect of the deficiency on its QC system regardless of whether the remedial actions taken by the firm are coordinated with the network or designed and implemented exclusively by the firm. Further, the firm remains responsible for determining whether the actions taken by the network sufficiently remediate the QC deficiency. Under the standard, firms are able to design their approach to conducting root cause analysis and developing remedial actions. Firms’ approaches will vary based on the nature and circumstances of the firm and its engagements. In addition, approaches will likely change as new technologies become available and other techniques develop. k. Monitoring the Implementation and Operating Effectiveness of Remedial Actions (QC 1000.76) The requirement to monitor the implementation and operating effectiveness of remedial action for QC deficiencies did not attract comment and was adopted as proposed. PO 00000 Frm 00085 Fmt 4701 Sfmt 4703 49671 Under the final standard, a firm monitors the effectiveness of its remedial actions through engagement monitoring activities and/or QC systemlevel monitoring activities, depending on the nature of the QC deficiency. If a firm determines the remedial actions were not properly implemented or operating effectively, the firm would be required to take timely actions until the monitoring activities indicate the QC deficiency was remediated. Timely actions could include, among others, one or more of the following: • Adjusting the implemented remedial actions; • Designing and implementing additional remedial actions; or • Performing additional root cause analysis to determine if other causes exist and, if so, designing and implementing remedial actions to address such causes. Once additional actions are taken, a firm is required to perform monitoring activities on such changes to determine whether the QC deficiency was remediated. BILLING CODE 8011–01–P E:\FR\FM\11JNN2.SGM 11JNN2 49672 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices Determining the Existence of and Remediating QC Deficiencies Start Unremediated QC deficiency (continue to design and implement timely remedial actions until remediated) Is QC deficiency remediated? No further action Design and implement timely remedial actions and monitor their effectiveness determination QC deficiency khammond on DSKJM1Z7X2PROD with NOTICES2 2. Current PCAOB Standards Current PCAOB QC standards require firms to establish policies and procedures to provide the firm with reasonable assurance that the policies and procedures relating to each of the other QC elements are suitably designed and are being effectively applied.305 The standards also address how a firm implements the monitoring element of a QC system in its accounting and auditing practice.306 The standards discuss various monitoring procedures that a firm may perform, such as reviewing engagements before or after the engagement reports are issued, 305 See 306 See 307 See QC 20.20. generally QC 30. VerDate Sep<11>2014 17:58 Jun 10, 2024 reviewing selected administrative and personnel records pertaining to the QC elements, considering systemic causes of findings that indicate improvements are needed, determining corrective actions, and following up to ensure that any necessary modifications are made to the firm’s QC policies and procedures on a timely basis.307 Although current PCAOB QC standards provide that monitoring procedures taken as a whole should enable firms to obtain reasonable assurance that their QC systems are effective,308 there are no express obligations for firms to perform any specific types of monitoring. 308 See Jkt 262001 PO 00000 QC 30.03; QC 30.06. QC 30.03. Frm 00086 Fmt 4701 Sfmt 4703 Evaluation of and Reporting on the QC System 1. QC 1000 a. Annual Evaluation of the Effectiveness of the QC System (QC 1000.77) A firm’s evaluation of the results of its monitoring and remediation process helps the firm identify the areas within the QC system that are designed, implemented, and operating effectively, as well as areas that require attention. This perspective will assist firm leadership in allocating resources to address QC deficiencies and provide them with a basis for communicating to others—within or outside the firm—the status of the firm’s QC system. Current PCAOB QC standards do not require such an evaluation. The Board E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.009</GPH> BILLING CODE 8011–01–C Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 understands that some firms already evaluate their QC systems, either voluntarily or in response to other requirements.309 However, not all firms evaluate their QC systems, and those that do may not apply the same degree of rigor. i. Evaluation Requirement The proposed standard included a requirement for the firm to evaluate annually whether its QC system is effective, is effective except for one or more unremediated QC deficiencies that are not major QC deficiencies, or is not effective (i.e., one or more major QC deficiencies exists). Pursuant to proposed paragraph .07c, firms that were not required to implement and operate a QC system at any time within the previous 12 months would not be subject to the requirement to evaluate and report on their QC system. Some commenters expressed support for the proposed annual evaluation requirement. However, several commenters suggested that the Board conform the terminology to ISQM 1, such that the conclusions reached in evaluating the QC system would be the same under both standards. Some commenters expressed concern about the potential for stakeholder confusion because the criteria and terminology used in QC 1000 differ from ISQM 1. One commenter expressed concern that the more stringent criteria of QC 1000 would create a competitive disadvantage. One commenter recommended that the Board eliminate the middle category (effective except for one or more unremediated QC deficiencies that are not major QC deficiencies), so that a firm’s QC system would be evaluated as either effective or not effective based on whether any unremediated major QC deficiencies exist as of the evaluation date, such that the reasonable assurance objective has not been achieved. The commenter analogized to ICFR reporting, where management is only required to report material weaknesses. The Board adopted the evaluation requirements as proposed. The Board does not believe there is any likelihood of confusion among external stakeholders arising from differences in evaluation criteria between QC 1000 and ISQM 1 because, under the final PCAOB standard, the conclusion reached about the effectiveness of a firm’s QC system is not required to be made public. The same is true under ISQM 1. Therefore, if a firm were to 309 See, e.g., NYSE Listed Company Manual, Section 303A.07(b)(iii)(A); Section 2(d) of Article 13, Regulation (EU) 537/2014. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 evaluate its QC system under both standards and reach different conclusions, market participants would be unaware of that fact unless the firm chose to make the results of its evaluation public (in which case, it could also choose to provide an explanation of the difference). Additionally, while ISQM 1 requires communication to those charged with governance about how the system of quality management supports the consistent performance of quality audit engagements, QC 1000 does not require any such communication to the audit committee.310 Firms would of course be free to discuss the evaluation of their QC system with the audit committee, potentially as part of the report required under listing standards that may apply to the issuer.311 The Board believes most audit committee members are already well acquainted with reviewing information prepared under different frameworks, e.g., financial statements prepared under U.S. GAAP and under IFRS, and could readily understand that the more stringent criteria under QC 1000 could lead to a different conclusion about the effectiveness of the QC system. Similarly, the Board believes that firms that are required to perform multiple QC system evaluations will be able to train their personnel and acquire other resources as necessary to avoid confusion among internal stakeholders and perform the evaluation under QC 1000 appropriately. A firm will be subject to both QC 1000 and other QC standards only if it is performing audits under multiple sets of auditing standards. Just as such firms manage the differences in audit requirements and methodology associated with different auditing standards, the Board believes they will be capable of managing differences in the QC system requirements under QC 1000 and other QC standards, including differences in the criteria and terminology used in evaluating the QC system. The Board also believes that requiring three categories for the QC system evaluation, as proposed—effective, effective except for one or more unremediated QC deficiencies that are not major QC deficiencies, and ineffective—will result in a more rigorous QC system evaluation, a greater incentive for firms to address QC deficiencies promptly, and more detailed and informative reporting to the PCAOB. Given that reporting is only 310 See Reporting to the audit committee, discussed below. 311 See NYSE Listed Company Manual, Section 303A.07(b)(iii)(A). PO 00000 Frm 00087 Fmt 4701 Sfmt 4703 49673 to the PCAOB, the Board does not believe an analogy to management’s public reporting regarding ICFR, where only material weaknesses are required to be reported, is appropriate. Firms will be required to perform an evaluation of their QC system annually. The firm’s evaluation is based on data and evidence provided by the firm’s monitoring and remediation activities. An annual evaluation will provide leadership with timely information to facilitate an effective feedback loop.312 This approach highlights the importance of the QC system in driving continuous improvement in firms’ ability to perform compliant engagements on a consistent basis. The evaluation requirement will drive firms to collect and analyze the results of their monitoring and remediation processes in order to identify deficiencies and will provide an additional incentive for firms to focus on areas requiring the most immediate attention and improvement. The evaluation requirement also reinforces the responsibility and accountability of leadership for the firm’s QC system.313 As discussed above, the individual charged with ultimate responsibility and accountability for the QC system as a whole will be accountable for the annual evaluation, and both that individual and the individual charged with operational responsibility and accountability for the QC system as a whole will be required to certify the firm’s annual report regarding the evaluation of its QC system.314 The Board believes this will send a clear message about the importance of the evaluation and incentivize firm leadership to take ownership of both the annual evaluation of the QC system and the results. While the Board adopted as proposed a requirement for annual evaluation of the QC system, it made some changes in response to commenter input, as described below. ii. Evaluation Frequency and Date The proposed standard would have required the firm to evaluate its QC system annually as of November 30 and conclude on whether any unremediated QC deficiencies (including major QC deficiencies) exist as of that date. 312 Firms could decide to evaluate the QC system more frequently than required under the standard. For example, a firm with one or more major QC deficiencies may decide to perform a mid-year evaluation to gauge the effectiveness of its remedial actions. 313 See QC 1000.13–.17. 314 See QC 1000.14c.–d. and .15b. E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49674 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices One commenter, an investor-related group, supported the proposed November 30 evaluation date and opposed allowing firms to set their own reporting date. Many commenters, generally firms and firm-related groups, suggested that firms should be permitted to choose their own evaluation date, primarily because it would enable them to choose a date based on their own operating and business cycle or inspection cycle. These commenters also noted other considerations, such as alignment with the firm’s fiscal year end or the date already chosen for the evaluation required under ISQM 1. Several commenters suggested that firms should be able to choose a date that would allow them sufficient time to perform root cause analysis, remediate identified issues, and test the effectiveness of their remediation efforts. One commenter noted that firms could choose a date with a view to enabling real-time conversations with audit committees. Another commenter suggested that additional flexibility on the evaluation date would enhance the scalability of the standard. Some commenters stated that requiring a specific evaluation date could lead firms to perform assessments twice a year. Several commenters also raised a concern about potential resource limitations in performing the evaluation on the timetable the Board proposed. Other commenters suggested various options for potential alternative evaluation dates: • March 31, on the basis that it is better aligned with a natural business cycle for many firms or aligns with the Form 2 reporting date. (These commenters generally preferred allowing firms to choose their own evaluation date over a mandated date applicable to all firms and suggested March 31 as a second-best approach.) • September 30, which would allow firms to report to the PCAOB by November 15 and, in turn, report to audit committees before the end of the calendar year. • September 30 or October 31, if the proposed January 15th reporting date is implemented, to allow additional time to complete reporting. • February 28, to allow reporting by April 1, in advance of the April/May proxy season. • A window, for example, November to March, within which firms could choose a date. Taking into account commenter feedback on the proposed evaluation date of November 30, the evaluation date was revised to September 30 for all firms. The Board believes this earlier VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 date addresses commenter concerns that the November 30 date would have caused potential resource limitations during the traditional busy period for many firms. Further, the Board believes an evaluation date of September 30 would provide the firm with enough time to identify and potentially remediate any QC deficiencies identified from the most recent calendar year-end engagements, which might not be possible if an earlier date were selected. As summarized above, some firms expressed concern that a firm that has already chosen its evaluation date under ISQM 1 would be required to perform two QC system evaluations per year since the PCAOB’s evaluation date differs from ISQM 1’s. The Board believes firms can build on work already done for the purpose of complying with the requirements of one QC standard in performing the other, to the extent applicable. However, since the nature of the two evaluations is inherently different (e.g., the determination of major QC deficiencies, the differing definitions of QC deficiency under QC 1000 vs. deficiency under ISQM 1), the Board believes that there would always be some differences between the evaluation required under QC 1000 and the evaluation required under ISQM 1. While there could be additional costs associated with multiple evaluations if a firm chose to have separate evaluation dates for purposes of QC 1000 and other QC standards to which it is subject, firms would be free to change their evaluation date under other QC standards so that the evaluation dates coincide. The proposed standard also included a note clarifying what unremediated means in the context of this requirement: remedial actions that completely address the QC deficiency have not been fully implemented, tested, and found effective. While this note did not draw specific comment, one commenter suggested that the framework afforded by section 104(g)(2) of Sarbanes-Oxley, which the commenter said focuses on substantial good faith progress instead of complete remediation, is necessary and should be retained. The Board disagrees as, in its view, the two provisions serve fundamentally different purposes and a different approach is appropriate for firm evaluation and reporting under QC 1000. Sarbanes-Oxley section 104(g)(2) governs the circumstances under which the PCAOB is permitted to make portions of an inspection report dealing with quality control criticisms and potential defects public. It forbids PO 00000 Frm 00088 Fmt 4701 Sfmt 4703 publication if the criticisms or defects ‘‘are addressed by the firm, to the satisfaction of the Board,’’ not later than 12 months after the date of the report. In describing its process for determining whether a matter has been addressed to its satisfaction, the Board indicated that a ‘‘favorable Board determination reflects the Board’s assessment that the firm has demonstrated substantial, good faith progress toward achieving the relevant quality control objectives, sufficient to merit the result that the criticisms remain nonpublic. A favorable determination does not necessarily mean that the firm completely and permanently cured any particular quality control defect.’’ 315 By contrast, reporting on Form QC is simply factual: as of the evaluation date, has each identified QC deficiency been fully remediated or not? Under QC 1000, firms will perform a selfevaluation, based on the process and criteria set forth in the standard. This is very different from the process by which the Board determines whether a matter has been remediated to its satisfaction for purposes of section 104(g)(2),316 not least because it involves the firm’s selfassessment rather than the Board’s judgment. Moreover, the Board does not believe the consequences of a firm reporting an unremediated QC deficiency to the PCAOB would be the same as the consequences of the PCAOB publishing QC criticisms in an inspection report; in particular, the Board does not believe that the legislative policy choice reflected in section 104(g)(2), which, as the Board has said, favors ‘‘the correction of quality control problems over the exposure of them,’’ 317 applies in this context, given the nonpublic nature of the Form QC reporting. Accordingly, the Board adopted the note to paragraph .77 as proposed. b. Determining Whether Major QC Deficiencies Exist (QC 1000.78) The standard requires firms to evaluate unremediated QC deficiencies as of the evaluation date to determine whether major QC deficiencies exist. While the identification of QC deficiencies will be an ongoing process throughout the year, the determination of whether any of those QC deficiencies, alone or in combination, constitute major QC deficiencies will be required only as part of a firm’s annual evaluation of its QC system. 315 PCAOB Rel. No. 104–2006–077 at 6. PCAOB Rule 4009, Firm Response to Quality Control Defects. 317 PCAOB Rel. No. 104–2006–007 at 2. 316 See E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 i. Definition of a Major QC Deficiency The proposed standard provided that a major QC deficiency was ‘‘an unremediated QC deficiency or combination of unremediated QC deficiencies, based on the evaluation under paragraph .78, that severely reduces the likelihood of the firm achieving the reasonable assurance objective or one or more quality objectives.’’ One commenter supported the concept of major QC deficiency. However, a number of commenters expressed concern with that proposed definition: • Several commenters expressed concern that the definition could cause a firm to come to a different conclusion about its QC system during the annual evaluation process under QC 1000 than the conclusion a firm may reach under ISQM 1 and suggested that the definition be revised to include the concepts of severe and pervasive, similar to the concepts that appear in relation to the evaluation of QC deficiencies under ISQM 1. • One commenter stated that it was unclear why a new term, ‘‘major QC deficiency,’’ would be necessary and questioned the need for a reference to a threshold other than ‘‘achieving reasonable assurance.’’ • Another commenter was concerned that the concept of major QC deficiency, which other QC standards do not use, will redirect time and resources to analyzing the level of a deficiency instead of the important elements to remediate the deficiency such as root cause analysis and implementing timely changes to a firm’s system. • Another commenter stated that the phrase ‘‘severely reduces the likelihood’’ in the definition of major QC deficiency is vague and not sufficiently defined in the proposed QC standards and suggested that the phrase be replaced with the phrase ‘‘prevents the firm from concluding.’’ The Board considered the commenter feedback and determined to adopt this language as proposed. The Board agrees it is possible that firms could reach different conclusions as to the effectiveness of their QC system under QC 1000 and ISQM 1 or SQMS 1. However, the concept of severe and pervasive, which commenters suggested be incorporated in the definition, appears in the factors for firms to consider when determining the existence of a major QC deficiency (see paragraph .78b. below). The Board believes that including this concept in the factors clarifies the process firms will need to go through in making their VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 determination of whether a major QC deficiency exists. The defined term ‘‘major QC deficiency’’ is unique to QC 1000, but the concept it embodies—that the QC system does not provide the firm with reasonable assurance that the objectives of the QC system have been met—is not, and appears in both ISQM 1 and SQMS 1. Accordingly, the Board does not believe that phrasing the requirements as it has, including the use of a defined term, will require a different evaluation process than if it had simply required a determination that the QC system was ineffective. The standard does not require the determination of major QC deficiencies to be performed at any time other than the evaluation date. However, firms may choose to perform such an analysis ahead of the annual evaluation date to enable sufficient time to design, implement, and test remedial actions related to the QC deficiencies that have the greatest potential impact on the QC system. As with the defined term ‘‘QC deficiency,’’ the defined term ‘‘major QC deficiency’’ is analogous to a term in COSO’s integrated framework, major deficiency, which includes the concept of ‘‘severely reduces the likelihood.’’ The Board believes that this concept is already well-understood by firms. Another commenter expressed concern that a major QC deficiency would exist if there was a severely reduced likelihood that the firm did not achieve a single quality objective, even when the firm had in fact achieved the reasonable assurance objective. In the Board’s view, this concern is more theoretical than real. The quality objectives in QC 1000 relate to compliance with applicable professional and legal requirements in each component of the QC system and in the aspects of the firm’s practice that are addressed by each component. Failing to achieve such a quality objective implies that the reasonable assurance objective has not been achieved. Some quality objectives, particularly in the resources component, also relate to compliance with the firm’s policies and procedures. These quality objectives are directed to the QC system itself: compliance with policies and procedures is necessary for the QC system to operate as designed. While failure to comply with firm policies and procedures does not necessarily imply failure to comply with applicable professional and legal requirements, it does mean that the QC system is not operating as designed, which may raise questions about the level of assurance it provides. PO 00000 Frm 00089 Fmt 4701 Sfmt 4703 49675 In response to commenter feedback regarding the proposed concept of presumed major QC deficiencies (discussed in the next section), the leadin language of paragraph .78 was revised to clarify that the factors in paragraph .78b are to be applied by the firm both (i) when a presumption arises that a major QC deficiency exists and the firm attempts to rebut the presumption, and (ii) in instances where no presumption arises. ii. Presumed Major QC Deficiency (QC 1000.78.a) The proposed definition of a major QC deficiency provided for two circumstances that would be presumed to evidence a major QC deficiency. These circumstances included an unremediated QC deficiency or combination of unremediated QC deficiencies that: • Relates to the firm’s governance and leadership that affect the overall environment supporting the operation of the QC system. Firm governance and leadership establish the environment that determines how firm personnel carry out responsibilities for the operation of a firm’s QC system and the performance of its engagements. Because of the pervasive impact of leadership and the ‘‘tone at the top,’’ one or more unremediated QC deficiencies related to firm governance and leadership that affect the overall environment supporting the operation of the QC system would almost always severely reduce the likelihood of the firm achieving the reasonable assurance objective or one or more quality objectives. • Results in or is likely to result in one or more significant engagement deficiencies in engagements that, taken together, are significant in relation to the firm’s total portfolio of engagements conducted under PCAOB standards. A significant engagement deficiency exists when (1) the engagement team failed to obtain sufficient appropriate evidence in accordance with the standards of the PCAOB or failed to perform interim review or attestation procedures necessary in the circumstances, (2) the engagement team reached an inappropriate overall conclusion on the subject matter of the engagement, (3) the engagement report is not appropriate in the circumstances, or (4) the firm is not independent of its client.318 An unremediated QC deficiency that would likely result in one or more of these deficiencies in engagements that, taken together, are significant in relation to the firm’s total portfolio of engagements 318 See E:\FR\FM\11JNN2.SGM Notes to AS 1220.12, .17, .18B. 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49676 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices conducted under PCAOB standards would give rise to a presumption that a major QC deficiency exists. The definition included examples of quantitative and qualitative criteria that may signal such significance. One commenter argued that the proposed presumption regarding deficiencies in the governance and leadership component was unnecessary, on the basis that not every deficiency in governance and leadership was necessarily a major QC deficiency. Other commenters expressed concern that the circumstances presumed to evidence a major QC deficiency remove the auditor’s ability to apply professional judgment. Another commenter suggested that the presumptions could be replaced with indicators of a major QC deficiency, similar to how AS 2201 treats material weaknesses. Another commenter stated that it is not appropriate to include in the proposed definition circumstances when a major QC deficiency is presumed to exist because the factors provided in paragraph .78 are sufficient to make the evaluation of whether a QC deficiency is a major QC deficiency. Another commenter suggested that these presumed major QC deficiencies could be relocated from the definition and into paragraph .78 and achieve the same objective. The Board considered the commenter feedback. However, as described above, the Board continues to believe that because of the pervasive impact of leadership and the ‘‘tone at the top,’’ one or more unremediated QC deficiencies related to firm governance and leadership that affect the overall environment supporting the operation of the QC system would almost always severely reduce the likelihood of the firm achieving the reasonable assurance objective or one or more quality objectives—that is, would almost always result in a major QC deficiency. The Board also noted that, consistent with the proposal, the presumptions are not conclusive and can be rebutted by the firm in appropriate circumstances. The note to paragraph .78a clarifies that in order to rebut a presumption that a major QC deficiency exists, a firm must demonstrate, by taking into account both of the factors in paragraph .78b. (including all of the listed examples in paragraph .78b.(1)), that a major QC deficiency does not exist.319 The 319 When circumstances exist that are presumed to evidence a major QC deficiency, but the firm demonstrates that it does not have a major QC deficiency, the firm will be required to disclose the basis for its determination in its report to the PCAOB on Form QC, as discussed further below. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 standard thus allows for circumstances in which a deficiency related to one of the presumptions does not amount to a major QC deficiency, and creates an opportunity for firms to exercise professional judgment in deciding whether to attempt to rebut the presumption and, if so, how to apply the paragraph .78b factors. However— appropriately, in the Board’s view—the presumptions shift the burden of proof to the firm, which will have to demonstrate that circumstances generally reflecting a major QC deficiency do not constitute a major QC deficiency in its case. The Board believes the term ‘‘presumption’’ achieves this burden shifting more clearly than ‘‘indicators’’ or other terms would do. The Board agrees with the commenter that suggested that the presumed major QC deficiencies should not be included in the definition of major QC deficiency and have taken another commenter’s suggestion to relocate the presumption to paragraph .78. Accordingly, the Board made the following revisions to paragraph .78: • Relocated the circumstances presumed to evidence a major QC deficiency from the definition into paragraph .78a, so they are explicitly part of the process of determining whether a major QC deficiency exists. • Included a note to clarify what the firm has to demonstrate in order to rebut the presumption that a major QC deficiency exists. Importantly, the circumstances where a major QC deficiency is presumed to exist are not an exhaustive list of possible major QC deficiencies. For example, any deficiency that requires significant effort and resources to remediate may be a major QC deficiency. One firm requested clarification of the relationship between the definitions of ‘‘engagement deficiencies’’ and ‘‘significant engagement deficiencies.’’ As is evident from their respective definitions, significant engagement deficiencies are a subset of engagement deficiencies. QC 1000 defines an engagement deficiency as ‘‘an instance of noncompliance with applicable professional and legal requirements by the firm, firm personnel, or other participants with respect to an engagement of the firm, or by the firm or firm personnel with respect to an engagement of another firm.’’ As the footnote to paragraph .78 of the standard provides, ‘‘A significant engagement deficiency exists when (1) the See Form QC, Report on the Evaluation of the Firm’s System of Quality Control, Item 2.5. PO 00000 Frm 00090 Fmt 4701 Sfmt 4703 engagement team failed to obtain sufficient appropriate evidence in accordance with the standards of the PCAOB or failed to perform interim review or attestation procedures necessary in the circumstances, (2) the engagement team reached an inappropriate overall conclusion on the subject matter of the engagement, (3) the engagement report is not appropriate in the circumstances, or (4) the firm is not independent of its client. See, e.g., Notes to AS 1220.12, .17, .18B.’’ iii. Factors for Consideration To help firms make the determination of whether a major QC deficiency exists, the standard provides factors on which to base the determination, which assist firms in applying the definition. Several commenters expressed general support for the proposed factors, and the Board adopted them as proposed. The Board did not receive comments on the examples that illustrated the proposed factors, and adopted this aspect of the proposal substantially as proposed, with one addition, in a renumbered paragraph .78b.(1)(d). The added example relates to the persistence of an unremediated QC deficiency or combination of unremediated QC deficiencies over time. Through its oversight activities the PCAOB has observed repeat or persistent criticisms—appearing in consecutive inspections, or occurring consistently over multiple years, even if not every year—which the Board believes may be indicative of a problem so pervasive and/or so severe that the firm has been unable to effectively remediate it, or of significant failures in the firm’s remediation process. Firms will need to consider whether and how the existence of a persistent unremediated QC deficiency or combination of unremediated QC deficiencies year over year might indicate the existence of a major QC deficiency. Under the standard, the factors for determining whether a major QC deficiency exists are: • The severity and pervasiveness of the unremediated QC deficiency or combination of unremediated QC deficiencies. A firm assesses an unremediated QC deficiency, considering both quantitative and qualitative implications. For example, a firm will assess how many of the components of its QC system, quality objectives, and quality responses are affected by the deficiency, the number of root causes, and the number of affected engagements or engagements likely to be affected in the future, as well as the impact on those engagements, including engagements E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 where the opinion was not appropriately supported or the financial statements or management’s internal control assessment had to be revised or restated. The firm would also consider the implications of the deficiency for the QC system overall, based on ways in which the design or operation of other aspects of the QC system may be affected, the pervasiveness of the root causes, and the risk of the firm issuing inappropriate engagement reports or otherwise performing deficient engagements in the future. Viewed this way, for example, an unremediated QC deficiency that affects engagements only in a single industry, where the firm has few clients and no intention to acquire more and the engagements represent an VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 insignificant portion of the firm’s total portfolio of engagements under PCAOB standards, is less likely to be severe or pervasive. The Board views the concepts of severity and pervasiveness as overlapping and the factors in paragraph .78b.(1) that indicate the severity and pervasiveness of an unremediated QC deficiency, or combination of unremediated QC deficiencies, represent both aspects. The standard does not require the firm to determine that an unremediated QC deficiency is both severe and pervasive in order for it to constitute a major QC deficiency, nor is the list of examples exhaustive. • The extent to which remedial actions have been implemented, tested, PO 00000 Frm 00091 Fmt 4701 Sfmt 4703 49677 and found to be effective. Before the annual evaluation date, a firm may implement remedial actions that reduce the severity or pervasiveness of an unremediated QC deficiency. To illustrate, if a firm identifies an issue with its audit software, it could develop a temporary ‘‘work around’’ to mitigate the unremediated QC deficiency until a permanent solution is employed. For this factor to be relevant for a firm when determining whether a major QC deficiency exists as of the annual evaluation date, the remedial actions have to be tested and the results have to show that such remedial actions are operating effectively. BILLING CODE 8011–01–P E:\FR\FM\11JNN2.SGM 11JNN2 49678 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices Annual Evaluation of the Firm's QC System Start ' Effective with Unremediated QC deficiencies l Do any major QC deficiencies eust? Effective except for one or more I.Uh'emediated QC deficiencies that are not major QC deficiencies Major QC deficiencies VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 PO 00000 Frm 00092 Fmt 4701 Sfmt 4725 E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.010</GPH> khammond on DSKJM1Z7X2PROD with NOTICES2 Not effective (one or more major QC deficiencies exists) Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices 49679 Determine Whether a Major QC Deficiency(ies) Exists Unremediated QC Deficiency or Combination of Unremediated QC Deficiencies Relates to Governance & Leadership that affects tbe overall environment suppordng tbe operation of the QC system? (e.g., symptomatic of a broad failure by firm leadership) Results in or is it likely to result in one or more SED* in engagements that, taken together, are signil"acant in relation to tbe firm's total portfolio of engagements conducted under PCAOB standards? (e.g., affects entire industry sector for sigr,if'icant portion of revenues or prof'ltS generated from engagements) Can presumption be rebutted? (apply both factors in .78b and all of the listed examples in .78b.(1)) Major QC Deficiency ("MQCD") VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 PO 00000 Frm 00093 Fmt 4701 Sfmt 4725 E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.011</GPH> khammond on DSKJM1Z7X2PROD with NOTICES2 *SEO- Significant engagement deficiency. A sigllifiClllll engagement deficiency exists whffl {I) the engagement team faile;;I to obtain sufficient appropriate evidence i11 accordance wilh lhe standards oftbe PCAOB or failed lo pe,form interim review llf attestation ptoced11res necessary in lhe circumstances, (2} the cngagem<,'11l team rcacht.-d an inappropriate overall conclu.sion oo the subject matter of the cngagcmenl, (3) !he cngagemcnl report is not appropriate in the cireum.1tllllCCS, or (4) !he firm is not indepi:n<bll of its client. 49680 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices Example Considerations Relevant to Determining Major QC Deficiency Severity antl pervasiveness of the 11nremcdiated.QC dellcicnty s.iverity and 1wrvasivcness oftlrn unriim,ediated QC deficicnh • E11gajement deficiency limited to SJ)ccific iodµ~try, wot q~use analysis identified 110 i~st1es in the :/inn's ri5k aMe!!Sment prflcess or •other relevan.t QC component$, 11,1 shnil~r engagement deficiencies. • Multtple lililures across a 1111111ber QfQC system components (e.g., : Firm', Risk Assessnient.Proces~ - poor dcsig11; Engftgetnent • Performance• st1peivi~i11n, di1e profo~~i(lnai care; lnl•.> & Co1nm -e foilme to appropriately C()!IJltlUlliC~te intemolly; M&R'"'. foillirl' to identify repeated SEil,). • • : Extent to ,vhkh rcm.cdlal actions have been impkmented; tested, • aml fonnd cffcctin • • • • Fully impl~ro\ll1t~d hut testing wa,i not yei complete for i>ne a~pcct ,>f the remedial action • 1 1 EttHt to whltll i-tiaedial actiolls have been implemented, tested, aid to.ad elftctlve •Undertaken only partial, stopgap ttn'icdial actions and hnd 110! tested . their dTectiveMsS • c. Firm Reporting on QC System Evaluation (QC 1000.79–.80) i. Reporting to the PCAOB khammond on DSKJM1Z7X2PROD with NOTICES2 (1) Annual Reporting Under the proposal, firms were to report to the Board annually the outcome of the evaluation of the firm’s QC system with respect to any period during which the firm was required to implement and operate the QC system. Many commenters supported the proposed annual reporting requirement. However, one commenter stated that this annual firm reporting would be of no meaningful incremental benefit to the PCAOB and has the potential to create an adversarial dynamic that would not promote audit quality or well serve investor protection goals. Another commenter suggested that if the required reporting on Form QC to the PCAOB would lead to follow-on requests from the PCAOB to furnish more detailed information as to specific findings, then confidentiality legislation may be an issue for firms. Other commenters argued that, because the PCAOB could obtain the same information through the inspections process, reporting to the PCAOB would be unnecessarily duplicative. Another commenter argued that all unremediated QC deficiencies should not have to be reported on Form QC, specifically commenting that the PCAOB already has the ability to access QC documentation for all registered firms to view this information. Another commenter suggested that the value of the report when not accompanied by independent attestation is likely to be limited. The Board acknowledges that it has the ability to request from firms information relating to their QC systems. However, the Board continues to believe that annual reporting to the VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 Board will provide the PCAOB with important information about firm QC systems in a timely and structured way and will provide an effective and efficient means of gathering information about firm QC systems. Currently, only 14 of the approximately 1,600 registered firms are subject to annual inspection. Approximately 640 registered firms are required to be inspected on a triennial basis, of which approximately one third are inspected in any given year.320 Therefore, the Board does not believe that collecting firms’ QC information during an inspection would provide timely information regarding the majority of registered firms’ QC systems. Data collected by the PCAOB will inform its inspections process, including decisions about the selection of firms and engagements as well as focus areas to inspect and the nature and extent of its inspection procedures (both for QC processes and individual engagements), and will enable the PCAOB not only to make more refined data requests from the firms, but also to focus its inspection resources on those firms and engagements with the greatest risk. The Board believes that this will help better advance its investor protection mandate. Additionally, the Board believes that a formal reporting process will result in enhanced accountability of firm leadership for QC and an additional incentive for prompt remediation of identified QC deficiencies. While the standard does not require attestation over the firm’s evaluation process, the Board believes that the requirements regarding the form, including required certifications, will provide sufficient incentive for firms to report accurately and completely (and enforcement remedies 320 The data were obtained from Audit Analytics and publicly available data from the PCAOB’s Registration, Annual and Special Reporting (RASR) available at https://rasr.pcaobus.org. PO 00000 Frm 00094 Fmt 4701 Sfmt 4703 will be available if they do not). The incremental effort for a firm to report its evaluation to the PCAOB will not be substantial, as the firm is simply communicating the results of its evaluation process and any related remediation activities, which it is required to conduct and document under QC 1000 in any case. One firm suggested that the Board only require reporting to the PCAOB if a firm performed engagements in accordance with PCAOB standards during the one-year period ending on the evaluation date. The Board considered whether this change would be of significant benefit to firms and would further enhance the scalability of the standard. However, firms that are not currently performing engagements may have responsibilities with respect to past engagements.321 Moreover, regardless of whether they are required to report the results of the annual evaluation, firms will still be required to perform an evaluation pursuant to QC 1000 in such a circumstance. On that basis, the Board believes that reporting would be valuable even for firms that did not perform an engagement during the year preceding the evaluation date, and that reporting should not constitute an undue burden. (2) Reporting Mechanism: Form QC As proposed and under the final rules, firms are required to report their annual QC evaluation on a new form, Form QC. Several commenters supported the use of a separate Form QC, with some of these commenters asserting that because firms should be allowed to select their own evaluation date, this would necessitate the use of Form QC, rather than an existing form such as Form 2. Another commenter supported the view that expanding Form 2 to incorporate QC information 321 See, E:\FR\FM\11JNN2.SGM e.g., AS 2901; AS 2905. 11JNN2 EN11JN24.012</GPH> BILLING CODE 8011–01–C Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 was not favorable as this would make the form longer and more complex. The Board continues to believe that separate reporting on new Form QC remains appropriate. The contents of Form QC are the result of a separate evaluation process by a firm and the Board believes that it is simpler for the results of the annual evaluation to be reported on a separate form. In addition, as discussed in more detail above, QC 1000 requires firms to conduct an annual evaluation of their QC system as of September 30. The use of a separate Form QC for reporting the results of the annual evaluation will facilitate closer alignment of the timing of the reporting and the annual evaluation date. For example, the submission deadline for Form 2 is June 30, which is nine months after the annual evaluation date of September 30. Furthermore, Form 2 reporting is public and, as discussed in more detail below, Form QC will not be publicly available. The proposal asked whether Form QC should be permitted to be filed in XML or another machine-readable format. In response, one commenter supported the PCAOB permitting widely accepted formats that support usability. Another commenter supported that the webbased system for submitting the information be navigable and easy to use. Reporting to the PCAOB will be done using the same platform as its other reporting forms (currently, its web-based RASR system and, in the future, potentially new means of information exchanges as the PCAOB continues to modernize its reporting technology aimed at simplifying and automating data collection, processing, and interoperability). (3) Contents of Form QC The contents of Form QC will address the matters listed in paragraphs .79–.80. In addition, Form QC will elicit certain information about the firm and the individuals responsible for the QC system, aggregated information about the items required to be reported in paragraph .80, the areas of QC to which any unremediated QC deficiencies relate, and a certification of the evaluation of the QC system by certain designated individuals (discussed below). One firm asserted that the requirement to report unremediated deficiencies is at too granular a level to be meaningful. The Board considered several alternatives, including requiring firms to report to the Board on the outcome of the annual evaluation of the firm’s QC system only when the firm identifies a major QC deficiency. While this approach could reduce some of the costs associated with preparing the VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 annual evaluation to the PCAOB, it would also significantly reduce the value of the reporting of the firm’s annual evaluation to the PCAOB, as well as potentially affecting the rigor of the firm’s evaluation process. As noted above, reporting on all unremediated QC deficiencies will inform various aspects of the Board’s oversight activities. In addition, to the extent that reporting may increase firm leadership’s focus on their responsibility and accountability for quality, reduced reporting would be less beneficial. Therefore, the Board decided that annual reporting to the PCAOB of the results of firms’ annual evaluation of the QC system, including unremediated QC deficiencies, is the appropriate approach. One commenter supported the inclusion of Item 4.1 of Form QC on whether the Board should inform a party of a subpoena for information on Form QC, but another commenter argued that it was unnecessary, may interfere with investigations, may create a potential ground for firms to sue the Board in the event notification did not occur, or potentially involve the PCAOB in private litigation. Because Form QC will be nonpublic, the Board believes that firms should be given the opportunity to request such notification, consistent with the PCAOB’s treatment of the other nonpublic form filed with the PCAOB.322 An investor suggested firms should also affirm to the PCAOB on Form QC that any information that the firm voluntarily released (e.g., in transparency reports, audit quality reports, and CEO speeches) over the time period covered by Form QC was consistent with the state of their quality control system, as of the time of the voluntary disclosure. This commenter also suggested that the affirmation should be publicly available. An investor-related group suggested that firms should report publicly on Form QC how an independent QC board committee (established under paragraph .28 of QC 1000) carries out its responsibilities. As discussed in more detail below, Form QC will not be publicly available, so there would be no benefit to the public in adding this information to Form QC. However, the Board remains committed to finding additional ways of providing public disclosure to better inform investors about firms, and to that end, has separately proposed to amend Form 2 to identify whether the firm has an 322 See General Instructions 5 to PCAOB Form 1– WD, Request for Leave to Withdraw from Registration. PO 00000 Frm 00095 Fmt 4701 Sfmt 4703 49681 external oversight function for the audit practice (established under paragraph .28 of QC 1000) and, if so, the identity of the person or persons and an explanation for the basis of the firm’s determination that each such person is independent (including the criteria used for such determination) and the nature and scope of each such person’s responsibilities.323 Some commenters indicated that there might be circumstances in which information required by Form QC may be restricted from disclosure by the operation of legal requirements (such as data protection laws). Two of these commenters suggested that the instructions to Form QC should include a provision found in other PCAOB forms allowing firms to decline to provide information if the firm believes that providing such information would violate non-U.S. law. Another commenter, while acknowledging that it was not aware of non-U.S. laws that would prohibit reporting the information required on Form QC, suggested that the Board state that firms would not violate the requirement to file Form QC if laws or regulations exist in the jurisdiction(s) of the firm that prevent compliance with this requirement. The Board acknowledges that certain PCAOB forms include a general instruction for assertions of conflicts with non-U.S. law. In these circumstances, the instructions identify the specific parts and items within the form for which the firm may withhold responsive information on the basis that the firm could not provide such information without violating non-U.S. law. Form QC, however, calls for certain discrete information that the Board does not believe, and that no commenter has suggested, would be restricted from disclosure under non-U.S. law (e.g., the firm’s name, the evaluation date, the overall conclusion of the firm’s evaluation, the number of unremediated QC deficiencies, and for each unremediated QC deficiency, whether it is or is not major and the areas of the QC system to which it relates). Beyond that, Form QC requires firms to provide narrative information, including a description of each unremediated QC deficiency, the basis for the firm’s QC deficiency determination, a summary of remedial actions, and the firm’s major QC deficiency presumption analysis (if applicable). The Board believes that the narrative information required to be reported in Form QC can be provided at a sufficiently summarized level such that the reporting of such information 323 See E:\FR\FM\11JNN2.SGM PCAOB Rel. No. 2024–003 at 29. 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49682 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices by the firm would not require disclosure of information that could be restricted by legal requirements such as data protection laws. For example, if a firm reports an unremediated QC deficiency on Form QC, the Board believes that the firm could provide a description of the deficiency and a summary of the remedial actions taken and planned to be taken without violating non-U.S. law. Some commenters suggested that the standard should clarify that firms submit Form QC in connection with an inspection under section 104 of the Sarbanes-Oxley Act and that Form QC should receive the same confidentiality protections of section 105(b)(5)(A) of the Act that other inspections-based documents and information receive. One of these commenters further suggested that the Board should make clear that all of Form QC and its contents benefit from the privilege established by section 105(b)(5)(A), regardless of how a deficiency has come to light. Another commenter suggested that the Board consider requesting firms to provide the information proposed to be in Form QC through the inspection process, and that such requests could be made at any time to facilitate the PCAOB’s inspections. The commenter explained that under this suggested alternative approach, Part II and the related exhibits of Form QC could be removed and instead, the PCAOB could request this as part of the inspection process, to allow the information to be privileged under section 105(b)(5), while retaining the certification. The Board does not believe that it is appropriate to specify that Form QC is provided in connection with an inspection. The obligation to furnish Form QC to the PCAOB does not derive from a request from PCAOB inspection staff; instead, that obligation arises expressly from paragraph .79 of QC 1000. And while Form QC, like other forms filed with the PCAOB (such as annual reports on Form 2), may be used to inform the PCAOB inspection process, that is not the only purpose of the form; it may be used, for example, in connection with PCAOB standardsetting processes, its economic and risk analysis, and its registration program, to name a few examples. Furthermore, Form QC submissions may not directly relate to an inspection. For example, triennially inspected firms are required to report on Form QC annually, including in years in which they are not subject to inspection. Firms that are no longer performing engagements making them subject to PCAOB inspection may still be required to report on Form QC in light of their post-issuance QC responsibilities, such as their audit VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 documentation retention obligations under AS 1215. Accordingly, the Board does not believe that Form QC is received by the Board in connection with an inspection for purposes of section 105(b)(5)(A) of the Act, though it notes, as discussed further below, that certain information contained within a Form QC may be subject to the protections of section 105(b)(5)(A). (4) Reporting Date The proposal contemplated that firms would have until January 15 of the year following the November 30 evaluation date to file Form QC. This provided firms 46 days from the evaluation date to the reporting date. As adopted, the standard provides that firms have until November 30 to report on Form QC to the PCAOB. This provides firms with 61 days after the evaluation date of September 30 to file Form QC. A general instruction was added to Form QC to clarify the reporting period covered by the firm’s evaluation. The reporting period is the period beginning on October 1 of the year preceding the year in which Form QC is required to be filed (or, if a firm’s obligation to implement and operate a QC system arises under paragraph .07a after October 1 of that year, the date on which that obligation arises)) and ending September 30 of the year Form QC is required to be filed. Under this provision, the reporting period will generally be 12 months long, but will be shorter if the obligation to implement and operate the QC system arises mid-period (whether by virtue of the effective date of QC 1000 or the firm’s otherwise becoming subject to the requirement to implement and operate the QC system). Several commenters suggested a 90day period from the evaluation date to the reporting date would be appropriate because this would allow for testing of controls that operate at the evaluation date, and allow firms to perform thorough and detailed evaluations. Several commenters suggested that additional time is required for Form QC preparation beyond 45 days to be able to compile relevant information, including information on remedial actions, with some commenters supporting a 60-day period that would align with the shortest due date applicable to issuers to report on their conclusion on internal control over financial reporting. Another commenter suggested that reporting should be in advance of the April/May proxy season, suggesting a reporting date of April 1 using an evaluation date of February 28. One commenter did not support a January 15 reporting deadline, suggesting that this would be close to PO 00000 Frm 00096 Fmt 4701 Sfmt 4703 the conclusion of the audit and, if there are matters to be reported to the audit committee, would leave the audit committee with little time to consider and respond to the information before the due date of the issuer’s Form 10–K. The commenter also suggested that for firms subject to both ISQM 1 and QC 1000, having different reporting dates would create unnecessary complexities for audit committees receiving reports under different standards and different points in time. Several commenters suggested that a January 15 reporting deadline would be challenging for many firms given the proximity to year-end holidays. One commenter suggested that coinciding the reporting date of January 15 with the PCAOB’s inspection process should not be a key consideration for firms in determining the most appropriate date for their annual assessment. The Board believes that extending the number of days from the evaluation date to the reporting date to 61 days will provide firms sufficient time to complete their evaluation and report to the PCAOB. In addition, the reporting date of November 30 as adopted is prior to the calendar year end and the traditional busy period for many firms, which the Board believes will further benefit firms in performing their evaluations. ii. Form QC: Not Publicly Available The proposed standard contemplated that Form QC would be nonpublic. Many commenters, including firms, supported requiring the contents of Form QC to be nonpublic. One firm commented that to require public reporting would be inconsistent with the balance that Congress struck in sections 104(g)(2) and 105(b)(5) of Sarbanes-Oxley. One commenter asserted that the PCAOB should not use rulemaking to cause firms to disclose quality control matters that the PCAOB is prohibited by Sarbanes-Oxley from disclosing or cause firms to otherwise disclose information that would be confidential under statute. Another commenter suggested that public disclosure of unremediated QC criticisms could allow companies that have a lower demand for audit quality to select a lower quality auditor. Other commenters, generally investors and investor-related groups, objected to the lack of public disclosure. Two investors commented that the proposed disclosure to audit committees but not to the public leaves investors in the dark, and that disclosure requirements provide an effective incentive for remediation of identified quality control issues. Another E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices commenter asserted that if the PCAOB is permitted to compel firms to disclose quality control information to audit committees, then they expect that the PCAOB could also compel disclosure of such information to the public. The commenter suggested that QC disclosures only to audit committees may have unintended consequences for the public markets as companies will have more information regarding the quality of their auditors than individual investors. Some investors and investorrelated groups commented that the proposal provides little public accountability with no mandated or meaningful disclosures about the operation of the QC system. Two investors and an investor-related group commented that firms furnish a statement of the quality control policies of the firm when registering with the PCAOB, however this information is not required to be updated and can quickly become out of date. Therefore, providing the public with additional disclosure about a firm’s quality control system will act as an updating function. One firm suggested that it would be difficult for the public to synthesize in a useful manner the information in Form QC without the right level of context. However, three investor-related groups did not support the view that partial disclosure of Form QC would result in potentially incomplete or misleading picture of a firm’s QC system, and favored disclosing elements of Form QC and leaving to investors the assessment of the relative importance of the information. One of the investors further suggested a restructuring of Form QC that would allow confidential information to remain confidential while sharing decision-useful information with investors. Another investor suggested that investors would directly benefit from the disclosure of firm-identified deficiencies that omits PCAOB-identified deficiencies, further commenting that to the extent firms do not disclose any deficiencies to the public, investors may have concern that the system of quality control was not sufficient to proactively identify deficiencies. The Board continues to recognize the desire of investors and other stakeholders for information related to audit quality and the effectiveness of firms’ QC systems. But its ability to require firms to publicly disclose their QC deficiencies is subject to certain legal constraints imposed by SarbanesOxley. As a threshold matter, some or all of the unremediated QC deficiencies identified during a firm’s annual evaluation may have been identified as VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 QC criticisms or potential defects during a PCAOB inspection.324 Furthermore, the Board believes that the QC deficiencies identified during PCAOB inspections are likely to be important information from the perspective of investors and other stakeholders, especially because PCAOB inspection teams customize their QC-related procedures based on, among other things, the firm’s structure, procedures performed in prior inspections, past and current inspection observations, the size of the firm, and an assessment of risk related to each focus area. Notably, however, section 104(g)(2) of SarbanesOxley provides that if a quality control criticism or potential defect identified during a PCAOB inspection is addressed by the firm to the Board’s satisfaction within 12 months of the date of the Board’s inspection report, no portions of the inspection report that deal with that criticism or potential defect will be made public.325 Making or requiring public disclosure through a publicly available form of QC deficiencies that have been identified during a PCAOB inspection would be inconsistent with this provision of Sarbanes-Oxley, if disclosure were required before the Board has determined whether it is satisfied with the firm’s remediation efforts or after the Board has determined that the firm has satisfactorily addressed the deficiencies. The limitation imposed by section 104(g)(2) is a significant one. In light of section 104(g)(2), it appears that even if the PCAOB were to require Form QC to be publicly available, the PCAOB could not require the disclosure of information regarding the existence or nature of QC deficiencies that are still subject to the Board’s remediation determination. However, if information reported by a firm on Form QC informs a QC criticism contained within an inspection report, and if that QC criticism is not addressed to the Board’s satisfaction within 12 months of the date of that report, then the QC criticism would be made public in accordance with section 104(g)(2). The Board believes that the omission of deficiencies that are still subject to the Board’s remediation determination (or as to which the Board has made a favorable remediation determination) would result in a publicly available Form QC that supplies an incomplete and potentially misleading picture of the effectiveness of the firm’s QC system. This view is guided by the familiar principle that omitting material facts from a disclosure can cause the 324 See QC 1000.71b. section 104(g)(2) of Sarbanes-Oxley, 15 U.S.C. 7214(g)(2); see also PCAOB Rule 4009. statements that are made to be misleading.326 The Board’s decision not to mandate public disclosure of Form QC, in a context where material information (namely, the existence and nature of QC deficiencies that are still subject to the Board’s remediation determination) may often be omitted, is motivated in part by that concern, not by any lack of confidence in investors’ ability to interpret the information provided to them. For example, a firm may have self-identified a number of relatively minor QC deficiencies in its own evaluation, while QC deficiencies identified by the PCAOB are more severe or could be of greater public interest. In a partial disclosure scenario, the firm would disclose the minor matters, but not the more significant ones that are still subject to the Board’s remediation determination, creating a misleading picture of the state of its QC system. The Board was also concerned that, in certain circumstances, even such partial disclosure would conflict with section 104(g)(2) of Sarbanes-Oxley. For example, assume firms were required to disclose the conclusion of their most recent evaluation and any QC deficiencies that were self-identified, but not any PCAOB-identified QC deficiencies that remain subject to the Board’s remediation determination. Under such an approach, if a firm had PCAOB-identified QC deficiencies but no additional self-identified QC deficiencies, then the firm would not disclose any specific QC deficiencies but would disclose an overall conclusion (either ‘‘effective except for one or more QC deficiencies that are not major QC deficiencies’’ or ‘‘ineffective,’’ depending on the nature of the PCAOBidentified deficiencies) that nonetheless reveals that the firm has unremediated QC deficiencies, without specifically identifying them. In such a scenario, the Board would be indirectly requiring firms to disclose the existence of PCAOB-identified QC deficiencies that are still subject to the Board’s remediation determination, notwithstanding section 104(g)(2) of Sarbanes-Oxley. Moreover, public disclosure of portions of Form QC may in some cases be subject to other legal constraints imposed by Sarbanes-Oxley. Depending on how a QC deficiency has come to light, certain information contained within a Form QC might be confidential pursuant to section 105(b)(5)(A) of Sarbanes-Oxley, which addresses documents and information prepared or received by or specifically for the Board 325 See PO 00000 Frm 00097 Fmt 4701 Sfmt 4703 49683 326 See, E:\FR\FM\11JNN2.SGM e.g., 17 CFR 240.10b–5(b). 11JNN2 49684 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 in connection with an inspection or investigation.327 Additionally, Form QC requires firms to report on remedial actions that in certain (though likely rare) circumstances may be subject to laws relating to the confidentiality of proprietary, personal, or other information, or might reasonably be identified by a firm as proprietary. In such a scenario, the Board, in accordance with section 102(e) of Sarbanes-Oxley, would need to honor a firm’s properly substantiated request for confidential treatment of such information.328 The Board also believes that firms may be in a better position to report fully and candidly to the PCAOB about their annual evaluation—more effectively supporting both their own remediation efforts and PCAOB oversight activities—if they are confident that the information would be understood and used in the context of a broader understanding of their overall audit practice and an ongoing dialogue between the firm and the PCAOB. Accordingly, the Board adopted Form QC as a nonpublic form, as proposed. To that end, the Board adopted new PCAOB Rule 2203A, which establishes the Form QC reporting requirement and specifies that the Board will not make a filed Form QC or the contents thereof (including any amendment thereto) public.329 The rule does not, however, prohibit a firm from voluntarily disclosing its Form QC or the contents thereof to the public or to particular stakeholders. Nor does the rule prohibit the PCAOB from sharing Form QCs or their contents and related documentation with the SEC or other entities, consistent with Sarbanes327 See section 105(b)(5)(A) of Sarbanes-Oxley, 15 U.S.C. 7215(b)(5)(A). 328 See section 102(e) of Sarbanes-Oxley, 15 U.S.C. 7212(e); PCAOB Rule 2300(b). 329 Sections 102(b)(2) and (d) of Sarbanes-Oxley authorize the Board to adopt rules requiring firms to periodically update the information contained in their registration applications or provide to the Board information as necessary or appropriate in the public interest or for the protection of investors. See section 102(b)(2)(D), (b)(2)(H), and (d) of Sarbanes-Oxley, 15 U.S.C. 7212(b)(2)(D), (b)(2)(H), and (d). section 102(e) of Sarbanes-Oxley, in turn, permits the Board to designate in its rules the portions of registration applications and annual reports that will be made available for public inspection (subject to applicable laws relating to the confidentiality of proprietary, personal, or other information, and provided that the Board shall protect from public disclosure information reasonably identified by the firm as proprietary information). See section 102(e) of Sarbanes-Oxley, 15 U.S.C. 7212(e); see also PCAOB Rule 2300(a)(2) (providing that forms filed pursuant to Part 1 or Part 2 of Section 2 of the Board’s rules will be publicly available ‘‘except to the extent otherwise specified in the Board’s rules or the instructions to the form’’). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 Oxley.330 The rule expressly provides that Form QCs and their contents may be publicly disclosed in enforcement proceedings.331 One commenter noted that Form QC or its contents may not be relevant to all enforcement proceedings and suggested that the Board explicitly clarify in the final standard that the Form QC may become public as part of an enforcement proceeding where Form QC or its content is relevant to the respective enforcement proceeding. The Board does not believe that such a clarification is necessary. When a Form QC or its content is relevant to an enforcement proceeding, it would be admissible, and when it is not relevant to an enforcement proceeding, PCAOB adjudication rules already specify that it shall be excluded.332 The rule also provides that the Board may publish Form QC information in summaries, compilations, or other general reports, provided that the firm or firms to which particular Form QC information relates are not identified (unless the information has previously been made public by the firm or firms involved or by other lawful means). Two commenters suggested that the Board could publish Form QC information in summaries, compilations, or other general reports, provided that the firms are not identified. However, another commenter did not support aggregated anonymized information and suggested that this would depart from the spirit and letter of the confidentiality provisions of Sarbanes-Oxley. The Board believes that summaries, compilations, or general reports that present relevant QC-related information on an aggregated and anonymized basis may provide useful insight to investors, audit committees, firms, and other stakeholders about firm QC systems, the implementation of QC 1000, and related matters. The Board also continues to believe that presenting such data on an aggregated and anonymized basis would not run afoul of any limitations of Sarbanes-Oxley.333 330 See, e.g., section 105(b)(5)(B) of SarbanesOxley, 15 U.S.C. 7215(b)(5)(B). 331 On Form QC, firms may elect to request notification from the Board if the Board is requested by legal subpoena or other legal process to disclose information contained in Form QC. The Board will make reasonable efforts to honor such a request. This notification process does not apply to the PCAOB’s or the SEC’s use of Form QC or its contents in an enforcement proceeding, because those scenarios do not involve Board disclosure of Form QC information in response to a legal subpoena or other legal process. 332 See PCAOB Rule 5441, Evidence: Admissibility. 333 For comparison, see PCAOB Rule 4010, Board Public Reports, which provides, in pertinent part, that the Board may publish summaries, PO 00000 Frm 00098 Fmt 4701 Sfmt 4703 While firm reporting on Form QC will be nonpublic due to the aforementioned legal constraints and policy considerations, the Board notes that other aspects of QC 1000 and related requirements promote transparency about firm QC systems within the confines of those constraints. For example, the PCAOB has observed the emerging practice of firm transparency reporting, including that the nature and content of these reports continues to evolve and expand in response to market demand. Advances in thinking about firm and engagement metrics could also affect what financial statement users demand and what firms could usefully provide. QC 1000 requires that the QC system operate over any public reporting that firms do provide, including any public reporting of metrics. Firms have to establish a specific quality objective with regard to their public reporting, including that any firm-level or engagement-level information with respect to the firm’s audit practice, firm personnel, or engagements communicated to external parties be accurate and not misleading, and—as with any quality objective— they have to monitor their performance in relation to that objective and remediate identified deficiencies. As part of their annual reporting on Form 2, all registered firms will also be required to provide an annual confirmation with regard to the design of their QC system under QC 1000 and whether they were required to implement and operate the QC system. The Board believes an annual confirmation will be a useful reminder to all firms of their responsibilities regarding the design, implementation, and operation of an effective QC system. The Board also believes that the public will benefit from being able to determine whether a particular firm has been required to implement and operate its QC system from year to year. Such information on Form 2 will be publicly available on the PCAOB website and will be accessible to investors and other financial statement users, audit committees, and other stakeholders. It will also inform PCAOB oversight efforts. To accompany the changes to Form 2, a similar confirmation has been added to the application for PCAOB compilations, or other general reports concerning the findings and results of its inspections, including discussion of QC criticisms or potential QC defects, provided that no such published report shall identify the firm or firms to which such criticisms relate, or at which such defects were found, unless that information has previously been made public in accordance with PCAOB Rule 4009, by the firm or firms involved, or by other lawful means. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices registration, Form 1. The Board believes such a confirmation will appropriately put applicants on notice of their obligations with respect to their QC systems, which would apply from and after the time that their registration is approved. iii. Certification of the Evaluation of the Firm’s QC System by Firm Leadership As proposed, the Board required that both the individual assigned ultimate responsibility and accountability for the QC system as a whole and the individual assigned operational responsibility and accountability for the firm’s QC system as a whole (the ‘‘QC certifiers’’) certify the firm’s report to the PCAOB on the evaluation of its QC system.334 Several commenters were supportive of the certification requirement, including a commenter that stated that individual certifications are likely to focus the mind and it seems likely that improvements will be seen as a result of such a requirement. Some commenters opposed the certification requirement, saying it adds little value to the evaluation of the QC system, may not provide a full view of the subject matter it purports to be certifying to and may create an unjust reliance by a third party on the certification, or is an ineffective incentive for making quality control a higher priority within a firm. Another suggested that while certification may sharpen an individual’s sense of accountability, this may not necessarily lead to and cannot guarantee enhanced engagement quality. Another commenter suggested that certification requirements could act as a barrier to registration for firms operating in environments in which there are no Sarbanes-Oxley style reporting requirements,335 and that it could have 334 See QC 1000.14d and .15b. SEC rules adopted pursuant to section 302 of Sarbanes-Oxley, CEOs and CFOs of issuers are required to certify, for each quarterly or annual report of the issuer, among other things, that (1) they have reviewed the report; (2) based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made not misleading; (3) based on the officer’s knowledge, the financial statements and other financial information included in the report fairly present in all material respects the financial condition and results of operations of the issuer; (4) they (a) are responsible for establishing and maintaining internal control over financial reporting, (b) have designed ICFR to ensure that material information is made known to them, (c) have evaluated the effectiveness of ICFR, and (d) have presented their conclusions about the effectiveness of ICFR in the report; and (5) they have disclosed to the issuer’s auditors and audit committee any significant deficiencies in ICFR and any fraud involving management or others involved with ICFR. See 17 CFR 240.13a–14(a), 240.15d14(a). khammond on DSKJM1Z7X2PROD with NOTICES2 335 Under VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 a disproportionate impact on smaller firms. The Board continues to believe that, analogous to the CEO and CFO certifications required under SarbanesOxley, certification of Form QC will lead to increased discipline in the evaluation process and will reinforce the accountability of the certifying individuals, which in turn should improve the quality of the firm’s evaluation. The text of the certification, which is unchanged from the proposal, appears in Item 3.2 of Form QC. That item requires certification of certain information regarding the design and evaluation of a firm’s QC system, including that each QC certifier reviewed the Form QC and that the disclosures made in the Form QC are complete and accurate in all material respects to the individual’s knowledge.336 As proposed, the final rules require certification from both the individual assigned ultimate responsibility and accountability for the QC system (i.e., the firm’s principal executive officer(s)) and the individual assigned operational responsibility and accountability for the QC system. One commenter suggested that certification be required only from the individual with ultimate responsibility and accountability for the firm’s QC system on the basis that, in the event of differences of opinion between the two certifiers, the individual responsible for the operational responsibility and accountability for the QC system could be subject to excessive pressure from the firm’s principal executive officer. However, under EI 1000, certifiers will be subject to a duty to act with integrity, which includes not subordinating their professional judgment, and the individual with ultimate responsibility and accountability for the firm’s QC system will have a number of obligations (for example, under QC 1000.14a.) that are inconsistent with the exercise of undue influence over a subordinate. 336 See e.g., Daniel A. Cohen, Aiyesha Dey, and Thomas Z. Lys, Corporate Governance Reform and Executive Incentive: Implications for Investments and Risk Taking, 30 Contemporary Accounting Research 1298 (2013) (finding that their sample of firms significantly reduced investments in risky projects in the period following SOX); Hsihui Chang, Jengfang Chen, Woody M. Liao, and Birendra K. Mishra, CEOs’/CFOs’ Swearing by the Numbers: Does it Impact Share Price of the Firm?, 81 The Accounting Review 22 (2006) (concluding that the SEC order requiring filing of sworn statements by CEOs and CFOs had a positive effect on the market value of certifying firms); Gerald J. Lobo and Jian Zhou, Did Conservatism in Financial Reporting Increase after the Sarbanes-Oxley Act? Initial Evidence, 20 Accounting Horizons 57 (2006). PO 00000 Frm 00099 Fmt 4701 Sfmt 4703 49685 The Board does not require similar certifications from other personnel in the QC system, but firms may choose to institute policies that require levels of certification internal to the firm to assist those certifying Form QC. Some commenters raised concerns about the potential liability of the QC certifiers. Several requested clarification on whether the QC certifiers could be held personally liable for an inaccurate statement only if they made the statement knowing it was false or recklessly not knowing it was false. One of these commenters further stated it had concerns about the potential for unnecessary and excessive liability that the certification could impose upon the QC certifiers, and the effect that this could have on firms’ ability to recruit qualified professionals to serve. The commenter further suggested that the final adopting release expressly state that while the QC certifiers are responsible for exercising professional competence in connection with the design and operation of the firm’s QC system (and may face consequences for failure to do so), the QC certifiers shall not be held responsible for inevitable system errors or the wrongful acts of others which may, in limited circumstances, overcome the best of those efforts. If a QC certifier fails to certify the firm’s Form QC, such conduct would constitute a violation of the individual’s obligation under either paragraph .14d or .15b of QC 1000, as applicable to the particular individual. The Board believes this requirement is important for creating accountability within the firm to achieve the reasonable assurance objective. Beyond that, QC certifiers’ potential liability for statements contained within the Form QC certification is informed by the particular language of those statements. Certain statements in the certification reflect objective facts that the Board believes are readily knowable by the individual. Paragraph 1 of the certification, for instance, recites that the individual reviewed the firm’s report on Form QC. Paragraph 3(a) of the certification contains an acknowledgement that the individual is responsible and accountable for the firm’s QC system as a whole and has designed, or caused to be designed, the QC system to ensure that it meets QC 1000’s reasonable assurance objective. Notably, this paragraph is not tantamount to a certification that the firm’s QC system in fact meets QC 1000’s reasonable assurance objective; on the contrary, Form QC contemplates that a firm might conclude, and report on its certified Form QC, that its QC E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49686 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices system is not effective. Rather, in paragraph 3(a), the QC certifiers acknowledge their role in designing (or causing to be designed) the firm’s QC system. Paragraph 3(b) of the certification states that the individual evaluated the effectiveness of the firm’s QC system and has presented in Form QC the conclusions reached. With respect to each of these statements in the Form QC certification, the Board believes that the QC certifiers can and should reach a conclusion about their accuracy through the exercise of due professional care. In light of the nature of these statements, the Board does not agree with the commenters that a showing of recklessness or knowing misconduct is necessary to establish a violation with respect to these aspects of the Form QC certification. The other statements in the Form QC certification are subject to knowledge qualifiers. In paragraph 2, the QC certifier states that the disclosures made in Part II of Form QC regarding the evaluation of the effectiveness of the firm’s system of quality control are complete and accurate in all material respects ‘‘[b]ased on my knowledge.’’ Similarly, paragraph 3(c) states that the QC certifier has disclosed, based on the evaluation of the QC system, all unremediated QC deficiencies ‘‘of which I am aware.’’ These statements would be inaccurate, and the QC certifier’s certification would therefore constitute violative conduct, only if they were knowingly false (if the QC certifier knew that Part II was not complete and accurate in all material respects, or if the QC certifier was aware of undisclosed unremediated QC deficiencies), or if they were made recklessly not knowing they were false. One commenter suggested that the certification say ‘‘to the best of my knowledge’’ rather than ‘‘based on my knowledge,’’ and another commenter suggested that the wording of the certification be updated to ‘‘in my capacity as the individual assigned [ultimate/operational] responsibility’’ rather than ‘‘who have been assigned [ultimate/operational] responsibility.’’ After consideration of these comments, the Board believes that the proposed language is clear, appropriate, and likely to be easily understood, and does not believe that the proposed certification text requires amending. One commenter did not support the clause in the proposed certification that states that the firm has disclosed all unremediated quality control deficiencies. The commenter, while acknowledging that this statement is subject to a knowledge qualifier, suggested that this certification could VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 lead to unnecessary disputes over what the QC certifiers should have known in a particular circumstance and suggested that obtaining a certification from the firm (not the individual) may sufficiently address this item without discounting the standards to which auditors are held. As discussed above, the inclusion of ‘‘of which I am aware’’ in paragraph 3(c) of certification means that liability would arise with respect to that paragraph only if the QC certifier made the statement knowing it was false or recklessly not knowing it was false. Another commenter also suggested that the standards clarify that such certification relates to the ‘‘firm’s evaluation’’ of its QC system, and not a specific individual’s evaluation of the quality management system. As reflected in paragraph .77 of QC 1000, the annual evaluation is conducted by the firm, but the firm, as a legal entity, acts through individuals, and the QC certifiers are the individuals who, under the standard, are responsible and accountable for the QC system as a whole and are required to certify the firm’s report to the PCAOB on its annual evaluation. Another commenter asserted that the text of the certification suggests that a certifying individual should be considered to have violated QC 1000 only to the extent that the inaccuracy in a submitted certification is material to an investor’s or reasonable auditor’s understanding of the QC system as a whole, and asked that the Board confirm that is the case. The Board does not agree with this characterization of Form QC. Some statements in Form QC, such as the one in paragraph 2, are expressly conditioned on materiality, while other statements, such as that in paragraph 3(b), are not. One commenter suggested that creating a potential Sarbanes-Oxley type certification for privately held accounting firms and making this available to the public could create market confusion as to what exactly is being certified and the level of reliance users should place on such a certification. The certification does not contain the outcome of the firm’s annual evaluation of its QC system or identify any unremediated QC deficiencies, but rather certifies the completeness and accuracy of the information being reported to the PCAOB on Form QC. That information is set forth elsewhere in Form QC and, as explained above, that information is treated as nonpublic. Because the certified information is treated as nonpublic, the Item 3.2 certifications are likewise treated as nonpublic; in the Board’s view, the certifications do not present a full or PO 00000 Frm 00100 Fmt 4701 Sfmt 4703 useful picture of a firm’s QC system without the underlying information. iv. Requirement for Form QC Amendments The proposed general instructions for Form QC included provisions detailing when amendments of Form QC should be filed. Those instructions indicate that Form QC should be amended only to correct information that was incorrect at the time that the form was filed or to provide information that was omitted from the form and was required to be provided at the time the form was filed. The Board considered commenters’ feedback, and retained the language regarding amendments in the proposed general instructions for Form QC, which mirrors the standard for amending certain other PCAOB forms. Two commenters requested clarification on how firms should consider information that comes to their attention after the evaluation date or the reporting date that is relevant to the firm’s conclusion on Form QC, including how this interacts with relevant provisions in proposed EI 1000. Other commenters suggested that revisions to Form QC not be required for inconsequential matters. Other commenters requested guidance on when an amendment to Form QC would be required, and some suggested that a threshold be developed for potential amendments. QC 1000 requires firms to conduct the annual evaluation of their QC system’s effectiveness as of September 30 and to file their report on Form QC regarding that evaluation by November 30. Consequently, annual evaluations under QC 1000 should conclude sometime between October 1 and November 30 of each year. Information that relates to the firm’s QC system as of the evaluation date (September 30), and that comes to the firm’s attention after the evaluation date but before the firm has filed Form QC, should be factored into the firm’s evaluation and reflected, if and as appropriate, in Form QC. In contrast, any information that relates to the firm’s QC system as of the evaluation date, but that comes to the firm’s attention after the firm has filed its Form QC, would not need to be reflected on Form QC or on an amendment to Form QC (although it may constitute a QC observation to be considered in the next annual evaluation of the QC system). In other words, Form QC captures, and conveys to the Board, the conclusions reached by the firm as a result of its completed annual evaluation, and that evaluation cannot disregard information that comes to light before Form QC has been filed. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 Therefore, when Form QC is filed, it should be complete and accurate as of the date of its filing. Similar to PCAOB staff guidance on Form 2 reporting,337 if a firm discovers that it provided incorrect information in a filed Form QC or omitted information that should have been included based on information that the firm was aware of at the time of filing, then the firm should file an amended Form QC. That amendment obligation is not subject to any materiality or other thresholds, because the Board believes it is entitled to receive Form QCs that contain information that is correct and that do not omit information that was required to be provided. The Board does not believe that any of the information on Form QC is inconsequential. v. Reporting to the Audit Committee In connection with the proposal of QC 1000, the Board also proposed amendments to AS 1301, Communications with Audit Committees, which contemplated communication to the audit committee of certain information about the firm’s most recent evaluation of its QC system. Several commenters supported the amendments as proposed. Other commenters supported limiting the communications to the conclusion of the annual evaluation or limiting communication of deficiencies to only major QC deficiencies. One commenter expressed concern with reporting to audit committees about all unremediated QC deficiencies that exist as of the evaluation date, in part because of the interaction of such communications with the confidentiality restrictions under section 105(b)(5)(A) of Sarbanes-Oxley. The commenter further suggested that requiring all QC deficiencies to be communicated would create more extensive communication requirements for firms related to QC deficiencies than what auditors are required to communicate to audit committees in an audit of ICFR, and in addition, this approach would differ from management’s external reporting on its ICFR to its stakeholders, which solely discloses deficiencies that are material weaknesses. One commenter asserted that audit committees are likely to find more value in understanding quality matters specific to the engagement and having a broader dialogue about the firm’s approach to quality control. Two 337 See Staff Questions and Answers Annual Reporting on Form 2, at Q34, available at https:// assets.pcaobus.org/pcaob-dev/docs/default-source/ registration/rasr/documents/staff_qa-annual_ reporting.pdf?sfvrsn=5e7259ff_0. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 commenters argued that a firmwide report on audit quality would have little utility to each individual audit committee. One of these commenters suggested instead that audit committees would be more influenced by an independent verification of the QC system such as the PCAOB inspection report on their auditor, and information relating to the auditor’s performance on their engagement, including audit quality indicators. The other commenter recommended that firms report relevant human resource metrics to the audit committee and explain what was done to assure audit quality was not compromised. One commenter asserted it could be extremely challenging for audit committees to understand and reconcile the information that would be communicated to them under the proposed changes to AS 1301, especially given the considerable time period between the issuance of public portions of firm inspection reports and the potential release of nonpublic inspection findings. One commenter did not support the requirement to disclose a firm’s QC deficiencies to audit committees, and stated that QC deficiencies may have little to no impact on a given reporting issuer’s audit or that area of the firm’s practice. Another commenter questioned whether or not the audit committee would be inclined to seek a new auditor based only on a firm-wide evaluation of quality control furnished to the audit committee by the auditor. One commenter was generally supportive of the requirements but expressed concern with the timing of the required communication due to existing important year-end communications. The commenter expressed concern that not communicating QC deficiencies known at a January 15 reporting date could potentially introduce legal considerations that could place tension on the engagement team and the firm’s obligation to comply with other existing required communications under AS 1301. One commenter recommended specifying that this communication is not required to be in writing due to confidentiality concerns, and two commenters did not support any required communication of the annual evaluation of the QC system to the audit committee. One commenter asserted that requiring firms to communicate to audit committees about their most recent annual QC evaluations is inconsistent with the Congressional balance struck in Sarbanes-Oxley section 104(g)(2). In addition, the commenter suggested that the requirement indirectly regulates the PO 00000 Frm 00101 Fmt 4701 Sfmt 4703 49687 actions of audit committees and imposes a fiduciary duty of care on audit committees, regardless of whether quality control issues relate to the performance of the engagement, which is beyond the scope of the PCAOB’s jurisdiction. Another commenter asserted that the proposed communication could also be construed as contradictory to the PCAOB’s conclusion that Form QC would be treated as nonpublic. Several commenters were concerned about the proposed requirement to discuss remedial actions taken and to be taken, and suggested that some of this information may be protected by section 104(g)(2) or section 105(b)(5)(A) of Sarbanes-Oxley. One commenter suggested that the communication of a brief overview of remedial actions taken or to be taken should only be required upon the determination that substantial good faith progress has not been made on the remedial actions. After consideration of the comments received, the Board determined not to adopt the proposed amendments to AS 1301. Although the Board continues to believe that firms could communicate the overall conclusion of their annual evaluation and their planned remedial actions to audit committees without expressly disclosing information subject to section 104(g)(2) or section 105(b)(5)(A) of Sarbanes-Oxley, the Board recognizes that such a disclosure obligation could present implementation challenges. Specifically, and as discussed in more detail above, there may be challenges associated with compelling firms to publicly disclose certain information about their QC systems while simultaneously preserving their ability not to disclose other related information that may be subject to confidentiality protections, privileges, or prescribed disclosure procedures under SarbanesOxley. The Board believes that the same challenges could arise if firms were compelled to make disclosures to audit committees. The Board also recognizes that firms and audit committees have direct interaction, so while PCAOB standards do not require firms to make disclosures to audit committees, an audit committee may ask a firm to voluntarily disclose information about its QC system. As the Board has previously noted, such inquiries could include requesting the firm to keep the audit committee apprised of the status of the quality control remediation process (including whether the firm made a submission to the Board responding to inspection report quality control criticisms by the 12-month deadline) and whether the E:\FR\FM\11JNN2.SGM 11JNN2 49688 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices Board has made a final remediation determination (including a negative determination that has not yet become public).338 2. Current PCAOB Sstandards Current PCAOB QC standards do not require firms to evaluate their QC systems or to report on any such evaluations. As previously noted, some firms conduct evaluations and share their results in published reports, either voluntarily or under other regulatory requirements. khammond on DSKJM1Z7X2PROD with NOTICES2 Documentation Documentation supports a firm’s QC system in a number of ways. It helps provide clarity around roles and responsibilities and the firm’s policies and procedures, which promotes consistent compliance by firm personnel and other participants. Documentation enables proper monitoring and supports the evaluation and continuous improvement of a firm’s QC system. It makes it easier to train firm personnel and other participants and facilitates the retention of organizational knowledge, providing a history of the basis for decisions made by the firm about its QC system. Further, documentation assists others conducting reviews of the firm’s QC system by providing evidence of the system’s design, implementation, and operation. Current PCAOB standards provide only general direction on the nature and extent of QC documentation and specific requirements for documentation of certain items.339 Through its oversight activities, the PCAOB has observed that the nature and extent of firms’ documentation of their QC systems vary greatly. Some firms have detailed documentation for all areas of their QC systems. Other firms have significantly less documentation. For example, some firms have documentation only in areas that have been subject to PCAOB inspections, such as remediation, root cause analysis, or internal inspections. QC 1000 establishes more comprehensive requirements for firms to document their QC systems. 1. QC 1000 The proposal included an overarching documentation requirement that captured the design, implementation, and operation of the firm’s QC system and the annual evaluation of the QC 338 See Information for Audit Committees about the PCAOB Inspection Process, PCAOB Rel. No. 2012–003, at 11 (Aug. 1, 2012), available at https:// pcaobus.org/Inspections/Documents/Inspection_ Information_for_Audit_Committees.pdf. 339 See, e.g., QC 20.21, .24–.25. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 system. The scope of that requirement was then specified in proposed paragraphs .82 and .83. The documentation of the design and implementation of the QC system captures decisions made regarding ‘‘the who, what, when, where, why, and how’’ of the QC system. This aspect of documentation will help firm personnel and others understand what is expected of them in fulfilling their responsibilities and support consistent implementation and operation of the firm’s QC system. For example, documentation of the design of policies and procedures regarding general and specific independence matters would enable a consistent understanding by firm personnel and others about who is responsible for what, when the responsibilities are triggered, and why certain actions are necessary.340 Such documentation will allow for consistent actions by firm personnel and others in implementing the design of those policies. The documentation of the operation of the firm’s QC system enables the firm to determine if the policies and procedures were operated in the manner that the firm intended.341 It would also provide evidence of compliance with the specified quality responses and other requirements of QC 1000. For example, it would provide evidence of how the firm complied with specific communication requirements related to the operation of the firm’s QC system and the performance of its engagements 342 and whether the quality responses implemented by the firm operated as designed. The Board received no comments on the general obligation to prepare and retain documentation regarding the QC system and paragraph .81 was adopted as proposed. The comments received regarding the scope of the proposed documentation requirement are addressed below, in connection with the discussion of paragraphs .82 and .83. The proposal included a list of specific matters that firms would be required to document. Documentation of the lines of responsibilities and supervision within the QC system should reduce operational ambiguity and provide clarity about who within the firm is accountable for various firm supervisory responsibilities within the firm’s QC system. One firm suggested that the phrase ‘‘successive senior levels’’ may not be clear. As discussed 340 See, e.g., QC 1000.33–.34. that are not required to implement and operate their QC system would not be expected to have anything to document with respect to the operation of the QC system. 342 See, e.g., QC 1000.55–.57. 341 Firms PO 00000 Frm 00102 Fmt 4701 Sfmt 4703 in more detail above, under QC 1000.27, the firm should establish and maintain clear lines of responsibility and supervision—including defining authorities, responsibilities, accountabilities, and supervisory and reporting lines for roles within the firm, up to and including the principal executive officer(s)—within the QC environment. A description of these successive lines of responsibility and supervision must be included in the documentation of the QC system, and a reference to paragraph .27 was added to clarify that point. The requirement for the firm to document aspects of its risk assessment process ensures that the firm will have adequate evidence to support its annual risk assessment. Specifically, the firm is required to document identified quality risks, reasons these risks were identified, and policies and procedures the firm had put in place in response. This documentation is valuable in subsequent risk assessments and could help to support decisions about, for example, whether to establish additional quality objectives, identify new or modified quality risks, or design and implement new quality responses. The requirements for the firm to document aspects of its monitoring and remediation process will also support its monitoring and remediation activities. For example, a firm’s documentation of engagement and QC system-level monitoring activities performed, its evaluation of the results of those monitoring activities, actions taken to address engagement deficiencies, and identified QC deficiencies would demonstrate the firm’s approach to complying with certain requirements of the standard for the monitoring and remediation process component. This documentation will also assist the firm in monitoring its monitoring and remediation process and in making its annual evaluation of the effectiveness of the QC system pursuant to paragraph .77. The standard also requires the firm to document the basis for the conclusion it reached in evaluating the effectiveness of its QC system pursuant to paragraph .77. This documentation provides evidence of the decisions made in reaching the conclusion about the effectiveness of the firm’s QC system, which may be valuable in future evaluations and in establishing compliance with the firm’s reporting obligations to the PCAOB. The standard requires the firm to document certain matters if the firm uses resources or services provided by a network or a third-party provider in the firm’s QC system or the performance E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices of the firm’s engagements. When a firm uses resources or services provided by a network or a third-party provider, the standard requires the firm to document how the resources or services are developed and maintained and, if such services or resources were supplemented or adapted, how and why they were supplemented or adapted. Firms will also have to document how the resources or services were implemented and operated. Documentation of such matters will serve as evidence of decisions made regarding resources or services used by the firm. Some networks or third-party providers may provide documentation about their services or resources to the firm. For example, the firm may obtain an understanding of how the resources were developed and maintained by the network through documentation provided by the network. This documentation may need to be supplemented by the firm depending on various factors, including the extent of the documentation provided and whether the firm supplements or adapts the resource or service. As discussed above, a reference to paragraph .27 was added to paragraph .82a. to clarify that a description of the successive lines of responsibility and supervision must be included in the documentation of the QC system. Paragraph .82 was otherwise adopted as proposed. Requiring documentation to be in sufficient detail to support a consistent understanding of the QC system by firm personnel, including an understanding of their roles and responsibilities with respect to the firm’s QC system, will help to clarify the firm’s expectations of its personnel and promote consistent compliance with the firm’s QC policies and procedures. One firm expressed concern that this ‘‘consistent understanding’’ threshold may not be easily understood. The Board believes that firms will be able to determine the nature and extent of the documentation needed to facilitate a consistent understanding by firm personnel based on the functioning of their QC system. Based on the requirements in paragraph .83a, firms would initially determine the appropriate level of detail of documentation based on the experience they already have in implementing and operating a QC system under current standards and whether their personnel understand their roles and responsibilities, and modify documentation as needed over time based on their monitoring and VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 remediation activities and the results of their QC system evaluations. As described previously, documentation supports a firm’s QC system in a number of ways. For example, it provides clarity around the firm’s policies and procedures, enables proper monitoring, and supports the evaluation and continuous improvement of a firm’s QC system. Documentation also facilitates the retention of organizational knowledge, providing a history of the basis for decisions made by the firm about its QC system. Further, it assists others conducting reviews of the firm’s QC system by providing evidence of the system’s design, implementation, and operation. In particular, the Board believes that appropriate documentation of the QC system is necessary for the PCAOB to fulfill its statutory mandate to protect investors and the public interest. Sarbanes-Oxley requires that, in conducting an inspection of a registered public accounting firm, the PCAOB evaluates the sufficiency of the quality control system of the firm and the manner of the documentation and communication of that system by the firm.343 Sarbanes-Oxley further authorizes the PCAOB to perform such other testing of quality control procedures as are necessary or appropriate in light of the purpose of the inspection and the responsibilities of the Board.344 In addition, the Board’s rules provide that a regular inspection will include, but is not limited to, the steps and procedures as specified in sections 104(d)(1) and (2) of SarbanesOxley and any other tests of the audit, supervisory, and quality control procedures of the firm as the Director of the Division of Registration and Inspections or the Board determines appropriate.345 As part of the Board’s inspection procedures, firms will be expected to provide the PCAOB with evidence relating to the effectiveness of the QC system. Given that mandate, the level of documentation that would be sufficient to enable PCAOB inspectors to evaluate the effectiveness of a firm’s QC system through an inspection may be different from the level of documentation that would be sufficient for the firm to support its annual evaluation. Under QC 1000, a firm must evaluate the effectiveness of its QC system based on the results of its monitoring and 343 See section 104(d)(2) of Sarbanes-Oxley, 15 U.S.C 7214(d)(2). 344 See section 104(d)(3) of Sarbanes-Oxley, 15 U.S.C 7214(d)(3); see also Rule 4001, Regular Inspections. 345 See Rule 4001, Regular Inspections. PO 00000 Frm 00103 Fmt 4701 Sfmt 4703 49689 remediation activities,346 and firms can determine the nature, timing, and extent of QC system-level monitoring activities taking into account a number of factors.347 There could be certain quality responses, or certain instances of the operation of quality responses, that are not monitored by the firm within a given year and not considered in connection with the firm’s annual evaluation. If the firm were required to prepare and retain documentation only to the extent related to its own annual evaluation, the firm might not prepare and retain documentation to evidence that these quality responses operated effectively. However, in light of the scope of the PCAOB’s statutory mandate, its inspection procedures cannot be limited to quality responses (and, to the extent applicable, samples of the operation of quality responses) that the firm chose to monitor in the period. On the contrary, firms will be expected to provide evidence of the operating effectiveness of any quality responses selected for inspection in connection with the PCAOB’s evaluation of the effectiveness of the firm’s QC system. Therefore, the proposed standard contemplated that, in order to effectively support the firm’s QC system, the documentation of the QC system needs to be at the level of detail to enable an experienced auditor that understands QC systems but has no experience with the design, implementation, and operation of the firm’s QC system to understand the design, implementation, and operation of the QC system, including the quality objectives, quality risks, quality responses, monitoring activities, remedial actions, and basis for the firm’s conclusions reached in the evaluation of the QC system (‘‘experienced auditor threshold’’). Incorporating the experienced auditor threshold when describing the extent of detail firms are required to document and maintain regarding their QC system is appropriate because that level of detail will facilitate the firm’s monitoring activities and external monitoring, including PCAOB inspections conducted in accordance with Sarbanes-Oxley. Two firms agreed that the experienced auditor threshold was appropriate. Several commenters, including firms and a related group, argued that the proposed documentation requirements were too broad, and suggested a variety of different limitations to narrow their scope. Some firms suggested that the standard differentiate data relating to 346 See 347 See E:\FR\FM\11JNN2.SGM QC 1000.77. QC 1000.65. 11JNN2 49690 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 the operation of the QC system from data relating to the design, implementation, and annual evaluation of the QC system, with a shorter retention period for the former. Other commenters, including firms and a related group, recommended that the documentation requirements be comparable to the documentation requirements that Sarbanes-Oxley imposes on issuers with regard to management’s assessment of the effectiveness of the issuer’s internal control over financial reporting.348 Another firm suggested that the documentation requirements be comparable and analogous to the documentation retention requirements set out in the SEC’s rules for issuer audits and related interpretive guidance.349 One firm and a related group suggested that the documentation requirements be limited to the evidence to support the annual evaluation of the QC system and related monitoring. Two firms suggested that additional guidance or clarity would be necessary in order for firms to appropriately adopt documentation retention policies related to the operation of controls that meet the expectations of the proposed standard. The Board does not believe that any of the more narrowly scoped documentation requirements suggested by commenters would be appropriate. QC 1000’s documentation requirements need to be aligned with the PCAOB’s mandate, provided by Congress, to ‘‘evaluate the sufficiency of the quality control system of a firm’’ through its inspection procedures.350 Therefore, the Board believes that it is imperative that documentation that enables the experienced auditor to evaluate the operation of the quality responses should be included in the documentation that is prepared and retained by the firm. To clarify the level of detail of the documentation relating to the operation of the QC system that is to be prepared and retained under QC 1000, paragraph 348 See 17 CFR 229.308 (requiring issuers to maintain evidential matter, including documentation, to provide reasonable support for management’s assessment of the effectiveness of ICFR). 349 See 17 CFR 210.2–06(a) (requiring, for audits or reviews of an issuer’s financial statements, retention of records relevant to the audit or review, including workpapers and other documents that form the basis of the audit or review, and memoranda, correspondence, communications, other documents, and records (including electronic records), which: (1) Are created, sent or received in connection with the audit or review, and (2) Contain conclusions, opinions, analyses, or financial data related to the audit or review). 350 See section 104(d)(2) of Sarbanes-Oxley, 15 U.S.C. 7214(d)(2). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 .83 was revised to include a note to .83b. stating that with respect to the operation of the QC system, the documentation must include documentation that enables the experienced auditor to evaluate the operation of the quality responses. As discussed in connection with paragraph .86 below, the Board continues to believe that all of the documentation required under the standard should be retained for seven years. Commenters also expressed concern that firms would be required to retain large volumes of documentation. Several commenters suggested that the costs associated with retaining documentation of the operation of the QC system would be burdensome, and some further commented that the data relating to the operation of the QC system could include sensitive data, and a requirement to prepare and retain all such data could also introduce heightened data security risks. One firm suggested the Board consider adding language that appears in SQMS 1 clarifying which matters require documentation, specifically referencing SQMS 1 paragraphs A224 and A227.351 In considering commenters’ concerns that the documentation to support that the quality responses operated effectively in every instance would result in a substantial volume of documentation, the Board believes that the ability to effectively monitor whether the firm’s quality responses are properly designed and operating effectively should not be restricted by the documentation requirements of the standard. Furthermore, the Board believes that the new note to paragraph .83b clarifies that the firm need not prepare and retain excessively voluminous documentation of the dayto-day operation of every action of its QC system, provided the information is not required to satisfy the requirements of paragraphs .82–.83. 351 Paragraph A224 of SQMS 1 states that it is neither necessary nor practicable for the firm to document every matter considered, or judgment made, about its system of quality management. Furthermore, compliance with this SQMS may be evidenced by the firm through its information and communication component, documents or other written materials, or IT applications that are integral to the components of the system of quality management. Paragraph A227 of SQMS 1 states that the firm is not required to document the consideration of every condition, event, circumstance, action, or inaction for each quality objective or each risk that may give rise to a quality risk. However, in documenting the quality risks and how the firm’s responses address the quality risks, the firm may document the reasons for the assessment given to the quality risks (that is, the considered occurrence and effect on the achievement of one or more quality objectives) to support the consistent implementation and operation of the responses. PO 00000 Frm 00104 Fmt 4701 Sfmt 4703 The Board believes that the extent of documentation sufficient to evidence whether the quality responses operated effectively would scale with the size of the firm’s PCAOB practice and the risks and complexities of their engagements and, in turn, the assessed quality risks and the quality responses established to address them. Therefore, the documentation requirements of the standard should be less costly and burdensome for firms with smaller PCAOB audit practices, which the Board believes is appropriate. In addition, firms are able to evaluate the nature and extent of the documentation that is necessary to evidence the operation of the quality responses. In determining the sufficiency of the detail and extent of the QC documentation, the firm may identify quality responses for which the evidence required to be able to demonstrate that the quality response operated effectively may not entail retention of all the information produced in the day-to-day operation of the QC system. For example, in the event that a large volume of automated emails sent by the firm to its employees are evidence supporting that a quality response operated, the firm could evaluate whether alternative evidence (such as email delivery reports or other aggregated data) would provide sufficient support regarding the operation of the quality response— without having to prepare and retain all of the individual emails within the QC documentation. In addition, to the extent that the operation of the firm’s QC system includes sensitive data, the firm has flexibility to not include the sensitive data fields in the documentation that is prepared and retained to the extent that they are not necessary to evidence that the quality response operated effectively. Furthermore, informed by its oversight activities, the PCAOB has observed that firms currently archive and retain documentation for extended periods of time and are able to implement processes to appropriately safeguard the information. The PCAOB has also observed instances where firms have migrated systems and still maintained the appropriate documentation through archives or through migration of the information onto the new systems. As the note to paragraph .83b makes clear, documentation of every aspect of the operation of the firm’s QC system may not be required to evidence that each quality response operated effectively. For example, there may be certain documentation, such as emails or meeting invitations that are sent as part of the day-to-day operation of the E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices QC system, that may not be necessary to enable an experienced auditor to evaluate the effective operation of the quality responses. In these circumstances, the firm may determine it is not required to prepare and retain this information within the documentation of its QC system. However, the Board also believes that there may be circumstances in which an email or meeting invitation needs to be retained because it evidences how a quality response operated to address a quality risk and is necessary to enable an experienced auditor to evaluate the operation of the quality response. Although some commenters suggested the documentation requirements be analogous to the SEC’s ICFR documentation retention guidance, the Board does not believe that is an appropriate threshold. The SEC’s guidance indicates that management’s documentation needs to provide ‘‘reasonable support’’ for its ICFR assessment and that management’s documentation need not include all controls that exist within a process that impacts financial reporting, but should be focused on those controls that management concludes are adequate to address the financial reporting risks.352 QC 1000 is not a ‘‘reasonable support’’ standard and instead requires documentation to understand how the firm’s quality responses are designed to address the quality risks and evidence the operation of the QC system. The standard’s approach to documentation requirements is principles-based and provides for scalability. When determining the form, content, and extent of documentation, the firm will consider, among other things, the nature and circumstances of the firm and the nature and complexity of the matter being documented. For example, for a large multi-office firm that performs many audits under PCAOB standards, the extent of documentation would be greater than for a small, single-office firm with a few firm personnel that audits one issuer or broker-dealer. The firm’s documentation may take the form of formal written manuals and checklists or may be informally documented (e.g., in email communications), subject to the requirement of paragraph .83 that the documentation be in sufficient detail to support a consistent understanding of the QC system by firm personnel and for an experienced auditor to understand 352 See Commission Guidance Regarding Management’s Report on Internal Control Over Financial Reporting Under section 13(a) or 15(d) of the Securities Exchange Act of 1934, SEC Rel. No. 33–8810 (June 27, 2007), available at https:// www.sec.gov/files/rules/interp/2007/33-8810.pdf. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 the design, implementation, and operation of the QC system. The firm may determine that a detailed memo is a more appropriate form of documentation for more complex matters, whereas, for less complex matters, briefer communications, such as email, may suffice. The nature and circumstances of the firm and the nature and complexity of the matter being documented are not the only factors that could drive the form, content, and extent of documentation. There may be other factors, such as the nature of the firm’s engagements or the frequency and extent of changes in the firm’s QC systems. The Board believes this principles-based approach provides for scalability and that providing specific guidelines and detailed examples of various types of documentation would potentially limit firms’ flexibility unnecessarily. The proposal contemplated that firms would have to concurrently file their Form QC and assemble their documentation for retention by the same date. As adopted, the standard provides that firms have an additional 14 days after the date that the firm is required to file Form QC to assemble their documentation. Several commenters expressed concern with having the QC documentation completion date be concurrent with the date that the firm must report annually to the PCAOB on Form QC pursuant to paragraph .79. Many of these commenters recommended a document completion date 45 days after the reporting date, with some of these commenters suggesting that 45 days would ensure consistency with the requirements of AS 1215. One firm suggested that a full 45 days to assemble a complete and final set of documentation was not necessary, but the time period needed to assemble documentation should be built into an evaluation of the length of the reporting period if the final standard retained a document completion date concurrent to the reporting date. After consideration of the comments received, the Board revised paragraph .84 to provide firms up until December 14 (a total of 75 days after the evaluation date) to complete a final set of QC documentation. This includes an additional 14 days after the date that the firm is required to report to the PCAOB on Form QC. The 14-day period aligns with the changes to PCAOB requirements for engagement documentation.353 The Board believes that larger PCAOB audit practices with more complex and scaled up QC systems will employ the use of electronic tools in the assembly of the documentation of the QC system, and therefore a 14-day period to the QC documentation completion date is feasible. In addition, for smaller PCAOB audit practices with scaled down QC systems, the Board expects that the volume of documentation to be assembled will be smaller such that a 14-day period is also feasible for those firms. Furthermore, the Board notes that, because the final rule includes a longer period from evaluation date to reporting date than proposed, under the final standard firms will have 75 days after the evaluation date to assemble their documentation, rather than 45 days as proposed. The standard permits additional documentation supporting a firm’s QC system to be added after the QC documentation completion date in a manner similar to the addition of audit evidence to audit documentation under AS 1215.16. When this occurs, the standard requires a firm to indicate the date the information was added, the name of the person who prepared the additional documentation, and the reason for adding it. The standard also requires all previously retained documentation supporting the firm’s evaluation of its QC system to remain intact and not be discarded. The proposed standard contemplated that the firm would retain QC documentation for seven years from the QC documentation completion date, unless a longer period is required by law. Two firms commented that they believed the seven-year retention period to be cost-prohibitive. One of these firms commented that if the firm changed its systems, for example, it will have to maintain additional licenses for old systems to access and use the data and pay for up to seven years’ worth of storage, and it believes that maintaining that much data would introduce unnecessary cost as well as increased cybersecurity risk. The firm also commented that the seven-year retention period goes beyond the retention requirements of the quality management standards set forth by the 353 Amendments to the engagement documentation requirements in AS 1215 are addressed in a separate release. See Auditor Responsibilities Release. PO 00000 Frm 00105 Fmt 4701 Sfmt 4703 49691 E:\FR\FM\11JNN2.SGM 11JNN2 49692 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 AICPA 354 and IAASB,355 and that this difference could cause operational challenges. The firm recommended aligning the documentation requirements with the firm’s inspection and remediation cycle or allowing the firm to use a risk-based approach based on its judgment. Two firms opposed the seven-year period and suggested that it be based on the most recent inspection (for example, one year from the most recent inspection period), or until the inspection for a particular period has been completed. As discussed in the proposal, the Board was concerned that requiring the retention period to be aligned with the PCAOB inspection cycle would be too short. A firm’s remediation activities may span multiple years and the actions taken by the firm in certain areas may be informed by prior actions. Further, the objective of the documentation requirement is much broader than providing evidence for inspection purposes or enabling proper remediation. As described in the proposal, the Board believes that the documentation may also be useful for training purposes, ensuring the retention of organizational knowledge, and providing a history of the basis for decisions made by the firm about its QC system. One firm commented on these purposes and suggested that firms should determine what documentation has continuing relevance based on the circumstances. Another firm suggested that this could be reasonably handled by firms on a case-by-case basis, and any necessary documentation that could impact or inform future periods could be specifically retained. The firm further commented that some information would become stale over time and that it does not anticipate information retained early on being used for training or the retention of organizational knowledge in later years. A firm and a related group commented that a sevenyear retention requirement is appropriate as it pertains to documentation that supports a firm’s evaluation of its system of quality control and the related testing. 354 SQMS 1 requires the firm to establish a period of time for the retention of documentation for the system of quality management that is sufficient to enable the firm and its peer reviewer to monitor the design, implementation, and operation of the firm’s system of quality management or for a longer period if required by law or regulation. See paragraph 61. Of SQMS 1. 355 ISQM 1 requires the firm to establish a period of time for the retention of documentation for the system of quality management that is sufficient to enable the firm to monitor the design, implementation and operation of the firm’s system of quality management, or for a longer period if required by law or regulation. See paragraph 60. of ISQM 1. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 After consideration of the comments received, together with the amendment made to paragraph .83. of the standard, the Board adopted the requirement to retain documentation for seven years from the QC documentation completion date, unless a longer period of time is required by law, as proposed. Paragraph .86 was amended to clarify that the documentation to be retained for this period is the documentation of its QC system required under paragraphs .81– .83 and paragraph .85. This requirement aligns the QC document retention requirement with other requirements in PCAOB standards and SEC rules (such as 17 CFR 210.2–06). Furthermore, the documentation relating to the firm’s engagements must be retained for seven years,356 and the Board believes that it is appropriate for the firm to also retain documentation of the QC system that operated over those engagements for the same time period. For consistency and practical application, the retention period is the same for all firms and applies to all documentation the firm is required to accumulate to meet the documentation requirements of the standard. 2. Current PCAOB Standards Existing QC 20 provides that: • Appropriate consideration should be given to the extent to which QC policies and procedures, and compliance with them, should be documented.357 • The form, content, and extent of documentation depends on relevant factors, including the size, structure, and nature of the firm’s practice.358 • A firm should prepare appropriate documentation to demonstrate compliance with its policies and procedures for the QC system.359 • Documentation should be retained for a period sufficient to enable those performing monitoring procedures and a peer review to evaluate the extent of the firm’s compliance with its QC policies and procedures.360 QC 30 and the SECPS membership requirements include documentation requirements for certain items such as findings from certain monitoring activities, CPE, notification of cessation of client relationships, filing reviews under Appendix K, and corrective actions to address apparent independence violations.361 356 See AS 1215.14. QC 20.21. 358 See QC 20.24–.25. 359 See QC 20.25. 360 See QC 20.25. 361 See, e.g., QC 30.08; SECPS 1000.08(m), 1000.45, 1000.46, 8000. 357 See PO 00000 Frm 00106 Fmt 4701 Sfmt 4703 Additional Amendments QC 1000 supersedes the existing PCAOB interim QC standards in their entirety. Currently, Rule 3400T requires registered firms and their associated persons to comply with the AICPA’s quality control standards as in existence on April 16, 2003, to the extent not superseded or amended by the Board. Rule 3400T identifies the AICPA’s Statements on QC Standards (QC 20, QC 30, QC 40) and certain of the AICPA’s SECPS membership requirements, which are applicable only to firms that were members of the AICPA SEC Practice Section on April 16, 2003. The Board rescinded Rule 3400T. In consequence, the interim quality control standards referenced in Rule 3400T are no longer part of PCAOB standards. Rule 3400T is replaced with Rule 3400, which describes the auditor’s responsibilities for complying with quality control standards adopted by the Board and approved by the SEC. Other amendments to PCAOB standards, rules, and forms are described below. Amendments to AS 2901, Consideration of Omitted Procedures After the Report Date, and Related Amendments 1. Background Currently, AS 2901 applies when the auditor concludes, after issuing its report on the financial statements, that procedures ‘‘considered necessary at the time of the audit in the circumstances then existing’’ were omitted from an audit of the financial statements, but there is no indication that the financial statements are not fairly presented.362 Existing AS 2901 requires remedial action if (i) the auditor concludes that the omitted procedures impair its ability to support the previously issued opinion, and (ii) people are likely to rely on the report. If remedial action is required but the auditor is not able to perform the omitted procedures or alternative procedures that support the opinion, the standard directs the auditor to consult with counsel. Existing AS 2901 does not apply to ICFR audits or to attestation engagements. 2. Amendments to AS 2901 The Board believes that amendments to AS 2901 are appropriate to modernize the standard, incorporate the concepts and terminology introduced in QC 1000, and bring the standard into alignment 362 AS 2905, rather than AS 2901, applies if the auditor subsequently learns of facts regarding the financial statements existing at the date of its report that might have affected its opinion. Paragraph .98 of AS 2201 is an analogous provision in the context of ICFR audits. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices with the auditor’s existing responsibility to obtain sufficient appropriate audit evidence to support the opinion. QC 1000 introduces a new term, ‘‘engagement deficiency,’’ defined as an instance of noncompliance with applicable professional or legal requirements by the firm, firm personnel, or other participants with respect to an engagement of the firm, or by the firm or firm personnel with respect to an engagement of another firm. For an engagement deficiency related to a completed engagement, QC 1000 requires firms to take action to address the engagement deficiency ‘‘in accordance with applicable professional and legal requirements’’ (e.g., AS 2901, AS 2905, AS 2201.98–.99). The Board broadened the scope of AS 2901 to incorporate this new terminology, so that remedial action is required for engagement deficiencies for both financial statement audits and ICFR audits unless it was probable that the engagement report is not being relied upon.363 Reflecting this broader scope, the name of the standard was also changed to ‘‘Responding to Engagement Deficiencies After Issuance of the Auditor’s Report.’’ a. Scope and Applicability (AS 2901.01– .02) Note that, under PCAOB Rule 1001(a)(xii), ‘‘auditor’’ as used in AS 2901 means both firms and their associated persons. i. Engagements Covered khammond on DSKJM1Z7X2PROD with NOTICES2 Existing AS 2901 predates ICFR audit requirements and applies only to financial statement audits. The Board proposed to extend the scope of AS 2901 to cover engagement deficiencies in ICFR audits as well. Several commenters, generally firms, agreed with the proposal to extend the scope of AS 2901 to include engagement deficiencies in ICFR audits, and the Board adopted that change in scope. Similar to the concept in existing AS 2901, the Board proposed that the revised standard would not apply to engagements where it is probable that the audit report is not being relied upon.364 The proposed standard included a note providing that the firm must treat an engagement report as being relied upon if the engagement 363 See QC 1000.68b. 364 Under current AS 2901, the test is whether the auditor believes there are persons currently relying, or likely to rely, on the audit report. Under the final standard, the test would be whether it is probable that no one is relying, without reference to the auditor’s belief. The term ‘‘probable’’ has the same meaning as described in the FASB ASC paragraph 450–20–25–1. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 report is included in the most recent SEC filing on a form that requires its inclusion. One commenter pointed out that the use of the term ‘‘must’’ in the proposed note did not allow for the auditor to take into account situations that may indicate an auditor’s report is not being relied upon even when the auditor’s report is included in the most recent filing on an SEC form. Two commenters suggested that the standard should also exclude engagements where the issuance of the subsequent year’s auditor’s report is imminent. The Board agrees that the standard should allow for circumstances where the auditor’s report is included in the most recent filing on an SEC report, but the auditor may nonetheless conclude that the auditor’s report is no longer being relied upon. However, in the Board’s view, the fact that the issuance of the subsequent year’s auditor’s report is imminent is not determinative of whether the report continues to be relied upon. The Board revised the note to paragraph .01 to provide that, in the absence of circumstances indicating that reliance is impossible or unreasonable (e.g., cessation of a trading market for issuer securities), inclusion of an auditor’s report in the most recent filing on an SEC form that requires inclusion of such an auditor’s report evidences that the report is being relied upon. The Board believes this is responsive to commenter concerns and allows for sufficient flexibility. The note has also been revised to clarify that an auditor’s report can be included in an SEC filing either directly or through incorporation by reference. The determination that an auditor’s report is not being relied upon would primarily be influenced by whether the auditor’s report and related financial statements are readily available and whether a trading market exists for the company’s securities. Circumstances that may suggest the engagement report is no longer being relied upon could include: • So much time has elapsed that the financial statements covered by the auditor’s report are no longer required to be included in SEC periodic reports. • The issuer’s or broker-dealer’s business has been dissolved or gone into liquidation. ii. Compliance With AS 2905/AS 2201.98 Under the amendments, AS 2901 points the auditor to AS 2905 or AS 2201.98 to the extent they apply. This preserves the difference in treatment that exists under current auditing standards between situations where PO 00000 Frm 00107 Fmt 4701 Sfmt 4703 49693 financial statements and potentially the audit opinion may be in doubt (AS 2905 or AS 2201), and other circumstances where remedial action is required but there is no initial indication that the financial statements might be misstated (AS 2901). iii. Deficiencies Covered Existing AS 2901 applies when the auditor concludes that procedures considered necessary at the time of the audit in the circumstances then existing were omitted. As proposed, AS 2901 was extended to cover all engagement deficiencies identified. The Board believes it is more consistent with the basic philosophy of QC 1000 and better supports the ultimate goal of improving audit quality to require remedial action for all engagement deficiencies, regardless of whether the audit opinion is unsupported. b. Activities To Address Engagement Deficiencies AS 2901 currently requires remedial action when, due to omitted procedures that were considered necessary at the time of the audit, the auditor’s opinion is not sufficiently supported. The required action is to perform the omitted procedures or alternative procedures that would support the opinion. If that is not possible, the auditor is directed to consult an attorney to determine an appropriate course of action. Under the proposal, remedial action would be required for all engagement deficiencies—both those engagement deficiencies that affect the auditor’s opinion and those that do not. Many commenters expressed concern with the proposal to require remedial actions for all engagement deficiencies, with one commenter suggesting that remedial actions should only be required for major deficiencies, and another commenter suggesting that the need for remedial actions should be assessed on a case-by-case basis, taking into account the severity of the engagement deficiency. Several commenters suggested that firms should be able to exercise judgment about whether remediation is necessary and observed that in practice most identified engagement deficiencies are remediated. Other commenters considered the proposed requirement overly prescriptive and one commenter suggested that the requirement was unnecessarily burdensome for instances where the auditor’s report is adequately supported despite an identified engagement deficiency. On the other hand, two commenters expressed support for the Board’s approach to the E:\FR\FM\11JNN2.SGM 11JNN2 49694 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices obligation to remediate engagement deficiencies, with one commenter stating that requiring remedial action for all identified engagement deficiencies, not just in situations where the auditor’s opinion may be unsupported, would contribute to improving audit quality. The Board continues to believe that requiring firms to take action to address all engagement deficiencies, whether related to an unsupported auditor’s opinion or not, is appropriate and reinforces a firm’s obligation to comply with all applicable professional and legal requirements, and adopted this requirement as proposed. As discussed below, when the opinion is appropriately supported, the firm may determine which actions to take in response to an engagement deficiency. khammond on DSKJM1Z7X2PROD with NOTICES2 i. Addressing Engagement Deficiencies Related to an Unsupported Auditor’s Opinion (AS 2901.03) Under the proposal, in cases where the auditor did not obtain sufficient appropriate audit evidence to support the opinion, the auditor would have been required to either obtain additional evidence such that the opinion is adequately supported or take action to prevent future reliance on the report. One firm suggested that further guidance regarding these requirements would assist a firm in distinguishing between the engagement deficiencies that are subject to this provision rather than paragraph .04 (discussed below), or in the alternative, explicit alignment to the PCAOB’s definition of a Part I.A or Part I.B deficiency.365 The Board is reluctant to incorporate terminology into its standards that does not have a fixed meaning under PCAOB rules and is subject to change.366 The Board also does not want to suggest that the requirements apply only to deficiencies identified by the PCAOB. However, in order to address this concern, paragraphs .03a and .03b were revised to make it explicit that the auditor’s actions in paragraph .03b relate specifically to instances where the auditor is not able to obtain sufficient appropriate audit evidence to support the auditor’s opinion. The type of procedures that the auditor performs in response should be 365 Subsequent to the date of the comment letter, the PCAOB created an additional category, Part I.C deficiencies. Definitions of Part I.A, Part I.B, and Part I.C deficiencies are available on the PCAOB website at https://pcaobus.org/oversight/ inspections/inspection-procedures. 366 As an example of how the Board’s inspection reporting framework can change over time, in May 2023, the Board introduced several transparency enhancements to its inspection reports, including a new section of the inspection report focused on independence violations (Part I.C). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 guided by the type and amount of evidence needed to support the auditor’s opinion. If the auditor is not able to obtain sufficient appropriate evidence to support the opinion, the auditor is required to take appropriate action to prevent future reliance on the audit report. The Board also amended AS 2201 as part of this rulemaking to include a reference to AS 2901 as a reminder of auditor responsibilities under that section with respect to audits of internal control over financial reporting.367 ii. Addressing All Other Engagement Deficiencies Under the proposed standard, for all other deficiencies on audit engagements, the auditor would have been required to perform remedial actions, similar to those described in QC 1000.69, based on the auditor’s determination of what action (corrective, preventive, or both) is appropriate based upon the specific facts and circumstances. The proposal described the following potential responses to engagement deficiencies: • Take corrective action to completely remediate the deficiency, where appropriate. • For deficiencies that cannot be completely remediated, remediate to the extent possible and implement measures to prevent recurrence. For example, if a Form AP was filed late, the auditor would not be able to remediate the lateness but could improve the controls over the filing process. • Determine, based on the facts and circumstances, that no further remedial action is necessary, e.g., because of remedial actions already taken to respond to other deficiencies. One commenter suggested including language in the lead-in to the note to paragraph .04 to further clarify that the actions a firm may take to remediate an engagement deficiency could be either corrective or preventive, or could be a combination of the two. The note in the final standard reflects this clarification. Additionally, the term ‘‘remedial’’ was removed from the final standard in the lead-in to the note to paragraph .04 in order to encompass all actions required under applicable professional and legal requirements, some of which (e.g., notification to the board of directors or regulatory agencies) may not be remedial in nature. c. Documentation The proposed documentation requirement did not draw comment and was adopted as proposed. 367 See PO 00000 Appendix 5, Other Amendments. Frm 00108 Fmt 4701 Sfmt 4703 When the auditor’s response to engagement deficiencies involves adding additional information to the auditor’s working papers, the requirements of AS 1215.16 will apply. Under AS 2901, the auditor should document the actions taken pursuant to paragraphs .03 and .04 to address engagement deficiencies in an audit engagement where the audit report has previously been issued. This documentation requirement is consistent with the documentation requirements in proposed QC 1000.82c for all engagement deficiencies. 3. Related Amendments The Board proposed to add provisions similar to AS 2901 to the standards for broker-dealer attestation engagements, AT No. 1 and AT No. 2, to prompt auditors of brokers and dealers to take appropriate action if they discover that the opinion or conclusion in a previously issued attestation report was not supported. Currently, those standards are silent as to the responsibilities that apply when a deficiency is identified after the engagement report is issued. One commenter, who recommended changes to proposed AS 2901 (including that remediation should be required only when the auditor’s opinion may not be supported), suggested that the same changes be incorporated into AT No. 1 and AT No. 2. For the reasons discussed above in the context of AS 2901, the Board does not believe such a limitation is appropriate. However, the Board made a conforming change, similar to a change made to AS 2901, to the note to clarify that the auditor must treat reports as being relied upon when the examination report (in the case of AT No. 1) or review report (in the case of AT No. 2) is included (either directly or through incorporation by reference) in an SEC filing on an SEC form that requires inclusion of such an examination report or review report. The Board also made revisions to the proposed requirements in AT No. 1 and AT No. 2 by removing the word ‘‘remedial’’ from the lead-in language to the notes in each of the respective standards in order to encompass all actions required under applicable professional and legal requirements, some of which (e.g., notification to the board of directors or regulatory agencies) may not be remedial in nature. With these modifications, the Board adopted the proposed amendments to AT No. 1 and AT No. 2. The Board also amended AS 2201 as part of this rulemaking to include a reference to AS 2901 as a reminder of auditor responsibilities under that E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices section with respect to audits of internal control over financial reporting.368 The Board did not propose to amend its interim attestation standards to include provisions similar to AS 2901. One commenter encouraged the Board to consider creating a separate attestation standard like AS 2901 to minimize repetition within each attestation standard, especially if the Board plans to adopt new standards beyond AT No. 1 and AT No. 2 in the future. At this time, the Board did not amend its interim attestation standards to include provisions similar to AS 2901, though it may consider doing so in the future. Rescission of ET Section 102; Adoption of EI 1000; Related Amendments 1. Rescission of ET Section 102 and Adoption of EI 1000, Integrity and Objectivity The Board rescinded an interim ethics and independence standard, ET 102, Integrity and Objectivity, replacing it with a new standard, EI 1000, Integrity and Objectivity. EI 1000 is based on existing ET 102, including its related interpretations codified as ET 102.02, .03, and .05, but reflects revisions that align PCAOB ethics requirements with the scope, approach, and terminology of QC 1000. To take one example, the new EI 1000 applies to registered public accounting firms and their associated persons rather than current AICPA ‘‘members’’ as referenced in ET 102. Integrity and objectivity are foundational to the audit and critical to the performance of engagements under PCAOB standards. They lend credibility and engender trust in financial reporting. As the U.S. Supreme Court pointed out in United States v. Arthur Young: khammond on DSKJM1Z7X2PROD with NOTICES2 By certifying the public reports that collectively depict a corporation’s financial status, the independent auditor assumes a public responsibility transcending any employment relationship with the client. The independent public accountant performing this special function owes ultimate allegiance to the corporation’s creditors and stockholders, as well as to the investing public. This ‘‘public watchdog’’ function demands that the accountant maintain total independence from the client at all times, and requires complete fidelity to the public trust.369 The responsibility to maintain integrity and objectivity is an important counterbalance to the risk that the auditor may be unduly influenced by company management or may be subject 368 See Appendix 5, Other Amendments. States v. Arthur Young, 465 U.S. 805, 817–818 (1984). 369 United VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 to cognitive or other biases in performing the audit.370 In turn, an auditor’s integrity and objectivity can help to increase investor trust in financial reporting and strengthen capital markets. Currently, paragraph .01 of ET 102 sets out three requirements that apply in the performance of a professional service: (i) maintaining integrity and objectivity, (ii) being free of conflicts of interest, and (iii) not knowingly misrepresenting facts or subordinating judgment. The remaining paragraphs of the rule and the relevant portions of ET 191 provide more detailed direction in specific contexts. The Board proposed creating two overarching requirements in EI 1000: (i) maintaining integrity, which would include being honest and candid, not knowingly or recklessly misrepresenting facts, and not subordinating judgment; and (ii) maintaining objectivity, which would include being impartial, intellectually honest, and free of conflicts of interest. The proposal incorporated descriptions of integrity and objectivity that were substantially based on existing requirements in QC 20.10.371 In addition to substantially recodifying existing requirements, the Board also proposed to clarify the scope of the rule and more closely align it with the scope, approach, and terminology of QC 1000. With two clarifications discussed below, the Board adopted EI 1000 as proposed and rescinded ET 102. a. General As proposed, the Board modernized the standard and aligned it with other PCAOB standards and rules by renumbering it in accordance with the PCAOB’s reorganized standards framework, incorporating PCAOB terminology, and eliminating outdated provisions. The final rule clarifies that the requirements of EI 1000 apply in connection with all responsibilities under ‘‘applicable professional and legal requirements’’ (as defined in QC 1000) and the firm’s related policies and procedures, whether in relation to the firm’s engagements, work the firm does 370 See, e.g., Auditing Accounting Estimates, Including Fair Value Measurements and Amendments to PCAOB Auditing Standards, PCAOB Rel. No. 2018–005 (Dec. 20, 2018), at 30– 35 (discussing auditor incentives and potential cognitive biases). 371 QC 20.10 states: ‘‘Integrity requires personnel to be honest and candid within the constraints of client confidentiality. . . . The principle of objectivity imposes the obligation to be impartial, intellectually honest, and free of conflicts of interest.’’ PO 00000 Frm 00109 Fmt 4701 Sfmt 4703 49695 on other firms’ engagements, training, independence monitoring, or other activities that are part of or subject to the firm’s QC system. In addition, EI 1000 applies to registered firms and their associated persons, rather than to ‘‘members’’ as ET 102 currently provides. The final rule also corrects a reference in EI 1000.02.b(2) from ‘‘materially false and misleading’’ to ‘‘materially false or misleading.’’ One commenter supported the replacement of ET 102 with EI 1000, but recommended labeling it ‘‘OI’’ for Objectivity and Integrity. As described in the proposal, the Board created a designation not only for its standard on objectivity and integrity, but for future standards as well. The Board intends to use ‘‘EI’’ for all ethics and independence standards, just as it uses ‘‘AS’’ to designate auditing standards. While one commenter confirmed that the terms used in EI 1000 are generally clear, another commenter recommended clarifying the expectations for the terms ‘‘being honest and candid’’ in EI 1000.02 and ‘‘being intellectually honest’’ in EI 1000.03. This language is drawn from existing QC 20.10, has a clear plain English meaning, and the Board believes should be well understood. b. Integrity EI 1000.02 notes that, as part of maintaining integrity, a firm and its associated persons must be ‘‘honest and candid.’’ This requirement is drawn from existing QC 20.10. The Board omitted the reference to ‘‘within the constraints of client confidentiality’’ in order to avoid suggesting that ‘‘client confidentiality’’ could limit a firm’s or its associated persons’ obligations to comply with the requirements of PCAOB rules or standards. This is consistent with the Board’s interpretation of QC 20.10, under which a firm or its associated persons must be honest and candid in complying with PCAOB rules and standards, including during PCAOB inspections. It also confirms, among other things, that associated persons have the ability to report wrongdoing within the firm and to the appropriate regulatory authorities without constraints of confidentiality, consistent with PCAOB rules and standards. Similar to current QC 20.10, EI 1000.02 does not address the requirements of client confidentiality beyond the requirements set forth in PCAOB rules and standards and applicable requirements of the Federal E:\FR\FM\11JNN2.SGM 11JNN2 49696 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 securities laws, including the SarbanesOxley Act.372 One commenter suggested that, rather than removing the reference to confidentiality, the Board should instead refer to IESBA Code Section 260 related to noncompliance with laws or regulations. In general, the Board does not incorporate by reference the concepts and terminology used by other standard setters. In relation to noncompliance with laws and regulations in particular, the Board has proposed its own new standard.373 If a new PCAOB standard in that area is ultimately adopted by the Board and approved by the SEC and makes it appropriate for the Board to amend EI 1000, the Board would of course intend for EI 1000 to align with its new standard rather than the IESBA code. The proposal clarified that the responsibility to avoid factual misrepresentations covers not only knowing, but also reckless behavior, and that this responsibility applies to any knowing or reckless misrepresentation of fact, including situations where documents—such as work papers and communications with the PCAOB and the SEC—containing materially false or misleading information are knowingly or recklessly signed, permitted or directed to be signed, or left uncorrected by those with authority to correct them. One commenter suggested that the concept of failing to correct a document that is materially false and misleading when having the authority to do so should be limited to circumstances in which the document was materially false and misleading ‘‘when made.’’ The Board agrees that the duty to correct is not unbounded, and generally applies at the time that a document is made (including when filed with or submitted to a regulatory authority). The Board notes, however, that while EI 1000 does not independently impose a duty to correct a document that was not materially false or misleading when made, such a duty may arise under other statutes, laws, or regulations, and the Board believes that in such a 372 As a general matter, the Uniform Accountancy Act excludes from the prohibition against voluntary disclosure, in part, ‘‘information required to be disclosed by the standards of the public accounting profession in reporting on the examination of financial statements or as prohibiting compliance with applicable laws, government regulations or PCAOB requirements.’’ AICPA, Uniform Accountancy Act (January 2018). available at https://us.aicpa.org/content/dam/aicpa/advocacy/ state/downloadabledocuments/uaa-eighth-editionjanuary-2018.pdf. 373 See Proposing Release: Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations And Other Related Amendments, PCAOB Rel. No. 2023– 003 (June 6, 2023). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 circumstance, the failure to discharge that duty should also constitute a violation of EI 1000. The Board added language to EI 1000.02b to clarify the circumstances under which failure to correct a document would constitute a knowing or reckless misrepresentation of facts. The Board proposed to broaden the responsibility to avoid subordination of judgment so it would apply to any dispute or disagreement over applicable professional and legal requirements or how to apply them. One commenter suggested that, as part of the provision on subordination of judgment, the Board should address the risk of supervisors exercising undue influence over subordinates in the same manner as under the AICPA Code of Professional Conduct.374 The relevant interpretive provision of the AICPA Code, 1.130.020, Subordination of Judgment, identifies undue influence by a supervisor as a potential threat to compliance with the AICPA’s Integrity and Objectivity Rule 375 and provides safeguards to be applied when the threat is not at an acceptable level. The safeguards to be applied are essentially the same as the process required under EI 1000.02c, including research and consultation to determine whether the supervisor’s position is supportable, consultation with higher levels of management, and, if appropriate action is not taken, consideration of potential duties to notify third parties and consideration of the appropriateness of continuing a relationship with the firm. In addition to the provision in EI 1000, QC 1000 also addresses the risk of undue influence through a quality objective in the engagement performance component related to the appropriate resolution of differences in professional judgment,376 as well as general provisions that would apply to undue influence by a supervisor, including in the governance and leadership component,377 the ethics and independence component,378 and the resources component.379 The Board believes these provisions address the concerns raised by this commenter and have adopted the subordination of judgment provision of EI 1000 as proposed. c. Objectivity One commenter suggested that the Board could clarify the standard by including references to the AICPA or 374 AICPA Code of Professional Conduct 1.130.020, Subordination of Judgment. 375 Id. at 1.100.001. 376 QC 1000.42.c. 377 QC 1000.25. 378 QC 1000.33b, c., and f. 379 QC 1000.46a. PO 00000 Frm 00110 Fmt 4701 Sfmt 4703 IESBA concepts of conflict of interest. As noted above, it is not generally Board policy to incorporate by reference the concepts and terminology used by other standard setters. The Board also believes that a cross reference is not appropriate because EI 1000 addresses essentially the same conduct as the AICPA and IESBA provisions. d. Rescission of Certain AICPA Interpretations Additionally, the Board rescinded the former AICPA interpretations currently codified as ET 102.04, .06, and .07, which address members’ obligations to their employer’s external accountant, performance of educational services, and professional services involving client advocacy, respectively. These are generally not relevant to engagements performed under PCAOB standards. In addition, the matters addressed in paragraph .07 are either effectively superseded by 17 CFR 210.2–01 or more effectively addressed elsewhere in PCAOB standards (e.g., AS 2610, Initial Audits—Communications Between Predecessor and Successor Auditors). 2. Amendments to ET Section 191 In connection with EI 1000, the Board also proposed amending ET 191 by making a conforming amendment to paragraph .062 and rescinding paragraphs .130, .131, .170, .171, .186, .187, .198, .199, .202, and .203. The only commenter on this topic supported these amendments. The Board adopted the amendments as proposed. The interpretations the Board rescinded (addressing, respectively, use of the CPA designation by accountants not in public practice, service as a director of a bank, service on the board of directors of United Way or a similar federated fund-raising organization, providing services for company executives, and providing client advocacy services) are generally not relevant to engagements performed under PCAOB standards or are addressed elsewhere in PCAOB and SEC rules. The Board did not amend the portions of ET 191 that pertain to ET 101, which is not being substantively amended in this rulemaking. 3. Amendments to Rule 3500T, Interim Ethics and Independence Standards, and ET Section 101, Independence The Board proposed amending paragraph (a) of Rule 3500T to eliminate the introductory phrase ‘‘In connection with the preparation or issuance of any audit report,’’ which it believes may cause the rule to be read unduly narrowly. The Board also proposed eliminating references to ET 102, Integrity and Objectivity, and E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices substituting a reference to EI 1000, Integrity and Objectivity. These proposed amendments did not receive any comment and were adopted as proposed. Lastly, the Board amended paragraphs .04, .13, and .16 of ET 101, Independence, to conform the references to ET 102, which will be rescinded, to EI 1000. Other Amendments In connection with the adoption of QC 1000, the Board also adopted amendments to other professional standards, PCAOB rules, and PCAOB forms. As discussed in more detail below, these amendments: • Align terminology, concepts, and cross-references with QC 1000; • Rescind standards that are unnecessary in light of the adoption of QC 1000; • Recodify certain provisions of requirements that are rescinded into other PCAOB standards and rules; and • Make other technical and clarifying amendments. The one commenter that addressed this topic generally supported the amendments and also recommended an amendment to PCAOB Rule 1001(p)(vi) to use the term ‘‘quality control standards’’ instead of ‘‘quality control policies and procedures.’’ The language used in PCAOB Rule 1001(p)(vi) is drawn from section 110(5) of SarbanesOxley and the Board believes its rule should continue to align with that statutory provision. These amendments are discussed further below. khammond on DSKJM1Z7X2PROD with NOTICES2 1. Rescission of Rule 3400T, Interim Quality Control Standards; Adoption of Rule 3400, Quality Control Standards These rule changes did not receive any comment and were adopted as proposed. PCAOB Rule 3400T, Interim Quality Control Standards, requires registered public accounting firms and their associated persons to comply with the Board’s interim quality control standards. The Board rescinded Rule 3400T, including all current QC standards identified in the rule, which the Board adopted on an interim, transitional basis.380 The Board adopted 380 Under PCAOB Rule 3400T(a), all firms are required to comply with QC standards as described in ‘‘the AICPA’s Auditing Standards Board’s Statements on Quality Control Standards, as in existence on April 16, 2003 (AICPA Professional Standards, QC §§ 20–40 (AICPA 2002)), to the extent not superseded or amended by the Board.’’. PCAOB Rule 3400T(b) requires certain firms to comply with QC standards as described in ‘‘the AICPA SEC Practice Section’s Requirements of Membership (d), (l), (m), (n)(1), and (o), as in VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 in its place a new rule, Rule 3400, to codify the auditor’s responsibilities for complying with the Board’s quality control standards. 2. Rescission of AS 1110, Relationship of Auditing Standards to Quality Control Standards The Board received no comment on the proposed rescission of AS 1110 and rescinded it, as proposed. At the time AS 1110 was issued, it served to describe the relationship between the then already-existing auditing standards and the new set of standards that governed a firm’s system of quality control. This relationship is now well understood by firms and clarified within QC 1000. In addition, the first two paragraphs of AS 1110 merely repeat the requirements to comply with the auditing and QC standards that are addressed by other PCAOB standards and rules. Accordingly, the Board rescinded AS 1110. 3. Adoption of AS 1310, Notification of Termination of the Auditor-Issuer Relationship The Board adopted a new standard, AS 1310, which recodifies existing requirements of SECPS 1000.08(m), Notification of the Commission of Resignations and Dismissals from Audit Engagements for Commission Registrants, and applies those requirements to all firms and all issuer engagements. As noted above, the Board rescinded the QC standards that pertain only to firms that were SECPS members at the time the PCAOB was created. In lieu of the SECPS requirement, the Board adopted a new standard that requires the auditor to notify the SEC upon resignation or dismissal from an audit engagement of an issuer if the issuer does not report such change in a current report on Form 8–K. The only commenter to address this proposed standard agreed that it could provide valuable and timely information to investors to alert them when audit committees have failed to fulfill their reporting responsibilities. The Board notes, however, that notifications provided under the current SECPS requirement might not be made publicly available. Nevertheless, the Board believes that notices provided to the SEC under the standard could provide existence on April 16, 2003 (AICPA SEC Practice Section Manual 1000.08(d), (j), (m), (n)(1), and (o)), to the extent not superseded or amended by the Board.’’ PCAOB Rule 3400T(b). The note to Rule 3400T provides that those requirements ‘‘only apply to those registered public accounting firms that were members of the AICPA SEC Practice Section on April 16, 2003.’’ PO 00000 Frm 00111 Fmt 4701 Sfmt 4703 49697 valuable information to the SEC. Therefore, the Board adopted the standard substantially as proposed, with a revision to conform to the precise language on Form 8–K. This requirement applies to all issuer engagements, regardless of whether the firm was a member of the SECPS and regardless of whether the issuer is required to report on Form 8–K. 4. Amendments to AT Section 101, Attest Engagements These amendments did not receive any comment and were adopted as proposed. The amendments to AT Section 101 align with the rescission of AS 1110 discussed above, by deleting the paragraphs that address the relationship of attestation standards to QC standards. Additionally, the deletion of footnote 23 removes language related to monitoring compliance with quality control policies and procedures, which is unnecessary in light of the adoption of QC 1000. 5. Amendments to Form 1, Application for Registration The Board proposed to amend Form 1 to (i) refer to QC 1000 in the instructions in order to prompt firms to consider their obligations with respect to QC in connection with their application for registration, and (ii) add a new item whereby firms confirm whether they have designed a QC system in accordance with PCAOB standards. The only commenter to address this amendment agreed that the amendments would be appropriate. The Board adopted these amendments as proposed. 6. Amendments to Form 2, Annual Report Form The Board proposed to amend Form 2 to add a new item whereby firms would confirm (i) that they have designed a QC system in accordance with PCAOB standards; and (ii) whether they were required to implement and operate a QC system in accordance with PCAOB standards at any time during the period of time covered by Form 2. The only commenter to address this amendment agreed that the amendments would be appropriate. The Board adopted these amendments as proposed. 7. Technical and Conforming Amendments These amendments did not receive any comment and were adopted as proposed. The Board implemented a number of technical and conforming amendments to align terminology and concepts in E:\FR\FM\11JNN2.SGM 11JNN2 49698 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 existing standards and one PCAOB form with QC 1000. The Board also implemented a technical amendment to the instructions to Form AP to clarify an exclusion from disclosing the identity of, and hours incurred by, accounting firms in certain circumstances. The Board, when it adopted Form AP, stated that it intended to exclude the reporting of ‘‘hours incurred in the audit of entities in which the issuer has . . . an investment’’ using the equity method of accounting.381 Form AP currently excludes hours ‘‘of an accounting firm performing the audit of entities in which the issuer has an investment that is accounted for using the equity method,’’ but the Board is concerned that such language might be read to exclude all of the audit work performed by such an accounting firm on an audit, rather than only those hours spent performing the audit of entities in which the issuer has an investment accounted for using the equity method. The Board revised the instruction in Part IV of the form to exclude from its disclosure requirements the identity of, and hours incurred by, accounting firms ‘‘in performing’’ the audit of entities in which the issuer has an investment that is accounted for using the equity method, which clarifies that the identity of, and hours incurred by, such firms with respect to other work on the audit must be disclosed on Form AP, unless they are subject to other Form AP exclusions. Effective Date In the proposing release, the Board sought comment on the amount of time auditors would need before the proposed new quality control standard and the other proposed amendments to PCAOB standards, rules, and forms, if adopted by the Board and approved by the SEC, become effective. We proposed an effective date of December 15 of the year after approval by the SEC. One commenter agreed that the proposed effective date should be reasonable in practical terms. Another commenter asserted that the standard is not clear on the effective date as it relates to design and implementation and operating effectiveness, and recommended that the Board allow firms significant time between the release of the final standard and its effective date. One commenter suggested that an 11-month period from the effective date to the first evaluation 381 See Improving the Transparency of Audits: Rules to Require Disclosure of Certain Audit Participants on a New PCAOB Form and Related Amendments to Auditing Standards, PCAOB Rel. No. 2015–008 (Dec. 15, 2015), at 26. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 date would not be practicable, and firms would need time to consider whether and how to transition from their evaluation date previously established under ISQM 1. Several commenters suggested that if the standard is approved in 2023, and becomes effective on December 15, 2024, this would provide challenges to auditors. Some of these commenters further suggested that the proposed effective date would be particularly challenging for smaller firms that might not have already implemented ISQM 1 and do not have to implement SQMS 1 until December 15, 2025. Commenters suggested alternative effective dates such as December 15, 2025; 18 months after approval by the SEC and no sooner than December 15, 2025; the later of 12 months after approval by the SEC or December 15, 2025; or two years after SEC approval. One commenter suggested a phased approach such that the effective date would be different for firms that are annually inspected than for other firms, while other commenters suggested that firms that are required to implement incremental requirements based on the size of the firm should be provided additional time to implement the incremental requirements. One commenter suggested that an overly speedy adoption timeline could create unintended consequences such as disruption to QC systems and increased difficulty of getting buy-in on the proposed QC changes from stakeholders. Another commenter suggested that an additional one to two years may be needed for firms with less than 100 issuers, or that have not adopted ISQM 1, to develop and implement the additional monitoring, evaluation and remediation requirements. The commenter further suggested that a proposed initial evaluation date that is eleven and a half months after the effective date may not allow enough time for remediation and that the PCAOB should consider a longer onboarding process. After considering the comments received subject to approval by the SEC, the final standard and related amendments to auditing standards, rules, and forms will take effect on December 15, 2025. The Board believes that an effective date of December 15, 2025 strikes an appropriate balance between the benefits to investors of having QC 1000 take effect as promptly as practicable, while allowing sufficient time for firms to design and implement robust, QC 1000-compliant QC systems. One commenter suggested the Board consider how mergers and acquisitions of firms would impact the effective date PO 00000 Frm 00112 Fmt 4701 Sfmt 4703 for the standard, and suggested the Board consider similar guidance to the SEC that provides that issuers may exclude an acquired business’s internal control over financial reporting from its assessment of internal control for up to one year or for one assessment. After consideration of the comment received, the Board appreciates that it could take time to fully integrate a newly acquired firm’s QC system and perform an evaluation of its effectiveness. However, the Board does not believe that it is appropriate or consistent with its investor protection mandate to allow for a portion of a firm’s QC system to be excluded from the annual evaluation. The Board believes that specific quality risks could arise as the result of a merger or acquisition, and that firms should be designing, implementing, and operating quality responses to address these as part of merger planning and execution. Furthermore, if, as a result of a merger or acquisition between registered public accounting firms, the resultant firm is unable to conclude that the QC system is effective as of the evaluation date, then the Board believes that it is essential that the firm has identified and is remediating the QC deficiencies that exist as a result of the merger or acquisition and is monitoring any impact on the firm’s engagements. Unlike ISQM 1 and SQMS 1, under QC 1000, the requirements for QC system evaluation are not being implemented on a delayed basis. When QC 1000 takes effect, all provisions of QC 1000 will take effect. Because the evaluation date of September 30 builds in over a nine-month delay between the effective date of the standard and the first evaluation date, the Board does not believe further delaying the effective date of the evaluation requirements would be necessary or appropriate. However, the first evaluation period will be of the period beginning on the effective date of the standard (i.e., December 15, 2025) and ending on the next September 30, rather than the 12month period ending on that September 30. D. Economic Considerations and Application to Audits of Emerging Growth Companies Economic analysis is an important aspect of the rulemaking process. This economic analysis describes the baseline for evaluating the economic impacts of the rulemaking, the need for rulemaking, its expected economic impacts (including benefits, costs, and potential unintended consequences), and reasonable alternatives considered. Due to data limitations, much of the economic analysis is qualitative in E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 nature; however, where reasonable and feasible, the analysis incorporates quantitative information, including information from PCAOB inspections of registered firms. The Board has sought information relevant to the economic analysis over the course of this rulemaking.382 To the extent that commenters expressed views related to the economic analysis, many commenters generally agreed with the need for QC 1000, but some commenters raised concerns with certain impacts of the proposed standard. Several commenters expressed concerns about costs associated with certain key requirements, such as documentation. Some commenters suggested that the economic analysis should more explicitly consider costs that could disproportionately impact smaller and mid-size firms. Some commenters asserted potential unintended consequences with the proposed standard, including demand on staff resources and potential competitive effects, while other commenters suggested alternatives to help manage costs associated with certain proposed requirements, such as the 100-issuer threshold and evaluation and reporting dates. Some commenters offered a quantitative perspective regarding impacts. Several commenters referenced additional academic research for the Board’s consideration. The Board considered all the comments received, including the quantitative perspectives and academic research the comments referenced, and has developed the following economic analysis that evaluates the expected benefits and costs of the final requirements, discusses potential unintended consequences, and facilitates comparison to alternative actions considered. Baseline The discussion above provides an overview of current PCAOB QC standards; summarizes observations from PCAOB oversight activities; and describes developments in the auditing environment since the adoption of current PCAOB QC standards, including the actions of other standard setters. This section expands on that discussion by describing additional aspects of the economic baseline against which the economic impacts of the requirements can be considered and presenting other relevant information on the audit services market for issuers and brokerdealers. Specifically, this expanded discussion includes: 382 See PCAOB Rel. No. 2022–006; PCAOB Rel. No. 2019–003. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 • Three complementary proxies for the level of compliance with professional standards applicable to the performance of engagements, derived from PCAOB inspections data. Analysis of these proxies informs the baseline for considering the expected benefits of the requirements (e.g., improved compliance with professional standards).383 • Information on resources that U.S. global network firms (‘‘GNFs’’) invest in their QC systems. As the requirements are expected to result in changes to some firms’ QC systems, this information informs the baseline for considering the expected costs of the requirements. • Changes firms have made to their QC systems to remediate QC deficiencies identified by PCAOB inspections staff and presents QC deficiencies related to firms’ management of their audit practices. This discussion provides information on the evolution of QC systems and informs the evaluation of the need for and the economic impacts of the requirements. • A concise survey of academic literature on quality-threatening behaviors that suggest certain weaknesses in some QC systems in practice. • Key assumptions regarding how QC systems are likely to evolve absent the requirements. In describing the baseline,384 the analysis presents anonymized and aggregated summary statistics regarding deficiencies included in past PCAOB inspection reports. Since PCAOB inspection reports do not consider broker-dealer engagements, the analysis also presents anonymized and aggregated summary statistics regarding audit and attestation engagement deficiencies included in annual reports on the PCAOB’s interim inspection program related to audits of brokers and dealers. The following background 383 See below for further discussion. scope of the information on inspections and remediation efforts presented in the baseline section is limited to those firms that are subject to inspection under Sarbanes-Oxley; specifically, firms that provide one or more audit reports for an issuer, broker, or dealer and firms that play a substantial role in the preparation or furnishing of such audit reports. See section 104(a)(1), (2), and (b)(1) of Sarbanes-Oxley, 15 U.S.C. 7214(a)(1), (2), and (b)(1). In particular, PCAOB’s analysis of deficiencies included in past PCAOB inspection reports does not include registered firms that would be subject only to design requirements on the basis that they do not perform ‘‘engagements’’ as defined in QC 1000. Based on Form 2 reporting as of June 30, 2023, approximately 60% of registered firms reported that they had not issued an audit report for an audit of an issuer or broker-dealer or played a substantial role in such an engagement during the preceding 12 months. 384 The PO 00000 Frm 00113 Fmt 4701 Sfmt 4703 49699 information associated with this quantitative inspection information bears emphasizing: • QC deficiencies presented in Part II of a PCAOB inspection report 385 may relate to: (1) a firm’s management of its audit practice or (2) a firm’s performance of audit procedures.386 QC deficiencies of the first type refer to the operation of QC policies and procedures. For example, a QC deficiency related to a firm’s management of its audit practice may be identified through inspection staff’s review of how the firm considers and addresses risks in connection with engagement acceptance and continuance decisions. QC deficiencies of the second type are inferred through analysis of deficiencies identified during inspections of individual issuer audit engagements. For example, a QC deficiency related to a firm’s performance of audit procedures may be identified through inspection staff review of the performance of audit procedures related to management’s accounting estimates.387 • Deficiencies presented in Part I.A of an inspection report represent deficiencies in issuer audits selected for inspection that were of such significance that the Board believes that the firm, at the time it issued its audit report, had not obtained sufficient appropriate audit evidence to support its opinion on the issuer’s financial statements and/or internal control over financial reporting. As part of the PCAOB’s process for reviewing firms’ QC systems, PCAOB inspection teams evaluate whether identified deficiencies in individual audits indicate a defect or potential defect in a firm’s QC system. However, a Part I.A deficiency does not, on its own, necessarily imply significant defects or potential defects in a firm’s QC system. The PCAOB inspection team will consider the nature, significance, and frequency of deficiencies and related firm methodology, guidance, practices, and possible root causes when assessing whether Part I.A deficiencies in individual audits indicate significant 385 Part II of a firm’s inspection report includes any criticisms of, and potential defects in, the firm’s QC system, that were communicated to the firm as part of a PCAOB inspection. As required under Sarbanes-Oxley, any QC deficiencies observed during a PCAOB inspection are not included in the public portion of the relevant inspection report when first issued. If a firm does not address to the Board’s satisfaction criticisms of, and potential defects in, the firm’s QC system within 12 months after the issuance of the PCAOB inspection report, Part II of the report will be issued publicly to include such deficiencies. Additional information is available on the PCAOB website at https:// pcaobus.org/oversight/inspections/remediation. 386 See PCAOB Rel. No. 2012–003, at 8–9. 387 See PCAOB Rel. No. 2012–003, at 8. E:\FR\FM\11JNN2.SGM 11JNN2 49700 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices defects or potential defects in a firm’s QC system that should appear in Part II of the firm’s inspection report.388 • The Dodd-Frank Wall Street Reform and Consumer Protection Act gave the PCAOB oversight of auditors of brokerdealers registered with the SEC. In June 2011, the PCAOB established an interim program to inspect these auditors and identify and address with them any significant issues observed in their audits and related attestation engagements. This interim inspection program remains in place today. The inspection processes for audits of issuers and broker-dealers are different in many respects, including the applicable laws, rules, and professional standards; the inspection selection process; inspection focus areas; and reporting of inspection results. In particular, unlike PCAOB inspections of issuer audits, which lead to an inspection report for each inspected firm, the PCAOB issues a single annual report on the interim inspection program related to audits of brokersdealers, which summarizes the results of the PCAOB’s inspections of brokerdealer engagements performed during the previous year.389 • The analysis of QC and issuer audit deficiencies below is presented over a twelve-year period for three separate categories of firms: (1) U.S. GNFs, (2) other firms having more than five inspected issuer engagements, and (3) other firms having five or fewer inspected issuer engagements.390 khammond on DSKJM1Z7X2PROD with NOTICES2 388 Additional information on PCAOB inspection procedures is available on the PCAOB website at https://pcaobus.org/oversight/inspections/ inspection-procedures. 389 See Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers, PCAOB Rel. No. 2023–005 (Aug. 10, 2023). Additional information on the interim inspection program is available on the PCAOB website at https://pcaobus.org/resources/information-foraudit-firms/information-for-auditors-of-brokerdealer. 390 Time trends can help to identify associative relationships and may suggest how the audit market could evolve absent the requirements. However, time trends in PCAOB inspection deficiencies depend on, among other things, changes in the set of firms and engagements selected for inspection. Firms that issue 100 or fewer audit reports for issuers are, in general, inspected at least once every three years. Firms that issue audit reports for more than 100 issuers are inspected annually. Therefore, the set of inspected firms and engagements is not fixed year over year. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 Categorizing inspections information among firms of different sizes helps account for the significantly skewed variation in audit firm size present in the audit market.391 The 2011 through 2022 period is used because information from earlier inspection years is less comparable and information from later inspection years was not completely available as of the date of this analysis. Information was preliminary for the 2022 inspection year as of the date of the PCAOB staff analysis. • The analysis of audit and attestation engagement deficiencies included in annual reports on the PCAOB’s interim inspection program related to audits of brokers and dealers below is presented over a 12-year period. The 2011 through 2022 period is used because 2011 was the first year of the interim inspection program and 2022 is the most recent year that data are available as of the date of this analysis. Information on deficiencies associated with attestation examinations or reviews is not available prior to 2015 because 2015 was the first full year during which the PCAOB was able to review attestation engagements of brokers and dealers. 1. Proxies Related to Compliance With Professional Standards This subsection presents analyses of three quantitative proxies for the level of compliance with professional standards and thus provides information on the baseline for considering the key expected benefit of the requirements: improved compliance with professional standards. Specifically, it presents information on Part I.A deficiencies, QC deficiencies related to audit performance, and broker-dealer engagement deficiencies, from the audits or engagements PCAOB inspected. Overall, the analyses suggest that some firms’ QC systems may not be providing the required reasonable assurance. Broker-dealer engagements and issuer audits performed by firms 391 Current PCAOB QC standards recognize that the nature, extent, and formality of a firm’s QC policies and procedures should take into account various factors, including the size of the firm. Because PCAOB QC assessments also take into account these factors, the number of QC deficiencies across each of the three categories of firms are not directly comparable. See PCAOB Rel. No. 104–2006–077, at 9–10. PO 00000 Frm 00114 Fmt 4701 Sfmt 4703 other than U.S. GNFs appear to have more room for improvement on average based on the period examined. a. Part I.A Deficiencies Figure 1 presents for categories of PCAOB-inspected audits the percentage of inspected issuer audits having at least one Part I.A deficiency. PCAOB staff calculated the Part I.A deficiency rates by dividing the number of inspected issuer audits that had at least one Part I.A deficiency by the number of inspected issuer audits for each given year. The Part I.A deficiency rate should not be equated with the rate of audit deficiencies across the whole issuer population. It may understate the true rate of issuer audit deficiencies because some deficiencies may not rise to the level of a Part I.A deficiency and because PCAOB inspectors do not inspect all aspects of inspected audits. However, it may also overstate the true rate of issuer audit deficiencies because PCAOB inspectors generally focus their attention on, among other things, audits and audit areas with a heightened risk of material misstatement. Despite these potential biases in the Part I.A deficiency rate, the Board believes that the Part I.A deficiency rates presented in Figure 1 are indicative of underlying issuer audit deficiencies. However, there are two caveats that may impact the interpretation of Figure 1. First, because the audits with deficiencies are not drawn from a random sample, the deficiencies could be driven in part by changes over time in the proportion of reviewed audits that were selected based on characteristics associated with high-risk audits. Second, PCAOB inspections staff review more focus areas during reviews of U.S. GNF issuer audits than they do during reviews of other firms’ issuer audits, increasing the opportunity for a reviewed U.S. GNF issuer audit to have at least one Part I.A deficiency. For U.S. GNFs, Figure 1 shows that the percentage of inspected issuer audits having at least one Part I.A deficiency was 37% in 2011 and 30% in 2022 For other firms, the percentage has remained in the 31% to 53% range. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices 49701 Figure 1. Percentage of Inspected Issuer Audits Having at Least One Part I.A Deficiency (2011-2022) 60% -U.S.GNFs 40% -Other Firms Having More Than Five Engagements Reviewed 20% -'"""""'"Other Firms Having Five or 10% Fewer Engagements Reviewed 0% 2013 2015 khammond on DSKJM1Z7X2PROD with NOTICES2 Figure 2 provides additional insight on how the percentage of inspected issuer audits having at least one Part I.A deficiency varies by firm. Each bar indicates the percentage of 2020, 2021, and 2022 firm inspections with a Part I.A deficiency rate within a given range. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 2017 2019 2021 For example, Figure 2 indicates that 22% of all 2020, 2021, and 2022 U.S. GNF inspections and 11% of all 2020, 2021, and 2022 inspections of other firms with more than five inspected engagements had a Part I.A deficiency rate below 10%. Figure 2 excludes firm PO 00000 Frm 00115 Fmt 4701 Sfmt 4703 inspections with five or fewer inspected engagements because the Part I.A deficiency rate is a less informative proxy in these cases due to the small number of inspected engagements. E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.013</GPH> 2011 49702 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices Figure 2. Percentage of Firm Inspections with a Part I.A Deficiency Rate within a Given Range (2020-2022) 60% 54% ■ US.GNFs ■ Other Finns Having More ThanFilre Engagements Re,..-iewed <lOo/o 10-200/4 20-:3()1¼ 30--40'ro >40%1 .Part IA Deficiency Rate Range b. QC Deficiencies Related to Audit Performance Figure 3 presents the average number of QC deficiencies related to audit performance per inspected firm. QC deficiencies related to audit performance are inferred through analysis of inspections of individual audits and thus represent another proxy for the level of compliance with professional standards. To prepare Figure 3, PCAOB staff counted the number of distinct QC deficiencies related to audit performance in Part II of PCAOB inspection reports. Staff assigned a zero to firm inspections that resulted in no QC deficiencies related to audit performance. Staff then calculated averages per inspected firm by year and firm group, assigning equal weight to each QC deficiency regardless of its nature or whether it was a repeat deficiency. While the total number of QC deficiencies is not readily comparable across each of the three categories of firms because of differences in inspection approach, the averages have ranged between 3.3 and 15.8 for U.S. GNFs, between 2.9 and 8.0 for other firms having more than five engagements reviewed, and between 0.9 392 Firms that issued audit reports with respect to 100 or fewer issuers during the prior calendar year (‘‘triennial firms’’) must be inspected at least once every three years. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 PO 00000 Frm 00116 Fmt 4701 Sfmt 4703 and 2.7 for other firms having five or fewer engagements reviewed. Two caveats may impact the interpretation of Figure 3. First, starting in 2019, the PCAOB revised its approach to identifying QC deficiencies related to audit performance. The Board believes this policy change reduced the number of QC deficiencies related to audit performance for some of the inspections of non-affiliated firms (‘‘NAFs’’) but not for the U.S. GNFs. Second, the variability in the deficiency rate in the second panel may be due in part to yearover-year changes in the set of firms having more than five engagements reviewed, which may include triennial firms.392 E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.014</GPH> khammond on DSKJM1Z7X2PROD with NOTICES2 Note: During the 2020, 2021, and 2022 inspection years, there were in total 18 inspections of U.S. GNFs and 35 inspections of other firms having more than five engagements reviewed. Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices 49703 Figure 3. Average Number of QC Deficiencies Related to Audit Performance Per Inspected Firm (2011-2022) <4 :20 --- ... --- ----- - - . - --- -Other Firms Having Five or Fewer Engagements Reviewed -Other Firms Having More Than Five Engagements Reviewed -U.S.GNFs 4 't ,o m1 mu ms m1 m, DI c. Broker-Dealer Engagement Deficiencies Figure 4 presents the percentage of broker-dealer audits with deficiencies and the percentage of attestation engagements and reviews with deficiencies, among the selected sample 2013 of PCAOB engagements. The percentages are reproduced from the PCAOB’s annual reports on the interim inspection program related to the audits of broker-dealers. The percentages are equal to the number of inspected engagements for which there were 2015 2017 deficiencies divided by the number of inspected engagements. The percentages of audits and attestation examinations with deficiencies have remained greater than 45%. The percentage of attestation reviews with deficiencies has remained in the 23% to 54% range. Figure 4. Percentages of Broker-Dealer Engagements with Deficiencies (2011-2022) 100% -Deficiencies Associated with Audits ~ Deficiencies Associated with Attestation Examinations "'''•''''' Deficiencies Associated with Attestation Reviews 80% 60% 40% 2013 EN11JN24.016</GPH> 0% 2011 VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 PO 00000 Frm 00117 Fmt 4701 Sfmt 4725 E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.015</GPH> khammond on DSKJM1Z7X2PROD with NOTICES2 20% 49704 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 2. Resources Associated With QC systems Firms implement their QC systems through a set of policies and procedures. These policies and procedures vary across firms, reflecting both the principles-based nature of current QC standards and the variation in firms’ particular circumstances. To inform the baseline for considering the expected costs of the requirements, PCAOB staff: (1) held initial discussions with U.S. GNFs to obtain qualitative information regarding the resources associated with their QC systems and (2) conducted a voluntary survey of U.S. GNFs on the resources they employ to design, implement, and operate QC policies and procedures. Overall, the information indicates the resources that U.S. GNFs are already devoting to the design, implementation, and operation of QC policies and procedures related to the ISQM 1 requirements. The U.S. GNF survey requested both qualitative and quantitative information for each of the eight QC system components specified by ISQM 1: risk assessment, governance and leadership, independence and ethics, acceptance and continuance, engagement performance, resources (human, intellectual, and technological), information and communication, and monitoring and remediation.393 In addition, the survey requested qualitative and quantitative information related to network requirements or network services, evaluation of the QC system, and documentation.394 The request referred to ISQM 1 explicitly in order to facilitate comparability of the information gathered across firms and to the proposed QC standard. All six U.S. GNFs provided qualitative information and five provided quantitative information. Staff received completed surveys between June 23 and July 6, 2021. The respondents provided the information as of their most recently completed fiscal year-end or QC system assessment date. The qualitative information that PCAOB staff received indicates that U.S. GNFs’ QC policies and procedures are extensive and highly integrated with the audit process. Multiple groups, teams, functions, and individuals participate in the design, implementation, and operation of QC policies and procedures. Engagement teams play a key role in the operation of many QC policies and procedures. Among other QC-related responsibilities, engagement 393 See 394 See paragraphs 23–33 and 35–47 of ISQM 1. paragraphs 48–60 of ISQM 1. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 teams often assist in acceptance and continuance decisions; initiate consultations; help maintain accurate and complete information within independence systems; attend training; and initiate and complete individual performance evaluations. The U.S. GNFs’ QC systems involve multiple IT systems that support QC activities and may also serve other operational functions. These QC systems may also rely upon work or services provided by the firm’s global network and/or third-party vendors. Global network services may relate to development and maintenance of technological and intellectual resources (e.g., global audit methodology, global independence and assurance policies and procedures, etc.) or monitoring the quality of audit services performed by network affiliates. The firms report making ongoing investments in their QC systems, including implementation of new technology that supports QC activities. The quantitative portion of the survey asked the U.S. GNFs to estimate: (1) the number of firm personnel involved in designing, implementing, or operating QC policies and procedures on an annual basis (by partner vs. nonpartner); (2) the percentage of their time committed; and (3) the expected percentage change in QC resource requirements as of December 15, 2022, when ISQM 1 became effective.395 PCAOB staff asked the firms to include in their estimates only those resources directly related to the design, implementation, and operation of QC policies and procedures over audits of U.S. issuers and broker-dealers. In cases where removing time spent on QC policies and procedures related to audits of private companies was prohibitively difficult or impossible, staff asked firms to include this time in their estimates and describe the inseparable portion. Firms reported that their QC policies and procedures generally apply across their entire audit practice and thus their estimates typically included resources dedicated to QC systems over engagements 395 More specifically, staff asked U.S. GNFs to estimate the number of firm personnel who are directly involved in the design, implementation, or operation of each QC system component by commitment level (i.e., <10%, 10–40%, 40–60%, 60–90%, or >90% of the individual’s time). If an individual committed time to multiple QC system components, staff asked firms to count the individual once for each QC component and to indicate the time committed to each component. For example, if an individual committed 100% of the individual’s time to the firm’s QC system, 50% to acceptance and continuance and 50% to monitoring and remediation, firms were asked to count the individual under the 40–60% commitment level for both components. PO 00000 Frm 00118 Fmt 4701 Sfmt 4703 performed under PCAOB standards as well as audits performed under other standards. In initial discussions with the U.S. GNFs, firms reported that identifying all firm personnel hours related to their QC systems would be an enormous challenge. To make the data request feasible, PCAOB staff directed firms to exclude from their quantitative estimates time spent by engagement teams operating QC policies and procedures (e.g., performing independence procedures, planning for or engaging in consultations, executing the firm’s methodology) and facilitating internal inspections. Staff also asked firms to exclude: (1) time spent by firm personnel attending training; (2) time spent by individuals on compliance with personal independence policies and procedures; (3) time spent performing engagement quality reviews of individual engagements; and (4) any resources invested at the global network level to design, implement, or operate QC policies or procedures. The qualitative information received from the firms suggests that these aspects of their QC systems are likely resourceintensive. Table 1 summarizes the quantitative information received in aggregate form. It presents the means and standard deviations of partner, non-partner, and total full-time equivalents (FTEs) by QC system component.396 The means provide a sense of average scale while the standard deviations provide a sense of average variability across the firms. Overall, the means presented in Table 1 indicate that U.S. GNFs commit a mean of 647.9 total FTEs to designing, implementing, and operating their QC policies and procedures. QC policies and procedures related to: (1) independence and ethics utilize a mean of 189.9 total FTEs and (2) human, 396 To calculate the means presented in Table 1, staff summed the number of individuals directly involved in the design, implementation, or operation of each QC system component, weighting individuals by the mid-point of their respective commitment level and divided by the number of firms that were able to provide data for the respective QC system component. The ‘‘Total’’ row mean is equal to the number of individuals directly involved in the design, implementation, or operation of any QC system component, weighting individuals by the mid-point of their respective commitment level divided by five (i.e., the number of firms that provided quantitative information). Therefore, the ‘‘Total’’ row mean does not equal the sum of the QC component-level means. The standard deviations presented in Table 1 were calculated without Bessel corrections. The standard deviation for the ‘‘Other’’ component is equal to the geometric mean of the standard deviations of the network requirements or network services, evaluation of the system of quality management, and documentation components. The Board’s data are insufficient to account for potential covariances between these components. E:\FR\FM\11JNN2.SGM 11JNN2 49705 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices intellectual, and technological resources utilize a mean of 252.6 total FTEs. Nonpartner FTEs are roughly 3.5 times partner FTEs, but partners play a relatively larger role in the governance and leadership, engagement performance, and monitoring and remediation components of QC systems. The standard deviations presented in Table 1 indicate that the average variability across firms is 499.9 total FTEs. The average variability for the independence and ethics component is 173.9 total FTEs and for the resources component is 295.2 total FTEs. The mean ‘‘Total’’ row values presented in Table 1 may include some underestimation error for several reasons. First, some firms were unable to reasonably estimate all of the resources for certain components, most notably for the governance and leadership component. Second, firms were generally unable to reliably estimate the cost of IT infrastructure that supports the QC system. Third, firms were generally unable to reliably estimate the portion of common-pool resources attributable to the QC system that support broader operational or financial objectives of the firm. Fourth, due to estimation challenges as described above, firms were directed to exclude certain resources from their estimates, including time spent by engagement teams executing QC policies and procedures and time spent by firm personnel attending training. By contrast the mean ‘‘Total’’ row values may also include some overestimation error. For example, firms broadly reported that their QC policies and procedures apply to both issuer and non-issuer audits and it would generally be infeasible to identify firm personnel hours related to quality control over issuer audits only. In these cases, PCAOB staff asked firms to include both issuer and non-issuer QC hours in their estimates. Some firms were unable to separately break out the level of resources committed to designing, implementing, and operating QC policies and procedures for risk assessment, information and communication, network requirements or network services, evaluation of the system of quality management, and documentation. These firms distributed these resources across the remaining components. While this leads to some overestimation error to the remaining components, the information provided by the firms that were able to separately break out these components indicates that these components are relatively less resource-intensive and, therefore, the overestimation error is likely small. This overestimation error does not apply to the mean ‘‘Total’’ row values because any errors in how the firms allocated across components nets out when summing. TABLE 1—RESOURCES ASSOCIATED WITH U.S. GNFS’ QC POLICIES AND PROCEDURES Partner (FTEs) mean Total (FTEs) Non-partner (FTEs) Per firm St. dev Mean per firm St. dev Risk Assessment ............................................................ Governance and Leadership .......................................... Independence and Ethics ............................................... Acceptance and Continuance ......................................... Engagement Performance .............................................. Resources ....................................................................... Information and Communication ..................................... Monitoring and Remediation ........................................... Other * ............................................................................. 2.1 10.0 17.7 11.5 38.9 42.4 2.6 22.1 4.1 1.4 5.8 15.7 6.1 23.1 36.6 2.6 7.1 0.6 4.6 9.2 172.2 13.7 52.8 210.2 8.6 34.9 11.6 2.3 9.3 164.2 13.8 29.0 267.0 3.3 15.1 2.5 6.7 19.2 189.9 25.2 91.7 252.6 11.2 56.9 15.6 2.4 14.7 173.9 14.2 49.0 295.2 4.9 21.1 2.8 Total ......................................................................... 143.6 85.3 504.3 428.9 647.9 499.9 khammond on DSKJM1Z7X2PROD with NOTICES2 * The ‘‘Other’’ category includes network requirements or network services, evaluation of the system of quality management, and documentation. Most U.S. GNFs were unable to provide precise estimates regarding expected future changes in QC system resource requirements as of December 15, 2022, when ISQM 1 became effective. The qualitative information provided by the firms indicates that: (1) additional resources likely were required; (2) some of the U.S. GNFs had assigned teams to manage ISQM 1 implementation; and (3) the risk assessment component and the evaluation of the system of quality management component were expected to require the most additional resources. The Board also received information regarding non-GNFs through the proposal comment process that indicates that non-GNFs have devoted resources to the design, implementation, and operation of QC policies and procedures related to ISQM 1 and/or SQMS 1 requirements. One commenter VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 noted that national firms with fewer than 500 issuers have significantly fewer resources associated with QC policies and procedures.397 One commenter noted that firms have invested significant time and resources to comply with the existing quality management standards from other standard setters, and another commenter noted that, at least with respect to QC roles and responsibilities, smaller firms have already designed their processes to accord with ISQM 1 397 The commenter asserted that the mean total FTEs reported in Table 1 for GNFs represent approximately 10% of partners and employees for firms of similar size and composition to the commenter. However, the commenter also reported having approximately 90% fewer partners and employees than some U.S. GNFs and approximately 99% fewer than other U.S. GNFs, so the resources reported in Table 1 would likely be scaled down accordingly for the commenter and similar sized firms. PO 00000 Frm 00119 Fmt 4701 Sfmt 4703 and SQMS 1. One firm explained that its implementation efforts of ISQM 1 required a great deal of evaluation of risks and related responses, and another firm explained that its implementation effort was a significant undertaking that involved a number of people across the firm. Another commenter suggested that non-U.S. firms may be incorporating quality management frameworks adopted by their local regulator, such as CPAB’s Quality Management System framework. Several commenters representing non-GNF perspectives focused more generally on the provisions of QC 1000 that diverge from ISQM 1 and SQMS 1, which the Board understands as implying that these firms had expended resources to construct and operate quality control systems in compliance with those standards. However, at least one E:\FR\FM\11JNN2.SGM 11JNN2 49706 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices This subsection provides information on the evolution of firms’ QC policies and procedures. First, it describes changes firms have made to their QC policies and procedures to remediate QC deficiencies identified in inspection reports. Second, it presents analyses of QC deficiencies related to firms’ management of their audit practices. QC deficiencies related to firms’ management of their audit practice relate to the operation of QC policies and procedures. Overall, the information suggests that QC policies and procedures are advancing. Many firms have implemented a number of changes to their QC systems to remediate their QC deficiencies.401 Changes brought about through remediation are wide-ranging and can touch upon all major elements of the current QC standards. The nature, extent, and formality of changes made by a firm vary based on the size of the firm and the nature and complexity of its practice. Examples of changes made by various types of firms include: 402 • Adding in-process review and coaching programs to assist engagement teams in certain challenging areas, including ICFR and accounting estimates; • Creating a committee to evaluate partner performance in relation to audit quality and issuing an accountability framework with penalties for negative audit quality events; • Implementing a new template that includes guidance to facilitate the assessment and documentation of partner performance, including guidance related to various performance metrics (such as technical knowledge; leadership and training skills; and compliance with firm quality control policies and procedures); • Requiring audit partners to articulate specific actions they will take to achieve performance goals related to audit quality and providing additional guidance and information around partner workload management; • Implementing new policies and procedures for engagement teams to focus on obtaining a thorough understanding of how issuers initiate, record, process, and report significant classes of transactions and how that information is recorded in the financial statements; • Hiring external consultants to work with the firm to develop a new ICFR audit approach; • Adding new leadership positions to the internal inspection program, developing new analysis and reporting of internal inspection findings, and beginning to disseminate findings more broadly; • Creating a committee to provide oversight on the firm’s audit quality initiatives and a new leadership position to drive consistency across regions; and • Implementing new templates that provide guidance related to performing a root cause analysis, including identifying areas of a firm’s quality control process to perform causal analysis, collecting relevant data, and documenting the results. The Board took these observations into account in developing QC 1000. One commenter, an academic, referred to a recent unpublished study examining how firms change and manage their QC systems, which involved surveying QC leaders from eight U.S. accounting firms. The commenter reported that the three most common changes currently underway in the firms relate to: (1) engagement monitoring and use of data analytics; (2) organizational structure (e.g., a dedicated ISQM team, independent advisors); and (3) a more proactive approach to identifying QC issues.403 Figure 5 presents the average number of QC deficiencies related to firms’ management of their audit practice per inspected firm. To prepare Figure 5, PCAOB staff counted the number of distinct QC deficiencies related to firms’ management of their audit practice in Part II of PCAOB inspection reports. Staff assigned a zero to firm inspections that resulted in no QC deficiencies related to the firm’s management of its audit practice. Staff then calculated averages per inspected firm by year and firm group, assigning equal weight to each QC deficiency regardless of its nature or whether it was a repeat deficiency. While the total number of QC deficiencies are not readily comparable across each of the three categories of firms, the averages have ranged between 0.8 and 10.2 for U.S. GNFs, between 0.3 and 1.5 for other firms having more than five engagements reviewed, and between 0.3 and 0.6 for other firms having five or fewer engagements reviewed. 398 See, e.g., Richard W. Houston and Chad M. Stefaniak, Audit Partner Perceptions of Post-Audit Review Mechanisms: An Examination of Internal Quality Reviews and PCAOB Inspections, 27 Accounting Horizons 23 (2013); Denise Hanes Downey and Kimberly D. Westermann, Challenging Global Group Audits: The Perspective of US Group Audit Leads, 38 Contemporary Accounting Research 1395 (2021); Olof Bik and Reggy Hooghiemstra, Cultural Differences in Auditors’ Compliance with Audit Firm Policy on Fraud Risk Assessment Procedures, 37 Auditing: A Journal of Practice & Theory 25 (2018). 399 See, e.g., Renee Flasher and Kristy Schenck, Exploring PCAOB Inspection Results for Audit Firms Headquartered Outside of the US, 37 Journal of International Accounting, Auditing and Taxation 1 (2019); Philip Keejae Hong, David S. Kerr, and Casper E. Wiggins, PCAOB International Inspections: Updates and Extensions, 26 International Journal of Auditing 279 (2022); Matthew S. Ege, Young Hoon Kim, and Dechun Wang, Do Global Audit Firm Networks Apply Consistent Audit Methodologies across Jurisdictions? Evidence from Financial Reporting Comparability, 95 The Accounting Review 151 (2020). 400 See Flasher and Schenck, Exploring PCAOB Inspection Results 1. 401 Additional information about the PCAOB remediation process is available on the PCAOB website at https://pcaobus.org/oversight/ inspections/remediation/remediation_process. 402 Examples are drawn from firms’ Rule 4009 submissions. A Rule 4009 submission is a submission prepared by a firm, pursuant to PCAOB Rule 4009, concerning the ways in which a firm has addressed a QC criticism. For additional background, see PCAOB Rel. No. 104–2006–077. 403 The commenter also reported that the three most commonly described ideal changes relate to: (1) engagement monitoring and use of data analytics; (2) human talent-related initiatives such as changes to hiring and promotion practices; and (3) client risk assessment processes. Ideal changes are described as changes the QC leaders would make if the firms did not face resource constraints. commenter noted that for small firms that do not need to comply with ISQM 1, efforts may be ongoing to implement SQMS 1, indicating that some of these firms may be focused on resources for design and may not yet be spending resources to operate QC policies in line with SQMS 1. One commenter noted research that appears to be too tangential or unrelated to actual resources employed by firms to be useful for advancing the Board’s understanding of resources associated with the design, implementation, and operations of their QC systems. The commenter noted that most academic studies related to resources employed by NAFs or foreign affiliates of GNFs in the design, implementation, and operations of their QC systems focus on either: (1) the contributions of internal quality reviews to audit firm quality 398 or (2) the association of audit firm network arrangements, as proxies for resources, with audit quality.399 For example, one study suggests that when firms have formal connections via networks or large alliance arrangements, audits within those arrangements have similar levels of quality,400 which the commenter noted may imply that formal connections are a vehicle to share and enforce QC practices. khammond on DSKJM1Z7X2PROD with NOTICES2 3. Developments in Firms’ QC Policies and Procedures VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 PO 00000 Frm 00120 Fmt 4701 Sfmt 4703 E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices 49707 Figure 5. Average Number of QC Deficiencies Related to Firms' Management of Their Audit Practice per Inspected Firm (2011-2022) !12 0 """'"''""""'""'"'"'""'''"''"'""""'"''"''"" 2015 2017 20!9 202! 4. Academic Literature on QualityThreatening Behaviors and Quality Control khammond on DSKJM1Z7X2PROD with NOTICES2 This subsection discusses academic research on behaviors that suggest certain weaknesses in QC systems in practice. Over time, researchers have documented a variety of qualitythreatening behaviors, including ‘‘premature sign-off of audit procedures, failure to perform required procedures, inappropriate reductions in substantive testing or other forms of under-auditing, underreporting of time, inadequate adjustments of audit procedures in response to changing risk conditions, and over-reliance on management explanations of unusual deviations in analytical procedures.’’ 404 Some commenters provided additional specific examples of qualitythreatening behaviors. For example, one commenter reported that some academic research finds auditors may not always be objective when deciding on the acceptability of management’s accounting choices or when recommending audit adjustments that would reduce reported income or assets.405 Citing a settlement between a 404 Monika Causholli and W. Robert Knechel, An Examination of the Credence Attributes of an Audit, 26 Accounting Horizons 631, 647 (2012). 405 See, e.g., Kathryn Kadous, Jane S. Kennedy, and Mark E. Peecher, The Effect of Quality Assessment and Directional Goal Commitment on Auditors’ Acceptance of Client-Preferred Accounting Methods, 78 Accounting Review 759 (2003); Christopher Koch and Steven E. Salterio, The Effects of Auditor Affinity for Client and Perceived Client Pressure on Auditor Proposed Adjustments, 92 Accounting Review 117 (2017); Lori Shefchik Bhaskar, Patrick E. Hopkins, and Joseph H. Schroeder, An Investigation of Auditors’ Judgments When Companies Release Earnings VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 2011 2013 2015 2017 2019 2021 U.S. GNF and the Federal Deposit Insurance Corporation, another commenter asserted that one firm’s QC system failed when one of the firm’s engagement teams inappropriately assigned a responsibility to an intern. Research suggests that qualitythreatening behaviors imply a failure of QC systems to provide reasonable assurance of compliance.406 Moreover, some research suggests that, while not solely responsible, certain features of firms’ management of their audit practice may encourage qualitythreatening behaviors.407 For example, experimental research suggests that certain cognitive biases in auditor evaluation and reward systems may inadvertently deter appropriate professional skepticism 408 and other studies suggest that partner reward systems at some firms may weight revenue generation more heavily than professional competencies.409 Some research finds that reward systems before Audit Completion, 57 Journal of Accounting Research 355 (2019). 406 See, e.g., Jean C. Bedard, Donald R. Deis, Mary B. Curtis, and J. Gregory Jenkins, Risk Monitoring and Control in Audit Firms: A Research Synthesis, 27 Auditing: A Journal of Practice & Theory 187 (2008). 407 See, e.g., David P. Donnelly, Jeffrey J. Quirin, and David O’Bryan, Attitudes Toward Dysfunctional Audit Behavior: The Effects of Locus of Control, Organizational Commitment, and Position, 19 Journal of Applied Business Research 95 (2003). 408 See, e.g., Joseph F. Brazel, Scott B. Jackson, Tammie J. Schaefer, and Bryan W. Stewart, The Outcome Effect and Professional Skepticism, 91 The Accounting Review 1577 (2016). 409 See, e.g., Marie-Laure Vandenhaute, Kris Hardies, and Diane Breesch, Professional and Commercial Incentives in Audit Firms: Evidence on Partner Compensation, 29 European Accounting Review 521 (2020). PO 00000 Frm 00121 Fmt 4701 Sfmt 4703 oriented toward revenue generation are associated with lower proxies for audit quality.410 Synthesizing several recent academic studies, one commenter reported that an excessive focus on commercialism, rather than professionalism, continues to be a dominant focus within firms’ cultures and may negatively impact audit quality.411 The commenter also reported that academic research indicates quality-threatening behaviors may be negatively associated with audit team leadership characteristics.412 For 410 See, e.g., Jürgen Ernstberger, Christopher Koch, Eva Maria Schreiber, and Greg Trompeter, Are Audit Firms’ Compensation Policies Associated With Audit Quality? 37 Contemporary Accounting Research 218 (2020); Thomas Riise Johansen and Jeppe Christoffersen, Performance Evaluations in Audit Firms: Evaluation Foci and Dysfunctional Behavior, 21 International Journal of Auditing 24 (2017). 411 See, e.g., Christina Thomas Alberti, Jean C. Bedard, Olof Bik, and Ann Vanstraelen, Audit Firm Culture: Recent Developments and Trends in the Literature, 31 European Accounting Review 59 (2022); Chris Carter and Crawford Spence, Being a Successful Professional: An Exploration of Who Makes Partner in the Big 4, 31 Contemporary Accounting Research 949 (2014); Ken H. Guo, The Institutionalization of Commercialism in the Accounting Profession: An IdentityExperimentation Perspective, 35 Auditing: A Journal of Practice and Theory 99 (2016); ClaireFrance Picard, Sylvain Durocher, Yves Gendron, The Colonization of Public Accounting Firms by Marketing Expertise: Processes and Consequences, 37 Auditing: A Journal of Practice & Theory 191 (2018); Jonathan S. Pyzoha, Mark H. Taylor, and YiJing Wu, Can Auditors Pursue Firm-Level Goals Nonconsciously on Audits of Complex Estimates? An Examination of the Joint Effects of Tone at the Top and Management’s Specialist, 95 The Accounting Review 367 (2020). 412 See, e.g., Noel Harding and Ken T. Trotman, The Effect of Partner Communications of Fraud Likelihood and Skeptical Orientation on Auditors’ Professional Skepticism, 36 Auditing: A Journal of Practice & Theory 111 (2017); Sean A. Dennis and E:\FR\FM\11JNN2.SGM Continued 11JNN2 EN11JN24.017</GPH> 2013 49708 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 example, skeptical auditors may be penalized if they do not find a material misstatement,413 audit managers sometimes reward senior associates for performing the unethical act of underreporting time when the client is more desirable,414 or while internal inspections lead to increased auditor effort in the inspection year, positive internal inspection results may lead auditors to decrease effort in the future.415 An excessive focus on commercial objectives may also lead to undue focus on cost-control in the execution of audits. For example, in one study, audit staff report working, on average, five hours per week, and sometimes 20 hours per week, past the threshold where they feel audit quality begins to deteriorate.416 In another study, audit staff report working on average 72 hours per week during busy season.417 Other research finds that a heavier workload in the fieldwork phase of the audit is negatively associated with proxies for audit quality 418 and that high levels of time pressure are positively associated with audit quality-threatening behaviors.419 Referring to academic research, one commenter reported that Karla M. Johnstone, A Field Survey of Contemporary Brainstorming Practices, 30 Accounting Horizons 449 (2016); Jodi L. Gissel and Karla M. Johnstone, Information Sharing During Auditors’ Fraud Brainstorming: Effects of Psychological Safety and Auditor Knowledge, 12 Current Issues in Auditing P1 (2018). 413 See, e.g., Brazel, et al., The Outcome Effect. 414 See, e.g., Christopher P. Agoglia, Richard C. Hatfield, Tamara A. Lambert, Audit Team Time Reporting: An Agency Theory Perspective, 44 Accounting, Organizations & Society 1 (2015). Desirability in this case is determined by various situational and contextual factors that are inherent to the client, such as a client that is convenient for the audit manager’s work schedule, a client that is easy to get to, client management that the audit manager gets along particularly well with personally, a client that is within the audit manager’s industry of interest, or an engagement that involves an influential partner at the audit manager’s office. 415 See, e.g., Daniel Aobdia and Reining C. Petacchi, The Effect of Audit Firm Internal Inspections on Auditor Effort and Financial Reporting Quality, 98 The Accounting Review 1 (2023). 416 See Julie S. Persellin, Jaime J. Schmidt, Scott D. Vandervelde, and Michael S. Wilkins, Auditor Perceptions of Audit Workloads, Audit Quality, and Job Satisfaction, 33 Accounting Horizons 95 (2019). 417 See Dana R. Hermanson, Richard W. Houston, Chad M. Stefaniak, and Anne M. Wilkins, The Work Environment in Large Audit Firms: Current Perceptions and Possible Improvements, 10 Current Issues in Auditing A38 (2016). 418 See, e.g., Brant E. Christensen, Nathan J. Newton, and Michael S. Wilkins, How Do Team Workloads and Team Staffing Affect the Audit? Archival Evidence from US Audits, 92 Accounting, Organizations and Society 1 (2021). 419 See, e.g., Tobias Svanström, Time Pressure, Training Activities and Dysfunctional Auditor Behaviour: Evidence from Small Audit Firms, 20 International Journal of Auditing 42 (2016). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 engagement-level pressures, including meeting budgets, can affect audit quality.420 The commenter also reported that academic research finds that audit partner workload compression is negatively associated with audit quality.421 One commenter noted academic papers that study various factors that may impact audit quality but appear to be too tangential or unrelated to qualitythreatening behaviors that suggest certain weaknesses in QC systems. The commenter included academic research that studies the relationship between audit teams’ use of the work of other participants and audit quality.422 The commenter also cited research from other countries that finds evidence that partner-related characteristics influence audit quality.423 In addition, the 420 See, e.g., Mark E. Peecher, M. David Piercey, Jay S. Rich, and Richard M. Tubbs, The Effects of a Supervisor’s Active Intervention in Subordinate’s Judgments, Directional Goals, and Perceived Technical Knowledge Advantage on Audit Team Judgments, 85 Accounting Review 1763 (2010); Koch and Salterio, The Effects 117; and William F. Messier and Martin Schmidt, Offsetting Misstatements: The Effect of Misstatement Distribution, Quantitative Materiality, and Client Pressure on Auditors’ Judgments, 93 Accounting Review 335 (2018). 421 See, e.g., Jun Chen, Wang Dong, Hongling Han, and Nan Zhou, Does Audit Partner Workload Compression Affect Audit Quality? 29 European Accounting Review 1021 (2020). 422 See, e.g., Candice T. Hux, Use of Specialists on Audit Engagements: A Research Synthesis and Directions for Future Research, 39 Journal of Accounting Literature 23 (2017); Joseph F. Brazel, Tina D. Carpenter, and J. Gregory Jenkins, Auditors’ Use of Brainstorming in the Consideration of Fraud: Reports from the Field, 85 The Accounting Review 1273 (2010); J. Gregory Jenkins, Eric M. Negangard, and Mitchell J. Oler, Getting Comfortable on Audits: Understanding Firms’ Usage of Forensic Specialists, 35 Contemporary Accounting Research 1766 (2018); Emily E. Griffith, Jacqueline S. Hammersley, and Kathryn Kadous, Audits of Complex Estimates as Verification of Management Numbers: How Institutional Pressures Shape Practice, 32 Contemporary Accounting Research 833 (2015); Nathan H. Cannon and Jean C. Bedard, Auditing Challenging Fair Value Measurements: Evidence from the Field, 92 The Accounting Review 81 (2017); Steven M. Glover, Mark H. Taylor, and YiJing Wu, Current Practices and Challenges in Auditing Fair Value Measurements and Complex Estimates: Implications for Auditing Standards and the Academy, 36 Auditing: A Journal of Practice & Theory 63 (2017); J. Efrim Boritz, Natalia Kochetova-Kozloski, and Linda Robinson, Are Fraud Specialists Relatively More Effective than Auditors at Modifying Audit Programs in the Presence of Fraud Risk, 90 The Accounting Review 881 (2015); Aleksandra ‘‘Ally’’ B. Zimmerman, Dereck Barr-Pulliam, Joon-Suk Lee, and Miguel Minutti-Meza, 61 Journal of Accounting Research 1363 (2023). 423 See, e.g., W. Robert Knechel, Ann Vanstraelen, and Mikko Zerni, Does the Identity of Engagement Partners Matter? An Analysis of Audit Partner Reporting Decisions, 32 Contemporary Accounting Research 1443 (2015); Yanyan Wang, Lisheng Yu, Yuping Zhao, The Association between AuditPartner Quality and Engagement Quality: Evidence from Financial Report Misstatements, 34 Auditing: A Journal of Practice & Theory 81 (2015); W. Robert PO 00000 Frm 00122 Fmt 4701 Sfmt 4703 commenter noted academic papers that find evidence that non-audit services can negatively affect audit quality through mechanisms other than independence impairment.424 Moreover, the commenter included research that has examined the association between PCAOB inspections of audit firms and audit quality but does not appear to relate specifically to weaknesses in QC systems.425 5. Assumptions Regarding the Baseline Absent the requirements, the Board believes that many firms would continue to design and implement new QC policies and procedures or modify existing QC policies and procedures in response to evolving audit market conditions, technological advances, PCAOB oversight activities, internal monitoring, and actions of other standard setters.426 The Board believes that most firms have either implemented ISQM 1 or will implement SQMS 1 when it goes into effect. PCAOB-registered firms with an international presence or that are part of a global network will likely find it efficient to design and implement a QC system that complies with both PCAOB standards and ISQM 1 and have that Knechel, Lasse Niemi, and Mikko Zerni, Empirical Evidence on the Implicit Determinants of Compensation in Big 4 Audit Partnerships, 51 Journal of Accounting Research 349 (2013); Simon Dekeyser, Ann Gaeremynck, W. Robert Knechel, and Marleen Willekens, The Impact of Partners’ Economic Incentives on Audit Quality in Big 4 Partnerships, 96 The Accounting Review 129 (2021); Herman Van Brenk, Barbara Majoor, and Arnold M. Wright, The Effects of Profit-Sharing Plans, Client Importance, and Reinforcement Sensitivity on Audit Quality, 40 Auditing: A Journal of Practice & Theory 107 (2021). 424 See, e.g., Erik L. Beardsley, Andrew J. Imdieke, and Thomas C. Omer, The Distraction Effect of Nonaudit Services on Audit Quality, 71 Journal of Accounting and Economics 1 (2021); Dain C. Donelson, Matthew Ege, Andrew J. Imdieke, and Eldar Maksymov, The Revival of Large Consulting Practices at the Big 4 and Audit Quality, 87 Accounting, Organizations and Society 1 (2020). 425 See, e.g., Daniel Aobdia, The Impact of the PCAOB Individual Engagement Inspection Process—Preliminary Evidence, 93 The Accounting Review 53 (2018); Inder K. Khurana, Nathan G. Lundstrom, and K.K. Raman, PCAOB Inspections and the Differential Audit Quality Effect for Big 4 and Non-Big 4 US Auditors, 38 Contemporary Accounting Research 376 (2021); Lindsay M. Johnson, Marsha B. Keune, and Jennifer Winchel, U.S. Auditors’ Perceptions of the PCAOB Inspection Process: A Behavioral Examination, 36 Contemporary Accounting Research 1540 (2019); Kimberly D. Westermann, Jeffrey Cohen, and Greg Trompeter, PCAOB Inspections: Public Accounting Firms on ‘‘Trial’’, 36 Contemporary Accounting Research 694 (2019); Bradley E. Hendricks, Wayne R. Landsman, and F. Peña-Romera, The Revolving Door between Large Audit Firms and the PCAOB: Implications for Future Inspection Reports and Audit Quality, 97 The Accounting Review 261 (2022). 426 See above for additional background on the actions of other standard setters. E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices system operate over their entire assurance practice. For similar reasons, PCAOB-registered firms with a private company audit practice will likely find it efficient to design and implement a QC system that complies with both PCAOB standards and SQMS 1 and have that system operate over their entire assurance practice. Supporting that view, comment letters on the proposing release suggest that some firms have already designed and implemented, or are in the process of designing and implementing, QC policies and procedures consistent with the requirements of other QC standards. For example, one commenter said that nearly all firms are subject to multiple QC standards, including ISQM 1. Another commenter said that firms in Europe have invested heavily to implement ISQM 1. Another commenter said that nearly all firms that will need to adopt QC 1000 are also subject to other QC standards, including ISQM 1 and SQMS 1, and that firms have already invested significant time and resources to comply with them. Another commenter presented its recent survey research that finds firms have started to prepare for ISQM 1 and SQMS 1 implementation but that there is variation in their level of preparedness.427 Overall, the comments indicate that firms have made progress implementing the quality control standards of other standard setters. The Board’s view is also informed by several public information sources. First, the AICPA website indicates that most registered firms that are headquartered in the U.S. were reviewed as part of the AICPA’s Peer Review program since 2019, and therefore were required to comply with AICPA QC standards at that time.428 Second, among the U.S.-headquartered firms that signed an issuer or brokerdealer audit opinion in 2021 but were not peer reviewed since 2019, most indicate on their web page that they perform audits or tax services that require them to comply with AICPA QC standards. Third, most foreign jurisdictions require companies to have a statutory audit performed, which the Board believes suggests that most registered firms headquartered in foreign jurisdictions likely perform audits under IAASB QC standards. Finally, firms’ annual reports filed with 427 See Christie Hayne, Market E. Peecher, Jeff Pickerd, and Yuepin (Daniel) Zhou, Managing Quality Control Systems: How Audit Firms Experience and Navigate Conflicting Institutional Demands, available at https://ssrn.com/ abstract=4339512. 428 See AICPA Peer Review web page, available at https://us.aicpa.org/interestareas/peerreview. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 the PCAOB on Form 2 for the April 1, 2022, through March 31, 2023, reporting period indicate that most firms collected fees for services aside from the performance of issuer audits and therefore may have performed services subject to AICPA or IAASB QC standards during that time. Overall, the Board believes these public information sources support its view that most firms will be complying with either ISQM 1 or SQMS 1. Furthermore, most firms that will not be complying with ISQM 1 or SQMS 1 will likely be scaledapplicability firms and therefore less impacted by the requirements. Need 1. Introduction and summary This section discusses the problem that the requirements are intended to address and explains how the requirements address it. Overall, three observations suggest that there is a problem that the requirements will help to address: • Under current PCAOB QC standards, a firm’s QC system is required to provide reasonable assurance that the firm’s personnel comply with applicable professional standards, regulatory requirements, and the firm’s standards of quality.429 However, the audit market does not currently provide sufficient incentives for all firms to design, implement, and operate QC systems that achieve this requirement on a consistent basis. • Current PCAOB QC standards contain higher-level principles and do not directly address recent developments in QC. As a result, the current regulatory baseline is not rigorous enough to sufficiently support PCAOB oversight, further undermining firms’ and individuals’ incentives to provide the required reasonable assurance. • The lack of incentives to provide the required reasonable assurance is evidenced by the prevalence of audit performance deficiencies—i.e., Part I.A deficiencies and QC deficiencies related to audit performance discussed above— which, as noted in the first two observations above, suggest that some firms’ QC systems are not providing the required reasonable assurance. The requirements of QC 1000 will help address the problem by establishing three overarching features, which are discussed further below: • The requirements mandate firms’ QC systems to more proactively assess risks and monitor and remediate deficiencies. 429 See above for more discussion of current QC requirements. PO 00000 Frm 00123 Fmt 4701 Sfmt 4703 49709 • The requirements improve accountability within firms with respect to the reasonable assurance objective. • The requirements use more precise language and include more prescriptive requirements in key areas to reflect best practices. 2. The Audit Market Does Not Provide Sufficient Incentives for All Firms To Design, Implement, and Operate QC Systems That Provide Reasonable Assurance A diverse set of investors and other financial statement users need and request high quality audits. However, due to the presence of asymmetric information 430 and positive externalities 431 in the audit market, there are not sufficient incentives for all firms to design, implement, and operate QC systems that provide reasonable assurance that a firm’s personnel comply with applicable professional standards, regulatory requirements, and the firm’s standards of quality. This lack of incentives can lead to an inefficient allocation of audit services as described in the following paragraphs. Investors and other financial statement users cannot easily observe the services performed by an auditor. This information asymmetry creates a risk that, unbeknownst to investors and other financial statement users, auditors may under-audit and gather insufficient audit evidence to support their opinion or may otherwise depart from applicable requirements. Economic theory refers to this effect as moral hazard.432 While this may enable the auditor to do less work and reduce potential conflicts with company management and may therefore lead to short-run benefits for the auditor, it may also lead to a net welfare loss in the audit market as a whole.433 430 See N. Gregory Mankiw, Principles of Economics 468 (6th ed. 2008) (‘‘A difference in access to relevant knowledge is called an information asymmetry.’’). 431 See Mankiw, Principles of Economics 196 (‘‘An externality arises when a person engages in an activity that influences the well-being of a bystander but neither pays nor receives any compensation for that effect. . . If it is beneficial, it is called a positive externality.’’). 432 See, e.g., Mankiw, Principles of Economics 468 (‘‘Moral hazard is a problem that arises when one person, called an agent, is performing some task on behalf of another person, called the principal. If the principal cannot perfectly monitor the agent’s behavior, the agent tends to undertake less effort than the principal considers desirable.’’). 433 See, e.g., Mankiw, Principles of Economics 145 (‘‘Consumer surplus and producer surplus are the basic tools that economists use to study the welfare of buyers and sellers in a market. Consumer surplus is the benefit that buyers receive from participating in a market, and producer surplus is the benefit that sellers receive. It is therefore natural E:\FR\FM\11JNN2.SGM Continued 11JNN2 49710 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 A positive externality inherent to the current audit market may exacerbate this risk. The services of an auditor provide benefits to a variety of investors and financial statement users, including current shareholders, potential shareholders, investors in other companies, creditors, and regulators, among others. However, auditors do not bargain with all of these parties. Rather, Sarbanes-Oxley requires that the audit committee be responsible for the appointment, compensation, and retention of the auditor.434 In practice, company management may also play a role through its influence over the audit committee.435 This creates a de facto principal-agent relationship between the company and the auditor. Moreover, some beneficiaries of the auditor’s work (e.g., investors generally, who benefit from overall confidence in the quality of financial information provided to the market) may have no influence on the auditor at all. Economic theory suggests that, in the presence of positive externalities such as these, markets may undersupply goods or services.436 As a result, the positive externality in the audit market may create an additional risk that auditors may gather insufficient audit evidence to support their opinion or otherwise depart from applicable requirements. A firm also faces its own management challenges in implementing its desired service, economic, and regulatory compliance objectives. Individual offices or personnel may have incentives that diverge from the firm’s collective best interest. For example, some research suggests that certain partners or offices may be commercially dependent on particular clients and may be willing to take risks to retain those clients that the firm as a whole would not—a form of free riding on the firm’s reputation and capacity to absorb to use total surplus as a measure of society’s economic well-being. . .Total surplus in a market is the total value to buyers of the goods, as measured by their willingness to pay, minus the total cost to sellers of providing those goods.’’). 434 See section 301 of Sarbanes-Oxley, 15 U.S.C 78j–1. 435 See, e.g., Liesbeth Bruynseels and Eddy Cardinaels, The Audit Committee: Management Watchdog or Personal Friend of the CEO?, 89 The Accounting Review 113 (2014) (finding that social ties between management and the audit committee are present in 39% of the companies in their sample and ‘‘may reduce the quality of the audit committee’s oversight’’). 436 See, e.g., Mankiw, Principles of Economics 200, 201 (‘‘In the presence of a positive externality, the social value of the good exceeds the private value. The optimal quantity is therefore larger than the equilibrium quantity . . . Positive externalities lead markets to produce a smaller quantity than is socially desirable.’’). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 potential litigation costs.437 In addition, research suggests that an audit firm’s QC system is essential to increase audit effort and audit quality because it aligns incentives of individual partners with those of the firm.438 Even if QC systems were able to align the incentives of individual offices and personnel to the firm’s collective best interest, some research suggests that behavioral biases (e.g., confirmation bias, over-optimism, and anchoring bias) may lead offices or personnel to act in ways contrary to both their own self-interest and the firm’s collective best interest.439 One commenter presented its recent unpublished survey research regarding challenges firms face when implementing changes to their QC systems. The commenter reported that challenges include obtaining buy-in and acceptance from staff as well as managing different perspectives from various offices.440 Some firms may manage these challenges by adopting centralized control practices that may have ambiguous impacts on their QC systems. For example, academic research suggests that firms carefully screen new partners to act in the best interest of the firm441 and emphasize meeting engagement budgets—an easily monitored metric that ties directly to profitability.442 One commenter asserted that audit firms’ financial incentives to operate too lean undermine audit quality. Investors and other financial statement users may have trouble monitoring how firms incentivize, implement, and monitor compliance with applicable professional requirements. These monitoring challenges, as well as the lack of specificity in current PCAOB QC standards, give firms the flexibility to design, implement, and operate QC systems that may not fully meet the needs of investors and other financial statement users. 437 See, e.g., Robert A. Prentice, The Case of the Irrational Auditor: A Behavioral Insight into Securities Fraud Litigation, 95 Northwestern University Law Review 133 (2000). 438 See, e.g., Daniel Aobdia, The Economic Consequences of Audit Firms’ Quality Control System Deficiencies, 66 Management Science 2883 (2019). 439 See, e.g., Prentice, The Case of the Irrational Auditor 133, 162. 440 See Hayne, et al., Managing Quality Control Systems. 441 See, e.g., C. J. McNair, Proper Compromises: The Management Control Dilemma in Public Accounting and its Impact on Auditor Behavior, 16 Accounting, Organizations and Society 635 (1991). 442 See, e.g., Bernard Pierce and Breda Sweeney, Cost–Quality Conflict in Audit Firms: An Empirical Investigation, 13 European Accounting Review 415 (2004). PO 00000 Frm 00124 Fmt 4701 Sfmt 4703 In the absence of sufficient market incentives to achieve an efficient allocation of audit services,443 regulatory intervention can introduce incentives that generate changes in behavior and impact audit quality.444 For example, economic research suggests that auditing standards play a role in determining the amount of effort an auditor exerts, which ultimately impacts audit quality.445 In addition, auditing standards can introduce incentives by providing a baseline against which an auditor manages legal liability.446 Auditing standards also provide a benchmark for regulatory inspections and enforcement actions that introduce incentives for firms to initiate changes that impact audit 443 An efficient allocation of resources occurs when total surplus is maximized. Total surplus is maximized when the good or service in question is supplied until the marginal benefit is equal to the marginal cost. See Mankiw, Principles of Economics 146–148. 444 See, e.g., W. Robert Knechel, Do Auditing Standards Matter?, 7 Current Issues in Auditing A1 (2013) (explaining that auditing standards send a message to auditors that it is inappropriate to intentionally under-audit, regardless of incentives). Note that QC standards are not auditing standards but that auditing standards are a closely related form of regulatory intervention. Also, academic research suggests that a positive association among standard setting, auditor effort, and audit quality depends on a number of factors. See, e.g., Pingyang Gao and Gaoqing Zhang, Auditing Standards, Professional Judgment, and Audit Quality, 94 The Accounting Review 201 (2019) (showing that auditing standards can help align auditor incentives with investor interests by compelling the auditor to exert more effort, which improves audit quality, but that auditing standards can weaken the auditor’s incentive to acquire expertise, which reduces audit quality); Mark DeFond and Jieying Zhang, A Review of Archival Auditing Research, 58 Journal of Accounting and Economics 275 (2014) (concluding that the effectiveness of auditing standard setting is difficult to gauge since it involves broader consideration of the social welfare of all stakeholders). 445 See, e.g., Marleen Willekens and Dan A. Simunic, Precision in Auditing Standards: Effects on Auditor and Director Liability and the Supply and Demand for Audit Services, 37 Accounting and Business Research 217 (2007) (showing that decreasing the precision of auditing standards initially incentivizes auditors to produce higher audit quality by exerting more effort but that decreasing precision beyond a certain point leads auditors to decrease effort). 446 See, e.g., Ronald A. Dye, Auditing Standards, Legal Liability, and Auditor Wealth, 101 Journal of Political Economy 887 (1993) (showing that an auditor who intends to comply with standards typically prefers higher standards when the auditor’s personal wealth is observable by potential litigants but prefers lower standards when the auditor’s wealth is unobservable); Causholli and Knechel, An Examination of the Credence 631 (explaining that regulation and litigation play an important role in shaping the audit process and an auditor’s behavior); Knechel, Do Auditing Standards A1 (explaining that auditing standards can influence the likelihood and extent of underauditing by providing a basis for auditor liability that is an increasing function of the extent to which auditor effort falls short of the standard-compliant level). E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices quality.447 Moreover, research suggests that PCAOB Part II inspection findings introduce strong incentives for firms to make changes necessary to remediate QC deficiencies in order to avoid public disclosure of the deficiencies.448 3. Current PCAOB QC Standards Do Not Directly Address Recent QC Developments khammond on DSKJM1Z7X2PROD with NOTICES2 Developments in the auditing environment since the development of the current PCAOB QC standards by the AICPA and subsequent adoption of these standards on an interim basis by the Board are discussed above. In brief and as discussed above, the audit market has changed significantly since the AICPA developed the current PCAOB QC standards in 1997. At that time, the audit market was largely selfregulated by firms and QC inspections were performed through a peer review program. Since then, PCAOB oversight has led firms to address deficiencies identified during inspections, including making changes to their QC systems to remediate QC deficiencies.449 There have also been significant developments in the use of technology by firms in relation to QC activities and performing engagements. Some firm management and organizational structures have also evolved to include more focus on centralization and a globally consistent methodology. Some firms have strengthened their approaches to firm governance and leadership, incentive systems, and accountability. In addition, thought leadership in quality management has advanced,450 as have the QC standards adopted by other standard setters. The current PCAOB QC standards are based on the higher-level principles described above and do not directly address the developments described in the previous paragraph. While research suggests that PCAOB oversight is 447 See, e.g., Aobdia, The Impact of the PCAOB Individual 53 (finding that firms take corrective action on engagements with PCAOB Part I inspection findings and the effects spillover to noninspected engagements); Phillip T. Lamoreaux, Michael Mowchan, and Wei Zhang, Does Public Company Accounting Oversight Board Regulatory Enforcement Deter Low-Quality Audits?, 98 The Accounting Review 335 (2023) (finding that large audit firm offices improve audit quality following enforcement naming another office within their firm while small firm offices improve following enforcement of local small firm competitors). 448 See, e.g., Aobdia, The Economic Consequences 2883. 449 See discussion on the developments in firms’ QC policies and procedures within the baseline discussion above. 450 See, e.g., COSO, ISO 9000, and the audit firm governance codes of the UK Financial Reporting Council and Japan Financial Services Agency. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 associated with higher audit quality,451 the current PCAOB QC standards were not written with a view to inspection and enforcement by a regulator. As a result, the current PCAOB QC standards yield a regulatory baseline that is not rigorous enough to sufficiently support the Board’s ability to address audit performance deficiencies through PCAOB inspection and enforcement activities related to firms’ QC systems. For example, some firms have added external parties to oversight roles as described above, but current PCAOB QC standards contain limited references to firm governance and leadership. At the same time, the current PCAOB QC standards do not provide sufficiently specific requirements to directly incentivize firms and individuals to establish and implement QC policies and procedures that achieve the reasonable assurance objective as evidenced by the prevalence of audit performance deficiencies. 4. Prevalence of Audit Performance Deficiencies The three proxies for the level of compliance with applicable professional standards discussed above—i.e., Part I.A deficiencies, QC deficiencies related to audit performance, and deficiencies arising during inspections of brokerdealer engagements—as well as the recent PCAOB enforcement actions discussed above suggest that some firms’ QC systems are not providing reasonable assurance as required under current PCAOB QC standards.452 To be sure, this analysis of PCAOB inspection activities does suggest that some improvements in audit performance have followed from remedial changes firms have made to their QC systems 453 and that some firms have already reduced the number of QC deficiencies related to management of their audit practice.454 However, the Board continues to observe high rates of audit performance deficiencies 455 and believes that a new QC standard will address these audit performance deficiencies because the new standard 451 See, e.g., Albert L. Nagy, PCAOB Quality Control Inspection Reports and Auditor Reputation, 33 Auditing: A Journal of Practice & Theory 87 (2014) (concluding that audit firms lose market share following public disclosure of PCAOB Part II inspection findings, suggesting that disclosure provides a credible signal of auditor quality). The results from this study that suggests a positive association between PCAOB oversight and audit quality does not necessarily mean that PCAOB oversight causes higher audit quality. 452 See Background discussion above for more discussion of current regulatory requirements. 453 This point is discussed more fully in below. 454 See Figure 5 above. 455 See Figures 1 and 3 above. PO 00000 Frm 00125 Fmt 4701 Sfmt 4703 49711 will incentivize firms to design, implement, and operate effective QC systems. 5. How the Requirements Address the Need The requirements provide substantial additional direction to firms regarding the design, implementation, and operation of their QC systems that the Board believes address the need for standard-setting. Three overarching features of the requirements help address the problem. The first feature pertains to the mandate for a more integrated, proactive, and risk-based QC system. The second pertains to the enhancements to accountability within the firm to achieve the reasonable assurance objective. The third pertains to more precise language and more prescriptive requirements in several key areas. Regarding the first feature, the new risk assessment process, coupled with a detailed monitoring and remediation process, form a feedback loop designed to foster a proactive approach to QC that drives continuous improvement. For example, the risk assessment process requires the firm to obtain an understanding of the conditions, events, and activities that may adversely affect the achievement of its quality objectives; identify and assess quality risks; and then design and implement quality responses. The monitoring and remediation process will help the firm evaluate whether the QC system is working effectively in practice. This more proactive approach to QC should help address the positive externality problem in the audit market by leading firms to implement QC systems that more consistently satisfy the interests of all beneficiaries of the audit. Additionally, as discussed above, information asymmetry may cause investors and other financial statement users not to have sufficient information to understand whether their issuer’s audit firm has an effective QC system that consistently produces high-quality audits, and investors and other financial statement users may not have a sufficient voice in the financial reporting ecosystem to be able to demand or incentivize audit firms to implement one. Requiring the auditor to implement a robust QC system substitutes a compliance incentive for the insufficient market incentive. Regarding the second feature, the Board believes QC 1000 will improve accountability within the firm to achieve the reasonable assurance objective. Several of the requirements that improve accountability within the firm address the positive externality E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49712 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices problem directly by leading firms to implement QC systems that more consistently satisfy the interests of all beneficiaries of the audit. For example, QC 1000 requires the firm to document and assign roles and responsibilities; communicate information related to the monitoring and remediation process to firm personnel to enable them to take timely action in accordance with their responsibilities; and establish a quality objective to incentivize individuals to fulfill their assigned responsibilities, through means such as performance evaluations and compensation. Leadership will also be accountable for the design, implementation, and operation of the firm’s QC system, including through means such as their performance evaluation and compensation, and the firm will be required to establish a quality objective that leadership communicate and promote the firm’s role in protecting the interests of investors and the public interest. The requirements that improve accountability within the firm will help address the information asymmetry problem by requiring the firm’s QC system to operate over any public reporting regarding firm or engagement metrics that the firm provides.456 Overall, this second feature reinforces the first through an additional incentive that is personal to responsible individuals within the firm and reinforces the general incentives for the firm to comply with the standard. Regarding the third feature, while the requirements provide substantial additional guidance to firms regarding the design, implementation, and operation of their QC systems, QC 1000 also provides more precise and prescriptive requirements that will enhance the Board’s ability to inspect and enforce and incentivize firms to design, implement, and operate effective QC systems. For example, QC 1000 includes more unconditional responsibilities than current PCAOB QC standards and specifies precise conditions under which a firm must design, implement, and operate an effective QC system. Together with the features described above—i.e., a more integrated, proactive, and risk-based QC system and enhanced accountability within the firm to achieve the reasonable assurance objective—these features establish a regulatory baseline that more directly incentivizes firms and individuals to comply in order to avoid enforcement. 456 See PCAOB Rel. No. 2024–002 and PCAOB Rel. No. 2024–003. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 Economic Impacts This section discusses the expected benefits and costs, and the potential unintended consequences, that may result from the requirements. The expected impacts of several key provisions are highlighted. These provisions relate to: • Scaled applicability; • In-process monitoring activities; • Firm governance structure; • The automated independence process; • Complaints and allegations policies and procedures; • Reporting the annual QC system evaluation; • Certification of the annual QC system evaluation; • Responding to engagement deficiencies identified after issuance of the audit report; and • SECPS requirements. While the analysis of economic impacts is largely qualitative in nature due to data limitations, the analysis does, in part, use PCAOB inspections data to help evaluate the expected benefits. Technical details regarding the quantitative analysis of the expected benefits are included in a separate staff white paper.457 The economic impacts of the requirements will arise out of changes firms will make to their QC systems that they would not otherwise make but for the requirements. As discussed above, the Board expects that, absent the requirements, many firms would continue to make changes to their QC systems in response to evolving audit market conditions, advances in technology, PCAOB oversight activity, internal monitoring, and the actions of other standard setters. This attenuates both the benefits and the costs attributable to the requirements. 1. Benefits The expected benefits of the requirements are described using four complementary views: (1) the benefits of quality management frameworks generally; (2) the direct benefits of the requirements in the form of improved compliance with applicable professional and legal requirements; (3) the indirect benefits of the requirements in the form of improved financial reporting quality and capital market efficiency; and (4) the benefits of key provisions. 457 See PCAOB, Staff White Paper, The Impact of Quality Control System Remediation on Audit Performance and Financial Reporting Quality (Nov. 18, 2022), (‘‘QC White Paper’’), available at https:// assets.pcaobus.org/pcaob-dev/docs/default-source/ rulemaking/docket046/qc-staff-white-papernovember-2022.pdf?sfvrsn=ddb22504_4. PO 00000 Frm 00126 Fmt 4701 Sfmt 4703 a. Benefits of Related Frameworks QC 1000 bears resemblance to existing quality management and enterprise risk management frameworks (e.g., ISO 9000 and COSO). These frameworks share several features in common with QC 1000, including embedding risk in decision making, proactive involvement of leadership, clearly defined objectives, objective-oriented processes, monitoring, and remediation. Using a variety of proxies (e.g., market reaction), academic research has found that these frameworks improve company performance.458 In particular, researchers have found that the COSO framework—the closest antecedent to QC 1000—effectively improves financial reporting.459 Similarly, research finds that markets penalize public companies with weaker internal control systems and reward the remediation of those weaknesses.460 While differences between QC 1000 and existing frameworks as well as differences between audit firms and other companies may limit the relevance of this research to some extent, this research suggests that QC 1000 may help firms design, implement, and operate more effective QC systems. b. Improved Compliance With Applicable Professional and Legal Requirements The Board expects the requirements will benefit investors and other financial statement users by improving compliance with applicable professional and legal requirements via a more detailed QC standard. As described above, the requirements are expected to achieve this through three principal mechanisms. First, they explicitly connect the components of the QC system into an integrated cycle of risk assessment, performance monitoring, and remediation. Second, several of the new requirements will support the effectiveness of QC systems by 458 See, e.g., Iñaki Heras-Saizarbitoria and Olivier Boiral, ISO 9001 and ISO 14001: Towards a Research Agenda on Management System Standards, 15 International Journal of Management Reviews 47 (2013); Robert E. Hoyt and Andre P. Liebenberg, The Value of Enterprise Risk Management, 78 Journal of Risk and Insurance 795 (2011). 459 See, e.g., Hanwen Chen, Wang Dong, Hongling Han, and Nan Zhou, A Comprehensive and Quantitative Internal Control Index: Construction, Validation, and Impact, 49 Review of Quantitative Finance and Accounting 337 (2017); Ifeoma Udeh, Observed Effectiveness of the COSO 2013 Framework, 16 Journal of Accounting & Organizational Change 31 (2020). 460 See, e.g., Hollis Ashbaugh-Skaife, Daniel W. Collins, William R. Kinney, Jr., and Ryan Lafond, The Effect of SOX Internal Control Deficiencies on Firm Risk and Cost of Equity, 47 Journal of Accounting Research 1 (2009). E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices emphasizing accountability to the reasonable assurance objective. Third, more precise and prescriptive requirements will enhance the Board’s ability to inspect and enforce. Brokerdealer engagements and issuer audits performed by firms other than U.S. GNFs may see more improvement because they appear to have more room for improvement on average. However, the recent uptick in deficiencies for U.S. GNFs suggests that QC 1000 will also be a valuable resource for these firms to address those deficiencies and, thus, further protect investors. Some commenters described how a risk-based QC standard would improve audit quality. However, one commenter argued that the requirements are too risk-based (e.g., they could result in too little change at the larger firms) and suggested an even stronger prescriptive approach to certain aspects of the standard (e.g., training and supervision). The Board believes the standard reflects a balanced approach that includes prescriptive requirements where appropriate. PCAOB staff analysis of PCAOB inspections data supports the view that more effective QC policies and procedures will lead to improved compliance with applicable professional and legal requirements. Staff examined the historical association between satisfactory remediation of QC deficiencies and subsequent Part I.A deficiencies for triennial firms. Satisfactory remediation of a QC deficiency reflects substantial good-faith progress toward achieving a quality control objective.461 As such, an association between historical satisfactory remediation efforts and a subsequent decrease in Part I.A deficiencies would suggest that more effective QC policies and procedures lead to improved compliance with applicable professional and legal requirements. After controlling for auditor and issuer characteristics that may also drive Part I.A deficiencies using standard statistical techniques, the staff analysis indicates that, on average, satisfactory remediation is associated with reduced likelihood of subsequent Part I.A deficiencies. This suggests that more effective QC policies and procedures may lead to improved compliance with applicable professional and legal requirements.462 One commenter reported observing that satisfactory remediation of QC 461 See Staff Guidance Concerning the Remediation Process (Nov. 18, 2013), available at https://pcaobus.org/Inspections/Pages/ Remediation_Process.aspx. 462 For additional details, including definitions of all control variables, see QC White Paper. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 deficiencies results in fewer audit failures and asserted that this was in line with certain key findings of the staff analysis. The staff analysis is subject to several important caveats. First, remedial actions typically target specific aspects of a firm’s QC system. By contrast, implementation of QC 1000 may require a broader set of changes. Second, due to the transformational nature of QC 1000, the changes firms will make to their QC systems could be substantially different from firms’ historical satisfactory remedial actions. Third, U.S. GNFs were intentionally excluded from the analysis, potentially limiting its applicability to the U.S. GNFs. However, though association does not imply causation, the historical association between the number of QC deficiencies related to U.S. GNFs’ management of their audit practice 463 and U.S. GNFs’ compliance with applicable professional standards 464 suggests that, even among the U.S. GNFs, more effective QC systems could lead to improved compliance with applicable professional and legal requirements.465 Overall, the Board expects the association between satisfactory remediation and subsequent Part I.A deficiencies among triennial firms more likely understates the impact of QC 1000 due to its transformational nature. Observations from PCAOB inspections and academic research also suggest that the requirements may improve compliance with applicable professional and legal requirements. PCAOB inspectors have observed that root cause analyses, effective design and implementation of remedial actions, and appropriate governance practices related to leadership’s tone can drive audit quality,466 and one academic study reports that, as perceptions of the strength of the QC system increase, the likelihood of ‘‘reduced audit quality 463 See Figure 5 above. Figures 1 and 3 above. 465 Several nuances of smaller firms’ QC systems and the PCAOB inspections process may explain the absence of such an association for these firms. First, although there is a downward trend in QC deficiencies related to management of the audit practice (Figure 5 above), smaller firms’ QC systems may be deficient in certain important respects that render them less effective overall. Second, the roughly increasing trend in QC deficiencies related to audit performance for the smallest firms (Figure 3 above) may be driven in part by deficiencies in the application of new auditing requirements by these firms. Third, the inspection approach to QC assessments for the smaller firms is simplified and does not lend itself to such a correlation analysis. 466 See, e.g., 2018 Inspection Observations Preview 464 See PO 00000 Frm 00127 Fmt 4701 Sfmt 4703 49713 behaviors’’ decreases.467 These findings likewise support the view that the requirements, which place greater emphasis on root cause analysis, remediation, and governance practices, if successfully implemented, will lead to improved compliance with applicable professional and legal requirements. c. Improved Financial Reporting Quality and Capital Market efficiency Academic research provides evidence that compliance with auditing standards is positively associated with proxies for financial reporting quality.468 Research also finds a positive association between firms’ successful remediation of QC deficiencies—a proxy for adopting effective QC system practices—and the financial reporting quality of their issuer clients.469 PCAOB staff analysis also provides some evidence that successful remediation may be associated with improved financial reporting quality.470 The fact that the results from each of these studies that suggest a positive association with financial reporting quality does not necessarily mean that auditing standards or remediation of deficiencies cause better financial reporting quality. Investors and other financial statement users may benefit from improved issuer financial reporting quality because it helps solve information asymmetries and agency problems inherent to capital markets. Economic theory suggests that investors face a separation-of-ownership-andcontrol problem whereby issuer management may misappropriate investors’ capital.471 Relevant and accurate financial reporting can alleviate these problems by providing investors and other financial statement users with more accurate information regarding the financial position and operating results of companies. Investors may use this information to improve the efficiency of their capital 467 See, e.g., Charles F. Malone and Robin W. Roberts, Factors Associated with the Incidence of Reduced Audit Quality Behaviors, 15 Auditing: A Journal of Practice & Theory 49 (1996). 468 See, e.g., Daniel Aobdia, Do Practitioner Assessments Agree with Academic Proxies for Audit Quality? Evidence from PCAOB and Internal Inspections, 67 Journal of Accounting and Economics 144 (2019); Katherine A. Gunny and Tracey Chunqi Zhang, PCAOB Inspection Reports and Audit Quality, 32 Journal of Accounting and Public Policy 136 (2013). 469 See, e.g., Aobdia, The Economic Consequences 2883. 470 See QC White Paper. 471 See, e.g., Michael C. Jensen and William H. Meckling, Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure, 3 Journal of Financial Economics 305 (1976); Adolf Augustus Berle and Gardiner Coit Means, The Modern Corporation and Private Property (1991). E:\FR\FM\11JNN2.SGM 11JNN2 49714 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 allocation decisions (e.g., investors may more accurately identify companies with the strongest prospects for generating future risk-adjusted returns and allocate their capital accordingly). Investors may also perceive less risk in capital markets generally, leading to an increase in the supply of capital. An increase in the supply of capital could increase capital formation while also reducing the cost of capital to companies.472 While some uncertainty remains regarding the economic impacts of financial reporting,473 empirical academic research has affirmed this basic premise under certain conditions.474 Moreover, some studies have identified a direct association between auditors’ compliance with PCAOB standards and capital market efficiency.475 The requirements may also lead to improved compliance with applicable professional and legal requirements on broker-dealer audit engagements and, in turn, improved financial reporting quality and investor protection. An 472 See, e.g., Richard Lambert, Christian Leuz, and Robert E. Verrecchia, Accounting Information, Disclosure, and the Cost of Capital, 45 Journal of Accounting Research 385, 387 (2007) (discussing how increasing the quality of mandated disclosures should in general move the cost of capital to the risk-free rate for all firms in the economy); William Robert Scott and Patricia C. O’Brien, Financial Accounting Theory (2003), 412 (explaining that regulation is intended to improve the operation of capital markets by enhancing public confidence in their fairness). 473 See, e.g., Christian Leuz and Peter D. Wysocki, The Economics of Disclosure and Financial Reporting Regulation: Evidence and Suggestions for Future Research, 54 Journal of Accounting Research 525 (2016) (explaining the relative rarity of evidence on causal effects of disclosure and reporting regulation); Matthias Breuer, Christian Leuz, and Steven Vanhaverbeke, Mandated Financial Reporting and Corporate Innovation, No. w26291. National Bureau of Economic Research (2020), at 41 (reporting evidence consistent with the notion that mandatory reporting deters firms’ incentives to innovate and generate proprietary know-how because of concerns about the loss of proprietary information). 474 See, e.g., Christian Leuz and Robert E. Verrecchia, The Economic Consequences of Increased Disclosure, 38 Journal of Accounting Research 91 (2000) (finding that German companies that elect to commit to International Accounting Standards or U.S. GAAP exhibit lower percentage bid-ask spreads and higher share turnover than firms using German GAAP); Utpal Bhattacharya, Hazem Daouk, and Michael Welker, The World Price of Earnings Opacity, 78 The Accounting Review 641 (2003) (finding that an increase in overall earnings opacity in a country is linked to an economically significant increase in the cost of equity and an economically significant decrease in trading in the stock market of that country based on financial statements from 34 countries for the period 1984–1998). Because U.S. institutions differ from other countries and the studies pre-date Sarbanes-Oxley, the results may not be directly relevant to all PCAOB-registered firms. 475 See, e.g., Nemit Shroff, Real Effects of PCAOB International Inspections, 95 The Accounting Review 399 (2020). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 auditor’s work on these engagements, if appropriately performed, should make it more likely that a broker-dealer will maintain appropriate controls over compliance and less likely that there will be material reporting errors. The auditor’s work also has the potential to make it more difficult for broker-dealers to engage in fraud and other misconduct. Improved broker-dealer financial reporting quality also gives industry overseers, such as the SEC and FINRA, as well as other users of brokerdealer financial information, such as the Securities Investor Protection Corporation, more accurate information relevant to a broker-dealer’s financial condition, its ability to continue as a going concern, and its handling of customer securities and cash. This, in turn, enhances the ability of these organizations to carry out their responsibilities in ways that protect investors. Compliance with applicable professional and legal requirements may also contribute to the early identification or prevention of brokerdealer failures. Failures of large brokerdealers can have a negative impact on the stability and liquidity of financial markets, and failures caused by misconduct may damage investor confidence. A reduction in such failures could help improve the strength and safety of the financial system. d. Benefits of Key Provisions i. Scaled Applicability QC 1000 will require that a firm implement and operate an effective QC system at all times when the firm is required to comply with applicable professional and legal requirements with respect to any of the firm’s engagements, and thereafter through the next September 30.476 The discussion above provides further information on this provision. As of June 30, 2023, up to 60% of firms may not meet this criterion but will be required to design a QC system in compliance with QC 1000.477 Because registering with the 476 See QC 1000.07. 60% reported here is based on Form 2 reporting as of June 30, 2023, and reflects registered firms that reported they had not issued an audit report for an audit of an issuer or broker-dealer or played a substantial role in such an engagement during the preceding 12 months. As noted above, approximately 51% of firms have not performed an engagement under PCAOB standards for an issuer or broker-dealer in the past five years. The PCAOB does not collect information about whether registered firms perform engagements under PCAOB standards other than for issuers and brokerdealers. Firms may be engaged, for example, in connection with the audit of a reporting company that does not meet the Sarbanes-Oxley definition of ‘‘issuer’’ described in footnote 2 above, in connection with certain offerings of securities that are exempt from registration under the Securities 477 The PO 00000 Frm 00128 Fmt 4701 Sfmt 4703 PCAOB enables a firm to issue audit reports or play a substantial role on audits performed under PCAOB standards for issuers and broker-dealers, and because investors and companies considering engaging the firm could reasonably expect that any firm that could pursue such an engagement would already have a PCAOB-compliant QC system designed and ready for implementation and operation, the Board believes that imposing a design requirement on all registered firms promotes its mission of protecting investors and promoting the public interest. The Board also believes that designing the QC system will better position these firms to accept and perform engagements in compliance with applicable professional and legal requirements to the extent that the firm will have a PCAOB-compliant QC system ready for implementation and operation. ii. In-Process Monitoring Activities QC 1000 will require firms that issued audit reports with respect to more than 100 issuers during the prior calendar year to monitor in-process engagements and will require all other firms to consider monitoring in-process engagements.478 The discussion above provides further information on this provision. Monitoring in-process engagements can help firms detect and prevent engagement deficiencies before the engagement report is issued, resulting in a more proactive and preventive monitoring approach that has the potential to benefit investors through improved audit quality. The benefits will depend on the extent to which firms already have in-process monitoring activities in place. Information gathered through PCAOB inspection activities indicates that 11 out of 14 annually inspected firms perform some in-process engagement monitoring activities. iii. Firm Governance Structure QC 1000 will require firms that issued audit reports with respect to more than 100 issuers during the prior calendar year to incorporate into their governance structure an external oversight function for the QC system composed of one or more persons who are not principals or employees of the firm and do not otherwise have a commercial, familial, or other relationship with the firm that would interfere with the exercise of Act (e.g., offerings under Regulation A, Regulation D, or Regulation Crowdfunding), pursuant to a contractual obligation such as a loan covenant, or on an entirely voluntary basis. 478 See QC 1000.63. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices independent judgment with regard to matters related to the QC system (i.e., EQCF).479 The final standard specifies a baseline requirement that the EQCF’s responsibilities should include, at a minimum, evaluating the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system. The discussion above provides further information on this provision. Such an oversight function could reduce negative impacts of commercial considerations on decision making by firms about their QC system and thereby improve incentives to implement QC systems that more fully meet the interests of investors and other financial statement users. Some academic research finds that the level of board of directors independence is associated with certain benefits, such as improved operating performance and company value, which implies independent oversight in a firm‘s governance structure could potentially improve the quality of audit services provided by the firm.480 iv. The Automated Independence Process QC 1000 will require firms that issued audit reports with respect to more than 100 issuers during the prior calendar year to automate the process to identify investments in securities that might impair the independence of the firm or firm personnel that are managerial employees or partners, shareholders, members, or other principals.481 The discussion above provides further information on this provision. Automating this process should help firms more effectively and efficiently identify such investments. The automated process could also indirectly improve compliance with other relevant independence requirements. For example, automating this process may lead firms to maintain and make available the list of restricted entities more efficiently and effectively. v. Complaints and Allegations Policies and Procedures vi. Reporting the Annual QC System Evaluation QC 1000 will require firms to design, implement, and maintain policies and procedures that address processes and responsibilities for receiving, investigating, and addressing complaints and allegations and include protecting persons making complaints and allegations from retaliation.482 Firms that issued audit reports with respect to more than 100 issuers during the prior calendar year will be required to include confidentiality protections in their policies and procedures. The discussion above provides further information on this provision. Overall, the Board expects the policies and procedure regarding complaints and allegations will help reduce information asymmetry within the firm by alerting responsible individuals to instances of non-compliance of which they may otherwise be unaware. Some academic research suggests that the complaints and allegations provisions will increase the likelihood that individuals will submit complaints and allegations related to potential non-compliance. For example, one survey of public company auditors finds that (1) greater protection of individual identity and (2) trust that the firm would investigate and act on a report are both positively associated with intention to report non-compliance with auditing standards.483 A survey of accounting students finds that a weaker threat of retaliation is positively associated with the propensity to submit a complaint.484 The Board acknowledges that some experimental research finds that explicit protections may unintentionally deter internal complaints and allegations because the protections signal to potential persons making complaints that retaliation is a risk.485 However, overall, the Board expects the complaints and allegations provisions will benefit investors by reducing non-compliance with auditing standards and, thus, improving audit quality. QC 1000 will require firms to report to the PCAOB about the annual evaluation of their QC system.486 The discussion above provides further information on this provision. This requirement will help the Board obtain more timely, structured, and consistent information regarding the effectiveness of firms’ QC systems relative to what could be gathered through the inspections process, especially for the triennial firms. The Board will use this information to support its oversight activities (e.g., to select firms, audits, or focus areas for review). Reporting to the PCAOB will also improve incentives within a firm to design, implement, and operate an effective QC system. 482 See khammond on DSKJM1Z7X2PROD with NOTICES2 479 See QC 1000.28. 480 See, e.g., Anzhela Knyazeva, Diana Knyazeva, and Ronald W. Masulis, The Supply of Corporate Directors and Board Independence, 26 The Review of Financial Studies 1561 (2013). Other academic research indicates that a tradeoff of more independent board of directors may be less efficient monitoring by directors. See, e.g., Praveen Kumar and K. Sivaramakrishnan, Who Monitors the Monitor? The Effect of Board Independence on Executive Compensation and Firm Value, 21 The Review of Financial Studies 1371 (2008). 481 See QC 1000.34a. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 49715 QC 1000.29. Mary B. Curtis and Eileen Z. Taylor, Whistleblowing in Public Accounting: Influence of Identity Disclosure, Situational Context, and Personal Characteristics, 9 Accounting and the Public Interest 191 (2009). 484 See Gregory Liyanarachchi and Chris Newdick, The Impact of Moral Reasoning and Retaliation on Whistle-Blowing, 89 Journal of Business Ethics 37 (2009). 485 See James Wainberg and Stephen Perreault, Whistleblowing in Audit Firms: Do Explicit Protections from Retaliation Activate Implicit Threats of Reprisal?, 28 Behavioral Research in Accounting 83 (2016). 483 See PO 00000 Frm 00129 Fmt 4701 Sfmt 4703 vii. Certification of the Annual QC System Evaluation QC 1000 will require certain individuals in firms’ leadership to certify the annual evaluation of their firm’s QC system.487 The discussion above provides further information on this provision. This requirement will help address the positive externality problem in the audit market by creating greater accountability within firm leadership to implement an effective QC system. As noted in the proposal, PCAOB staff reviewed academic literature on the impacts of CEO and CFO certification requirements in the U.S. and engagement partner signature requirements in the United Kingdom and found both supportive and unsupportive findings.488 One commenter noted academic research that has found there is little, if any, effect of CEO and CFO certifications 486 See QC 1000.79. QC 1000.14d. and .15b. 488 See, e.g., Daniel A. Cohen, Aiyesha Dey, and Thomas Z. Lys, Corporate Governance Reform and Executive Incentive: Implications for Investments and Risk Taking, 30 Contemporary Accounting Research 1298 (2013) (finding that their sample of firms significantly reduced investments in risky projects in the period following SOX); Hsihui Chang, Jengfang Chen, Woody M. Liao, and Birendra K. Mishra, CEOs’/CFOs’ Swearing by the Numbers: Does it Impact Share Price of the Firm?, 81 The Accounting Review 1, 22 (2006) (concluding that the SEC order requiring filing of sworn statements by CEOs and CFOs had a positive effect on the market value of certifying firms); Jeffrey R. Cohen, Colleen Hayes, Ganesh Krishnamoorthy, Gary S. Monroe, and Arnold M. Wright, The Effectiveness of SOX Regulation: An Interview Study of Corporate Directors, 25 Behavioral Research in Accounting 61 (2013) (discussing that CEO certification was viewed as having led to heightened ownership and diligence on the part of decision agents throughout the financial reporting decision hierarchy but was also identified as a source of the costly resource-intensive reaction to Sarbanes-Oxley). 487 See E:\FR\FM\11JNN2.SGM 11JNN2 49716 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 required under Sarbanes-Oxley.489 Citing academic literature on accountability frameworks, the same commenter noted that imposition of accountability is largely positive 490 but that the increased accountability that would result from the certification requirement could have negative consequences.491 As discussed below, the Board acknowledges that increased accountability could lead to potential unintended consequences. However, the Board continues to believe that the certification requirement will benefit investors by increasing discipline in the 489 See, e.g., Paul A. Griffin and David H. Lont, Taking the Oath: Investor Response to SEC Certification Under Sarbanes-Oxley, 1 Journal of Contemporary Accounting & Economics 27 (2005); Gerald J. Lobo and Jian Zhou, Did Conservatism in Financial Reporting Increase after the SarbanesOxley Act? Initial Evidence, 20 Accounting Horizons 57 (2006); Utpal Bhattacharya, Peter Groznik, and Bruce Haslem, Is CEO Certification of Earnings Numbers Value-Relevant?, 14 Journal of Empirical Finance 611 (2007). 490 See, e.g., Andrew Quinn and Barry R. Schlenker, Can Accountability Produce Independence? Goals as Determinants of the Impact of Accountability on Conformity, 28 Personality and Social Psychology Bulletin 472 (2002); Virginia R. Stewart, Deirdre G. Snyder, and Chia-Yu Kou, We Hold Ourselves Accountable: A Relational View of Team Accountability, 183 Journal of Business Ethics 691 (2023); Angela T. Hall, Michael G. Bowen, Gerald R. Ferris, M. Todd Royle, Dale E. Fitzgibbons, The Accountability Lens: A New Way to View Management Issues, 50 Business Horizons 405 (2007); Marko Pitesa and Stefan Thau, Masters of the Universe: How Power and Accountability Influence Self-Serving Decisions under Moral Hazard, 98 Journal of Applied Psychology 550 (2013); Constantine Sedikides, Deletha Hardin, Kenneth Herbst, and Gregory Dardis, Accountability as a Deterrent to Self-Enhancement: The Search for Mechanisms, 83 Journal of Personality & Social Psychology 592 (2002). 491 See, e.g., Jennifer J. Dose and Richard J. Klimoski, Doing the Right Thing in the Workplace: Responsibility in the Face of Accountability, 8 Employee Responsibilities & Rights Journal 35 (1995); Jennifer S. Lerner and Philip E. Tetlock, Accounting for the Effects of Accountability, 125 Psychological Bulletin 255 (1999); Randall A. Gordon, Richard M. Rozelle, and James C. Baxter, The Effect of Applicant Age, Job Level, and Accountability on Perceptions of Female Job Applicants, 123 Journal of Psychology 59 (1989); Philip E. Tetlock, The Impact of Accountability on Judgment and Choice: Toward a Social Contingency Model, 25 Advances in Experimental Social Psychology 331 (1992); Angela T. Hall, Dwight D. Frink, and M. Ronald Buckley, An Accountability Account: A Review and Synthesis of the Theoretical and Empirical Research on Felt Accountability, 38 Journal of Organizational Behavior 204 (2017); Sheldon Adelberg and Daniel C. Batson, Accountability and Helping: When Needs Exceed Resources, 36 Journal of Personality and Social Psychology 343 (1978); Mark E. Peecher, Ira Solomon, and Ken T. Trotman, An Accountability Framework for Financial Statement Auditors and Related Research Questions, 38 Accounting, Organizations and Society 596 (2013); Angela T. Hall, M. Todd Royle, Robert A. Brymer, Pamela L. Perrewé, Gerald R. Ferris and Wayne A. Hochwarter, Relationships Between Felt Accountability as a Stresser and Strain Reaction: The Neutralizing Role of Autonomy Across Two Studies, 11 Journal of Occupational Health Psychology 87 (2006). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 evaluation process and reinforcing the accountability of the certifying individuals. viii. Responding to Engagement Deficiencies Identified After Issuance of the Audit Report The amendments to AS 2901, Consideration of Omitted Procedures After the Report Date, include: (1) addressing engagement deficiencies in addition to omitted procedures and (2) including the ICFR audit within its scope. Relatedly, the amendments to AT No. 1 and AT No. 2 mirror the amendments to AS 2901. The discussion above provides further information on this provision. The Board expects these amendments will lead auditors to perform additional procedures to obtain sufficient appropriate evidence or take additional action to prevent future reliance on insufficiently supported audit opinions (or review reports in the case of review engagements) that are being relied on. In such cases, PCAOB standards will require firms to advise their client to make appropriate disclosure of the newly discovered facts and their impact on the financial statements (or examination or review reports in the case of attestation engagements) to persons who are known to be currently relying or who are likely to rely on the financial statements and the related auditor’s report (or review report in the case of a review engagement). Academic research on ICFR suggests that such disclosures will be valuable to capital market participants with improvements in company performance and financial reporting.492 ix. SECPS Requirements The requirements will refine, integrate into QC 1000, and extend to all firms the SECPS member requirements currently required under PCAOB Rule 3400T. Based on current registration data, approximately 13% of PCAOBregistered firms are already subject to these requirements under PCAOB Rule 3400T. The discussion above provides an overview of these requirements. The Board expects that this feature of the rulemaking will benefit investors by enhancing audit quality through improved compliance with SEC and PCAOB independence rules on engagements performed by firms not already subject to these requirements under PCAOB Rule 3400T. 492 See discussion on economic impacts above and the research cited therein. PO 00000 Frm 00130 Fmt 4701 Sfmt 4703 2. Costs The Board expects the requirements will result in additional direct and indirect costs to auditors and, potentially, indirect costs to the companies that they audit. The extent of these costs will depend on the degree to which firms otherwise have QC systems in place designed to comply with other QC standards and the specific policies and procedures adopted by the firm. The information presented above suggests that U.S. GNFs commit hundreds of partner and non-partner FTEs to their QC systems, including, individually, each of the major QC system components specified in ISQM 1. Resources are particularly utilized in the areas of independence, ethics, and resources. As discussed above, the Board believes most firms are subject to other QC standards. In designing, implementing, and operating their QC systems, firms that are subject to both PCAOB standards and other QC standards can leverage the investments they make to comply with the requirements of the other standards. Therefore, the Board expects that a portion of the overall costs of designing, implementing, and operating policies and procedures to comply with QC 1000 have been or will be incurred by most firms regardless of whether QC 1000 is adopted. As a consequence, for most firms, the Board expects the costs discussed below will derive primarily from the provisions in QC 1000 that go beyond the requirements of other QC standards. Several commenters noted there will be costs and challenges to implement and operate features of QC 1000 that are incremental to the systems firms have established to comply with other QC standards. One commenter said that the need to accommodate nuances among different standards results in firms maintaining different methodologies, practices, and procedures that puts pressure on limited firm resources. Several commenters asserted that firms that audit between 100 and 500 issuers will be significantly impacted by costs associated with some or all of QC 1000’s incremental requirements for firms that issue audit reports for more than 100 issuers, and some of the commenters noted resource differences between GNFs and annually inspected NAFs. Since QC systems are resourceintensive, the efforts required to respond to the additional provisions in QC 1000 or to otherwise adapt the QC system to the auditing environment for issuers and SEC-registered brokerdealers could be significant. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 While the PCAOB lacks data to quantify the costs that could result from QC 1000, some studies have estimated costs associated with ICFR under Sarbanes-Oxley section 404.493 The Board acknowledges differences between section 404 and QC 1000, but section 404 is similar to QC 1000 in that section 404 was a policy shock that led large public companies to improve their internal control practices. In addition, while QC 1000 is not an internal control framework per se, it does reflect similar principles as COSO, the industry standard control framework that was widely relied upon to implement section 404. One commenter observed that the requirements under QC 1000 are similar in certain ways to the requirements related to ICFR under Sarbanes-Oxley for companies and suggested that the impacts of QC 1000 on auditors will be similar to the impact Sarbanes-Oxley had on companies notwithstanding key differences between a company’s ICFR and an audit firm’s QC system. 493 Based on a sample of companies that voluntarily disclosed Section 404 cost information in their SEC filings during the period Jan. 2003 to Sept. 2005, one study found that the mean total compliance costs for Section 404 was $2.2 million ($3.7 million adjusted for inflation), and the median was $1.2 million ($2.0 million adjusted for inflation). See Jagan Krishnan, Dasaratha Rama, and Yinghong Zhang, Costs to Comply with SOX Section 404, 27 Auditing: A Journal of Practice & Theory 169 (2008). Using a sample of Fortune 1000 companies, another study estimated the companies spent an average of $5.9 million ($9.6 million adjusted for inflation) to comply with Section 404 in the first year of implementation. See Charles River Associates, Sarbanes-Oxley 404 Costs and Remediation of Deficiencies: Estimates from a Sample of Fortune 1000 Companies (2005). Another study found that direct costs of Section 404 fell by as much as 40% by the second year after implementation and varied significantly by company size. See John C. Coates IV, The Goals and Promise of the Sarbanes-Oxley Act, 21 Journal of Economic Perspectives 91 (2007). Another study reported an SEC survey sample that showed an overall average Section 404 compliance expense of $1.2 million ($1.7 million adjusted for inflation) in the latest fiscal year before the survey (Dec. 2008 to Jan. 2009) and respondents reported a decline over time in such costs. See Cindy R. Alexander, Scott W. Bauguess, Gennaro Bernile, Yoon-Ho Alex Lee, and Jennifer Marietta-Westberg, Economic Effects of SOX Section 404 Compliance: A Corporate Insider Perspective, 56 Journal of Accounting and Economics 273 (2013). To adjust results from the studies for inflation, PCAOB staff used an inflationary factor as of the third quarter 2023 from the current dollar index number of the Employment Cost Index for private workers employed in the professional, scientific, and technical services industry published by the U.S. Bureau of Labor Statistics (available at https:// www.bls.gov/eci/data.htm). This inflationary adjustment does not account for any potential differences between QC 1000 costs and Section 404 costs or any potential structural changes over time. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 a. Direct and Indirect Costs of the Proposed Requirements The Board expects the requirements will lead to several direct and indirect costs. There will be a direct cost to audit firms to design a QC system that complies with QC 1000. For example, firms will likely spend time reviewing QC 1000; assigning roles and responsibilities; identifying staffing and training needs; and developing a set of quality objectives, quality risks, and quality responses. Once a QC system is designed, firms will incur costs to monitor, identify, and assess changes to conditions, events, and activities that indicate modifications to the firm’s quality objectives, quality risks, or quality responses may be needed. Some firms may outsource certain aspects of QC system design. The Board also expects that customization will be necessary to ensure that each QC system design appropriately addresses each firm’s circumstances. The extent of the design costs will likely depend on facts and circumstances unique to each firm. Among firms that will be subject to other QC standards, which the Board believes represents most firms, the design costs will likely be reduced and limited to incremental requirements around ethics, independence, monitoring, and remediation. For full applicability firms—those that will be required to implement and operate an effective QC system—there will likely be additional costs. Firms may need to implement fixed resources (e.g., people, financial, technological, or intellectual) prior to operating their QC system. For example, a firm may need to invest in an IT system or train individuals having QC roles or responsibilities. Several commenters identified significant implementation costs and called for an extended implementation period due to these costs. Describing the results of its recent survey of assurance service QC leaders, one commenter reported that obtaining ‘‘buy in’’ and acceptance from organizational members is the most common challenge firms face when implementing changes to their QC systems.494 As discussed, the Board agrees there will be implementation costs; however, these implementation costs will be reduced to the extent that firms already implement the requirements to comply with the actions of other standard setters or due to other developments. Furthermore, the Board expects the design and implementation 494 See Hayne, et al., Managing Quality Control Systems. PO 00000 Frm 00131 Fmt 4701 Sfmt 4703 49717 costs will be largely fixed in nature and will decline over time. Firms may also incur new operating costs, at the firm level and the engagement level. At the firm level, firms may require additional resources to administer new or revised quality responses after they are implemented, execute the annual risk assessment, perform the annual evaluation of the QC system, report the results of the evaluation to the PCAOB using the same PCAOB platform as the other reporting forms, and prepare and retain the required documentation. Several commenters identified significant operating costs. For example, one commenter argued that the proposed independent oversight function could entail insurance costs. At the engagement level, engagement team time may be required to execute new or revised quality responses. For example, an engagement team may carry out procedures regarding continuance of the firm’s relationship with the client served by that engagement team. These operating costs will be reduced for firms that would be subject to other standard setters or other developments. Several commenters asserted that the documentation costs, as originally proposed, could be particularly onerous. For example, several commenters asserted that firms would be required to retain large volumes of documentation to support the operation of the firm’s quality responses for each instance related to all years for which firms are required to maintain such documentation. One commenter noted that information evidencing the operation of a firm’s QC system can vary in size, type, and storage requirements and that the costs of modifying the firm’s existing IT systems to comply with the documentation requirement could be significant. Some commenters noted that the amount of documentation to be retained is expected to require considerably more storage space for each evaluation period, which the commenters suggested translates to a need for new servers and extended licensing agreements. One commenter said that firms that change their systems will have to maintain licenses for old systems for up to seven years. The same commenter said the seven-year retention period goes well beyond the retention requirements of ISQM 1 and SQMS 1 and asserted that firms with a significant private company client base would be challenged to have different documentation retention policies since many aspects of quality control relate to the firm as a whole. Some commenters suggested that retaining sensitive information introduces heightened E:\FR\FM\11JNN2.SGM 11JNN2 khammond on DSKJM1Z7X2PROD with NOTICES2 49718 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices cybersecurity risks for firms, firm personnel, clients, and other stakeholders. The Board acknowledges that the documentation requirement could create costs for firms, including costs related to retention and cybersecurity infrastructure. To clarify the expected cost burden, the discussion above notes that documentation of every aspect of the operation of the firm’s QC system may not be required to evidence that each quality response operated effectively. Several commenters asserted that smaller firms may be especially affected by the new QC requirements, including requirements incremental or alternative to ISQM 1 and SQMS 1. One commenter said that smaller firms will need to hire consultants or additional staff for the monitoring, remediation, and evaluation functions, notwithstanding the scalability of QC 1000. Another commenter asserted that QC 1000 will impose disproportionate costs on smaller firms but noted that the commenter did not analyze in detail the cost of each incremental requirement and therefore did not have an estimate of the disproportionate costs. Relatedly, research finds that implementation and operating costs of internal control frameworks precipitated by SarbanesOxley are proportionally greater for smaller companies.495 The Board acknowledges that the direct costs will likely vary depending on the size of the firm and the nature of its audit practice. Larger PCAOB audit practices that already have extensive QC systems in place may benefit from economies of scale or scope when incorporating the new requirements into their existing systems, which would decrease the cost of QC 1000 per engagement. Larger PCAOB audit practices will be able to distribute fixed implementation costs over a larger number of engagements, while smaller practices will distribute fixed implementation costs over a smaller number of engagements. On the other hand, it may also be difficult for firms with more complex clients and diverse client portfolios—characteristics of larger PCAOB audit practices—to implement effective QC systems. To the extent that smaller firms may be disproportionately impacted as commenters have suggested, the Board continues to believe that the principlesbased features and scalable nature of QC 1000, described in greater detail above, as well as the 100-issuer threshold for some provisions, help to mitigate their 495 See, e.g., John C. Coates and Suraj Srinivasan, SOX after Ten Years: A Multidisciplinary Review, 28 Accounting Horizons 627 (2014). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 costs because smaller firms will rely on proportionally fewer resources for design, implementation, and operation of their QC systems. In addition to the direct costs to auditors to comply with the requirements, indirect costs may arise. To the extent that compliance with the requirements will improve compliance with applicable professional and legal requirements at the engagement level, costs may increase for the affected engagements. For example, in bringing their work into compliance with PCAOB auditing standards, some engagement teams may gather additional or more persuasive audit evidence and prepare more documentation than they previously did. However, firms should be incurring these costs already. Audited companies may also incur indirect costs related to the requirements. For example, some commenters asserted that the 100-issuer threshold could deter triennially inspected firms from accepting new public company audit engagements or encourage firms to resign from existing audit engagements to avoid crossing the 100-issuer threshold. Although the Board recognizes this possibility, for context regarding the number of firms currently around the 100-issuer threshold, PCAOB staff analysis of audit reports included in SEC filings indicates that, during the 2022 calendar year, two NAFs audited between 80 and 100 issuers and two NAFs audited between 100 and 120 issuers. Firms may pass on part of any increased costs they incur at the firm or engagement level by raising the fees they charge their clients. In addition, to the extent that the requirements improve compliance with applicable professional and legal requirements, some audited companies could face additional costs to respond to their auditors’ requests for additional or more extensive audit evidence. Audited companies may incur other costs due to changes in audit firm QC policies and procedures. For example, if QC 1000 results in changes to firms’ client acceptance and continuance practices, firms may require greater fees or refuse to accept or retain high-risk clients. While this outcome would represent a cost to audited companies, the result could be a more efficient audit market if riskier companies pay more. These indirect costs will be reduced to the extent that firms will have already implemented the requirements in response to similar actions of other standard setters or due to other developments. PO 00000 Frm 00132 Fmt 4701 Sfmt 4703 b. Costs of Key Provisions i. Scaled Applicability Scaled-applicability firms will incur the design costs discussed above. Should a scaled-applicability firm ever become subject to the implementation and operation requirements, the firm will then incur the implementation and operation costs discussed above. As with other registered firms, the costs to scaled-applicability firms will be less to the extent they will already be complying with ISQM 1 or SQMS 1. Firms and a related group suggested allowing firms that do not perform engagements the flexibility to design their QC system in accordance with another QC standard, such as ISQM 1 or SQMS 1, to help manage costs. However, the Board expects the design costs for those firms to be limited to incremental requirements around ethics, independence, monitoring, and remediation. Furthermore, scaledapplicability firms may choose to avoid the design costs by withdrawing from PCAOB registration given that they are not required to be registered. ii. In-Process Monitoring Activities The Board believes the in-process monitoring requirement may contribute to the direct and indirect costs discussed above such as: (1) developing documentation, (2) providing training, (3) gathering additional audit evidence, and (4) other potential indirect costs such as the time required of issuers to provide their auditor with additional or more extensive audit evidence. The costs will depend on the extent to which firms already have in-process monitoring activities in place. In addition, in-process monitoring may result in increased audit fees. Information gathered through PCAOB inspection activities indicates that 11 out of 14 annually inspected firms perform some in-process engagement monitoring activities. iii. Firm Governance Structure The Board believes there could be costs to design, implement, and operate the oversight function (i.e., EQCF). For example, firms that are required to incorporate the oversight function into their governance structure for the first time may incur costs when retaining appropriate individuals from outside of the firm.496 Firms with an existing 496 According to Spencer Stuart, the average compensation per non-employee director was $327,764 in 2023. See 2023 U.S. Spencer Stuart Board Index (2023), available at https:// www.spencerstuart.com/-/media/2021/october/ ssbi2021/us-spencer-stuart-board-index-2021.pdf (analyzing 489 DEF–14A proxy statements filed by E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 oversight function may incur costs to find different individuals to fill the role. In addition, firms with an existing oversight function may incur incremental costs to incorporate the baseline requirement to evaluate, at a minimum, significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system. Several commenters expressed concern that the oversight function would be costly or difficult to fulfill, especially for firms that audit between 100 and 500 issuers. One commenter suggested the oversight function could add costs that ultimately have to be passed on through higher audit fees, which investors in smaller issuers are unlikely to support, particularly when the costs are spread over a small amount of invested public capital in a firm’s issuer audits clients. Conversely, one commenter said that the costs of the oversight function could be reduced by engaging an independent accounting firm to provide weekly advisory services. To help address these cost concerns, the requirement will allow firms to implement an oversight function into their QC system suitable for their circumstances. Costs, as well as the associated benefits, could be attenuated for U.S. GNFs by the fact that all of the U.S. GNFs indicate, as of the 2020 inspection cycle, that they already have a governance structure that includes a non-employee. iv. The Automated Independence Process The Board believes there could be costs to design, implement, and operate the required automated process to identify investments in securities that might impair independence. The costs will depend on the extent to which firms already have such an automated process in place. Information gathered through PCAOB inspection activities indicates that nine out of 14 annually inspected firms already have one in place. The remaining five have processes in place that are not fully automated. Firms will be able to automate the process in a way that is suitable to their unique facts and circumstances. Most firms will likely need to: (1) convert their restricted entity list into a searchable electronic form; (2) maintain the electronic restricted entity list; and (3) develop S&P 500 companies with the SEC between May 1, 2022, and Apr. 30, 2023). PCAOB staff notes that variation between the responsibilities of an oversight function and a non-employee director function may limit the relevance of this cost reference to some extent. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 queries that can compare a manager’s or partner’s relevant investments in securities to the electronic restricted entity list. Some firms may choose to integrate the automated process with existing systems related to client acceptance or time and expense. Firms with simple restricted entity lists (e.g., fewer clients, fewer subsidiaries) or simpler QC policies and procedures for restricted entities (e.g., any investment in any security of a restricted entity is restricted) may require less investment in software and expertise than other firms. Several commenters said that the proposed automated process will entail significant costs. One commenter emphasized that there will be upfront and ongoing investments in technology and other overhead to operate such a process. Another commenter noted that implementing and maintaining an automated independence monitoring system is costly for smaller firms, which audit predominantly privately held companies and have not previously been subject to the automated independence system requirement under SEC rules. One commenter said it was unaware of any truly off-the-shelf system responsive to the proposed requirement. One commenter emphasized that for firms that audit between 100 and 500 issuers, the main potential downside of an automated process is the associated time and incremental cost to develop an efficient and effective system. The commenter noted that, in addition to software costs, there will be costs to oversee the system to ensure the data entered are correct and firm personnel are trained to use the system. Another commenter noted that the six largest firms represent 60% of issuers and approximately 98.7% of the capital markets and asserted that the automated independence process will nearly triple the number of firms required to implement automated investment tracking systems but pick up less than 15% of issuers, which represent less than 1% of the capital markets. The same commenter also asserted that the differences in size, scope, nature, and complexity between the six largest annually inspected firms and other annually inspected firms can be immense and that more than 80% of the commenter’s issuer client count consists of either Form 11–K audits or audits of smaller companies, which have less impact on capital markets. While the commenter provided these figures in response to costs of the automated independence process, the same figures could apply to the costs and benefits of each of the key policy PO 00000 Frm 00133 Fmt 4701 Sfmt 4703 49719 provisions that invoke the 100-issuer threshold. To help address these views, the final standard clarifies that the required automated process: (1) will apply only to the identification of relevant investments in securities and (2) will permit firms to rely on firm professionals accurately self-reporting and entering their investments into the system (e.g., direct brokerage feeds will not be expressly mandated). In addition, the Board believes that existing software products likely could be adapted to respond to the requirements. Furthermore, off-the-shelf systems more tailored to the requirements may enter the market in the future. Notwithstanding the commenters’ views, the Board retained the automated independence process requirement, and acknowledges there will be costs to design, implement, and operate it. v. Complaints and Allegations Policies and Procedures The Board expects the policies and procedures regarding complaints and allegations will entail direct costs to firms to design, implement, and maintain. Most notably, firms will incur additional variable costs to receive, investigate, and address complaints and allegations. Firms that issued audit reports with respect to more than 100 issuers during the prior calendar year will incur costs to implement confidentiality protections. The costs will depend on the extent to which firms already have policies and procedures regarding complaints and allegations in place. Information gathered through PCAOB inspection activities indicates that 10 out of 14 annually inspected firms already have hotlines in place that may satisfy certain of the complaints and allegations requirements.497 vi. Reporting the Annual QC System Evaluation The Board expects the requirement to report the annual QC system evaluation to the PCAOB will entail an additional annual cost to firms to prepare Form QC. However, since firms will already be required to perform and document the evaluation, any additional costs associated with preparing Form QC should be minimal. The requirement may also result in some increased 497 According to one hotline vendor that posted their service prices online, the annual fee for a hotline that covers up to 75 employees starts at $1,200 and the annual fee for a hotline that covers more than 5,000 employees starts at $7,000 (see https://www.allvoices.co/basic-purchase). The Board notes that the complaints and allegations provisions include more than having a hotline. E:\FR\FM\11JNN2.SGM 11JNN2 49720 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices litigation risk to the extent that information reported to the PCAOB is not subject to privilege under section 105(b)(5) of Sarbanes-Oxley, and to the extent that reporting of this information to a third party may vitiate other privileges that otherwise could have been used to protect the information from compelled disclosure in thirdparty actions. Non-protected material may become subject to compulsory production, which could impose indirect costs on firms to the extent that legal or other consequences may flow from that production. khammond on DSKJM1Z7X2PROD with NOTICES2 vii. Certification of the Annual QC System Evaluation The certification requirement itself may not impose much direct cost on firms because the evaluation activities precede certification. However, to the extent that firms choose to implement a more robust internal compliance infrastructure (e.g., by requiring subcertifications from personnel with direct responsibility for certain functions), those costs could also be attributable to the certification requirement. Moreover, firms may be exposed to litigation costs because the certifications in Form QC are not subject to privilege under section 105(b)(5) of Sarbanes-Oxley, meaning that third parties may be able to compel production of the certifications, and the certifications may have an impact in third-party litigation. For example, the threat of liability for negligent conduct could lead to costs if individuals demand additional remuneration or take additional steps to act reasonably and demonstrate that they have acted reasonably (e.g., assuring themselves that the QC system is appropriately designed) or to defend against enforcement allegations. The Board believes, however, that the internal compliance exercise, and even potentially the threat of third-party litigation, can reinforce the importance of the firm’s QC system within the firm, which in turn can help produce the benefits the Board expects this provision will generate. viii. Responding to Engagement Deficiencies Identified After Issuance of the Audit Report The amendments to AS 2901, Consideration of Omitted Procedures After the Report Date, and related amendments to AT No. 1 and AT No. 2 will contribute to the engagement-level costs discussed above to the extent auditors will perform additional procedures to obtain sufficient appropriate evidence or take additional action to prevent future reliance on insufficiently supported audit opinions VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 (or review reports in the case of review engagements) that are being relied on. The Board expects the requirement to extend the scope of AS 2901 to include the ICFR audit within its scope will be particularly impactful because the audit of internal control over financial reporting is both resource-intensive 498 and a common and recurring area of deficiency.499 vii. SECPS Requirements The requirements will refine, integrate into QC 1000, and extend to all firms the SECPS member requirements currently required under PCAOB Rule 3400T. The Board expects this will increase development, implementation, and operating costs for firms not already subject to these requirements. However, the Board believes the costs should be minimal because, based on its oversight activities, the Board believes these firms already have in place policies and procedures related to compliance with SEC and PCAOB independence rules. 3. Unintended Consequences The requirements could give rise to unintended consequences. Overall, however, the Board expects any potential unintended consequences will be mitigated by other factors. a. Human Capital Some firms may require additional staff resources to implement the requirements. To meet this demand, firms may transfer personnel from engagement-level roles to QC roles. This could create a risk that engagements are insufficiently staffed. Alternatively, some firms may assign more junior staff to QC roles or to new openings on engagements. This could create a risk that QC system or engagement personnel lack sufficient training or experience. One commenter reported the commenter’s own analysis to demonstrate that audits are largely conducted by non-CPAs with limited experience in the field of auditing. QC 1000 includes quality objectives that mitigate these risks. For example, firms will be required to establish quality objectives that individuals who are assigned to engagements or perform QC system activities have the competence, objectivity, authority (in the case of activities within the QC system), and time to perform their responsibilities in 498 See, e.g., U.S. Securities and Exchange Commission Office of Economic Analysis, Study of the Sarbanes-Oxley Act of 2002 Section 404 Internal Control over Financial Reporting Requirements (Sept. 2009), at Table 8 (reporting that roughly one-third of total audit fees may be attributable to the ICFR audit). 499 See, e.g., 2020 Inspection Observations Preview. PO 00000 Frm 00134 Fmt 4701 Sfmt 4703 accordance with applicable professional and legal requirements and the firm’s policies and procedures.500 Some commenters argued that the costs of QC 1000 would be especially significant due to labor shortages. One commenter asserted that an aggressive enforcement atmosphere may create disincentives for individuals to join the profession, harming the talent pipeline that is necessary for the production of high-quality audits. Another commenter raised concerns that recruiting and retaining partners and employees for a firm’s QC system will be a tremendous challenge for firms willing and able to absorb additional costs to properly implement the requirements of QC 1000 given the tight labor market. One commenter reported that some market research indicates significant declines in the number of new CPA candidates and annual accounting degree completions.501 The commenter also reported commentary from a survey that reveals the largest accounting firms regularly score low along dimensions that are most indicative of their desirability as places to work.502 Another commenter cited news articles 503 and academic research 504 that suggest attracting and retaining talent is a serious concern for accounting firms and university accounting programs. However, based on its preliminary survey research, another commenter reported that some QC leaders do not feel resource constrained.505 The Board acknowledges the commenters’ concerns about the potential impact on staff resources. However, the potential impact on staff resources is likely the result of the interplay among numerous factors in the labor market, such as the rigor of qualifying for and completing the requirements for CPA licensure and the relatively low starting salaries being cited by college students as one of the main hurdles to choosing accounting as a major. To meet increased demand for staff resources, some firms may choose to hire additional experienced staff. It is 500 See QC 1000.44c. and e. AICPA Trends Report. 502 See Mark Kolakowski, Best Accounting Firms (Vault Top 50 Accounting Firms) (Jan. 14, 2020). 503 See, e.g., Lindsay Ellis, Why so Many Accountants are Quitting, Wall St. J. (Dec. 28, 2022); Stephen Foley, Accountants Work to Shed ‘‘Boring’’ Tag Amid Hiring Crisis, Financial Times (Oct. 3, 2022). 504 See, e.g., Hermanson, et al., The Work Environment in Large Audit Firms A38; Dana R. Hermanson, Heather M. Hermanson, Susan D. Hermanson, Where is Public Company Auditing Headed?, 90 CPA Journal 54 (2020); Westermann, et al., PCAOB Inspections 694. 505 See Hayne, et al., Managing Quality Control. 501 See E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices possible that the labor demand shock could result in increased wages and potentially higher audit fees, which could be exacerbated by the concentration of large firms in the audit market. Higher wages could in turn help firms attract and retain a skilled workforce or encourage qualified individuals to take essential roles at firms.506 The principles-based features and scalable nature of QC 1000 described above, as well as the 100issuer threshold for some provisions, help mitigate this risk because fewer resources will be required for firms based on those features. khammond on DSKJM1Z7X2PROD with NOTICES2 b. Competition The requirements could also cause firms to exit the public company audit market or deter other firms from future entry. Entry deterrence could be exacerbated by the fact that being registered with the PCAOB will subject firms to certain QC requirements even if they do not perform engagements. Several commenters agreed that the proposed requirements, if adopted, could impact competition. One commenter expressed concern that the incremental requirements of QC 1000 relative to other QC standards could lead smaller high-quality firms to exit the market. One commenter asserted that the certification requirement would be an especially significant driver of exit, particularly for smaller firms. Some commenters suggested that the design requirement for scaled-applicability firms could lead some scaledapplicability firms to deregister with the PCAOB or create a barrier to entry. One commenter added that the design requirement for scaled-applicability firms could impact audit markets beyond the U.S. by creating a disincentive for foreign firms to serve specific audit markets. Another commenter suggested that further enhancing the scalability of QC 1000 may be helpful for smaller firms to stay competitive. One commenter noted that QC 1000 requirements may serve as an impediment to audit firm mergers and acquisitions and otherwise perturb market activity. Correspondingly, less consolidation could mitigate concentration or help preserve a competitive dynamic amongst firms. Nevertheless, the presence of fewer 506 There are some indications that retention and recruitment of staff is currently a challenge for audit firms. See, e.g., Persellin, et al., Auditor Perceptions 95; AICPA Private Companies Practice Section, 2021 PCPS CPA Top Issues Survey; AICPA, 2021 Trends: A Report on Accounting Education, the CPA Exam and Public Accounting Firms’ Hiring of Recent Graduates (‘‘AICPA Trends Report’’) (Apr. 2022). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 firms could reduce competition in the public company audit market even in light of additional scalability or fewer mergers and acquisitions. Some commenters said that some firms may resign existing issuer clients or decline new ones to avoid incremental QC 1000 requirements for firms that issue more than 100 audit reports. This could lead to a further reduction in competition for engagements that these firms would otherwise compete. This reduction in competition would likely only apply to actual or potential issuer clients of firms that are close to the 100-issuer threshold. As noted above, PCAOB staff analysis of audit reports included in SEC filings indicates that, during the 2022 calendar year, the number of firms currently around the 100-issuer threshold includes two NAFs that audited between 80 and 100 issuers and two NAFs that audited between 100 and 120 issuers. Confirming the widely held view that audit firms compete on price, some research suggests that reduced competition is indeed associated with higher audit fees.507 However, any exit would likely be limited primarily to firms with small market shares and to the smaller issuer or broker-dealer audit markets, which research suggests tend to be competitive.508 For example, firms 507 See, e.g., Joshua L. Gunn, Brett S. Kawada, and Paul N. Michas, Audit Market Concentration, Audit Fees, and Audit Quality: A Cross-Country Analysis of Complex Audit Clients, 38 Journal of Accounting and Public Policy 1 (2019). 508 While research generally has focused on competition for the largest public company audits and the corresponding concentration amongst the largest audit firms, less is known about market forces within the smaller audit firm market. However, some research has studied competitive aspects of the smaller firm market. See, e.g., Tracy Ti Gu, Dan A. Simunic, Michael T. Stein, Minlei Ye, and Ping Zhang, The Market for Audit Services: The Role of Market Power, 19 Journal of International Accounting Research 3 (2020) (concluding that small public companies can potentially purchase audit services from any audit firm and that the number of suppliers to small public companies is relatively higher than the number of suppliers to large public companies); Kenneth L. Bills and Nathaniel M. Stephens, Spatial Competition at the Intersection of the Large and Small Audit Firm Markets, 35 Auditing: A Journal of Practice and Theory 23 (2016) (concluding that smaller and larger firms compete locally in some cases); Andrew Kitto, Phillip T. Lamoreaux, and Devin Williams, Do Entry Barriers Allow Low Quality Audit Firms to Enter the Public Company Audit Market?, available on SSRN: https://ssrn.com/abstract=3572688(2023) (concluding that current barriers to entry likely deter some audit firms from entering the audit market but that current barriers fail to prevent entry by firms that are significantly lower quality compared to incumbent firms); Brant Christensen, Kecia Williams Smith, Dechun Wang, and Devin Williams, The Audit Quality Effects of Small Audit Firm Mergers in the United States, 42 Auditing: A Journal of Practice & Theory 75 (2023) (concluding that audit quality decreases post-merger based on data regarding mergers of very small audit firms). PO 00000 Frm 00135 Fmt 4701 Sfmt 4703 49721 that would manage their client portfolio to avoid incremental QC 1000 requirements would likely prefer to resign (or decline to accept) smaller issuer clients than larger issuer clients. Moreover, some research suggests that reduced competition may have a positive impact on audit quality because it curtails issuers’ opportunity to opinion shop.509 Compounding this effect, the requirements may further deter opinion shopping as a basis for competition to the extent they would improve auditors’ compliance with professional standards. One commenter argued that opinion shopping is not prevalent and any reduction in opinion shopping would be minimal. c. Network Resources Some commenters expressed concern that the requirements could diminish the availability of global network resources and that smaller firms around the world could decline to assist U.S. firms in their global audits. One commenter added that this could be detrimental to overall engagement quality. Several factors could mitigate this potential unintended consequence. First, staff analysis of 2021 Form AP filings finds that 74% of all audits (32% of Fortune 500 audits) do not use other auditors.510 Second, this potential unintended consequence would likely be limited primarily to firms that lack the network resources to implement QC 1000. One academic study finds that 94% of component auditors identified on Form AP are affiliated with the principal auditor (99% when the principal auditor is a GNF).511 Third, other auditors that do not play a substantial role on any PCAOB engagement would be able to deregister with the PCAOB and continue to perform their existing roles on the engagements. Fourth, the competitiveness of the smaller issuer audit market suggests that principal auditors would be able to retain a different component auditor of comparable quality. Finally, to the extent the requirements would lead a firm to retain a lower-quality 509 See, e.g., Nathan J. Newton, Julie S. Persellin, Dechun Wang, and Michael S. Wilkins, Internal Control Opinion Shopping and Audit Market Competition, 91 The Accounting Review 603 (2016); Nathan J. Newton, Dechun Wang, and Michael S. Wilkins, Does a Lack of Choice Lead to Lower Quality? Evidence From Auditor Competition and Client Restatements, 32 Auditing: A Journal of Practice & Theory 31 (2013). 510 See PCAOB Rel. No. 2022–002, at Figure 2. 511 See William M. Docimo, Joshua L. Gunn, Chan Li, and Paul N. Nichas, Do Foreign Component Auditors Harm Financial Reporting Quality? A Subsidiary-Level Analysis of Foreign Component Auditor Use, 38 Contemporary Accounting Research 3113 (2021). E:\FR\FM\11JNN2.SGM 11JNN2 49722 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices component auditor, existing PCAOB standards related to audits involving other auditors could help mitigate the risk that the new component auditor performs a low-quality component audit.512 It is possible that, despite the requirements, firms may not improve compliance with applicable professional and legal requirements when performing their engagements. For example, personnel assigned to QC roles may adopt a perfunctory, ‘‘check the box’’ attitude toward compliance. The firm’s risk assessment process and monitoring and remediation process requirements, which require personnel assigned to QC roles to think proactively about the reasonable assurance objective, could help to mitigate this risk. As another example, engagement partners may overestimate the ability of their firm’s QC system to support achievement of the reasonable assurance objective and relax their efforts to selfmonitor or monitor others. While QC 1000 centralizes responsibility for QC to a degree, other requirements could mitigate this risk. For example, individual responsibility features prominently in QC 1000 and PCAOB auditing standards emphasize the responsibility of the engagement partner for the engagement and its performance.513 d. Accountability khammond on DSKJM1Z7X2PROD with NOTICES2 Some commenters expressed concern that the accountability provisions of QC 1000 could have potentially harmful unintended consequences. For example, one commenter asserted that good faith actions with regard to supervisory responsibilities could become subject to PCAOB enforcement. Some commenters suggested that the roles and responsibilities requirements could reduce audit quality or increase costs by creating a disincentive for the most qualified individuals to take on the specified roles. One commenter noted that individual certification poses a potential threat of additional liability and could affect the recruitment of talented individuals needed to fill critical roles within firms. Another commenter noted that for firms with an issuer practice that makes up a small portion of the overall practice, it can be difficult to find partners to fill lead and 512 See, e.g., PCAOB Rel. No. 2022–002. e.g., QC 1000.42a.(1); AS 1201.03. The Board has also proposed to clarify the engagement partner’s existing responsibilities for supervision and review in AS 1201, AS 1215, and AS 2101 to provide more specificity about the engagement partner’s responsibility to exercise due professional care related to supervisory and review activities required to be performed under existing auditor requirements. See PCAOB Rel. No. 2023–001 at 15. 513 See, VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 engagement quality reviewer roles on engagements when those roles are subject to a higher risk of individual enforcement actions. The Board acknowledges that, in addition to positive consequences, accountability can have negative consequences, such as disincentives from taking on QC roles with greater accountability. One commenter suggested that the incorporation of rewards into the firms’ accountability model could mitigate this potential unintended consequence. QC 1000 contemplates that the firm’s compensation plans and performance evaluations will appropriately incentivize firm personnel to fulfill their assigned responsibilities 514 and that firm leadership will be held accountable for quality, including through their performance evaluations and compensation.515 Depending on the firm’s specific quality risks, including the risk that qualified individuals may be unwilling to take on QC roles, firms can incorporate both positive incentives (‘‘carrots’’) and negative incentives (‘‘sticks’’) in the design of their incentive plans. e. Scalability One commenter expressed concern based on academic research that limiting the applicability of certain requirements to firms of a certain size could give rise to audit quality differences between larger and smaller firms. In general, the incremental requirements for larger PCAOB audit practices are less suitable to smaller PCAOB audit practices’ QC systems. For example, a smaller firm may not need an automated system to track investments if it has a stable number of issuer clients and a small group of persons subject to independence requirements. But if a smaller firm does not achieve its quality objectives or the reasonable assurance objective, it will have to take remedial action, which could include implementing some or all of the incremental QC system features that are expressly required for larger PCAOB audit practices. f. Design Requirements Under Scaled Applicability Some commenters expressed concern that scaled-applicability firms could design QC systems inappropriate for the future circumstances that would arise should the firm eventually become a full-applicability firm. One commenter cited research that suggests audit firm personnel designing a QC system to 514 See 515 See PO 00000 QC 1000.44g. QC 1000.25b. Frm 00136 Fmt 4701 Sfmt 4703 address hypothetical future circumstances will need to overcome numerous cognitive biases.516 The Board believes this potential unintended consequence is mitigated by QC 1000’s proactive approach. For example, the firm will be required to establish policies and procedures to monitor, identify, and assess changes to conditions, events, and activities that indicate modifications to the firm’s quality objectives, quality risks, or quality responses may be needed. When such changes are identified, the firm will be required to determine what, if any, modifications are needed to make them on a timely basis. In effect, a scaled-applicability firm’s QC system design should be appropriate for its circumstances in the event it becomes a full-applicability firm. g. Other Potential Unintended Consequences Because firms’ QC systems will likely operate over all of their engagements, including those that are not subject to PCAOB standards, the engagement-level costs discussed above could apply to those engagements as well. Moreover, one commenter asserted that firms with a significant private company client base will be challenged by different documentation retention policies based on client base since many aspects of QC relate to the firm as a whole. Correspondingly, the requirements could improve compliance on those engagements because they would be governed by more effective QC policies and procedures. Indeed, one commenter said that requiring all firms to design a QC system that complies with QC 1000 516 See, e.g., Paul J.H. Schoemaker, Forecasting and Scenario Planning: The Challenges of Uncertainty and Complexity, in Blackwell Handbook of Judgment & Decision Making, eds. D.J. Koehler and N. Harvey, 274 (2004); Edward J. Joyce and Gary C. Biddle, Anchoring and Adjustment in Probabilistic Inference in Auditing, 19 Journal of Accounting Research 120 (1981); Noel Harding and Ken T. Trotman, Improving Assessments of Another Auditor’s Competence, 28 Auditing: A Journal of Practice & Theory 53 (2009); Byron J. Pike, Mary B. Curtis, and Lawrence Chui, How Does an Initial Expectation Bias Influence Auditors’ Application and Performance of Analytical Procedures?, 88 The Accounting Review 1413 (2013); Amos Tversky and Daniel Kahneman, Judgment under Uncertainty: Heuristics and Biases, 185 Science 1124 (1974); Steven M. Glover, James Jiambalvo, and Jane Kennedy, Analytical Procedures and AuditPlanning Decisions, 19 Auditing: A Journal of Practice & Theory 27 (2000); Vicky B. Hoffman and Mark F. Zimbelman, Do Strategic Reasoning and Brainstorming Help Auditors Change their Standard Audit Procedures in Response to Fraud Risk?, 84 The Accounting Review 811 (2009); Tim D. Bauer, Sean M. Hillison, Mark E. Peecher, and Bradley Pomeroy, Revising Audit Plans to Address Fraud Risk: A Case of ‘‘Do as I Advise, Not as I Do’’?, 37 Contemporary Accounting Research 2558 (2020). E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices could have a beneficial impact on private company audits. Research on other quality management and enterprise risk management systems suggests other potential unintended consequences. For example, research on ISO 9000 adoption indicates that it may reduce staff morale, stifle innovation, and require excessive levels of documentation.517 The principles-based features and scalable nature of QC 1000 described above, as well as the 100-issuer threshold for some provisions, help mitigate these concerns by providing firms the ability to design, implement, and operate policies and procedures to support achievement of the reasonable assurance objective based on their facts and circumstances. Alternatives Considered During the development of the requirements, the Board considered a number of alternative approaches to address the need described above. This section explains: (1) why standard setting is preferable to other policymaking approaches, such as providing interpretive guidance or enhancing inspection or enforcement efforts; (2) why the chosen standard-setting approach is preferable to other standardsetting approaches; and (3) key policy choices made in determining the details of the standard-setting approach. khammond on DSKJM1Z7X2PROD with NOTICES2 1. Why Standard Setting Is Preferable to Another Approach As potential alternatives to standard setting, the Board considered whether interpretive guidance or greater focus on inspections or enforcement could better address the need described above. Interpretive guidance assists firms in the implementation of existing PCAOB standards and rules and can advance audit quality by establishing a common understanding of a firm’s obligations under PCAOB standards and rules. For example, interpretive guidance may address, among other things, specific, common audit deficiencies identified during PCAOB inspections and the applicable requirements under PCAOB standards and rules. By contrast, as discussed above, some firms’ QC systems appear to not be providing reasonable assurance of compliance generally. Moreover, current PCAOB QC standards were developed decades ago 517 See, e.g., John Seddon, Ten Arguments Against ISO 9000, 7 Managing Service Quality: An International Journal 162 (1997); Bozena Poksinska, Jörgen AE Eklund, and Jens Jörn Dahlgaard, ISO 9001:2000 in Small Organisations Lost Opportunities, Benefits and Influencing Factors, 23 International Journal of Quality & Reliability Management 490 (2006). VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 in a very different audit environment and have not been updated to reflect the risk-based, proactive approach to QC that the Board believes would be most effective. Therefore, the Board believes revisions to the current PCAOB QC standards are needed to require firms to make the necessary enhancements to their QC systems to help drive compliance with professional standards. While the PCAOB will continue to address firms’ compliance with PCAOB standards and rules through inspection and enforcement activities, QC standard setting provides certain unique benefits. Firms’ QC systems operate over all aspects of all issuer audits and brokerdealer engagements, whereas PCAOB inspections assess compliance with only certain aspects of the issuer audits and broker-dealer engagements selected for review. In addition, inspection and enforcement efforts take place after the engagement has occurred and after investors and other financial statement users have potentially suffered harm. Therefore, greater focus on inspecting and enforcing compliance with PCAOB standards and rules may not be as effective as updating the QC standards and amending other related standards. 2. Why the Chosen Standard-Setting Approach Is Preferable to Other Standard-Setting Approaches QC 1000 shares the same basic structure as ISQM 1 and SQMS 1. The Board also considered basing QC 1000 on a different quality management framework, such as COSO or ISO 9001, or developing its own risk-based approach. The essential features of these other quality management frameworks are broadly similar to ISQM 1 and SQMS 1. For example, they typically are risk-based and focus on monitoring and remediating deficiencies. However, ISQM 1 and SQMS 1 have the further advantage of being specifically tailored to audit firms. Furthermore, an original risk-based approach would likely include the same essential features as ISQM 1 and SQMS 1. Overall, the Board believes that the benefits of basing QC 1000 on a different quality management framework or an original PCAOB riskbased approach (e.g., improved compliance with applicable professional and legal requirements) would be similar to the benefits of using a structure similar to ISQM 1 and SQMS 1. Basing QC 1000 on a different quality management framework or an original PCAOB risk-based approach would likely be more costly. As highlighted above, the Board expects that many firms are familiar with ISQM 1 or SQMS 1 and have made, or will make, PO 00000 Frm 00137 Fmt 4701 Sfmt 4703 49723 investments in their QC systems to comply with those requirements. Firms may be less familiar with other quality management frameworks than they are with ISQM 1 and SQMS 1. Basing QC 1000 on a different quality management framework or an original PCAOB riskbased approach therefore would likely require additional effort by firms to understand and apply the standard. Some firms may be required to employ or engage persons with the necessary expertise in the particular quality framework to facilitate appropriate implementation. While the largest firms may employ consultants with this expertise, smaller firms may not, and acquiring or engaging the necessary consultants could be costly. In addition, basing QC 1000 on a different quality management framework or an original PCAOB risk-based approach may introduce an element of regulatory complexity, which could both increase cost and detract from audit quality for firms that would be required to comply with ISQM 1 or SQMS 1.518 3. Key Policy Choices This section discusses several potential provisions that the Board decided against including in QC 1000. These provisions relate to: (1) applicability; (2) the threshold for incremental requirements; (3) firm governance structure; (4) selfassessment monitoring; (5) in-process monitoring activities; (6) the evaluation and reporting dates; (7) reporting the annual QC system evaluation; (8) certification of the annual evaluation; (9) public reporting; and (10) audit committee communications. a. Applicability The discussion above explains the distinction between scaled applicability and full applicability. The Board considered requiring all firms to design, implement, and operate a QC system that meets the requirements only upon being required to comply with applicable professional and legal requirements with respect to a firm 518 One commenter suggested that the Board look at any lessons learned or studies published by the IAASB or the AICPA related to their quality management standards to help inform any refinements that might be needed or additional implementation guidance that might be useful for adoption of QC 1000. As discussed above, the Board took into consideration actions by other standard setters and requirements of their quality management standards in the development of QC 1000. PCAOB staff searched for studies but did not find any available. The recent effective date of ISQM 1 on Dec. 15, 2022, and the forthcoming effective date of SQMS 1 on Dec. 15, 2025, may explain a dearth of lessons learned or postimplementation studies published by IAASB or the AICPA to date. E:\FR\FM\11JNN2.SGM 11JNN2 49724 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices engagement. This approach would reduce the costs of the requirements to firms not performing engagements by allowing them to defer the costs of designing their QC system. However, scaled-applicability firms may reduce their costs under the approach by withdrawing from PCAOB registration. Furthermore, any reduced costs would not address the risk that firms could be unprepared to accept and perform engagements in compliance with applicable professional and legal requirements. The discussion above also addresses commenters’ views on alternative approaches to this key policy choice. For example, several commenters suggested allowing scaled applicability firms to design a QC system that complies with ISQM 1. One commenter suggested limiting the design requirements to acceptance and continuance policies. One commenter suggested limiting the design requirement to firms that satisfy an issuer client market capitalization criterion. While these alternative approaches could reduce some of the costs to scaled-applicability firms associated with designing their QC systems, they could also reduce the benefit of firms having a PCAOBcompliant QC system ready for implementation and operation. Furthermore, as discussed above, firms could avoid the costs of designing a QC system that complies with QC 1000 by deregistering. khammond on DSKJM1Z7X2PROD with NOTICES2 b. Threshold for Incremental Requirements The incremental requirements that will apply only to firms that issued audit reports for more than 100 issuers in the prior calendar year (e.g., requirements related to firm governance structure) are discussed above. Several commenters suggested alternative thresholds. For example, some commenters suggested the threshold should consider the market capitalizations of issuer clients. One commenter suggested that the threshold should consider the types of financial statements being audited.519 These alternative approaches could help ensure QC 1000 is appropriately scalable to the facts and circumstances of all firms. However, the Board believes there could be practical challenges with implementing a more complex threshold. For example, market capitalization can be volatile and would 519 The commenter noted that a large percentage of their issuer audit counts consist of Form 11–K audits, which have limited impact on the capital markets. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 require PCAOB and firm resources to track. Some firms may cross an issuer market capitalization threshold multiple times within a short period of time. Issuer count, by contrast, aligns with Rule 4003, Frequency of Inspections, is easier to track, and may not be as volatile as market capitalization. Finally, while market capitalization may be a useful proxy for investor exposure to the issuers audited by the firm, it would be a less useful proxy for the complexity of a firm’s QC system. c. Firm Governance Structure Specified quality responses related to governance and leadership are discussed above. The Board considered extending to all firms the requirement to incorporate into their governance structure an external oversight function for the QC system composed of one or more persons who are not principals or employees of the firm and do not otherwise have a commercial, familial, or other relationship with the firm that would interfere with the exercise of independent judgment regarding matters related to the QC system. However, in light of the direct cost of such an oversight function, which could disproportionately impact smaller PCAOB audit practices, and reflecting the Board’s view that the public interest in such independent oversight is strongest in relation to the largest firms, the requirement applies only to firms that issued audit reports with respect to more than 100 issuers during the prior calendar year. Some commenters suggested that more than one independent member of the oversight function should be required. In support of this view, one commenter noted that the independent member(s) would be in the minority and cited academic research regarding audit committees that suggests oversight functions are more effective with a greater proportion of independent members.520 Another commenter referred to a report that cites survey research that suggests female directors improve corporate governance and that the positive influence is most significant when there are three or more female 520 See, e.g., F. Todd DeZoort, Dana R. Hermanson, Deborah S. Archambeault, and Scott A. Reed, Audit Committee Effectiveness: A Synthesis of the Empirical Audit Committee Literature, 21 Journal of Accounting Literature 38 (2002); Jean Bédard and Yves Gendron, Strengthening the Financial Reporting System: Can Audit Committees Deliver?, 14 International Journal of Auditing 174 (2010); Joseph V. Carcello, Dana R. Hermanson, and Zhongxia (Shelly) Ye, Corporate Governance Research in Accounting and Auditing: Insights, Practice Implications, and Future Research Directions, 30 Auditing: A Journal of Practice & Theory 1 (2011). PO 00000 Frm 00138 Fmt 4701 Sfmt 4703 directors.521 The same commenter suggested that the oversight function should have public reporting responsibilities. Some commenters suggested that the independent oversight member should have more control. The Board acknowledges the commenters’ views on the potential additional benefits of additional independent oversight requirements. However, the Board is also sensitive to the costs of any additional requirements, which several commenters suggested may be costly or difficult to fulfill.522 d. Self-Assessment Monitoring The Board considered permitting individuals to perform monitoring procedures over the same areas for which they are responsible. It decided against this approach because the Board feels it would be inconsistent with the quality objective that individuals who are assigned to perform activities within the QC system have the objectivity to monitor work in accordance with applicable professional and legal requirements and the firm’s policies and procedures.523 As emphasized above, this quality objective is important for creating accountability within the firm to achieve the reasonable assurance objective. Information gathered through PCAOB inspection activities indicates that roughly 3% of firms inspected between 2018 and 2020 performed selfassessments. This suggests that relatively few firms would be impacted by this policy choice. The Board considered allowing self-assessment monitoring under certain conditions to reduce costs for impacted firms but ultimately decided against it out of concern that individuals may not be able to objectively assess their own work. In these circumstances, the firm may use other participants or thirdparty providers to perform monitoring activities. e. In-Process Monitoring Activities In-process monitoring activities are discussed above. The Board considered extending the requirement to monitor in-process engagements to all firms but decided to limit the requirement to firms that issue audit reports with respect to more than 100 issuers. The Board believes that differentiating a 521 See The Conference Board, Maximizing the Benefits of Board Diversity: Lessons Learned from Activist Investing at 13 (June 2020); Alison M. Konrad, Vicki W. Kramer, and Sumru Erkut, Critical Mass: The Impact of Three or More Women on Corporate Boards, 37 Organizational Dynamics 145 (2008). 522 See previous discussion on economic impacts above. 523 See QC 1000.44e. E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices khammond on DSKJM1Z7X2PROD with NOTICES2 firm’s obligation based on the number of issuer clients may be appropriate because, in the Board’s view, firms with larger, more complex audit practices are generally subject to quality risks for which in-process monitoring is an appropriate quality response. The Board also understands through PCAOB oversight activities that the majority of smaller PCAOB audit practices do not perform in-process monitoring activities and may lack the resources to do so. Therefore, to balance these concerns, QC 1000 includes a ‘‘should consider’’ requirement to provide sufficient scalability for firms that issue audit reports with respect to 100 or fewer issuers. f. Evaluation and Reporting Dates Several commenters suggested that QC 1000 should allow firms to choose their own evaluation date. This alternative could reduce the cost of QC 1000 by allowing firms to perform the evaluation when most convenient. For example, some firms could set their QC 1000 evaluation date near their ISQM 1 evaluation date and use parts of their ISQM 1 evaluation for their QC 1000 evaluation. However, the information reported to the PCAOB on Form QC would be less current and therefore less informative to the PCAOB when it selects firms and engagements for inspection, inspection focus areas, and inspection procedures. Tracking firms’ compliance with the evaluation requirements could also be more challenging. In addition, the inherent differences between the QC 1000 and ISQM 1 evaluations will require incremental effort from firms to comply with QC 1000. The Board initially proposed a November 30 evaluation date followed by 46 days from the evaluation date to both report and document the QC system evaluation. This timeline would provide the PCAOB with timely information to inform PCAOB oversight activities. Some commenters expressed concern that a November 30 evaluation date could present costs and other challenges because some firms have already chosen an alternative evaluation date under ISQM 1 or because the timeframe for the evaluation could conflict with some firms’ inspection cycles or business cycles and can encompass holidays and religious observances. The Board was persuaded that a November 30 evaluation date could have led to unnecessary incremental resource demands during the busy and holiday seasons. Accordingly, the Board instead required firms to adopt a September 30 evaluation date as discussed above. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 Some commenters expressed concern that 46 days would be insufficient to report on and document their evaluation. The Board was persuaded that 46 days to report on and document the QC system evaluation could have created unnecessary costs to firms. Therefore, under the final standard, a firm will have 61 days to evaluate their QC system and an additional 14 days after the evaluation to assemble their documentation. g. Reporting the Annual QC System Evaluation Firm reporting on the QC system evaluation is discussed above. One commenter asserted that an explicit reporting requirement is unnecessary because the PCAOB inspection process provides the Board and staff with any relevant contemporaneous quality control information for both annual and triennially inspected firms. The Board considered obtaining the annual QC system evaluation as part of the PCAOB inspection process rather than an explicit reporting requirement. Under this alternative approach, the evaluation would be less timely, structured, and consistent and likely would not inform the PCAOB’s inspection approach as effectively, especially for triennial firms. It could also diminish the beneficial incentive effect of mandatory reporting to the PCAOB. This alternative approach could eliminate or reduce the costs to firms associated with preparing a summary report of the firm’s QC system evaluation. In addition, if, under this alternative approach, the privilege protections of section 105(b)(5) were determined to apply to some or all of the information generated by the firm pursuant to QC 1000, that could diminish the discoverability of such information in litigation, thereby decreasing third-party litigation risk. However, this alternative approach would not address the lost information value, particularly for the triennial firms. The Board also considered requiring firms to report to the Board on Form QC only when the firm identifies a major QC deficiency. This approach would reduce some of the variable costs associated with preparing and transmitting Form QC to the PCAOB. However, this approach would also reduce the value of Form QC to the PCAOB. For example, reporting on unremediated QC deficiencies would inform various aspects of PCAOB oversight activities, including focusing inspection resources on higher risk firms, engagements, and focus areas; designing the nature and extent of inspection procedures, both for QC PO 00000 Frm 00139 Fmt 4701 Sfmt 4703 49725 processes and individual engagements; and making more refined data requests from the firms. This alternative approach could also diminish the beneficial incentive effect of mandatory reporting to the PCAOB. Several commenters suggested that the PCAOB clarify that Form QC is submitted under the PCAOB’s inspections authority, as a way of bestowing the confidentiality protections of section 105(b)(5) upon the information provided therein. This would, according to commenters, alleviate uncertainty about the extent to which information submitted thereon may be subject to discovery or other disclosures, diminish a risk of unwarranted legal exposure, and help place the information in the context of the ongoing inspections dialogue. The Board acknowledges the commenters’ concerns about these issues. However, as discussed above, QC 1000 is not an inspections rule; it is a QC standard that places obligations on all registered firms regardless of their inspection status (annual, triennial, or exempt), and as such the Board is not able to say that Form QC information is necessarily submitted ‘‘in connection with an inspection’’ as would be necessary to trigger the confidentiality protections of section 105(b)(5) of Sarbanes-Oxley. h. Certification of the Annual Evaluation Some commenters requested that the Board specify a heightened legal standard (e.g., recklessness) at which liability could be imposed on individuals for making a certification that is later determined to be false, or create safe harbors for inevitable system errors or the wrongful acts of others. As discussed above, the standard for liability turns on the particular language of each statement in the certification: some statements are subject to a negligence standard, while others (namely those with knowledge qualifiers) give rise to liability only if the certifier knew that the statement was false or recklessly did not know it was false. The Board acknowledges that alternative approaches urged by commenters could have saved some costs. Specifically, limiting liability to recklessness in all circumstances would provide individuals with comfort that their decisions would not be secondguessed in litigation. This result may make the performance of those services more efficient by removing an incentive to perform tasks that are not directly related to quality. For example, individuals may be less incentivized to engage in self-protective behaviors if a heightened legal standard (e.g., E:\FR\FM\11JNN2.SGM 11JNN2 49726 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices recklessness) is imposed. In addition, more staff may be willing to take these roles (or to take them at a lower price) if liability or workload would have been more limited by a heightened legal standard.524 However, that approach would have attenuated the benefits sought to be achieved by the certification requirement by removing the Board’s ability to hold individuals accountable for conduct that fails to meet a reasonable person standard of care. i. Public Reporting khammond on DSKJM1Z7X2PROD with NOTICES2 The discussion above summarizes commenters’ views on public reporting about firms’ QC systems and legal constraints on public disclosure that are imposed by Sarbanes-Oxley. Some commenters suggested that the nonconfidential portions of Form QC could be made publicly available. Such public reporting could in principle provide investors with additional information on audit quality and thereby help address the problem discussed above. However, the Board believes that significant portions of Form QC may be confidential. As a result, the nonconfidential portions of Form QC could have been misleading and difficult to compare across firms. Public reporting of non-confidential portions of Form QC could also lead firms to be less candid in their Form QC reporting and thereby diminish its value to the PCAOB. Some commenters also expressed concern that any public reporting could be contrary to Sarbanes-Oxley. After considering the benefits and costs of alternative approaches, including those identified by commenters, the Board believes that firm reporting on Form QC should be nonpublic. Several commenters suggested that QC 1000 should require firms to 524 See Economic benefits—improved compliance with applicable professional and legal requirements—above for a discussion of commenters’ concerns regarding increased liability or workload associated with the roles as potential disincentives that may keep qualified individuals from accepting the roles. 525 See PCAOB Rel. No. 2024–002 and PCAOB Rel. No. 2024–003. 526 See, e.g., Melissa Carlisle, Wei Yu, and Bryan K. Church, The Effect of Small Audit Firms’ Failure to Remediate the PCAOB’s Quality Control Criticisms on Audit Market Segmentation, 41 Journal of Accounting and Public Policy 1 (2022). 527 See Public Law 112–106 (Apr. 5, 2012). Section 103(a)(3)(C) of Sarbanes-Oxley, 15 U.S.C. 7213(a)(3)(C), as added by section 104 of the JOBS Act, also provides that any rules of the Board requiring (1) mandatory audit firm rotation or (2) a VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 publicly disclose information related to audit quality. As discussed above, the Board has proposed separate rules related to firm and engagement metrics as well as firm reporting.525 Special Considerations for Emerging Growth Companies Pursuant to section 104 of the Jumpstart Our Business Startups (‘‘JOBS’’) Act, rules adopted by the Board subsequent to April 5, 2012, generally do not apply to the audits of emerging growth companies (‘‘EGCs’’), as defined in section 3(a)(80) of the Exchange Act, unless the SEC ‘‘determines that the application of such additional requirements is necessary or appropriate in the public interest, after considering the protection of investors and whether the action will promote efficiency, competition, and capital formation.’’ 527 As a result of the JOBS Act, the rules and related amendments to PCAOB standards that the Board adopts are generally subject to a separate determination by the SEC regarding their applicability to audits of EGCs. To inform consideration of the application of PCAOB standards to audits of EGCs,528 PCAOB staff prepares a white paper annually that provides general information about characteristics of EGCs.529 As of the November 15, 2022, measurement date, there were 3,031 companies 530 that selfidentified as EGCs and filed audited financial statements with the SEC between May 16, 2021, and November 15, 2022, that included an audit report signed by a firm. Of the 263 registered firms that audited EGCs, 227 firms (or 86%) performed audits for both EGC and non-EGC issuers.531 Approximately 98% of EGCs were audited by these 227 firms.532 PCAOB staff also gathered information on Part I.A deficiencies for the audits of EGCs between 2013 and 2022. Figure 6 presents the percentage of inspected EGC and non-EGC issuer audits having at least one Part I.A deficiency. The data suggest that Part I.A deficiencies are even more common among audits of EGCs, raising questions about whether QC systems of firms that audit EGCs are effective in preventing audit deficiencies for these types of audit engagements. supplement to the auditor’s report in which the auditor would be required to provide additional information about the audit and the financial statements of the issuer (auditor discussion and analysis) shall not apply to an audit of an EGC. None of the rules and amendments would fall within either of these two categories. 528 This analysis of the impact on EGCs is provided to assist the SEC in making the determination required under section 104 to the extent that the requirements apply to ‘‘the audit of any emerging growth company’’ within the meaning of section 104 of the JOBS Act. 529 See PCAOB, Characteristics of Emerging Growth Companies and Their Audit Firms at November 15, 2022 (Feb. 20, 2024) (‘‘EGC White Paper’’), available at https://assets.pcaobus.org/ pcaob-dev/docs/default-source/ economicandriskanalysis/projectsother/documents/ white-paper-on-characteristics-of-emerging-growth- companies-as-of-nov-15–2022.pdf?sfvrsn=a8294f3_ 2. 530 The EGC White Paper uses a lagging 18-month window to identify companies as EGCs. Please refer to the ‘‘Current Methodology’’ section in the EGC White Paper for details. Using an 18-month window enables PCAOB staff to analyze the characteristics of a fuller population in the EGC White Paper but may tend to result in a larger number of EGCs being included for purposes of the present EGC analysis than would alternative methodologies. For example, an estimate using a lagging 12-month window would exclude some EGCs that are delinquent in making periodic filings. An estimate as of the measurement date would exclude EGCs that have terminated their registration or that have exceeded the eligibility or time limits. 531 See EGC White Paper, at 17. 532 See id. j. Audit Committee Communications Commenters’ views on potential required reporting to audit committees are discussed above. The Board initially proposed to require the firm to discuss with the audit committee the conclusion of the firm’s most recent annual evaluation of its QC system and a brief overview of remedial actions taken and to be taken. This information could give audit committees greater insight into the quality of their auditor. Several commenters were supportive of the proposed requirement. However, several other commenters asserted that the information could be largely difficult to understand, irrelevant to an individual audit committee, and potentially inconsistent with Sarbanes-Oxley. Furthermore, one commenter noted research and expressed concern that disclosure regarding the annual QC system evaluation to the audit committee only could enable audit committees to shop for lower-quality auditors.526 Similarly, another commenter expressed concern with an approach that would provide mandatory disclosure to audit committees but not to investors and the public. As discussed above, the Board determined not to adopt the proposed amendments to AS 1301 after consideration of the comments received. PO 00000 Frm 00140 Fmt 4701 Sfmt 4703 E:\FR\FM\11JNN2.SGM 11JNN2 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices 49727 Figure 6. Percentage of Inspected EGC and Non-EGC Issuer Audits Having at Least One Part I.A Deficiency (2013-2022) 60% -EGC 30% -Non-EGC 10% 0% --,~"~--•-~~~, - • " • ~ • ~ - . , , . , •• ~~•>.,,- ~ In general, any new PCAOB standards and amendments to existing standards determined not to apply to the audits of EGCs would require auditors to address differing requirements within their methodologies or policies and procedures with respect to audits of EGCs and non-EGCs, which would create the potential for confusion. This may not be practical in the context of the QC standards; while some components of the QC system (such as engagement monitoring) may enable different approaches for audits of EGCs compared to audits of other companies, other elements (for example, resources and governance and leadership) are necessarily firm-wide and cannot easily be differentiated for different types of audits. Even where differentiation is possible, maintaining separate QC system components for EGC and nonEGC audits and separate methodologies with respect to, for example, auditor obligations with respect to deficiencies in completed engagements and foundational ethics requirements, may add cost or lead to confusion, and could run counter to the objective of integrating QC practices into a single virtuous cycle of risk assessment, monitoring, and remediation. These methodology and QC system differentiation costs would affect at least the 227 registered firms that audit both EGCs and non-EGCs and that, collectively, audit approximately 98% of EGCs. The discussion of economic impacts of the requirements is generally VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 applicable to the audits of EGCs. In particular, the benefits to financial reporting quality articulated above may be especially pertinent for EGCs, including improved efficiency of capital allocation, lower cost of capital, and enhanced capital formation. EGCs tend to be smaller 533 and have a shorter SEC financial reporting history than the broader population of public companies. Academic research suggests that, for several reasons, smaller public companies tend to exhibit greater information asymmetry between management and investors.534 Accordingly, EGCs are likely to exhibit greater information asymmetry between management and investors and hence the importance of the external audit to investors in enhancing the credibility of EGC financial reporting may be more pronounced. The requirements could impact competition in an EGC product market if the indirect costs to audited companies of the requirements disproportionately impact the EGCs relative to their competitors. EGCs may be forced to raise prices, thereby 533 See EGC White Paper, at Figure 9 and Figure 12 (indicating that exchange-listed EGCs have lower market capitalization and revenue than exchangelisted non-EGCs). 534 For example, smaller public companies tend to have less analyst coverage and a greater share of insider holdings. See, e.g., Raymond Chiang and P. C. Venkatesh, Insider Holdings and Perceptions of Information Asymmetry: A Note, 43 Journal of Finance 1041 (1988); Ravi Bhushan, Firm Characteristics and Analyst Following, 11 Journal of Accounting and Economics 255 (1989). PO 00000 Frm 00141 Fmt 4701 Sfmt 4703 diverting market share toward their competitors. This could increase competition in markets where EGCs have a dominant market share and decrease competition in markets where EGCs have a less than dominant market share. The potential impact to competition in EGC product markets would be reduced to the extent EGC auditors will already be required to comply with ISQM 1 or SQMS 1 or otherwise would choose not to pass on incremental costs arising from the requirements in the form of higher audit fees. The proposal sought comment on the applicability of the proposed requirements to audits of EGCs. Some commenters agreed that the proposed requirements should apply to the audits of EGCs. Accordingly, and for the reasons explained above, the Board requests that the Commission determine that it is necessary or appropriate in the public interest, after considering the protection of investors and whether the action will promote efficiency, competition, and capital formation, to apply QC 1000 and the related amendments to Board standards, rules, and forms to audits of EGCs. III. Date of Effectiveness of the Proposed Rules and Timing for Commission Action Within 45 days of the date of publication of this notice in the Federal Register or within such longer period (i) as the Commission may designate up to E:\FR\FM\11JNN2.SGM 11JNN2 EN11JN24.018</GPH> khammond on DSKJM1Z7X2PROD with NOTICES2 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 49728 Federal Register / Vol. 89, No. 113 / Tuesday, June 11, 2024 / Notices 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding; or (ii) as to which the Board consents, the Commission will: (A) By order approve or disapprove such proposed rules; or (B) Institute proceedings to determine whether the proposed rules should be disapproved. IV. Solicitation of Comments Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rules are consistent with the requirements of Title I of the Act. Comments may be submitted by any of the following methods: khammond on DSKJM1Z7X2PROD with NOTICES2 Electronic Comments • Use the Commission’s internet comment form (https://www.sec.gov/ rules/pcaob); or • Send an email to rule-comments@ sec.gov. Please include PCAOB–2024– 02 on the subject line. VerDate Sep<11>2014 17:58 Jun 10, 2024 Jkt 262001 Paper Comments • Send paper comments in triplicate to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090. All submissions should refer to PCAOB–2024–02. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission’s internet website (https://www.sec.gov/ rules/pcaob). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rules that are filed with the Commission, and all written communications relating to the proposed rules between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the PO 00000 Frm 00142 Fmt 4701 Sfmt 9990 Commission’s Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of such filing will also be available for inspection and copying at the principal office of the PCAOB. Do not include personal identifiable information in submissions; you should submit only information that you wish to make available publicly. We may redact in part or withhold entirely from publication submitted material that is obscene or subject to copyright protection. All submissions should refer to PCAOB–2024–02 and should be submitted on or before July 2, 2024. For the Commission, by the Office of the Chief Accountant.535 Vanessa A. Countryman, Secretary. [FR Doc. 2024–12692 Filed 6–10–24; 8:45 am] BILLING CODE 8011–01–P 535 17 E:\FR\FM\11JNN2.SGM CFR 200.30–11(b)(1) and (3). 11JNN2

Agencies

SECURITIES AND EXCHANGE COMMISSION

[Federal Register Volume 89, Number 113 (Tuesday, June 11, 2024)]
[Notices]
[Pages 49588-49728]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-12692]

[[Page 49587]]

Vol. 89

Tuesday,

No. 113

June 11, 2024

Part III

Securities and Exchange Commission

-----------------------------------------------------------------------

Public Company Accounting Oversight Board; Notice of Filing of Proposed
Rules on a Firm's System of Quality Control and Related Amendments to
PCAOB Standards; Notice

Federal Register / Vol. 89 , No. 113 / Tuesday, June 11, 2024 /
Notices

[[Page 49588]]

-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-100277; File No. PCAOB-2024-02]

Public Company Accounting Oversight Board; Notice of Filing of
Proposed Rules on a Firm's System of Quality Control and Related
Amendments to PCAOB Standards

June 5, 2024.
Pursuant to section 107(b) of the Sarbanes-Oxley Act of 2002 (the
``Act''), notice is hereby given that on May 24, 2024, the Public
Company Accounting Oversight Board (the ``Board'' or the ``PCAOB'')
filed with the Securities and Exchange Commission (the ``Commission'')
the proposed rules described in items I and II below, which items have
been prepared by the Board. The Commission is publishing this notice to
solicit comments on the proposed rules from interested persons.

I. Board's Statement of the Terms of Substance of the Proposed Rules

On May 13, 2024, the Board adopted A Firm's System of Quality
Control and Other Amendments to PCAOB Standards, Rules, and Forms
(collectively, the ``proposed rules''). The text of the proposed rules
appears in Exhibit A to the SEC Filing Form 19b-4 and is available on
the Board's website at Docket 046 [verbar] PCAOB (pcaobus.org) and at
the Commission's Public Reference Room.

II. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules

In its filing with the Commission, the Board included statements
concerning the purpose of, and basis for, the proposed rules and
discussed any comments it received on the proposed rules. The text of
these statements may be examined at the places specified in Item IV
below. The Board has prepared summaries, set forth in sections A, B,
and C below, of the most significant aspects of such statements. In
addition, the Board is requesting that the Commission approve the
proposed rules, pursuant to section 103(a)(3)(C) of the Sarbanes-Oxley
Act, for application to audits of emerging growth companies (``EGCs''),
as that term is defined in section 3(a)(80) of the Securities Exchange
Act of 1934 (``Exchange Act''). The Board's request is set forth in
section D.

A. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules

(a) Purpose
The Board adopted a new PCAOB quality control (``QC'') standard
that it believes will lead registered public accounting firms
(``firms'') to significantly improve their QC systems. An effective QC
system protects investors by facilitating the consistent preparation
and issuance of informative, accurate, independent, and compliant
engagement reports. Properly conducted audits and other engagements
enhance the confidence of investors and other market participants in
the information firms report on.
The Board adopted an integrated, risk-based standard, QC 1000, A
Firm's System of Quality Control, that mandates quality objectives and
key processes for all firms' QC systems, with a focus on accountability
and continuous improvement. The Board has designed QC 1000 to be
applied by firms of varying size and complexity. If approved by the
U.S. Securities and Exchange Commission (the ``SEC''), the Board
believes this new standard will lead firms to better serve investors by
more consistently complying with the professional and legal
requirements that apply to PCAOB engagements.
In connection with the adoption of QC 1000, the Board also adopted
other changes to its standards, rules, and forms. QC 1000 and the other
changes adopted substantially reflect the Board's November 2022
proposal,\1\ but have been modified in response to commenter input.
---------------------------------------------------------------------------

\1\ See A Firm's System of Quality Control and Other Proposed
Amendments to PCAOB Standards, Rules, and Forms, PCAOB Rel. No.
2022-006 (Nov. 18, 2022) (``proposal'' or ``proposed standards''),
available on the Board's website in Docket 046.
---------------------------------------------------------------------------

In a separate release, the Board also adopted a new auditing
standard, AS 1000, General Responsibilities of the Auditor in
Conducting an Audit, that addresses the general principles and
responsibilities of the auditor.\2\ This release includes references to
AS 1000, where appropriate
---------------------------------------------------------------------------

\2\ See General Responsibilities of the Auditor in Conducting an
Audit and Amendments to PCAOB Standards, PCAOB Rel. No. 2024-004
(May 13, 2024) (``Auditor Responsibilities Release'').
---------------------------------------------------------------------------

Improving the Board's QC Standards
The Board strongly believes that an effective quality control
system facilitates continuous improvement. Over time, the PCAOB's
oversight experience suggests that firm QC systems fall short. For
example, PCAOB inspectors observed that approximately 40% of the issuer
audits they reviewed in 2022 had one or more deficiencies where the
auditor failed to obtain sufficient appropriate audit evidence to
support its opinion, an increase of six percentage points over the
deficiency rate in 2021 and 11 percentage points over the rate in
2020.\3\ In all those cases, auditors issued audit opinions without
completing the audit work that PCAOB standards require for them to
obtain reasonable assurance about whether the financial statements were
free of material misstatement and/or whether the issuers maintained, in
all material respects, effective internal control over financial
reporting.
---------------------------------------------------------------------------

\3\ See Spotlight: Staff Update and Preview of 2022 Inspection
Observations (July 2023) (``2022 Inspection Observations Preview''),
at 3, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/spotlight-staff-preview-2022-inspection-observations.pdf?sfvrsn=1b116d49_4.
---------------------------------------------------------------------------

Every step of this rulemaking--from the December 2019 concept
release,\4\ to the proposal, to adoption--has been informed by
extensive research and outreach, as well as by PCAOB inspections and
enforcement activities. The PCAOB's current QC standards were developed
decades ago and issued by the American Institute of Certified Public
Accountants (``AICPA'') before the PCAOB was established. The auditing
environment has changed significantly since that time, including
evolving and greater use of technology, and increasing auditor use of
outside resources, such as other accounting firms and providers of
support services. Firms themselves have also changed significantly, as
has the role of firm networks. And advances in internal control,
quality management, and enterprise risk management suggest that factors
such as active involvement of leadership, focus on risk, clearly
defined objectives, objective-oriented processes, monitoring, and
remediation of identified issues can contribute to more effective QC.
These developments have, in part, led to PCAOB advisory groups' general
support for strengthening the QC standards, including through risk-
based elements and enhanced requirements for firm governance and
leadership.
---------------------------------------------------------------------------

\4\ See Concept Release, Potential Approach to Revisions to
PCAOB Quality Control Standards, PCAOB Rel. No. 2019-003 (Dec. 17,
2019) (``concept release''), available on the Board's website in
Docket 046.
---------------------------------------------------------------------------

Taking into account those considerations, as well as the comments
the Board received on the concept release and proposal, the Board
believes that improving PCAOB standards will lead firms to improve
their QC systems. This should result in more consistent

[[Page 49589]]

compliance with applicable requirements, which ultimately better serves
and protects investors. The specific improvements the Board adopted
include:
Emphasizing accountability, firm culture and the ``tone at
the top,'' and firm governance through requirements for specified roles
within and responsibilities for the QC system, including at the highest
levels of the firm; quality objectives that link compensation to
quality; and, for the largest firms, the requirement of an independent
perspective in firm governance;
Striking the right balance between a risk-based approach
to QC--which should drive firms to proactively identify and manage the
specific risks associated with their practice--and a set of mandates,
including required risk assessment and other QC-related processes,
quality objectives, and quality responses--which should assure that the
QC system is designed, implemented, and operated with an appropriate
level of rigor;
Addressing changes in the audit practice environment,
including the increasing participation of other firms and other outside
resources, the role of firm networks, the evolving use of technology
and other resources, and the increasing importance of internal and
external firm communications;
Broadening responsibilities for monitoring and remediation
of deficiencies to create a more effective ongoing feedback loop that
drives continuous improvement; and
Requiring a rigorous annual evaluation of the firm's QC
system and related reporting to the PCAOB, certified by key firm
personnel, to underscore the importance of the annual evaluation of the
QC system, reinforce individual accountability, and support PCAOB
oversight.
Framework of the QC Standard
The Board carefully considered the characteristics of an
appropriate framework for a PCAOB QC standard that could accomplish its
regulatory goals. As a threshold issue, section 103 of the Sarbanes-
Oxley Act of 2002 (``Sarbanes-Oxley'') provides that PCAOB QC standards
must include requirements regarding certain specified matters, and also
grants the Board broad authority to include such other requirements as
it may prescribe in carrying out its investor protection mandate. The
Board also considered how best to capture areas it had identified for
improvement and how best to foster consistent, compliant implementation
by the firms it regulates. Because the Board believes it is the best
structure for accomplishing its goals, the Board adopted the QC 1000
framework as proposed.
The Board notes that the framework has commonalities with other
international and domestic standards for firm QC systems, though it
goes beyond those requirements in a number of areas, including with
regard to firm governance of the largest firms, more specific
requirements for monitoring and remediation and the evaluation of the
QC system, an ethics and independence component aligned with SEC and
PCAOB requirements, and more specific provisions addressing technology
and externally communicated firm-level and engagement-level information
and metrics. The Board believes that building on a well-understood
basic framework, appropriately tailored and strengthened to address its
legal and regulatory environment and its investor protection mandate,
will enable firms to implement and comply with QC 1000 more
effectively. In designing, implementing, and operating their QC
systems, firms that are subject to both PCAOB standards and other
international or domestic QC standards--which the Board believes
constitute a very substantial majority of the firms that perform
engagements under PCAOB standards--can leverage the work they have
already done and the investments they have already made to comply with
those other requirements.
QC 1000
The Board developed QC 1000 with a view to its statutory mandate to
protect the interests of investors and the public interest, and the
Board believes the new standard will facilitate the consistent
preparation and issuance of informative, accurate, and independent
engagement reports. The final standard provides a framework for a QC
system that is grounded in an ongoing process of proactively
identifying and managing risks to quality, with a feedback loop from
ongoing monitoring and remediation that should drive continuous
improvement, an explicit focus on firm governance and leadership, firm
culture, and individual accountability, and specific direction in a
number of areas that current PCAOB standards do not address directly.
QC 1000 primarily consists of:

Two process components
The firm's risk assessment process
The monitoring and remediation process
Six components that address aspects of the firm's organization and
operations
Governance and leadership
Ethics and independence
Acceptance and continuance of engagements
Engagement performance
Resources
Information and communication
Requirements for evaluation of and reporting on the QC system
Annual evaluation of the effectiveness of the QC system
Reporting to the PCAOB on the QC system evaluation

The standard also includes requirements regarding individual roles
and responsibilities in the QC system and documentation requirements.
Scalability
In the Board's view, the basic objectives of the QC system should
be the same for all firms, but the scope of the QC standard and how it
applies should take into account the wide disparities in nature and
circumstances across registered firms, in particular the extent to
which their practices include engagements required to be performed
under PCAOB standards and the complexity of such engagements. The risks
that firms face, and therefore the specific policies and procedures
necessary to appropriately serve investor interests through an
effective QC system, vary significantly from the largest firms,
operating as part of global networks, to local firms or sole
proprietorships. QC 1000 establishes a uniform basic structure to be
used by all firms, within which firms will be required to pursue an
approach to quality control that is appropriate in light of the risks
associated with their particular PCAOB audit practice. Aspects of the
new standard are risk-based, and to that extent inherently scalable. In
addition, it imposes more stringent requirements for the largest firms
in some areas, while enabling smaller firms to comply with the core
requirements in ways that take into account these firms' size and the
complexity of audits performed by them.
Scalability: Larger PCAOB Audit Practice
The Board believes that firms with a particularly extensive PCAOB
audit practice (i.e., those that issue audit reports for more than 100
issuers per year) should be subject to enhanced requirements, given
such firms' greater complexity and the relatively greater public
interest implicated by the fact that they audit companies that make up

[[Page 49590]]

a substantial majority of U.S. public market capitalization. The
incremental requirements under QC 1000 for such firms include:
An external oversight function for the QC system compose
of one or more persons who can exercise independent judgment related to
the QC system;
A program for collecting and addressing complaints and
allegations that includes confidentiality protections;
An automated system to track investments that may bear on
independence; and
Required monitoring of in-process engagements.
Scalability: Smaller PCAOB Audit Practice
Many firms perform only a small number of PCAOB engagements per
year and are subject to resource constraints that larger PCAOB audit
practices do not face. The Board has addressed the particular needs of
these firms in a number of ways, including:
Providing that a single individual may be assigned more
than one of the QC system oversight roles required under the standard;
and
Allowing firms that issue five or fewer engagement reports
for issuers or broker-dealers in a year to include audits not performed
under PCAOB auditing standards in some of their monitoring activities.
Scalability: Firms That Do Not Have Responsibilities in Relation to a
PCAOB Engagement
All registered firms will be required to design a QC system that
meets the requirements of QC 1000. Firms will be required to implement
and operate the QC system in compliance with QC 1000 when they lead an
engagement under PCAOB standards, play a substantial role in the
preparation or furnishing of an audit report (as defined in PCAOB
rules), or have current responsibilities under applicable professional
and legal requirements regarding any such engagement. This approach
reflects the Board's view that all firms that register with the PCAOB
should be appropriately prepared to perform a PCAOB engagement,
regardless of whether they are currently subject to requirements with
respect to one, while limiting the costs of compliance in circumstances
where the risk to investor protection is minimal.
Key Changes From the QC 1000 Proposal
Key changes from the proposal include:
For the firms with larger PCAOB audit practices, the
requirement to include an independent oversight function for their QC
system has been refined. Under the final rule, the external quality
control function (``EQCF'') will be composed of one or more persons who
are not principals or employees of the firm and do not otherwise have a
relationship with the firm that would interfere with the exercise of
independent judgment with regard to matters related to the QC system.
The responsibilities of the EQCF may vary across firms but include, at
a minimum, evaluating the significant judgments made and the related
conclusions reached by the firm when evaluating and reporting on the
effectiveness of its QC system.
The final rule requires firms to report on their QC system
evaluation to the PCAOB, but not to the audit committee, as proposed.
Legal constraints limit our ability to require public disclosures about
the effectiveness of firms' QC systems at the level that some investors
have requested. While the final rule recognizes the impediments to
requiring public disclosure of QC system evaluation, the Board remains
committed to finding additional ways of providing public disclosure to
better inform investors about firms and PCAOB audit engagements. To
that end, we have separately proposed a set of firm-level and
engagement-level metrics across 11 areas that would be reported
publicly.
The timing of the QC system evaluation and reporting has
changed. Under the final rule, the evaluation date for the annual
evaluation of the QC system is September 30, rather than November 30 as
proposed, with Form QC due by November 30 rather than January 15 of the
following year. This shift allows more time between the evaluation date
and the filing date than we proposed, but still allows sufficient time
to generally enable the firm's monitoring activities to identify
deficiencies in calendar year-end engagements and the results of that
monitoring to be included in the evaluation.
Other Changes to PCAOB Standards, Rules, and Forms
In connection with the adoption of QC 1000, the Board also adopted
other changes to PCAOB standards, rules, and forms. These include,
among other changes, expanding the auditor's responsibility to respond
to deficiencies on completed engagements under an amended and retitled
AS 2901, Responding to Engagement Deficiencies After Issuance of the
Auditor's Report, and related amendments to AT No. 1, Examination
Engagements Regarding Compliance Reports of Brokers and Dealers, and AT
No. 2, Review Engagements Regarding Exemption Reports of Brokers and
Dealers; and replacing the existing standard ET 102, Integrity and
Objectivity, with a new standard, EI 1000, Integrity and Objectivity,
to better align PCAOB ethics requirements with the scope, approach, and
terminology of QC 1000.
Effective Date
If approved by the SEC, the final standard and related amendments
to auditing standards, rules, and forms will take effect on December
15, 2025, with the initial evaluation of the QC system to be performed
as of September 30, 2026, and initial reporting to the PCAOB by
November 30, 2026. Firms will be permitted to elect to comply with the
requirements of QC 1000, except reporting to the PCAOB on the annual
evaluation of the QC system, before the effective date, at any point
after SEC approval of the final standard and related amendments.
(b) Statutory Basis
The statutory basis for the proposed rules is Title I of Sarbanes-
Oxley.

B. Board's Statement on Burden on Competition

Not applicable. The Board's consideration of the economic impacts
of the proposed rules is discussed in section D below.

C. Board's Statement on Comments on the Proposed Rules Received From
Members, Participants or Others

The Board issued a concept release regarding potential changes to
quality control standards for public comment in PCAOB Release No. 2019-
003 (Dec. 17, 2019). The Board received 36 written comment letters on
the concept release. The Board released the proposed rule amendment for
public comment in PCAOB Release No. 2022-006 (Nov. 18, 2022). The Board
received 43 written comment letters on its proposal. The Board has
carefully considered all comments received. The Board's response to the
comments it received and the changes made to the rules in response to
the comments received are discussed below.

Background

This section presents background information on this rulemaking,
including an overview of existing PCAOB QC requirements and current
practice, a review of other developments

[[Page 49591]]

since the current QC requirements were adopted, a summary of relevant
actions taken by other standard setters, a discussion of PCAOB research
and outreach efforts related to QC, the December 2019 concept release
and 2022 proposal, and a summary of the key areas the Board has
identified for improvement of the QC standards.

Overview of Existing Requirements and Current Practice

1. Requirements of the Sarbanes-Oxley Act of 2002
Sarbanes-Oxley requires the Board to establish certain professional
standards, including quality control standards, to be used by
registered public accounting firms in the preparation and issuance of
audit reports for issuers, brokers, and dealers.\5\ Furthermore,
Sarbanes-Oxley requires the PCAOB's QC standards to address:
---------------------------------------------------------------------------

\5\ See sections 101(c)(2) and 103(a)(1) of Sarbanes-Oxley, 15
U.S.C. 7211(c)(2), 7213(a)(1). This release uses the terms
``issuer,'' ``broker,'' and ``dealer'' as defined in Sarbanes-Oxley.
See section 2(a)(7) of Sarbanes-Oxley, 15 U.S.C. 7201(7) (defining
``issuer''); Sections 110(3) and (4) of Sarbanes-Oxley, 15 U.S.C.
7220(3), (4) (defining ``broker'' and ``dealer''); see also PCAOB
Rules 1001(b)(iii), (d)(iii), (i)(iii) (defining ``broker,''
``dealer,'' and ``issuer,'' respectively). Entities that are brokers
or dealers or both are sometimes referred to herein as ``broker-
dealers.''
---------------------------------------------------------------------------

Monitoring of professional ethics and independence from
issuers, brokers, and dealers on behalf of which the firm issues audit
reports;
Consultation within the firm on accounting and auditing
questions;
Supervision of audit work;
Hiring, professional development, and advancement of
personnel;
Acceptance and continuation of engagements;
Internal inspection; and
Such other requirements as the Board may prescribe.\6\
---------------------------------------------------------------------------

\6\ See section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C.
7213(a)(2)(B).
---------------------------------------------------------------------------

2. Current PCAOB QC Standards
Under current PCAOB standards, a QC system is a process to provide
a firm with reasonable assurance that its personnel comply with
applicable professional standards and the firm's standards of
quality.\7\ The QC system encompasses the firm's organizational
structure and the policies adopted and procedures established to
provide that reasonable assurance.\8\
---------------------------------------------------------------------------

\7\ See paragraph .03 of QC 20, System of Quality Control for a
CPA Firm's Accounting and Auditing Practice.
\8\ See QC 20.04.
---------------------------------------------------------------------------

Current PCAOB QC standards were adopted on an interim, transitional
basis in 2003 from QC standards originally developed and issued by the
AICPA.\9\ They include three general QC standards that apply to all
firms.\10\ Beyond that, they also include certain requirements of
membership in the AICPA's former SEC Practice Section (``SECPS''),
which apply only to firms that were SECPS members immediately prior to
the adoption of the PCAOB's interim QC standards. Below is an overview
of the general QC standards and the SECPS member requirements.
---------------------------------------------------------------------------

\9\ See PCAOB Rule 3400T, Interim Quality Control Standards; see
also Establishment of Interim Professional Auditing Standards, PCAOB
Rel. No. 2003-006 (Apr. 18, 2003).
\10\ Under PCAOB Rule 3400T(a), all firms are required to comply
with QC standards as described in ``the AICPA's Auditing Standards
Board's Statements on Quality Control Standards, as in existence on
April 16, 2003 (AICPA Professional Standards, QC Sec. Sec. 20-40
(AICPA 2002)), to the extent not superseded or amended by the
Board.''
---------------------------------------------------------------------------

a. General QC Standards
i. QC 20, System of Quality Control for a CPA Firm's Accounting and
Auditing Practice
QC 20 provides that a firm should have a system of quality control
that provides the firm with reasonable assurance that its personnel
comply with applicable professional standards and the firm's standards
of quality.\11\ In the context of engagement performance, the system of
quality control should also provide reasonable assurance that the work
performed meets applicable regulatory requirements.\12\
---------------------------------------------------------------------------

\11\ See QC 20.03.
\12\ See QC 20.17.
---------------------------------------------------------------------------

The firm's quality control policies and procedures should address
the following elements:
Independence, integrity, and objectivity;
Personnel management;
Acceptance and continuance of clients and engagements;
Engagement performance; and
Monitoring.\13\
---------------------------------------------------------------------------

\13\ See QC 20.07.
---------------------------------------------------------------------------

These elements of quality control are interrelated.\14\ Policies
and procedures should be established to provide the firm with
reasonable assurance with respect to each of these elements of QC. An
appropriate individual or individuals in the firm should be assigned
responsibility for the design and maintenance of the various quality
control policies and procedures.\15\ These policies and procedures
should be communicated in a manner that provides reasonable assurance
that personnel will understand and comply.\16\ Additionally,
documentation should be prepared to demonstrate compliance with the
firm's policies and procedures for the elements of quality control.\17\
---------------------------------------------------------------------------

\14\ See QC 20.08.
\15\ See QC 20.22.
\16\ See QC 20.23.
\17\ See QC 20.25.
---------------------------------------------------------------------------

ii. QC 30, Monitoring a CPA Firm's Accounting and Auditing Practice
QC 30 addresses how a firm should implement the monitoring element
of quality control discussed in QC 20. Monitoring involves an ongoing
consideration and evaluation of the following:
The relevance and adequacy of the firm's policies and
procedures;
The appropriateness of the firm's guidance materials and
any practice aids;
The effectiveness of professional development activities;
and
Compliance with the firm's policies and procedures.\18\
---------------------------------------------------------------------------

\18\ See QC 30.02.
---------------------------------------------------------------------------

Under QC 30, monitoring procedures should enable the firm to obtain
reasonable assurance that its system of quality control is
effective.\19\ A firm's monitoring procedures may include:
---------------------------------------------------------------------------

\19\ See QC 30.03.
---------------------------------------------------------------------------

Inspection procedures;
Pre-issuance or post-issuance review of selected
engagements;
Analysis and assessment of:
New professional pronouncements;
Results of independence confirmations;
Continuing professional education (``CPE'') and other
professional development activities undertaken by firm personnel;
Decisions related to acceptance and continuance of client
relationships and engagements;
Interviews of firm personnel;
Determination of any corrective actions to be taken and
improvements to be made in the quality control system;
Communication to appropriate firm personnel of any
weaknesses identified in the quality control system or in the level of
understanding or compliance therewith; and
Follow-up by appropriate firm personnel to ensure that any
necessary modifications are made to the quality control policies and
procedures on a timely basis.\20\
---------------------------------------------------------------------------

\20\ See QC 30.03.
---------------------------------------------------------------------------

The nature and extent of monitoring procedures generally depends on
the firm's size and the nature and complexity of the firm's
practice.\21\ QC 30 provides that individuals in a small firm may
perform monitoring procedures, including post-issuance review of
engagement working papers, reports, and clients' financial

[[Page 49592]]

statements, with respect to their own compliance with the firm's QC
policies and procedures, but only if such individuals are able to
critically review their own performance, assess their own strengths and
weaknesses, and maintain an attitude of continual improvement.\22\
---------------------------------------------------------------------------

\21\ See, e.g., QC 30.05, .10, .11.
\22\ See QC 30.09, .10.
---------------------------------------------------------------------------

iii. QC 40, The Personnel Management Element of a Firm's System of
Quality Control--Competencies Required by a Practitioner-in-Charge of
an Attest Engagement
QC 40 addresses the personnel management element of the quality
control system. Personnel management includes hiring, assigning
personnel to engagements, professional development, and advancement
activities. Policies and procedures should be established to provide
the firm with reasonable assurance that:
Those hired possess the appropriate characteristics to
enable them to perform competently.
Work is assigned to personnel having the degree of
technical training and proficiency required in the circumstances.
Personnel participate in general and industry-specific continuing
professional education and other professional development activities
that enable them to fulfill responsibilities assigned, and satisfy
applicable professional education requirements of the AICPA, and
regulatory agencies.
Personnel selected for advancement have the qualifications
necessary for fulfillment of the responsibilities they will be called
on to assume.\23\
---------------------------------------------------------------------------

\23\ See QC 40.02.
---------------------------------------------------------------------------

A firm's policies and procedures related to personnel management
should be designed to provide a firm with reasonable assurance that
practitioners-in-charge of engagements (i.e., engagement partners)
possess the kinds of competencies that are appropriate given the
circumstances of the client engagement.\24\ Competencies are the
knowledge, skills, and abilities that enable an engagement partner to
be qualified to perform an engagement.\25\ Competencies may be gained
in various ways, including through relevant industry, governmental, and
academic positions.\26\ A firm's policies and procedures should
ordinarily address the following competencies for an engagement
partner:
---------------------------------------------------------------------------

\24\ See QC 40.03.
\25\ See QC 40.04.
\26\ See QC 40.05.
---------------------------------------------------------------------------

Understanding of the role of a system of quality control
and a code of professional conduct;
Understanding of the service to be performed;
Technical proficiency;
Familiarity with the industry;
Professional judgment; and
Understanding the organization's information technology
systems.\27\
---------------------------------------------------------------------------

\27\ See QC 40.08.
---------------------------------------------------------------------------

Under QC 40, these competencies are interrelated.\28\ When
establishing policies and procedures related to competencies needed by
an engagement partner, a firm may need to consider the requirements of
policies and procedures established for other elements of quality
control.\29\
---------------------------------------------------------------------------

\28\ See QC 40.09.
\29\ See QC 40.10.
---------------------------------------------------------------------------

b. SECPS Member Requirements
The SECPS was a division of the AICPA for U.S. firms that audited
public companies, which established incremental quality control
requirements for its members. The SECPS requirements originally applied
to all U.S. firms that audited public companies under AICPA standards.
The SECPS ceased to exist following the establishment of the PCAOB.
Under PCAOB rules, certain SECPS requirements still apply to firms
that were members of the SECPS as of April 16, 2003.\30\ Based on
current registration data, the SECPS member requirements apply to 201
(approximately 12% of) PCAOB-registered firms, including 11 of the 14
annually inspected firms in 2023.
---------------------------------------------------------------------------

\30\ PCAOB Rule 3400T(b) requires certain firms to comply with
QC standards as described in ``the AICPA SEC Practice Section's
Requirements of Membership (d), (l), (m), (n)(1) and (o), as in
existence on April 16, 2003 (AICPA SEC Practice Section Manual
1000.08(d), (j), (m), (n)(1) and (o)), to the extent not superseded
or amended by the Board.'' The note to Rule 3400T provides that
those requirements ``only apply to those registered public
accounting firms that were members of the AICPA SEC Practice Section
on April 16, 2003.'' One of the SECPS member requirements,
concerning concurring partner review, was superseded in 2009 by the
PCAOB's adoption of AS 1220, Engagement Quality Review.
---------------------------------------------------------------------------

i. Section 1000.08(d)--Continuing Professional Education of Audit Firm
Personnel
Section 1000.08(d) requires SECPS member firms to ensure that all
professionals residing in the United States, both CPAs and non-CPAs,
participate in at least 20 hours of qualifying CPE every year and at
least 120 hours every three years.\31\ Professionals who devote at
least 25% of their time to performing audit, review, or other attest
engagements, or who have responsibility for supervision or review of
such engagements, must obtain at least 40% of their CPE hours in
subjects related to accounting and auditing.\32\
---------------------------------------------------------------------------

\31\ See SECPS 1000.08(d).
\32\ See SECPS 1000.08(d).
---------------------------------------------------------------------------

Additional information on Section 1000.08(d)'s CPE requirements
appears in SECPS Section 8000, Continuing Professional Education
Requirements Effective for Educational Years Beginning After May 31,
2002.\33\ That information is summarized into three categories: (1)
record-keeping for each professional to ensure that each professional
adheres to all CPE requirements; (2) adherence to standards for CPE
program sponsors for each program sponsored by the member firm; and (3)
compliance with additional CPE requirements of the SECPS.\34\ Appendix
A to Section 8000 includes the AICPA policies related to CPE.
---------------------------------------------------------------------------

\33\ See SECPS 1000.08(d) (referring, in a footnote, to Section
8000).
\34\ See SECPS 8000.
---------------------------------------------------------------------------

ii. Section 1000.08(l)--Communication by Written Statement to All
Professional Personnel of Firm Policies and Procedures on the
Recommendation and Approval of Accounting Principles, Present and
Potential Client Relationships, and the Types of Services Provided
Section 1000.08(l) requires SECPS member firms to communicate,
through a written statement, to all professional firm personnel the
broad principles that influence the firm's quality control and
operating policies and procedures.\35\ Periodic communication also must
inform professional firm personnel that compliance with those
principles is mandatory.\36\
---------------------------------------------------------------------------

\35\ See SECPS 1000.08(l). Section 1000.08(l) includes a cross-
reference to Appendix H SECPS Section 1000.42, Illustrative
Statement of Firm Philosophy, which provides an illustration of such
a statement.
\36\ See id.
---------------------------------------------------------------------------

iii. Section 1000.08(m)--Notification of the Commission of Resignations
and Dismissals From Audit Engagements for Commission Registrants
Section 1000.08(m) requires that, if an SECPS member firm has
resigned, declined to stand for reelection, or been dismissed as the
auditor of an SEC registrant and the registrant has not reported the
change in auditors to the SEC in a timely filed Form 8-K, the member
firm is to report that the client-auditor relationship has ceased
directly, in writing, to the former SEC client and the SEC within five
business days.\37\
---------------------------------------------------------------------------

\37\ See SECPS 1000.08(m). Section 1000.08(m) cross-references
Appendix D SECPS Section 1000.38, Revised Definition of an SEC
Client, which provides the definition of an SEC client, as well as
Appendix I SECPS Section 1000.43, Standard Form of Letter Confirming
the Cessation of the Client-Auditor Relationship, which provides a
standard form of such report.

---------------------------------------------------------------------------

[[Page 49593]]

iv. Section 1000.08(n)--Audit Firm Obligations With Respect to the
Policies and Procedures of Correspondent Firms and of Other Members of
International Firms or International Associations of Firms
Section 1000.08(n) requires SECPS member firms that are members of,
correspondents with, or similarly associated with international firms
or international associations of firms to seek adoption of policies and
procedures that are consistent with the objectives in Appendix K (SECPS
Section 1000.45), SECPS Member Firms With Foreign Associated Firms That
Audit SEC Registrants.\38\
---------------------------------------------------------------------------

\38\ See SECPS 1000.08(n).
---------------------------------------------------------------------------

Appendix K was adopted with the intention of enhancing the quality
of SEC filings by issuers whose financial statements are audited by
foreign associated firms of SECPS member firms.\39\ It requires SECPS
member firms to seek adoption by their international organizations or
individual foreign associated firms of certain policies and procedures,
including:
---------------------------------------------------------------------------

\39\ See SECPS 1000.45.01.
---------------------------------------------------------------------------

Procedures to be performed on certain SEC filings by a
filing reviewer who is knowledgeable in applicable accounting and
auditing standards, independence requirements, and SEC rules and
regulations;
Inspection procedures for a sample of audit engagements
performed by foreign associated firms for issuer clients, to be
performed by inspection reviewers who are knowledgeable in the same
areas as filing reviewers; and
Policies and procedures under which disagreements between
the filing or inspection reviewer and the audit partner-in-charge
should be resolved in accordance with the policy of the international
organization or the filing or inspection reviewer's firm.\40\
---------------------------------------------------------------------------

\40\ See id.
---------------------------------------------------------------------------

v. Section 1000.08(o)--Policies and Procedures To Comply With
Independence Requirements
Section 1000.08(o) requires SECPS member firms to have policies and
procedures in place to comply with applicable independence
requirements.\41\ Section 1000.08(o) cross-references Appendix L, SECPS
Section 1000.46, Independence Quality Controls, which requires firms to
establish written policies \42\ covering relationships with
``restricted entities,'' for example, relationships between the
restricted entity and the member firm, its benefit plans, and its
professionals.\43\ These relationships include investments, loans,
brokerage accounts, business relationships, employment relationships,
proscribed services, and fee arrangements.\44\ Firms should maintain a
database that includes all restricted entities (``restricted entity
list'') and make the restricted entity list available to the firm's
professionals and to foreign associated firms.\45\
---------------------------------------------------------------------------

\41\ See SECPS 1000.08(o).
\42\ PCAOB rules do not mandate that writings be paper-based.
See, e.g., paragraph .04 of AS 1215, Audit Documentation (audit
documentation may be in the form of paper, electronic files, or
other media).
\43\ See SECPS 1000.46 (requirement 1).
\44\ See id.
\45\ See SECPS 1000.46 (requirements 4, 5, and 6).
---------------------------------------------------------------------------

A senior-level partner should be designated to oversee the
independence policies and maintain and communicate the restricted
entity list.\46\ The policies and procedures also should require:
---------------------------------------------------------------------------

\46\ See SECPS 1000.46 (requirement 5).
---------------------------------------------------------------------------

Reviewing the restricted entity list prior to obtaining
any security;
Obtaining independence certifications from the firm's
professionals;
Reporting violations of policies;
Establishing a monitoring system; and
Developing policies for potential sanctions for violations
of the firm's policies and procedures or professional independence
requirements.\47\
---------------------------------------------------------------------------

\47\ See SECPS 1000.46 (requirement 7).
---------------------------------------------------------------------------

The policies and procedures should be made available to all
professionals and a training program should be established to provide
reasonable assurance that professionals understand the policies.\48\
---------------------------------------------------------------------------

\48\ See SECPS 1000.46 (requirement 3).
---------------------------------------------------------------------------

3. Observations From Oversight Activities
In the course of conducting inspections of registered public
accounting firms \49\ and investigating potential violations of PCAOB
standards and other related laws and rules governing audits of public
companies and audits and attestation engagements of broker-dealers, the
PCAOB may identify deficiencies in firms' execution of engagements and
in firms' QC systems. Oversight activities also help the PCAOB to
identify good practices, both for engagements and for QC systems. The
PCAOB also considers information derived from the SEC's enforcement
program.
---------------------------------------------------------------------------

\49\ The information on inspections and remediation efforts is
limited to those firms that are subject to inspection by the PCAOB.
---------------------------------------------------------------------------

Over time, firms have implemented a number of changes to their QC
systems to remediate deficiencies identified through the PCAOB's
inspections program.\50\ Examples of changes firms have made in
response to the Board's inspections include: \51\
---------------------------------------------------------------------------

\50\ Additional information about the PCAOB remediation process
is available on the PCAOB website at https://pcaobus.org/oversight/inspections/remediation/remediation_process.
\51\ Examples are drawn from firms' Rule 4009 submissions. A
Rule 4009 submission is a confidential submission prepared by a
firm, pursuant to PCAOB Rule 4009, Firm Response to Quality Control
Defects, concerning the ways in which a firm has addressed a QC
criticism. For additional background, see The Process for Board
Determinations Regarding Firms' Efforts to Address Quality Control
Criticisms in Inspection Reports, PCAOB Rel. No. 104-2006-077 (Mar.
21, 2006).
---------------------------------------------------------------------------

Independence--Creating automated links between the firm's
tools for tracking subcontractors and evaluating and tracking business
relationships to ensure that independence evaluations are complete and
timely;
Engagement Performance--Implementing new policies and
procedures for engagement teams to focus on obtaining a thorough
understanding of how issuers initiate, record, process, and report
significant classes of transactions and how that information is
recorded in the financial statements;
Resources--Creating a committee to evaluate partner
performance in relation to audit quality and establishing an
accountability framework with penalties for negative audit quality
events;
Monitoring and Remediation--Adding new leadership
positions to the internal inspection program, developing new analysis
and reporting of internal inspection findings, and disseminating such
findings more broadly; and
Monitoring and Remediation--Adding in-process review and
coaching programs to assist engagement teams in certain challenging
areas, including internal control over financial reporting (``ICFR'')
and accounting estimates.
Observations from PCAOB oversight activities have shown that
improvements in quality controls can enhance the quality of
engagements.\52\ However, PCAOB inspections continue to identify
deficiencies related to engagements and the operation of firm QC
systems, suggesting that not all firms have made meaningful
improvements in these areas. Moreover, the pervasiveness of recent
findings regarding such

[[Page 49594]]

deficiencies--both in terms of the number of firms affected and the
percentage of deficient engagements--suggests that an updated QC
standard is needed to drive proactive, systemic, and consistent
improvements in audit quality rather than just case-by-case
improvements in response to firm-specific findings.
---------------------------------------------------------------------------

\52\ See, e.g., Spotlight: Staff Update and Preview of 2021
Inspection Observations (Dec. 2022) (``2021 Inspection Observations
Preview''), at 20-22, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/staff-preview-2021-inspection-observations-spotlight.pdf?sfvrsn=d2590627_4; Staff Inspection
Brief: Staff Preview of 2018 Inspections Observations (May 6, 2019)
(``2018 Inspection Observations Preview''), at 1-4, available at
https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/inspections/documents/staff-preview-2018-inspection-observations.pdf?sfvrsn=b5f8cb09_0.
---------------------------------------------------------------------------

The following discussion summarizes recent observations from PCAOB
inspections \53\ and investigations of QC systems, including
deficiencies and violations--instances of noncompliance with PCAOB
requirements--and good practices that the Board believes support and
strengthen QC systems. The Board has taken these observations into
account in developing the final QC standard and related amendments,
rules, and forms.
---------------------------------------------------------------------------

\53\ PCAOB inspections are designed to assess a firm's
compliance with PCAOB standards and rules and other applicable
regulatory and professional requirements with respect to the firm's
QC system and in the portions of engagements selected for review. An
inspection does not involve a review of all aspects of a firm's QC
system. An inspection also does not necessarily involve a review of
all of a firm's engagements, nor is it designed to identify every
deficiency in the reviewed engagements. The inspection data are
derived from PCAOB inspection reports. Part II of PCAOB inspection
reports include criticisms of, and potential defects in, a firm's QC
system, to the extent any are identified. The PCAOB includes, in
Part II of its inspection reports, deficiencies observed in
inspections of individual engagements when the results indicate that
the firm's QC system does not provide reasonable assurance that firm
personnel will comply with applicable professional standards and
regulatory requirements. In evaluating whether engagement
observations are indicative of QC deficiencies, PCAOB staff consider
the nature, significance, and frequency of deficiencies; related
firm methodology, guidance, and practices; and possible root causes.
---------------------------------------------------------------------------

a. QC Deficiencies and Violations Observed From Oversight Activities
PCAOB observations have generally revealed that while some firms
have made improvements to their QC systems, the progress has been
uneven. Even taking that progress into account, in roughly a third of
the issuer audits the PCAOB inspected from 2020 to 2022, the auditor's
opinion was not adequately supported.\54\ This suggests that there is
significant room for improvement in QC systems' ability to provide
reasonable assurance that firm engagements are performed in accordance
with applicable professional standards and regulatory requirements.
---------------------------------------------------------------------------

\54\ See Figure 1 below, and accompanying text for an analysis
of 2011-2022 inspections data.
---------------------------------------------------------------------------

As described below, the PCAOB's observations all too frequently
indicate that firms' QC systems did not appear to provide reasonable
assurance that firm personnel will comply with applicable professional
standards in, among others, the areas of: (1) acceptance of
engagements; (2) engagement performance; (3) independence, integrity,
and objectivity; (4) personnel management; (5) monitoring; and (6)
engagement quality reviews. Below are examples of the PCAOB's
observations in these areas.
i. Acceptance of Engagements
A firm's QC system should provide the firm with reasonable
assurance that it undertakes only those engagements that the firm can
reasonably expect to be completed with professional competence.\55\
This includes taking into consideration, among other things, the
availability of resources to perform an engagement and the competence
of those resources. The PCAOB has observed instances where a firm's
lack of policies and procedures in the area of engagement acceptance
and continuance resulted in accepting new engagements that were not
completed with professional competence and resulted in numerous
violations of PCAOB auditing standards.\56\
---------------------------------------------------------------------------

\55\ See QC 20.15.
\56\ See, e.g., In the Matter of WithumSmith+Brown, PC, PCAOB
Rel. No. 105-2024-010 (Feb. 20, 2024); In the Matter of Jack Shama
and Jack Shama, CPA, PCAOB Rel.e No. 105-2024-004 (Jan. 23, 2024);
In the Matter of Shandong Haoxin Certified Public Accountants Co.,
Ltd., LIU Kun, MA Yao, SUN Penghuan, and ZHU Dawei, PCAOB Rel. No.
105-2023-045 (Nov. 30, 2023); In the Matter of Alfonse Gregory
Giugliano, CPA, SEC Accounting and Auditing Enforcement Release
(``AAER'') No. 4458 (Sept. 12, 2023); In the Matter of Marcum LLP,
PCAOB Rel. No. 105-2023-005 (June 21, 2023); In the Matter of Marcum
LLP, SEC AAER No. 4423 (June 21, 2023).
---------------------------------------------------------------------------

ii. Engagement Performance
A properly functioning QC system should provide the firm with
reasonable assurance that the work performed by engagement personnel
meets applicable professional standards, regulatory requirements, and
the firm's standards of quality.\57\ A QC system cannot provide
reasonable assurance if, for example, there are severe, frequent, or
widespread deficiencies, or recurring instances of similar types of
deficiencies at the engagement level. The PCAOB has observed
deficiencies and violations in a range of areas of engagement
performance, including, for example:
---------------------------------------------------------------------------

\57\ See QC 20.17.
---------------------------------------------------------------------------

Failure to identify and test controls that address risks
of material misstatement or sufficiently evaluate review controls;
Insufficient evaluation of significant assumptions or data
used in developing an estimate; \58\
---------------------------------------------------------------------------

\58\ See, e.g., WithumSmith+Brown, PC, PCAOB Rel. No. 105-2024-
010.
---------------------------------------------------------------------------

Unwarranted reliance on data or reports used in testing an
issuer's financial reporting controls or in substantive testing; \59\
---------------------------------------------------------------------------

\59\ See, e.g., PKF O'Connor Davies, LLP, PCAOB Rel. No. 105-
2022-001.
---------------------------------------------------------------------------

Engagement partners' failure to adequately supervise the
engagement with due professional care, which contributed to not
identifying deficiencies; \60\
---------------------------------------------------------------------------

\60\ See, e.g., Alfonse Gregory Giugliano, CPA, SEC AAER No.
4458; In the Matter of Deloitte Touche Tohmatsu Certified Public
Accountants, LLP, SEC AAER No. 4342 (Sept. 29, 2022); In the Matter
of RSM, SEC AAER No. 4346 (Sept. 30, 2022); In the Matter of
Mancera, S.C., Alejandro Valdez Mendoza, C.P., and Angel Radames
Corral Nieblas, C.P., SEC AAER No. 4198 (Dec. 17, 2020); In the
Matter of Whitley Penn LLP, Susan Lunn Powell, CPA, Jeffry Shannon
Lawlis, CPA, and John Griffin Babb, CPA, PCAOB Rel. No. 105-2020-002
(Mar. 24, 2020); In the Matter of David M. Burns, CPA, PCAOB Rel.
No. 105-2017-055 (Dec. 19, 2017); In the Matter of BDO Auditores,
S.L.P., Santiago Sa[ntilde][eacute] Figueras, and Jos[eacute]
Ignacio Alg[aacute]s Fern[aacute]ndez, PCAOB Rel. No. 105-2017-039
(Sept. 26, 2017); In the Matter of KPMG LLP and John Riordan, CPA,
SEC AAER No. 3888 (Aug. 15, 2017).
---------------------------------------------------------------------------

Failure to implement and maintain adequate policies and
procedures to provide reasonable assurance that work is performed and
documented; \61\ and
---------------------------------------------------------------------------

\61\ See, e.g., WithumSmith+Brown, PC, PCAOB Rel. No. 105-2024-
010; In the Matter of SW Audit, PCAOB Rel. No. 105-2024-009 (Feb.
20, 2024); Shama, PCAOB Rel. No. 105-2024-004; In the Matter of
Haynie & Company, PCAOB Rel. No. 105-2024-001 (Jan. 23, 2024);
Shandong Haoxin Certified Public Accountants Co., Ltd., PCAOB Rel.
No. 105-2023-045; In the Matter of Deloitte & Touche S.A.S., PCAOB
Rel. No. 105-2023-025 (Sept. 26, 2023); Marcum LLP, SEC AAER No.
4423 ; Deloitte Touche Tohmatsu Certified Public Accountants, LLP,
SEC AAER No. 4342; In the Matter of HLB Mann Judd, Darryl Swindells,
and Aidan Smith, PCAOB Rel. No. 105-2020-008 (June 29, 2020); In the
Matter of Castillo Miranda y Compa[ntilde][iacute]a, S.C., Ignacio
Garc[iacute]a Pareras, Juan Mart[iacute]n Gudi[ntilde]o Casillas,
Luis Ra[uacute]l Michel Dom[iacute]nguez, Juan Francisco Olvera
D[iacute]az, Carlos Rivas Ramos, and Bernardo Soto Pe[ntilde]afiel,
PCAOB Rel. No. 105-2019-028 (Oct. 31, 2019); In the Matter of
Deloitte Anjin LLC, PCAOB Rel. No. 105-2019-025 (Oct. 31, 2019); In
the Matter of Deloitte Touche Tohmatsu Auditores Independentes,
PCAOB Rel. No 105-2016-031 (Dec. 5, 2016).
---------------------------------------------------------------------------

Failure to ensure audits are performed under PCAOB
standards and not another framework.\62\
---------------------------------------------------------------------------

\62\ See, e.g., In the Matter of Dale Matheson Carr-Hilton
LaBonte LLP, PCAOB Rel. No. 105-2021-021 (Dec. 14, 2021); In the
Matter of WDM Chartered Professional Accountants and Mike Kao, PCAOB
Rel. No. 105-2021-016 (Sept. 30, 2021).
---------------------------------------------------------------------------

iii. Independence, Integrity, and Objectivity
A firm's QC system should also provide the firm with reasonable
assurance that personnel maintain independence--in fact and in
appearance--in all required circumstances.\63\ Observations relating to
auditor independence have been recurring over the last several
years.\64\

[[Page 49595]]

Examples of these observations frequently have included:
---------------------------------------------------------------------------

\63\ See QC 20.09.
\64\ See, e.g., 2022 Inspection Observations Preview at 18; 2021
Inspection Observations Preview at 19; PCAOB, Spotlight: Staff
Update and Preview of 2020 Inspection Observations (Oct. 2021)
(``2020 Inspection Observations Preview''), at 12, available at
https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/documents/staff-preview-2020-inspection-observations-spotlight.pdf?sfvrsn=10819041_4; Spotlight: Staff Update and Preview
of 2019 Inspection Observations (Oct. 8, 2020) (``2019 Inspection
Observations Preview''), at 7, available at https://pcaobus.org/Inspections/Documents/Staff-Preview-2019-Inspection-Observations-Spotlight.pdf; Staff Inspection Brief: Inspections Outlook for 2019
(Dec. 6, 2018) (``2019 Inspections Outlook''), at 2, available at
https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/inspections/documents/inspections-outlook-for-2019.pdf?sfvrsn=538b8bb7_2.
---------------------------------------------------------------------------

Violations of independence, including financial
relationship and partner rotation requirements of 17 CFR 210.2-01; \65\
---------------------------------------------------------------------------

\65\ See, e.g., In the Matter of Ernst & Young LLP, James G.
Herring, Jr., CPA, James A. Young, CPA, and Curt W. Fochtmann, CPA,
SEC AAER No. 4239 (Aug. 2, 2021); In the Matter of Raich Ende Malter
& Co., PCAOB Rel. No. 105-2019-009 (Apr. 9, 2019); In the Matter of
Marcum LLP and Alfonse Gregory Giugliano, CPA, PCAOB Rel. No. 105-
2019-022 (Sept. 10, 2019); In the Matter of Marcum Bernstein &
Pinchuk LLP, PCAOB Rel. No. 105-2019-023 (Sept. 10, 2019).
---------------------------------------------------------------------------

Noncompliance by firm personnel in reporting their
financial relationships during the independence confirmation process;
Independence violations related to the firm providing
impermissible non-audit services; \66\
---------------------------------------------------------------------------

\66\ See, e.g., In the Matter of Pricewaterhousecoopers LLP, SEC
AAER No. 4084 (Sept. 23, 2019); In the Matter of RSM US LLP (f/k/a
McGladrey LLP), SEC AAER No. 4066 (Aug. 27, 2019).
---------------------------------------------------------------------------

Noncompliance with PCAOB Rule 3524, Audit Committee Pre-
approval of Certain Tax Services, and PCAOB Rule 3526, Communication
with Audit Committees Concerning Independence; \67\
---------------------------------------------------------------------------

\67\ See, e.g., In the Matter of PricewaterhouseCoopers, S.C.,
PCAOB Rel. No. 105-2019-017 (Aug. 1, 2019); In the Matter of BDO
Magyarorszag Konyvvizsgalo Kft., PCAOB Rel. No. 105-2017-024 (Apr.
12, 2017).
---------------------------------------------------------------------------

Improper inclusion of indemnification clauses in
engagement letters, which impaired independence based on the general
standard of independence prescribed by 17 CFR 210.2-01(b); and
Failure to implement and maintain adequate policies and
procedures to provide reasonable assurance that firm personnel timely
consult on complex, unusual, or unfamiliar independence issues.\68\
---------------------------------------------------------------------------

\68\ See, e.g., In the Matter of PricewaterhouseCoopers LLP,
PCAOB Rel. No. 105-2024-014 (Mar. 28, 2024).
---------------------------------------------------------------------------

The PCAOB has also observed highly concerning, widespread instances
where firm personnel have improperly shared answers on examinations
required to obtain or maintain professional licenses.\69\ The Board has
acted decisively in responding to this conduct, which was prevalent
both domestically and internationally.\70\ The PCAOB has also observed
instances where firm personnel have not acted with integrity by
altering work papers \71\ or failing to cooperate with the Board.\72\
---------------------------------------------------------------------------

\69\ See, e.g., In the Matter of Navarro Amper & Co., PCAOB Rel.
No. 105-2024-025 (Apr. 10, 2024); In the Matter of Imelda & Rekan,
PCAOB Rel. No. 105-2024-024 (Apr. 10, 2024); In the Matter of KPMG
Accountants N.V., PCAOB Rel. No. 105-2024-022 (Apr. 10, 2024); In
the Matter of KPMG LLP (United Kingdom), PCAOB Rel. No. 105-2022-032
(Dec. 6, 2022); In the Matter of Ernst & Young LLP, SEC AAER No.
4313 (June 28, 2022); In the Matter of PricewaterhouseCoopers LLP,
PCAOB Rel. No. 105-2022-002 (Feb. 24, 2022); In the Matter of KPMG,
PCAOB Rel. No. 105-2021-008 (Sept. 13, 2021); In the Matter of KPMG
LLP, SEC AAER No. 4051 (June 17, 2019).
\70\ See, e.g., In the Matter of PricewaterhouseCoopers Zhong
Tian LLP, PCAOB Rel. No. 105-2023-044 (Nov. 30, 2023); In the Matter
of PricewaterhouseCoopers, PCAOB Rel. No. 105-2023-043 (Nov. 30,
2023); KPMG LLP (United Kingdom), PCAOB Rel. No. 105-2022-032
PricewaterhouseCoopers LLP, PCAOB Rel. No. 105-2022-002 KPMG, PCAOB
Rel. No. 105-2021-008.
\71\ See, e.g., In the Matter of Jose Daniel Melendez Gimenez,
PCAOB Rel. No. 105-2022-035 (Dec. 6, 2022); In the Matter of Edgar
Mauricio Ramirez Rueda, PCAOB Rel. No. 105-2022-036 (Dec. 6, 2022);
In the Matter of Marco Alexander Rodriguez Ramirez, PCAOB Rel. No.
105-2022-037 (Dec. 6, 2022); In the Matter of KPMG S.A.S., PCAOB
Rel. No. 105-2022-034 (Dec. 6, 2022); In the Matter of Jonathan B.
Taylor, CPA, PCAOB Rel. No. 105-2022-025 (Oct. 18, 2022); Castillo
Miranda y Compa[ntilde][iacute]a, S.C.PCAOB Rel. No. 105-2019-028
Deloitte Anjin LLC, PCAOB Rel. No. 105-2019-025 Deloitte Touche
Tohmatsu Auditores Independentes, PCAOB Rel. No 105-2016-031.
\72\ See, e.g., Shandong Haoxin Certified Public Accountants
Co., Ltd., PCAOB Rel. No. 105-2023-045 Jose Daniel Melendez Gimenez,
PCAOB Rel. No. 105-2022-035 Edgar Mauricio Ramirez Rueda, PCAOB Rel.
No. 105-2022-036 Marco Alexander Rodriguez Ramirez, PCAOB Rel. No.
105-2022-037 Jose Daniel Melendez Gimenez, PCAOB Rel. No. 105-2022-
035 Castillo Miranda y Compa[ntilde][iacute]a, S.C., PCAOB Rel. No.
105-2019-028 Deloitte Touche Tohmatsu Auditores Independentes, PCAOB
Rel. No 105-2016-031.
---------------------------------------------------------------------------

These recurring deficiencies and violations suggest that some firms
and their personnel either do not have the requisite understanding of
applicable independence and ethics requirements, or, as evidenced by
the systemic nature of certain of these violations, do not have
appropriate controls in place to prevent violations.\73\
---------------------------------------------------------------------------

\73\ See 2021 Inspection Observations Preview at 19; 2019
Inspections Outlook at 2.
---------------------------------------------------------------------------

iv. Personnel Management
The quality of a firm's work ultimately depends on the integrity,
objectivity, intelligence, competence, experience, and motivation of
personnel who perform, supervise, and review the work.\74\ A firm's QC
system should provide the firm with reasonable assurance that personnel
participate in general and industry-specific CPE and other professional
development activities that enable them to fulfill responsibilities
assigned and satisfy applicable CPE requirements.\75\ A firm's QC
system also should provide the firm with reasonable assurance that
personnel possess the appropriate characteristics to enable them to
perform competently and that work is assigned to personnel having the
degree of technical training and proficiency required in the
circumstances.\76\
---------------------------------------------------------------------------

\74\ See QC 20.12.
\75\ See QC 20.13c.
\76\ See QC 20.13a. and b.
---------------------------------------------------------------------------

The PCAOB has observed deficiencies related to compliance with the
firm's auditing policies and procedures.\77\ The PCAOB also has
observed deficiencies and violations where the firm did not assign
personnel to engagements who had the training and proficiency required
to perform audit work in accordance with PCAOB standards.\78\
---------------------------------------------------------------------------

\77\ See 2022 Inspection Observations Preview at 18.
\78\ See, e.g., Jack Shama PCAOB Rel. No. 105-2024-004 ; In the
Matter of Hall & Company Certified Public Accountants & Consultants,
Inc., and Anthony J. Price, CPA, PCAOB Rel. No. 105-2022-029 (Nov.
3, 2022); In the Matter of PKF O'Connor Davies, LLP, PCAOB Rel. No.
105-2022-001 (Jan. 25, 2022); In the Matter of WDM Chartered
Professional Accountants, PCAOB Rel. No. 105-2021-016 (Sept. 30,
2021); In the Matter of Grant Thornton LLP, PCAOB Rel. No. 105-2017-
054 (Dec. 19, 2017); BDO Auditores, S.L.P., Santiago
Sa[ntilde][eacute] Figueras, and Jos[eacute] Ignacio Alg[aacute]s
Fern[aacute]ndez, PCAOB Rel. No. 105-2017-039.
---------------------------------------------------------------------------

v. Monitoring
A firm's QC system should provide the firm with reasonable
assurance that its policies and procedures are suitably designed and
effectively applied.\79\ The PCAOB has observed situations where a
firm's internal inspection procedures did not detect significant audit
deficiencies or the firm did not make changes to address repeated
identified audit deficiencies.\80\ These deficiencies and violations
were subsequently identified through SEC and PCAOB oversight.\81\
---------------------------------------------------------------------------

\79\ See QC 20.20.
\80\ See, e.g., 2022 Inspection Observations Preview at 19.
\81\ See, e.g., In the Matter of KPMG Assurance and Consulting
Services LLP and Sagar Pravin Lakhani, PCAOB Rel. No. 105-2022-033
(Dec. 6, 2022); In the Matter of Friedman LLP, SEC AAER No. 4339
(Sept. 23, 2022); In the Matter of BMKR LLP and Joseph Mortimer,
CPA, PCAOB Rel. No. 105-2022-003 (Feb. 24, 2022); PKF O'Connor
Davies, LLP, PCAOB Rel. No. 105-2022-001 WDM Chartered Professional
Accountants, PCAOB Rel. No. 105-2021-016 ; In the Matter of Haskell
& White LLP, PCAOB Rel. No. 105-2021-006 (Aug. 13, 2021); In the
Matter of RBSM LLP, PCAOB Rel. No. 105-2021-004 (Aug. 9, 2021);
Castillo Miranda y Compa[ntilde][iacute]a, S.C., PCAOB Rel. No. 105-
2019-028 Marcum LLP, PCAOB Rel. No. 105-2019-022 Marcum Bernstein &
Pinchuk LLP, PCAOB Rel. No. 105-2019-023 PricewaterhouseCoopers,
S.C., PCAOB Rel. No. 105-2019-017; In the Matter of Bharat Parikh &
Associates Chartered Accountants, Bharatkumar Balmukund Parikh, FCA,
and Anuj Bharatkumar Parikh, PCAOB Rel. No. 105-2019-003 (Mar. 19,
2019); Grant Thornton, PCAOB Rel. No. 105-2017-054.

---------------------------------------------------------------------------

[[Page 49596]]

vi. Engagement Quality Reviews
Both the PCAOB and SEC have identified deficiencies and violations
in audit areas that require evaluation by the engagement quality
reviewer (``EQR''),\82\ which suggests the EQR did not perform the
evaluation with due professional care.\83\ Additionally, for certain
broker-dealer audit and attestation engagements, the PCAOB has observed
instances where engagement quality reviews were not performed or
sufficiently documented \84\ and policies and procedures did not
provide reasonable assurance that engagement quality reviews were
performed with due professional care.\85\
---------------------------------------------------------------------------

\82\ See, e.g., Spotlight: Inspection Observations Related to
Engagement Quality Reviews (Oct. 2023), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/eqr-spotlight.pdf?sfvrsn=95a345e6_4; 2022 Inspection Observations
Preview at 19; 2021 Inspection Observations Preview at 20; 2018
Inspection Observations Preview, at 4; 2020 Inspection Observations
Preview at 12.
\83\ See, e.g., In the Matter of RAM Associates & Company LLC
and Parameswara K. Ramachandran, PCAOB Rel. No. 105-2023-021 (Aug.
8, 2023); In the Matter of Total Asia Associates PLT, PCAOB Rel. No.
105-2023-007 (June 23, 2023); In the Matter of RT LLP, PCAOB Rel.
No. 105-2023-002 (Apr. 11, 2023); In the Matter of Donald R. Burke,
CPA, PCAOB Rel. No. 105-2021-012 (Sept. 29, 2021); RBSM LLP, PCAOB
Rel. No. 105-2021-00; In the Matter of Cheryl L. Gore, CPA and
Stanley R. Langston, CPA, PCAOB Rel. No. 105-2021-020 (Dec. 14,
2021); Whitley Penn LLP, PCAOB Rel. No. 105-2020-002; In the Matter
of Helen R. Liao, CPA, PCAOB Rel. No. 105-2020-014 (Sept. 24, 2020);
In the Matter of Crowe Horwath LLP, Joseph C. Macina, CPA, and Kevin
V. Wydra, CPA, SEC AAER No. 4007 (Dec. 21, 2018); In the Matter of
BDO Auditores, S.L.P., PCAOB Rel. No. 105-2017-039.
\84\ See, e.g., In the Matter of Alvarez & Associates, Inc.,
Certified Public Accountants, and Vicente Alvarez, CPA, PCAOB Rel.
No. 105-2022-039 (Dec. 21, 2022); In the Matter of Citrin Cooperman
& Company, LLP, Joseph Puglisi, CPA, Mark Schniebolk, CPA, and John
Cavallone, CPA, PCAOB Rel. No. 105-2022-007 (May 11, 2022).
\85\ See Annual Report on the Interim Inspection Program Related
to Audits of Brokers and Dealers, PCAOB Rel. No. 2023-005 (Aug. 10,
2023) (``2022 Broker-Dealer Inspection Report''), at 31.
---------------------------------------------------------------------------

b. Good Practices Observed From Inspections
The following observations regarding good QC practices are based on
inspections in recent years.\86\ A good QC practice could be a
procedure, technique, or methodology that is appropriately
comprehensive and suitably designed in relation to a firm's size and
the nature and complexity of the firm's practice. The Board has taken
these observations into account in its consideration of QC 1000, while
recognizing that the nature, extent, and formality of the design,
implementation, and operation of QC systems can vary across firms.
---------------------------------------------------------------------------

\86\ See, e.g., 2022 Inspection Observations Preview; 2021
Inspection Observations Preview; 2020 Inspection Observations
Preview; 2019 Inspection Observations Preview; and 2018 Inspection
Observations Preview.
---------------------------------------------------------------------------

i. Well-Defined QC System
A well-defined QC system includes all key elements of quality
control and is supported by documentation that helps to promote firm
personnel's understanding and consistent application of the firm's QC
system. Helpful characteristics that the PCAOB has observed in some
firms' QC systems include:
Narratives and process flows that articulate how and where
quality objectives fit within the QC processes and define risks posed
to those quality objectives, including considering what could go wrong
along the way;\87\ and
---------------------------------------------------------------------------

\87\ See 2021 Inspection Observations Preview at 22; 2019
Inspection Observations Preview at 4.
---------------------------------------------------------------------------

Developing risk and control matrices that include well-
defined controls.
ii. Accountability for Audit Quality
Leadership involvement in and commitment to a firm's QC system sets
the tone at the top and drives clear expectations regarding the
importance of audit quality. The PCAOB observed positive behaviors
where firms have placed an emphasis on the importance of audit quality
through extending accountability beyond engagement partners to other
key leaders at the firm, such as audit quality leaders, technical
experts, and office leaders, through performance management
processes.\88\
---------------------------------------------------------------------------

\88\ See 2018 Inspection Observations Preview at 2.
---------------------------------------------------------------------------

iii. Root Cause Analysis of Identified Deficiencies
Identifying causal factors for engagement and QC deficiencies
(i.e., root cause analysis) can enable a firm to determine the
appropriate response to and remediation of deficiencies and modify
policies and procedures to prevent similar occurrences in the future.
The PCAOB has observed that thorough root cause analyses drive better
remediation of identified deficiencies. If root cause analysis is
performed by a centralized team, having a defined process to share data
and lessons learned outside of the root cause analysis team may further
enhance the performance of a firm's QC system.
Through its inspection activities the PCAOB has observed that some
firms' root cause analysis programs have significantly evolved since
the PCAOB was formed. The PCAOB has observed that some firms' approach
to root cause analysis includes one or more of the following:
Interviews with engagement teams and firm leadership;
Use of proprietary tools to analyze large amounts of data;
Root cause analysis training and the use of templates to
facilitate consistency;
Consideration of available performance metrics, such as
engagement hours, training records, audit milestone dates, and partner
experience years; and
Consideration of positive quality events (i.e., actions,
behaviors, or conditions that resulted in positive outcomes, such as
where aspects of the firm's QC system operated effectively or where no
engagement deficiencies were identified for individual engagements) to
identify whether such actions, behaviors, or conditions were present on
engagements where QC deficiencies were identified.
iv. Timely Monitoring and Evaluation Activities
Timely and effective monitoring activities drive high-quality
audits. The PCAOB has observed several good practices followed by some
firms in their monitoring activities, including:
Increased real-time monitoring of in-process audit
engagements, for example, through pre-issuance reviews or coaching
programs; \89\
---------------------------------------------------------------------------

\89\ See 2020 Inspection Observations Preview at 4, 13.
---------------------------------------------------------------------------

Formalized monitoring processes and actions for defined
triggering events, including restatements, internal and external
inspection results, and results of peer reviews; and
Mature QC processes including internal self-certifications
of the effectiveness of QC components and sub-components.

Other Developments Since the Adoption of Current PCAOB QC Standards

Since the PCAOB's current QC standards were first developed and
issued, the auditing environment has changed significantly. The current
QC standards were developed in the context of the self-regulatory peer-
review system that existed before the establishment of the PCAOB.
Therefore, they were not written with a view to inspection and
enforcement by a regulator and do not address the current regulatory
environment, including firms' responsibilities with respect to

[[Page 49597]]

information brought to their attention through the PCAOB inspection
process.
Since the QC standards were established, there have been
significant developments in the availability and use of technologies
and data analytic techniques, the organizational structure and
management of firms have changed, and some firms have significantly
increased their focus on governance and quality control.
For example, there have been significant developments in the use of
technology by firms in relation to QC activities and performing
engagements. Some firms have made significant investments in internally
developed tools for use in the audit. The increased availability of
``off-the-shelf'' technologies, such as analytical software packages,
has made some tools more readily available for use by firms. Firms
developing or acquiring new technology-based tools, making changes to
existing tools, and training firm personnel on how and when to use such
tools have had impacts on QC. Many of these tools may reduce risk, for
example by reducing the possibility of human error and enabling the
analysis of whole populations of transactions rather than samples. But
they may also create new risks if they do not work as intended or are
used incorrectly.
Furthermore, some firm management and organizational structures
have evolved to include more focus on centralization and a globally
consistent methodology. Some firms have increased their use of services
and resources supplied by firm networks, affiliates, and third-party
providers. For example, some global networks are increasingly imposing
requirements on member firms regarding the use of methodologies,
technology, and policies and procedures that are developed or
established at the network level. Some firms have also increased their
use of shared service centers to assist with QC activities or
performing engagements. In addition, some firms have changed their
governance structures either voluntarily or due to changes in legal
requirements.\90\ At the same time, some firms have begun to publish
``transparency reports'' that seek to inform the public about the
firm's operations and quality control systems and practices.
---------------------------------------------------------------------------

\90\ See, e.g., the UK Financial Reporting Council, Audit Firm
Governance Code (Apr. 2022) available at https://www.frc.org.uk/getattachment/5af7cdb7-a093-4da8-94d7-f4486596e68c/FRC-Audit-Firm-Governance-Code_April-2022.pdf, and the Japan Financial Services
Agency, Audit Firm Governance Code (Mar. 2017) available at https://www.fsa.go.jp/news/28/sonota/20170331-auditfirmgc/3.pdf.
---------------------------------------------------------------------------

Additionally, some firms have strengthened their approaches to firm
governance and leadership, incentive systems, culture, and
accountability. For example, some firms have added external parties to
oversight roles. Some firms have also augmented their monitoring and
remediation processes, including through implementing or enhancing
ongoing monitoring activities and internal inspection processes,
establishing processes for considering PCAOB inspection findings,
performing root cause analysis, and increasing remediation efforts.
Observations from PCAOB oversight activities have shown that
improvements in quality controls can enhance the quality of audits.\91\
However, as noted above, PCAOB oversight activities continue to
identify pervasive deficiencies, suggesting that many firms have
meaningful improvements to make.
---------------------------------------------------------------------------

\91\ See, e.g., 2018 Inspection Observations Preview at 1-4.
---------------------------------------------------------------------------

There have also been notable advances in internal control, quality
management, and enterprise risk management frameworks and approaches,
including the Committee of Sponsoring Organizations of the Treadway
Commission (``COSO'') framework for internal control\92\ and the
International Organization for Standardization (``ISO'') quality
control standard ISO 9000:2015.\93\ Many of these share important
commonalities, stressing active involvement of leadership, focus on
risk, clearly defined objectives, objective-oriented processes,
monitoring, and remediation of identified issues. Academic research
suggests that these frameworks improve company performance.\94\
---------------------------------------------------------------------------

\92\ See, e.g., COSO, Internal Control-Integrated Framework (May
2013). An executive summary of COSO's internal control framework is
available at https://www.coso.org/_files/ugd/3059fc_1df7d5dd38074006bce8fdf621a942cf.pdf.
\93\ More information about ISO 9000:2015 is available at
https://www.iso.org/standard/45481.html.
\94\ See Benefits of related frameworks below.
---------------------------------------------------------------------------

Actions by Other Standard Setters

Following is a brief description of the quality control standards
adopted by the IAASB and the AICPA.
1. IAASB
The IAASB identified concerns related to its then effective QC
standard, International Standard on Quality Control (ISQC) 1, Quality
Control for Firms that Perform Audits and Reviews of Financial
Statements, and Other Assurance and Related Services Engagements, and
decided to take steps to improve the standard. In December 2020, the
IAASB released a suite of new quality management standards, including
International Standard on Quality Management 1, Quality Management for
Firms that Perform Audits or Reviews of Financial Statements, or Other
Assurance or Related Services Engagements (``ISQM 1''),\95\ which
became effective on December 15, 2022.\96\
---------------------------------------------------------------------------

\95\ In addition to ISQM 1, the IAASB adopted two other
standards, International Standard on Quality Management 2,
Engagement Quality Reviews (``ISQM 2''), and International Standard
on Auditing 220 (Revised), Quality Management for an Audit of
Financial Statements (``ISA 220 (Revised)''). ISQM 2 operates at the
firm level, and is analogous to PCAOB AS 1220, Engagement Quality
Review. ISA 220 (Revised) operates at the engagement level and deals
with the engagement partner's and the engagement team's
responsibilities for quality management for an audit of financial
statements. Similar topics are addressed in PCAOB standards in AS
1201, Supervision of the Audit Engagement.
\96\ ISQM 1 sets forth eight components of a QC system that
operate in an iterative and integrated manner, as well as other
requirements. See IAASB Fact Sheet, Introduction to ISQM 1, Quality
Management for Firms that Perform Audits or Reviews of Financial
Statements, or Other Assurance or Related Services Engagements (Dec.
2020), available at https://www.ifac.org/system/files/publications/files/IAASB-ISQM-1-Fact-Sheet.pdf.
---------------------------------------------------------------------------

2. AICPA
In May 2022, the Auditing Standards Board of the AICPA adopted new
quality management standards designed to improve a firm's risk
assessment and audit quality, including Statement on Quality Management
Standards (SQMS) No. 1, A Firm's System of Quality Management (``SQMS
1'').\97\ The AICPA's quality management standards closely align with
the IAASB's quality management standards, adapted for private companies
in the United States. The new AICPA standards will become effective on
December 15, 2025.
---------------------------------------------------------------------------

\97\ The AICPA's other QC standards are SQMS No. 2, Engagement
Quality Reviews; Statement on Auditing Standards (SAS) No. 146,
Quality Management for an Engagement Conducted in Accordance With
Generally Accepted Auditing Standards; and Statement on Standards
for Accounting and Review Services (SSARS) No. 26, Quality
Management for an Engagement Conducted in Accordance With Statements
on Standards for Accounting and Review Services.
---------------------------------------------------------------------------

PCAOB Outreach and Research

The Board and its advisory groups have long considered the
potential for improvements to PCAOB QC standards. For example, in 2010,
the Standing Advisory Group (``SAG'') discussed a potential QC
rulemaking project, including considerations and potential challenges
in designing and implementing a QC system.\98\ In 2014,

[[Page 49598]]

the SAG discussed how QC standards may benefit from stronger
requirements and other enhancements with respect to, for example, firm
culture and tone at the top, firm risk assessment, and monitoring of
the quality control system, including use of root cause analyses.\99\
In 2018, the SAG discussed whether additional or more specific
direction in the quality control standards with respect to governance
and leadership would lead to enhancements in firm quality control
systems.\100\ Advisory group members have generally supported including
requirements concerning firm governance and leadership in PCAOB QC
standards.
---------------------------------------------------------------------------

\98\ See Briefing Paper for the Standing Advisory Group,
Designing and Implementing a System of Quality Control (Oct. 13,
2010). An archive of SAG meeting agendas, briefing papers, and
webcasts is available at https://pcaobus.org/about/advisory-groups/archive-advisory/standing-advisory-group/sagmeetingarchive. The
materials for the Oct. 13-14, 2010, SAG meeting are available at
https://pcaobus.org/news-events/events/event-details/standing-advisory-group-meeting_476.
\99\ See Briefing Paper for the Standing Advisory Group,
Initiatives to Improve Audit Quality--Root Cause Analysis, Audit
Quality Indicators, and Quality Control Standards (June 24, 2014)
(``June 2014 SAG Briefing Paper''). The materials for the June 24-
25, 2014, SAG meeting are available at https://pcaobus.org/news-events/events/event-details/pcaob-standing-advisory-group-meeting_772.
\100\ See Briefing Paper for the Standing Advisory Group,
Quality Control: Governance and Leadership (Nov. 29, 2018). The
materials for the Nov. 29, 2018, SAG meeting are available at
https://pcaobus.org/news-events/events/event-details/standing-advisory-group-meeting_1137.
---------------------------------------------------------------------------

Rulemaking History

On December 17, 2019, the Board issued the concept release to
explore the possibility of revising PCAOB QC standards. The concept
release described an approach similar to the approach taken by the
then-proposed ISQM 1, with certain differences and alternative
requirements to specifically address the PCAOB's objectives, including
establishing requirements that:
Align with U.S. Federal securities law, SEC rules, and
other PCAOB standards and rules;
Retain important topics in current PCAOB QC standards;
Address specific emerging risks and problems observed
through PCAOB oversight activities; and
Provide more definitive direction to prompt appropriate
implementation of certain requirements.\101\
---------------------------------------------------------------------------

\101\ See Concept Release at 6.
---------------------------------------------------------------------------

The Board received 36 comment letters in response to the concept
release.\102\ Commenters included firms and related groups, investors
and related groups, academics, trade groups, and others.
---------------------------------------------------------------------------

\102\ The comment letters received in response to the concept
release are available on the Board's website in Docket 046.
---------------------------------------------------------------------------

On November 18, 2022, the Board issued a proposal to supersede
current PCAOB QC standards with an integrated, risk-based standard, QC
1000, A Firm's System of Quality Control, that would apply to all
registered firms. The Board received 42 comment letters in response to
the proposal.\103\ Commenters included firms and related groups,
investors and related groups, academics, trade groups, and others. The
Board has considered all comments in developing the final standard and
related amendments, and commenter input is included where relevant in
the discussion that follows.
---------------------------------------------------------------------------

\103\ The comment letters received in response to the proposal
are available on the Board's website in Docket 046. In addition to
42 letters received from commenters, Docket 046 includes an analysis
prepared by the PCAOB Office of Economic and Risk Analysis.
---------------------------------------------------------------------------

Areas of Improvement to the QC Standards

Taking into account the foregoing considerations, as well as
careful consideration of comments received, the Board adopted changes
to its QC standards that it believes will drive significant
improvements in firms' QC systems, by:
Emphasizing accountability, firm culture and the ``tone at
the top,'' and firm governance through requirements for specified roles
within and responsibilities for the QC system, including at the highest
levels of the firm; quality objectives that link compensation to
quality; and, for the largest firms, the requirement of an independent
perspective on firm governance;
Striking the right balance between a risk-based approach
to QC--which should drive firms to proactively identify and manage the
specific risks associated with their practice--and a set of mandates,
including mandatory quality objectives; mandatory processes for risk
assessment, monitoring and remediation, and QC system evaluation; and
specific requirements in key areas--which should assure that the QC
system is designed, implemented and operated with an appropriate level
of rigor;
Addressing changes in the audit practice environment,
including the increasing participation of other firms and other outside
resources, the role of firm networks, the evolving use of technology
and other resources, and the increasing importance of internal and
external firm communications;
Broadening responsibilities for monitoring and remediation
of deficiencies to encourage an ongoing feedback loop that drives
continuous improvement; and
Requiring a rigorous annual evaluation of the firm's QC
system and related reporting to the PCAOB, certified by key personnel,
to underscore the importance of the annual evaluation of the QC system,
reinforce individual accountability, and support PCAOB oversight.
In the Board's view, the basic objectives of the QC system should
be the same for all firms, but the scope of the QC standard and how it
applies should take into account wide disparities in nature and
circumstances across registered firms, in particular the extent to
which their practices include engagements required to be performed
under PCAOB standards, and the complexity of such engagements. The
risks that firms face, and therefore the specific policies and
procedures necessary to appropriately serve investor interests through
an effective QC system, vary significantly from the largest firms,
operating as part of global networks, to local firms or sole
proprietorships. The scalability of the new QC standard is discussed in
greater detail below.

QC 1000: Basic Structure, Terminology, and Scalability

Basic Structure

1. Considerations Informing the Structure of QC 1000
Informed by its observations and assessment of changes to auditing
practice, the Board believes it is critical that its new QC standard
strikes an appropriate balance between risk-based elements, which
should drive firms to proactively identify and manage the specific
risks associated with their practice, and a set of mandates to assure
that the QC system is designed, implemented, and operated with an
appropriate level of rigor. Moreover, the Board believes the new QC
standard should foster a proactive approach to QC that drives
continuous improvement. Based in part on its observations, the Board
also believes its new standard should include specific requirements for
some important areas of the QC system that are addressed more generally
in current PCAOB QC standards, such as firm governance and leadership,
technology and other firm resources, and firm communications.
QC 1000 addresses all the areas of QC that Sarbanes-Oxley requires
PCAOB QC standards to address, which the Board believes will provide a
robust framework for a firm's QC system. It incorporates eight
components, which are based on mandatory elements and

[[Page 49599]]

mandatory processes that create a basic structure applicable to all
firms. For example, as discussed in more detail below, QC 1000
establishes mandatory, outcome-based quality objectives and mandatory
processes for risk assessment and monitoring and remediation. Within
the structure created by these mandates, firms will develop their own
policies and procedures based on the specific risks created by their
circumstances and practice. QC 1000 also includes requirements for
annual evaluation of the QC system and reporting to the PCAOB on that
evaluation, which the Board believes will add rigor and accountability
to the firm's evaluation of whether the QC system has met its
objectives, and will strengthen the feedback loop that drives
continuous improvement.
The structure itself addresses areas that current PCAOB standards
do not directly address, such as firm governance and leadership,
technology and other firm resources, and firm communications. In
addition, to the extent it is principles-based and focused on the
specific risks faced by the firm, the structure is inherently scalable
and can be applied to firms of all sizes and circumstances.
The structure of QC 1000 has commonalities with the structure of
ISQM 1 and SQMS 1. While the approach taken in ISQM 1 and SQMS 1 has
informed the Board's thinking, the Board has carefully analyzed every
aspect of that approach and considered where to align and where to
further strengthen the PCAOB standard by including alternative or
incremental provisions that the Board believes will better serve
investor protection and the public interest. The Board believes that
building on a well-understood basic framework, appropriately tailored
and strengthened to address its legal and regulatory environment and
its investor protection mandate, will enable firms to implement and
comply with QC 1000 more effectively. In designing, implementing, and
operating their QC systems, firms that are subject to both PCAOB
standards and IAASB or AICPA QC standards--which the Board believes
constitute a very substantial majority of firms that perform
engagements under PCAOB standards \104\--can leverage the work they
have already done and the investments they have already made to comply
with those other requirements.
---------------------------------------------------------------------------

\104\ See below for a discussion of the assumptions regarding
the baseline.
---------------------------------------------------------------------------

Many commenters, including firms and related groups, were generally
supportive of structuring QC 1000 in a manner similar to the structure
of ISQM 1 and SQMS 1. However, several commenters, including firms and
related groups, suggested that further alignment should be considered,
and any differences should be minimized. Several commenters suggested
that firms would be subject to at least two different quality
management/quality control systems, and commented that this would be
impractical for firms to operate. The Board does not believe that QC
1000 conflicts with the requirements of other standard setters or that
anything prevents firms from developing a single QC system for their
entire practice that satisfies both PCAOB requirements and other
professional standards to which the firm is subject. The Board
acknowledges certain differences between QC 1000 and the quality
management standards set by other standard setters, in particular areas
where QC 1000 establishes additional or more stringent requirements.
However, the Board believes that quality responses developed by firms
under QC 1000 can be considered by firms for the purposes of other
quality management standards to which they are subject, reducing the
need for two or more separate QC systems.
One investor-related group did not support the framework of the
standard, arguing that ISQM 1 is a process-driven and compliance-
oriented framework that does not encourage firms to meaningfully
enhance their QC systems for the benefit of investors. Another investor
expressed concern regarding the reliance on ISQM 1 in the development
of QC 1000 on the basis that it does not always reflect the best
interests of investors. The Board continues to believe that a common
basic structure among quality control standards is beneficial. This is
not only cost beneficial, but it also supports a firm's ability to
operate a single, consistent QC system over its whole practice, which
the Board believes ultimately supports audit quality. Where
appropriate, QC 1000 goes beyond ISQM 1 to incorporate more detailed or
more stringent provisions that are specifically relevant to the U.S.
regulatory environment and investors.
Several commenters supported a principles-based approach to QC
1000. However, some commenters suggested that the specified quality
responses throughout the standard impose prescriptive requirements that
are not consistent with maintaining a principles-based approach. Others
expressed a different perspective, suggesting that the standard was too
principles-based, providing the firms with too much flexibility in
designing, implementing, and operating their QC systems. For example,
an investor expressed concern that a principles-based approach does not
always reflect the best interests of investors. Other investor-related
groups expressed concerns that a principles-based approach allows audit
firms to conduct their own risk assessment and design their own
controls to manage risks, including making the determination of whether
QC deficiencies exist and are remediated without any public awareness
or accountability. One of these investor-related groups suggested that
an emphasis on a risk-based approach will result in little to no change
at the largest auditing firms as they believe that this approach is
already embedded in their QC systems. Another investor-related group
commented that the proposed standard set the bar too low and failed to
focus on audit quality and accountability such that it would only
perpetuate the status quo.
The Board has retained the approach as proposed. The Board believes
that QC 1000 strikes the right balance between mandatory and risk-based
elements. As discussed in more detail below, QC 1000 establishes a
mandatory minimum set of outcome-based quality objectives that apply to
all firms. Firms generally cannot omit or modify any of the quality
objectives set out in the standard. Therefore, firms do not determine
the criteria by which their QC systems will be assessed, only the means
by which they will meet those criteria. Moreover, QC 1000 establishes
requirements with which all firms will have to comply for roles and
responsibilities within the QC system and the firm's risk assessment
process, monitoring and remediation process, and evaluation process, as
well as specified quality responses applicable to all firms in areas
that the Board believes justify a more prescriptive approach. It also
includes evaluation and reporting requirements that the Board believes
will add accountability and rigor to the annual evaluation.
Within that framework, QC 1000 requires firms to develop the
policies and procedures they need to achieve the quality objectives and
the overall objective of the QC system. The Board believes this more
principles-based aspect of the standard will prompt firms to identify
and focus on the most relevant risks to quality in the context of their
own practice and will make QC 1000 appropriately scalable. This
approach also allows for the standard to be operable by firms of all
sizes. Smaller PCAOB audit practices can scale down their responses to
fit the risks associated

[[Page 49600]]

with a small practice, and as the practice grows, the firm can scale up
to respond to new quality risks. In addition, the Board believes that
this approach will make it less likely that the standard will need to
be amended in the future in response to changes in the auditing
environment, including the use of technology.
2. Components of the QC System
Under QC 1000, the QC system consists of eight components that are
designed to be highly integrated:

Two process components:
The firm's risk assessment process
The monitoring and remediation process
Six components that address aspects of the firm's organization and
operations:
Governance and leadership
Ethics and independence
Acceptance and continuance of engagements
Engagement performance
Resources
Information and communication

The risk assessment process applies to these six components,
requiring firms to:
Establish outcome-based ``quality objectives,'' including
those specified throughout the standard (i.e., the desired outcomes to
be achieved by the firm with respect to that component);\105\
---------------------------------------------------------------------------

\105\ ``Quality objectives'' are defined in QC 1000.A10.
---------------------------------------------------------------------------

Identify and assess ``quality risks'' to the quality
objectives;\106\
---------------------------------------------------------------------------

\106\ ``Quality risks'' are defined in QC 1000.A12.
---------------------------------------------------------------------------

Design and implement ``quality responses'' (i.e., policies
and procedures to address quality risks);\107\ and
---------------------------------------------------------------------------

\107\ ``Quality responses'' are defined in QC 1000.A11.
---------------------------------------------------------------------------

Establish policies and procedures to monitor internal and
external changes that may require modifications to the quality
objectives, quality risks, or quality responses.
The monitoring and remediation process applies to all of the
components of the QC system, including monitoring and remediation
itself (i.e., firms are required to identify and remediate deficiencies
that are observed in their monitoring and remediation activities).
The firm is also required to evaluate and report on its QC system
annually, based on the results of its monitoring and remediation
activities.
The following diagram illustrates the structure of the firm's QC
system under QC 1000:
BILLING CODE 8011-01-P

[[Page 49601]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.000

BILLING CODE 8011-01-C
3. Quality Objectives, Quality Risks, and Quality Responses, Including
Specified Quality Responses
For each of the six components to which the risk assessment process
applies, QC 1000 specifies required quality objectives. While QC 1000
provides some flexibility with regard to the quality risks that firms
are required to identify and the quality responses that firms are
required to develop to address those risks, it does not provide the
same flexibility with regard to quality objectives. Instead, quality
objectives that will apply to all firms are specified in the standard.
Firms can establish additional quality objectives--indeed, they are
required to do so if necessary to achieve the objective of the QC
system--but they generally cannot omit or modify any of the quality
objectives set out in the standard. The Board believes that, for many
firms, the quality objectives specified in the standard are likely to
be comprehensive, and does not expect in the current environment that
additional quality objectives would generally be necessary. However,
the Board also recognizes that the nature and circumstances of a firm
and its engagements will vary and the environment may change.
Accordingly, firms are required to establish additional quality
objectives, if necessary.\108\ The quality objectives established by
this standard set forth a floor rather than a ceiling.
---------------------------------------------------------------------------

\108\ See ``The Firm's Risk Assessment Process'' below.
---------------------------------------------------------------------------

Firms are required to identify and assess quality risks to the
achievement of the established quality objectives. They are required to
develop quality responses to address the assessed quality risks.
Quality responses are defined as policies and procedures

[[Page 49602]]

designed and implemented by the firm to address quality risks; policies
are statements of what should, or should not, be done to address an
assessed quality risk, and procedures are actions to implement and
comply with policies. As proposed, the definition of quality responses
provided that policies ``may be documented or explicitly stated in
communications.'' In the final rule, that sentence was eliminated to
avoid confusion or potential conflict with the documentation
requirements set out in QC 1000.81-83.
The correspondence across quality objectives, quality risks, and
quality responses is generally not one-to-one. Most quality objectives
are likely to have multiple quality risks. Some quality risks may
affect one or more quality objectives, either within a single component
or across several components, and may require multiple quality
responses. Some quality responses may address multiple quality risks.
Quality responses would typically be specific to the firm, to
respond to its particular assessed quality risks. QC 1000 also includes
some specified quality responses, which are mandatory for the firms to
which they apply. Specified quality responses carry requirements from
current PCAOB standards into QC 1000 or provide new requirements that
the Board believes are important to a firm's QC system. The specified
quality responses are not intended to be comprehensive; on the
contrary, for most of the components of the firm's QC system, the
standard includes only a few specified quality responses, and for the
engagement performance component there are none. As a result, the
specified quality responses alone will not be sufficient to enable the
firm to achieve all established quality objectives; firms are required
to design and implement their own quality responses. Both the specified
quality responses and the quality responses the firm designs and
implements on its own are critical in addressing quality risks. The
following graphic illustrates the relationship between all quality
responses (i.e., the quality responses necessary to achieve all
established quality objectives) and the specified quality responses
established in QC 1000:
[GRAPHIC] [TIFF OMITTED] TN11JN24.001

Terminology

This section discusses some of the terminology used throughout QC
1000. Appendix A to QC 1000 defines several terms used in the standard.
Two commenters indicated that the proposed terminology was
understandable and appropriate, but most commenters on the topic
requested that the terminology used in QC 1000 be consistent with the
terminology used by other standard setters, primarily to avoid
potential confusion and ensure that the process of evaluating the QC
system and the conclusion reached as to its effectiveness would be the
same under both standards. The Board continues to believe that its
proposed terminology is necessary to capture the basic concepts used in
QC 1000, which differ in some respects from the concepts used by other
standard setters, particularly as regards ``other participants,'' as
the Board has defined that term, and the annual QC system evaluation
process, which is grounded in the concepts of ``engagement
deficiency,'' ``QC deficiency,'' and ``major QC deficiency.'' While
this

[[Page 49603]]

approach will result in an incremental burden for firms that seek to
comply with other QC standards as well as QC 1000, the Board believes
that the burden is justified. The Board also believes that, just as
firms can perform audits under different auditing standards, they can
learn to implement and operate a QC system under different QC
standards. Accordingly, with the clarifications described below, the
Board adopted the terminology substantially as proposed.
1. Applicable Professional and Legal Requirements
As discussed in more detail below, compliance with applicable
professional and legal requirements is a fundamental concept under QC
1000, driving the objective of the QC system as well as many quality
objectives and specified quality responses. The proposed standard
defined ``applicable professional and legal requirements'' as
Professional standards, as defined in PCAOB Rule
1001(p)(vi);
Rules of the PCAOB that are not professional standards;
and
To the extent related to the obligations and
responsibilities of accountants or auditors or to the conduct of
engagements, rules of the SEC, other provisions of U.S. Federal
securities law, and other applicable statutory, regulatory, and other
legal requirements.
Two commenters supported the definition as proposed. One commenter
recommended including the profession's ethical standards explicitly.
Two commenters stated the phrase ``other applicable statutory,
regulatory, and other legal requirements'' could be read broadly and
extend beyond regulations that directly bear on the conduct of audit
engagements. Another commenter suggested amending the definition of
``professional standards'' in PCAOB Rule 1001(p)(vi) to refer to
``quality control standards'' rather than ``quality control policy and
procedures.''
In response to comments, the Board made changes to the third, more
general clause of the definition. As one commenter suggested, the Board
expanded the definition to explicitly mention ethics laws and
regulations.\109\ While the definition as proposed encompassed
applicable ethics requirements, the Board believes an express reference
will help to remind firms and individuals of the centrality of ethics
considerations. The Board also refined the definition to make clear
that it encompasses statutory, regulatory, and other legal requirements
beyond professional standards and other PCAOB rules ``[t]o the extent
related to the obligations and responsibilities of accountants or
auditors in the conduct of engagements or in relation to the QC
system.'' This change is designed to limit the breadth of the
definition to the relevant circumstances.
---------------------------------------------------------------------------

\109\ These include those arising under state law or the law of
other jurisdictions (e.g., obligations regarding client
confidentiality). See QC 1000 footnote 10.
---------------------------------------------------------------------------

The phrase ``quality control policies and procedures,'' used in
PCAOB Rule 1001(p)(vi), is drawn from section 110(5) of Sarbanes-Oxley.
The Board believes its rule should continue to align with that
statutory provision.
This definition captures all professional and legal requirements
specifically related to engagements under PCAOB standards of issuers
and SEC-registered broker-dealers, including relevant accounting,
auditing, and attestation standards, PCAOB and SEC rules, other
provisions of Federal securities law, other relevant laws and
regulations (e.g., state law and rules governing accountants),
applicable ethics law and rules, and other legal requirements related
to the obligations and responsibilities of accountants or auditors in
the conduct of the firm's engagements or in relation to the QC
system.\110\ It does not encompass requirements that apply to
businesses generally, such as tax laws, safety regulations, and
employment law.
---------------------------------------------------------------------------

\110\ For avoidance of doubt, the requirements relating to
compliance with applicable professional and legal requirements are
meant to make clear that, as relates to engagements subject to PCAOB
standards, all applicable professional and legal requirements must
be followed. The requirement does not suggest that application of
``other applicable statutory, regulatory, and other legal
requirements'' could supersede rules of the SEC, other provisions of
U.S. Federal securities law, rules of the PCAOB that are not
professional standards, or PCAOB professional standards. On the
contrary, requirements relating to ``applicable professional and
legal requirements'' are meant to highlight the importance of
adhering to other requirements when those requirements do not
conflict with or abridge requirements of Federal securities laws,
PCAOB rules, or PCAOB standards.
---------------------------------------------------------------------------

2. Engagement
The proposed standard defined ``engagement'' as (1) any audit,
attestation, review, or other engagement under PCAOB standards
performed by a firm, or (2) any engagement in which a firm ``play[s] a
substantial role in the preparation or furnishing of an audit report''
as defined in PCAOB Rule 1001(p)(ii).\111\ In the final standard, the
term ``engagement'' encompasses the same scope as it did in the
proposal--when the firm leads an engagement as lead auditor or
practitioner, or plays a substantial role--but the definition has been
restructured for clarity.
---------------------------------------------------------------------------

\111\ Generally, and as described in more detail in Rule
1001(p)(ii), a firm plays a substantial role in the preparation or
furnishing of an audit report if (1) its engagement hours or fees
constitute 20% or more of the total engagement hours or fees or (2)
it performs the majority of the audit procedures with respect to a
subsidiary or component whose assets or revenues constitute 20% or
more of the consolidated assets or revenues of the issuer, broker,
or dealer.
---------------------------------------------------------------------------

The final standard defines ``engagement'' as any audit,
attestation, review, or other engagement performed under PCAOB
standards:
Led by a firm; or
In which a firm ``play[s] a substantial role in the
preparation or furnishing of an audit report'' as defined in PCAOB Rule
1001(p)(ii).
The definition covers not only circumstances in which the firm
serves as the lead auditor or the ``practitioner'' for an attestation
engagement, which is what is customarily meant by the term engagement,
but also any substantial role work the firm undertakes. The Board's
view is that this additional breadth is appropriate because playing a
substantial role in an engagement for an issuer or broker-dealer is
sufficient to require a firm to register with the PCAOB. The definition
covers all engagements under PCAOB standards performed by the firm,
whether the application of PCAOB standards is legally required (e.g.,
for audits of issuers and broker-dealers) or undertaken pursuant to
contractual agreement, where permitted but not required under SEC
rules, or for any other reason.
Commenters on the definition of ``engagement'' generally supported
it. One commenter requested clarification as to why the definition does
not include work performed at less than a substantial role, given that
the standard includes requirements regarding such work.
The Board defined ``engagement'' to exclude work performed on other
firms' PCAOB engagements at less than a substantial role because it
believes the auditor responsibilities associated with such work, and
the risks posed by it, are materially different than the
responsibilities and risks associated with a firm leading an engagement
or playing a substantial role.\112\ QC 1000 contains provisions
specifically applicable to work performed on other firms' PCAOB
engagements at less than

[[Page 49604]]

a substantial role, which have been tailored to reflect those
responsibilities and risks. The Board believes this tailored approach
is appropriate.
---------------------------------------------------------------------------

\112\ PCAOB registration rules reflect this difference in risk
profile: PCAOB registration is required for firms that lead
engagements or play a substantial role in audits of issuers and
broker-dealers, but not for work performed on other firms'
engagements at less than a substantial role. See PCAOB Rule 2100,
Registration Requirements for Public Accounting Firms.
---------------------------------------------------------------------------

Also grounded in the Board's views on relative risk and the
investor interests at stake, the concept of ``engagement'' marks an
important distinction in the level of responsibility created under QC
1000: while all registered firms are required to design a QC system
that complies with QC 1000, the threshold for a firm to implement and
operate the QC system is when the firm has responsibilities under
applicable professional and legal requirements with respect to a firm
engagement. The distinction between scaled applicability under QC 1000
(for firms that do not have responsibilities with respect to
engagements) and full applicability of QC 1000 (for firms that do
perform engagements) is discussed in more detail below.
The Board notes, however, that just because work performed on other
firms' PCAOB engagements at less than a substantial role is not
considered an ``engagement'' does not mean it is disregarded under the
QC system. This work, by itself, does not trigger the requirement to
implement and operate the QC system under QC 1000. However, once a firm
is required to implement and operate the QC system, the system will
operate over all work performed by the firm under PCAOB standards,
including work performed on other firms' PCAOB engagements at less than
a substantial role. If a firm is required to implement and operate a QC
system under QC 1000, the Board believes that the QC system should
address every engagement under PCAOB standards in which the firm
participates.
3. Firm Personnel
The proposed standard defined ``firm personnel'' as individual
proprietors, partners, shareholders, members or other principals,
accountants, and professional staff of a registered public accounting
firm whose responsibilities include assisting with: (1) the performance
of the firm's engagements; or (2) the design, implementation, or
operation of the firm's QC system, including engagement quality
reviews. Professional staff refers not only to employees, but also to
other individuals who work under the firm's supervision or direction
and control and function as the firm's employees. For example,
secondees and leased staff would fall under the definition of ``firm
personnel.''
Two commenters agreed with the definition as proposed. Some firms
and related groups objected to including non-employee contractors and
consultants as firm personnel, in particular because they are not
subject to the firm's performance evaluation or promotion process.
These commenters suggested that such persons be classified as other
participants instead. One commenter expressed concern about potential
exposure due to the differences between QC 1000 and the definitions of
employees with Federal, State, and local tax and labor laws.
The Board continues to believe it is appropriate for the definition
of firm personnel to include individuals, such as non-employee
contractors and consultants, who work under the firm's supervision or
direction and control and function as the firm's employees. In light of
the range of legal structures and arrangements used by firms in
acquiring and deploying staff, the Board believes a definition based
exclusively on legal employment would be too narrow. Instead, the final
rule retains an approach based on the functional role played by the
individual rather than a specific legal relationship.
When the firm is identifying quality risks to quality objectives
that include firm personnel, it may identify different risks associated
with non-employee contractors and consultants than other firm
personnel, and accordingly would have to develop different policies and
procedures for them. For example, non-employee contractors and
consultants may be evaluated through the contracting process to
determine whether the firm should retain them instead of through the
firm's formal evaluation framework.
While the Board expresses no view on any tax or labor law
consequences, it notes that the definition does not conflate ``firm
personnel'' with employees. On the contrary, the Board acknowledges
that firm personnel includes some non-employees.
Some commenters, generally firms and related groups, were opposed
to the definition including anyone who ``assists with'' engagements or
the quality control system, as it may include administrative staff. The
Board revised the definition of firm personnel to clarify that
``professional staff does not include persons engaged only in clerical
or ministerial tasks,'' which aligns with the definition of ``Person
Associated With a Public Accounting Firm (and Related Terms)'' in PCAOB
Rule 1001(p)(i).\113\
---------------------------------------------------------------------------

\113\ By aligning the QC 1000 definition of ``firm personnel''
with the definition of ``Person Associated with a Public Accounting
Firm (and Related Terms)'' in this regard, the Board does not mean
to suggest that only ``firm personnel'' can be associated persons.
``Other participants'' can also be associated persons.
---------------------------------------------------------------------------

4. Other Participants
Over the years, audits of issuers have increasingly involved the
use of entities and individuals outside the firm in performing audit
procedures and evaluating audit evidence. In the context of amending
the standards governing the involvement of other auditors in an audit,
the Board discussed the increasing prevalence and importance of the use
of other audit firms and individual accountants outside the firm, such
as an EQR not employed by the firm, and the use of auditor-engaged
specialists.\114\ While it may be beneficial, and in many cases
essential, to use other participants in some engagements, these
arrangements can pose risks because other participants may not be
subject to the same quality controls as firm personnel (for example,
with regard to personnel assignments, training, supervision, and
monitoring).
---------------------------------------------------------------------------

\114\ See Planning and Supervision of Audits Involving Other
Auditors and Dividing Responsibility for the Audit with Another
Accounting Firm, PCAOB Rel. No. 2022-002 (June 21, 2022), at 13;
Amendments to Auditing Standards for Auditor's Use of the Work of
Specialists, PCAOB Rel. No. 2018-006 (Dec. 20, 2018), at 10-15.
---------------------------------------------------------------------------

With respect to work performed in connection with the firm's QC
system or the performance of its engagements, QC 1000 defines ``other
participants'' as accounting firms (foreign or domestic, registered or
unregistered), accountants, and other professionals \115\ or
organizations, other than firm personnel, whose responsibilities
include assisting with the performance of the firm's engagements or the
design, implementation, or operation of the firm's QC system, including
engagement quality reviews.\116\
---------------------------------------------------------------------------

\115\ In this context, ``professionals'' refers broadly to
workers who perform other than clerical or ministerial tasks.
\116\ It should be noted that ``referred-to auditors,'' as that
term is defined in the amendments to AS 2101, Audit Planning,
adopted in PCAOB Rel. No. 2022-002, are not ``other participants''
under QC 1000 because the referred-to auditor performs its own
engagement and does not participate in the engagement of the lead
auditor.
---------------------------------------------------------------------------

Some commenters expressed concerns with the use of ``other
participants'' throughout the standard. Many commenters said the
proposed responsibilities of the firm with regard to other participants
were too broad. A few commenters suggested removing the reference to
other participants from certain specified quality responses and
allowing firms to tailor their responses to quality objectives for
other participants. Some commenters were

[[Page 49605]]

specifically concerned about the inclusion of internal auditors and
external specialists in the standard through other participants, and
believe they are adequately addressed in other standards. Some
commenters argued that other participants should not be included in
another firm's quality control system because they are covered by their
own firm's quality control system.
Some commenters suggested bifurcating the definition into other
participants whose responsibilities include assisting with the
performance of the firm's engagements and other participants whose
responsibilities include assisting with the design, implementation, and
operation of the firm's QC system, on the basis that this would enhance
clarity regarding to whom the requirements apply. One commenter said
the policies and procedures related to other participants would differ
depending on the type of other participant (for example, an internal
auditor providing direct assistance differs from an auditor,
specialist, or engagement quality reviewer) and QC 1000 imposes the
same requirements for each type. One commenter supported the
definition. One commenter agreed with separately defining ``other
participants'' and ``third-party providers.''
The final standard reflects the Board's view that, in designing,
implementing, and operating its QC system, the firm will have to
address not only firm personnel but also other auditors \117\ and other
professionals or organizations that the firm uses in connection with
the firm's QC system or the performance of its engagements. References
to other participants are included throughout QC 1000 in a tailored and
context-specific way that recognizes the key roles that other
participants play.
---------------------------------------------------------------------------

\117\ See AS 1205, Part of the Audit Performed by Other
Independent Auditors, and AS 1201 (which takes effect for audits of
financial statements for fiscal years ending on or after Dec. 15,
2024).
---------------------------------------------------------------------------

The Board recognizes that some other participants may be covered by
their own firm's quality control system, and that fact may inform the
firm's risk assessment with respect to their participation. But the
firm's own QC system must address all the work done on the firm's
engagements and in connection with the design, implementation, and
operation of the firm's QC system itself, regardless of who does it.
Commenters correctly pointed out that specific performance
standards exist related to the use of certain types of other
participants in an audit, such as other auditors,\118\ internal
auditors,\119\ and specialists,\120\ but that does not mean that QC
over their use in the firm's engagements is unnecessary. In part, the
QC system operates to assure compliance with those specific audit
standards. But it must also provide more general assurance about the
performance of audits in which those types of other participants are
involved. For example, the Board expects that the firm's policies and
procedures would cover, if applicable, engaging specialists,
determining their compliance with ethics and independence requirements,
and communicating with them as part of the firm's quality control
system.
---------------------------------------------------------------------------

\118\ See, e.g., AS 1201, and AS 1206, Dividing Responsibility
for the Audit with Another Accounting Firm.
\119\ See, e.g., AS 2605, Consideration of the Internal Audit
Function.
\120\ See, e.g., AS 1210, Using the Work of an Auditor-Engaged
Specialist.
---------------------------------------------------------------------------

The Board does not believe it is necessary for QC 1000 to bifurcate
other participants between those that participate in engagements and
those that are involved with the QC system. Just because a quality
objective or other provision of QC 1000 refers to all types of other
participants in the same way does not mean that the firm should respond
by treating all types of other participants in the same way. On the
contrary, the firm's policies and procedures addressing other
participants should differentiate based on the types and roles of other
participants to the extent necessary to be responsive to the firm's
quality risks. When designing quality responses, the firm will address
the specific risks posed by the other participants and their
responsibilities within the firm's engagements and QC system. For
example, a firm that uses a network as a resource in many areas, such
as independence tracking and monitoring, engagement performance,
information and communication, and monitoring and remediation, would
have many quality risks and quality responses related to their use of
the network. A smaller firm that only uses one individual from outside
the firm as an engagement quality reviewer may have fewer quality risks
and quality responses related to other participants to address in its
quality control system.
The following diagram provides QC 1000's definitions of ``firm
personnel'' and ``other participants'' and provides examples of each
type:
BILLING CODE 8011-01-P

[[Page 49606]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.002

[[Page 49607]]

BILLING CODE 8011-01-C
As noted in the diagram, the persons performing some roles, such as
an EQR or personnel at shared service centers, may be firm personnel or
other participants, depending on their relationship to the firm. For
example, an EQR employed by the firm would be considered firm
personnel, whereas an EQR contracted from outside the firm that is not
functioning as a firm employee would be an other participant.
Similarly, personnel at shared service centers may be firm personnel
(if they are employed by the firm or function as firm employees) or
other participants (if they are personnel of another organization, such
as a network affiliate).
5. Networks
QC 1000 acknowledges that networks of firms may be structured in a
variety of ways and could include arrangements between firms for
sharing knowledge; developing and implementing consistent policies,
tools, and methodologies; conducting multi-location engagements; or
executing other types of business or administrative matters. Through
its oversight activities, the PCAOB has observed that some networks
provide or require use of a wide range of resources and services and
may involve various levels of personnel, composed of a mix of the
firm's national and local office personnel. Some examples of resources
and services that networks provide include:
Audit methodologies;
Technology tools;
Training;
Risk management activities;
Consultations on accounting, auditing, and SEC matters;
Preventive engagement-level monitoring and coaching;
Support for inspections; and
Root cause analysis and remediation.
Since networks may involve a wide variety of different arrangements
and different degrees of coordination and cooperation across firms,
rather than attempting to define the term ``network,'' QC 1000
describes these types of arrangements in more general terms.\121\ Under
the standard, networks may include a combination of registered and
unregistered accounting firms and other entities.
---------------------------------------------------------------------------

\121\ In the standard, references to a ``network'' encompass all
of the memberships and affiliations that registered firms must
report to the PCAOB in Item 5.2 of their annual report on Form 2,
including certain networks, arrangements, alliances, partnerships,
and associations. See Item 5.2, PCAOB Form 2 (describing reporting
requirements for memberships, affiliations, and similar
arrangements).
---------------------------------------------------------------------------

6. Third-Party Providers
Commenters on this topic supported the definition of third-party
providers as proposed.
The standard addresses resources used by the firm that are sourced
from third-party providers. Third-party providers are individuals or
organizations, other than other participants, as defined above, that
provide resources to the firm that are specifically designed for use in
the performance of engagements or to assist in the operation of its QC
system.\122\ The following diagram provides QC 1000's definition of
``third-party providers'' and several examples of them:
---------------------------------------------------------------------------

\122\ Providers of resources that are not specifically designed
for use in the performance of engagements or to assist in the
operation of firms' QC systems (e.g., general word processing and
spreadsheet software) are not ``third-party providers'' as the Board
has defined that term.
[GRAPHIC] [TIFF OMITTED] TN11JN24.003

[[Page 49608]]

Scalability

The approximately 1,600 firms registered with the PCAOB differ
significantly based on their nature and circumstances:
Approximately 53% of firms are located in foreign
jurisdictions, representing 89 foreign jurisdictions;
Approximately 20% of total firms, and 40% of firms located
in foreign jurisdictions, belong to one of six global networks that
contain the largest number of registered, non-U.S. firms that share
resources such as methodology and monitoring activities; \123\
---------------------------------------------------------------------------

\123\ The six global networks that contain the largest number of
registered, non-U.S. firms as reported on Form 2s filed in 2023 are:
BDO International Limited, Deloitte Touche Tohmatsu Limited, Ernst &
Young Global Limited, Grant Thornton International Limited, KPMG
International Cooperative, and PricewaterhouseCoopers International
Limited (the member firms of these networks are collectively
referred to herein as ``GNFs'').
---------------------------------------------------------------------------

Approximately 60 firms are sole proprietorships;
Approximately 650 firms, or 41% of firms, performed an
engagement under PCAOB standards for an issuer or broker-dealer during
the 12 months ended June 2023;
Approximately 70 only played a substantial role in such
engagements in the past year;
Approximately 140 performed audits of only broker-dealers
in the past year;
Approximately 130 firms that did not perform an engagement
under PCAOB standards for an issuer or broker-dealer in 2022 did
perform such an engagement in the past five years; and
Approximately 51% of firms have not performed an
engagement under PCAOB standards for an issuer or broker-dealer in the
past five years.\124\
---------------------------------------------------------------------------

\124\ The data were obtained from Audit Analytics and publicly
available data from the PCAOB's Registration, Annual and Special
Reporting (RASR) available at https://rasr.pcaobus.org. The PCAOB
does not collect information about whether registered firms perform
engagements under PCAOB standards other than for issuers and broker-
dealers. Firms may be engaged, for example, in connection with the
audit of a reporting company that does not meet the Sarbanes-Oxley
definition of ``issuer'' described in footnote 2 above, in
connection with certain offerings of securities that are exempt from
registration under the Securities Act (e.g., offerings under
Regulation A, Regulation D, or Regulation Crowdfunding), pursuant to
a contractual obligation such as a loan covenant, or on an entirely
voluntary basis.
---------------------------------------------------------------------------

While the Board believes the basic objectives of the QC system
ought to be the same across all firms, the Board believes the QC
standard needs to be appropriately scalable, so that firms of different
sizes and characteristics can appropriately design their QC system to
address the risks associated with their own practice.
The specific policies and procedures necessary to achieve the
objectives of the QC system may vary significantly across firms,
depending on their size, the types of engagements they perform, and
other factors. The Board believes that QC 1000 is sufficiently
principles-based and scalable that firms will be able to pursue an
approach to QC that is appropriate in light of their specific
circumstances.
In the Board's view, firms that perform engagements under PCAOB
standards should generally be subject to the same QC requirements. In
particular, the Board does not believe the historical distinction
between firms that were members of the SECPS in 2003 and those that
were not has continuing relevance in determining the QC standards that
should apply today. Accordingly, the Board eliminated that distinction.
As discussed in more detail below, QC 1000 incorporates certain SECPS
requirements, making them applicable to all firms, and eliminates
others. However, the Board also believes there are specific areas, such
as firm governance, where firms with larger PCAOB audit practices
should be subject to enhanced requirements. QC 1000 includes several
requirements that apply only to the firms that meet the statutory
threshold for annual PCAOB inspection.
The Board is aware that there is a significant number of registered
firms that do not perform engagements under PCAOB standards every
year--they only participate in other firms' engagements at less than
the level of a substantial role or have no involvement in issuer or
broker-dealer engagements. The Board believes that the risk to investor
protection is minimal if the firm is not performing engagements under
PCAOB standards for issuers and SEC-registered broker-dealers, and that
it is appropriate to provide for more limited QC obligations in those
circumstances. Under QC 1000, all registered firms are required to
design a QC system but only firms that are subject to applicable
professional and legal requirements with respect to a PCAOB engagement
are required to implement and operate the QC system.
1. Scaled Applicability vs. Full Applicability
The Board created a fundamental distinction in QC 1000 between the
obligation to design a QC system in compliance with the standard, which
will apply to all firms,\125\ and the obligation to implement and
operate an effective QC system, which, broadly speaking, will apply
only to firms that perform engagements under PCAOB standards.
---------------------------------------------------------------------------

\125\ QC 1000.06, discussed below, sets out the requirements for
QC system design.
---------------------------------------------------------------------------

Under the standard, firms are required to implement and operate an
effective QC system--that is, comply with all provisions of QC 1000--at
all times that the firm is required to comply with applicable
professional and legal requirements with respect to any of the firm's
engagements.\126\
---------------------------------------------------------------------------

\126\ QC 1000.07.
---------------------------------------------------------------------------

As noted above, many registered firms do not perform engagements
every year. However, a firm that is not currently performing any
engagements may nevertheless have to comply with applicable
professional and legal requirements with respect to a previous or
future firm engagement. For example, procedures for the acceptance of a
new engagement have to be performed before the engagement is conducted.
Responsibilities may also arise with respect to completed engagements
long after the issuance of the auditor's report--for example, if the
issuer requests the auditor's consent to include its report in a
registration statement, if an engagement deficiency is identified that
requires remediation, or if the auditor becomes aware of facts that may
have existed at the date of the auditor's report which may have
affected the report. In the Board's view, whenever a firm has
responsibilities under applicable professional and legal requirements
with respect to an engagement, those responsibilities should be
performed under a QC system that is implemented, is operating, and
complies with PCAOB standards.
Importantly, if a firm is required to implement and operate an
effective QC system, the firm would not necessarily have to implement
and operate every QC policy or procedure that it has designed. An
effective QC system provides reasonable assurance that the firm is
complying with ``applicable'' professional and legal requirements. The
extent of ``applicable'' requirements could change depending on the
firm's circumstances, and the QC system policies and procedures that
the firm would have to implement and operate could change in response.
For example, if a firm last performed an engagement (as defined in the
standard) five or six years ago and has no current responsibilities
with respect to any other firms' engagements, it might be subject only
to requirements regarding

[[Page 49609]]

the retention of certain engagement-related documentation.\127\ In such
a circumstance, an effective QC system--i.e., a system that provides
reasonable assurance that the firm is complying with applicable
professional and legal requirements regarding such documentation--could
be scaled back to address only engagement-related documentation
retention, as well as ongoing evaluation, reporting, and documentation
requirements with respect to the QC system itself. The Board asked in
the proposing release whether it was clear how a firm's
responsibilities under QC 1000 may change depending on the extent of
applicable professional and legal requirements to which the firm is
subject at a particular time, and commenters that responded on the
issue were generally supportive.
---------------------------------------------------------------------------

\127\ See AS 1215; 17 CFR 210.2-06.
---------------------------------------------------------------------------

If the firm has no more responsibilities with respect to any
engagement, the firm is required to continue operating the QC system
until the next September 30 (the annual evaluation date). This would
ensure that the firm would be required to evaluate and report on the QC
system for any year during which the QC system was required to
operate.\128\
---------------------------------------------------------------------------

\128\ QC 1000.07. The proposed requirements for evaluation of
and reporting on the QC system are discussed below.
---------------------------------------------------------------------------

Firms that are not subject to the requirement to implement and
operate the QC system are still subject to the requirement to design a
QC system that complies with QC 1000.\129\ Paragraph .06 of QC 1000,
discussed below, sets out the requirements for design of the QC system
in more detail.
---------------------------------------------------------------------------

\129\ The standard makes clear that any existing obligations
under QC 1000 (for example, reporting obligations with respect to
prior periods when the firm was required to implement and operate
the QC system) would continue.
---------------------------------------------------------------------------

The Board believes it is appropriate to limit the application of
the requirements of QC 1000 for firms that have no obligations under
applicable professional and legal requirements with respect to firm
engagements. Indeed, in those situations it is hard to see how a firm
could, as a practical matter, ``implement'' or ``operate'' its QC
system. Implementation and operation contemplate, among other things,
the application of QC policies and procedures to the firm's
engagements, monitoring of work performed on engagements, and
identification and remediation of engagement deficiencies. Without
``engagements,'' as the standard defines that term, implementation and
operation of a QC system would be largely hypothetical. Moreover, the
population of firms that are subject only to the design requirements of
QC 1000 is comprised entirely of firms that are not required to be
registered with the PCAOB--because they do not participate in
engagements under PCAOB standards or do so only below the level of a
substantial role.\130\
---------------------------------------------------------------------------

\130\ If a firm requests leave to withdraw from PCAOB
registration and is permitted to do so, the firm, upon its
withdrawal from registration, would no longer be subject to an
obligation to design, implement, or operate a QC system in
accordance with QC 1000.
---------------------------------------------------------------------------

Many commenters, including firms and related groups, investor-
related groups, academics, and others, did not support requiring firms
that are not required to comply with applicable professional and legal
requirements to design a QC system under QC 1000. Several of these
commenters expressed concerns that this would be unnecessarily costly
to those firms, or suggested that there could be challenges associated
with implementing and operating a QC system based on hypothetical risks
that could differ from the actual risks at the time the firm accepts
and performs engagements pursuant to PCAOB standards. Some commenters
suggested that this requirement may cause firms to deregister with the
PCAOB, decline to assist U.S. firms in executing their global audits,
or create a potential barrier to entry for new firms in the
marketplace. One firm-related group commented that as this aspect of
the proposal affects such a large number of firms, the potential
political impacts deserve further consideration. The firm-related group
further commented that foreign firms could see this as an accelerator
to a decision to not service specific audit markets, which potentially
impacts audit markets beyond the U.S., and that policy makers in other
countries may view the potential for further market concentration more
significantly.
Firms and a related group raising cost concerns with the proposed
QC system design requirements suggested allowing firms that do not
perform engagements the flexibility to design their QC system in
accordance with another QC standard, such as ISQM 1 or SQMS 1. One of
these firms further suggested that firms transitioning to performing
engagements under PCAOB standards be given an additional six months to
one year from their annual evaluation date to file their Form QC for
the transition period. The firm asserted that even if a firm has
complied with the design requirements, implementing and operating a QC
system that complies with the standard would involve significant
effort. Another firm suggested that it would be more appropriate to
have a transition period for the registered public accounting firm to
update their system of quality control to adhere to the incremental
requirements of the PCAOB. An academic suggested that the design
requirements for firms that have not performed and do not plan to
perform engagements pursuant to PCAOB standards should be limited to
client acceptance components. One firm suggested that the standard
could include a requirement that firms are not allowed to perform an
engagement under PCAOB standards until they have designed and
implemented QC 1000. Other commenters suggested that registered firms
that do not intend to conduct PCAOB audits should not be required to do
anything under QC 1000.
Other commenters suggested a variety of approaches for when firms
should be required to implement and operate a QC 1000-compliant QC
system. One firm suggested that firms that only perform a substantial
role in more than a certain threshold (presumably to be specified by
the PCAOB) of PCAOB engagements could be permitted to comply with ISQM
1 instead of being subject to full applicability of QC 1000. Another
commenter suggested that smaller firms (e.g., triennially inspected
firms with fewer than 100 issuer engagements) be permitted the option
of complying with ISQM 1 or SQMS 1 as an alternative to QC 1000.
Another firm suggested that the PCAOB should permit non-U.S. firms to
comply with ISQM 1 rather than adopting QC 1000. Another commenter
suggested that the criteria for full applicability of the standard
should be based on whether the engagements individually or in the
aggregate involve a material amount of market capitalization. The
commenter suggested that under such an approach, the requirement to
operate the QC system could be optional for registered firms auditing
companies with a smaller market capitalization.
Some commenters, including a firm, a firm-related group, and an
investor, commented that the requirement to design a QC 1000-compliant
QC system is appropriate for any registered firm, even if it is not
performing engagements or playing a substantial role in other firms'
engagements. One firm-related group agreed that whenever a firm has
responsibilities under applicable professional and legal requirements
with respect to an engagement, those responsibilities should be
performed under a fully implemented and operating QC system that
complies with

[[Page 49610]]

PCAOB standards. However, the commenter asked for clarification on the
circumstances that trigger the need for a firm to implement and operate
a QC system in compliance with QC 1000, and suggested targeted guidance
in that area would be helpful.
The Board continues to believe that requiring all registered firms
to design a QC system that complies with the standard, regardless of
whether they have obligations with respect to engagements, is
consistent with the PCAOB's statutory mandate and historical practice.
Sarbanes-Oxley directs the PCAOB to include in its QC standards
requirements related to numerous topics for ``every'' registered public
accounting firm.\131\ The statute also directs the PCAOB that
applications for registration with the PCAOB must contain ``a statement
of the quality control policies of the [applicant] for its accounting
and auditing practices.'' \132\ Consistent with that directive, as a
condition to registration, applicants are required to furnish ``a
narrative, summary description, in a clear, concise and understandable
format, of the quality control policies of the applicant for its
accounting and auditing practices, including procedures used to monitor
compliance with independence requirements,'' \133\ and that description
must provide an overview of the applicant's quality control policies
regarding each element of quality control.\134\ Therefore, firms that
register with the Board are already required to provide a summary of
the design of their QC system regardless of whether they have
obligations with respect to engagements.\135\
---------------------------------------------------------------------------

\131\ Section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C.
7213(a)(2)(B).
\132\ Section 102(b)(2)(D) of Sarbanes-Oxley, 15 U.S.C.
7212(b)(2)(D).
\133\ Item 4.1 of PCAOB Form 1 (``Applicant's Quality Control
Policies''). The Board modified the information about QC required in
Form 1. See below.
\134\ See Frequently Asked Questions Regarding Registration with
the Board, PCAOB Rel. No. 2003-011F (Dec. 4, 2017) (Question #32),
available at https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/registration/information/documents/registration_faq.pdf?sfvrsn=c50d7356_0. As part of this rulemaking
the requirements in Form 1 are being amended.
\135\ In a separate rulemaking, the Board proposed to create a
new form, Form QC--Policies and Procedures (``Form QCPP''), to
require that, once QC 1000 becomes effective, any firm that
registered with the Board prior to the date that QC 1000 becomes
effective must submit an updated statement of the firm's quality
control policies and procedures pursuant to QC 1000. See Firm
Reporting, Rel. No. 2024-003 (Apr. 9, 2024) at 41.
---------------------------------------------------------------------------

The Board also believes that requiring all firms to design a QC
system that complies with all provisions of QC 1000, and not just
limiting the requirement to certain components such as acceptance and
continuance of engagements, is consistent with its investor protection
mandate. While the Board acknowledges that there could be challenges
associated with implementing and operating a QC system based on
hypothetical risks, it continues to believe that it is important for
registered firms to design a QC system based on the quality risks the
firm likely would face if it were to perform engagements. Because
registering with the PCAOB enables a firm to issue audit reports or
play a substantial role on audits performed under PCAOB standards for
issuers and broker-dealers, and because investors and companies
considering engaging the firm could reasonably expect that any firm
that could pursue such an engagement would already have a PCAOB-
compliant QC system designed and ready for implementation and
operation, the Board believes that imposing a design requirement on all
registered firms promotes its mission of protecting investors and
promoting the public interest.
As discussed in more detail below, QC 1000 includes requirements
that do not appear in other QC standards or that are more prescriptive
or more specifically tailored to the PCAOB's legal and regulatory
environment than the provisions of ISQM 1 or SQMS 1. Because of these
key differences, the Board does not believe that a QC system design
based on ISQM 1 or SQMS 1, as suggested by some commenters, would be
sufficient. Furthermore, the Board believes that compliance with ISQM 1
may not be the regulatory baseline within certain jurisdictions. The
PCAOB has observed other standard setters and regulators adopt
variations of ISQM 1, which typically include more detailed and
stringent requirements.\136\ Therefore, the Board believes that audit
firms within some jurisdictions will already have to design and operate
a QC system that goes beyond the requirements of ISQM 1, and it would
not be appropriate for the Board to permit compliance with a less
stringent quality system than the one required in the local regulatory
environment. Similarly, the Board does not believe that it would be
appropriate for it to permit firms to comply with their locally
applicable variation of ISQM 1 as this would result in the PCAOB
requiring and managing compliance with a multitude of different QC
standards.
---------------------------------------------------------------------------

\136\ See, e.g., International Standard on Quality Management
(UK) 1, adopted by the Financial Reporting Council (March 2023).
---------------------------------------------------------------------------

The Board also continues to believe that, whenever a firm has
responsibilities under applicable professional and legal requirements
with respect to a firm engagement, those responsibilities should be
performed under a QC system that is implemented, is operating, and
complies with PCAOB standards. Given the unique features of QC 1000,
compliance with ISQM 1 or SQMS 1 would not, in the Board's view, be an
adequate substitute, nor would the Board's regulatory purposes be
served by providing firms with an extended compliance period after they
take on an engagement.
The Board does not believe that this requirement will result in
disruption to competition in the audit market. Firms that are subject
to applicable professional and legal requirements with respect to
engagements, including substantial role engagements, are required to
implement and operate a QC 1000-compliant QC system. If a registered
firm that has not led an engagement or played a substantial role in the
past anticipates the possibility of transitioning to performing
engagements, the Board believes the requirement to design a QC system
that complies with QC 1000 will facilitate timely implementation and
operation of their QC 1000 QC system, which will in turn facilitate
appropriate performance of the engagements; appropriate monitoring and,
if necessary, remedial action; and timely evaluation and reporting on
Form QC.\137\ QC 1000 shares a basic structure and approach with ISQM 1
and SQMS 1, so designing for the incremental features unique to QC 1000
should not be unduly burdensome for firms that are subject to either or
both of those other QC standards (which the Board believes will be the
case for a very substantial majority of firms that are in a position to
perform PCAOB engagements).\138\
---------------------------------------------------------------------------

\137\ The Board understands that the actual quality risks the
firm faces when it takes on an engagement may differ from the
hypothetical risks considered in designing the QC system. QC 1000
requires the firm to establish policies and procedures to monitor,
identify, and assess changes to conditions, events, and activities
that indicate modifications to the firm's quality objectives,
quality risks, or quality responses may be needed, and to make
timely modifications as needed. See QC 1000.22-23.
\138\ See Section D.
---------------------------------------------------------------------------

The Board does not believe that QC 1000 conflicts with the
requirements of other standard setters or that anything prevents firms
from developing a single QC system for their entire practice that
satisfies both PCAOB requirements and other professional standards to
which the firm is subject. The Board

[[Page 49611]]

acknowledges certain differences between QC 1000 and the quality
management standards set by other standard setters, in particular areas
where QC 1000 establishes additional or more stringent requirements.
However, the Board believes that quality responses developed by firms
under QC 1000 can be considered by firms for the purposes of other
quality management standards to which they are subject, reducing the
need for two or more separate QC systems.
BILLING CODE 8011-01-P
[GRAPHIC] [TIFF OMITTED] TN11JN24.004

BILLING CODE 8011-01-C
Firms participating in a PCAOB engagement below the level of a
substantial role do not require registration with the PCAOB. If such a
firm does not lead and does not plan to lead engagements or play a
substantial role in engagements pursuant to PCAOB standards, then the
Board believes that the firm should assess whether the costs of
complying with the design requirement are commensurate with their
perceived benefit of being registered with the PCAOB.
2. Other Scalability Considerations
Aspects of QC 1000 are risk-based, which makes them inherently
scalable. Firms are required to apply a risk-based approach to the
design, implementation, and operation of the QC system in the context
of their own audit practice. The standard provides that the firm will
tailor the design of its QC system to its specific facts and
circumstances, such as:
The size and complexity of the firm;
The types and variety of engagements it performs;
The types of companies for which it performs engagements;
and

[[Page 49612]]

Whether it is a member of a network and, if so, the nature
and extent of the network relationship.
Several commenters, including firms and a firm-related group,
suggested that the proposed standard was too prescriptive. Many of
these commenters suggested that, to promote further scalability,
specified quality responses could be replaced with quality objectives
to allow each firm to develop quality responses appropriate to the
circumstances and risks for their firm. One of these firms stated that
it disagreed with the notion in the proposing release that a specified
quality response suggests that every firm has the same or similar
quality risks and that the responses to those risks will also be the
same or similar. Another firm suggested that the specified quality
responses make the standard inherently less scalable and could be a
barrier to entry for smaller firms. The firm further suggested that an
overreliance on specified quality responses could discourage firms from
performing robust risk assessments and developing tailored quality
responses. Other commenters also suggested that more scalability could
be incorporated into the standard through consideration of concepts
such as professional judgment, relevance, or reliability. Some
commenters suggested that further alignment of QC 1000 to ISQM 1 or
SQMS 1 would promote further scalability. One firm stated that the
standard was overly prescriptive and suggested that specific guidance
be provided to small and medium-sized firms focused on operationality
of the standard. Several commenters expressed concern that the
prescriptive nature of QC 1000 would negatively affect smaller firms.
As discussed above, some specified quality responses carry
requirements from current PCAOB standards into QC 1000, while others
provide new requirements that the Board believes are important to a
firm's QC system. The Board believes that this approach is appropriate
and that the specified quality responses are required to address
certain quality risks that are present in all firms that perform PCAOB
engagements and to assure that the QC system is designed, implemented,
and operated with an appropriate level of rigor. The inclusion of
specified quality responses in the standard should not be interpreted
to suggest that the Board believes all firms have the same or similar
quality risks overall; the specific risks addressed by specified
quality responses are likely a small subset of the overall population
of quality risks identified by a firm, and the Board expects
potentially wide variation in the full set of risks faced by different
firms.
The Board believes that the standard incorporates the concepts of
professional judgment, relevance and reliability where it is
appropriate, for example, in the ability to exercise professional
judgment in the determination of whether a major QC deficiency exists,
or the discussion in the information and communication component noting
that information would have to be both relevant and reliable such that
it supports the operation of the firm's QC system and the performance
of the firm's engagements in accordance with applicable professional
and legal requirements. The Board continues to believe that the
inclusion of prescriptive requirements in certain areas promotes its
mission of protecting investors and promoting the public interest.
An investor-related group commented that it supports a risk-based
approach up to a point, but it expressed concern that the standard
placed too much emphasis on scalability and recommended the development
of a set of minimum requirements for the establishment of quality
control systems. Another commenter stated that the PCAOB should not let
scalability concerns get in the way of driving change and improving
quality, further suggesting that smaller-firm considerations should not
get in the way of doing the right thing for the largest audit firms.
One commenter suggested more specific requirements relating to the
audits of broker-dealers, commenting that a high deficiency rate in
broker-dealer audits suggests the need for more specific requirements
with respect to audits of broker-dealers, such as requirements for
specific expertise in the conduct of broker-dealer audits, or, to the
extent that the broker-dealer is a subsidiary of an issuer,
requirements relating to coordination between the broker-dealer audit
team and the audit team of the issuer parent company.
The final standard establishes a set of minimum requirements that
all firms must follow in the establishment of their QC system. As
discussed in more detail below, while QC 1000 provides some flexibility
with regard to the quality risks that firms identify and the quality
responses that firms develop to address those risks, it does not
provide the same flexibility with regard to quality objectives or
specified quality responses. Instead, quality objectives and specified
quality responses that will apply to all firms are specified in the
standard. Firms can establish additional quality objectives--indeed,
they are required to do so if necessary to achieve the reasonable
assurance objective--but they generally cannot omit or modify any of
the quality objectives or specified quality responses set out in the
standard.
Within a uniform basic structure to be used by all firms, QC 1000
reflects a risk-based, scalable approach, particularly in the risk
assessment process and the monitoring and remediation process. The
nature and extent of these processes would be commensurate with the
firm's quality risks and would therefore vary across firms in nature,
scope, and complexity. The Board believes it is crucial that the
standard be scalable so that firms of different sizes and
characteristics can appropriately design their QC system to address the
risks associated with their own practice, including specific risks
relating to the types of companies that they audit, such as broker-
dealers. The Board believes that an appropriate balance between quality
objectives and specified quality responses is the best approach to
improve quality across firms of all sizes that perform engagements
pursuant to PCAOB standards, whether these be issuer or broker-dealer
engagements. Similarly, the form, content, and extent of required
documentation related to the QC system will be driven by a firm's
nature and circumstances. QC 1000 contains both provisions that scale
down, by tailoring for smaller PCAOB audit practices, and provisions
that scale up, by focusing on risks faced by the largest firms.
Some provisions of QC 1000 focus particularly on firms with a
smaller PCAOB audit practice. These include:
Depending on the nature and circumstances of the firm
(including its size and structure), a single individual may be assigned
more than one of the QC system oversight roles required under the
standard; and
If the firm issued engagement reports with respect to five
or fewer engagements for issuers, brokers, and dealers during the prior
calendar year, engagement monitoring activities may include monitoring
audits not performed under PCAOB auditing standards. For firms with
this number of engagements performed under PCAOB standards, the Board
understands that requiring a firm to annually monitor its engagements
that are performed under PCAOB standards increases the likelihood of
the same partner being inspected every year under QC 1000. The Board
believes this could disincentivize partners from serving as the
engagement partner and ultimately affect competitive conditions in the
market.

[[Page 49613]]

Other provisions of QC 1000 impose incremental requirements on
firms that issued audit reports for more than 100 issuers in the prior
calendar year, including:
An external oversight function for the QC system composed
of one or more persons who are not partners, shareholders, members,
other principals, or employees of the firm;
A program for collecting and addressing complaints and
allegations that includes confidentiality protections;
An automated system for identifying investments in
securities that might impair independence; and
A requirement to perform in-process monitoring of
engagements.
These incremental requirements specifically target and respond to
potential quality risks that the Board believes are more likely to
arise in audit practices of a certain size and complexity. Firms that
audit fewer than 100 issuers may still determine that the incremental
requirements are an appropriate quality response for quality risks that
they have identified specific to their firm, but these are not
mandatory for these smaller PCAOB audit practices to promote
scalability of the standard.
Several commenters, including firms, suggested that the threshold
for any incremental requirements be raised to 500 issuers, to align
with the existing SECPS requirement that firms that audit more than 500
SEC registrants have an automated system to identify investment
holdings of partners and managers that might impair independence.\139\
One of these firms also suggested a dual-threshold approach that would
consider both the number of issuers audited and the market
capitalization of the issuers. Two commenters, including an investor-
related group and an academic, suggested that there should not be a
threshold for incremental requirements, and all requirements of the
standard should apply to all firms regardless of the size of the firm.
The academic suggested that the incremental requirements may give rise
to actual or perceived differences in audit quality between larger
audit firms that issue audit reports for more than 100 issuers and
smaller audit firms that issue audit reports for fewer than 100
issuers. One firm suggested that the incremental requirements only
apply to those firms subject to annual inspection under the PCAOB's
rules (in case the 100-issuer threshold for regular inspection in Rule
4003, Frequency of Inspections, ever were changed), and another firm
suggested that these should only apply to the top six firms.
---------------------------------------------------------------------------

\139\ See SECPS 1000.46 (requirement 4).
---------------------------------------------------------------------------

Two investor-related groups suggested that if the final standard
does include a threshold for certain incremental requirements, the
threshold should relate to the market capitalization of the issuers
that the firm's audit practice covers rather than the number of issuer
audit reports the firm issues. Other commenters were also supportive of
a market capitalization-based threshold.
Several commenters suggested that the nature of the firm's audit
practice be taken into consideration when determining the applicability
of the incremental requirements, and that just looking to the number of
issuers may not be an appropriate measure for the size or complexity of
the audit practice. One commenter suggested that the proportion of the
PCAOB audits to the size of the practice within a firm is also a
relevant factor to consider. Some commenters suggested that imposing a
threshold of 100 issuers could impose a barrier to entry for firms that
wish to expand their audit practices beyond 100 issuers and, as a
result, firms may manage their practice to stay below the 100-issuer
threshold.
The Board believes that requiring certain incremental requirements
of firms with larger PCAOB audit practices is appropriate and that the
complexities inherent to large and complex firms are likely to give
rise to quality risks for which the incremental requirements would be
appropriate quality responses. Based on the comments received, the
Board considered whether alternative measures could be used that looked
to the nature and complexity of the issuers being audited, for example,
through a market capitalization-based threshold. The Board believes it
is appropriate to retain the threshold as proposed, based on the size
of a firm's issuer audit practice rather than referencing the size of
the companies subject to audit by the firm.
In general, the Board believes that the number of issuers is the
most indicative measure of a firm's size and the complexity of its
audit practice. Under a market capitalization measure, a firm that
audits a single very large issuer could look like a large firm, but its
practice may well be less complex than a firm that audits a large
number of small issuers. The incremental requirements in QC 1000
respond to specific issues or risks--firm governance, confidential
handling of complaints and allegations, tracking investments that may
bear on independence, and monitoring of in-process engagements--that
the Board believes are more significant in complex practices handling
large numbers of engagements. Therefore, the threshold was adopted as
proposed.
In addition, the Board believes that larger PCAOB audit practices
that audit a greater number of issuers are more likely to have the
resources to be able to effectively comply with the incremental
requirements at a level commensurate to the risk.
The Board also believes that firms are familiar with the proposed
threshold of issued audit reports for more than 100 issuers, because it
is used to determine which firms are subject to annual PCAOB
inspection.\140\ The Board does not believe it to be appropriate to
increase the threshold to 500 issuers or to specifically limit the
requirements to certain firms. The Board believes that firms that audit
between 100 and 500 issuers are sufficiently large such that potential
quality risks may arise as a result, and that the incremental
requirements would be responsive to these risks.
---------------------------------------------------------------------------

\140\ See section 104(b)(1)(A) of Sarbanes-Oxley, 15 U.S.C.
7214(b)(1)(A); PCAOB Rule 4003, Frequency of Inspections.
---------------------------------------------------------------------------

Several commenters suggested that a cut-off date for the
measurement of the size of the firm's issuer practice relative to the
100-issuer threshold, and a related transition period after a firm
passes the 100-issuer threshold, be specified in the standard to allow
time for firms to implement the incremental requirements. One of these
commenters specifically requested consideration of the effective date
for the implementation and operation of the incremental requirements
if, because of a merger or acquisition, the resultant firm performs
audits of more than 100 issuers.
The standard specifies a measurement cut-off date for the 100-
issuer threshold of the prior calendar year-end. Therefore, if a firm
has issued audit reports with respect to more than 100 issuers in the
period January 1 to December 31, in any given year, the firm must
implement the incremental requirements beginning the following January
1 and evaluate compliance with the incremental requirements as of the
following September 30. The Board believes that firms continuously
track the size of their issuer audit practice for the purpose of
monitoring the threshold for annual inspection by the PCAOB. Therefore,
prior to the calendar year-end measurement cut-off date, the Board
expects that firms should have an informed view as to whether they will
need to design, implement, and operate the incremental requirements for
the

[[Page 49614]]

following year. Similarly, the Board believes that a merger or
acquisition between firms would take time to finalize such that the
firms would have an informed view of whether the incremental
requirements would be applicable to the successor firm, providing
additional time for the firms to design, implement, and begin operating
the incremental requirements. In addition, the Board does not believe
that it is appropriate or consistent with its investor protection
mandate to allow a firm that audits over 100 issuers to not operate the
incremental requirements beginning the calendar year following the date
of the merger or acquisition if that merger or acquisition resulted in
the firm auditing more than 100 issuers. The Board believes that
specific quality risks could arise as the result of a merger or
acquisition; for example, a sudden increase in the size of the firm
could exacerbate the potential quality risks that exist as a result of
a firm's size, to which the incremental requirements would be
responsive. Furthermore, there is nothing in the standard that prevents
firms from implementing the incremental requirements earlier than
required, if they believe it to be likely that the threshold will be
met.

QC 1000: A Firm's System of Quality Control

Introduction

This section describes the requirements of QC 1000 and highlights
the key differences between the final standard and current QC
standards. Terms defined in Appendix A to QC 1000, Definitions, are
italicized throughout QC 1000.
The introduction section of the standard sets up the structure for
providing the standard's requirements. Paragraphs .01-.02 describe the
risk-based approach to the firm's QC system and acknowledge the
important role of the QC system--supporting consistent performance of
engagements in accordance with applicable professional and legal
requirements--in protecting investors through the preparation of
informative, accurate, and independent engagement reports. To emphasize
the auditor's role in investor protection, the Board added language to
the final standard reminding auditors that the firm's QC system
enhances investors' ability to rely on engagement reports. The Board
also reversed the order of paragraphs .01 and .02 to improve flow.
One commenter suggested a risk-based approach to quality control
with minimum requirements integrated into it, instead of a purely risk-
based approach. The Board agrees that a purely risk-based approach
would be inappropriate. As proposed and as adopted, QC 1000 is not a
purely risk-based standard. It establishes mandatory quality objectives
that every firm is required to achieve; lays out detailed, required
processes for risk assessment, monitoring and remediation, and annual
evaluation of the QC system; requires specified quality responses in
many areas; and fosters accountability and rigor through mandated key
roles for the QC system with specified individual responsibility and
accountability and required reporting to the PCAOB.

The Firm's QC System

1. QC 1000
a. Objective of the QC System (QC 1000.05)
The proposal asked if the reasonable assurance objective was
appropriate and if there were additional objectives that the QC system
should achieve. Many commenters, including firms, supported the
reasonable assurance objective and did not support additional
objectives for the QC system.
Some commenters, including investors and investor-related groups,
said there should be an explicit acknowledgement that auditing serves a
public purpose and that the system of quality control therefore should
serve investors. Other investors and investor-related groups suggested
that the quality control system should seek a higher performance
standard than mere compliance. Two commenters suggested that the
objective should be expanded, so that in addition to complying with
applicable professional and legal requirements, engagements should be
performed in a manner that is responsive to the needs of investors by
ensuring high-quality financial reporting. Another suggested that the
foundation of the system should promote high-quality and ``useful''
financial and non-financial information and achieve a high level of
transparent financial reports. The commenter also suggested removing
the qualifier ``reasonable'' and emphasizing that the term
``assurance'' refers to a high level of assurance.
The Board agrees with these commenters that QC 1000 should frame
auditor responsibilities in terms of investor protection, and revised
paragraph .05 to reinforce that, as discussed in more detail below. The
Board also considered broadening the objective of the QC system beyond
compliance in a number of ways, as suggested by commenters.
For example, the Board considered adding explicit references to
``investor needs'' to the QC system objective. However, the Board are
concerned that the concept of ``investor needs'' is too vague and
indefinite to be interpreted consistently as an objective of the QC
system. Consistent with the reasonable assurance objective, the Board
believes that all investors want informative, accurate, and independent
engagement reports. But beyond that, investors are not monolithic and
may have different preferences. For example, the needs of a large
institutional investor with an actively managed portfolio are different
from those of a retail investor holding index funds. Investor needs
could also vary across issuers and different types of financial
instruments, as well as with changes in market conditions. As a result,
the Board does not believe that a QC system objective that was
expressly phrased in terms of satisfying ``investor needs'' would be
capable of consistent interpretation or would provide firms with
sufficient notice or direction about the conduct required of them.
The Board believes that ``high-quality'' and ``useful'' financial
reporting suffer from the same issues. These terms are subjective,
indefinite, and would mean different things to different financial
statement users and in different situations. In addition, grounding
auditor obligations in the quality or utility of financial reporting
risks conflating the role of the auditor with the role of the preparer.
The fundamental responsibility for financial reporting lies with the
company. The auditor enhances investors' ability on company financial
information through the preparation and issuance of informative,
accurate, and independent engagement reports, but the company prepares
the financial statements and retains ultimate responsibility for them.
The Board considered one commenter's suggestion of phrasing the
objective in terms of ``assurance,'' rather than ``reasonable
assurance.'' However, the Board believes that this would weaken, rather
than strengthen, the standard, in that it could be read to suggest that
any level of assurance, even if less than reasonable assurance, would
be appropriate. As proposed, the final standard includes a note
emphasizing that reasonable assurance is a high level of assurance.
Accordingly, the Board has not revised the objective of the QC
system as these commenters suggested. The Board continues to believe
that investor needs will be best served through an objective that is
grounded in auditors' existing obligations and can be

[[Page 49615]]

interpreted clearly and applied consistently. Auditor obligations under
applicable professional and legal requirements address investors'
fundamental priority: that the financial statements be free of material
misstatement. They also clearly delineate what conduct is required,
which enables both the Board and the firms that the Board regulates to
interpret and apply them on a consistent basis.
The Board has, however, made revisions to paragraph .05 that the
Board believes will be clarifying. The final rule specifies expressly
that the firm's objective is to design, and if applicable, implement
and operate an effective QC system. Further, although the Board
concluded that it could not express the objective of the QC system in
such terms, the Board does believe firms should be prompted to remember
their critical role in investor protection. With that in mind, the
Board revised paragraph .05 to explicitly acknowledge that a properly
conducted engagement and related report enhance the confidence of
investors and other market participants in the company's information to
which the firm's report relates. The Board also revised the paragraph
to remind auditors that an effective QC system protects investors by
facilitating the consistent preparation and issuance of informative,
accurate, and independent engagement reports in accordance with
applicable professional and legal requirements.
Paragraph .05 specifies that an effective QC system consistently
provides a firm with reasonable assurance that the firm, each member of
firm personnel, and each other participant conduct each engagement and
fulfill their other responsibilities in compliance with applicable
professional and legal requirements, and that each engagement report
issued by the firm complies with applicable professional and legal
requirements. The Board revised the provision to refer to ``each member
of'' firm personnel, ``each'' other participant, ``each'' engagement,
and ``each'' engagement report. This change clarifies that the QC
system provides reasonable assurance, not just over the pool of firm
personnel, the pool of other participants, and the portfolio of
engagements, but over each individual and each engagement. The
objective is still reasonable assurance, not absolute assurance. But an
effective QC system has to be designed, implemented, and operate in
such a way that the firm has reasonable assurance that each individual
who performs work on behalf of the firm and each engagement the firm
undertakes will comply with applicable professional and legal
requirements.
One commenter asserted that some prescriptive aspects of the
standard result in absolute assurance instead of reasonable assurance.
The Board disagrees, as it believes this is a misunderstanding of the
standard. Specifically, the reasonable assurance objective under QC
1000 is broadly consistent with the Board's current QC standards, as
well as ISQM 1 and SQMS 1, all of which contemplate that the system of
QC should provide reasonable assurance.\141\ The Board believes that
the combination of quality objectives and specified quality responses
in QC 1000 establishes a balance between prescriptive requirements and
a risk-based approach that contributes to the firm obtaining reasonable
assurance, but does not require absolute assurance. Of course, nothing
precludes a firm from going beyond the requirements in QC 1000 when
designing its QC system.
---------------------------------------------------------------------------

\141\ See ISQM 1.14; SQMS 1.15.
---------------------------------------------------------------------------

One commenter suggested that the concept of reasonable assurance
was not clear and could be clarified by retaining a footnote from QC 20
that reinforces that deficiencies in individual engagements do not, in
and of themselves, indicate a firm's quality control system is
insufficient to provide reasonable assurance. The Board has not
retained that footnote. The concept of reasonable assurance should be
familiar to auditors; it is a basic concept under the Board's current
standards and the Board believes it can be interpreted and applied
consistently. In addition, in light of QC 1000's detailed process for
the evaluation of the QC system, including the new defined terms ``QC
deficiency'' and ``major QC deficiency,'' discussed below, the Board
does not believe such a footnote is necessary. Under QC 1000, firms
will determine whether the QC system meets the reasonable assurance
objective by determining whether any ``major QC deficiencies'' exist.
The existence of major QC deficiencies indicates that the QC system
does not provide reasonable assurance, whereas the existence of QC
deficiencies that do not meet the definition of major QC deficiency
does not. Since that conclusion is apparent from the definitions, the
Board does not believe that the existing footnote is needed.
The ``reasonable assurance objective'' of the firm's QC system is
similar to the objective of the QC system under existing PCAOB
standards, except that the current standard requires reasonable
assurance as to compliance with applicable requirements and ``the
firm's standards of quality'' (i.e., the firm's policies and
procedures),\142\ whereas QC 1000's reasonable assurance objective
refers only to applicable requirements. This change reflects the
different role played by firm policies and procedures under the Board's
current QC standards compared to QC 1000. Firm policies and procedures
are the linchpin of current PCAOB QC standards: Most of the Board's
current QC standards simply require firms to establish, communicate,
document, and monitor specified policies and procedures. Policies and
procedures also play an important role under QC 1000, but they would
have a different context because of the significant differences in the
way in which the standard is structured.
---------------------------------------------------------------------------

\142\ See QC 20.03; QC 20.17.
---------------------------------------------------------------------------

QC 1000 is grounded in the firm's risk assessment process, whereby
the firm's quality objectives and the risks to achieving them are
identified and addressed by the firm in an ongoing, structured fashion.
This risk assessment process drives how the firm develops and refines
its policies and procedures; the ``quality responses'' are designed and
implemented to address quality risks. As such, policies and procedures
are a means to an end--addressing quality risks--rather than an end in
themselves. QC 1000 provides more detailed requirements regarding the
structure, scope, and functioning of the firm's QC system, particularly
in the monitoring and remediation component, than the Board's current
QC standards.
This does not mean that firms' QC policies and procedures are no
longer important. On the contrary, they are critical to addressing
quality risks and thereby achieving quality objectives and the
reasonable assurance objective. However, firms may no longer rely on
simply promulgating policies and procedures as the central, and
sometimes only, component of their QC system. Compliance with the QC
standard ultimately is based on whether the firm has met its quality
objectives and the reasonable assurance objective--which are driven by
whether the firm's policies and procedures have in fact been effective
in addressing quality risks--and on whether the firm has complied with
the requirements of the standard in the design, implementation, and
operation of the QC system. Another commenter suggested that the QC
system should not address firm policies and procedures that go beyond
applicable professional and legal requirements, on the basis that it
might undermine investor protection by disincentivizing firms from
developing policies and procedures that

[[Page 49616]]

go beyond what is required. For the reasons discussed above, the Board
has not included policies and procedures in the reasonable assurance
objective. However, because policies and procedures play an important
role in the firm achieving the reasonable assurance objective, the
Board has determined that some quality objectives have to incorporate
compliance with firm policies and procedures as well as applicable
professional and legal requirements.
The reasonable assurance objective also reflects the view that the
purpose of the QC system is to drive overall compliance by the firm,
each member of firm personnel, and each other participant with
applicable professional and legal requirements, and not necessarily to
drive more narrow compliance with firm policies and procedures.
Under QC 1000, the reasonable assurance objective of the firm's QC
system is generally consistent with the objective of the QC system
under the Board's existing QC standards but, in addition to the changes
discussed above, it places more emphasis in three key areas:
Expressly reminding auditors that an effective QC system
protects investors by facilitating the consistent preparation and
issuance of informative, accurate, and independent engagement reports;
Specifying that responsibilities be fulfilled not only
with respect to professional standards, but also with respect to legal
requirements to the extent they apply (e.g., SEC and PCAOB rules, other
provisions of U.S. Federal securities law, and other applicable legal
and regulatory requirements); and
Expressly mentioning compliant engagement reporting (an
existing responsibility under PCAOB standards), given the explicit
reference to audit reports in Sarbanes-Oxley.\143\
---------------------------------------------------------------------------

\143\ See, e.g., section 103(a)(1) of Sarbanes-Oxley, 15 U.S.C.
7213(a)(1); section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C.
7213(a)(2)(B).
---------------------------------------------------------------------------

Responsibilities in this context include all responsibilities that
are subject to applicable professional and legal requirements--for
example, in relation to the firm's engagements, work the firm does on
other firms' engagements, training, independence monitoring, and other
activities that are part of or subject to the firm's QC system.
In addition, the objective covers the activities of a broader group
than current standards. It applies not only with respect to firm
personnel and other auditors, but also to other participants involved
in the firm's engagements and QC activities whose work is performed at
the direction of the firm. As discussed above, the Board believes that
QC 1000 should reach such other participants in light of, among other
things, the increasing prevalence and importance of the use of
professionals and organizations outside the firm, such as auditor-
engaged specialists and service centers, in audits performed under
PCAOB standards. Many commenters, generally firms and related groups,
expressed concern about the inclusion of other participants in the
reasonable assurance objective. The Board believes that the firm's own
QC system must address all the work done on the firm's engagements and
in connection with the design, implementation, and operation of the
firm's QC system, regardless of who does it. The reasonable assurance
objective in QC 1000 appropriately reflects that scope.
b. Requirements To Design, Implement, and Operate a QC System (QC
1000.06-.07)
QC 1000 requires all firms to design a QC system that complies with
the standard. This entails assigning QC-related roles and
responsibilities as provided in paragraphs .10-.17; establishing
quality objectives, at least annually identifying and assessing quality
risks to the achievement of those objectives, and designing quality
responses to address those risks, as provided in paragraphs .18-.57;
designing a monitoring and remediation process that, upon
implementation, would comply with paragraphs .58-.76; and documenting
the design of the QC system as provided in paragraphs .81-.86. The
design of the QC system is based on the quality risks the firm likely
would face if it performed engagements.
The PCAOB received a significant volume of comments on this aspect
of the proposal, which is discussed above. In addition, one commenter
suggested emphasizing the concept of professional judgment by
incorporating it in paragraph .06 or .07 and defining it in Appendix A
of QC 1000. It is true that under QC 1000, judgment may have to be
exercised in areas of the QC system, such as assessing risk and
evaluating QC deficiencies. However, the basic approach of QC 1000,
which specifies quality objectives to be achieved through specified
risk assessment and monitoring and remediation processes, is outcome-
based and not simply a matter of professional judgment. Moreover, under
paragraph .10, all activities related to the QC system must be
performed with due professional care. This means that even in
judgmental areas, professional judgment is not unbounded; individuals
must exercise professional skepticism and use the requisite knowledge,
skill, and ability to diligently (and in good faith and with integrity)
obtain and objectively evaluate information. Accordingly, the Board
adopted these requirements as proposed.
In addition to the obligation to design the QC system, firms are
required under paragraph .07 to implement and operate an effective QC
system (i.e., comply with all provisions of the standard) at all times
that the firm is required to comply with applicable professional and
legal requirements with respect to any of the firm's engagements.\144\
This would occur, for example, whenever the firm has responsibilities
with respect to the acceptance of an engagement, the performance of an
engagement, remediation of deficiencies in an engagement, or matters
associated with an engagement that arise or continue after issuance of
the engagement report, such as retention of audit documentation,
issuance of reports included in Securities Act filings (including
consent to the inclusion of such reports),\145\ other engagement
deficiencies,\146\ and subsequently discovered facts.\147\ Once a firm
no longer has any responsibilities under applicable professional and
legal requirements with respect to any firm engagements, the firm will
be required to continue operating the QC system until the next
September 30 (the next date as of which the firm is required to
evaluate the QC system). This ensures that the firm will evaluate and
report on the QC system for any year during which the QC system was
required to operate.\148\
---------------------------------------------------------------------------

\144\ Note, however, that the firm would not necessarily have to
implement and operate every QC policy and procedure it has designed.
See Scalability above.
\145\ See AS 4101, Responsibilities Regarding Filings Under
Federal Securities Statutes.
\146\ See AS 2901. The Board amended AS 2901 in connection with
this rulemaking to expand auditor responsibilities with respect to
engagement deficiencies. See Amendments to AS 2901, Consideration of
Omitted Procedures After the Report Date, and Related Amendments
below for additional discussion.
\147\ See AS 2905, Subsequent Discovery of Facts Existing at the
Date of the Auditor's Report.
\148\ The requirements for evaluating and reporting on the QC
system are discussed below.
---------------------------------------------------------------------------

Note that firms may not have lengthy advance notice before
responsibilities arise under applicable professional and legal
requirements with respect to an engagement. For example, a firm may be
contacted by an affiliated firm to play a substantial role in an
engagement or may be asked to consent to the inclusion of a previously
issued audit report in

[[Page 49617]]

the registration statement of a company previously audited by the firm.
Under the standard, registered firms will have to stand ready to have
their QC system implemented and operating over such responsibilities
whenever they arise.
Although all PCAOB-registered firms are required to design a QC
system that complies with the standard, the obligation to implement and
operate that system applies only when the firm is required to comply
with applicable professional and legal requirements with respect to the
firm's engagements. Implementing and operating a QC system means that
assigned personnel are fulfilling their QC-related roles and
responsibilities under QC 1000, the relevant quality responses (i.e.,
policies and procedures) and monitoring and remediation process that
the firm has designed are operational, and the firm is documenting the
implementation and operation of its QC system. As noted above in the
discussion of scalability, the scope of the QC system is driven by the
professional and legal requirements that apply to the firm and its
engagements and the relevant risks, which may vary depending on the
nature and extent of the firm's practice.
The standard also makes clear that existing obligations under QC
1000, such as the obligation to evaluate and report on the QC system
for periods in which the QC system was required to be implemented and
operating, are not extinguished when a firm transitions from full
applicability to scaled applicability.
As discussed in more detail above, the Board's view is that
requiring all registered firms to design a QC system that complies with
QC 1000 is consistent with the PCAOB's statutory mandate, historical
practice, and investor protection mission, and that scaling back
obligations under QC 1000 to the design of the QC system, as described
under paragraph .06, is justified in cases where a firm is not subject
to any obligations under applicable professional and legal standards
with respect to any firm engagement.
b. Risk-Based Approach (QC 1000.08-.09)
The Board did not receive comments specifically on these paragraphs
and adopted them as proposed. These paragraphs require a firm to employ
a risk-based approach to quality control, such that the firm
proactively manages its QC system and the quality of the work it
performs on engagements.
Under the standard, the firm is required to design, implement, and
operate a QC system that reflects and responds to the firm's particular
risks through two process components.
The firm's risk assessment process--establishing quality
objectives, identifying, and assessing quality risks to the achievement
of those objectives, and designing and implementing quality responses
to address the identified quality risks--is applied to all of the
aspects of the firm's organization and operations that are covered by
the QC system and thus is tailored to each firm's specific facts and
circumstances.
The monitoring and remediation process is carried out in a
way that is informed by and responsive to risks--for example, quality
risks influence both the selection of engagements to monitor and the
design and extent of monitoring activities.
The requirement to evaluate the effectiveness of the QC system
supports continued improvement in these risk assessment and monitoring
and remediation processes by requiring the firm to evaluate and report
on whether the quality objectives and the reasonable assurance
objective have been achieved. These requirements are discussed in more
detail below.
The aspects of QC 1000 that are risk-based are inherently scalable.
In applying a risk-based approach, the firm is required to tailor its
QC system to the firm's specific facts and circumstances, including the
size and complexity of the firm, the types and variety of engagements
it performs, the types of companies for which it performs engagements,
and whether it is a member of a network (and if so, the nature and
extent of the relationship between the firm and the network).
Accordingly, a large, complex firm that performs a wide variety of
engagements will likely be required to have a more complex QC system
than a small firm that performs a small number of less complex
engagements.
2. Current PCAOB Standards
As described above, under current QC standards, a QC system is
broadly defined as a process to provide a firm with reasonable
assurance that its personnel comply with professional standards
applicable to its accounting and auditing practice and the firm's
standards of quality.\149\ The QC system encompasses the firm's
organizational structure, policies adopted, and procedures established
to provide that reasonable assurance.\150\ Registered firms are
required to design, implement, and operate a system of quality control
to provide this reasonable assurance.
---------------------------------------------------------------------------

\149\ See QC 20.03.
\150\ See QC 20.04.
---------------------------------------------------------------------------

Roles and Responsibilities

Expectations of individuals within the QC system are established
through the assignment of roles and responsibilities that are essential
to a well-functioning QC system. This aspect of the QC system creates
clearer lines of communication and decision-making authority and
greater accountability for those assigned to such roles. One commenter
on the overall requirements supported them as proposed. Some firm
commenters also supported the proposed roles and offered operational
suggestions, while other firm commenters asserted that the proposed
roles and responsibilities were not clear and appropriate for the
reasons described in the following subsections.
1. QC 1000
a. Due Professional Care (QC 1000.10)
Paragraph .10 of the standard addresses due professional care in
performing responsibilities in relation to the QC system. Due
professional care, applicable to all firm personnel and other
participants, includes professional skepticism. The concept of due
professional care imposes a responsibility upon firm personnel and
other participants to observe relevant professional standards
including, in the context of quality control, QC 1000. The Board
believes that this provision is a helpful clarification because the
PCAOB standards describing due professional care do not specifically
mention QC activities.\151\
---------------------------------------------------------------------------

\151\ A new auditing standard, AS 1000, is being adopted to
combine and update the four standards that set forth the general
principles and responsibilities of the auditor, including AS 1015,
Due Professional Care in the Performance of Work. See Auditor
Responsibilities Release.
---------------------------------------------------------------------------

One commenter urged the PCAOB to clarify the need for professional
skepticism by leadership in quality control roles. The Board does not
believe specific provisions are needed in that regard, because
paragraph .10 applies to all individuals performing QC roles, including
those in leadership roles.
The Board has adopted this provision with modifications to align
with the descriptions of due professional care and professional
skepticism being adopted in AS 1000.\152\
---------------------------------------------------------------------------

\152\ Id.
---------------------------------------------------------------------------

b. Assignment of Roles and Responsibilities (QC 1000.11-13)
The Board proposed to require the highest-ranking executive in the
firm to bear ultimate responsibility and

[[Page 49618]]

accountability for the QC system as a whole. If a firm has co-principal
executive officers, each of them would bear such ultimate
responsibility and accountability. The PCAOB did not prescribe the
substantive qualifications the highest-ranking executive in the firm
should have; the proposal did not include any such criteria (unlike the
assigned roles under paragraph .12, which only may be assigned to
personnel who have the experience, competence, authority, and time to
carry out their responsibilities). The Board's intention was to
establish accountability for QC at the highest level within the firm
and underscore the critical importance of the QC system. One commenter
supported this requirement, as it is analogous to the CEO being jointly
responsibly for the SEC certifications with respect to the financial
statements and internal controls. One commenter requested clarification
on the structure of smaller firms where the firm's CEO may not be an
audit practitioner and may rely on others to fulfill the requirements
of the QC system. The Board believes it is important for the firm's
principal executive officer, irrespective of whether that person is an
audit practitioner, to be ultimately responsible and accountable for
the firm's QC system, because the Board believes that this will lead to
more vigorous oversight of the audit practice; benefiting investors and
other stakeholders that rely on the firm's work.
The requirement in paragraph .12 of QC 1000 is limited to roles
that are expected to exist in any firm and allows each firm to assign
these roles based on the nature and circumstances of the firm, provided
that those assigned have the experience, competence, authority, and
time to enable them to carry out their assigned responsibilities. This
approach also addresses scalability; as the note to paragraph .12 makes
clear, depending on the nature and circumstances of the firm, one
individual may be assigned to more than one of the roles in paragraphs
.11 and .12.
A number of commenters suggested that the roles in paragraph .12
should be able to be split into multiple roles or assigned to multiple
people. Commenters asserted that the roles, such as operational
responsibility for the ethics and independence component, are complex
enough to require two individuals. Several of the same commenters
expressed that the requirement is generally too prescriptive. Several
firms indicated that many firms in larger networks may commonly have
these specified roles filled by individuals outside of the firm and the
restriction of these roles to firm personnel may be problematic
operationally.
For the roles specified in paragraph .12, the final standard
retains the requirement that only one individual may be assigned
responsibility for each role. A firm may have multiple individuals or
multiple layers of personnel supporting these roles, but the
responsibility for the assigned role may not be delegated and will
remain with the one assigned individual. For example, a firm could
assign one person to ethics-related matters and another person to
independence-related matters, as long as both of these individuals
report to the person with operational responsibility for the firm's
compliance with ethics and independence requirements. The Board
acknowledges that some firms may seek assistance from their network or
other participants in performing some of their QC-related activities,
but the Board believes a single individual within the firm should
remain responsible for the operational responsibilities of the assigned
roles. Regardless of whether specific tasks are delegated to others,
the individual assigned to a specified role remains responsible and
accountable for the role's related responsibilities.
Commenters generally supported allowing one person to hold multiple
responsibilities under certain circumstances, such as smaller firms
with limited resources. Two commenters supported the roles as proposed
and one commenter suggested the firm's head of audit practice also be
included as a role.
The Board's view is that the roles specified in paragraph .12 would
be appropriate for every firm. Provided that the criteria in paragraph
.12 of QC 1000 are met, the individual assigned ultimate responsibility
and accountability for the QC system also may assume responsibility for
all aspects of the QC system, including operational responsibility for
the QC system, the firm's compliance with ethics and independence
requirements, and the monitoring and remediation process. The Board has
not been specific about who should be assigned the roles identified in
paragraph .12. A firm may determine, based on its nature and
circumstances, that it is appropriate to assign already established
leaders to one or more of these roles, such as the head of audit
practice as suggested by a commenter.
One commenter requested clarification of the intended role in .12d.
The role in paragraph .12d allows firms to assign operational
responsibility for other components (e.g., the resources component)
based on the nature and circumstances of the firm. The standard
provides firms the ability to add additional roles and
responsibilities, if appropriate, and the flexibility to assign one
individual to more than one of the roles specified.
The proposal asked if firms would have difficulty filling the
assigned roles. Two commenters were optimistic these roles could be
filled in light of the requirements. Commenters cited increased
liability or workload associated with these roles as potential
disincentives that may keep qualified individuals from accepting these
roles. Specifically, some commenters asserted that the proposal would
lower the threshold for individual liability compared to current
requirements, and that the threat of enforcement sanctions would deter
individuals from accepting the roles.\153\ One commenter sought
clarification on the supervision obligations prescribed under QC 1000
and the Board's authority to bring enforcement actions for failure to
reasonably supervise under section 105(c)(6) of Sarbanes-Oxley. One
commenter recommended amending paragraph .11 to acknowledge that
individuals assigned ultimate responsibility for the QC system as a
whole can rely on information provided to them and their responsibility
is governed by a good faith standard. Two commenters expressed concern
that firms, especially smaller issuer or broker-dealer practices, would
have difficulty filling the specified roles. One commenter was
concerned with increased accountability and suggested balancing
accountabilities such that processes and outcomes, as well as rewards
and penalties, are more appropriately weighted.
---------------------------------------------------------------------------

\153\ Analogous concerns were also raised by commenters in
relation to the separate rulemaking Proposed Amendments to PCAOB
Rule 3502 Governing Contributory Liability, available on the Board's
website in Docket 053.
---------------------------------------------------------------------------

Current QC standards generally impose responsibilities directly on
the firm rather than on individuals. Enforcement actions related to the
failure to comply with current QC standards can be brought against
individuals for contributing to violations by the firm\154\ or for
failing to

[[Page 49619]]

reasonably supervise an associated person of the firm who commits
certain violations.\155\
---------------------------------------------------------------------------

\154\ See PCAOB Rule 3502, Responsibility Not to Knowingly or
Recklessly Contribute to Violations. The Board has proposed to amend
Rule 3502 in certain ways, including by changing the standard of
conduct for associated persons' contributory liability from
recklessness to negligence. See Proposed Amendments to Rule 3502
Governing Contributory Liability, PCAOB Rel. No. 2023-007 (Sept. 19,
2023).
\155\ See Sarbanes-Oxley sec. 105(c)(6), 15 U.S.C. 7215(c)(6).
---------------------------------------------------------------------------

Under QC 1000, the individuals who are assigned specific
responsibilities with respect to the QC system could be charged with
violations if they fail to comply with those enumerated
responsibilities, as well as for contributing to firm violations or
failing reasonably to supervise.\156\ As discussed further in the
sections that follow, the individuals who fill the roles specified in
paragraphs .11 and .12 of QC 1000 have specified responsibilities
spelled out in paragraphs .14 through .17 of the final standard. Those
individuals must exercise due professional care (see paragraph .10),
and their failure to properly discharge their duties--for example, to
establish or direct the establishment of certain QC-system reporting
lines (see paragraph .14b), to certify the firm's Form QC report to the
PCAOB (see paragraphs .14d and .15b), or to timely communicate certain
information to others (see paragraphs .16b and .17b)--would constitute
violations of QC 1000. So while current QC standards generally require
either a primary violation by the firm to trigger an individual's
potential liability under Rule 3502 or a primary violation by another
associated person to trigger a supervisory person's potential liability
under section 105(c)(6) of Sarbanes-Oxley, QC 1000 creates a framework
in which an individual's failure to discharge prescribed
responsibilities could give rise to individual liability without regard
to whether primary violations were committed by another.
---------------------------------------------------------------------------

\156\ See PCAOB Rel. No. 2023-007.
---------------------------------------------------------------------------

That is not to say, however, that the individuals filling the roles
specified in paragraphs .11 and .12 of QC 1000 no longer can be charged
with contributing to violations by the firm or for failing to
reasonably supervise an associated person who commits certain
violations. Because of the important role played by the individuals
filling those roles, their failure to properly fulfill their
responsibilities may contribute to violations by their firm.
Furthermore, paragraphs .15a, .16a, and .17a of the final standard make
clear that the individuals who fill the roles discussed therein are
supervisory persons who have supervisory responsibilities under the
Board's QC standards, for purposes of section 105(c)(6) of Sarbanes-
Oxley.
The Board believes that providing another basis for enforcement
against responsible individuals could enhance their accountability for
the QC system. Enhanced accountability emphasizes the importance of the
firm assigning roles to firm personnel who have the experience,
competence, authority, and time needed to carry out their assigned
responsibilities. Although the Board recognizes that some commenters
expressed concern about whether individuals would be willing to assume
these specified roles, the Board believes that these roles are
necessary and appropriate for every firm. The Board also believes that,
with appropriate incentives, firms should be able to fill these roles.
The PCAOB is adopting these requirements as proposed.
The Board discusses each of the QC roles identified in the standard
in the subsections that follow. Paragraph .13 provides that individuals
assigned operational responsibilities under paragraph .12 should have a
direct line of communication to the individual with ultimate
responsibility and accountability for the QC system. This line of
communication would provide these individuals the information necessary
to perform their assigned roles. One commenter supported a feedback
loop between the individuals assigned responsibilities under paragraphs
.11 and .12, but sought clarity regarding whether individuals in the
roles in paragraph .12 are required to report to the firm's principal
executive officer. The Board has not prescribed the firm's reporting
structure related to those roles, as it may vary based on the nature
and circumstances of the firm.
c. Ultimate Responsibility and Accountability for the QC System as a
Whole (QC 1000.14)
The individual assigned ultimate responsibility and accountability
for the QC system as a whole reinforces the responsibility and
accountability of firm personnel by demonstrating a commitment to
quality. The standard emphasizes the role of that individual--by the
individual recognizing and reinforcing professional ethics, values, and
attitudes through the individual's actions, behaviors, and
communications--in establishing a firm's tone at the top and attitude
towards quality.
The individual assigned ultimate responsibility and accountability
is responsible for establishing, or directing the establishment of,
structures, reporting lines, and authorities and responsibilities for
the roles involving operational responsibility for aspects of the QC
system and the QC system as a whole. For each firm, the approach to
fulfilling these responsibilities will be dependent on the firm's
nature and circumstances. For example, in a smaller firm where there
are fewer individuals with assigned roles, structures may be less
formal. Conversely, for a larger firm, it may be necessary to have
multiple individuals in roles with assigned responsibilities or to have
multiple layers of personnel supporting different activities. However,
ultimate responsibility and accountability cannot be delegated.
Also, the individual assigned ultimate responsibility and
accountability is accountable for the design, implementation, and
operation of the firm's QC system in accordance with applicable
professional and legal requirements and the firm's policies and
procedures, as well as for the firm's annual QC system evaluation. The
functions performed by the individual with ultimate responsibility and
accountability may vary across firms. For example, in a smaller firm,
the individual assigned ultimate responsibility and accountability may
be directly involved in aspects of the QC system, such as the firm's
monitoring and remediation process. In a larger firm, this person may
supervise others who perform these activities.
Lastly, the Board proposed requiring the individual assigned
ultimate responsibility and accountability for the QC system as a
whole, along with the individual assigned operational responsibility
and accountability for the firm's QC system as a whole, to certify the
firm's annual evaluation of its QC system in a report to the PCAOB. One
commenter expressed concern that the certification requirements may
create a barrier to firms operating in environments that do not have
Sarbanes-Oxley-style reporting requirements. The same commenter also
emphasized the certifications may have a disproportional impact on
smaller firms that have fewer resources. One commenter suggested that
certification by the firm's CEO is an ineffective incentive and a more
appropriate incentive would be compensation that was heavily weighted
towards effective QC systems.
As discussed further below, the Board believes such certification
will lead to increased discipline in the evaluation process and
reinforce the accountability of the certifying individuals, and has
adopted that requirement as proposed. The Board believes certifications
are commonly known among issuers within the regulatory environment and
would be familiar to their auditors. The Board also believes the
certification requirements will complement the revised provisions in
paragraphs .25b and .44g of the final standard, which

[[Page 49620]]

address compensation incentives based on an effective QC system.
d. Operational Responsibility and Accountability for the QC System as a
Whole (QC 1000.15)
This requirement did not draw comment and the Board adopted it as
proposed. The individual assigned operational responsibility and
accountability for the QC system as a whole is accountable for
supervising the design, implementation, and operation of the firm's QC
system. This includes overseeing the operation of the QC system in
achieving the reasonable assurance objective. Depending on the nature
and circumstances of the firm, this individual may be the same person
assigned ultimate responsibility and accountability for the QC system,
or may be assigned other operational responsibilities, such as for
ethics and independence or monitoring and remediation.
In carrying out the specified responsibilities, the individual
assigned operational responsibility and accountability for the QC
system as a whole may be supported by the individuals assigned
operational responsibility for the firm's compliance with ethics and
independence requirements, the monitoring and remediation process, or
other components of the QC system. This includes receiving information
from such individuals regarding violations of ethics and independence
requirements and the results of the monitoring and remediation process.
Along with the individual assigned ultimate responsibility and
accountability for the QC system as a whole, and for similar reasons,
the Board has required the individual assigned operational
responsibility and accountability for the QC system as a whole to
certify the firm's annual report to the PCAOB on the evaluation of its
QC system, as discussed below.\157\
---------------------------------------------------------------------------

\157\ If the same person were assigned both ultimate
responsibility and accountability and operational responsibility and
accountability for the QC system, that person would sign the
certification in both capacities.
---------------------------------------------------------------------------

e. Operational Responsibility for the Firm's Compliance With Ethics and
Independence Requirements (QC 1000.16)
Compliance with ethics and independence requirements is essential
to the performance of engagements and, in some situations, presents
challenging, novel, or complex issues. The current requirements for
former SECPS member firms include designating a senior-level partner to
oversee the firm's independence policies and consultation process,
among other independence-related activities. Like in the proposal, in
the final standard the individual assigned operational responsibility
for compliance with ethics and independence requirements will supervise
the areas addressed by the ethics and independence component of QC
1000, which include the firm's risk assessment process for ethics and
independence and the design, implementation, and maintenance of the
firm's policies and procedures related to ethics and independence.
Within the ethics and independence component, there are quality
objectives and specified quality responses that address potential
violations of ethics and independence requirements, including a quality
objective that potential violations are communicated to the individual
with operational responsibility for ethics and independence
requirements. That individual is then responsible for communicating
such violations to the individuals assigned operational responsibility
for the monitoring and remediation process and operational
responsibility and accountability for the QC system as a whole.
Paragraph .16b, as well as several other requirements in the
standard, refers to actions being taken on a ``timely basis.'' In each
of these cases, what constitutes ``timely'' would depend on the
underlying matter to which the action relates, including the matter's
nature, scope, and impact. Timely communication and action should be
sufficiently prompt to achieve its objective. In some cases, for
example, where there is a high risk of a severe or pervasive problem,
communication and action may have to be immediate to be timely. The
only commenter on this term agreed that what constitutes ``timely''
would depend on the underlying matter to which action relates. The
commenter also wanted clarification that the firm's policies and
procedures assist in promoting communication such that the appropriate
individuals with responsibilities over the firm's QC system become
aware of relevant matters in a timely manner, as appropriate for the
size and the scale of the firm and relative nature of the matter.
Insofar as the comment may be read to suggest that the size and scale
of the firm, on its own, is a factor in determining timeliness, the
Board disagrees. In the Board's view, timeliness is a function of the
nature and significance of the issue (appreciating that the size and
scale of the firm may be relevant in gauging the nature and
significance of an issue).
One commenter expressed concern that the prescriptiveness of the
communication requirements may detract from the achievement of the
intended objectives. Specifically, the commenter was concerned that it
may not be appropriate to require communication of all violations to
the individual with operational responsibility and accountability for
the QC system as a whole.
The specified communications are intended to enable these
individuals to take timely and appropriate actions in accordance with
their responsibilities. In the Board's view, in order to do that, they
need to be apprised of ethics and independence violations. Ethics or
independence violations may take a variety of forms, and therefore the
nature and extent of the communication may also take a variety of forms
commensurate to the severity and pervasiveness of the violation.
Leaving aside the question of whether a violation of ethics or
independence requirements could ever be insignificant, individual
violations may evidence problems within specific areas of the firm's
policies and procedures or an overall pattern of disregard for ethics
and independence requirements that requires timely intervention. The
Board has adopted these requirements as proposed.
f. Operational Responsibility for the Monitoring and Remediation
Process (QC 1000.17)
The monitoring and remediation process is a critical part of a
firm's QC system because it creates a feedback loop to inform the
firm's risk assessment process, results in an approach that drives
continuous improvement, and provides the firm with information about
whether the QC system is operating effectively. As proposed, the
individual assigned operational responsibility for the monitoring and
remediation process would be responsible for supervising the design,
implementation, and operation of the monitoring and remediation process
component and the evaluation of the QC system. This individual would
also be responsible for overseeing actions taken to respond to
identified engagement deficiencies, QC deficiencies, and major QC
deficiencies.
One commenter was concerned that it would be a conflict of interest
for this individual to oversee both the monitoring and remediation
process and the evaluation process. Another commenter recommended that
the responsibility for the annual evaluation

[[Page 49621]]

be shared between the individual with operational responsibility for
the QC system as a whole, who recommends the evaluation conclusion, and
the individual with operational responsibility for the monitoring and
remediation process, who concurs or recommends changes to the
conclusion. The Board understands that in a smaller firm these roles
may all be performed by the same individual. In a larger firm that
assigns different individuals to the roles, the individual with
operational responsibility for the monitoring and remediation process
supervises the evaluation process. Although the individual overseeing
the monitoring and remediation process also oversees the evaluation
process, other aspects of QC 1000 drive accountability for the
evaluation. Paragraph .14c makes the individual assigned ultimate
responsibility and accountability for the QC system as a whole
accountable for the annual evaluation. Additionally, paragraphs .14d
and .15b impose certification requirements that also drive
accountability for the evaluation process. The Board has adopted this
requirement as proposed.
The individual assigned operational responsibility for the
monitoring and remediation process is also responsible for
communicating, on a timely basis, matters related to monitoring and
remediation to the individuals assigned ultimate responsibility and
accountability for the QC system as a whole and operational
responsibility and accountability for the QC system as a whole. These
communications would include key aspects of the monitoring and
remediation process, such as the monitoring activities performed,
results of the monitoring activities, and the remedial actions taken.
The communication of this information to the individual assigned
ultimate responsibility and accountability for the QC system as a whole
facilitates and supports that individual's overall accountability for
the evaluation of the QC system.
2. Current PCAOB Standards
QC 20.22 requires the assignment of responsibility for the design
and maintenance of QC policies and procedures to appropriate
individuals but does not specify the role or roles to which such
responsibilities should be assigned. In addition, members of the SECPS
are required to designate a senior-level partner responsible for, among
other things:
Overseeing the functioning of the firm's independence
policies and consultation process;
Maintaining the restricted entity list and providing it to
all professionals; and
Supervising the monitoring system related to overseeing
that independence violations are addressed.
QC 1000 retains and expands on these concepts. However, rather than
specifying that a senior-level partner be responsible for independence
matters, the standard takes a more functional approach, requiring a
person with the experience, competence, authority, and time needed to
enable that person to carry out the assigned responsibilities.
Another key difference, as discussed above, is that QC 1000 imposes
specific responsibilities on the individuals assigned the specific
roles, such that enforcement action could be brought against them
individually if they fail to meet those responsibilities.

The Firm's Risk Assessment Process

The risk assessment process is the basis for a risk-based approach
to the design, implementation, and operation of the firm's QC system.
The firm's risk assessment process, in combination with the monitoring
and remediation process, creates a feedback loop to drive continuous
improvement of the firm's QC system.
The proposal included a risk assessment process that would be
principles-based and could be tailored to the size and complexity of
the firm and the types and variety of engagements it performs. Several
commenters, including firms, were generally supportive of a risk-based
approach to the firm's QC system. One commenter, an investor-related
group, expressed concern that a principles-based approach would allow
audit firms too much discretion in conducting their own risk
assessment. Another commenter noted that while they generally supported
a risk-based, scalable approach, they supported a more prescriptive
approach for the resources and monitoring and remediation components.
The Board has retained the approach as proposed because it believes
that applying a risk-based approach to the design, implementation, and
operation of the QC system will prompt firms to identify and focus on
the most relevant risks to quality in the context of their own practice
and will make QC 1000 appropriately adaptable to future changes in
technology, regulation, and the business environment. It will also
ensure scalability, allowing firms to right-size their QC systems as
their practices grow and change. As discussed above, QC 1000 contains a
balance of prescriptive and risk-based elements.
One commenter requested clarity on whether QC 1000 would operate
separately or in concert with other quality control standards,
specifically whether the risk assessment process would apply only to
engagements performed under PCAOB standards or to the firm's overall
risk assessment of all its engagements, including those performed under
other standards. Consistent with the way the term ``engagement'' is
defined in QC 1000,\158\ the requirements of QC 1000, including those
regarding the firm's risk assessment process, generally apply only to
work performed under PCAOB standards. However, nothing prevents a firm
from designing, implementing, and operating a single risk assessment
process for its entire audit and assurance practice that satisfies both
QC 1000 and the other quality control standards that apply to the firm.
---------------------------------------------------------------------------

\158\ See Terminology discussed above.
---------------------------------------------------------------------------

The risk assessment process should be familiar to firms because it
is analogous to existing auditor responsibilities for identifying,
assessing, and responding to risks of material misstatement of the
financial statements. Audit procedures for identifying and assessing
risks of material misstatement include information-gathering procedures
to identify risks (e.g., obtaining an understanding of the company, its
environment, and its internal control), assessment of risks based on
information obtained, and design and implementation of responses to
address the identified risks.\159\ The standard creates analogous
responsibilities in relation to the QC system. Similarly, as the
auditor is required by auditing standards to modify the overall audit
strategy and the audit plan if circumstances change during the course
of the audit,\160\ the firm is required by QC 1000 to monitor,
identify, assess, and respond to changes in relevant conditions,
events, and activities that affect the firm's QC system.
---------------------------------------------------------------------------

\159\ See generally AS 2110, Identifying and Assessing Risks of
Material Misstatement.
\160\ See AS 2110.74.
---------------------------------------------------------------------------

1. QC 1000.18
The firm's risk assessment process applies to the six components of
the firm's QC system that specify quality objectives. To design,
implement, and operate this process, the firm is required to:
Establish quality objectives;
Identify and assess quality risks to the achievement of
the quality objectives; and

[[Page 49622]]

Design and implement quality responses to address the
identified quality risks.
The process for establishing quality objectives, identifying, and
assessing quality risks, and designing and implementing quality
responses is iterative, and the requirements of the standard would not
necessarily be addressed in a linear manner. For example, in
identifying and assessing quality risks, the firm may determine that
one or more additional quality objectives are required; in designing
and implementing quality responses, the firm may identify additional
quality risks. The risk assessment process is also iterative and
ongoing, so that new or developing risks are identified and addressed
as they emerge. For smaller and less complex firms, the risk assessment
process may be centralized and involve only a few individuals. For
larger and more complex firms, the risk assessment process may be more
structured and decentralized, involving multiple layers and groups. The
Board believes that the risk assessment approach will prompt firms to
proactively identify, assess, and respond to quality risks, while at
the same time allowing them to apply judgment when identifying and
assessing quality risks.
a. Establish Quality Objectives (QC 1000.19)
The standard defines quality objectives as the desired outcomes in
relation to the components of the QC system to be achieved by the firm.
Establishing quality objectives is the first step in the risk
assessment process and forms the basis for the identification and
assessment of quality risks and the design and implementation of
quality responses. The quality objectives are outcome-based and the
risk assessment process provides firms the ability to determine how the
quality objectives are to be achieved.
One investor-related group expressed concern with the lack of
specificity in the proposed standard regarding the design of an audit
firm's quality control system, suggesting that the proposed standard
would enable firms to design a QC system that could too easily be
certified as working properly. The Board believes that the quality
objectives specified in QC 1000 will promote an appropriate level of
rigor in the QC system. While QC 1000 provides some flexibility with
regard to the quality risks that firms identify and the quality
responses that firms develop to address those risks, it does not
provide the same flexibility with regard to quality objectives.
Instead, quality objectives that will apply to all firms are specified
in the standard. Firms can establish additional quality objectives--
indeed, they are required to do so if necessary to achieve the
reasonable assurance objective--but they generally cannot omit or
modify any of the quality objectives set out in the standard.
Therefore, firms do not determine the criteria by which their QC
systems will be assessed, only the means by which they will meet those
criteria.
Quality objectives are specified in the standard for six of the
components of the QC system: governance and leadership, ethics and
independence, acceptance and continuance of engagements, engagement
performance, resources, and information and communication. A firm may
determine that it is necessary to establish quality objectives for its
monitoring and remediation process. In those circumstances, the firm's
risk assessment process would also apply to the monitoring and
remediation process. Otherwise, although monitoring and remediation
would not be subject to the firm's risk assessment process as described
in the standard, it would nevertheless be carried out in a way that is
informed by and responsive to quality risks.\161\
---------------------------------------------------------------------------

\161\ See Monitoring and Remediation Process below. For example,
quality risks and the reasons for their assessment are factors a
firm would take into account when determining the nature, timing,
and extent of its monitoring activities.
---------------------------------------------------------------------------

The Board believes that, for many firms, the quality objectives
specified in the standard are likely to be comprehensive and it does
not expect, in the current environment, that additional quality
objectives would generally be necessary. However, the Board also
recognizes that the nature and circumstances of a firm and its
engagements will vary and conditions may change. Accordingly, a firm is
required to establish additional quality objectives if necessary to
achieve the reasonable assurance objective.
The requirement for the firm to establish quality objectives
necessary to achieve the reasonable assurance objective is designed to
prompt ongoing reexamination of the quality objectives and modification
as needed, which should enable the firm's QC system to adapt to a
changing environment and remain fit for purpose. If a firm determines
that its quality objectives need to be more specific, it could
establish sub-objectives to provide a more direct link to quality risks
and support the development of more comprehensive or better-targeted
responses.
b. Identify and Assess Quality Risks (QC 1000.20)
The proposal defined quality risks as risks that, individually or
in combination with other risks, have a reasonable possibility of
adversely affecting the firm's achievement of one or more quality
objectives if the risks were to occur, and are either (i) risks that
have a reasonable possibility of occurring or (ii) risks of intentional
acts by firm personnel and other participants to deceive or to violate
applicable professional and legal requirements. The ``reasonable
possibility'' term in the definition of quality risks is aligned with
use of the term in PCAOB standards: \162\ there is a reasonable
possibility of an event when the likelihood of the event is either
``reasonably possible'' or ``probable,'' as those terms are used in the
FASB Accounting Standards Codification (``FASB ASC'') Topic 450,
Contingencies.\163\
---------------------------------------------------------------------------

\162\ See generally, e.g., AS 1105, Audit Evidence; AS 2101; AS
2201, An Audit of Internal Control Over Financial Reporting That Is
Integrated with An Audit of Financial Statements.
\163\ See FASB ASC paragraph 450-20-25-1; see also, e.g.,
footnote 4 to AS 1105.12, which incorporates the ASC definition.
---------------------------------------------------------------------------

A number of commenters raised questions or made suggestions about
the proposed treatment of intentional acts in the definition of quality
risks. One commenter suggested that intentional misconduct should not
be explicitly addressed in the definition because the necessary
response, especially as it relates to colleagues' behavior, may
negatively impact the trust among colleagues and could constrain the
achievement of quality objectives. Instead, this commenter suggested
that the risk of intentional misconduct may be more effectively
considered and responded to as part of the broader understanding of
quality risks. Another firm expressed concern that requiring
consideration of all illegal acts would contradict a risk-based
approach.
Several firms agreed that the definition of quality risks should
explicitly address the risk of intentional misconduct but suggested
that the definition should also address the possibility of occurrence
related to acts of intentional misconduct. Several commenters,
including firms, firm-related groups, and an academic, recommended that
the threshold of ``reasonable possibility of occurring'' should apply
to all quality risks, including risks of intentional misconduct. Many
of these commenters said that not applying the threshold of
``reasonable possibility of occurring'' to

[[Page 49623]]

the risk of intentional misconduct would not be practical and could
harm audit quality as this would divert time, resources, and attention
from addressing more reasonably possible risks. Some commenters
referenced the inclusion of the ``reasonable possibility of occurring''
threshold in AS 2110 and suggested that the same principle should apply
to the risk of intentional misconduct in QC 1000. Two of these
commenters suggested that not applying the threshold of ``reasonable
possibility of occurring'' to the definition of quality risks would be
inconsistent with AS 2401, Consideration of Fraud in a Financial
Statement Audit, and could impose a threshold on firms that exceeds the
current auditing standards over auditors' identification and assessment
of fraud risks. Several commenters also stated that the inclusion of
other participants in addressing every conceivable risk of intentional
misconduct may be impractical as firms may have limited access to
information on the conduct of other participants. One firm suggested
that additional guidance may be beneficial with regard to assessing and
responding to risks of intentional misconduct by other participants
that are not part of the firm.
A firm-related group suggested that not applying the threshold of
``reasonable possibility of occurring'' to intentional misconduct
appeared to go beyond the reasonable assurance objective and expressed
concern that, without further clarification of how firms should deal
with risks of intentional misconduct with less than a reasonable
possibility of occurring, a disproportionate level of resources could
be allocated to this area, to the detriment of other quality risks with
more than a remote possibility of occurring.
After considering the comments received, the Board revised the
definition of quality risks such that the threshold of ``reasonable
possibility of occurring'' applies to all risks, including risks of
intentional misconduct by firm personnel and other participants.
However, the Board continues to believe that firms should be explicitly
prompted to consider risks of intentional misconduct in their risk
assessment process, because without such a prompt, firms may discount
the possibility that intentional misconduct may occur and omit or
underweight these types of risks in their risk assessment process.
Therefore, the final definition provides that, for all risks, whether
or not related to intentional misconduct, the firm would assess the
possibility of occurrence and the possibility that the risks would have
an adverse effect on the achievement of its quality objectives.
One firm suggested that while the threshold of ``adversely
affecting'' is reasonably understood, additional guidance or examples
would be welcomed. Another commenter noted that more examples serve as
helpful interpretive guidance to those implementing the standard. Two
firms believed the threshold is sufficiently clear and did not have
specific requests for further guidance. The Board will monitor the
implementation of the new standard by audit firms, and, if appropriate,
consider the need for additional guidance.
The standard requires the firm to identify and assess quality risks
for each quality objective it establishes. Most quality objectives are
likely to have multiple quality risks. Some quality risks may relate to
multiple quality objectives, either within a single component or across
several components. The nature and extent of the firm's risk assessment
process would be commensurate with the firm's quality risks and
therefore will vary across firms in nature, scope, and complexity. In
assessing risks, the firm would consider how often the quality risks
may occur and the magnitude of the impact of the quality risks on the
related quality objectives. The firm would then take this information
into account in determining the nature, timing, and extent of the
quality response(s) needed to address the quality risk.
One commenter requested clarification of whether the Board expects
firms to categorize the identified risks (for example as lower, higher,
or significant). While there is nothing in QC 1000 that requires such
categorization, firms that find such an approach helpful could
certainly use it.
The standard requires the identification and assessment of quality
risks annually. Requiring an assessment annually, as well as when
matters come to the firm's attention, drives a systematic, disciplined,
and proactive approach to assessing the firm's quality risks. Through
the Board's oversight activities, it has observed that many firms
update their QC systems on an ad hoc basis, in response to changes in
regulatory requirements or deficiencies identified by internal or
external inspections, and do not have a systematic process of risk
assessment. This reactive approach can result in firms taking
corrective actions only after deficient audits have been identified.
The annual identification and assessment requirement will instill a
regular and disciplined approach to performing the risk assessment
process and to identifying new quality risks that require modifications
to the firm's quality responses or quality risks identified in a prior
year that may no longer be sufficient or relevant.
The standard does not specify quality risks that must be assessed
and responded to by all firms; rather it includes factors for the firm
to consider in its risk assessment process. The Board believes that
such an approach would result in the firm identifying and assessing the
quality risks that are most relevant in light of its facts and
circumstances.
i. Obtain an Understanding of the Conditions, Events, and Activities
That May Adversely Affect the Achievement of the Firm's Quality
Objectives
The standard requires the firm, as part of identifying and
assessing quality risks, to obtain an understanding of the conditions,
events, and activities that may adversely affect the achievement of the
firm's quality objectives. This understanding underpins the firm's
identification and assessment of the quality risks that are most
relevant to the achievement of the firm's quality objectives. Appendix
B of the standard provides examples related to the nature and
circumstances of the firm and its engagements that may give rise to
quality risks.
The considerations highlighted in paragraph .20a. and Appendix B
could assist the firm in identifying one or more quality risks to the
achievement of one or more quality objectives. For example,
consideration of changes in a firm's structure may be relevant for a
firm that has recently completed an acquisition of another firm. This
consideration may result in the identification of a number of quality
risks, such as a quality risk that the audit methodology used by the
acquired firm may not be compatible with the acquirer's methodology or
a quality risk that the firm is unable to retain personnel post-
acquisition, which may pose risks to quality objectives in areas like
engagement performance and resources.
Several commenters, including firms, noted that the examples
provided in Appendix B were helpful. Two commenters expressed concern
with the language used in paragraph .20a., specifically, that it was
not sufficiently clear that the specific examples in Appendix B are
meant to be illustrative rather than a checklist for every firm to
consider. As the Board stated in connection with the proposal, the list
in paragraph .20a. is not intended to be

[[Page 49624]]

exhaustive and the specific examples provided in Appendix B are meant
to be illustrative rather than a checklist for every firm to consider.
Whether particular conditions, events, and activities are relevant, and
result in one or more quality risks, depends upon the nature and
circumstances of the firm and its engagements and how the conditions,
events, and activities relate to or affect the operation of the firm's
QC system and the performance of its engagements. The firm may also
identify quality risks that do not relate to the list in paragraph
.20a. or to any of the specific examples.
One firm expressed concern with the inclusion of proposed paragraph
B10b. in Appendix B, which discusses the extent of alignment of a
third-party provider's standards of conduct with those of the firm. The
firm suggested that the example may imply that third-party providers
from outside the public accounting profession may not be appropriate or
sufficient, because they may not be subject to a centrally governed
code of conduct. Nothing in the Board's standards requires a third-
party provider to have a centrally governed code of conduct and the
Board has added the phrase ``if any'' to the example to eliminate any
ambiguity in that regard. However, the Board does believe that the
existence of such a code of conduct, and the extent to which it aligns
with the firm's own standards of conduct, is a relevant example that
could be considered by a firm in assessing whether there exist
conditions, events, or activities, as a result of its use of resources
or services obtained from third-party providers, that may adversely
affect the achievement of its quality objectives.
(1) The Nature and Circumstances of the Firm
The standard includes a list of considerations related to the
nature and circumstances of the firm. Appendix B of the standard
provides specific examples of each consideration in paragraphs .B2
through .B11.
The Board continues to believe that to consistently execute quality
audits, it is important that a commitment to audit quality is embedded
in the firm's culture and exists throughout the firm. In connection
with this, the Board has added a new paragraph .20a.(1)(d) and
paragraph .B5 to provide firms with an additional risk assessment
consideration relating to the culture of the firm, and the extent to
which a culture of integrity and a commitment to audit quality,
including ethics and independence, is promoted within the firm and
embraced by firm personnel across all levels of the firm.
In addition, the Board has added paragraph .B6e. to highlight that
in understanding the resources of the firm, the firm may also have to
consider the risks associated with technological resources, including
their susceptibility to cybersecurity breaches.
(2) The Nature and Circumstances of The Firm's Engagements
In obtaining an understanding of the nature and circumstances of
the firm's engagements, the firm considers the types of engagements
performed by the firm as well as the types of entities for which such
engagements are undertaken. Paragraph .B12 of Appendix B of the
standard contains a list of examples of these considerations. For
instance, a firm that conducts audits of broker-dealers may consider
information from relevant authorities, like the SEC and Financial
Industry Regulatory Authority (``FINRA''), in identifying risks
associated with such audit engagements. The Board added an example to
paragraph .B12a. to highlight that in understanding the nature and
circumstances of the firm's engagements, the firm may also consider the
laws and regulations to which the companies it audits are subject.
(3) Other Relevant Information
Other relevant information captures other information sources that
help the firm to identify quality risks. One such source is the firm's
monitoring and remediation activities. Consideration of information
from those activities creates a feedback loop within the QC system by
informing the firm of the results of the monitoring and remediation
process that may help the firm identify quality risks.
Other sources are external inspections and oversight activities by
regulators, and other external reviews, such as peer reviews. For
example, the results of an external inspection may identify a high rate
of noncompliance with independence requirements within a specific
office of the firm or within a certain employee staff level, which the
firm would take into account when identifying and assessing quality
risks for the ethics and independence component.
ii. Identify and Assess Quality Risks Based on the Understanding
Obtained
Under the standard, identifying and assessing quality risks is an
ongoing, iterative process. The firm assesses risks as part of the
initial design and implementation of the QC system, and thereafter
annually, including in response to new information or changes in its
circumstances and environment.
The standard requires the firm to identify and assess quality risks
for each of the quality objectives established by the firm, based on
the understanding of the relevant factors and other relevant
information and taking into account whether, how, and the degree to
which the achievement of the quality objectives may be adversely
affected. The note clarifies that this assessment is based on inherent
risk, without regard to the effect of any related quality responses.
The assessment is similar to the determination made under AS 2201 as to
whether an account or disclosure is significant based on inherent risk,
without regard to the effect of controls.\164\ One commenter agreed
with the clarification provided in the note that the assessment is
based on inherent risk, but expressed concern that the note may not be
sufficient to prompt or remind auditors of the independence of quality
risks from quality responses. The Board believes that the note to
paragraph .20b. provides clear direction for assessing quality risks
without regard to the effect of quality responses. The Board will
monitor the implementation of the new QC standard, and, if appropriate,
consider the need for additional guidance. Quality risks may affect one
or more quality objectives, either within a single component or across
several components. For example, a quality risk that the firm may not
be able to attract and retain qualified personnel would affect several
quality objectives in the resources component, and may also affect
quality objectives in other components, such as engagement performance
or engagement acceptance and continuance.
---------------------------------------------------------------------------

\164\ See AS 2201.A10.
---------------------------------------------------------------------------

Under the definition of quality risks, the firm would not be
required to identify every conceivable risk, but only those that have a
reasonable possibility of occurring and, if they were to occur, a
reasonable possibility of adversely affecting the firm's achievement of
one or more quality objectives. The identification of quality risks
takes into account individual risks as well as combinations of risks.
For example, a risk that has a reasonable possibility of occurring but
individually does not have a reasonable possibility of adversely
affecting the achievement of the quality objective may meet the
proposed definition of a quality risk when analyzed in combination with
other risks.
The firm may undertake the quality risk assessment separately or

[[Page 49625]]

concurrently with risk identification. Assessing the identified quality
risks involves consideration of the frequency with which the quality
risks may occur and the magnitude of the impact of the quality risks on
the related quality objective(s). Identifying quality risks with the
appropriate degree of specificity (not too narrowly or too broadly)
would help the firm design quality responses that reduce to an
appropriately low level the risk that the quality objective will not be
achieved. Quality risks that are defined too broadly may result in
quality responses that are not sufficiently targeted to the actual
quality risk. Conversely, if quality risks are defined too narrowly,
the quality responses may not sufficiently address the full extent of
the actual quality risk.
The process of identifying and assessing quality risks is depicted
below.
BILLING CODE 8011-01-P
[GRAPHIC] [TIFF OMITTED] TN11JN24.005

[[Page 49626]]

BILLING CODE 8011-01-C
c. Design and Implement Quality Responses (QC 1000.21)
The standard requires the firm to design and implement quality
responses that address quality risks in order to achieve the quality
objectives. Quality responses are defined as policies and procedures
designed and implemented by the firm to address quality risks. Under
the definition, policies are statements of what should, or should not,
be done to address assessed quality risks. Procedures are actions to
implement and comply with policies.
Under the principles-based approach of the standard, the nature,
timing, and extent of quality responses depend on the underlying
quality risks and the reasons why these risks were assessed as quality
risks. For example, a quality risk that is tied to an event that is
expected to occur multiple times per year, or that could have a very
significant impact, requires a more extensive response than a quality
risk tied to a specific event that is expected to occur only once and
have a less significant impact.
The firm may decide to implement quality responses at the firm
level or the engagement level, or through a combination of responses at
the firm and engagement levels, depending on the nature of the quality
risk. Quality responses may address multiple quality risks related to
one or more QC components.
Quality responses may vary depending on to whom they apply. For
example, based on the quality risks that are being addressed, the firm
may develop some policies and procedures that are applicable to all
firm personnel and others that apply only to firm leadership or
personnel in a particular function or geographic location. Similarly,
the firm's policies and procedures regarding other participants may be
different for different types of other participants (e.g., network
affiliates, engaged specialists).
Information obtained from the identification and assessment of
quality risks enables the firm to develop quality responses that
appropriately and adequately respond to the quality risks. In assessing
risks, the firm would consider how often the quality risks may occur
and the magnitude of the impact of the quality risks on the related
quality objectives. The firm would then take this information into
account in determining the nature, timing, and extent of the quality
response(s) needed to address the quality risk.
In addition to the quality responses designed by the firm, the
standard requires certain specified quality responses for all firms.
Some specified quality responses are drawn from existing PCAOB
requirements \165\ or from the specified responses in ISQM 1,\166\ and
have been included either to carry existing requirements into the new
standard or to create other obligations that would have to be met in
designing, implementing, and operating the QC system. Other specified
quality responses are new provisions that the Board believes are
sufficiently important to merit an explicit requirement. The specified
quality responses are not intended to be comprehensive; on the
contrary, for most of the components of the firm's QC system, QC 1000
includes only a few specified quality responses, and for the engagement
performance component there are none. As a result, the specified
quality responses alone would not be sufficient to enable the firm to
achieve all established quality objectives, and firms must design and
implement their own quality responses in addition to the specified
quality responses. The specified quality responses and the quality
responses the firm designs and implements on its own are critical in
addressing quality risks.
---------------------------------------------------------------------------

\165\ See, e.g., QC 20.10, .13a, .13b, and .15a.
\166\ See paragraph .34 of ISQM 1.
---------------------------------------------------------------------------

For example, the specified quality response requiring mandatory
training \167\ may address some of the quality risks related to certain
quality objectives in the resources component (e.g., hiring,
developing, and retaining firm personnel).\168\ However, mandatory
training alone will not be sufficient to address all the quality risks
that may be identified for that quality objective and will have to be
combined with additional firm-developed quality responses.
---------------------------------------------------------------------------

\167\ See QC 1000.48.
\168\ See QC 1000.44a.
---------------------------------------------------------------------------

d. Modifications to the Quality Objectives, Quality Risks, or Quality
Responses (QC 1000.22-.23)
The standard requires firms to take proactive measures to address
new quality risks that may come up between the firm's periodic risk
assessments. To the extent practical, these policies and procedures
would be not just retrospective, but also forward-looking, so the firm
could anticipate and plan for significant changes. For example, a new
accounting standard may result in a firm identifying a new quality risk
that firm personnel may misinterpret the new standard. Identifying this
risk prior to the next annual risk assessment may prompt the firm to
revisit its quality responses that are affected by this event, and thus
avoid potential problems in future engagements.
One commenter suggested that it may be cost beneficial to require
or encourage audit firms' QC leaders to stay current with developments
in auditing literature to put them in a better position to triage newly
identified quality risks and identify engagements susceptible to those
risks. Another commenter recommended that firms be required to create
an individual or other entity charged with maintaining situational
awareness.
The Board notes that paragraph .22 of QC 1000 requires firms to
establish policies and procedures for monitoring changes to conditions,
events, and activities that indicate modifications to the firm's
quality objectives, quality risks, or quality responses may be needed.
In addition, the individual(s) responsible for monitoring such changes
are subject to the general due professional care standard of QC
1000.10, which requires a critical assessment of the relevant
information (which would include relevant literature). In light of
these overarching requirements, the Board does not consider it
necessary to add the specific provisions that commenters suggested.
Rather, the Board believes that allowing flexibility for firms to
establish policies and procedures to monitor, identify, and assess
changes to conditions, events, and activities encourages firms to
concentrate their efforts on the risks most relevant to them and
contributes to the standard being appropriately scalable. A firm may of
course determine, based on its nature and circumstances, that it is
appropriate to establish specific policies and procedures for the
monitoring of developments in auditing literature or to charge a
specific individual with maintaining situational awareness.
Policies and procedures in this area may vary, depending on the
size and complexity of the firm and the types and variety of
engagements it performs. For a larger firm operating in a complex
environment and auditing a wide range of different types of companies,
such policies and procedures would be extensive. For example, they
could involve periodic meetings with teams across the firm to gather
and analyze the necessary information to enable the firm to identify
changes to conditions, events, and activities that may require
modification of the firm's quality objectives, quality risks, or
quality responses. Smaller and less complex firms, operating in a less
varied and more stable environment, may have a

[[Page 49627]]

less extensive set of policies and procedures.
If the firm identifies changes to conditions, events, or activities
indicating modifications to the quality objectives, quality risks, or
quality responses may be needed, the standard requires the firm to
determine what, if any, modifications are needed, and to make them on a
timely basis. The timing depends on the nature and extent of the
modification needed. In some circumstances, immediate action may be
required, whereas in other cases, if the impact on risk is less urgent,
immediate action is not necessary. Modifications not implemented in a
timely manner may fail to prevent quality risks from occurring and
adversely affecting the quality objective. For example, in the case of
a new accounting standard, the firm would need to implement any
necessary modifications to its quality responses in time so that, once
the standard became effective, firm personnel would be able to apply it
properly.
2. Current PCAOB Standards
Under current PCAOB QC standards, firms have a responsibility to
establish and maintain a QC system to provide the firm with reasonable
assurance that its personnel comply with applicable professional
standards and the firm's standards of quality. The current QC standards
make few explicit statements about risk assessment.\169\
---------------------------------------------------------------------------

\169\ See, e.g., QC 20.16 (explaining that a firm's policies and
procedures should provide for obtaining an understanding with the
client about the services to be performed, to minimize the risk of
misunderstandings); QC 30.05 (identifying risks associated with the
firm's practice as a consideration in determining the need for and
extent of internal inspection procedures in monitoring the firm's QC
system).
---------------------------------------------------------------------------

Governance and Leadership

The governance and leadership component of the firm's QC system
addresses the environment that enables the effective operation of the
QC system and directs the firm's culture, decision-making processes,
organizational structure, and leadership. A firm's culture and tone, as
set by leadership, can and should promote the importance of quality.
The PCAOB has long considered firm governance and leadership to be
an important aspect of firms' QC systems. For example, PCAOB
inspections have historically covered the firm's tone at the top, a
foundational aspect of governance and leadership, during the process
for reviewing firms' QC systems.\170\ PCAOB inspection procedures focus
on how firm management is structured and whether actions and
communications by the firm's leadership--the tone at the top--
demonstrates a commitment to audit quality.\171\
---------------------------------------------------------------------------

\170\ See, e.g., Report on the PCAOB's 2004, 2005, 2006, and
2007 Inspections of Domestic Annually Inspected Firms, PCAOB Rel.
No. 2008-008 (Dec. 5, 2008) at 6, available at https://pcaobus.org/Inspections/Documents/2008_12-5_Release_2008-008.pdf; Staff
Inspection Brief, Vol. 2017/3: Information about 2017 Inspections
(Aug. 2017) at 8, available at https://pcaobus.org/Inspections/Documents/inspections-brief-2017-3-issuer-scope.pdf.
\171\ See https://pcaobus.org/oversight/inspections/inspection-procedures for information related to the PCAOB's inspection
procedures.
---------------------------------------------------------------------------

1. QC 1000
a. Governance and Leadership Quality Objectives (QC 1000.24)
Under QC 1000, a firm is required to establish quality objectives
for the governance and leadership component in several different areas:
The firm's commitment to quality;
Organization and governance structure; and
Resources.
i. The Firm's Commitment to Quality (QC 1000.25.a-d)
The firm's commitment to quality is an important factor in
influencing the behavior of firm personnel and the conduct of
engagements. The Board believes that the firm's commitment to quality
is most effectively demonstrated through the communications, actions,
behaviors, and directives of leadership at all levels of the firm.
Accordingly, the quality objectives related to commitment to quality
are directed at the communications, actions, and accountability of firm
leadership.
Frequent and consistent communication from leadership to firm
personnel regarding the commitment to quality is important in order to
create an appropriate culture and tone at the top. Paragraph .25a.
focuses on communicating and promoting key professional attributes by
recognizing and reinforcing the firm's role in protecting the interests
of investors and the public interest by meeting the firm's
responsibilities; the importance of adhering to appropriate standards
of conduct; the importance of professional ethics, values, and
attitudes; and expected behavior and responsibility of firm personnel
for quality both in QC-related activities and the performance of
engagements. Collectively, these attributes and expected behaviors are
the foundation of an effective QC system.
To achieve an appropriate tone at the top, however, it is not
enough for firm leadership to ``talk the talk.'' They also have to
``walk the walk.'' Accordingly, paragraphs .25b. and .25c. establish
objectives with regard to leadership's responsibility for and
commitment to quality, including through leadership's own behavior. For
example, leadership would demonstrate a commitment to quality by acting
in a manner consistent with the firm's communications described in
paragraph .25a. regarding expectations of firm personnel. Conversely,
repeated failure to take steps to address known quality concerns would
demonstrate a lack of commitment to quality.
One commenter sought clarification on the term ``leadership,''
including whether it relates only to the specified roles in paragraph
.11 and .12, or to all partners and equivalents in the firm. Under QC
1000, leadership is not limited only to those in specified QC roles.
While the composition of leadership may vary due to the nature and
circumstances of the firm and its engagements and how the firm chooses
to organize itself, it includes firm-wide leadership; the executive
team; regional, office, and industry segment leadership; and any other
levels of leadership the firm may establish. Not all partners or
partner equivalents are necessarily leadership; it would depend on the
role of the individual.
Firms and firm-related groups were broadly supportive of the
Board's proposed quality objectives for governance and leadership.
However, several commenters, mostly investors and investor-related
groups, urged the Board to go further in stressing the role of firm
leadership and the QC system as a counterbalance to the economic
incentives that may drive firms to compromise on quality. Some
suggested that compensation plans should weigh quality as much as, or
more than, revenue generation. One investor-related group suggested
that the standard should increase accountability for the firm and firm
leadership's quality control efforts. Another investor stated that
audit quality should be required to be considered at the time of the
appointment of firm leadership. One commenter suggested that
leadership's accountability should not be limited to deficiencies and
outcomes but extended to acknowledge positive behaviors and processes.
After considering these comments, the Board revised paragraph .25b
to explicitly mention performance evaluation and compensation in the
context of defining leadership's responsibility for quality and holding
leadership accountable. The Board believes this will drive increased
clarity

[[Page 49628]]

about the scope of leadership's responsibilities and increased
accountability for an effective QC system, and will prompt firms to
focus on their expectations for leadership behavior and the incentives
that drive it. Firms can use a variety of different means to define the
responsibility for quality and drive accountability--from firmwide
communications and policies to individualized job descriptions,
performance targets, promotion criteria, compensation schemes, and
sanctions--and can acknowledge both outcome-based and process-based
measures and both positive and negative behaviors. The revised quality
objective reflects that performance evaluation and compensation play a
necessary role in that process.
While the Board agrees with the commenter that quality
considerations should be taken into account in the appointment of firm
leadership, the Board believes other quality objectives already address
that issue, such as paragraph .44g of QC 1000. Additionally, the
criteria for appointing firm leadership may appropriately vary based on
the size of the firm and the nature of its practice, so the Board has
avoided being prescriptive in that regard. For example, a larger firm
may have numerous candidates for leadership roles with many criteria
considered for appointment, but smaller PCAOB audit practices may have
limited personnel eligible for leadership roles.
As noted in the proposal, paragraph .25d. focuses on the firm's
commitment to quality in relation to its strategic decisions and
actions, which include matters such as the firm's financial goals,
growth of the firm's market share, industry specialization, business
combinations, new geographic markets, and new service offerings. The
quality objective emphasizes that a firm's strategic decisions and
actions should be consistent with and support the firm's commitment to
quality.
One commenter expressed concern that strategic actions may take
extended periods of time to yield benefits to quality, and it may be
challenging for firms to demonstrate that such actions are consistent
with a commitment to quality. The Board notes, however, that this
quality objective does not prescribe any specific time horizon, and the
Board believes it is wholly consistent with both short-term measures
and long-term investments in technology, training, knowhow, and other
means of strengthening a firm's audit practice that may take an
extended period to yield measurable improvements.
Some investors and investor-related groups suggested that the Board
require a clear separation of duties between those responsible for
audit quality and those responsible for commercial interests. Two of
those commenters cited the regulation of credit ratings agencies as an
example of appropriate separation of regulated activity and commercial
interests.\172\ Another commenter cited with approval the 2007
amendments to the AICPA QC standard, which included application
material to the effect that QC leaders should have the authority to
implement policies and procedures to ensure that others within the firm
will not override those policies to meet short-term financial goals (a
concept that does not appear in other QC standards).\173\
---------------------------------------------------------------------------

\172\ See 17 CFR 240.17g-5(c)(8), pursuant to which ratings
agencies are prohibited from having any person who participates in
determining or monitoring a credit rating, or developing or
approving procedures or methodologies used for determining a credit
rating, also participate in sales or marketing or be influenced by
sales or marketing considerations.
\173\ See AICPA, QC Section 10, A Firm's System of Quality
Control, paragraph .A5.
---------------------------------------------------------------------------

The Board considered mandating a greater degree of separation
between decision-making about QC and potential commercial motivations,
as these commenters suggested, but the Board does not believe such
separation can be achieved by all firms, especially firms with smaller
PCAOB audit practices with limited leadership roles. As discussed in
more detail below, the Board is requiring firms with larger PCAOB audit
practices to include an element of independent oversight of their QC
system. Moreover, the Board does not believe it would be appropriate to
mandate a fully separate or independent QC function. Potential
conflicts of interest at the engagement level are addressed in numerous
ways in the Board's regulatory scheme: through independence
requirements,\174\ ethical requirements of integrity and
objectivity,\175\ and the basic requirement of professional skepticism,
a critical aspect of due professional care.\176\ At the firm level, the
Board believes that those conflicts can best be addressed by
emphasizing the responsibility and accountability of firm leadership.
QC 1000 requires that responsibility for QC reside at the highest
levels of firm leadership, and that leaders are evaluated and
compensated in a way that creates accountability. In the Board's view,
appropriately incentivized firm leadership are best positioned to set
the tone and establish a quality-focused culture throughout the firm.
Rather than requiring firms to segregate the governance of the firm's
audit practice from the firm's other commercial interests, the Board
believes the quality objectives described in paragraph .25 will promote
responsibility for and commitment to quality, while allowing firms to
develop quality responses appropriate to their particular governance
structure.
---------------------------------------------------------------------------

\174\ See PCAOB Rule 3500T, Interim Ethics and Independence
Standards.
\175\ See EI 1000, Integrity and Objectivity.
\176\ The general principles and responsibilities of the auditor
when conducting an audit, including professional skepticism and due
professional care, are being reaffirmed and combined in AS 1000, as
adopted. See Auditor Responsibilities Release.
---------------------------------------------------------------------------

Lastly, one commenter suggested the governance and leadership
component should promote diversity, equity, and inclusion in recruiting
talented leaders, a governance body, and auditors. Another commenter
suggested leadership can demonstrate its commitment to quality through
providing ongoing, meaningful support of scholarly audit and accounting
research. The Board has not revised the standard to reflect these
specific suggestions; however, firms may identify quality risks and
design and implement quality responses in these areas to achieve the
quality objective in paragraph .25a or other quality objectives
established by the firm.
ii. Organizational and Governance Structure (QC 1000.25.e)
Establishing and maintaining appropriate firm organizational
structures provides an institutional framework supporting the firm's QC
system and the performance of the firm's engagements. Organizational
structures may include operating units, operational processes,
divisions, and geographical locations.
Firm organizational structures may differ based on the size and
complexity of the firm in order to be flexible, scalable, and
proportionate to the circumstances of the firm. Some firms may
concentrate or centralize processes or activities and other firms may
have a decentralized approach. Some firms may use internal shared
service centers in the operation of the firm's QC system or to enable
the performance of its engagements.
A firm's governance structure may include a governing board or
committee with representation from various service lines, or with
members who are independent of the firm.\177\ Such a

[[Page 49629]]

governing board may have subcommittees to assist it with managing
specific areas, such as strategic planning, resource planning, the
firm's risk assessment process, and the monitoring and remediation
process.
---------------------------------------------------------------------------

\177\ When the Board refers to independence in the context of
firm governance, it means the criteria typically applied to
independent directors of issuers. See, e.g., New York Stock Exchange
(``NYSE'') Listed Company Manual, Section 303A.01-.02; Nasdaq Rule
5605(a)(2). This is distinct from the requirements for auditor
independence from the audit client, discussed below.
---------------------------------------------------------------------------

Paragraph .25e., which did not attract specific comment and the
Board adopted as proposed, will drive a firm's organizational and
governance structure to enable the design, implementation, and
operation of the QC system and support performance of the firm's
engagements in accordance with applicable professional and legal
requirements. This results-oriented approach focuses on whether the QC
system actually works as intended and allows firms to tailor the
establishment of their governance structure. Additionally, the firm
would consider the complexity and operating characteristics of the firm
as part of performing its risk assessment process and identifying
quality risks.\178\
---------------------------------------------------------------------------

\178\ Appendix B includes an example regarding the existence and
extent of governance structures providing oversight of leadership.
See QC 1000.B2.g.
---------------------------------------------------------------------------

The assignment of roles, responsibilities, and authority within the
firm's organizational structure is a key aspect of the design,
implementation, and operation of the QC system. Establishing clear
roles and responsibilities and clear lines of authority helps to
translate the broad institutional objectives of the QC system into
individual actions to be performed and monitored, and for which
individuals can be held accountable. The assignment of roles and
responsibilities may vary across firms depending on the nature and
circumstances of the firm and its engagements.\179\ For example, in a
smaller firm with a limited number of individuals in leadership roles,
the individual with oversight of the firm may assume all of the roles
and responsibilities related to the QC system. A larger firm may have
multiple levels of leadership that align to the firm's organizational
structure.
---------------------------------------------------------------------------

\179\ See Roles and Responsibilities above, for a discussion of
specific roles and responsibilities that are required to be
assigned.
---------------------------------------------------------------------------

iii. Resources (QC 1000.25.f)
The firm's resources \180\ enable the operation of the firm's QC
system and the performance of the firm's engagements. Firm leadership
influences the nature and extent of the resources that the firm
obtains, develops, uses, and maintains, and how those resources are
allocated or assigned, including the timing of when they are used. This
quality objective, which did not draw comment and which the Board
adopted as proposed, emphasizes the importance of the firm having the
necessary resources, and allocating them appropriately, such that the
firm's QC system is designed, implemented, and operated effectively and
the firm's engagements are performed in accordance with applicable
professional and legal requirements.
---------------------------------------------------------------------------

\180\ See Resources below, for a discussion of the different
types of resources.
---------------------------------------------------------------------------

b. Governance and Leadership Specified Quality Responses (QC 1000.26-
29)
The proposal included three specified quality responses in the
governance and leadership component, discussed in greater detail below.
Some firms and a firm-related group objected generally that the
specified quality responses were overly prescriptive and unnecessary,
and suggested they should be reformulated as risk-based quality
objectives. Other firms generally supported including specified quality
responses.
The Board believes the specified quality responses address
important risks that justify specific requirements and has retained
them in the final standard. Firms are required to include these
specified quality responses when designing and implementing quality
responses to address the quality risks in the governance and leadership
component.
Proposed QC 1000 included a requirement for the firm to establish
and maintain clear lines of responsibility and supervision within its
QC system. A commenter argued that the quality objective in paragraph
.25e is sufficient and the specified quality response was not
necessary. While paragraph .27 may address a portion of the firm's
quality response to .25e, the Board believes paragraph .27 provides
additional direction that is appropriate for all firms. Establishing
and maintaining structures within the firm--including defining
authorities, responsibilities, accountabilities, and supervisory and
reporting lines for roles within the firm--will support the effective
design and operation of the QC system and the performance of the firm's
engagements, regardless of the size of the firm or the types of
engagements it performs. The requirement also complements the
documentation requirements of QC 1000.\181\
---------------------------------------------------------------------------

\181\ See QC 1000.82a. for the documentation requirements
related to lines of responsibility and supervision.
---------------------------------------------------------------------------

One commenter expressed concern that this requirement, in
combination with the requirements of paragraph .12, could result in a
prescriptive, hierarchical approach that would not be desirable or
practical. The requirement in the final standard is intended to enhance
supervision within the context of firms' existing QC systems and
supervisory structures. It does not require firms to develop or adopt
any particular supervisory structure and would be compatible with a
range of different approaches, including very flat structures.
The commenter also expressed concern that individuals acting in a
supervisory capacity could face liability beyond what exists under
Sarbanes-Oxley, which may disincentivize teaming. As discussed above,
paragraphs .15, .16, and .17 of the final standard prescribe specific
supervisory roles within a firm's QC system, and the individuals who
fill those roles are supervisory persons who must exercise reasonable
supervision for purposes of section 105(c)(6) of Sarbanes-Oxley.
Additionally, to the extent that other individuals are assigned
supervisory responsibilities in light of paragraph .27's specified
quality response, those individuals, like all who are involved in the
design, implementation, and operation of the QC system, must exercise
due professional care as set forth in paragraph .10 of the final
standard.
Another commenter recommended that individuals in supervisory roles
should be held liable only for knowing or reckless violations. The
Board notes that paragraph .27 does not itself create responsibilities
for supervisory personnel or prescribe standards of liability that
apply when those responsibilities are not met. Those issues are
addressed elsewhere in the PCAOB's standards and rules, including in
the roles and responsibilities component of QC 1000 and PCAOB Rule
3502,\182\ as well as in section 105(c)(6) of Sarbanes-Oxley.\183\ In
the

[[Page 49630]]

Board's view, the requirement to establish and maintain clear lines of
authority and supervision primarily serves to clarify how the QC system
is structured and how it operates, by laying out clearly the
authorities, responsibilities, accountabilities, supervisory and
reporting lines, and who is responsible for each element of the QC
system. If the requirement has consequences in terms of individual
accountability and liability, that would only be because it removes any
doubt about which individuals are acting in a supervisory capacity and
the scope of their respective responsibilities, thereby clarifying how
these other provisions should be applied.
---------------------------------------------------------------------------

\182\ See PCAOB Rule 3502. The Board has proposed to amend Rule
3502 to change the standard of conduct for associated persons'
contributory liability from recklessness to negligence and to
provide that an associated person contributing to a violation need
not be an associated person of the registered firm that commits the
primary violation. See PCAOB Rel. No. 2023-007.
\183\ Under section 105(c)(6) of Sarbanes-Oxley, if an
associated person of a registered public accounting firm violates
any provision of law, rules, or standards referenced in section
105(c)(6), the Board may impose sanctions on the firm or its
supervisory persons if the Board finds that there was a failure
reasonably to supervise that associated person with a view to
preventing such a violation. The Board has adopted a rule related to
section 105(c)(6) that provides for commencing a disciplinary
proceeding if it appears that a firm or its supervisory personnel
have failed reasonably to supervise an associated person who has
committed a violation. See PCAOB Rule 5200, Commencement of
Disciplinary Proceedings, at (a)(2); see also, e.g., In the Matter
of Scott Marcello, CPA, PCAOB Rel. No. 105-2022-004 (Apr. 5, 2022)
(imposing sanctions under section 105(c)(6)); In the Matter of WWC,
P.C., PCAOB Rel. No. 105-2022-006 (Apr. 19, 2022) (same); In the
Matter of KPMG Inc., Cornelis Van Niekerk, and Coenraad Basson,
PCAOB Rel. No. 105-2022-015 (Aug. 29, 2022) (same).
---------------------------------------------------------------------------

The proposal included a specified quality response to incorporate
an oversight function for the audit practice including at least one
person from outside the firm, which would apply to firms that issue
audit reports with respect to more than 100 issuers. See Scalability
above, for a discussion of the 100-issuer threshold.
Comments were mixed on the need for and potential breadth of this
requirement. The Board received several comments, primarily from
investors and investor-related groups, suggesting that the proposed
requirement did not go far enough. Some commenters stated that the
oversight function should not be limited to one individual but instead
a larger number (such as three) of independent non-employee members
should be required, or potentially an advisory council or committee of
the firm's board of directors with multiple or even a majority of
independent non-employee members. Some of these commenters asserted
that requiring only one person with undefined authority to serve in an
oversight role makes it unlikely to be effective and falls short of the
2008 recommendations of the U.S. Treasury Department's Advisory
Committee on the Auditing Profession, which suggested consideration of
``firms appointing independent members with full voting power to firm
boards and/or advisory boards with meaningful governance
responsibilities.'' \184\ One commenter objected that the requirement
only mandates practices that are already in place at the largest firms,
and so will not generate any change. Another commenter asserted that
there is little merit in requiring an independent member of the firm's
oversight function without also considering the balance of the
oversight function and the contribution of the independent member.
Others called for more specificity about the individual's role,
including specific powers, such as the power to meet with firm
management and obtain relevant information. Some investor-related
groups also called for transparency on the role of the non-employee
members.
---------------------------------------------------------------------------

\184\ U.S. Treasury Department, Advisory Committee on the
Auditing Profession Final Report (Oct. 6, 2008) at VII.8.
---------------------------------------------------------------------------

Many commenters, including some larger firms, supported the
oversight role. Two commenters suggested that the requirement for an
independent oversight function be extended to apply to all firms that
issue audit reports for issuers and one of these commenters suggested
having firms consider whether an independent function is an appropriate
response to achieving the quality objectives.
Other commenters, including some mid-sized firms, did not support
the specified quality response and suggested it should be a quality
objective instead. One firm suggested that the objective could be
better accomplished by designating an ``audit quality expert'' on a
firm's board (similar to a ``financial expert'' on an audit committee)
or by hiring independent external QC advisers. Some commenters
expressed concern about the lack of specificity and clarity regarding
the role, including questions regarding the individual's authority and
function. One noted that the individual was not required to be a CPA
and asserted that the need for and benefits of the role had not been
sufficiently articulated; on that basis, the commenter did not support
it. Another commenter did not see the linkage between the specified
quality response and the quality objectives and suggested that the lack
of definition of the role, coupled with a lack of clarity about which
quality objectives were being addressed, would make implementation
challenging. Other commenters stated that finding individuals to fill
this role may be challenging.
Some commenters requested guidance on how to implement the
requirement, including with respect to the qualifications or roles of
the individuals. One firm sought clarity on whether supervisory
liability under Sarbanes-Oxley section 105(c)(6) would apply equally to
members with an oversight or advisory function. Some commenters,
including firms, expressed concern about the potential scope and
meaning of the terms such as ``governance structure,'' ``independent
judgment,'' and ``oversight function,'' and requested confirmation that
current practices such as independent advisory boards are a permissible
approach. One firm requested an extended implementation period to allow
time for firms to design and implement the oversight function,
including identifying and onboarding appropriate individuals.
Based on the comments received, the Board refined the proposed
requirement to provide additional specificity and clarity. The final
rule refers to an ``external'' oversight function ``for the QC system
composed of one or more persons,'' none of whom has a disqualifying
relationship with the firm. This more precise language clarifies that
the focus is on the QC system and emphasizes that the function is to be
carried out entirely by one or more persons external to the firm, who
are not principals or employees of the firm and do not have any other
relationship with the firm that would interfere with the exercise of
independent judgment with regard to QC-related matters. The Board also
added a name for the position--External QC Function, or EQCF--which it
believes clarifies and underscores that the person or persons are
external to the firm and serve in a QC-focused role.\185\ The Board
also conformed the provision to the descriptions in QC 1000.12 of other
specified QC system roles by providing that the EQCF should have the
experience, competence, authority, and time necessary to enable them to
carry out the responsibilities assigned to them by the firm.
---------------------------------------------------------------------------

\185\ Firms may assign other functions to the person or persons
serving in the EQCF role so long as the specified QC function can be
carried out as set forth in the standard and discussed in this
release.
---------------------------------------------------------------------------

To clarify what is entailed in ``an external oversight function for
the QC system,'' the final standard also specifies a baseline
requirement that the EQCF's responsibilities should include evaluating,
at a minimum, the significant judgments made and the related
conclusions reached by the firm when evaluating and reporting on the
effectiveness of its QC system. The Board believes this addition is
responsive to commenters who requested clarification of the proposal,
as well as those suggesting that the

[[Page 49631]]

standard include some specific requirements with respect to the role.
The Board expects that firms will make a number of significant
judgments in performing and reporting on their QC system evaluation.
The Board expects that the person or persons serving in this external
oversight function will evaluate judgments made by firm personnel in
the firm's evaluation of the firm QC system and the required reporting.
The evaluation performed by the EQCF will be in some respects
analogous to the EQR's evaluation of significant judgments made by the
engagement team and the related conclusions reached in forming the
overall conclusion on the engagement and in preparing the engagement
report.\186\ Like the EQR, the EQCF will review and evaluate work
performed by others, not redo the work, and must exercise due
professional care in performing their responsibilities.\187\
---------------------------------------------------------------------------

\186\ See AS 1220.09.
\187\ See QC 1000.10; AS 1220.12.
---------------------------------------------------------------------------

However, there are important differences between the requirements
for the EQR and the EQCF. Unlike the EQR standard, QC 1000 does not
impose specific limits on the length of service of the EQCF, though
firms should consider the potential for arrangements relating to length
of service, such as term limits and protections against removal, to
prevent the creation of a relationship with the firm that impairs
independent judgment. QC 1000 also does not specify the procedures the
EQCF should perform to evaluate the significant judgments made and
related conclusions reached. These may vary based on the circumstances
of the firm and the design, implementation, and operation of its QC
system, but must be sufficient to enable the EQCF to perform their
evaluation with due professional care. In addition, unlike the EQR
standard, QC 1000 does not require that the EQCF provide concurring
approval of reporting, although firms would be free to establish such
concurring approval as a matter of policy. Documentation will have to
be prepared and maintained in sufficient detail to evidence how the
quality response operated.\188\ This will form part of the QC
documentation supporting the firm's ongoing risk assessment and
monitoring and remediation efforts, as well as the Board's oversight
activities. Under QC 1000.65, firms will be required to consider the
EQCF's evaluation in their ongoing monitoring of the QC system
(including monitoring of the evaluation process).
---------------------------------------------------------------------------

\188\ QC 1000.83b. The board expects such documentation to
include both (1) how the EQCF evaluated the significant judgments
made and the related conclusions reached by the firm when evaluating
and reporting on the effectiveness of its QC system and (2) the
results of the EQCF'2 evaluation.
---------------------------------------------------------------------------

Separately, the Board carefully considered commenter suggestions to
increase the required number of independent individuals and to
establish specific eligibility criteria for them. Given the oversight
responsibility of an EQCF, the Board believes at least one person is
always necessary and firms may determine, based on their circumstances,
that more than one person is needed to appropriately carry out the
function. The Board believes the requirement will respond to the
quality objective in paragraph .25e by ensuring an independent
perspective on QC matters, but it does not supplant firm leadership or
relieve them of their fundamental responsibility to instill and
maintain a firm culture that appropriately prioritizes QC. Accordingly,
the Board does not believe it would be appropriate to mandate a
specific number of individuals or the specific credentials they must
have (besides their ability to exercise independent judgment with
regard to matters related to the QC system and the general requirement
that they have the experience, competence, authority, and time
necessary to enable them to carry out their assigned responsibilities).
Rather, the decision will be based on specific skillsets of the person
or persons in this function to be able to carry out the requirements of
the function. In that regard, firms may conclude that one or persons
appointed to the EQCF should be non-auditors to bring a greater
diversity of perspectives to the function.
Beyond the minimum responsibilities specified in the standard, the
Board gave firms flexibility in establishing other responsibilities of
the EQCF, enabling the function to best respond to the nature and
circumstances of the firm. For example, if the firm has experienced an
increase in recurring engagement deficiencies, the firm may charge the
EQCF with reviewing and evaluating the firm's remediation actions and
monitoring plan. As another example, a firm may assign the EQCF with
strategic responsibilities, such as maintaining situational awareness
through the identification and monitoring of emerging risks or trends
that could potentially affect the firm's QC system. While QC 1000
specifies that the EQCF exercise oversight over the QC system, the firm
may also choose to extend its authority more broadly. The
responsibilities assigned to the EQCF will in turn drive decisions
about the scope of the EQCF's authority. At a minimum, that will entail
sufficient access to information, documentation, and firm personnel to
enable evaluation of the significant judgments made and the related
conclusions reached by the firm when evaluating and reporting on the
effectiveness of its QC system, but it could be broader depending on
the scope of the EQCF's responsibilities as assigned by the firm.\189\
Consideration of the experience, competence, and time necessary to
serve in the role will likewise depend on the responsibilities assigned
by the firm.
---------------------------------------------------------------------------

\189\ The scope of the firm policies and procedures regarding
the EQCF will also depend on its role and the associated risks. For
example, pursuant to QC 1000.53g, firms will have to develop
policies and procedures regarding information communicated to and
obtained from the EQCF.
---------------------------------------------------------------------------

The firm may consider many matters when establishing an EQCF. Such
matters could include:
The responsibilities assigned by the firm to the EQCF,
including those specified in QC 1000;
The qualifications required of the individual(s) assigned
to fulfill those responsibilities, including those specified in QC
1000;
The scope of authority afforded to the EQCF in light of
the assigned responsibilities;
Whether to establish a direct line of communication from
the EQCF to the individual assigned ultimate responsibility and
accountability for the QC system as a whole, or the individual assigned
operational responsibility for the QC system as a whole, or both;
Whether to require that the EQCF comply with independence
requirements applicable to auditors; \190\
---------------------------------------------------------------------------

\190\ See Regulation S-X Rule 2-01(b)-(c), 17 CFR 210.2-01(b)-
(c), and PCAOB Rules under Section 3, Auditing and Related
Professional Practice Standards, Part 5--Ethics and Independence.
---------------------------------------------------------------------------

The level of external transparency of the EQCF's role and
responsibilities;
The compensation structure for the EQCF; and
The term of service for the EQCF, including restrictions
on removal and limits on length of service.
In making these determinations, the firm should be mindful of the
requirement that members of the EQCF not have any relationship with the
firm that would interfere with the exercise of independent judgment
with regard to matters related to the QC system.
The EQCF could be, but would not be required to be, in the ``chain
of command'' under the SEC independence rule.\191\ The Board does not
believe that the EQCF would be a ``supervisory person'' under Sarbanes-
Oxley section 105(c)(6) solely by virtue

[[Page 49632]]

of having evaluated the significant judgments made and related
conclusions reached by the firm when evaluating and reporting on the
effectiveness of the firm's QC system. However, depending on the nature
and degree of their responsibility, ability, or authority to affect the
conduct of the firm's associated persons, as established by the firm,
the EQCF could be subject to Sarbanes-Oxley section 105(c)(6).
---------------------------------------------------------------------------

\191\ See 17 CFR 210.2-01(f)(8).
---------------------------------------------------------------------------

The Board has not required the results of the EQCF's evaluation to
be publicly disclosed.\192\ However, nothing set forth in this release
would limit or prohibit firms from disclosing any information about the
EQCF's activities--including the EQCF's practices, methods, or
procedures, or the manner or results of the EQCF's evaluation--if the
firm chooses.
---------------------------------------------------------------------------

\192\ For a discussion of certain legal constraints imposed by
Sarbanes-Oxley on the Board's ability to require public disclosure
of certain QC-related information, see Section IV.L.1.c.ii. As part
of a separate project, the Board has proposed a requirement for
firms that have an EQCF to disclose the identity of the person or
persons, an explanation for the basis of the firm's determination
that each such person is independent of the firm (including the
criteria used for such determination), and the nature and scope of
each such person's responsibilities. See PCAOB Rel. No. 2024-003.
---------------------------------------------------------------------------

Based on comments received and experience with inspections of
firms' systems of quality control, the Board believes that investors,
audit committees, and other stakeholders will benefit from the EQCF's
evaluation even in the absence of public disclosure. An external
oversight function should enhance the discipline with which the firm
carries out its own QC system evaluation. As the Board observe the
implementation and performance of the EQCF through its inspection
activities, the PCAOB may publish observations or good practices. For
these reasons, the Board believes that the EQCF will support
improvements in firms' systems of quality control, ultimately
benefiting investors, audit committees, and other stakeholders.
People internal and external to the firm can help a firm identify
instances of noncompliance with applicable professional and legal
requirements earlier than might be possible through the firm's own
monitoring.\193\ The proposal included a specified quality response
requiring policies and procedures for addressing potential
noncompliance with applicable professional and legal requirements and
with the firm's policies and procedures with respect to the QC system,
the firm's engagements, firm personnel, or other participants.
---------------------------------------------------------------------------

\193\ In addition, through this process information may be
received regarding noncompliance with laws and regulations by
companies that engage the firm.
---------------------------------------------------------------------------

This would include clearly defining channels within the firm that
enable reporting of complaints and allegations by firm personnel and
external parties (e.g., employees of companies or other participants)
and establishing procedures for appropriately investigating and
addressing such complaints and allegations, including complying with
any applicable reporting or other requirements.\194\
---------------------------------------------------------------------------

\194\ A firm's program for addressing complaints and allegations
may be subject to requirements under applicable law regarding
whistleblowers (such as, for example, N.Y. Labor Law Section 740).
However, such a program should not be confused with a whistleblower
program established and administered by the Federal government,
including the program administered by the SEC, which has its own
requirements and protections. See, e.g., 17 CFR 240.21F-1 through
.21F-18. To the extent a firm's program for addressing complaints
and allegations provides protective measures, such as
confidentiality and non-retaliation, based only on firm policy and
not on law, such protective measures may not create legally
enforceable rights.
---------------------------------------------------------------------------

The proposal sought comment on the appropriateness of this
specified quality response, and whether any additional specified
quality responses should be considered. Two firms that commented
supported the specified quality response. Two other firms expressed
concern with the prescriptiveness of other participants being included
in the requirement. One investor suggested there should be an explicit
requirement for a whistleblower mechanism with key protections such as
confidentiality and protection against retaliation, and that the
individual responsible for the firm's QC system be responsible for the
investigation of whistleblower complaints and remediation of QC issues
identified by whistleblowers.
The Board adopted the specified quality response with some
modifications, described below. The Board believes that establishing
policies and procedures that support the reporting and investigation of
potential noncompliance will assist firms in complying with applicable
professional and legal requirements. It will also assist them in
identifying and dealing with individuals, including those in
leadership, who fail to comply with applicable professional and legal
requirements or the firm's policies and procedures. Finally, it may
result in firm personnel or external parties identifying and
communicating deficiencies in the QC system.
The final provision retains the reference to other participants, as
the Board believes it is important for the firm to capture any
potential noncompliance with applicable professional and legal
requirements, including with regard to work performed by other
participants that relates to the firm's QC system or the firm's
engagements.
The Board has expanded the requirements related to the firm's
policies and procedures for collecting and addressing complaints and
allegations to explicitly require that they:
Be made available to all firm personnel and other
participants;
Address processes and responsibilities for receiving,
investigating, and addressing complaints and allegations; and
Include protecting persons making complaints and
allegations from retaliation.
The Board also expanded the specified quality response to require
firms that issued audit reports with respect to more than 100 issuers
during the prior calendar year to include confidentiality protections
in their policies and procedures.
The firm's policies and procedures regarding complaints and
allegations should be made available to all firm personnel and other
participants, which could occur by posting them on an intranet site or
providing such policies and procedures to other participants upon
engagement. The policies and procedures should include identifying who
is responsible for receiving, investigating, and addressing complaints
and allegations; describing the process for submitting complaints and
allegations; and describing how the firm will investigate and address
complaints and allegations received. The Board also specified that the
policies and procedures should explicitly address protection against
retaliation of persons making complaints and allegations, which the
Board believes is a critical element of any effective program for
receiving complaints and allegations.
The required policies and procedures regarding investigating and
addressing complaints and allegations allow scalability. The process
for investigating and addressing a complaint or allegation would vary,
commensurate with and responsive to the significance of the complaint
or allegation.
For firms that issued audit reports with respect to more than 100
issuers during the prior calendar year, the policies and procedures
will have to provide a confidential and anonymous submission process
for complaints and allegations, similar to the requirements for audit
committees under the Exchange Act.\195\ For example, a firm

[[Page 49633]]

may have a confidential and anonymous submission process through a
website, toll-free number, or mobile app, and could manage the process
in-house or through a third-party provider. The firm's policies and
procedures will also have to provide for protection, during the
investigation, of the confidentiality of individuals and entities who
make complaints and allegations. The Board believes this requirement
specifically targets and responds to potential quality risks that are
more likely to arise in audit practices of a certain size and
complexity. However, firms that are not subject to this express
requirement may nevertheless determine that such requirements are a
necessary or appropriate quality response to address their quality
risks.
---------------------------------------------------------------------------

\195\ See 15 U.S.C. 78j-1(m).
---------------------------------------------------------------------------

2. Current PCAOB Standards
Existing PCAOB QC standards contain limited references to firm
governance and leadership. For example:
QC 20 acknowledges that the QC system includes the firm's
organizational structure; \196\
---------------------------------------------------------------------------

\196\ See QC 20.04.
---------------------------------------------------------------------------

The SECPS member requirements on independence quality
controls provide that the importance of compliance with such
independence standards, and the QC standards, should be reinforced by
management of the member firm, thereby setting the appropriate tone at
the top and instilling its importance into the professional values and
culture of the member firm; \197\ and
---------------------------------------------------------------------------

\197\ See SECPS 1000.46.
---------------------------------------------------------------------------

The SECPS member requirements provide that member firms
should communicate to all professional firm personnel the broad
principles that influence the firm's quality control and operating
policies and procedures on, at a minimum, matters related to the
recommendation and approval of accounting principles, present and
potential client relationships, and the types of services provided, and
inform professional firm personnel periodically that compliance with
those principles is mandatory.\198\
---------------------------------------------------------------------------

\198\ See SECPS 1000.08(l).
---------------------------------------------------------------------------

Ethics and Independence

This component addresses the fulfillment of firm and individual
responsibilities under relevant ethics and independence requirements.
Adhering to such requirements is a foundational concept that not only
promotes audit quality but also safeguards the vital role that auditors
play within the capital markets.
The ethics and independence component of the standard has been
tailored to the ethics and independence requirements that apply to
engagements performed under PCAOB standards. Under the standard, ethics
and independence requirements include the PCAOB's ethics and
independence standards and rules, the SEC's rule on auditor
independence, and other applicable requirements regarding accountant
ethics and independence, such as those arising under state law or the
law of other jurisdictions (e.g., obligations regarding client
confidentiality).\199\ The Board clarified that the reference to other
applicable requirements is limited to those that are relevant to
fulfilling auditor obligations and responsibilities in the conduct of
engagements or in relation to the QC system. The standard requires
firms to establish quality objectives related to ethics and
independence requirements and design and implement specified quality
responses.
---------------------------------------------------------------------------

\199\ Footnote 10 to QC 1000 provides: Ethics and independence
requirements include PCAOB independence and ethics standards and
rules, the U.S. Securities and Exchange Commission (``SEC'') rule on
auditor independence, and other applicable requirements regarding
accountant ethics and independence that are relevant to fulfilling
their obligations and responsibilities in the conduct of engagements
or in relation to the QC system, such as those arising under state
law or the law of other jurisdictions. See, e.g., 17 CFR 210.2-01,
and PCAOB Rules under Section 3. Auditing and Related Professional
Practice Standards, Part 5--Ethics and Independence.
---------------------------------------------------------------------------

1. QC 1000
a. Ethics and Independence Quality Objectives (QC 1000.31)
Understanding of and compliance with ethics and independence
requirements are fundamental to the auditor's role. Adherence to
standards of professional ethics is as important as adherence to
requirements regarding auditor independence, and firms' QC systems
should address both. Under the standard, firms are required to
establish quality objectives that address understanding of and
compliance with ethics and independence requirements. While maintaining
independence and adhering to ethical requirements is each individual's
responsibility, the firm also has responsibility and plays a critical
role in ensuring that individuals understand those requirements and
have the tools and resources they need to comply.
One firm suggested that the Board clarify the ethical requirements
that are subject to the responsibility of the individual assigned
operational responsibility for the firm's compliance with ethics and
independence requirements. The firm specifically commented that
competence and due care are characteristics required by both ethical
standards and QC standards, and as a result, there could be confusion
over whether such requirements are ethical requirements or quality
control requirements when determining the responsibility of the
individual assigned operational responsibility for the firm's
compliance with ethical and independence requirements. In some cases, a
matter may be applicable to the responsibilities of both the individual
assigned operational responsibility for the firm's compliance with
ethics and independence requirements and the individual assigned
operational responsibility and accountability for the QC system as a
whole. A firm could divide responsibilities based on the specific
issues involved, so long as the lines of responsibility are clear (for
example, duties of competence and due care in the context of the audit,
codified under the PCAOB's ethics rules, could be assigned to the
individual with operational responsibility for compliance with ethics
and independence requirements, while duties of competence and due care
in the context of QC system activities, codified in QC 1000, could be
assigned to the individual with operational responsibility for the QC
system).
Under the standard, the firm is required to establish a quality
objective to identify conditions, relationships, events, and activities
that could result in violations of ethics and independence requirements
and evaluate and respond to such conditions, relationships, events, and
activities on a timely basis. This will help the firm reduce the risk
of noncompliance by identifying potential violations of ethics and
independence requirements in time to prevent many violations and to
quickly remediate violations that do occur. For example, a firm that
plans to acquire another firm could identify the acquisition as an
event that could result in independence violations by the personnel of
the acquired entity. This could prompt the firm to develop policies and
procedures that address onboarding processes for firm personnel of
acquired entities around independence. These policies and procedures
would assist in identifying and resolving potential independence
violations before the acquisition is completed. One firm commented that
as the proposed quality objectives for ethics and independence are
broadly consistent with other jurisdictional and international quality
control/management standards, it

[[Page 49634]]

believes that they are appropriate, and no further changes are needed.
An investor-related group expressed concern that the proposal did
not sufficiently address conflicts of interest, such as when an audit
firm performs other services for the audited company. The investor-
related group further commented that without clear separation between
those responsible for quality control and those responsible for
maintaining client relationships and winning consulting contracts,
investors can have less than full confidence the system of quality
control will ensure the necessary level of audit quality. The Board
acknowledges that QC 1000 does not create new requirements regarding
auditor independence. However, in relation to the commenter's specific
concern about the performance of non-audit services, QC 1000 requires
the QC system to operate over compliance with numerous restrictions on
non-audit services that exist under current independence rules enacted
in response to previous independence conflicts.\200\
---------------------------------------------------------------------------

\200\ See, e.g., 17 CFR 210.2-01(c)(4); PCAOB Rules 3522-3526.
---------------------------------------------------------------------------

QC 1000 establishes quality objectives that apply to all firms.
Within the ethics and independence component, firms are required to
establish quality objectives that address both personal and firm-level
compliance. Personal violations include such matters as owning stock in
companies that are audit clients of the firm or its affiliated entities
while a ``covered person in the firm.'' \201\ Firm-level violations
include such matters as providing prohibited services or failing to
obtain required audit committee pre-approval. The Board has also
included specified quality responses that directly address the firm's
policies and procedures for identifying and monitoring firm and
personal relationships with audit clients to help mitigate the risk of
potential violations. In addition, the roles and responsibilities
requirements direct firms to assign an individual operational
responsibility for the firm's compliance with ethics and independence
requirements to provide oversight specifically focused on this area.
---------------------------------------------------------------------------

\201\ See 17 CFR 210.2-01(f)(11).
---------------------------------------------------------------------------

The quality objectives address compliance with ethics and
independence requirements not just by firm personnel, but also by
others who may be subject to ethics and independence requirements in
relation to work they perform on behalf of the firm. These others may
include, for example, ``persons associated with a public accounting
firm'' as defined in PCAOB rules \202\ or ``covered persons in the
firm'' under the SEC independence rule.\203\ The Board notes that these
and other concepts used in the ethics and independence rules do not map
directly to the terminology the Board generally uses in QC 1000. (For
example, some ``other participants,'' such as other accounting firms,
are subject to independence requirements, while others, such as engaged
specialists and the company's internal auditors, are not.) To ensure
that the requirements for this component of the QC system align with,
and do not go beyond, the ethics and independence requirements over
which the QC system would operate, in this component the Board uses
terminology that incorporates or refers back to the underlying ethics
and independence requirements. For example, rather than having quality
objectives address compliance by ``other participants,'' in this
component the quality objective addresses compliance by ``others
subject to [ethics and independence] requirements.''
---------------------------------------------------------------------------

\202\ See PCAOB Rule 1001(p)(i).
\203\ For example, because the definition of ``accounting firm''
under 17 CFR 210.2-01(f)(2) includes associated entities, ``covered
persons in the firm'' may include personnel of network affiliates in
addition to firm personnel.
---------------------------------------------------------------------------

One firm commented that it supported the direction of the quality
objectives, but asserted that some of the terms were confusing as it
related to ``others subject to ethics and independence requirements.''
The firm questioned whether these correspond to other participants as
defined in the standard. The firm further commented that the
terminology used for others subject to ethics and independence
requirements could create operational challenges because those terms
are open to interpretation and requested that the Board clarify the
language the standard used. The firm suggested that the proposed
requirements that contain this language could go beyond the intended
applicability of the independence rules to the various parties
contemplated. Again, the Board uses terminology in this component that
incorporates or refers back to the terminology used in ethics and
independence rules, terminology which it believes is well understood in
those contexts. The Board uses it precisely to avoid going beyond the
scope of existing ethics and independence requirements, and to ensure
that QC 1000 addresses exactly the same population as the ethics and
independence rules themselves.
One firm commented that while the proposed quality objectives for
ethics and independence are appropriate and important, further
clarification may be needed of how the objectives apply to firm
personnel. Specifically, the firm argued that it could be inferred that
the ethics and independence requirements extend to all individuals
involved in the operation of the firm's QC system, including those
individuals who are not subject to the requirements under the existing
PCAOB and SEC independence rules, for example, data research teams. QC
1000 does not impose ethics and independence requirements on
individuals who are not currently subject to them. References in the
standard to ``requirements'' and ``obligations'' are to existing
requirements and obligations which themselves specify to whom they
apply. However, firms may choose to implement broader policies
regarding ethical behavior that impose requirements on individuals who
are not subject to the ethics and independence rules of the PCAOB and
the independence rule of the SEC.
With respect to the timing of communication of violations to the
individual assigned operational responsibility for the firm's
compliance with applicable ethics and independence requirements, the
quality objective states that such actions should take place on a
timely basis. One firm agreed that timely communication of ethics and
independence related matters within the firm is important for audit
quality, but expressed concern that the prescriptive nature of the
requirements addressing communications may detract from the achievement
of the intended objectives. The firm suggested that it is important to
recognize that the evaluation of certain matters would be done in
accordance with the firm's policies and procedures, which are designed
to strike a balance between prematurely alerting individuals to matters
for which the facts and potential impacts are not sufficiently known
and making sure those with ultimate responsibility for decisions are
made aware on a timely basis. The final standard does not specify that
all violations need to be communicated immediately. However, the Board
believes timely communication and action should be sufficiently prompt
to achieve its objective. In some cases, for example, where there is a
high risk of a severe or pervasive problem, communication and action
may have to be immediate to be timely.
b. Ethics and Independence Specified Quality Responses (QC 1000.32-.36)
The specified quality responses are primarily based on existing
PCAOB ethics and independence requirements and SEC independence
requirements,

[[Page 49635]]

including the provisions regarding independence quality controls that
currently apply to SECPS member firms.\204\ The Board incorporated
these SECPS member requirements into QC 1000, with some refinements,
and extending those requirements to all firms. The Board's view is that
the SECPS requirements address matters that are generally relevant to a
QC system operating over compliance with SEC and PCAOB independence
rules. Since those rules apply to all firms that perform engagements
for issuers and broker dealers, the Board believes it is appropriate to
extend the SECPS requirements to all firms.
---------------------------------------------------------------------------

\204\ See SECPS 1000.46.
---------------------------------------------------------------------------

Under the standard, the firm is required to design, implement, and
maintain policies and procedures for the following:
General ethics and independence matters;
Certain specific matters that may reasonably be thought to
bear on independence;
Communication regarding ethics and independence policies
and procedures; and
Mandatory training on ethics and independence.
One firm commented that it generally supports the specified quality
responses and believes that it is appropriate to have the same set of
independence requirements apply for all firms. Another firm suggested
that the specified quality responses are not necessary to achieve the
objectives of QC 1000. Instead of prescriptive specified responses, the
firm suggested that the standard include more specified quality
objectives which would promote scalability and allow for future
adaptations to technological or other innovations. Another commenter
said that the proposal expanded on the independence requirements in a
granular manner and suggested that the details be moved into an
appendix or practice aid or provided as additional guidance to help
reduce differences between QC 1000 and other standard setters. The
specified quality responses for the ethics and independence component
primarily carry forward existing requirements from the PCAOB's QC
standards and extend certain existing requirements to all firms. The
Board believes that the specified quality responses relate to risks
that apply to all firms and therefore should be addressed by all firms.
The Board intends them to be obligations of all firms and have
therefore codified them within the rule text rather than as guidance.
i. QC Policies and Procedures About General Ethics and Independence
Matters (QC 1000.33)
The standard requires the adoption of policies and procedures
regarding general ethics and independence matters, carrying forward
current PCAOB and SEC requirements.
The proposed requirement in QC 1000.33.a did not draw comment and
was adopted as proposed.
The phrase ``may reasonably be thought to bear on independence'' is
used in PCAOB Rule 3526 \205\ and should be familiar to all firms. It
is taken from an independence standard that predates the existence of
the PCAOB,\206\ and, as the Board noted in connection with the adoption
of Rule 3526, it focuses auditors on the perceptions of reasonable
third parties when making independence determinations. It is consistent
with the SEC's general standard on independence.\207\ The firm's
policies and procedures are required to address all matters that may
reasonably be thought to bear on the independence of the firm, firm
personnel, and affiliates of the firm under SEC and PCAOB rules.
---------------------------------------------------------------------------

\205\ See PCAOB Rule 3526 (requiring auditors to describe to the
audit committee relationships that may reasonably be thought to bear
on independence).
\206\ See Independence Standards Board Standard No. 1,
Independence Discussions with Audit Committees. ISB No. 1 was
included in the Board's interim standards until it was superseded by
the adoption of Rule 3526.
\207\ See 17 CFR 210.2-01(b).
---------------------------------------------------------------------------

In addition to the broad concept of matters that ``may reasonably
be thought to bear on independence,'' SEC and PCAOB rules address
certain specific matters that bear on independence. For example, 17 CFR
210.2-01(c) sets forth a non-exclusive list of circumstances that the
SEC considers to be inconsistent with independence.\208\ Such
circumstances include, among others, certain financial relationships,
employment relationships, business relationships, non-audit services,
contingent fees, and circumstances related to partner rotation. PCAOB
rules also list certain prohibited tax transactions and tax services
that would make the firm not independent of its client.\209\
---------------------------------------------------------------------------

\208\ See 17 CFR 210.2-01(c).
\209\ See PCAOB Rule 3522, Tax Transactions; PCAOB Rule 3523,
Tax Services for Persons in Financial Reporting Oversight Roles.
---------------------------------------------------------------------------

The underlying facts and circumstances and relevant requirements
will determine what actions need to be taken by the firm to address a
matter that may reasonably be thought to bear on independence. For
example, in some situations, it will be sufficient to communicate the
matter to the audit committee. In other situations, further action may
be required.
The proposed requirements in QC 1000.33.b-c did not draw comment
and were adopted substantially as proposed.
Integrity and objectivity are important ethical concepts currently
addressed in QC 20.\210\ Under the existing standard, integrity
requires personnel to be honest and candid within the constraints of
client confidentiality, whereas objectivity imposes the obligation to
be impartial, intellectually honest, and free of conflicts of interest.
---------------------------------------------------------------------------

\210\ See QC 20.10.
---------------------------------------------------------------------------

As discussed in more detail below, the Board rescinded the interim
ethics and independence standard, ET 102, Integrity and Objectivity,
and replacing it with a new standard, EI 1000, Integrity and
Objectivity.\211\ QC 1000 includes a reference to that new rule and to
PCAOB Rule 3500T, Interim Ethics and Independence Standards.
---------------------------------------------------------------------------

\211\ See Rescission of ET Section 102; adoption of EI 1000;
related amendments.
---------------------------------------------------------------------------

The final standard clarifies that firm personnel are expected to
demonstrate integrity and objectivity in carrying out all of their
professional responsibilities associated with the QC system and the
performance of engagements. This includes activities ranging from the
design and implementation of the QC system, monitoring and remediation,
and evaluation of the QC system, to training and professional
development; planning, performing, and supervising engagements; and
internal and external communications. The Board also believes that it
is important for the firm's policies and procedures to address
obligations related to integrity and objectivity for associated persons
of the firm, other than firm personnel, who perform work on behalf of
the firm.
The proposed requirement in QC 1000.33.d did not draw comment and
was adopted as proposed.
Establishing a consultation process on independence matters is an
existing concept under SECPS independence requirements. Currently,
SECPS member firms are required to designate a senior-level partner
responsible for overseeing the adequate functioning of the firm's
independence policies and consultation process.\212\
---------------------------------------------------------------------------

\212\ See SECPS 1000.46 (requirement 5).
---------------------------------------------------------------------------

The Board expanded this concept in QC 1000 by covering not only
independence matters, but also ethics matters, and by expressly
requiring the firm's policies and procedures to address the
identification of ethics and independence matters that require
consultation. The Board believes the

[[Page 49636]]

specific focus on identifying matters requiring consultation should
prompt firm personnel and others subject to such requirements to more
effectively identify ethics and independence issues that are new,
challenging, or complex and that would benefit from evaluation by
subject matter experts. The Board applied the requirement to all firms,
not just SECPS member firms.
Under existing SECPS requirements, member firms are required to
establish a monitoring system to determine that corrective actions are
taken on all apparent independence violations reported by firm
personnel.\213\ Under those requirements, the monitoring system should
include procedures to provide reasonable assurance that (i) investments
of the firm and its benefit plans are in compliance with the firm's
policies and (ii) information received from its partners and managers
is complete and accurate. The SECPS requirements do not prescribe
specific activities for the monitoring system, other than stating that
generally it includes auditing, on a sample basis, selected information
such as brokerage statements, or alternative procedures that accomplish
the same objective. One firm requested clarification of whether
auditing, on a sample basis, selected information such as brokerage
statements, will be mandatory under QC 1000. The standard does not
prescribe specific activities to monitor compliance with ethics and
independence requirements and the firm's ethics and independence
policies. This allows scalability based on the firm's size and specific
circumstances. The Board expects that firms that have developed
monitoring systems to comply with SECPS requirements would continue to
use these systems as one aspect of monitoring compliance under the
standard. While auditing brokerage statements is not mandatory under QC
1000, the firm must design, implement, and maintain policies and
procedures to monitor compliance with applicable ethics and
independence requirements and related firm policies and procedures.
Based on the firm's size and specific circumstances, a firm can choose
which monitoring activities are an effective response to meet the
quality objective.
---------------------------------------------------------------------------

\213\ See SECPS 1000.46 (requirement 7.d).
---------------------------------------------------------------------------

With respect to compliance with applicable ethics and independence
requirements by the firm and its affiliates, the Board understands that
firms employ various manual and automated tools for evaluating whether
the firm and its affiliates comply with SEC and PCAOB independence
requirements and the firm's independence policies and procedures. Some
examples of such tools include having a centralized process to monitor
business relationships, establishing an independence confirmation
process that includes detailed guidance and questions related to
independence and prohibited non-audit services, and periodic review of
the completeness and accuracy of information reported on independence
confirmations.
A firm may establish ethics and independence policies and
procedures that are more restrictive than the rules of the SEC and
PCAOB--for example, to comply with requirements of other jurisdictions
or to simplify compliance with SEC and PCAOB requirements by setting
bright-line policies and reducing the range for individual judgment.
Under the standard, the firm's evaluation of compliance covers
applicable ethics and independence requirements as well as the firm's
policies and procedures.
The proposed requirements in QC 1000.33.f were adopted
substantially as proposed.
As previously discussed, QC 1000 includes the existing SECPS
requirement for firms to have policies and procedures that address
independence violations and expands the requirement to cover all firms
and to include ethics violations.
Under the standard, the firm is required to establish policies and
procedures addressing violations and potential violations of ethics and
independence requirements. These types of policies and procedures are
intended to be preventive, detective, and corrective by nature.
The firm's policies and procedures are required to address
identifying conditions, events, relationships, or activities that could
constitute ethics or independence violations involving the firm, firm
personnel, and, with respect to work performed on behalf of the firm,
others subject to such requirements. For example, if a firm or its
network is contemplating a reorganization or restructuring that would
affect the relationships among affiliated firms or other entities,
identifying post-reorganization investment activities as such an
activity could assist the firm in designing and implementing
appropriate policies to prevent independence violations.
With respect to ethics and independence violations that do or could
occur, the firm's policies and procedures are required to address the
taking of preventive and corrective actions to address violations on a
timely basis. Such policies and procedures could specify the
individuals responsible for taking preventive and corrective actions
(at the engagement or firm level), the timing of preventive and
corrective actions, and any potential sanctions against firm personnel
or other individuals for violating ethics and independence
requirements. While one firm supported bringing greater attention and
accountability to the ethics and independence component, it suggested
that the level of prescription may create operational challenges that
could be detrimental to audit quality. Specifically, with regards to
paragraph .33f.(2), the firm commented that ethical or independence
violations may take a variety of forms and that dictating that
preventive and corrective actions must be taken does not promote a
risk-based approach. The standard requires that a firm's policies and
procedures address, with respect to violations and potential
violations, the taking of preventive and corrective actions, as
appropriate. Ethics or independence violations may take a variety of
forms, and therefore the nature and extent of the preventive and/or
corrective actions may also take a variety of forms commensurate to the
severity and pervasiveness of the violation.
The firm's policies and procedures are required to address
reporting of ethics and independence violations. QC 1000 requires that
firm personnel and others performing work on behalf of the firm that
are subject to the ethics and independence requirements report both
their own violations and other violations of which they become aware
that may affect the firm. The Board revised the language in proposed
paragraph .33f.(3) to clarify that the requirement applies to others
performing work on behalf of the firm that are subject to the ethics
and independence requirements.
The standard takes a principles-based approach, which allows each
firm to determine which reporting mechanisms best fit its structure and
address its quality risks. Through the Board's oversight activities, it
has observed that firms employ various mechanisms for firm personnel to
report violations. Some examples include direct communication lines to
an ethics and independence group, designated individuals within the
human resources department or the legal department, and whistleblower
hotlines.\214\ Firms may assess each case individually and involve
appropriate subject matter experts, depending on the nature of the

[[Page 49637]]

violation. Some firms also establish escalation protocols for certain
types of ethics and independence violations (e.g., violations involving
a partner in the firm).
---------------------------------------------------------------------------

\214\ See, e.g., paragraph .29 of QC 1000, discussed above, for
requirements regarding firm processes for addressing complaints and
allegations.
---------------------------------------------------------------------------

In addition, the firm's policies and procedures are required to
address any communications that need to take place as a result of a
violation of ethics and independence requirements. For example, PCAOB
Rule 3526 requires certain communications to the audit committee
regarding matters that are thought to bear on the firm's independence,
including violations of independence requirements.
ii. QC Policies and Procedures About Certain Matters That May
Reasonably Be Thought To Bear on Independence: Restricted Entities,
Independence and Ethics Certifications, and Matters Requiring Audit
Committee Pre-Approval
Under the standard, the firm's policies and procedures on matters
that may reasonably be thought to bear on the independence of the firm
are required to address, among other things, (1) restricted entities,
including the maintenance and dissemination of the list of restricted
entities; (2) independence and ethics certifications; and (3) matters
requiring audit committee pre-approval.
(1) Restricted Entities (QC 1000.34.a-d)
Most of the requirements related to restricted entities come from
existing SECPS member requirements,\215\ which will now apply to all
firms. Under the standard, as under current requirements, restricted
entities include all audit clients (including affiliates of the audit
client) of the firm and affiliates of the firm. One firm commented that
the proposal did not define ``affiliates'' and recommended either
referencing the definition provided in PCAOB Rule 3501 or defining the
term in the standard in a manner similar to Rule 3501. ``Audit
client,'' ``affiliate of the audit client,'' and ``affiliate of the
accounting firm'' are terms defined in existing PCAOB and SEC
rules.\216\ As proposed, paragraph .34 includes a footnote referring to
those definitions.
---------------------------------------------------------------------------

\215\ The SECPS term ``restricted entities'' includes all audit
clients of the firm (and, where applicable, its foreign-associated
firms) that are SEC registrants, along with other entities that the
firm is required to be independent of under the applicable SEC
requirements.
\216\ ``Audit client'' is defined for purposes of SEC rules in
17 CFR 210.2-01(f)(6), and for purposes of PCAOB rules in PCAOB Rule
3501(a)(iv). ``Affiliate of the audit client'' is defined in PCAOB
Rule 3501(a)(ii) as having the same meaning as defined in 17 CFR
210.2-01(f)(4). ``Affiliate of the accounting firm'' is defined in
PCAOB Rule 3501(a)(i) and, for purposes of the Note to paragraph
.34a., ``accounting firm,'' which includes the firm's associated
entities, is defined in 17 CFR 210.2-01(f)(2).
---------------------------------------------------------------------------

Existing SECPS requirements require firms that audit more than 500
SEC registrants to have an automated system to identify investment
holdings of partners and managers that might impair independence.\217\
As proposed, the Board required an automated system for firms that
issued audit reports with respect to more than 100 issuers during the
prior calendar year. The Board understands that firms that audit more
than 500 SEC registrants already have automated systems in place, based
on the SECPS requirements to have an automated system 17 CFR 210.2-
01(d).\218\ Firms that issued audit reports for 100 or fewer issuers
are required to consider whether the system needs to be automated,
taking into account the quality risks and the nature and circumstances
of the firm. For example, a firm with close to 100 issuers and a
significant number of managers and partners may assess timely
identification of personal investments that may impair independence as
a quality risk, and a quality response to address that risk may include
an automated system to help facilitate a more timely relationship-
checking process.
---------------------------------------------------------------------------

\217\ See SECPS 1000.46 (requirement 4).
\218\ 17 CFR 210.2-01(d) provides that a firm's independence is
not impaired solely because a covered person in the firm is not
independent of an audit client, provided the covered person did not
know of the circumstances giving rise to the violation, the
violation was corrected as promptly as possible, and the firm
maintains a quality control system meeting specified standards. 17
CFR 210.2-01(d)(4), describes, for firms that provide audit, review,
or attest services to more than 500 SEC registrants, features
necessary for the firm's QC system to meet the specified standards,
including an automated system to identify investment holdings of
partners and managers that might impair independence.
---------------------------------------------------------------------------

One firm commented that the specified quality response to have an
automated process for identifying direct or material indirect financial
interests is appropriate, and another firm commented that it did not
object to the requirement. However, a firm and a firm-related group
recommended that the PCAOB consider if the existing SEC requirements
are sufficient such that no additional PCAOB requirements are needed,
and several firms commented that the costs of implementing the
requirement would be significant and instead the threshold should be
increased to 500 issuers to be consistent with the SEC requirements.
Some of these firms suggested that the cost may be a potential barrier
to entry for firms approaching the 100-issuer audit client threshold.
One of these firms commented further that some firms that audit over
100 issuers will consider decreasing the size of their practice due to
the associated cost of the requirement. This firm suggested that the
specified quality response be removed and instead, if necessary,
implement a quality objective that firms could address through their
risk assessment process. Several firms suggested that firms that audit
more than 100 but no more than 500 issuers could consider implementing
such a process, but it should not be required. One firm-related group
suggested that the threshold for requiring an automated independence
system be reduced further, given the number of repeated independence
issues among all firms.
One firm expressed concerns with both the proposed requirement in
paragraph .34a.(1) and the suggestion in paragraph .34a.(2) to automate
this process, suggesting that this would be cost prohibitive and firms
should design processes that reflect their respective size,
complexities and risks identified. Another firm commented that firms
subject to the current SECPS requirements have likely invested
significant capital and resources to implement and maintain tools that
enable compliance with those requirements, and while the firm views
that investment as worthwhile and believes the procedures have
contributed to audit quality over the years, it expressed concerns for
the cost of the requirement to firms that audit between 100 and 500
issuers. Another firm commented that it has such an automated system in
place, however it suggested that the implementation of such a system
within the timeframe set out in the proposed standard may be
challenging and costly. One firm commented that the determination of
whether or not to implement an automated process for identifying and
tracking direct and material indirect financial interests should be
risk-based and not include a prescriptive requirement based on an
arbitrary count of greater than 100 issuers. The firm specifically
commented that the size, scope, nature, and complexity of firms' issuer
practices can vary significantly among the annually inspected firms,
noting for example that a large portion of its issuer client count
consists of Form 11-K audits and smaller reporting companies. Another
firm commented that while the size of the firm's client base is one
factor to consider in determining an appropriate quality response, the
nature and circumstances of the firm and the firm's clients are also

[[Page 49638]]

factors that should be taken into consideration, as well as the firm
structure, industries served, and number of managers and partners.
Some firms sought clarity as to whether an automated process would
be required for other financial relationships, for example, employment
relationships, business relationships, or non-audit services, and
commented that the identification of certain financial relationships
cannot be easily automated. Instead, the firms suggested limiting the
requirement to automate the process for identifying investments in
securities that might impair independence, to align with the SEC
requirement. A number of firms and a firm-related group requested
clarity on what ``automated'' means and what the Board's expectations
are with regards to the nature, extent and scope of automation.
After consideration of the comments, the Board adopted the 100-
issuer threshold as proposed. The Board believes it is important to
maintain a consistent threshold for the incremental requirements in QC
1000. As discussed in more detail above, the Board believes that the
100-issuer threshold is appropriate, and while the nature of each
firm's audit client list may vary, there still exist complexities
inherent to firms with a large number of issuer audit clients that may
give rise to quality risks that apply to the firm's independence, for
which the automated system would be an appropriate quality response.
The Board clarified in the final standard that the requirement for
an automated process is limited to the process to identify investments
in securities that might impair the independence of the firm or firm
personnel, the same scope as required under 17 CFR 210.2-01(d). The
Board has observed through its oversight activities that some firms
have systems that automate the identification of their professionals'
investment holdings through direct broker feeds, but a direct broker
feed is not the only type of automated process that would meet the
Board's requirement. As discussed in a December 9, 1999, letter from
the SEC's Chief Accountant,\219\ firms need to develop a system that
tracks audit engagements and financial investments held by
professionals such that the conflict verification process is automated.
Such a system may rely on firm professionals accurately self-reporting
and entering their investments into the system in a timely manner.
These holdings would automatically be compared to the list of
restricted entities to identify any relationships with restricted
entities. Based on the size of the firm and other characteristics, a
firm may determine that a direct broker feed is an appropriate quality
response (for example, if the firm's monitoring activities found high
rates of non-compliance by firm personnel with the firm's policies and
procedures for reporting financial investments), but a direct broker
feed is not expressly mandated for firms subject to the requirement to
implement an automated process. The Board also made a change to require
that the process described in paragraph .34a.(1) must be automated to
conform the degree of responsibility that the requirement imposes on
the auditor to that required under paragraph .34.
---------------------------------------------------------------------------

\219\ See Letter From the Chief Accountant: Issues Related to
Independence/Quality Control to SEC Practice Section (II) (Dec.9,
1999), available at https://www.sec.gov/info/accountants/staffletters/calt129a.htm.
---------------------------------------------------------------------------

One firm suggested that a longer transition period be provided for
firms that are not currently subject to a requirement to implement an
automated system. The firm commented that if two firms merged and one
or both of the firms had previously not been subject to the
requirement, it is unlikely that a system of this nature could be
implemented and tested for effectiveness in the time period provided.
The Board believes that firms continuously monitor the size of their
audit practice relative to the 100-issuer threshold, and if a firm is
considering a transaction such as a merger that would increase its
number of issuer audit clients significantly, then the firm could begin
to implement such a system in advance of the end of the calendar year
in which the firm first surpasses the 100-issuer threshold. Indeed, for
a transaction such as a merger of audit firms, the Board believes that
there could exist specific risks to independence as a result, which in
itself may result in a firm developing an automated system as a quality
response.
Current SECPS requirements require timely (generally monthly)
communication of additions to the Restricted Entity List.\220\ The
proposal contemplated requiring that firms have policies and procedures
for maintaining and making available the list of restricted entities to
firm personnel and others performing work on behalf of the firm who are
subject to independence requirements, and updating and communicating
changes to the list of restricted entities at least monthly to such
persons.
---------------------------------------------------------------------------

\220\ See SECPS 1000.46 (requirement 5).
---------------------------------------------------------------------------

Several firms and a firm-related group suggested the specified
quality response be replaced with a quality objective regarding updates
to and awareness of changes in the restricted entity list. Two of these
firms suggested that the requirement be amended to limit communications
to additions to the restricted entity list. Another firm suggested
communications be limited to firm personnel subject to independence
requirements and the requirements should allow for flexibility in the
nature, timing, and extent of communications. QC 1000 does not enlarge
the population of individuals who are subject to ethics and
independence requirements. References in the standard to
``requirements'' and ``obligations'' are to existing requirements and
obligations which themselves specify to whom they apply. In addition,
after consideration of the comments received, the Board amended the
standard to limit the required communications to additions to the list
of restricted entities, rather than all changes.
Some firms did not support this communication to ``others
performing work on behalf of the firm,'' and suggested that
communications should be limited to potential covered persons affected
by the additions. Two of these firms commented that these individuals
would likely not be considered covered persons for engagements other
than the engagement they are working on, and suggested that the Board
allow firms to take a risk-based approach when determining the scope
and frequency of the communications. Another firm suggested that QC
1000 does not need to specifically address certain communications to
other participants where this is required by another standard,
specifically AS 2101 (as in effect for audits of fiscal years ending on
or after December 15, 2024) paragraph .06D, which includes a ``written
description of all relationships between the other auditor and the
audit client of persons in financial oversight roles at the audit
client that may reasonably be thought to bear on independence. Another
firm commented that the goal of alerting others performing work on
behalf of the firm to specific engagement independence requirements
could be achieved through engagement-specific independence
certifications.
After consideration of the comments received, the Board amended the
standard to require at least monthly communication of additions to the
list of restricted entities to firm personnel and others performing
work on behalf of the firm whose relationships and arrangements with
such additional restricted entities may reasonably be thought to bear
on the independence of

[[Page 49639]]

the firm. The Board believes that it is appropriate to limit
communications of additions to the list of restricted entities to firm
personnel and others performing work on behalf of the firm to those
additions that could reasonably be thought to bear on the independence
of the firm. For example, additions to the affiliate list for an issuer
would be relevant for an individual who is performing work on behalf of
the firm on that issuer, or a partner who is located in the same office
of the firm in which the lead audit engagement partner primarily
practices in connection with the audit. This communication should be
made as frequently as necessary, and on an at least monthly basis,
through the period that the individual is subject to the independence
requirements.
Several firms and a firm-related group commented that the
requirement to communicate the restricted entity list would not be more
effective than the automated systems already in place at larger firms.
Two firms also commented that smaller firms with infrequent changes to
the restricted entity list may not need to communicate changes monthly.
One of these firms suggested that many firms already have policies
where individuals are required to review the restricted entities list
prior to purchasing stock/during proposal/acceptance procedures to
determine whether an independence conflict would exist, and that many
firms also make those restricted lists readily available to employees
as part of their current QC systems. The Board believes, and has
observed through its oversight activities, that such automated systems
may not fully mitigate quality risks associated with the timely
reporting of financial relationships by firm personnel, for example, if
the automated system is not equipped to identify certain financial
relationships, or if the firm is reliant on its professionals making
timely reporting of these relationships into the firm systems. The
Board believes that requiring the communication of additions to the
list of restricted entities to firm personnel whose relationships and
arrangements with such additional restricted entities may reasonably be
thought to bear on the independence of the firm on an at least monthly
basis may prompt firm personnel to report a previously unreported
relationship. If there are no additions, there is no required
communication.
One firm commented that it is unclear whether communication is
intended to mean a distributed communication (e.g., email of the
updated list) or communication can be made available (e.g., a website
that hosts such list and is readily available to access). Some firms
may decide to communicate updates to the list of restricted entities on
a more frequent basis, as changes are being made, or in more targeted
ways (such as to particular offices or engagement teams). The standard
does not prescribe the method of communication. Through the Board's
oversight activities, it have observed that some firms comply with
existing SECPS requirements by communicating additions to the list of
restricted entities to all firm personnel weekly via email. These firms
could continue that practice to comply with the standard. However,
other methods that result in an effective communication may also be
acceptable; for example, a firm might communicate that there have been
additions to the list of restricted entities via email, and include
within the email a link to an accessible website-hosted list of
additions.\221\ While the standard requires communications of additions
to those individuals whose relationships and arrangements with such
additional restricted entities may reasonably be thought to bear on the
independence of the firm, the firm may choose to extend the
communications of additions more broadly. In addition, if the firm
communicates additions to less than all firm personnel, then the firm
must have correctly identified the group of people whose relationships
and arrangements with such additional restricted entities may
reasonably be thought to bear on the independence of the firm.
---------------------------------------------------------------------------

\221\ Firms are required to communicate additions to the list of
restricted entities. For periods where there were no changes, no
such communication would be required.
---------------------------------------------------------------------------

The standard does not prescribe a specific process for maintaining
and making available the list of restricted entities to firm personnel
and other individuals. Firms are able to determine the specific methods
and tools needed to keep the list of restricted entities up to date and
to ensure that any additions are communicated on a timely basis to firm
personnel and other individuals. This determination is based on factors
such as the size of the firm, the number of audit clients, and the
complexity of those clients (e.g., the number of audit client
affiliates). For example, a smaller firm with a small group of
professionals, a stable portfolio of audit clients, and a manual
process for maintaining the list of restricted entities may decide to
communicate changes monthly. For a larger firm with many audit clients
and firm affiliates, an automated tool could help facilitate more
frequent updates to the list of restricted entities. The firm is
required to notify relevant professionals of additions to the list at
least monthly.
The Board recognizes that some firms are members of networks that
may develop systems, processes, and controls to monitor network firms'
compliance with independence requirements, including maintaining a
database of restricted entities. As described above, the standard does
not prescribe a specific process for maintaining a database of
restricted entities, so this process could potentially be performed by
a network or outsourced to a third party. At the same time, the
standard requires each firm to establish its own quality objective,
which places responsibility on the firm with respect to resources or
services provided by the network or a third-party provider.\222\
---------------------------------------------------------------------------

\222\ See below for a discussion of the firm's responsibilities
when it uses resources or services provided by a network or third-
party provider.
---------------------------------------------------------------------------

The Board incorporated into QC 1000 the existing SECPS requirements
for firm personnel \223\ to review the list of restricted entities
prior to obtaining any security or other financial interest in an
entity, but with the following refinements:
---------------------------------------------------------------------------

\223\ SECPS requirements use the term ``professionals,'' which
means professional staff, including partners. See SECPS 1000.46
(requirement 1.a).
---------------------------------------------------------------------------

Require firm personnel to review the list of restricted
entities, not only before they or their relevant family members \224\
obtain a direct or material indirect financial interest in an entity or
enter into a direct or material indirect relationship with an
entity,\225\ but also after additions to the list of restricted
entities are communicated by the firm, upon firm personnel's employment
at the firm, prior to changes in position (e.g., going into a chain of
command or other covered person role \226\), and prior to entering into
or modifying any business or employment relationships.
---------------------------------------------------------------------------

\224\ Context determines which family members would be relevant.
See, e.g., 17 CFR 210.2-01(f)(9) (defining ``close family
members''); 17 CFR 210.2-01(f)(13) (defining ``immediate family
members''); see generally 17 CFR 210.2-01(c) (referring to ``close
family member'' or ``immediate family member'' depending on the
context).
\225\ The Board is using the terms direct and material indirect
in the same sense as 17 CFR 210.2-01(c).
\226\ ``Covered persons in the firm'' is defined in 17 CFR
210.2-01(f)(11).
---------------------------------------------------------------------------

Require the firm and firm personnel to take required
actions on a timely basis if the review of the list of restricted
entities indicates that action is required under applicable
professional and legal requirements or the firm's policies and
procedures.
Under this approach, the firm's policies and procedures will
require

[[Page 49640]]

that the list of restricted entities be reviewed before the firm enters
into any relationship, engagement to perform non-audit services, or fee
arrangement that might affect compliance with independence
requirements. This requirement serves the same purpose as review of the
list of restricted entities by the firm personnel and helps the firm to
identify relationships that may result in noncompliance with applicable
professional or legal requirements.
One firm commented that, rather than requiring that the list of
restricted entities be reviewed before the firm enters into any
relationships, engagements to perform non-audit services, or fee
arrangements that might affect compliance with independence
requirements, firms should be permitted to develop quality responses to
identify prohibited relationships and fee arrangements that
appropriately respond to quality risks, based on the firm's facts and
circumstances. The firm also suggested that the requirement for firm
personnel to review the list of restricted entities after changes to
the list are made should be deleted since firm personnel would already
be notified of changes based on paragraph .34b. The Board believes
these specified quality responses are appropriate and should be
addressed by all firms, regardless of the specific facts and
circumstances of the firm. In addition, the Board views the
requirements of paragraph .34b for the firm to maintain and make
available the list of restricted entities, and paragraph .34d for firm
personnel to review the list of restricted entities, as separate.
(2) Independence and Ethics Certifications (QC 1000.34.e)
Certifications are intended to drive greater accountability for
firm personnel's compliance with independence requirements and to deter
independence violations. The certification requirement is similar to an
existing SECPS requirement, which requires each professional to certify
near the time of initial employment and at least annually thereafter
that he or she (1) has read the member firm's independence policies,
(2) understands their applicability to his or her activities and those
of his or her spouse and dependents, and (3) has complied with the
requirements of the member firm's independence policies since the prior
certification.\227\
---------------------------------------------------------------------------

\227\ See SECPS 1000.46 (requirement 7.b).
---------------------------------------------------------------------------

The proposal contemplated obtaining certifications from firm
personnel regarding familiarity and compliance with SEC and PCAOB
independence requirements and the firm's independence policies and
procedures (1) upon employment, (2) at least annually thereafter, and
(3) upon any change in personal circumstances, such as firm role,
geographic location, or marital status, that is relevant to
independence.
Several commenters, including firms, did not support the
requirement to obtain additional certifications upon changes in
personal circumstances, and three firms raised practical concerns when
the changes involved marital status. One firm suggested that the
standard should emphasize that a firm's independence certification
process should consider timeliness in addressing the quality objective,
and instead encourage firms to consider the appropriateness of
obtaining periodic certifications throughout the year. One firm
commented that a firm should have flexibility to determine its own
policies and procedures for certifications beyond requiring them at
employment and annually thereafter; the firm suggested that, for
example, quarterly certification accompanied by training on the impact
of life events may be more effective and practicable than event-driven
review and certification. Another firm recommended that firms be
allowed to develop their own quality responses based on their own
unique quality risks when personal circumstances change rather than
requiring certification upon changes in personal circumstances as a
quality response. Another firm suggested that this requirement should
instead be managed through proper education and awareness of relevant
independence requirements. Another firm suggested that these items
would be better suited as examples of considerations included in
implementation guidance. One firm suggested that the certification
requirements should be applicable for firms with over 500 issuers that
already have an automated independence system. The firm further
commented that the requirement is onerous in terms of being able to
identify the data on a timely basis and suggested a semi-annual
representation period instead of circumstance-driven.
In addition, the proposing release sought feedback on whether the
standard should require annual written certification regarding
familiarity and compliance with ethics requirements and the firm's
ethics policies and procedures, in addition to those regarding
independence. The proposing release further asked whether firms should
be required or encouraged to adopt firm-wide codes of ethics or similar
protocols. One firm did not support a specific quality response that
includes a certification process for ethics requirements and
procedures. The firm suggested that firms should be permitted to adopt
a quality response that addresses the risks within their own practice,
and that a certification requirement that applies to all firm practice
staff could turn into a ``check-the-box'' compliance exercise that
would not benefit audit quality. One firm commented that such
requirements would already be addressed by the requirement for
mandatory training in paragraph .36. Other commenters, including firms,
investors, and investor-related organizations, supported the
requirement to obtain a written annual certification regarding
familiarity and compliance with ethics requirements and the firm's
ethics policies and procedures. One of these investors commented that
the main argument against such certifications is that it imposes a cost
and that it becomes a ``tick-the-box exercise,'' but in the investor's
view the cost is de minimis given other annual declarations needed by
firm personnel, and firm leadership can send an appropriate signal by
embracing the ethics code to stop such annual declarations becoming a
perfunctory exercise. One firm and an investor-related organization
supported a requirement that firms should adopt firm-wide codes of
ethics.
After consideration of the comments received, the Board made two
changes to the final standard. First, the Board removed from the
standard the requirement to obtain a certification from firm personnel
regarding familiarity and compliance with SEC and PCAOB independence
requirements and the firm's independence policies and procedures upon
any change in personal circumstances, and replaced this with the
requirement that such a certification must be obtained for any change
in professional circumstances that is relevant to independence. Rather
than include examples of such changes in the text of the standard, the
Board provided in this release some examples of changed professional
circumstances that may be relevant to the independence of the firm's
personnel under applicable independence rules. These examples include
changes within the firm such as promotions, moving offices, or changing
practice groups (e.g., changes to covered person status). Although, in
connection with this change, the Board removed a certification
requirement with regard to changes in personal circumstances, such
changes can have independence implications under SEC and PCAOB

[[Page 49641]]

independence requirements, and a firm's QC system must provide
reasonable assurance of compliance with those requirements. Secondly,
the Board added a requirement for certification by firm personnel
regarding familiarity and compliance with the applicable ethics
requirements and the firm's ethics policies and procedures as the Board
believes such certification will enhance individual accountability and,
ultimately, compliance. The Board not added a requirement for firms to
adopt a firm-wide code of ethics or similar protocol, because it
believes that firms should have flexibility to determine whether this
would assist them in meeting the relevant quality objectives.
The standard does not prescribe a checklist of specific content for
the certifications, focusing instead on general concepts of familiarity
and compliance. It is possible that the form of certification called
for by the existing SECPS requirement would satisfy the standard. In
addition, the standard expands on the existing SECPS requirement by
requiring firms to obtain certifications every time firm personnel have
a change in professional circumstances that is relevant to
independence, such as a change in role or geographic location. Changes
within the firm such as promotions, moving offices, or changing
practice groups may have consequences under independence rules (e.g.,
changes to covered person status) and result in noncompliance. The
Board continues to believe that a specified quality response requiring
specific event-driven independence and ethics certifications
appropriately considers timeliness in addressing the quality objective
and applies to quality risks that exist in all firms.
(3) Matters Requiring Audit Committee Pre-Approval (QC 1000.34.f)
The proposed requirement did not draw comment and was adopted as
proposed. QC 1000 contains a new requirement regarding firm policies
and procedures for identifying matters that require pre-approval by the
audit committee and obtaining such approval. The primary responsibility
for identifying matters that require audit committee pre-approval and
obtaining such pre-approval resides at the engagement level. The firm's
policies and procedures, however, provide tools and guidance that
enable engagement teams to properly identify the relevant matters and
obtain necessary pre-approvals on a timely basis. Through the Board's
oversight activities, it has observed numerous instances where firms
did not have an effective mechanism in place for monitoring whether
matters that require audit committee pre-approval were properly
disclosed to audit committees. The new requirement should lead to more
consistent compliance.
iii. Communication of Changes to Ethics and Independence Policies and
Procedures (QC 1000.35)
The proposed requirement did not draw comment and was adopted as
proposed. The final standard incorporates existing SECPS requirements
regarding the dissemination of the firm's independence policies and
procedures and expands the requirements to cover ethics policies and
procedures.
When deciding how to make ethics and independence policies and
procedures available, firms would consider how to make firm personnel
and others performing work on behalf of the firm aware of where and how
to find these policies and procedures in a way that supports those
individuals' ongoing compliance with certification and other
requirements. The standard requires the firm to communicate any
substantive changes to its ethics and independence policies and
procedures on a timely basis.
iv. QC Policies and Procedures About Mandatory Ethics and Independence
Training (QC 1000.36)
The proposed requirement did not draw comment and was adopted as
proposed.
The standard includes a requirement for mandatory periodic training
on ethics and independence, which expands on the existing SECPS
requirements that cover training on independence. The mandatory
training requirement promotes awareness and understanding of the ethics
and independence requirements, which should lead to better compliance
with such requirements. Under existing SECPS requirements, firms are
required to establish a training program for professionals to complete
near the time of initial employment and periodically thereafter.\228\
---------------------------------------------------------------------------

\228\ See SECPS 1000.46 (requirement 3).
---------------------------------------------------------------------------

The specific content and extent and timing of the training will be
determined by the firm, but the program is required to cover both the
relevant professional and legal requirements (for example, regarding
financial interests, business relationships, employment relationships,
proscribed services, and fee arrangements) and the firm's related
policies and procedures.
By not specifying the content for such mandatory training, the
standard allows firms the ability to develop training programs based on
their circumstances. For example, a firm may develop its training to
place a greater emphasis on areas with recurring ethics and
independence findings across the firm, or it may target specific ethics
and independence findings in different regions. Similarly, the standard
does not specify how the firm would provide such training. A firm may
develop and deliver its own training, contract with others to provide
training, or provide access to third-party training.
Under the standard, the firm is required to provide such training
at least annually, or more often as needed.
2. Current PCAOB Standards
QC 20 provides that policies and procedures should be established
to provide the firm with reasonable assurance that personnel maintain
independence (in fact and in appearance) in all required circumstances,
perform all professional responsibilities with integrity, and maintain
objectivity in discharging professional responsibilities.\229\ The
SECPS member requirements regarding independence quality controls apply
only to certain firms. The requirements for ethics and independence
discussed above are more detailed than the existing requirements in QC
20 and Appendix L of the SECPS and would apply to all firms.
---------------------------------------------------------------------------

\229\ See QC 20.09.
---------------------------------------------------------------------------

Acceptance and Continuance of Engagements

This component addresses the firm's processes when considering
whether to accept or continue an engagement.
1. QC 1000
a. Acceptance and Continuance of Engagements Quality Objectives (QC
1000.38)
The proposal described the quality objectives related to acceptance
and continuance of engagements. Several commenters, including firms,
were generally supportive of the proposed quality objectives.
A commenter on the AS 1000 rulemaking objected to the use of the
term ``client'' in that standard to refer to the company and its
management. The commenter suggested ``company under audit'' instead.
The Board agrees with the commenter that the terminology used in the
PCAOB standards should help to remind auditors that they work for the
benefit of investors, not the management of the company.

[[Page 49642]]

Accordingly, the Board generally replaced references to the ``client''
with references to the ``company'' or eliminated them altogether (for
example, this component, called ``Acceptance and Continuance of Client
Relationships and Specific Engagements'' in proposed QC 1000, is
``Acceptance and Continuance of Engagements'' in the final standard).
The Board, however, retained references to the ``client'' where that
aligns with other rules, such as in the area of independence.
The quality objectives in this component were adopted substantially
in the form proposed, with the exception of the change throughout to
focus on the engagement instead of the client relationship and the
other clarifications discussed below.
Acceptance and continuance of engagements is an aspect of a firm's
compliance and risk management process. Each firm, depending on its
nature and circumstances, may approach acceptance and continuance of
engagements differently. The acceptance and continuance of engagements
process assists the firm in mitigating reputational, business, and
litigation risk. The quality objectives stress the importance of
focusing the acceptance and continuance of engagements process on the
firm's ability to perform an engagement in accordance with applicable
professional and legal requirements.
i. Timing (QC 1000.38.a(1))
The proposed standard required the firm's judgment about whether to
accept or continue an engagement to be made as part of or before
performing preliminary engagement activities. Preliminary engagement
activities, which are activities the auditor should perform at the
beginning of the audit, are described in AS 2101.06.
One commenter stated that the proposed requirement implied that the
judgment was only made during preliminary activities and not throughout
the engagement. The Board clarified the quality objective in paragraph
.38a(1) to specify that the initial judgment is to be made as part of
or before preliminary engagement activities. QC 1000.40, discussed
below, addresses the firm's obligation to continue to address
situations that could have caused it to decline the engagement had the
information been known prior to acceptance and continuance.
ii. Independence and Permissibility of Services (QC 1000.38.a(2)(a) and
(b))
This proposed quality objective did not draw significant comment
and was adopted as proposed.
The firm's ability to perform the engagement includes considering
whether the firm is independent and whether the services are
permissible. These are threshold considerations for acceptance and
continuance, because in general, under PCAOB standards the firm is not
allowed to accept an engagement unless it is independent of the company
for which the engagement will be performed and the services are
permissible under applicable professional and legal requirements
(including obtaining audit committee pre-approval where that is
required).
The firm's policies for acceptance and continuance in the areas of
independence, permissibility of services, and pre-approval relate to
and to some extent overlap with the ethics and independence component.
The requirements in the ethics and independence component more
generally address the ongoing evaluation of compliance with applicable
professional and legal requirements relating to the independence of the
firm, firm personnel, and others subject to such requirements.
iii. Access to Company Information and Company Personnel (QC
1000.38.a.(2)(c))
This proposed quality objective did not draw significant comment
and was adopted substantially as proposed.
The firm's ability to perform an engagement in accordance with
applicable professional and legal requirements depends on the firm's
ability to obtain information from the company and gain access to
individuals at the company who can respond to the firm's inquiries.
Restricted or limited access to company information or personnel--for
example, due to language differences, physical location, or local law
restrictions--could impair the firm's ability to perform the engagement
in accordance with applicable professional and legal requirements.
iv. Resources (QC 1000.38.a(2)(d))
Another aspect of the firm's ability to complete the engagement in
accordance with applicable professional and legal requirements is the
resources available to the firm. The Board believes it is important for
a firm to have the right resources available so that the engagement can
be performed in accordance with applicable professional and legal
requirements. This includes the availability of resources like the
following, either internal or external to the firm:
Firm personnel or other participants with competence to
perform procedures (e.g., industry experience or experience with new or
specialized accounting pronouncements that apply to the company) and
sufficient availability to meet audit timing requirements;
Engagement partners;
Specialists;
EQRs;
Technology to be used in the performance of the
engagement, such as technology for testing the implementation and
effectiveness of automated processes; and
Intellectual resources needed in the performance of the
engagement (e.g., industry-specific audit programs).
One commenter suggested that consideration should be given to the
availability of industry-specific resources at the partner and manager
level and the Board agrees that industry-specific resources are
important in certain audits. However, the Board believes that issue is
adequately addressed by the general reference to ``resources to perform
the engagement,'' which includes industry-specific resources where
those would be needed. The Board adopted this quality objective as
proposed.
v. Other Relevant Factors (QC 1000.38.a(2)(e))
This proposed quality objective did not draw comment and was
adopted as proposed.
The firm's ability to perform engagements in accordance with
applicable professional and legal requirements may also be affected by
other factors associated with providing professional services in the
particular circumstances. Accordingly, the standard, by directing firms
to consider such other relevant factors, retains the breadth and
inclusiveness of QC 20.15b, which requires the firm to establish
policies and procedures to provide reasonable assurance that the firm
appropriately considers the risks associated with providing
professional services in the particular circumstances.
v. Information About the Nature and Circumstances of the Engagement,
Including the Integrity and Ethical Values of the Company (QC
1000.38.a(3))
In order for the firm to make appropriate judgments about whether
to accept or continue an engagement, the

[[Page 49643]]

firm needs to obtain sufficient information about the nature and
circumstances of the engagement (e.g., the nature of the company and
the environment in which it operates) and the integrity and ethical
values of the company, including its management and audit
committee.\230\ This information is relevant because it can help
identify potential risks to performing the engagement that may result
in the firm not being able to perform the engagement in accordance with
applicable professional and legal requirements. The nature and
circumstances of the engagement may, for example, reveal the need for
specialized expertise that the firm does not have. A lack of management
integrity may affect the reliability of the company's accounting
records. Designing and implementing policies and procedures that direct
and standardize the collection and evaluation of such information could
help the firm in consistently making appropriate judgments about
whether to accept or continue an engagement. Additionally, information
obtained during the firm's acceptance and continuance process about the
nature and circumstances of the engagement and the integrity of
management and the audit committee would in many cases be relevant when
planning and performing the engagement.\231\
---------------------------------------------------------------------------

\230\ For a prospective engagement, this includes evaluating
information obtained from a predecessor firm. See generally, e.g.,
AS 2610, Initial Audits--Communications Between Predecessor and
Successor Auditors.
\231\ See, e.g., AS 2110.41-.45.
---------------------------------------------------------------------------

One commenter requested clarification of whose integrity and
ethical values are relevant to the consideration of ``the integrity and
ethical values of the company (including management and the audit
committee)''--for example, whether consideration could be limited to
the audit committee chair. Since members of management and the audit
committee all have influence over the company's financial reporting,
the Board believes their integrity and ethical values are important to
the judgment of accepting or continuing an engagement. Therefore,
consistent with the proposal, the final standard does not include such
a limitation.
The quality objective in QC 1000.38.b retains the concept in QC
20.16 of having policies and procedures regarding obtaining an
understanding with the company about the engagement and aligns with
similar requirements under PCAOB auditing and attestation
standards.\232\ Achieving this objective should minimize the risk of
misunderstandings regarding the nature and scope of the engagement and
any limitations associated with it.
---------------------------------------------------------------------------

\232\ See paragraph .05 of AS 1301, Communications with Audit
Committees, and paragraph .46 of AT Section 101, Attest Engagements.
---------------------------------------------------------------------------

c. Acceptance and Continuance of Engagements Specified Quality Response
(QC 1000.39-.40)
The proposal included a specified quality response regarding
policies and procedures to address situations where the firm learns of
information that would have caused it to decline a previously accepted
engagement. Two commenters were generally supportive of the proposed
specified quality response.
Under this specified quality response, the firm's policies and
procedures are required to address situations in which the firm becomes
aware of relevant contrary information after the firm's decision to
accept or continue an engagement. This contrary information may have
existed at the time of the decision to accept or continue an engagement
but not been known by the firm at the time, or it may have emerged
subsequent to that decision. Depending on the circumstances,
appropriate responses may include such actions as:
Consulting with legal counsel or others within the firm to
determine if the firm is able to continue the engagement;
Discussing the information with management and the audit
committee to determine if the firm is able to continue the engagement;
Including this information in the auditor's risk
assessment procedures so that any additional risks are responded to
during the audit; and
Withdrawing from the engagement and notifying appropriate
regulatory authorities as required under applicable professional and
legal requirements.
One commenter suggested that specific circumstances should require
an immediate reconsideration of client continuance, such as illegal
acts, fraud, or material omissions of fact. Existing auditing
standards, such as AS 1301, include requirements related to evaluating
the continuation of the client relationship. The QC system would
address compliance with these requirements.
Under the proposal, a firm would be deemed to have become ``aware''
of information if any partner, shareholder, member, or other principal
of the firm was aware of such information, the same standard that
applies with respect to the reporting of specified events on Form 3.
One commenter stated that the concept of when a firm becomes ``aware''
should take into account the size and scale of the firm, and the nature
of the matters related to the QC system, suggesting that alignment with
the requirements of Form 3 may be inappropriate because of Form 3's
relatively limited scope compared to the matters addressed by QC 1000.
The Board continues to believe that it would be inappropriate to
differentiate among firm principals in this regard; all firm principals
should be responsible for promptly communicating and acting upon
relevant information. Accordingly, the class of persons whose awareness
is attributed to the firm was not been narrowed.
Another commenter recommended clarifying the timing of when a firm
becomes ``aware'' of information subsequent to accepting or continuing
a client relationship. Footnote 26 of the final standard reflects the
suggested clarification that the firm is deemed ``aware'' of
information when any partner, shareholder, member, or other principal
of the firm ``first becomes aware'' of such information.\233\
---------------------------------------------------------------------------

\233\ This approach aligns with the instructions to Form 3,
under which a firm is deemed aware of reportable facts on the first
day that any partner, shareholder, principal, owner, or member of
the firm first becomes aware of the facts. See Form 3, Note to
Instructions to Part II.
---------------------------------------------------------------------------

2. Current PCAOB Standards
The quality objectives of QC 1000 paragraph .38 do not
fundamentally change a firm's existing responsibilities regarding
acceptance and continuance decisions under QC 20.\234\ The quality
objectives expand on the requirements in QC 20 with regard to
considering the necessary information and making appropriate judgments
about the associated risks and the firm's ability to mitigate those
risks and perform an engagement in accordance with applicable
professional and legal requirements.
---------------------------------------------------------------------------

\234\ See QC 20.14-.16.
---------------------------------------------------------------------------

Engagement Performance

This component addresses the firm's processes relating to the
performance of the firm's engagements in accordance with applicable
professional and legal requirements. Engagement performance encompasses
the activities of firm personnel and other participants in all phases
of the design and execution of the engagement--planning, performing,
supervising, and documenting the engagement; conducting an engagement
quality review; and making

[[Page 49644]]

communications regarding the engagement.\235\ In order for the firm to
consistently deliver compliant engagements, including when performing
work on other firms' engagements, firm personnel and other participants
need to understand and fulfill their responsibilities in accordance
with applicable professional and legal requirements.
---------------------------------------------------------------------------

\235\ See QC 20.18.
---------------------------------------------------------------------------

1. QC 1000
The proposal described the quality objectives for the engagement
performance component and asked if there should be any specified
quality responses for this component. Firms that commented were
generally supportive of the proposed quality objectives. Two commenters
wanted clarity on why some concepts in auditing standards were or were
not included in QC 1000. One of these commenters, an investor-related
group, suggested the standard address certain areas like fraud
protection, crypto assets, climate change, and critical audit matters.
The Board believes these areas are engagement-level specific, whereas
QC 1000 focuses on the firm-level controls over engagement
responsibilities. Commenters, including firms and related groups, were
also supportive of not providing specified quality responses in this
component. The Board adopted these provisions substantially as
proposed.
Under QC 1000, a firm is required to establish quality objectives
for the engagement performance component in the following areas:
Engagement responsibilities;
Consultations and differences in professional judgment;
and
Engagement documentation.
a. Engagement Responsibilities (QC 1000.42.a)
This proposed quality objective did not draw comment and was
adopted as proposed.
The standard uses the term ``engagement partner'' with its existing
meaning under PCAOB audit and attestation standards: the member of the
engagement team \236\ with primary responsibility for the audit,
examination, or review, as the case may be.\237\ The definition of
``engagement'' under QC 1000, under which substantial role work is
defined as an engagement, does not change the meaning of engagement
partner or affect the responsibilities of individuals involved in
substantial role engagements. No comments were received on the use of
this term.
---------------------------------------------------------------------------

\236\ The term ``engagement team'' is used as defined in the
amendments to AS 2101, Audit Planning, adopted in PCAOB Rel. No.
2022-002, which takes effect for audits of financial statements for
fiscal years ending on or after Dec. 15, 2024.
\237\ See AS 1201.A2; AT No. 1 at paragraph .07 note; AT No. 2
at paragraph .06 note. AT 101 uses the term ``practitioner with
final responsibility for the engagement,'' which the Board construes
as having the same meaning.
---------------------------------------------------------------------------

i. Responsibilities of the Engagement Partner (QC 1000.42.a(1))
The engagement partner is responsible for the engagement and its
performance, including managing and achieving consistent compliance
with applicable professional and legal requirements on the engagement.
This quality objective focuses firms on partner involvement throughout
the engagement, including appropriately supervising firm personnel and
other participants.\238\
---------------------------------------------------------------------------

\238\ See generally, e.g., AS 1201.
---------------------------------------------------------------------------

ii. Due Professional Care (QC 1000.42.a(2)(a))
Due professional care means acting with reasonable care and
diligence, exercising professional skepticism, acting with integrity,
and complying with applicable professional and legal requirements.\239\
In the context of engagement performance, professional skepticism is an
attitude that includes a questioning mind and critical assessment of
audit evidence and other information that is obtained to comply with
PCAOB standards and rules. Exercising professional skepticism improves
the quality of judgments made while performing the engagement and is
key to performing an engagement in good faith and with integrity. PCAOB
oversight activities have suggested that the lack of professional
skepticism contributes to some of the QC deficiencies identified during
PCAOB inspections.\240\ As an example, a firm's policies and procedures
did not provide reasonable assurance that engagement partners
supervised engagements with due professional care, which contributed to
the failure to identify deficiencies in those engagements.
---------------------------------------------------------------------------

\239\ The general principles and responsibilities of the auditor
when conducting an audit, including professional skepticism and due
professional care, are being reaffirmed and combined in AS 1000, as
adopted. See Auditor Responsibilities Release.
\240\ See, e.g., 2022 Broker-Dealer Inspection Report, at 31.
---------------------------------------------------------------------------

The quality objective related to due professional care, including
professional skepticism, enables appropriate conclusions to be reached
that are supported by sufficient appropriate evidence.\241\
---------------------------------------------------------------------------

\241\ See Roles and Responsibilities above.
---------------------------------------------------------------------------

iii. Supervision (QC 1000.42.a.(2)(b))
Proper supervision aims to ensure that work is performed as
directed and supports the conclusions reached.\242\ The quality
objective emphasizes the importance of firm personnel and other
participants being supervised properly, consistent with AS 1201 and AT
No. 1.
---------------------------------------------------------------------------

\242\ See AS 1201.02.
---------------------------------------------------------------------------

iv. Reporting and Other Communications (QC 1000.42.a(3))
PCAOB standards and rules impose a number of requirements relating
to reporting and communicating the results of the engagement.\243\ The
engagement report and communications to the audit committee are
typically prepared at the engagement level and may include information
provided by the firm. For example, the firm may provide information
related to independence to be communicated in accordance with PCAOB
Rule 3524 or PCAOB Rule 3526. This quality objective emphasizes the
importance of auditor reporting and communication in accordance with
applicable requirements.
---------------------------------------------------------------------------

\243\ See generally, e.g., AS 3101, The Auditor's Report on an
Audit of Financial Statements When the Auditor Expresses an
Unqualified Opinion; AS 2201.85-.89; AS 1301; paragraphs .34-.38 of
AT No. 1; and AT 101.63-.90.
---------------------------------------------------------------------------

b. Consultations and Differences in Professional Judgment (QC
1000.42.b-.c)
Consultations are an important aspect of engagement performance, as
they provide a mechanism to discuss and resolve complex, unusual, or
unfamiliar matters with individuals who have the requisite knowledge,
skill, and ability. Under current PCAOB standards, QC 20.19 highlights
the significance of consultations, requiring appropriate policies and
procedures. The quality objective should drive firms to continue to
focus on the importance of consultation and resolution before the
issuance of an engagement report.
The quality objective in the proposed standard provided that
consultations on complex, unusual, or unfamiliar accounting and
auditing matters are undertaken with qualified individuals from within
or outside the firm.
One commenter suggested that the standard require firms to adopt
policies that identify situations when national office consultation is
required. The Board does not believe it is appropriate to include such
prescriptiveness in the standard, as not all firms have national
offices. Additionally, the quality objective provides that the firm
will identify the risks specific to their

[[Page 49645]]

engagements and determine whether there are specific situations that
always require consultation.
Another commenter said that the reference to ``unfamiliar''
accounting and auditing matters was unclear and was concerned that it
creates an unnecessary level of prescription that will be difficult to
operationalize. The commenter also expressed concern that an unintended
consequence could be that auditors may infer that consultations may
compensate for lack of competence on the engagement team. The final
standard retains the term, consistent with the use of ``unfamiliar'' in
current QC 20.19. It is noted that inclusion of that term in paragraph
.42 does not modify or limit auditor obligations to have the competence
necessary to conduct the engagement established elsewhere in PCAOB
standards.
Differences in professional judgment may occur when there is a
concern or disagreement regarding the application of applicable
professional and legal requirements during the performance of the
engagement. The quality objective underscores the importance of having
and adhering to appropriate procedures for the resolution of
differences in professional judgment during the performance of
engagements such that the firm, firm personnel, and other participants
comply with applicable professional and legal requirements.
The proposed quality objective provided that differences in
professional judgment related to the engagement are brought to the
attention of the individual(s) with responsibility and authority for
resolving such matters and are resolved before the issuance of an
engagement report. One commenter suggested clarifying that if the
engagement partner does not agree with the conclusions arising from the
consultation (addressed above), that would be treated as a difference
in professional judgment that would require compliance with the quality
objective regarding differences of professional judgment. The final
standard clarifies that point.
c. Engagement Documentation (QC 1000.42.d)
This proposed quality objective did not draw significant comment
and the Board adopted as proposed.
AS 1215 contains the general requirements for the documentation the
auditor should prepare and retain in connection with engagements. 17
CFR 210.2-06 also addresses documentation retention requirements.\244\
The quality objective regarding engagement documentation in proposed QC
1000 is meant to drive firms to focus on compliance with these
requirements.
---------------------------------------------------------------------------

\244\ 17 CFR 210.2-06.
---------------------------------------------------------------------------

2. Appendix K Requirements
Existing PCAOB standards (referred to as Appendix K requirements)
require SECPS member firms that are associated with international firms
or networks to seek adoption of policies and procedures by their
associated international firms or network regarding filing reviews,
inspection procedures, and disagreements between the engagement partner
and the reviewer.\245\ As noted in the proposal, the Board believes
that the purposes originally intended to be served by Appendix K have
either been eliminated (through the elimination of the U.S. GAAP
reconciliation) or otherwise addressed (through requirements for
engagement quality review). Accordingly, the Board proposed to not
retain requirements like those in Appendix K.
---------------------------------------------------------------------------

\245\ See SECPS 1000.08(n) (cross-referencing the objectives set
forth in Appendix K, SECPS 1000.45). The types of SEC filings
subject to review under Appendix K are registration statements,
annual reports on Form 20-F and Form 10-K, and other filings that
include or incorporate the foreign associated firm's audit report on
the financial statements of an SEC registrant.
---------------------------------------------------------------------------

The proposal asked whether the PCAOB should eliminate Appendix K
and rely exclusively on a risk-based approach. Commenters had mixed
views regarding the retention of Appendix K requirements. Some
commenters supported the elimination of Appendix K requirements and
reliance on a risk-based approach. Other commenters asserted that the
Appendix K requirements are beneficial and should be retained or made
even more prescriptive. The Board believes it unnecessary to retain the
Appendix K requirements because under the risk-based approach, firms
will have to assess and respond to quality risks including, if
applicable, a relative lack of experience in performing engagements
under U.S. professional and legal requirements.
Some commenters expressed concern that in a risk-based approach, a
person performing a limited review function similar to the current
Appendix K reviewer would be considered part of the engagement team,
while another commenter requested clarification that such a reviewer
would not necessarily be a member of the engagement team. Under QC
1000, the firm's assessment of quality risks will determine the nature
and extent, if any, of additional resources or reviews that would need
to be performed over engagements to ensure compliance with PCAOB and
SEC requirements. In some circumstances, the response might involve
adding one or more additional members to the engagement team. In other
circumstances, the response might involve resources that would not
constitute members of the engagement team because they perform a
contemporaneous quality control function and do not perform audit
procedures or help plan or supervise the audit work.\246\
---------------------------------------------------------------------------

\246\ See PCAOB Rel. No. 2022-002 at A4-5.
---------------------------------------------------------------------------

One commenter expressed concern that reviewers' firms would be
considered ``other accounting firms'' and reviewers' hours would be
included for purposes of Form AP filings. Specific to Form AP filing
requirements, firms should review the Note to Item 3.2 of the Form AP
Instructions regarding the reporting of other accounting firms.\247\
---------------------------------------------------------------------------

\247\ See id. at A3-19.
---------------------------------------------------------------------------

3. Current PCAOB Standards
Under current QC standards, engagement performance covers all
phases of the design and execution of the engagement, and engagement
quality reviews.\248\ QC 20 contains general requirements regarding
engagement performance, including planning, performing, supervising,
reviewing, documenting, and communicating the results of each
engagement; referring to authoritative literature; and consulting with
qualified individuals when appropriate. QC 20 provides that policies
and procedures should be established to provide reasonable assurance
that the engagement is performed in accordance with applicable
professional standards. QC 1000 retains these concepts from the extant
standards.
---------------------------------------------------------------------------

\248\ See QC 20.18.
---------------------------------------------------------------------------

As discussed above, QC 1000 does not contain provisions similar to
the Appendix K requirements that currently apply to former SECPS member
firms.

Resources

This component addresses the firm's responsibilities for obtaining,
developing, using, maintaining, allocating, and assigning resources--
including people, financial, technological, and intellectual
resources--to enable the design, implementation, and operation of the
firm's QC system and the performance of its engagements.

[[Page 49646]]

1. QC 1000
a. Resources Quality Objectives (QC 1000.44)
The proposal asked if the Board's proposed quality objectives for
resources were appropriate. Commenters that responded to this question
generally supported the quality objectives. One commenter suggested
that the risks associated with the resources component are greater and
that a prescriptive approach would be warranted. The Board believes the
combination of quality objectives and specified quality responses
appropriately provides for scalability and prescriptiveness.
Under QC 1000, a firm is required to establish quality objectives
for the resources component in several different areas:
People;
Technological resources;
Intellectual resources; and
Resources from a network or third-party provider.
i. People (QC 1000.44.a-.g)
The quality objectives in QC 1000.44.a-.b are similar to the
personnel management element of quality control addressed in QC 20 and
QC 40, and the Board adopted them as proposed with one change. The
proposed standard included a note that describes what competence
comprises--knowledge, skill, and ability--which is derived from QC
40.04.\249\ Two commenters suggested deleting the last sentence in the
note, which as proposed stated that ``The measure of competence is
qualitative rather than quantitative . . .,'' on the basis that it
would discourage the use of quantitative performance metrics. The Board
believes that QC 40 should be understood as saying, not that
quantitative measures are wholly irrelevant, but that competence is not
measured exclusively on a quantitative basis because quantitative
measurement alone may not accurately reflect the nature of experience
gained over time. The note in the final standard has been revised to
clarify that competence can be measured both qualitatively and
quantitatively.
---------------------------------------------------------------------------

\249\ See QC 40.04 (competencies are not measured by periods of
time because such quantitative measurement may not accurately
reflect the kinds of experiences gained in any given time period).
---------------------------------------------------------------------------

These two quality objectives work together in addressing competence
from the perspective of both the firm and individual. The firm and its
personnel have responsibilities for developing and maintaining
competence that will support the operation of the firm's QC system and
the performance of the firm's engagements in accordance with applicable
professional and legal requirements and the firm's policies and
procedures.
Understanding the competence needed to carry out responsibilities
for the operation of the firm's QC system and the performance of the
firm's engagements assists a firm in identifying its personnel needs.
This understanding also assists a firm in identifying areas for
personnel development. Competence can be developed through an
appropriate combination of education, professional experience in
accounting and auditing with proper supervision, and training such as
CPE.
A commitment to quality can be demonstrated through a person's
actions and behaviors, including consistent adherence to firm policies
and procedures, demonstrating key professional attributes like
objectivity, integrity, and due professional care, and taking the
initiative to develop and maintain competence. Conversely, a lack of
commitment to quality can be seen through actions and behaviors such as
inconsistent compliance with professional standards, cheating on
professional development and compliance exams, or a ``check the box''
approach to professional development.
The quality objectives in QC 1000.44.c-.e address the assignment of
firm personnel and individuals who are other participants, in the
firm's engagements, QC roles, and other firms' engagements. As
discussed previously, the firm's people resources may include firm
personnel (generally, employees of the firm) or resources from outside
the firm (other participants). For example, EQRs or personnel at
service centers may be considered either firm personnel (if employed by
the firm or functioning as firm employees) or other participants (if
contracted by the firm).\250\ One commenter was concerned that the
inclusion of other participants in the firm's QC system may create
cross-jurisdictional legal issues, such as employment information that
may be protected by privacy laws. The Board believes it is important
for the QC system to assess the competence of other participants, which
may include having policies and procedures on what to do if the firm is
unable to make such assessment due to legal issues. One commenter
mentioned that the responsibilities related to the use of specialists
engaged by the firm, other auditors, and internal auditors providing
direct assistance are addressed in existing auditing standards as
engagement team responsibilities and are not needed within this quality
objective. While it is acknowledged that there are auditing standards
that address those topics at the engagement level, the quality
objectives relate to the firm's processes for assigning the appropriate
individuals to engagements and QC activities.
---------------------------------------------------------------------------

\250\ See QC 1000.A5 and .A7.
---------------------------------------------------------------------------

One commenter emphasized the need for firm resources to have time
to fulfill their assigned responsibilities. Another commenter suggested
a prescriptive approach to human capital management, including
monitoring assignments and time requirements, utilization, and
engagements with high turnover and workloads. Given the wide range of
firms based on their size, scope, and nature of practice, the Board
does not believe prescriptive requirements in this area are
appropriate. The Board clarified paragraphs .44c and .44e by adding
``needed'' to the quality objective to increase the focus on sufficient
competency, objectivity, time, and when appropriate, the authority
needed to fulfill their assigned responsibilities. The PCAOB has also
separately proposed new reporting requirements regarding firm and
engagement metrics that, if adopted by the Board and approved by the
SEC, would enhance transparency about, among other things, firms' human
capital management.\251\
---------------------------------------------------------------------------

\251\ See PCAOB Rel. No. 2024-002.
---------------------------------------------------------------------------

The quality objectives focus on three key aspects of the ability to
fulfill the assigned role: competence, objectivity, and time.
Individuals need to have competence to fulfill their assigned roles in
accordance with applicable professional and legal requirements and the
firm's policies and procedures. As previously discussed, both the
individual and the firm play a part in developing a person's
competence. The ability to maintain objectivity is essential to
performing QC activities or engagements; a lack of objectivity may, for
instance, create an unconscious bias that directly affects quality.
Individuals' ability to devote appropriate time to their assignments
also affects quality.
In addition to the competence, objectivity, and time needed to
perform engagement and QC activities, individuals need to have the
requisite authority to perform effectively. In the context of
engagement activities, the auditing standards already provide authority
structures with respect to, for example, supervision and the
responsibilities of the engagement partner, and those standards are
augmented by firm policies on matters such as consultation. For QC
activities,

[[Page 49647]]

the need for appropriate authority is specified in the quality
objective.
The QC 1000.44.f quality objective to comply with the firm's
policies and procedures did not attract comment and was adopted as
proposed.
This quality objective is based on a concept embedded in QC 20:
that firm personnel should adhere to the firm's own standards of
quality. The Board believes that this should remain among the firm's
objectives, and also that it would play an important role in the
operation of the QC system under QC 1000.
The firm's QC-related policies and procedures are essential to the
proper functioning of an effective QC system. By definition, those
policies and procedures are the ``quality responses'' the firm has
designed and implemented to address quality risks. Firm personnel need
to understand those policies and procedures and operate in compliance
with them in order for the QC system to operate as designed and achieve
its objectives. Additionally, firm personnel need to understand and
comply with firm policies and procedures in order for the firm's work
on its own engagements and other firms' engagements to be performed
appropriately.
Evaluations help support and promote the continuous development of
the competence of firm personnel. Some commenters, generally investor-
related groups, suggested the standard address incentives in partner
compensation relative to quality control systems and weight it at least
as much as revenue growth. After considering comments, the Board
revised paragraph .44g to add ``including through compensation plans
and decisions in which quality considerations play a critical part.''
The Board believes this change will prompt firms to appropriately
weight quality concerns in their organization-wide compensation plans
and individual compensation decisions. The Board believes his change,
along with the change to the quality objective in paragraph .25b,
should result in firms giving appropriate weight to quality in
compensation plans and decisions regarding performance for both firm
leadership and firm personnel.
The quality objective contemplates that evaluations should be
performed at least annually. Many firms currently utilize an annual
performance review process in order to facilitate such evaluations. A
firm may have multiple quality responses to address the quality risks
associated with the different types of firm personnel. For example,
non-employee contractors and consultants, who work under the firm's
supervision or direction and control and are considered firm personnel,
may be evaluated through the contracting process to determine whether
the firm should retain them. The quality objective does not specify the
format of or approach to periodic evaluations.
The quality objective in QC 1000.44.g, which refers to
accountability and incentives, is principles-based, and firms will be
able to design and implement incentive systems based upon their nature
and circumstances. The ``appropriate standards of conduct'' identified
in the quality objective include fulfilling engagement and QC
responsibilities with competence, integrity, objectivity, and due
professional care and complying with applicable professional and legal
requirements and the firm's policies and procedures, as described in
paragraph .46 of the standard.
ii. Technological Resources (QC 1000.44.h)
Technological resources cover many aspects that collectively
comprise a firm's technological environment, including information
technology applications, infrastructure, and processes (e.g., firm
processes to manage access to the IT environment, program changes,
changes to the IT environment, or IT operations). Technological
resources may be developed by the firm or obtained, for example, from
the firm's network or a third-party provider.
The nature and extent of the use of technological resources differs
across firms. For example, some audit firms are making significant
investments in technological resources and expanding their use of
technology-based audit tools, such as software used to perform data
analytics or to access information from a distributed ledger. Some
technology facilitates the operation of firms' QC systems, such as
monitoring individual financial investments for purposes of compliance
with independence rules. The availability of ``off-the-shelf''
technological resources continues to evolve, leading to an increase in
firms of all sizes employing technology to assist in operating their QC
systems or planning and performing engagements.
The quality objective in QC 1000.44.h highlights that the proper
use of technological resources, in a manner that enables the operation
of the firm's QC system and the performance of its engagements in
accordance with applicable professional and legal requirements and the
firm's policies and procedures, is the firm's responsibility. The
proposal asked if the quality objective and specified quality responses
related to technological resources provide sufficient direction to
enable the appropriate use of emerging technologies. Commenters that
addressed this question, generally firms, indicated the proposed
quality objectives and specified quality responses provide sufficient
direction. One commenter suggested that the standard does not create
incentives to use technology to improve audit quality.
The technology environment is dynamic, and firms' use of
technological resources will likely continue to evolve in the future.
The Board believes that principles-based standards are more adaptable
to future developments, less likely to become obsolete, and less likely
to discourage the use of emerging technologies. As a result, QC 1000
does not include any prescriptive requirements related to how firms
address emerging technology. Instead, it includes a risk factor to
prompt consideration of technology as part of the firm's risk
assessment process.\252\ Separately, the Board has proposed certain
amendments to PCAOB auditing standards that address certain aspects of
designing and performing audit procedures using technology-assisted
data analysis of information in electronic format.\253\
---------------------------------------------------------------------------

\252\ See paragraph .20a.(1)(e) and Appendix B paragraph .B6 of
QC 1000.
\253\ See Proposed Amendments Related to Aspects of Designing
and Performing Audit Procedures that Involve Technology-Assisted
Analysis of Information in Electronic Form, PCAOB Rel. No. 2023-004
(June 26, 2023).
---------------------------------------------------------------------------

The Board adopted the technological resources quality objective as
proposed. The Board believes the risk-based approach creates incentives
for firms to obtain or develop, implement, maintain, and use
technological resources throughout the firm based on the size and
nature of the firm.
iii. Intellectual Resources (QC 1000.44.i)
The quality objective in QC 1000.44.i related to intellectual
resources did not attract comment and was adopted substantially as
proposed. The Board revised the note to add ``to enable the operation
of the firm's QC system,'' consistent with the quality objective.
Intellectual resources generally include the information the firm
uses to promote consistency in the execution of the firm's QC system
and the performance of engagements. Intellectual resources may be made
available through a variety of media, including via written manuals or
technological resources (e.g., the firm's methodology may be embedded
in the information technology application that enables the operation of
the firm's QC

[[Page 49648]]

system and facilitates the performance of the engagement).
Intellectual resources may be obtained or developed internally, or
acquired externally (for example, a commercially available audit or QC
methodology or a subscription data feed). Regardless of how
intellectual resources are acquired, the firm remains responsible for
ensuring they are fit for purpose and properly implementing and
maintaining them. For example, if a firm acquired its QC methodology
from a vendor, the firm is responsible for choosing a methodology and
implementing it (including appropriately identifying risks and
designing, implementing, and operating appropriate responses) in a way
that enabled the firm's engagements to be properly performed and the
firm's QC system to operate in accordance with QC 1000. If a firm
developed methodology to direct the performance of its engagements in
accordance with applicable professional and legal requirements, and a
new auditing standard were issued after that methodology was
implemented by the firm, the methodology would need to be updated to
properly address the applicable professional and legal requirements.
The quality objective related to intellectual resources in the
final standard is similar to the technological resources quality
objective, as both objectives relate to resources enabling the
operation of the firm's QC system and the performance of its
engagements in accordance with applicable professional and legal
requirements and the firm's policies and procedures.
iv. Resources From a Network or Third-Party Provider (QC 1000.44.j)
In some circumstances, the firm may use resources provided by a
network or a third-party provider. Such resources may include
methodologies, applications, and tools used in the firm's QC system or
the performance of its engagements.
The proposal included a quality objective in QC 1000.44.j related
to the resources provided by a network or a third-party provider. One
commenter requested the objective be broken into two quality
objectives, as a firm's approach to each of these groups may be
significantly different. The Board agrees that a firm's approach to
resources provided by the network may be different from resources
provided by a third-party provider, and that the approach to different
types of third-party providers could also vary. But the Board does not
believe that such differences compel separate quality objectives. A
firm may identify multiple quality risks and develop multiple quality
responses related to a single quality objective.
For example, a firm may use multiple third-party providers for a
variety of different resources, such as an audit methodology provider
or a confirmation intermediary. If these different types of third-party
providers or resources present different risks, the firm would be
required to develop different quality responses. In that scenario, the
firm could have different policies and procedures applicable to
different types of third-party providers and/or different types of
resources. A firm that is not affiliated with a network is not required
to establish a quality objective related to network-provided resources
and therefore would not identify quality risks or related quality
responses.
Notwithstanding that a firm may use resources from a network or a
third-party provider, the firm remains responsible for the use of these
resources in the QC system and performance of its engagements.
Consideration of the nature of the resources provided by the
network or third-party providers, how and to what extent the resources
will be used, and the general characteristics of the third-party
provider will assist the firm in determining whether it needs to
supplement or adapt such resources. For example, the firm may obtain
its methodology from a third-party provider under an arrangement
whereby the third-party provider agrees to update the methodology when
new standards are issued. In this scenario, the firm remains
responsible for verifying that such changes are incorporated into the
methodology and supplementing the methodology if such changes are not
made, so that the firm's resources support its performance of compliant
engagements. As another example, the firm may obtain a service from a
third-party provider that provides a System and Organization Controls 1
(SOC 1) report. The firm would be responsible for verifying that the
controls are designed effectively at the third-party provider and for
designing and implementing any complementary user entity controls
identified in the report.
The firm is also responsible for taking any necessary actions in
using a resource from a network or third-party provider to enable the
resource to function effectively. For example, the network or third-
party provider may need information related to the firm's restricted
entities so that it can facilitate independence confirmations. In
addition, if the firm discovered a problem with the design or operation
of the resource, it may need to communicate such problems to the
network or third-party provider so that the resource can effectively
operate.
b. Resources Specified Quality Responses (QC 1000.45-.51)
The proposal asked if the specified quality responses for resources
were appropriate. Two commenters that addressed this question supported
the specified quality responses. Two other commenters objected that the
specified quality responses were too prescriptive and suggested they be
rewritten as risk-based quality objectives.
One commenter stated that certain of these requirements relate
closely to auditing standards and requested clarity on how QC 1000 is
intended to interact with engagement-related auditing standards. QC
1000 focuses on firm-level controls over compliance with auditing
standards, including those related to engagement performance.
The Board adopted the specified quality responses as proposed, with
one modification suggested by commenters. These specified quality
responses carry provisions from the PCAOB's existing QC standards into
QC 1000 or establish firm-level requirements that align with existing
engagement-level requirements. They also include new requirements that
the Board believes are important to a firm's QC system.
The specified quality response related to appropriate standards of
conduct did not attract comment and was adopted as proposed.
The reference to ``appropriate standards of conduct'' reflects a
number of concepts in existing PCAOB standards, including:
Fulfilling responsibilities with professional competence;
\254\
---------------------------------------------------------------------------

\254\ See, e.g., QC 20.13a, .13b, and .15a.
---------------------------------------------------------------------------

Integrity and objectivity; \255\
---------------------------------------------------------------------------

\255\ See, e.g., QC 20.10.
---------------------------------------------------------------------------

Due professional care (including the exercise of
professional skepticism); \256\ and
---------------------------------------------------------------------------

\256\ The general principles and responsibilities of the auditor
when conducting an audit, including professional skepticism and due
professional care, are being reaffirmed and combined in AS 1000, as
adopted. See Auditor Responsibilities Release.
---------------------------------------------------------------------------

Complying with applicable professional and legal
requirements and the firm's policies and procedures.\257\
---------------------------------------------------------------------------

\257\ See, e.g., QC 20.03.
---------------------------------------------------------------------------

Firm personnel are individually responsible for complying with the
firm's standards of conduct, and the firm's policies and procedures
around these standards of conduct are intended to result in firm
personnel being held accountable for their behavior and actions. This
includes evaluating firm personnel's adherence to such standards

[[Page 49649]]

of conduct, addressing deviations, and holding personnel accountable
for fulfilling their engagement and QC responsibilities, including
through the firm's incentive system. The Board believes the standards
of conduct included in this specified quality response are foundational
to fulfilling not only engagement responsibilities, but also QC
responsibilities.
QC 40 addresses requirements regarding the competencies of
engagement partners and, by extension, EQRs.\258\ The proposed
standard, in QC 1000.47, required that firms' QC policies and
procedures address certain enumerated competencies, as well as other
competencies as necessary in the circumstances. Some commenters
suggested that the competencies identified in proposed paragraph .47a-h
be moved to a quality objective or staff guidance and argued that they
were redundant to the auditing standards. The Board believes that the
competencies in paragraph .47 are applicable to all firms and
accordingly are appropriate as specified quality responses. One
commenter asked for clarification of the expectation of ``including an
understanding of'' and suggested that the standard include
consideration of ``other competencies as necessary in the
circumstances,'' consistent with QC 40.08. The Board believes that
auditors should be familiar with the concept of obtaining an
understanding, and note that the construct of QC 40 is a restrictive
list whereas the list of competencies in this requirement is identified
as ``including'' and not intended to be comprehensive, so the Board
does not believe a reference to other competencies is necessary.
---------------------------------------------------------------------------

\258\ See, e.g., QC 40.08; AS 1220.05.
---------------------------------------------------------------------------

One commenter indicated that the firm would not be in a position to
impose the specific requirements in paragraph .47 on individuals that
are not part of the firm. The Board has narrowed the requirement to
apply only to firm personnel, rather than ``others participating in an
engagement,'' as proposed. It is noted, however, that other quality
objectives, such as those in paragraphs .44c and .44e, continue to
apply with respect to individuals outside of the firm as well as firm
personnel. As discussed in more detail above in the Acceptance and
Continuance of Engagements discussion, the Board also revised
``client'' to ``company'' in paragraph .47.
Paragraph .47 of QC 1000 both expands the required competencies for
engagement partners and requires certain competencies for other firm
personnel in engagement roles commensurate with their responsibilities.
This includes applying existing requirements for engagement partners--
an understanding of, among other things, the importance of exercising
sound judgment, the role of the firm's QC system in the performance of
engagements, and the industry in which the company operates--to
everyone in an engagement role, at a level commensurate with their
responsibilities.
To reflect changes in the environment since the existing QC
standards were issued, the Board required competencies related to
understanding the subject matter of attestation engagements, the
internal control framework and technology used by the company, and the
technological and intellectual resources used in performing engagement
procedures. Regarding technological and intellectual resources, the
Board required an understanding of how and whether it is appropriate to
use these resources in performing the engagement. This specified
quality response does not imply that the engagement partner or other
firm personnel participating on an engagement need to be knowledgeable
about how such resources are developed.
QC 20 provides that policies and procedures are required to be
established to provide the firm with reasonable assurance that
personnel participate in CPE and other professional development
activities that enable them to fulfill responsibilities assigned and
satisfy applicable CPE requirements.\259\ In addition, SECPS member
requirements provide that member firms are required to ensure that (1)
all professionals in the firm residing in the United States, including
CPAs and non-CPAs, participate in at least 20 hours of qualifying CPE
every year and at least 120 hours every three years and (2)
professionals who devote at least 25 percent of their time to
performing audit, review or other attest engagements, or who have the
partner- or manager-level responsibility for the overall supervision or
review of any such engagements, must obtain at least 40 percent (eight
hours in any one year and 48 hours every three years) of their required
CPE in subjects relating to accounting and auditing.\260\
---------------------------------------------------------------------------

\259\ See QC 20.13; QC 40.02, .05.
\260\ See SECPS 1000.08(d), 8000. The SECPS member requirements
provide that ``accounting and auditing subjects'' should be broadly
interpreted, and include, for example, subjects relating to the
business or economic environments of the entities to which the
professional is assigned.
---------------------------------------------------------------------------

Through the PCAOB's oversight activities, the Board has observed
situations where a lack of understanding of professional standards
appears to have contributed to audit deficiencies. These problems have
been observed in domestic firms and international firms, including
firms that were not SECPS members.
One commenter requested the standard set out more specific
requirements with respect to training, identify areas or categories
that must be regularly addressed, and not eliminate the CPE obligation
in the existing standard. Another commenter requested the standard
include minimum requirements related to training of audit staff. The
Board believes it is important for firms to provide training focused on
areas where firm personnel need to develop or maintain their competence
so that they may fulfill their QC and engagement roles. If the Board
were to set specific requirements with respect to training, firms may
not evolve their training over time to respond to changes in the firm
or in the needs of firm personnel. The Board maintained the principles-
based approach to training.
Under the specified quality response in QC 1000.48, the firm is
required to provide training, including training on applicable
professional and legal requirements, that is mandatory for all firm
personnel on an annual basis. This specified quality response provides
firms the ability to determine the type and extent of training
necessary based on their personnel and the nature and circumstances of
the firm and its engagements. For example, a firm may determine that
training is necessary on a wide array of topics for a certain level of
staff within the firm. Another firm may determine that training is
necessary for one or more staff in a certain area due to a new
engagement or as a result of an area of development identified as part
of a performance evaluation. A firm may also decide that it is
necessary to repeat training as a periodic reminder of existing
requirements, such as those relating to internal control over financial
reporting. Ultimately, the type and extent of training should be
directed at whatever is necessary to enable firm personnel to fulfill
their assigned QC and engagement roles in accordance with applicable
professional and legal requirements and the firm's policies and
procedures.
This specified quality response in QC 1000.49 did not attract
comment and was adopted as proposed.
This specified quality response relates to the quality objective in
paragraph .44g., which provides that firm personnel are evaluated at
least

[[Page 49650]]

annually, incentivized to fulfill their assigned responsibilities and
adhere to appropriate standards of conduct, including through
compensation plans and performance decisions regarding performance that
appropriately prioritize quality considerations, and held accountable
for their actions and failures to act.
Specific to the individuals assigned ultimate responsibility and
accountability for the QC system as a whole and operational
responsibility and accountability for the QC system as a whole, the
firm's periodic performance evaluations of these individuals are
required to take into account the results of the firm's evaluation of
its QC system.\261\ A firm will be able to determine its approach to
comply with this specified quality response. For example, the firm may
set targets and measure the outcome of the evaluation of the QC system
against those targets. As another example, the firm may consider the
individual's actions taken in response to identified QC deficiencies or
major QC deficiencies, including the timeliness and effectiveness of
such actions. The periodic performance evaluation of these individuals
may be informal in a less complex firm or undertaken by a special
committee in a more complex firm.
---------------------------------------------------------------------------

\261\ Evaluation of a firm's QC system is addressed in
paragraphs .77-.78 of QC 1000 and discussed below.
---------------------------------------------------------------------------

No comments were received on the specified quality response in QC
1000.50 and it was adopted as proposed.
Laws or regulations may establish requirements for the professional
licensing or other qualifications of the firm and firm personnel. Under
this specified quality response, the firm is required to have policies
and procedures regarding licensure such that the firm and firm
personnel hold the required licenses or qualifications. The policies
and procedures address such matters as (1) the jurisdiction(s) where
firm and firm personnel are required to hold licenses or other
qualifications, and (2) whether the firm and such firm personnel comply
with the jurisdictions' requirements.
The quality objective in paragraph .44h. provides that
technological resources are obtained or developed, implemented,
maintained, and used to enable the firm's QC system and the performance
of its engagements. As part of the firm's quality response to this
quality objective, the firm's technological resources should also have
the characteristics described in paragraph .51. One commenter stated
that the quality objective in proposed paragraph .44h is sufficient and
this specified quality response should be removed. The Board believes
the firm's policies and procedures should address its technological
resources having the capacity (resource requirements for the necessary
output), integrity (guarding against improper information
modification), resiliency (ability to operate and recover under adverse
conditions), availability (ensuring timely and reliable access to and
use of information), reliability (ability to function consistently),
and security (protection against intentional subversion).\262\ These
characteristics enable the ongoing operation of the firm's QC system
and performance of its engagements. The Board believes this specified
quality response provides additional direction and has retained it in
the final standard.
---------------------------------------------------------------------------

\262\ See, National Institute of Standards and Technology
Glossary, available at https://csrc.nist.gov/glossary.
---------------------------------------------------------------------------

Also related to technology, the proposal asked if the standard
should include a specified quality response that would require the use
of technological resources by the firm to respond to the risks related
to the use of certain technology by the companies for which the firm
performs engagements. Several commenters did not support inclusion of
such a specified quality response. One commenter requested a
requirement to design and implement controls to prevent unauthorized
access to data and technology. The Board did not make any changes or
additions to the quality objective or specified quality responses
related to technological resources because it believes the more general
provisions appropriately address this issue, and more specific
provisions are at risk of quickly becoming outdated as technology
evolves.
2. Current PCAOB Standards
QC 1000 largely covers the same areas addressed in QC 20 and QC 40
for personnel management and assignment of responsibilities.\263\
Existing PCAOB QC standards do not provide specific direction on the
use of intellectual resources or technological resources, except for
one application regarding independence.\264\
---------------------------------------------------------------------------

\263\ See QC 20.13 and .22.
\264\ See SECPS 1000.46 (requirement 4).
---------------------------------------------------------------------------

Information and Communication

This component addresses the firm's processes for obtaining,
generating, sharing, and using information to enable the design,
implementation, and operation of the QC system and the performance of
the firm's engagements, and for communicating information within the
firm and to external parties.\265\ As discussed in more detail below,
the Board made some changes in response to commenter input but adopted
most provisions as proposed.
---------------------------------------------------------------------------

\265\ Other aspects of the standard also include specific
provisions regarding communication (see, e.g., paragraphs 16-.17 in
Roles and Responsibilities, and paragraphs .31 and .35 in Ethics and
Independence).
---------------------------------------------------------------------------

1. QC 1000
The information and communication area of the firm's operations
serves the critical function of generating, gathering, and
disseminating the information needed for the firm, including the QC
system, to function. The process of determining information needs is
iterative and ongoing; as the nature and circumstances of the firm
change, information needs also change. The information and
communication component of the QC system operates over this area of the
firm's operations.
One firm suggested that the information and communication component
refer to ``relevant and reliable'' information to convey that not all
information is intended to be obtained and disseminated to the relevant
individuals or roles. The firm disagreed that relevance and reliability
is implied within the context of the proposed requirements, and argued
that the term ``information'' needs parameters and qualifying language
to provide boundaries to the vast amount of information that exists or
could be created in the context of a firm's QC system. The firm further
argued that without appropriate qualifiers, the breadth of information
to be considered and/or communicated within a QC system will inhibit
firm leaders from identifying and focusing on information most relevant
to the successful operation of the QC system. As discussed in the
proposal, in determining specific information to be communicated to
firm personnel, including the nature and extent of such communication,
the firm may consider the type of information that is relevant to the
recipients given their roles and responsibilities within the firm. The
Board continues to believe that information would have to be relevant
and reliable to support the operation of the firm's QC system and the
performance of the firm's engagements in accordance with applicable
professional and legal requirements, so that a reference in the
standard to ``relevant and reliable'' information is unnecessary.

[[Page 49651]]

a. Information and Communication Quality Objectives
The standard requires the firm to establish a number of quality
objectives for the information and communication component. These
objectives are discussed in more detail below. One firm commented that,
as the proposed quality objectives for information and communication
are broadly consistent with other jurisdictional and international
quality control/management standards, they are appropriate, and no
further changes are needed.
i. Identifying, Capturing, Processing, and Maintaining Information (QC
1000.53.a)
Identifying, capturing, processing, and maintaining information is
an ongoing process necessary to support the firm's QC activities and
the performance of its engagements in accordance with applicable
professional and legal requirements. Information systems vary from firm
to firm and encompass various sets of activities involving people,
processes, data, or technology, or some combination thereof. Some
firms' information systems may be heavily reliant on IT aspects while
other information systems may require more manual intervention. Firms
are able to determine the type of information systems necessary to
achieve their quality objectives.
One commenter suggested that the information and communication
component could be enriched by explicitly integrating academic audit
and accounting studies as a vital source of information to be used by
firms to inform their QC system. The Board believes that the quality
objectives within the information and communication component
sufficiently establish the desired outcomes for the identification of
external information to support the operation of the firm's QC system.
A firm may determine that the conclusions of certain academic studies
inform the design or operation of its QC system. Furthermore, depending
on the nature and circumstances of the firm and its engagements, the
firm may consider any applicable academic studies in the firm's risk
assessment process as it obtains an understanding of the conditions,
events, and activities that may adversely affect the achievement of its
quality objectives. The requirement was adopted as proposed.
ii. Exchange of Information (QC 1000.53.b-.c)
Information is essential to firm personnel being able to understand
and fulfill their responsibilities relating to the QC system and the
performance of the firm's engagements. For example, through the Board's
oversight activities, it observed improved audit quality when there was
regular, consistent communication among members of the engagement
team.\266\ The quality objective prompts firms to tailor the nature,
timing, and extent of information communicated based on firm
personnel's responsibilities, including those related to the firm's
policies and procedures.
---------------------------------------------------------------------------

\266\ See, e.g., 2019 Inspection Observations Preview at 5.
---------------------------------------------------------------------------

Communication is generally an ongoing process that involves all
firm personnel. For example, the firm communicates information to
engagement teams, such as information obtained during the firm's
acceptance and continuance process that is relevant in performing the
engagement. Engagement teams also communicate information to the firm--
for example, information about the company obtained during engagement
performance that may assist the firm when evaluating whether to
continue the engagement. Two-way communication may also occur among
firm personnel. For example, firm personnel performing engagements may
exchange information directly with firm personnel performing activities
within the firm's QC system, such as information to facilitate
compliance with the firm's independence policies and procedures. The
standard emphasizes the need for two-way communication within the firm
and the responsibility of all firm personnel to communicate
information.
One commenter addressed the quality objectives set out in
paragraphs .53b.-.53c. of the proposed standard related to the timely
exchange of information between firm personnel and leadership,
including those with responsibilities for the firm's QC system. The
commenter recommended that the final release clarify that the firm's
policies and procedures assist in promoting communication such that the
appropriate individuals with responsibilities over the firm's QC system
become aware of relevant matters in a timely manner, as appropriate for
the size and the scale of the firm and relative nature of the matter.
As discussed above, the Board believes timely communication and action
should be sufficiently prompt to achieve its objective and that
timeliness is a function of the nature and significance of the issue.
These requirements were adopted as proposed.
iii. External Parties (QC 1000.53.d-.e)
There are many circumstances in which firms communicate information
about themselves and their performance to external parties. Some
external communications are required by law or regulation, such as the
transparency reporting that is required in some jurisdictions, and
others are made by firms voluntarily, for example, in connection with
marketing or recruitment efforts.
The standard requires the firm to establish a quality objective
that addresses communications to external parties in accordance with
applicable professional and legal requirements. This quality objective
focuses firms on providing the necessary communications to external
parties when required. Among other things, this objective (paragraph
.53d.) covers the completeness, accuracy, and timeliness of a firm's
existing annual and periodic reporting to the PCAOB (i.e., Forms 2 and
3, Form AP, and Form QC). It would also cover reporting under the
Board's proposed revised reporting requirements and metrics
requirements \267\ if those are ultimately adopted by the Board and
approved by the SEC.
---------------------------------------------------------------------------

\267\ See PCAOB Rel. No. 2024-002.
---------------------------------------------------------------------------

An investor expressed concern with the absence of references to
investors or the public from the examples of external parties, and
further commented that the proposal makes no mention of the role of
quality control with respect to critical audit matters. This provision
relates to communications to external parties that are required under
applicable professional and legal requirements. Under current
requirements, the only required communication from the audit firm to
investors is the audit report. Audit reporting is part of engagement
performance, is covered by a separate quality objective relating to
engagement performance,\268\ and is not addressed by this quality
objective. To the extent that a communication to a regulator is
ultimately available to the public (as is the case with, for example,
various forms filed with the PCAOB), such communications would be
covered by this quality objective, thus providing

[[Page 49652]]

downstream benefits for investors and the public.
---------------------------------------------------------------------------

\268\ See paragraph .42a.(3): ``Responsibilities are understood
and fulfilled . . ., including, as applicable . . . Responsibilities
for reporting and other communications with respect to the
engagement.''
---------------------------------------------------------------------------

A firm recommended that the scope of the requirement be limited to
information or communications regarding a firm's audit practice and
engagements performed in accordance with PCAOB standards. As discussed
in more detail above, the definition of applicable professional and
legal requirements in the final rule has been more narrowly tailored to
address engagements, as defined in QC 1000, and the QC system itself.
The Board believes this change addresses the commenter's concern about
the possible overbreadth of the quality objective, and the Board
adopted it as proposed.
The PCAOB also observed that some firms make public communications
about firm-level or engagement-level information, such as firm metrics
and financial data. For example, some firms publish transparency or
audit quality reports, either voluntarily or in response to the
requirements of other jurisdictions, that contain data such as:
Revenue breakdown by service line, by year, or by
geographic segment;
Professional staff ratios;
Staff turnover ratios;
Average training hours per professional; and
Partner workload.
In addition to transparency or audit quality reports, firms may
communicate these data via web pages or other media, such as
promotional publications, social media, interviews, or presentations
via webcast or video. Furthermore, if adopted, the Firm and Engagement
Metrics proposal will require firms to publicly report certain metrics
relating to their audits and their audit practices.
Regardless of the form of communication and the type of information
presented, the Board believes that firms' QC systems should address the
integrity of firms' external communications about themselves and the
performance of their engagements. Such information can influence the
views of relevant stakeholders, including audit committees determining
whether to engage or retain an auditor and investors determining
whether to ratify such an appointment.
The proposed standard contemplated that the firm would establish a
specific quality objective that firm-level or engagement-level
information communicated externally is accurate and not misleading and,
with respect to any performance metrics, that the communication
explains in reasonable detail how the metrics were determined and, if
applicable, how the metrics or the method of determining them changed
since performance metrics were last communicated. The Board's view is
that a specific quality objective in this area will prompt firms to
implement targeted policies and procedures that address, for example,
the quality and consistency of data and the need for context or
explanation. This in turn will improve the informativeness,
reliability, and comparability of such communications and avoid
misleading the intended audience.
Several commenters, including firms and related groups, broadly
supported the quality objectives or agreed that it is important to
address communications to stakeholders about a firm's or engagement's
performance, and that such communications should be accurate and not
misleading. However, many of the commenters on this topic raised
concerns with regard to the proposed quality objective addressing the
firm's external communications relating to metrics.
Several commenters suggested that additional clarification be
provided on the metrics and communications that are in scope for the
quality objective. Some commenters recommended that the scope of the
requirement be limited to metrics related to audit quality that are
required to be communicated under applicable professional, legal, or
other regulatory requirements and are communicated publicly. One firm
recommended that the scope of metrics be limited to those related to
the effectiveness of the firm's QC system or audit quality, and that
the scope of the communications be limited to ``formal'' external
reporting such as audit quality reports, transparency reports,
communications with audit committees, and other published reports.
Another firm recommended that the external communications in scope for
the objective should be limited to communications externally about
audit quality and should not extend to other external information
issued by the firm that is not specifically related to audit quality
such as marketing communications or recruiting information. The firm
further argued that this limitation on scope to only audit-quality-
related external communications should also apply to the communication
of how metrics were determined and explanations of year-on-year
changes. Another firm recommended that the scope be limited to
information or communications regarding a firm's audit practice and
engagements performed in accordance with PCAOB standards.
One firm expressed concern regarding firms' ability to design and
implement quality responses to address the risk of every type and form
of information communicated given the broad scope of the requirement.
The firm recommended that the scope should be limited to information
resulting from and regarding the evaluation of the firm's QC system,
which will allow firms to focus efforts on the information that is most
meaningful to stakeholders, which in turn will enhance the reliability
of such information.
One firm commented that in addition to recommending limiting the
quality objective to engagements performed under PCAOB standards that
would be subject to the firm's QC system, it may not be practicable to
communicate in reasonable detail how a metric was determined in all
situations (e.g., if the metric was provided in a speech). The firm
asserted that it should be allowed to present the information about how
a metric was determined and, if necessary, how it changed, in a single,
publicly available location (e.g., on the firm's website). One firm
commented that the level of disclosure that would be required may
create confusion or may not ultimately be necessary, in particular in
instances when the metric does not relate to audit quality. Further,
the firm stated that the disclosures may conflict with requirements
that may apply to registered firms outside of the U.S. Another firm
recommended that the words ``explains in reasonable detail how the
metrics were determined and, if applicable, how the metrics or the
method of determining them changed since performance metrics were last
communicated'' be removed from the quality objective. The firm asserted
that this requirement may discourage smaller firms from including many
quality metrics in their audit quality, transparency, and similar
reports given limited time and resources available to produce their
voluntary report. Some commenters, including firms and a related group,
recommended that considerations related to metrics in QC 1000 be taken
up as part of the PCAOB's research project on firm and engagement
performance metrics.
After consideration of the comments received, the Board continues
to believe it is appropriate that all firm communications to external
parties regarding themselves and their audit practice, in whatever
medium, meet the minimum standard of being accurate and not misleading.
However, in response to commenters, the Board clarified the quality
objective in certain respects. It has clarified that the quality
objective is limited to communications regarding the firm's audit
practice, firm personnel, or engagements and removed the word

[[Page 49653]]

``performance'' from the phrase ``performance metrics,'' to align with
the terminology use in the Board's proposed metrics requirements.\269\
Additionally, the Board revised the quality objective to provide that
only metrics communicated in writing require an explanation of how the
metrics were determined and, if applicable, how the method of
determining them changed since metrics were last communicated. The
Board believes this will address commenter concerns about the
feasibility of providing such explanations for metrics communicated
orally. In addition, the Board removed the requirement to explain in
reasonable detail, if applicable, how the metrics themselves have
changed since they were last communicated. The Board believes that
requiring an explanation of how the metrics were determined and, if
applicable, how the method of determining the metric changed since it
was last communicated will enhance the understandability and
comparability of the metrics made available to external parties.
However, the Board does not believe it to be necessary to require
narrative discussion of numeric changes in the metric period over
period if there has been no change in the underlying calculation
method.
---------------------------------------------------------------------------

\269\ See PCAOB Rel. No. 2024-002.
---------------------------------------------------------------------------

These disclosures may be incremental to requirements that could
apply to registered firms outside of the U.S., however, the Board does
not believe that these requirements will operate in conflict. The Board
has observed variation and complexities in how metrics are defined and
calculated by firms, as well as changes in the calculation method over
time such that it believes this quality objective is necessary to
improve the informativeness, reliability, and comparability of such
communications and avoid misleading the intended audience. In addition,
over 100 unique qualitative disclosures and quantitative audit quality
metrics have been observed by the Center for Audit Quality (``CAQ'') in
its analysis of the CAQ's eight Governing Board firms' most recent
audit quality reports.\270\ The Board believes this indicates both a
demand for and an ability to supply metrics, which further emphasizes
the need for consistency and comparability of the metrics.
---------------------------------------------------------------------------

\270\ See Audit Quality Reports Analysis: A Year in Review,
available at https://www.thecaq.org/aqr-analysis-yir/.
---------------------------------------------------------------------------

The Board considered whether it would be appropriate to allow for
additional disclosures relating to metrics to be presented in a single
public location such as the firm's website. However, the Board believes
that by limiting the requirement to written communications, it has
eliminated the concern about how to present such information with
respect to an oral communication, and given the importance of the
information to the intended audience, that this should be presented in
the same written communication as the disclosed metrics.
The Board received feedback from a number of commenters, including
investors and related groups, criticizing the proposal for failing to
include required metrics or audit quality indicators. The Board has
proposed a separate standard on firm and engagement metrics \271\ and
it has addressed these comments in that proposal.
---------------------------------------------------------------------------

\271\ See PCAOB Rel. No. 2024-002.
---------------------------------------------------------------------------

iv. Networks (QC 1000.53.f)
If the firm belongs to a network, exchange of information between
the firm and the network may play an important role in supporting the
operation of the firm's QC system and the performance of its
engagements. For example, if the network performs certain monitoring
activities relating to the firm's QC system, the network's
communication of information (e.g., results of its monitoring
activities or any changes to its activities from the prior year) may
result in the firm adjusting the nature, timing, and extent of its own
monitoring activities. On the other hand, the firm may need to
communicate to the network when there are changes to the firm's QC
system that may affect the network's monitoring activities.
The Board did not receive comment on the proposed quality objective
relating to the exchange of information between a firm and a network
and adopted it as proposed.
v. Other Participants (QC 1000.53.g-.h)
Many firms have increasingly involved parties outside the firm in
QC functions, such as independence compliance, and engagement
functions, such as performing audit procedures and evaluating audit
evidence. Working with other participants can differ from working with
individuals within the firm. For example, auditor-engaged specialists
\272\ may have different professional training and experience and may
operate under a different type of QC system, or none at all. Firms may
experience differences in local norms and expectations when working
with firms based in other jurisdictions. These and other factors give
rise to risks in the communication between firm personnel and other
participants, including the potential for misunderstandings regarding
the audit effort needed to meet the objective of the other
participant's work.\273\ It is therefore imperative that appropriate
communications take place between the firm and other participants to
enable the other participants to understand and carry out their
responsibilities relating to activities within the firm's QC system and
the performance of its engagements in accordance with applicable
professional and legal requirements and the firm's policies and
procedures.
---------------------------------------------------------------------------

\272\ AS 1210, establishes requirements regarding the use of a
specialist engaged by the auditor's firm (``auditor-engaged
specialist'') to assist the auditor in obtaining or evaluating audit
evidence with respect to a relevant assertion of a significant
account or disclosure.
\273\ See, e.g., PCAOB Rel. No. 2022-002.
---------------------------------------------------------------------------

The Board broadened the language of the quality objective to
clarify that it applies to the use of participants in both the firm QC
system and in engagements.
For other participants that are firms, the Board proposed that
information obtained from the other participants should include the
conclusion of the most recent evaluation of its QC system and a brief
overview of remedial actions taken and to be taken, as well as a
footnote clarifying that the most recent evaluation of the other
participant firm's QC system refers to that firm's evaluation under
paragraph .77 of QC 1000 as of the most recent evaluation date, if such
an evaluation was performed, and otherwise to the most recent QC
evaluation performed by the other participant firm under any
professional standard.\274\
---------------------------------------------------------------------------

\274\ See, e.g., ISQM 1 paragraphs .53-.54; and SQMS 1
paragraphs .54-.55.
---------------------------------------------------------------------------

One commenter stated that audit firms monitor the quality of member
firms but have typically been reluctant to share negative information
about a member firm, and that requiring transparency in such
information would be beneficial. However, several firms and related
groups expressed concerns about the impact of having other participant
firms share the most recent evaluation of their QC system based on the
confidentiality protections set out in Sarbanes-Oxley or other relevant
local laws and regulations. Two firms commented that these concerns
would be alleviated if the definition of QC deficiency was updated to
align with the definition in ISQM 1 and SQMS 1. One firm commented that
the proposed quality objective addressing information and communication
related to other participants is appropriate, however if

[[Page 49654]]

information is to be shared at the deficiency level, the firm is
concerned that this would violate the confidentiality provision within
Sarbanes-Oxley. Another firm suggested limiting the extent of
information shared to only what is necessary for firms to achieve the
reasonable assurance objective. This firm agreed with obtaining and
considering the other participant firm's overall conclusion of the most
recent evaluation of the QC system, however it argued that this should
not include information regarding deficiencies, if any, and remedial
actions taken and to be taken. Some commenters argued that firms should
be able to take a risk-based approach in determining whether it is
necessary to request specific information regarding an other
participant firm's QC system.
One firm-related group argued that certain international
legislation may be an issue for firms when reporting clients' or
individuals' personal information. The commenter further expressed
concerns that those firms applying QC 1000 fully and reporting
thereunder may be selected in preference to those using other
standards. Another firm-related group expressed concern that a firm-
level QC inspection finding might result in the best firm for the
component auditor role being bypassed. The commenter further suggested
that guidance is needed for when the evaluation and/or overview of
remedial actions is not forthcoming.
Some commenters, including firms and a related group, argued
practical concerns regarding the application of the requirement to
other participants not registered with the PCAOB. One firm commented
that, while it is not aware of any legal or regulatory concerns with
other participants sharing the most recent evaluation of their QC
system, it suggested that the PCAOB state that firms will not violate
this requirement if local laws or regulations exist that prevent
compliance.
After consideration of the comments received, the Board amended the
standard to limit the information that should be obtained to only the
conclusion of the most recent evaluation of the QC system. The Board
believes that this addresses commenter concerns relating to the risk of
communicating privileged information. Furthermore, the Board continues
to believe that obtaining the communication of the conclusion of the
other participant's most recent evaluation may assist a firm in
determining the nature and extent of supervision of the work of other
participants or deciding whether other participants are fit to
participate in the firm's engagements, including ensuring that the best
firm for the job is not bypassed. If necessary, the firm may discuss
the conclusion with the other participant firm to seek to gain a better
understanding of the basis for such conclusion.
The Board believes that in practically all cases, the firm would be
able to obtain the conclusion of the most recent evaluation of the
other participant's QC system. However, if a firm is unable to obtain
this (for example, if the other participant has not performed an
evaluation, or if local laws forbid them from sharing it), then the
firm should assess what other procedures are necessary to achieve the
quality objective.\275\
---------------------------------------------------------------------------

\275\ See PCAOB Rule 3101(a)(2).
---------------------------------------------------------------------------

One firm commented that paragraph 53f. specifically addressed
networks, while .53g. addresses other participants, and that it was
unclear whether paragraph .53g. also applies to networks given their
inclusion in the definition of ``other participants'' or if the Board
intends for paragraph .53g. to apply to any other party defined within
``other participants.'' Paragraph .53g. applies to firms within a
network to the extent that the firm is an other participant, as defined
in QC 1000.A7 and discussed in more detail above.
Another firm expressed concerns that it may not be able to
practically apply paragraph .53g. to all ``other participants.''
Specifically, the firm requested clarification as to the expectation
regarding the extent to which firms design policies and procedures to
ensure other participants comply with applicable professional and legal
requirements, including bifurcation of participants that are part of
the engagement team as compared to participants in the firm's quality
control system. Another firm suggested it would be impractical to
suggest that a firm's QC system can be applied to other participants or
that they would explicitly comply with the firm's policies and
procedures as if they were part of the firm. As discussed in more
detail above, just because a quality objective or other provision of QC
1000 refers to all types of other participants in the same way, this
does not mean that the firm should respond by treating all types of
other participants in the same way. The firm's policies and procedures
addressing other participants should differentiate based on the types
and roles of other participants to the extent necessary to be
responsive to the firm's quality risks (for example, the firm would
have different policies for the use of engaged specialists versus
external EQRs).
The proposed requirement in paragraph .53.h did not draw comment
and was adopted as proposed.
The firm may also participate in another firm's engagement as an
other participant. For the same reasons that apply when the firm is
issuing the engagement report and using the work of other participants,
it is important that there is an appropriate exchange of information in
order to enable the firm serving as an other participant to fulfill its
role in accordance with applicable professional and legal requirements.
d. Information and Communication Specified Quality Responses (QC
1000.55-.56)
One firm commented that the proposed specified quality responses
for information and communication are appropriate. Other comments that
are specific to each specified quality response are discussed below.
The requirement in paragraph .55 carries forward an existing
requirement from the PCAOB's QC standards and extends it to cover other
participants, not just firm personnel.\276\ One firm suggested that, as
it relates to other participants, the quality objective in paragraph
.53g. was sufficient, and the specified quality response was not
needed. Another firm commented that it is concerned that expanding the
requirement to communicate quality control policies and procedures
beyond firm personnel to include other participants may not be
operational due to the size, content, and methods of accessing the
policies and procedures. The firm further asserted that the proposed
standard may inappropriately blur the lines between a firm's system of
quality control and engagement-level requirements that are already
addressed through existing PCAOB standards and rules. The Board
believes that other participants play an important role in the
operation of the firm's QC system and the performance of its
engagements and that it is imperative for these other participants to
be aware of the firm's policies and procedures to the extent required
to enable them to carry out their responsibilities. For that reason,
the Board believes it is necessary to expand the existing requirement
to include other participants in a specified quality response.
---------------------------------------------------------------------------

\276\ See QC 20.23.
---------------------------------------------------------------------------

To address the concern about the volume of material required to be
shared with other participants, the Board clarified the requirement by
providing that policies and procedures should be

[[Page 49655]]

communicated ``to the extent'' and in a manner reasonably designed to
enable firm personnel and other participants to carry out their
responsibilities; in other words, the requirement is to communicate
what firm personnel and other participants need to know, not
necessarily all of the firm's policies and procedures. For example, a
firm would communicate to an EQR contracted by the firm its policies
and procedures related to EQR review and independence. In addition,
although the wording of the requirement is different, the substance of
the existing requirement \277\ is unchanged. Reference to ``reasonably
designed and implemented'' captures the existing requirement to
communicate in ``a manner that provides reasonable assurance that those
policies and procedures are understood and complied with'' without
repeating the reasonable assurance already captured by the overarching
objective of the QC standard.
---------------------------------------------------------------------------

\277\ See QC 20.18.
---------------------------------------------------------------------------

Another commenter requested clarification as to whether the
communication of policies and procedures is required in narrative,
flowchart, or other form. The Board believes that the policies and
procedures should be in writing and in a manner that is reasonably
designed to enable firm personnel and other participants to understand
and carry out their responsibilities relating to activities within the
firm's QC system and the performance of its engagements. The format of
these policies and procedures may vary depending on the specific
responsibilities being addressed and how the firm wants to communicate
them.
Under the existing PCAOB standard, the firm is also required to
make timely communications to appropriate personnel regarding changes
to its established quality control policies and procedures. The Board
does not think it is necessary to address changes to policies and
procedures separately; the requirement is to communicate policies and
procedures as in effect, which includes changes to such policies and
procedures over time. If the firm needs to communicate changes to its
policies and procedures to enable firm personnel and other participants
to understand and carry out their responsibilities, then the specified
quality response will require such communication.
Given the importance of information generated from the monitoring
and remediation process, paragraph .56 includes a specified quality
response that requires the firm to communicate such information to firm
personnel to enable them to take timely action. In determining specific
information to be communicated to firm personnel, including the nature
and extent of such communication, the firm may consider the type of
information that is relevant to the recipients given their roles and
responsibilities within the firm. For example, information communicated
to engagement teams may be focused on a description of identified
engagement deficiencies and related remedial actions that are likely to
be relevant to such firm personnel and their engagements. Information
communicated to all firm personnel may relate to deficiencies
identified through QC system-level monitoring activities, such as
compliance issues in connection with the firm's ethics and independence
policies and procedures.
One firm asserted that the requirement to communicate identified
engagement deficiencies and QC deficiencies to firm personnel could
hold firms to a higher standard than may be prudent, and that a
perceived requirement to communicate each engagement deficiency seems
imbalanced to appropriately influence change. The specified quality
response requires that such communications be made to enable firm
personnel to take timely action in accordance with their
responsibilities. Based on the results of the monitoring and
remediation process, the firm can assess the nature and extent of the
communications to be made, and this should be commensurate with the
risk that other similar unidentified engagement deficiencies exist; for
example, for engagement deficiencies related to the examination of
broker-dealer compliance reports, the firm may limit the communications
to firm personnel working on broker-dealer engagements and adjacent
industry sectors.
In addition, under paragraph .57 the firm is required to
communicate the results of the annual evaluation of its QC system to
certain individuals in firm leadership positions. These individuals may
use this information in various ways, for example, as a basis for
further communications to firm personnel about the importance of
quality or to address concerns about the QC system in a timely manner.
The requirement reinforces firm leadership's responsibility and
accountability for the firm's QC system.
2. Current PCAOB Standards
Existing PCAOB QC standards focus principally on communication of
certain information, specifically:
Firm QC policies and procedures; \278\
---------------------------------------------------------------------------

\278\ See QC 20.23.
---------------------------------------------------------------------------

Weaknesses identified in the QC system or the level of
understanding or compliance therewith; \279\
---------------------------------------------------------------------------

\279\ See QC 30.03.
---------------------------------------------------------------------------

Internal inspection findings; \280\
---------------------------------------------------------------------------

\280\ See QC 30.06.
---------------------------------------------------------------------------

Principles that influence the firm's policies and
procedures on matters related to the recommendation and approval of
accounting principles, present and potential client relationships, and
the types of services provided; \281\
---------------------------------------------------------------------------

\281\ See SECPS 1000.08(l), 1000.42.
---------------------------------------------------------------------------

Additions to the Restricted Entity List; \282\ and
---------------------------------------------------------------------------

\282\ See SECPS 1000.46 (requirement 5).
---------------------------------------------------------------------------

Notification to the SEC of resignations and dismissals
from audit engagements for SEC registrants.\283\
---------------------------------------------------------------------------

\283\ See SECPS 1000.08(m); see also Appendix 5 for a proposed
new standard, AS 1310, Notification of Termination of the Auditor-
Issuer Relationship, that would retain existing requirements of
SECPS 1000.08(m) and apply those requirements to all firms.
---------------------------------------------------------------------------

QC 1000, by contrast, more broadly addresses the firm's
responsibilities regarding its information system and internal and
external communications.

Monitoring and Remediation Process

1. QC 1000
a. Overview (QC 1000.58)
The monitoring and remediation process is an integral part of an
effective QC system because it creates a feedback loop to inform the
firm's risk assessment process. The feedback loop will help the firm
identify and assess new and evolving quality risks and design and
implement effective quality responses. It drives a firm's focus on
continuing to improve its QC system, with a view to preventing future
engagement deficiencies. The monitoring and remediation process applies
to the design, implementation, and operation of all QC system
components, including the monitoring and remediation component, and
provides the basis for a firm's evaluation of whether its QC system is
effective and for reporting on the QC system.\284\
---------------------------------------------------------------------------

\284\ For further discussion of the evaluation of a firm's QC
system, see below.
---------------------------------------------------------------------------

The Board has observed through its oversight activities that some
firms have made significant efforts to enhance their monitoring and
remediation process, which has led to improvements in the firms' QC
systems and in audit quality. These efforts include increased attention
to ongoing monitoring activities, internal monitoring of both in-
process and completed engagements,

[[Page 49656]]

root cause analysis of both positive outcomes and QC deficiencies, and
remedial actions to address QC deficiencies. However, PCAOB inspections
continue to identify deficiencies for some firms, suggesting that not
all firms have made meaningful improvements in these areas.
Under QC 1000, the monitoring and remediation process addresses the
following:
General requirements;
Engagement monitoring activities;
QC system-level monitoring activities;
Monitoring activities performed by a network;
Determining whether engagement deficiencies exist;
Responding to engagement deficiencies;
Determining whether QC observations exist;
Determining whether QC deficiencies exist;
Responding to QC deficiencies; and
Monitoring the implementation and operating effectiveness
of remedial actions.
Under the standard, a firm performs monitoring activities to
determine whether its quality responses are properly designed and
operating as intended, such that the firm's quality risks are
sufficiently mitigated and its quality objectives are achieved. As
described later, the results of the firm's monitoring and remediation
process are to be evaluated annually as part of the evaluation of the
QC system. Therefore, the monitoring activities conducted need to be
sufficient to support the conclusions reached during such an
evaluation.
b. General Requirements (QC 1000.59-.61)
The standard specifies three goals for the monitoring and
remediation process:
Relevant, reliable, and timely information. Monitoring and
remediation must provide information about the design, implementation,
and operation of the firm's QC system that is relevant, reliable, and
timely. The information obtained from monitoring activities informs a
firm about actions, behaviors, or conditions that contributed to issues
that need to be addressed and may also provide insights as to factors
that help prevent deficiencies from occurring. For example, information
obtained about actions, behaviors, and conditions related to an
engagement that was subject to internal or external monitoring
activities where no deficiencies were identified may provide insights
about good practices to use when addressing issues on similar
engagements.
Reasonable basis for timely detection of engagement
deficiencies and QC deficiencies. The standard uses the concept of
``reasonable basis,'' which is present throughout PCAOB auditing
standards, including the standards governing the auditor's report.\285\
Therefore, this concept is well understood by the profession.
``Timely'' as it relates to the detection of engagement deficiencies
means that the firm's monitoring activities are designed to identify
deficiencies as promptly as practicable. For example, the Board expects
that the firm's monitoring activities will generally enable the firm to
identify deficiencies in calendar year-end engagements in time to
include them in its evaluation of the QC system as of the following
September 30.
---------------------------------------------------------------------------

\285\ See, e.g., AS 3101.09f (noting that one of the elements in
the Basis for Opinion section of the auditor's report is ``[a]
statement that the auditor believes that the audit provides a
reasonable basis for the auditor's opinion'').
---------------------------------------------------------------------------

Timely remediation. The firm's monitoring and remediation
process must enable timely remediation of identified engagement
deficiencies and QC deficiencies. What constitutes ``timely'' depends
on the deficiency's nature, scope, and impact. For example, where there
is a high risk of severity or pervasiveness, remedial actions may have
to be immediate to be timely.
The first element of monitoring and remediation is designing and
performing monitoring activities for engagements and the QC system
itself. The Board believes that the selected frequency and timing of
the firm's monitoring activities (e.g., a combination of ongoing and
periodic monitoring activities) are important elements in achieving an
overall effective monitoring and remediation process. Ongoing
monitoring activities are generally those activities that are routine
in nature, built into the firm's processes, and performed on a real-
time basis. Periodic monitoring activities, by contrast, are conducted
from time to time at set intervals. The use of ongoing and periodic
monitoring activities would vary by firm and be influenced by the
nature and circumstances of the firm.
The other elements of the monitoring and remediation process
specified in the standard are:
Determining whether engagement deficiencies exist and
responding to them.
Determining whether QC observations exist.
Determining whether QC deficiencies exist.
Performing root cause analysis of QC deficiencies.
Designing and implementing remedial actions to respond to
QC deficiencies and determining whether such actions are implemented as
designed and operate effectively.
These other elements are discussed below, in relation to the
requirements of paragraphs .61-.76.
BILLING CODE 8011-01-P

[[Page 49657]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.006

BILLING CODE 8011-01-C
QC 1000 requires that the firm's QC system include both engagement
monitoring activities and QC system-level monitoring activities. The
standard differentiates engagement monitoring activities from QC
system-level monitoring activities. The two types of activities would
provide different kinds of information and, in the Board's view, a firm
would need both in order to have a reasonable basis for detecting
engagement and QC deficiencies and evaluating its QC system. Engagement
monitoring activities are monitoring procedures performed on
engagements, including in-process and completed engagements. QC system-
level monitoring activities are monitoring procedures regarding aspects
of a firm's QC system, including the firm's risk assessment and
monitoring and remediation processes.
Notwithstanding the differences between engagement monitoring
activities and QC system-level monitoring activities, a firm could
design and perform dual-purpose monitoring activities--i.e., activities
directed at individual engagements that also address aspects of the
firm's QC system. For example, a firm could perform engagement
monitoring activities related to acceptance and continuance of
engagements that would also address the design, implementation, and
operation of the acceptance and continuance of engagements component of
the firm's QC system.
QC 1000 defines ``engagement'' as any audit, attestation, review,
or other engagement performed under PCAOB standards (1) led by a firm
or (2) in which a firm plays a substantial role in the preparation or
furnishing of an engagement report. Under the standard, substantial
role engagements that the firm undertakes would be required to be
included in the population of engagements on which the firm performs
monitoring activities. In situations where the firm participates in
another firm's engagement but does not play a substantial role, while
such work would not be treated as the firm's own ``engagement'' for
purposes of the standard, any firm that was required to implement and
operate an effective QC system under the standard is required to extend
its QC system to all audit, attestation, review, and other work it
performs under PCAOB standards, including other firms' engagements in
which the firm plays less than a substantial role.
In general, for purposes of QC 1000, engagement monitoring
activities are performed only on ``engagements'' as

[[Page 49658]]

that term is defined in the standard. One firm suggested that audit
quality should consistently be measured for all engagements, whether
performed under the PCAOB standards or other auditing standards, and
therefore a firm's QC system should provide reasonable assurance of
performing all such engagements in compliance with applicable laws and
professional requirements. This firm urged the Board to consider
whether the monitoring-related requirements in QC 1000 that use the
term ``engagements'' (as defined in QC 1000) may result in a lost
opportunity to fully capitalize on the expected benefits of a more
comprehensive monitoring program. Given the limits of the Board's
statutory authority under Sarbanes-Oxley, the Board does not believe it
would be appropriate to expand the scope of the term ``engagements'' to
include work performed under standards of other standard-setters.
However, nothing prevents firms from developing a single QC system for
their entire audit practice that satisfies both PCAOB requirements and
other professional standards to which the firm is subject, which could
include performing the same types of monitoring activities for both
PCAOB engagements and other audits.
The Board also understands that firms that perform only a small
number of issuer and broker-dealer engagements would be significantly
affected by a requirement to perform monitoring activities over PCAOB
``engagements'' every year.\286\ In the extreme case, a firm that
issues an audit report for only one issuer would have to monitor the
same engagement every year. The prospect of annual monitoring could
disincentivize partners from serving as the engagement partner and
ultimately affect competitive conditions in the market. Accordingly,
paragraph .61a includes a note that permits firms that issued
engagement reports for five or fewer issuers, brokers, and dealers in
the previous year to include audits not performed under PCAOB auditing
standards in their engagement monitoring activities for purposes of QC
1000, so long as the audits are selected taking into account the
factors in determining the nature, timing, and extent of engagement
monitoring activities set forth in paragraph .64. This accommodation
takes into consideration the structure of the SEC's partner rotation
requirements exemption for small firms,\287\ and is limited to audits
rather than attestation work because audits are performed under more
rigorous standards. These firms will still have to design, implement,
and operate a monitoring and remediation process that meets the
requirements of QC 1000, including the requirements regarding the
objectives and elements of the monitoring and remediation process set
forth in paragraphs .59 and .60, which focus on ``engagements'' as
defined in the standard. The firms will also be subject to the
requirement under paragraph .62b to inspect at least one completed
PCAOB engagement for each engagement partner on a cyclical basis, as
discussed below.
---------------------------------------------------------------------------

\286\ Firms that issued audit opinions for between one and five
issuers or broker-dealers represented 38% of all registered firms in
2022, 39% in 2021, and 43% in 2020.
\287\ See 17 CFR 210.2-01(c)(6)(ii).
---------------------------------------------------------------------------

Current PCAOB QC standards provide that, in some circumstances,
individuals may perform monitoring procedures over the same areas for
which they are responsible.\288\ Such monitoring procedures are a type
of self-assessment and under the proposed standard, self-assessments
would not have been permissible. Individuals would lack the requisite
objectivity if they reviewed engagements in which they participated
(or, in the case of audits, for which they performed the engagement
quality review), or monitoring activities for which they participated
in the design, implementation, or operation of the activity.
---------------------------------------------------------------------------

\288\ See QC 30.10, which applies to small firms with a limited
number of management-level individuals.
---------------------------------------------------------------------------

Two commenters agreed that self-assessment should not be permitted
in QC 1000. Other commenters, including firms and a related group,
raised concerns regarding the proposal's disallowance of self-
assessments as part of a firm's monitoring and remediation process.
Specific concerns included the impact of this requirement on smaller
firms and the resource constraint that may be very difficult for firms
to overcome if individuals who may be involved in an engagement through
consulting with engagement teams, evaluating engagement team progress,
or monitoring turnover on the engagement team are ineligible to perform
monitoring activities.
While the Board appreciates the concerns around resource
constraints raised by commenters, allowing individuals to review their
own work is inconsistent with the quality objective in paragraph .44e
that individuals assigned to perform activities within the QC system
have the objectivity needed to perform such activities in accordance
with applicable professional and legal requirements and the firm's
policies and procedures. Taking into account commenter feedback, the
Board added a note to the standard to clarify that the restriction on
self-assessment is grounded in that quality objective. The note further
explains the implication, in the context of the monitoring and
remediation process, that individuals generally cannot perform
monitoring activities over their own work, for example by performing
engagement monitoring activities on an area of an engagement in which
they participated. The impact of this restriction will depend on the
role that the individual played in the engagement. For example,
individuals who have consulted on a particular area of an engagement
would be permitted to perform monitoring activities on other areas of
an engagement that were unrelated to the consultation. However,
individuals that served as the engagement quality reviewer on an
engagement may not perform monitoring activities on that engagement,
even if they did not review every area of the engagement.
e. Engagement Monitoring Activities (QC 1000.62-.64)
Engagement monitoring activities provide valuable information to
firms on whether engagement or QC system-level areas may require
additional attention. For example, monitoring procedures may highlight
an area on an audit engagement where insufficient audit evidence was
obtained to support the auditor's opinion. More broadly, engagement
monitoring activities may identify pervasive issues where a number of
engagements have similar problems, possibly highlighting the need to
revise methodology, provide additional training, or take other actions
at the QC-system level.
i. Monitoring Completed Engagements (QC 1000.62)
Similar to the proposal, the final standard requires firms to
perform engagement monitoring activities on completed engagements. Two
commenters expressed support for the requirement to monitor completed
engagements. One commenter suggested that paragraph .62 be amended to
permit the legacy flexibility of QC 20 for a firm to have pre-issuance
or post-issuance, or both, monitoring programs, depending on the
individual firm's risk assessment. This commenter asserted that some
smaller firms, in particular, have already implemented robust pre-
issuance quality monitoring reviews on substantially all issuer audits.
The Board continues to believe that the information derived from
performing inspections of completed

[[Page 49659]]

engagements provides the firm a perspective on its engagements that
cannot be obtained through other monitoring activities. The Board also
noted that the standard does not prescribe specific monitoring
activities, so firms will be able to determine what activities to
perform when monitoring completed engagements. Based on PCAOB oversight
activities, the Board has observed that most firms perform engagement
monitoring activities on their completed engagements as part of their
existing QC practices. Requiring the inspection of completed
engagements would therefore not change practice for most firms and,
accordingly, seems unlikely to impose incremental costs in most
instances.
The proposed standard also included a requirement for firms to
establish a cyclical basis for monitoring completed engagements such
that each engagement partner would have at least one engagement subject
to monitoring in each cycle. Some firms and a related group supported
that requirement in principle. Some commenters suggested that firms
should be permitted to include all of the engagements within a
particular engagement partner's portfolio of engagements, not only
PCAOB engagements, since the firm operates a single QC system. One
commenter stressed that if firms are not permitted to consider all
engagements in an engagement partner's portfolio, it may unnecessarily
drive firms to two separate cyclical inspection programs (that is,
doubling inspection program activities) based on the applicable set of
professional standards. This commenter also suggested that the standard
should allow firms to consider whether engagement partners have been
subjected to external inspections/reviews when determining if, and
when, to subject them to an internal inspection.
Similar to the proposal, the final standard requires firms to
inspect at least one completed PCAOB engagement for each engagement
partner over a cyclical period. Although, as discussed above, firms
with five or fewer issuer and broker-dealer engagements may be
permitted to include non-PCAOB engagements in their monitoring
activities, inspections under this paragraph must be of ``engagements''
as defined in QC 1000. This will ensure that firms regularly evaluate
the work of every partner under PCAOB standards to determine whether
engagement deficiencies or QC deficiencies have occurred and can design
and implement appropriate remedial actions. The note to the final
standard clarifies that point.
The proposed standard also included a note stating that if a firm
uses a cycle longer than three years, the firm would be required to
demonstrate how its cycle is adequate to provide the firm with a
reasonable basis for detecting engagement deficiencies and QC
deficiencies, taking into account the factors in paragraph .64. Several
commenters, including an investor-related group, disagreed with this
aspect of the proposal, suggesting that each firm should be allowed to
determine the appropriate cycle for engagement partner selection. Some
of these commenters stated that requiring a set interval for engagement
partner selection could actually result in a reduced ability by the
firm to incorporate unpredictability into the selection process. One
firm further stated that the proposed requirement regarding the
engagement partner selection cycle could also decrease the frequency of
other monitoring activities, such as in-process reviews, or curb
investment and innovation in pre-issuance monitoring programs.
The Board continues to believe it is appropriate to incorporate an
expectation that each engagement partner will be subject to inspection
at least every three years and adopted that aspect as proposed. A
three-year period appears to be a norm for other standard setters and,
based on PCAOB oversight activities, is common in practice.\289\ The
Board appreciates that requiring a set interval could make the timing
of selection predictable for an engagement partner, so a three-year
cycle is a baseline expectation, not a requirement. Firms can of course
adopt a shorter cycle, or can adopt a longer cycle if they are able to
demonstrate how that cycle is adequate to provide a reasonable basis
for detecting engagement deficiencies and QC deficiencies. Regardless
of the cyclical period used by the firm, risks or other circumstances
related to an engagement or an engagement partner may trigger the need
for the firm to inspect an engagement partner's completed engagement(s)
more than once during the cyclical period.
---------------------------------------------------------------------------

\289\ The application material accompanying the IAASB and AICPA
QC standards provide an example of a three-year inspection cycle for
engagement partners performing financial statement audits. See ISQM
1 paragraph A153, SQMS 1 paragraph A165.
---------------------------------------------------------------------------

The proposed note to paragraph .62b also included language
requiring firms to consider incorporating a level of unpredictability
when determining when, during the cyclical period, an engagement
partner has an engagement selected for monitoring and which completed
engagement(s) to select. This was intended to make it less likely that
engagement partners would be in a position to manage engagements with
the expectation that they would or would not be inspected. However,
commenters, including firms and investors and related groups, suggested
that this language should be strengthened to require that the firm
``should'' incorporate unpredictability into the selection process. One
of these commenters went further to suggest that the PCAOB also
incorporate language requiring unpredictability in the focus areas
subject to internal inspection monitoring, in addition to the timing of
such monitoring. The Board agreed with the comments raised with respect
to requiring firms to incorporate unpredictability into their selection
process and this change is reflected in the note to paragraph .62b.
Additionally, in order to allow sufficient flexibility for firms to
determine how to incorporate unpredictability in the selection process,
language has been added to the note to clarify that the firm should
include an element of unpredictability in ``at least one of'' the
elements listed in the note to paragraph .62b.
The firm's selection of completed engagements should be responsive
to information obtained from various sources, including prior
monitoring activities. The standard, in paragraph .64 (discussed
further below), includes factors for a firm to take into account when
selecting engagements for monitoring. These factors will assist a firm
when determining its cyclical basis and selecting at least one
engagement to inspect for each engagement partner.
ii. Monitoring In-Process Engagements and Other Work (QC 1000.63)
Monitoring in-process engagements can help firms detect and prevent
potential engagement deficiencies before an engagement report is
issued, resulting in a more proactive, preventive monitoring approach.
Through its oversight activities, the PCAOB has observed a variety of
different in-process engagement monitoring activities, including:
Monitoring activities on a specific area of the audit
after the engagement team has conducted certain audit procedures or
used a specific tool or template (e.g., an in-process reviewer
evaluates an engagement team's testing of management's earnings
forecast used in an impairment analysis);
Engagement team coaching by an individual who is not part
of the engagement team (e.g., a member of the firm's national office
works with an engagement team to review their audit

[[Page 49660]]

approach, including the nature, timing, and extent of planned audit
procedures);
Evaluating an engagement team's progress against certain
defined milestones or metrics and taking appropriate action when such
milestones or metrics are not achieved (e.g., if an engagement partner
did not review an engagement team's planning memo before interim audit
procedures were to start, adjusting the engagement team's schedule so
that the document could be reviewed and comments addressed before
starting interim work; if an engagement team's hours exceed a certain
weekly threshold, taking action by identifying the issue and adding
additional resources to the team); and
Monitoring engagement team turnover during the engagement
and taking appropriate action when issues arise (e.g., if more
experienced or senior personnel on the engagement, such as the manager
or senior manager, leaves the firm during the engagement and prior to
the completion of procedures, taking actions to ensure the engagement
team has the necessary resources to complete the engagement).
The proposed standard contemplated that firms that issue audit
reports with respect to more than 100 issuers during the prior calendar
year would be required to monitor in-process engagements. The proposal
noted the Board's understanding that monitoring in-process engagements
may be challenging for some firms based on their size and nature, so
the proposed standard also included a ``should consider'' requirement
to provide sufficient scalability for firms that issue audit reports
with respect to 100 or fewer issuers. Under the proposed standard,
firms that audit 100 or fewer issuers would be expected to reach a
conclusion about whether to monitor in-process engagements in light of
identified quality risks and quality responses.
Firms that commented on this requirement supported the concept of
monitoring in-process engagements and the flexibility the standard
provided for firms to design their in-process monitoring based on the
nature and circumstances of the firm. Two firms stated that the
purposes of in-process monitoring are clear and appropriate and that
the proposed standard clearly distinguished between in-process
engagement monitoring and engagement quality reviews under AS 1220. Two
firms suggested that the 100-issuer threshold is not necessary, and
that all firms should only be required to consider whether to monitor
in-process engagements.
The Board believes that differentiating a firm's obligation based
on the number of issuer clients is appropriate because, in its view,
firms with larger, more complex audit practices generally are subject
to quality risks for which in-process monitoring is an appropriate
quality response. The Board based the requirement on the size of a
firm's issuer audit practice rather than its broker-dealer audit
practice, as it believes the number of a firm's issuer clients is more
indicative of the firm's size and the complexity of its practice. And,
as noted above, firms are familiar with the threshold of more than 100
issuer audit reports. The majority of firms with 100 or fewer issuers
do not perform in-process engagement monitoring activities. Requiring
these firms to perform such monitoring activities could significantly
change current practice and is not justified by the circumstances of
every firm. However, due to the benefits of this proactive engagement
monitoring, the standard requires that firms that do not meet the 100-
issuer threshold should consider monitoring in-process engagements. The
Board believes that this approach strikes an appropriate balance
between prescriptiveness and scalability, and adopted the requirement
as proposed.
One individual commenter suggested that audit firms would find it
cost prohibitive to build in ``in process'' controls that would be akin
to doing an inspection of an audit in process, with the exception of
certain circumstances, but the PCAOB did not receive any specific
comments from firms expressing that concern. In addition, firms with
over 100 issuer clients typically have the resources to implement such
procedures, and based on PCAOB oversight activities, the majority of
them already monitor in-process engagements to some extent.\290\
---------------------------------------------------------------------------

\290\ In 2023, 11 of the 14 annually inspected firms performed
some in-process engagement monitoring activities.
---------------------------------------------------------------------------

In situations where the firm participates in another firm's
engagement but does not play a substantial role, paragraph .63c
provides that the firm should consider performing monitoring activities
on such work. Some commenters agreed with the requirement for firms to
consider performing monitoring activities on their work on other firms'
engagements. When deciding whether and when to do so, and what
monitoring activities to perform, firms would take into account the
factors identified in paragraph .64, such as the firm's monitoring and
external inspection history and the risks associated with the
performance of the work. In addition, if a substantial portion of the
firm's activities that are subject to the QC system relate to work
performed on other firms' engagements at less than a substantial role,
the firm would have to make that decision in light of the overall
objectives of the QC system.\291\
---------------------------------------------------------------------------

\291\ See QC 1000.05a.(2).
---------------------------------------------------------------------------

One commenter requested clarification as to whether the in-process
monitoring activities the Board has observed would be sufficient to
meet the requirement, or whether the Board expects such activities to
be expanded or enhanced. The standard does not specify any particular
monitoring activities, so the firm has discretion to select activities
based on the nature and circumstances of the firm and its engagements
and the scope and nature of its other monitoring activities. For
example, when determining which engagements to select for in-process
monitoring, a firm would leverage the factors presented in paragraph
.64 of the standard to identify engagements where there is a greater
risk of noncompliance with applicable professional or legal
requirements. Similarly, these factors will also assist a firm in
determining the riskier areas of such engagements upon which to perform
in-process engagement monitoring activities.
i. Designing Engagement Monitoring Activities, Including Selecting
Which Engagements To Monitor (QC 1000.64)
Similar to the proposal, the final standard requires a firm to take
into account certain factors when determining the nature, timing, and
extent of engagement monitoring activities, including which completed
or in-process engagements to select for monitoring. These factors
reflect aspects of a firm and its engagements that could create a
greater risk of noncompliance with applicable professional and legal
requirements. A firm will need to tailor its monitoring activities to
address the particular circumstances of the firm and select engagements
for monitoring based upon their specific risks.
The factors are:
Quality risks and the reason for their assessments, and
quality responses. For example, the complexity of or changes to
applicable professional and legal requirements and the firm's policies
and procedures may present a quality risk that the firm may not timely
communicate the required use of a practice aid for planning audit
procedures when certain fraud risk factors are present. In response to
this risk, the firm would design its

[[Page 49661]]

engagement monitoring activities to verify the engagement team's use of
the practice aid. The earlier these monitoring activities are
performed, the more proactive the firm could be in planning audit
procedures that address audit issues as they arise. Regarding the
proposed factor in paragraph .64b related to the ``design of the
quality responses,'' the final standard has removed the word ``design''
from the factor and made other edits to clarify that the firm should
also take into account the scope and operation of quality responses,
for example related to information about how those quality responses
operated in previous years.
The nature, timing, extent, and results of previous
monitoring activities. This includes insights learned from previous
engagements and QC system-level monitoring activities that are applied
when determining engagement monitoring activities to perform. For
example, in selecting engagements for monitoring, the firm would take
into account deficiencies identified in previous engagements for the
same client and other engagements where a similar deficiency may exist.
As another example, engagement deficiencies related to inventory
obsolescence testing identified by a firm through prior year engagement
monitoring activities may prompt a firm to monitor the testing of
inventory obsolescence on more engagements in the current year. One
commenter recommended a clarifying revision to paragraph .64c to change
the reference to ``inspections of in-process engagements'' to
``monitoring of in-process engagements.'' The commenter explained that
the characterization of in-process engagement monitoring as an
``inspection'' is not consistent with how in-process engagement
monitoring was described in the proposal, as the in-process monitoring
activities observed by the PCAOB do not include inspections of in-
process engagements. The Board agreed and included this revision in the
final standard.
Information obtained from oversight activities by
regulators, other external inspections or reviews, and, if applicable,
monitoring activities performed by a network. Information obtained from
network monitoring activities or external reviews provides a firm
direction as to, for example, the type of procedures to perform or when
to perform them. The results of network monitoring activities or
information obtained from external reviews could also identify issues
that may exist on other similar engagements of the firm, prompting a
decision to monitor some or all of these other engagements. For
example, if an engagement was recently inspected through network
monitoring activities or an external review, a firm may determine that
selecting the same engagement for internal inspection would be
unnecessary.
The proposal included a note that a firm cannot rely solely on
network monitoring activities or external inspections by regulators of
individual engagements without performing its own inspections of
completed engagements. One commenter, a firm, agreed with the proposed
requirements for firms to perform their own monitoring activities
rather than solely relying on the monitoring activities performed by
the network. Another firm disagreed and recommended that the standard
permit networks to perform monitoring activities on behalf of a member
firm, including in certain circumstances as the sole source of a firm's
QC engagement monitoring. This commenter stated that monitoring of
completed and in-process engagements by the network may provide member
firms in the network with more objective and experienced monitoring
resources, and that smaller member firms may not have the resources to
perform objective monitoring on completed and/or in-process engagements
without leveraging the network. Similar to what is described below as
it relates to a firm's QC system and the extent of monitoring
activities performed by a network, regardless of whether a network
performs engagement monitoring activities on a firm's engagements, the
firm is ultimately responsible for its QC system and for evaluating any
information it obtains from the network about any engagement monitoring
activities the network performs. The firm would take into account the
nature and extent of activities performed by a network in designing and
implementing its own activities but all firms are required to perform
some level of engagement monitoring. The final standard includes a
clarifying revision to this note that replaces ``inspections of
completed engagements'' with ``engagement monitoring activities.''
Characteristics of a particular engagement. Factors such
as the industry, the type of engagement (e.g., issuer audit, broker-
dealer audit, attestation), the location(s) or jurisdiction(s) in which
the client is located or the work is to be performed, whether it is a
new engagement for the firm, and the experience and competence of the
engagement team could affect conduct and outcomes of the engagement.
For example, if the engagement team members are all new to the
engagement, their lack of historical knowledge may present an
additional risk for that engagement and provide a basis for its
selection for monitoring.
Characteristics of particular engagement partners. Factors
such as the experience and competence of engagement partners, the
results of internal and external inspections of their work, and the
firm's cycle for inspecting their engagements could affect the quality
risks associated with an engagement, whether positively or negatively.
For example, an engagement partner's lack of experience in an industry
the company under audit recently entered may create additional risks to
complying with applicable professional and legal requirements.
Therefore, performing engagement monitoring activities on such
engagements may be appropriate.
Other information relevant to the quality risks. The
standard includes a non-exhaustive list of examples. For clarity, this
factor was rephrased in terms of ``quality risks'' rather than ``risks
of noncompliance with applicable professional and legal requirements.''
The standard also includes a footnote referencing footnote 26, which
explains that the firm is deemed ``aware'' of information when any
partner, shareholder, member, or other principal of the firm first
becomes aware of such information.
The requirement is both principles-based and risk-centered, rather
than prescriptive. It provides for scalability by including factors for
firms to take into account when determining the nature, timing, and
extent of engagement monitoring activities. In addition to the factors
included in the standard, a firm may identify other factors that are
also relevant based on the nature and circumstances of the firm and its
engagements.
d. QC System-Level Monitoring Activities (QC 1000.65)
Similar to the proposal, the final standard requires a firm to take
into account certain factors when determining the nature, timing, and
extent of QC system-level monitoring activities.
Due to their nature, some of the factors are consistent with the
factors a firm is required to take into account when determining the
nature, timing, and extent of engagement monitoring activities, such as
the quality responses, including their timing, frequency, scope and
operation. Regarding the proposed factor in paragraph .65b related to
the ``design of the quality responses,'' conforming to the change made
in paragraph .64b, the word ``design'' was

[[Page 49662]]

removed from the factor and made other edits to clarify that the firm
should also take into account the scope and operation of quality
responses, for example related to information about how those quality
responses operated in previous years. The specific features of a firm's
quality responses are also relevant for a firm to consider when
designing QC system-level monitoring activities. For example, a firm's
quality responses related to acceptance and continuance of engagements
might include a policy that firm personnel complete a checklist and
assemble information evaluated by the engagement partner before making
a recommendation to firm leadership on whether to continue with an
engagement for the upcoming year. Based on this quality response, a
firm might design QC system-level monitoring activities that include a
review of the checklist and documentation for a selection of
engagements.
Some other factors the standard requires firms to take into account
when determining the nature, timing, and extent of QC system-level
monitoring activities include:
The design of a firm's risk assessment and monitoring and
remediation processes. The design of these processes is relevant when
designing monitoring activities to evaluate if such processes are
implemented and operating effectively. For example, a firm may monitor
the cyclical basis determined by the firm for inspecting engagement
partners' completed engagements. A firm's monitoring activities in this
area could include whether the firm is complying with the established
period for selecting completed engagements as well as evaluating
whether changes to the period may be necessary based on the results of
other monitoring activities. The firm could also develop metrics for
its QC system and use them in its monitoring and remediation process.
Changes in the QC system. As a firm's QC system is
continuously evolving in response to changes in risks, the firm would
have to consider whether and how such changes necessitate changes to
the nature, timing, and extent of QC-system level monitoring
activities. For example, changes to a quality response would be an
indication that changes to the activities that monitor the design,
implementation, and operation of such response may be necessary. It
should be noted that, even in the absence of changes in the QC system,
for example in cases where the firm determines that there have been no
changes related to a particular quality response, the firm would still
need to consider whether previous monitoring activities related to that
quality response continue to provide the firm with a reasonable basis
to evaluate the QC system, including the appropriateness of the firm's
monitoring activities for the current period.
When applicable, services provided by other participants
in the firm's QC system. A firm may use other participants in its QC
system (for example, other participants may assist with engagement
quality reviews). The firm would take that into account when deciding
what QC system-level monitoring activities to undertake (for example,
assessing other participants' compliance with PCAOB standards regarding
engagement quality reviews).\292\
---------------------------------------------------------------------------

\292\ See generally, e.g., AS 1220.
---------------------------------------------------------------------------

A firm's monitoring activities are likely to vary over time as a
firm takes into account the factors included in the standard (see
paragraphs .64-.65). Since a firm's QC system is a continuous and
iterative process, such factors will generally lead a firm to perform
different monitoring activities or employ different monitoring
approaches over time.
Several commenters, including investor-related groups, suggested
that the standard should require that the monitoring and remediation
process, or more generally QC 1000, provide for use of quantitative
metrics. QC 1000 does not require firms to use quantifiable metrics in
their monitoring activities or suggest the use of any particular
metrics. The Board has recently proposed a new set of firm reporting
requirements that includes both firm-level and engagement-level
metrics, and the comments regarding metrics received in response to the
QC 1000 proposal are addressed in that proposing release.\293\
---------------------------------------------------------------------------

\293\ See PCAOB Rel. No. 2024-002 at 12-13.
---------------------------------------------------------------------------

Other than removing the word ``performance'' from the phrase
``performance metrics,'' to align with the terminology used in the
PCAOB's proposed metrics requirements, the Board adopted as proposed
paragraph .65c, which requires the firm to take into account any
metrics that the firm may use in its QC system when determining the
nature, timing, and extent of QC system-level monitoring activities.
This could include, but is not required to include, any metrics firms
would be required to report if the metrics proposal is ultimately
adopted by the Board and approved by the SEC, as well as any additional
metrics a firm may develop. Depending on their circumstances, firms may
find that developing metrics to monitor engagements and the QC system
would enhance their ability to identify deficiencies, measure whether
quality objectives have been met, and evaluate the effectiveness of
remediation activities.
e. Monitoring Activities Performed by a Network (QC 1000.66)
The Board adopted substantially as proposed the requirements that
apply when networks perform monitoring activities relating to a firm's
QC system or engagements. Networks employ a variety of different
approaches to monitoring firm QC systems. Some networks perform
monitoring activities either directly on the firm's QC system, such as
monitoring a firm's compliance with QC policies and procedures
established by the network and adopted by the firm, or on tools or
other resources developed or purchased by the network and used by the
firm, such as an independence tracking system. Other networks perform
no monitoring activities.
The nature and extent of a network's monitoring activities will
inform a firm's approach to monitoring. To illustrate, if a firm used a
network independence tracking system to identify matters that may bear
on the independence of firm personnel, and if the network monitored the
design and operation of the tracking system and provided the firm with
relevant information about those activities, the firm is required to
evaluate the monitoring activities performed by the network on the
tracking system. In performing its evaluation, the firm needs to
understand the scope of the network monitoring activities, such as
whether the firm's personnel were selected for monitoring procedures,
and if so, whether the population selected was sufficient to provide a
reasonable basis for detecting engagement and QC deficiencies. To the
extent provided, the firm is also required to evaluate the results of
the testing performed by the network, and if deficiencies were
identified, the remedial actions, if any, taken or proposed to be taken
by the network. Under this example, the firm would also determine its
responsibilities in assisting the network with any monitoring or
remediation activities related to the tracking system.
Regardless of any QC monitoring activities that a network may
perform on behalf of the firm, the firm is ultimately responsible for
its QC system. Therefore, under the standard, the firm is responsible
for evaluating any information it obtains from the network

[[Page 49663]]

about any QC monitoring activities the network performs. Some
commenters, all of which were firms, supported the proposed
requirements related to monitoring activities performed by a network.
A firm is required to adjust its monitoring activities as
necessary, based on the scope of the network's monitoring activities
and the information the firm receives (or does not receive) from the
network about those activities. One commenter expressed concern that
the proposal allows the firm to request certain categories of
information from a network but does not require that the information
actually be received. In situations where a firm does not receive
information requested from the network about the monitoring activities
the network performed, the firm would not be in a position to take such
activities into account in planning its own activities. To illustrate,
a network may provide information to a firm regarding the results of
member firms' internal engagement monitoring activities, which the firm
uses to evaluate the competence of other network firm personnel and
their ability to participate in the firm's engagements. If, due to a
change in a particular network firm's local privacy laws, the network
is unable to provide such information regarding that member firm, the
firm will need to evaluate that member firm's competence and ability
using a different approach.\294\ To illustrate another case, if a firm
requests but does not receive any information from the network
regarding QC monitoring activities related to independence that the
network performed on behalf of the firm, and the firm does not perform
any monitoring activities related to its QC system in that area, the
firm would have no basis for concluding that the quality objectives
related to independence were achieved.
---------------------------------------------------------------------------

\294\ Irrespective of how the evaluation is performed, the
engagement partner's responsibility for the engagement and its
performance would not change. See AS 1201.03.
---------------------------------------------------------------------------

f. Determining Whether Engagement Deficiencies Exist (QC 1000.67)
The requirements for determining whether engagement deficiencies
exist did not draw comment and were adopted with one modification,
described below.
As defined by the standard, an engagement deficiency is an instance
of noncompliance with applicable professional or legal requirements by
the firm, firm personnel, or other participants with respect to an
engagement of the firm, or by the firm or firm personnel with respect
to an engagement of another firm. Engagement deficiencies include:
Instances of noncompliance in which a firm did not
adequately support its opinion--because the firm did not perform
sufficient procedures, obtain sufficient appropriate evidence, or reach
appropriate conclusions with respect to relevant financial statement
assertions;
Instances in which the firm did not fulfill the objective
of its role in the engagement, such as not performing attestation
services in accordance with AT No. 2; and
Other instances of noncompliance with applicable
professional and legal requirements with respect to a firm's
engagement, which may include, for example, not satisfying applicable
independence requirements,\295\ not making required communications to
the audit committee,\296\ or not filing Form AP.\297\
---------------------------------------------------------------------------

\295\ See generally, e.g., 17 CFR 210.2-01; PCAOB rules under
Section 3. Auditing and Related Professional Practice Standards,
Part 5--Ethics and Independence.
\296\ See generally AS 1301.
\297\ See PCAOB Rule 3211, Auditor Reporting of Certain Audit
Participants.
---------------------------------------------------------------------------

The standard requires a firm to evaluate a variety of information
in making its determination about whether an engagement deficiency
exists, including internally developed information from monitoring
activities, information from external parties like regulators and peer
reviewers, and other relevant information of which the firm becomes
aware. Beyond the sources specified in the standard, a firm is not
expected to seek out other sources of information that may indicate an
engagement deficiency exists. However, if the firm becomes aware of
such information, the firm is expected to evaluate it. For purposes of
the standard, the firm is deemed ``aware'' of information when any
partner, shareholder, member, or other principal of the firm first
becomes aware of such information. The Board made a change to the
proposed note in paragraph .67e item (4) to clarify that complaints the
firm becomes aware of, that may indicate the existence of an engagement
deficiency, could be related to either a company or the firm. The
language was also broadened to clarify that complaints are not limited
to those submitted through a formal whistleblower program.
The standard does not specify how a firm would evaluate information
to determine whether an engagement deficiency exists. Rather, it
provides firms the ability to develop an approach for such evaluation.
A determination that an engagement deficiency exists due to the firm
not complying with a PCAOB reporting requirement may be relatively
simple to make. For example, evaluating whether the firm filed a Form
AP in accordance with PCAOB Rule 3211 would not require a significant
amount of effort. However, evaluating information indicating the firm
did not perform the necessary audit procedures for an issuer's revenue
transactions to determine whether an engagement deficiency exists could
be more complex, and therefore require a more in-depth analysis.
A firm's determination that an engagement deficiency exists may
pertain to an in-process engagement, a completed engagement, or work
performed on other firms' engagements.
If a firm obtains information about a potential deficiency in an
in-process engagement, whether from monitoring activities or other
sources, the firm is expected to evaluate the information to determine
whether an engagement deficiency exists before the engagement report is
issued. In that regard, it should be noted that identifying a problem
while an engagement is in process may enable the firm to rectify the
problem before an engagement deficiency could arise. Many professional
and legal requirements that apply to performing an engagement impose
ongoing responsibilities that are not completed until the engagement
itself is completed. In relation to such ongoing responsibilities, if a
problem is identified in an in-process engagement but resolved before
the engagement is completed, no engagement deficiency would arise. For
example, if an engagement team initially failed to obtain sufficient
appropriate audit evidence in its testing of revenue because it failed
to perform a necessary procedure, the engagement team could still
perform the procedure at a later time during the engagement; as long as
sufficient appropriate audit evidence was obtained prior to the
issuance of the report, there would be no engagement deficiency. QC
1000 does not have specific provisions to address remediation of this
type of problem because the auditor's responsibility is already
addressed by applicable professional and legal requirements. However,
even in instances where an engagement deficiency does not arise because
a problem was identified and corrected prior to issuance of an
engagement report, a firm would still need to consider whether the
existence of the problem constitutes a QC observation--an observation
about the design, implementation, or operation of

[[Page 49664]]

the firm's QC system that may indicate one or more QC deficiencies
exist--and, ultimately, a QC deficiency.
By contrast, some applicable professional and legal requirements
(such as those relating to preliminary engagement activities, including
engagement acceptance procedures, and certain required communications
to the audit committee) are required to be complied with prior to or at
the beginning of the engagement. With respect to those requirements, an
engagement deficiency would arise if the required time for performance
had passed and the required activities were not performed
appropriately, even if the engagement was still in process.
The standard requires determinations to be made on a timely basis.
For completed engagements, the timeliness of the determination depends
on the nature of the information subject to evaluation. For example, if
the information suggested other engagements may present a similar
issue, then it would be expected that determination would be made
sooner so that the risk of engagement deficiencies on other
engagements--whether in-process or completed--is mitigated.
The final standard was revised to clarify that the evaluation and
determination of whether engagement deficiencies exist must both be
done on a timely basis.
g. Responding to Engagement Deficiencies (QC 1000.68)
Under the final standard, when a firm determines an engagement
deficiency exists, the firm is required to take action to address the
deficiency. The action taken would depend on whether the engagement
deficiency related to an in-process engagement, a completed engagement,
or work performed by the firm on other firms' engagements. In some
instances, a firm may find it beneficial to perform a root cause
analysis to determine what action to take.
i. Engagement Deficiency Related to an In-Process Engagement
For an engagement deficiency related to an in-process engagement,
the proposed standard provided that the firm take action to address the
deficiency in accordance with applicable professional and legal
requirements. The nature of the engagement deficiency would determine
what a firm would need to do to address it and the timing of the
required action. For engagement deficiencies that could affect the
auditor's report, under the proposed standard, remedial action would be
required before the engagement report is issued, such that the
engagement report issued is appropriate in the circumstances. In other
instances, action would still be required to address the deficiency,
but the firm would have more flexibility regarding when such actions
are performed; action could be performed either before the report is
issued or afterwards (if afterwards, the provisions of paragraph .68b
would apply). The Board adopted substantially as proposed the
requirement for responding to an engagement deficiency on an in-process
engagement.
ii. Engagement Deficiency Related to a Completed Engagement
For an engagement deficiency related to a completed engagement, the
proposed standard included a requirement for firms to take action to
address the engagement deficiency in accordance with applicable
professional and legal requirements (discussed in more detail below in
connection with paragraph .70). However, under the proposed
requirement, no action would have been required if it was probable that
the engagement report was not being relied upon.\298\
---------------------------------------------------------------------------

\298\ The use of ``probable'' in the note to paragraph .68 is
consistent with how the term is used in FASB ASC, Contingencies
Topic, paragraph 450-20-25-1, which provides that an event is
``probable'' when it is likely to occur.
---------------------------------------------------------------------------

The proposed standard included a note that stated the firm must
treat an auditor's report as being relied upon if the auditor's report
is included in the most recent SEC filing on a form that requires its
inclusion. Because this note also appeared in the proposed amendments
to AS 2901 in paragraph .01, refer to the detailed discussion below for
commenter feedback and the Board's responses. The note to paragraph
.68b. was revised to provide that, in the absence of circumstances
indicating that reliance is impossible or unreasonable (e.g., cessation
of a trading market for issuer securities), inclusion of an engagement
report in the most recent filing on an SEC form that requires inclusion
of such an engagement report generally evidences that the report is
being relied upon. The Board believes this is responsive to commenter
concerns and allows for sufficient flexibility for such circumstances.
The note was also revised to clarify that an engagement report can be
included in an SEC filing either directly or through incorporation by
reference.
iii. Engagement Deficiency Related to Work Performed on Other Firms'
Engagements
For an engagement deficiency related to work performed on other
firms' engagements, the standard requires a firm to communicate to the
other firm the engagement deficiency. The communication needs to be
sufficient to enable the other firm to develop a response commensurate
with the extent of noncompliance. These engagement deficiencies, while
there may or may not be additional remedial actions for the firm to
take related to the particular work performed, should be included in
the population of QC observations to be evaluated to determine whether
QC deficiencies exist. The Board did not receive comment on this aspect
of the proposal and adopted it as proposed.
iv. Evaluating Whether Similar Engagement Deficiencies Exist
The proposed standard also required a firm to evaluate whether
similar engagement deficiencies exist in other in-process engagements,
completed engagements (unless it is probable that the engagement report
is not being relied upon), and work performed on other firms'
engagements, and if so, to take actions as required by paragraphs
.68a.-c. for in-process engagements, completed engagements, and any
other work performed by the firm on other firms' engagements at less
than a substantial role. Understanding the nature of the engagement
deficiency will assist the firm in determining the extent of the
necessary evaluation. To illustrate, if the engagement deficiency was
caused by an error in the firm's methodology for auditing a company's
loan valuation allowance, then the firm would evaluate whether similar
engagement deficiencies exist on engagements that were also using that
methodology. As another example, if engagement team members did not
comply with PCAOB standards when auditing accounts receivable because
they failed to perform certain procedures in the firm's audit program,
the firm would evaluate whether the person(s) who were responsible for
performing the procedures and the person(s) supervising the work
participated in any other audit engagement's accounts receivable
testing, and if so, whether similar engagement deficiencies exist.
One commenter requested that the Board provide additional examples
of engagement deficiencies, as the concept of applicability to other
in-process engagements could be subject to different interpretations.
The Board will

[[Page 49665]]

consider whether application guidance in this area would be
appropriate.
Another commenter stated that the expectation of what ``evaluate,''
as used in this context, may require is not clear and suggested that
the evaluation be limited to certain engagements based on a risk-based
assessment, taking into consideration the root cause of the identified
engagement deficiency. As noted above, understanding the nature of the
engagement deficiency would assist the firm in determining the extent
of the actions to take in order to evaluate whether similar engagement
deficiencies exist on other engagements.
The Board adopted this aspect of the standard as proposed.
BILLING CODE 8011-01-P
[GRAPHIC] [TIFF OMITTED] TN11JN24.007

[[Page 49666]]

BILLING CODE 8011-01-C
v. Addressing Engagement Deficiencies (QC 1000.69-70)
Paragraph .69 of the standard requires firms to respond to
engagement deficiencies by taking into account the nature and severity
of the engagement deficiency. In other words, the response should be
targeted based on the nature of the problem and proportionate to the
severity of the problem.
Understanding the nature and severity of an engagement deficiency
could assist firms in:
Developing an appropriate response to the engagement
deficiency;
Determining whether an engagement deficiency could relate
to other engagements; and
Assessing whether the engagement deficiency, which
represents a QC observation, is also a QC deficiency.
The actions taken by the firm to respond to engagement deficiencies
may include preventive or corrective actions (or a combination of these
actions):
Corrective actions are actions taken to rectify an
identified deficiency in a current or completed engagement (for
example, performing a procedure that had been omitted, designing and
performing additional or alternative procedures if audit evidence is
insufficient, or filing a required report).
Preventive actions are actions taken to prevent the
occurrence of a deficiency in future engagements (for example,
training, developing audit tools, or enhancing audit methodology).
The proposed note to this requirement also appeared in the proposed
amendments to AS 2901.04 and a detailed discussion of commenter
feedback and the Board's views appears below. As adopted, the note in
paragraph .69 includes clarifying changes. The requirement was
otherwise adopted as proposed.
The proposed requirement in paragraph .70 did not draw comment and
the Board adopted it as proposed. Firms should comply, as applicable,
with other standards related to engagement deficiencies on completed
engagements.
AS 2901 addresses auditor responsibilities with respect to
engagement deficiencies on completed audit engagements. AS 2201.99
directs the auditor to comply with AS 2901 as it relates to audits of
internal control over financial reporting.
AS 2905 deals with auditor responsibilities when,
subsequent to the date of a report on audited financial statements, the
auditor becomes aware of facts that might have affected the report had
he or she then been aware of such facts before issuing the report. AS
2201.98 is a similar provision relating to auditor's reports on
internal control over financial reporting.
AT No. 1 and AT No. 2 incorporate responsibilities similar
to those required under AS 2901 for attestation engagements relating to
certain broker-dealer reports.
The amendments to AS 2901 are discussed below.
h. Determining Whether QC Observations Exist (QC 1000.71)
The proposed standard would have required firms to determine the
existence of ``QC findings,'' defined as ``[a] finding about the
design, implementation, or operation of the firm's QC system that may
indicate one or more QC deficiencies exist. Engagement deficiencies are
QC findings.''
Commenter feedback on this defined term was in most instances
directly related to the last sentence in the defined term, urging that
engagement deficiencies should not automatically be considered QC
findings. The Board was concerned that commenters may have
misinterpreted ``QC findings'' as akin to ``QC deficiencies,'' whereas
the intention is only to designate matters that have to be evaluated as
potential QC deficiencies. To alleviate the potential confusion, the
defined term was changed to ``QC observation'' and the definition
reworded. The definition of a QC observation in the final standard is
``(1) An engagement deficiency; or (2) Any other observation about the
design, implementation, or operation of the firm's QC system that may
indicate one or more QC deficiencies exist.'' \299\
---------------------------------------------------------------------------

\299\ QC deficiencies are defined and discussed in the next
subsection. See below.
---------------------------------------------------------------------------

Under the definition, any information that may indicate a problem
with the design, implementation, or operation of the firm's QC system
would be a QC observation. Because a QC system provides reasonable
assurance that engagements are conducted in accordance with applicable
professional and legal requirements, all engagement deficiencies would
be QC observations. Examples of other QC observations include an error
in the design or operation of a technology tool or methodology, or
information suggesting that a firm may not have achieved a quality
objective.
The determination of QC observations involves collecting
observations and related evidence that may indicate a QC deficiency
exists, including information from monitoring activities, information
from external parties like regulators and peer reviewers, and other
relevant information of which the firm becomes aware.
Under the standard, the results of all monitoring activities
performed by the firm, and if applicable, those performed by a network
relating to the firm's QC system or its engagements, are required to be
analyzed by the firm to determine if there are QC observations. It is
possible that a firm's engagement monitoring activities could identify
not only engagement deficiencies, but also QC observations that are not
engagement deficiencies. For example, if, as part of the firm's quality
response related to technological resources, the firm's technology
leader must review and approve all software audit tools used on
engagements, and if a firm's engagement monitoring activities reveal
that an engagement team did not receive the appropriate authorization
to use a specific tool, that observation would be a QC observation,
regardless of whether the use of the tool also gave rise to an
engagement deficiency.
Oversight activities by regulators and external inspections or
reviews include activities of the PCAOB and other regulators. As a firm
typically has one QC system for its entire audit practice, the results
of the inspections, reviews, and other oversight activities performed
by these external parties would likely be relevant to a firm's
determination of whether QC observations exist.
Other relevant information of which the firm becomes aware would
comprise information obtained from within and outside the firm. A firm
would not be expected to seek out such other sources of information;
however, if other relevant information came to the firm's attention, a
firm is expected to determine whether it is a QC observation. For
example, the firm may become aware of an issue with a formula in a
practice aid used to assist engagement teams in auditing stock-based
compensation if a member of an engagement team communicates that issue
to firm personnel supporting the firm's QC system.
The final standard has been revised to clarify that the evaluation
and determination must both be done on a timely basis.
i. Determining Whether QC Deficiencies Exist (QC 1000.72)
The standard requires firms to determine whether QC deficiencies
exist, and (except for the change in terminology to ``QC observation'')
was adopted as proposed.

[[Page 49667]]

i. Definition of QC Deficiency
In response to commenter input, the Board made changes to the
definition of the term ``QC deficiency.'' As proposed, the definition
provided in part that a QC deficiency was a QC finding that results in
``a reduced likelihood of the firm achieving the reasonable assurance
objective or one or more quality objectives,'' and included a note
providing examples of circumstances where that likelihood could be
reduced. Two commenters questioned the operability of that aspect of
the proposed definition of QC deficiency, in particular its linkage to
the definition of an internal control deficiency under COSO in its
integrated framework through the phrase ``reduced likelihood.'' Two
commenters suggested that the definition of QC deficiency should
incorporate the concept of ``a significantly reduced likelihood.''
Another commenter requested guidance relative to the application of the
``reduced likelihood'' model. Other commenters suggested that the
definition should be more closely aligned with that of other standard
setters, for example ISQM 1, by incorporating the concept of an
``acceptably low level.''
Taking into account commenter feedback, the standard defines a QC
deficiency as a QC observation that, based on the evaluation under
paragraph .72, individually, or in combination with one or more other
QC observations, evidences:
That the likelihood of the firm not achieving the
reasonable assurance objective or one or more quality objectives has
not been reduced to an acceptably low level;
Note: The likelihood of not achieving the reasonable assurance
objective or one or more quality objectives would be above an
acceptably low level if, for example, a quality objective is not
established, a quality risk is not properly identified or assessed, or
a quality response is not properly designed or implemented or is not
operating effectively.
Noncompliance with requirements of this standard, other
than those under ``Documentation''; or
Noncompliance with requirements of this standard under
``Documentation'' that adversely affects the firm's ability to comply
with any of the other requirements of this standard.
The first subparagraph of the definition of QC deficiency
incorporates an existing concept of ``acceptably low level'' that is
currently used in PCAOB auditing standards \300\ so this concept should
be familiar to firms. In addition, it aligns more closely with similar
definitions of other standard setters, for example the definition of
``deficiency'' in ISQM 1. The Board made conforming changes to the note
that follows subparagraph (1) of the definition.
---------------------------------------------------------------------------

\300\ See, e.g., AS 2315, Audit Sampling.
---------------------------------------------------------------------------

Similar to the proposal, the definition of QC deficiency in the
final standard also includes noncompliance with the requirements of the
proposed standard other than documentation requirements, such as the
requirements related to roles and responsibilities, the firm's risk
assessment process, the monitoring and remediation process, and the
evaluation of the QC system. Two commenters expressed concern with this
requirement, stating that there may be instances where the firm may not
comply with a requirement in the standard but the quality objectives
and specified quality responses were met, and a firm should be able to
apply judgment to determine whether a QC deficiency exists under those
circumstances. The Board continues to believe that compliance with the
requirements of QC 1000 is a baseline element of any firm's QC system,
such that failure to comply is always a QC deficiency, and adopted this
aspect of the QC definition as proposed.
The definition also includes noncompliance with the documentation
requirements of QC 1000, to the extent that such noncompliance
adversely affects the firm's ability to comply with any of the other
requirements of the proposed standard, while excluding other
documentation issues. For example, a firm's failure to document some
details of its monitoring activities, in a context where the firm
otherwise sufficiently documents the evaluation of the results from its
monitoring activities, would not meet the definition of a QC
deficiency. The Board received no comment on this aspect of the
definition of QC deficiency and adopted it as proposed.
Under the final standard, the determination of whether something
identified as a QC observation meets the definition of a QC deficiency
would be based on the nature, severity, and pervasiveness of the
underlying matter; the likelihood that it could affect other
component(s) of the QC system or other engagements; and the severity of
such an effect if it were to occur. In the case of engagement
deficiencies, this evaluation would take account of the basis for the
firm's determination of the actions required under paragraph .68 of QC
1000, including any root cause analysis performed. These considerations
are discussed, in turn, in the following subsections.
The final standard has been revised to clarify that the evaluation
and determination must both be done on a timely basis.
ii. Nature, Severity, and Pervasiveness of the Matter That Gave Rise to
the QC Observation
The nature, severity, and pervasiveness of the matter that gave
rise to the QC observation should be taken into account when
determining whether a QC deficiency exists. For a QC observation that
is also an engagement deficiency, the results of the firm's evaluation
of whether a similar engagement deficiency exists on other in-process
and completed engagements would provide useful information to the firm
when determining whether a QC deficiency exists.
The standard explains that the nature, severity, and pervasiveness
of the matter that gave rise to the QC observation includes:
The component(s) of the QC system, quality objective(s),
or quality risk(s) to which the QC observation relates. Depending on
the quality risks that a firm identifies, some components may play a
greater role in its QC system than others. For example, for a small
firm that audits one issuer and has no intention to expand its issuer
audit practice, the engagement performance component would have a
greater role than acceptance and continuance of engagements because the
quality risks associated with the new engagement would be mitigated by
the firm's policy of not taking on new issuer audit engagements. Based
on the firm's risk assessment, certain quality risks may pose a greater
threat to the firm's QC system than others. In addition, some QC
observations may relate to a single component of the QC system or a
single quality objective, while others may relate to multiple
components of the QC system or multiple quality objectives. For
example, an engagement deficiency may relate to the resource component
(e.g., competence and training of firm personnel, firm methodology),
the information and communication component (e.g., failure to
communicate changes to the methodology), or the engagement performance
component (e.g., failure to consult when required), or all three of
those components.
Whether the QC observation is in the design,
implementation, or operation of the QC system. For example, a matter
that gave rise to a QC observation in the design of a process has a
greater likelihood of being pervasive to a firm's practice than a

[[Page 49668]]

process that did not operate as designed on one occasion.
The frequency with which the QC observation occurred.
Frequency relates to the number of times the matter that gave rise to
the QC observation occurred--for example, on engagements within a
particular industry sector or practice group, a particular office, or
firmwide. It might also relate to the number of times the observation
was identified, the number of firm personnel involved, or the number of
quality objectives affected. When related to the execution of a firm's
quality response, it would also include relative frequency of QC
observations compared to the number of times the procedure was executed
properly.
The duration of time that the QC observation existed. Duration
addresses how long the matter that gave rise to the QC observation
existed. In order to understand duration, a firm would need to
understand whether there were other instances prior to those initially
identified by the firm as QC observations.
iii. Likelihood That the Matter That Gave Rise to the QC Observation
Could Affect Other Component(s) of the QC System or Other Engagements,
and the Severity of Such an Effect
Whether a QC observation is a QC deficiency would also depend on
the likelihood that the matter that gave rise to the QC observation
could affect other QC system components or other engagements.
Other engagements include in-process engagements, completed
engagements, engagements to be performed in the future, as well as work
performed on other firms' engagements. A firm may design and implement
mitigating actions to address an engagement deficiency when such a
deficiency comes to the firm's attention. When considering the
likelihood that future engagements could be affected (for purposes of
determining whether a QC deficiency exists), a firm would not take into
account any mitigating actions, even if they have been implemented.
This is because the determination of whether a QC deficiency exists
must be made based on the nature, severity, and pervasiveness of the
matter that gave rise to the QC observation, viewed on its own. That
shows the extent to which the QC system failed in allowing the
underlying matter to occur. Whether the firm was subsequently able to
partially or fully remediate the QC deficiency does not eliminate the
fact that the failure occurred.
In addition to the likelihood of a matter's recurrence, the
standard also requires a firm to evaluate the matter's severity if it
were to affect other component(s) or engagements.
One commenter suggested that the standard address the concept of
compensating responses as a factor when considering QC findings in
proposed paragraph .72. In considering whether a QC observation is a QC
deficiency (on the basis that the likelihood of the firm not achieving
the reasonable assurance objective or one or more quality objectives
has not been reduced to an acceptably low level) the firm could
consider compensating responses that address the same quality risk.
Additional discussion in response to this commenter's feedback appears
below in the context of discussion of remedial actions.
BILLING CODE 8011-01-P

[[Page 49669]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.008

BILLING CODE 8011-01-C
j. Responding to QC Deficiencies
i. Root Cause Analysis (QC 1000.73-.74)
The requirement to perform root cause analysis on all identified QC
deficiencies did not draw comment and was adopted as proposed.
Root cause analysis is a widely used concept in QC frameworks.\301\
Identifying and understanding the underlying causes of a problem
supports developing solutions that address those causes, rather than
just the symptoms. Proper determination of the causal factors that led
to QC deficiencies is essential to developing effective remedial
actions. For example, a policy or procedure could be inappropriately
designed or implemented or a person may not have complied with a policy
or executed a procedure as it was intended. As another example, an
audit tool may not have operated as intended. Root cause analysis looks
for different types of causes through investigating the patterns of
negative effects, finding hidden flaws in the QC system, and
discovering specific actions that contributed to the problem.
Improvements in audit quality have generally been observed through
PCAOB oversight activities where a firm has established an effective
root cause analysis program.\302\ Many different types of causes may
contribute to a problem.
---------------------------------------------------------------------------

\301\ See Spotlight: Root Cause Analysis--An Effective Practice
to Drive Audit Quality (April 2024) available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/root-casue-spotlight.pdf?sfvrsn=55f82206 2.
\302\ See 2018 Inspection Observations Preview.

---------------------------------------------------------------------------

[[Page 49670]]

A firm might find it helpful when performing root cause analysis to
leverage information obtained from its evaluation of whether a QC
deficiency exists. That is, information about the nature, severity, or
pervasiveness of the matter that gave rise to the QC observation and
the likelihood that the matter that gave rise to the QC observation
could affect other components of the QC system or other engagements may
provide evidence of what caused the problem to occur.
Root cause analysis procedures could take different forms depending
on the circumstances, which allows for scalability. Some key elements
that the PCAOB has observed that may lead to more robust and
comprehensive root cause analysis include: \303\
---------------------------------------------------------------------------

\303\ See June 2014 SAG Briefing Paper at 2.
---------------------------------------------------------------------------

Monitoring audit deficiencies identified and performing
root cause analysis on a continual basis. This allows firms to obtain
information that allows them to react more timely and implement
remedial actions to reduce recurring deficiencies in other audits.\304\
---------------------------------------------------------------------------

\304\ See Staff Inspection Brief, Vol. 2017/4: Preview of
Observations from 2016 Inspections of Auditors of Issuers (Nov.
2017), at 16, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/inspections/documents/inspection-brief-2017-4-issuer-results.pdf?sfvrsn=c216d8a7_0.
---------------------------------------------------------------------------

Process mapping at the engagement level and the firm level
of the underlying work flows of how a firm conducts its practice. A
well-defined process makes it easier to analyze negative events to
determine what went wrong.
Consideration of both positive and negative quality events
(i.e., actions, behaviors, or conditions that resulted in positive or
negative outcomes) to identify whether such actions, behaviors, or
conditions were present on engagements where QC deficiencies were
identified.
Measuring, in real time, the effectiveness of remedial
actions and audit quality improvement plans or initiatives to identify
whether remedial efforts are effective.
The standard does not require firms to perform root cause analysis
on QC observations that are not QC deficiencies.
Paragraph .74 of the standard requires that the nature, timing, and
extent of the root cause analysis be commensurate with the nature,
severity, and pervasiveness of the QC deficiency. This provision did
not draw comment and was adopted as proposed.
A QC deficiency that could affect multiple engagements may require
more urgent root cause analysis, depending on the circumstances. To
illustrate, a QC deficiency related to a firm's approach to testing
business combinations would be more urgent if a firm's clients
regularly enter into such transactions. Taking into account the nature,
severity, and pervasiveness of the QC deficiency, root cause analysis
may be performed at different points in time or, depending on the size
and nature of the firm, operate as more of a continual process. At
times, it might be effective to combine similar QC deficiencies and
perform root cause analysis on them collectively rather than on an
individual basis.
In some instances, the causal factors may be relatively apparent
and therefore require less analysis than in a situation where the cause
of the deficiency is complex and requires significant investigation and
analysis. As previously mentioned, there may be multiple causes
contributing to a QC deficiency. Generally, the more thorough the
analysis, the more likely the causal factors will be identified and the
greater the likelihood that a firm could design and implement
remediation efforts that will be effective in preventing similar QC
deficiencies from occurring again.
It is important for firms to have well-defined processes in order
to perform sufficient root cause analysis. The better delineated the
underlying processes, the less work that may be necessary to determine
why the QC deficiency occurred.
ii. Remedial Actions (QC 1000.75)
The requirement to design and implement timely remedial action for
QC deficiencies did not attract comment and was adopted as proposed.
The timing of a firm's efforts to design and implement remedial
actions depends on the results of the firm's root cause analysis and
the nature, severity, and pervasiveness of the QC deficiency. The Board
expects a firm to respond in a manner that would mitigate the
occurrence of additional QC deficiencies related to similar underlying
causes.
In some circumstances, due to the extent of remedial actions
necessary to address the QC deficiency, a firm might design and
implement temporary remedial actions until permanent actions can be
designed and implemented. For example, a firm could design and
implement supplemental audit practice aids to address QC deficiencies
until the firm is able to revise its comprehensive audit methodology.
In some situations, a complex QC deficiency may result in the firm
developing a multi-step plan with milestones necessary to be achieved
as the firm designs and implements its remedial actions.
In other situations, the extent of remedial actions the firm needs
to take to address a particular QC deficiency may be reduced by other
compensating responses that the firm has in place. If the remedial
actions, including any relevant compensating responses, have been
tested and found effective in addressing the issue, the firm might
determine, based on the facts and circumstances, that no further
remedial action is necessary.
The process of identifying QC observations, determining QC
deficiencies, performing root cause analysis, and designing and
implementing remedial actions is iterative. For example, a firm may
learn information from performing root cause analysis that may identify
issues that would have been relevant when evaluating a different QC
observation had such information been known at the time. If this were
to occur, a firm would further evaluate the other QC observation to
determine if a QC deficiency exists based on this new information. As
another example, the work entailed in a root cause analysis could
potentially help a firm identify other quality objectives that are not
being met. To illustrate, the firm's root cause analysis may show that
a lack of training caused deficiencies in a complex audit or accounting
area that is common to the firm's engagements, and may also lead to the
identification of other problems in the same area, such as inadequate
audit methodology or a missed consultation due to the lack of a well-
understood, robust consultation process.
PCAOB oversight activities have identified that some firms evaluate
positive quality events associated with engagements where no engagement
deficiencies were identified. For example, certain procedures,
techniques, or voluntary practice aids may have contributed to an
engagement performed in accordance with applicable professional and
legal requirements. These firms use the information obtained from such
evaluations to assess the actions of individuals on engagements with
deficiencies, ultimately highlighting potential actions to prevent
future engagement deficiencies. The Board believes that evaluating
positive outcomes could contribute to the success of the firm's root
cause analysis and remediation efforts. Therefore, the standard
includes a note highlighting that it may be beneficial for firms to
consider actions, behaviors, or conditions that resulted in positive

[[Page 49671]]

outcomes, such as where aspects of the firm's QC system operated
effectively or where no engagement deficiencies were identified for
individual engagements.
In some circumstances, a firm may determine the root cause of a QC
deficiency is related to the use of a resource or service provided by a
third-party provider. If this were to occur, under the standard, the
firm is responsible for addressing the effect of the deficiency on its
QC system. This could include, among other things, working with the
third-party provider to design and implement remedial actions or
deciding to end the relationship with the third-party provider and, as
part of the firm's remedial actions, revising its policies and
procedures in the area affected. Irrespective of the approach taken and
the extent of participation by third parties, the firm remains
responsible for its QC system.
If a firm belongs to a network and uses network resources or
services to enable the operation of the firm's QC system or the
performance of its engagements, a root cause of a QC deficiency could
be related to the network resource or service. Similar to a firm's use
of resources or services provided by a third-party provider, a firm is
responsible for addressing the effect of the deficiency on its QC
system regardless of whether the remedial actions taken by the firm are
coordinated with the network or designed and implemented exclusively by
the firm. Further, the firm remains responsible for determining whether
the actions taken by the network sufficiently remediate the QC
deficiency.
Under the standard, firms are able to design their approach to
conducting root cause analysis and developing remedial actions. Firms'
approaches will vary based on the nature and circumstances of the firm
and its engagements. In addition, approaches will likely change as new
technologies become available and other techniques develop.
k. Monitoring the Implementation and Operating Effectiveness of
Remedial Actions (QC 1000.76)
The requirement to monitor the implementation and operating
effectiveness of remedial action for QC deficiencies did not attract
comment and was adopted as proposed.
Under the final standard, a firm monitors the effectiveness of its
remedial actions through engagement monitoring activities and/or QC
system-level monitoring activities, depending on the nature of the QC
deficiency. If a firm determines the remedial actions were not properly
implemented or operating effectively, the firm would be required to
take timely actions until the monitoring activities indicate the QC
deficiency was remediated. Timely actions could include, among others,
one or more of the following:
Adjusting the implemented remedial actions;
Designing and implementing additional remedial actions; or
Performing additional root cause analysis to determine if
other causes exist and, if so, designing and implementing remedial
actions to address such causes.
Once additional actions are taken, a firm is required to perform
monitoring activities on such changes to determine whether the QC
deficiency was remediated.
BILLING CODE 8011-01-P

[[Page 49672]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.009

BILLING CODE 8011-01-C
2. Current PCAOB Standards
Current PCAOB QC standards require firms to establish policies and
procedures to provide the firm with reasonable assurance that the
policies and procedures relating to each of the other QC elements are
suitably designed and are being effectively applied.\305\ The standards
also address how a firm implements the monitoring element of a QC
system in its accounting and auditing practice.\306\ The standards
discuss various monitoring procedures that a firm may perform, such as
reviewing engagements before or after the engagement reports are
issued, reviewing selected administrative and personnel records
pertaining to the QC elements, considering systemic causes of findings
that indicate improvements are needed, determining corrective actions,
and following up to ensure that any necessary modifications are made to
the firm's QC policies and procedures on a timely basis.\307\ Although
current PCAOB QC standards provide that monitoring procedures taken as
a whole should enable firms to obtain reasonable assurance that their
QC systems are effective,\308\ there are no express obligations for
firms to perform any specific types of monitoring.
---------------------------------------------------------------------------

\305\ See QC 20.20.
\306\ See generally QC 30.
\307\ See QC 30.03; QC 30.06.
\308\ See QC 30.03.
---------------------------------------------------------------------------

Evaluation of and Reporting on the QC System

1. QC 1000
a. Annual Evaluation of the Effectiveness of the QC System (QC 1000.77)
A firm's evaluation of the results of its monitoring and
remediation process helps the firm identify the areas within the QC
system that are designed, implemented, and operating effectively, as
well as areas that require attention. This perspective will assist firm
leadership in allocating resources to address QC deficiencies and
provide them with a basis for communicating to others--within or
outside the firm--the status of the firm's QC system.
Current PCAOB QC standards do not require such an evaluation. The
Board

[[Page 49673]]

understands that some firms already evaluate their QC systems, either
voluntarily or in response to other requirements.\309\ However, not all
firms evaluate their QC systems, and those that do may not apply the
same degree of rigor.
---------------------------------------------------------------------------

\309\ See, e.g., NYSE Listed Company Manual, Section
303A.07(b)(iii)(A); Section 2(d) of Article 13, Regulation (EU) 537/
2014.
---------------------------------------------------------------------------

i. Evaluation Requirement
The proposed standard included a requirement for the firm to
evaluate annually whether its QC system is effective, is effective
except for one or more unremediated QC deficiencies that are not major
QC deficiencies, or is not effective (i.e., one or more major QC
deficiencies exists). Pursuant to proposed paragraph .07c, firms that
were not required to implement and operate a QC system at any time
within the previous 12 months would not be subject to the requirement
to evaluate and report on their QC system.
Some commenters expressed support for the proposed annual
evaluation requirement. However, several commenters suggested that the
Board conform the terminology to ISQM 1, such that the conclusions
reached in evaluating the QC system would be the same under both
standards. Some commenters expressed concern about the potential for
stakeholder confusion because the criteria and terminology used in QC
1000 differ from ISQM 1. One commenter expressed concern that the more
stringent criteria of QC 1000 would create a competitive disadvantage.
One commenter recommended that the Board eliminate the middle
category (effective except for one or more unremediated QC deficiencies
that are not major QC deficiencies), so that a firm's QC system would
be evaluated as either effective or not effective based on whether any
unremediated major QC deficiencies exist as of the evaluation date,
such that the reasonable assurance objective has not been achieved. The
commenter analogized to ICFR reporting, where management is only
required to report material weaknesses.
The Board adopted the evaluation requirements as proposed. The
Board does not believe there is any likelihood of confusion among
external stakeholders arising from differences in evaluation criteria
between QC 1000 and ISQM 1 because, under the final PCAOB standard, the
conclusion reached about the effectiveness of a firm's QC system is not
required to be made public. The same is true under ISQM 1. Therefore,
if a firm were to evaluate its QC system under both standards and reach
different conclusions, market participants would be unaware of that
fact unless the firm chose to make the results of its evaluation public
(in which case, it could also choose to provide an explanation of the
difference). Additionally, while ISQM 1 requires communication to those
charged with governance about how the system of quality management
supports the consistent performance of quality audit engagements, QC
1000 does not require any such communication to the audit
committee.\310\ Firms would of course be free to discuss the evaluation
of their QC system with the audit committee, potentially as part of the
report required under listing standards that may apply to the
issuer.\311\ The Board believes most audit committee members are
already well acquainted with reviewing information prepared under
different frameworks, e.g., financial statements prepared under U.S.
GAAP and under IFRS, and could readily understand that the more
stringent criteria under QC 1000 could lead to a different conclusion
about the effectiveness of the QC system.
---------------------------------------------------------------------------

\310\ See Reporting to the audit committee, discussed below.
\311\ See NYSE Listed Company Manual, Section
303A.07(b)(iii)(A).
---------------------------------------------------------------------------

Similarly, the Board believes that firms that are required to
perform multiple QC system evaluations will be able to train their
personnel and acquire other resources as necessary to avoid confusion
among internal stakeholders and perform the evaluation under QC 1000
appropriately. A firm will be subject to both QC 1000 and other QC
standards only if it is performing audits under multiple sets of
auditing standards. Just as such firms manage the differences in audit
requirements and methodology associated with different auditing
standards, the Board believes they will be capable of managing
differences in the QC system requirements under QC 1000 and other QC
standards, including differences in the criteria and terminology used
in evaluating the QC system.
The Board also believes that requiring three categories for the QC
system evaluation, as proposed--effective, effective except for one or
more unremediated QC deficiencies that are not major QC deficiencies,
and ineffective--will result in a more rigorous QC system evaluation, a
greater incentive for firms to address QC deficiencies promptly, and
more detailed and informative reporting to the PCAOB. Given that
reporting is only to the PCAOB, the Board does not believe an analogy
to management's public reporting regarding ICFR, where only material
weaknesses are required to be reported, is appropriate.
Firms will be required to perform an evaluation of their QC system
annually. The firm's evaluation is based on data and evidence provided
by the firm's monitoring and remediation activities. An annual
evaluation will provide leadership with timely information to
facilitate an effective feedback loop.\312\ This approach highlights
the importance of the QC system in driving continuous improvement in
firms' ability to perform compliant engagements on a consistent basis.
The evaluation requirement will drive firms to collect and analyze the
results of their monitoring and remediation processes in order to
identify deficiencies and will provide an additional incentive for
firms to focus on areas requiring the most immediate attention and
improvement.
---------------------------------------------------------------------------

\312\ Firms could decide to evaluate the QC system more
frequently than required under the standard. For example, a firm
with one or more major QC deficiencies may decide to perform a mid-
year evaluation to gauge the effectiveness of its remedial actions.
---------------------------------------------------------------------------

The evaluation requirement also reinforces the responsibility and
accountability of leadership for the firm's QC system.\313\ As
discussed above, the individual charged with ultimate responsibility
and accountability for the QC system as a whole will be accountable for
the annual evaluation, and both that individual and the individual
charged with operational responsibility and accountability for the QC
system as a whole will be required to certify the firm's annual report
regarding the evaluation of its QC system.\314\ The Board believes this
will send a clear message about the importance of the evaluation and
incentivize firm leadership to take ownership of both the annual
evaluation of the QC system and the results.
---------------------------------------------------------------------------

\313\ See QC 1000.13-.17.
\314\ See QC 1000.14c.-d. and .15b.
---------------------------------------------------------------------------

While the Board adopted as proposed a requirement for annual
evaluation of the QC system, it made some changes in response to
commenter input, as described below.
ii. Evaluation Frequency and Date
The proposed standard would have required the firm to evaluate its
QC system annually as of November 30 and conclude on whether any
unremediated QC deficiencies (including major QC deficiencies) exist as
of that date.

[[Page 49674]]

One commenter, an investor-related group, supported the proposed
November 30 evaluation date and opposed allowing firms to set their own
reporting date.
Many commenters, generally firms and firm-related groups, suggested
that firms should be permitted to choose their own evaluation date,
primarily because it would enable them to choose a date based on their
own operating and business cycle or inspection cycle. These commenters
also noted other considerations, such as alignment with the firm's
fiscal year end or the date already chosen for the evaluation required
under ISQM 1. Several commenters suggested that firms should be able to
choose a date that would allow them sufficient time to perform root
cause analysis, remediate identified issues, and test the effectiveness
of their remediation efforts. One commenter noted that firms could
choose a date with a view to enabling real-time conversations with
audit committees. Another commenter suggested that additional
flexibility on the evaluation date would enhance the scalability of the
standard. Some commenters stated that requiring a specific evaluation
date could lead firms to perform assessments twice a year. Several
commenters also raised a concern about potential resource limitations
in performing the evaluation on the timetable the Board proposed.
Other commenters suggested various options for potential
alternative evaluation dates:
March 31, on the basis that it is better aligned with a
natural business cycle for many firms or aligns with the Form 2
reporting date. (These commenters generally preferred allowing firms to
choose their own evaluation date over a mandated date applicable to all
firms and suggested March 31 as a second-best approach.)
September 30, which would allow firms to report to the
PCAOB by November 15 and, in turn, report to audit committees before
the end of the calendar year.
September 30 or October 31, if the proposed January 15th
reporting date is implemented, to allow additional time to complete
reporting.
February 28, to allow reporting by April 1, in advance of
the April/May proxy season.
A window, for example, November to March, within which
firms could choose a date.
Taking into account commenter feedback on the proposed evaluation
date of November 30, the evaluation date was revised to September 30
for all firms. The Board believes this earlier date addresses commenter
concerns that the November 30 date would have caused potential resource
limitations during the traditional busy period for many firms. Further,
the Board believes an evaluation date of September 30 would provide the
firm with enough time to identify and potentially remediate any QC
deficiencies identified from the most recent calendar year-end
engagements, which might not be possible if an earlier date were
selected.
As summarized above, some firms expressed concern that a firm that
has already chosen its evaluation date under ISQM 1 would be required
to perform two QC system evaluations per year since the PCAOB's
evaluation date differs from ISQM 1's. The Board believes firms can
build on work already done for the purpose of complying with the
requirements of one QC standard in performing the other, to the extent
applicable. However, since the nature of the two evaluations is
inherently different (e.g., the determination of major QC deficiencies,
the differing definitions of QC deficiency under QC 1000 vs. deficiency
under ISQM 1), the Board believes that there would always be some
differences between the evaluation required under QC 1000 and the
evaluation required under ISQM 1. While there could be additional costs
associated with multiple evaluations if a firm chose to have separate
evaluation dates for purposes of QC 1000 and other QC standards to
which it is subject, firms would be free to change their evaluation
date under other QC standards so that the evaluation dates coincide.
The proposed standard also included a note clarifying what
unremediated means in the context of this requirement: remedial actions
that completely address the QC deficiency have not been fully
implemented, tested, and found effective. While this note did not draw
specific comment, one commenter suggested that the framework afforded
by section 104(g)(2) of Sarbanes-Oxley, which the commenter said
focuses on substantial good faith progress instead of complete
remediation, is necessary and should be retained. The Board disagrees
as, in its view, the two provisions serve fundamentally different
purposes and a different approach is appropriate for firm evaluation
and reporting under QC 1000.
Sarbanes-Oxley section 104(g)(2) governs the circumstances under
which the PCAOB is permitted to make portions of an inspection report
dealing with quality control criticisms and potential defects public.
It forbids publication if the criticisms or defects ``are addressed by
the firm, to the satisfaction of the Board,'' not later than 12 months
after the date of the report. In describing its process for determining
whether a matter has been addressed to its satisfaction, the Board
indicated that a ``favorable Board determination reflects the Board's
assessment that the firm has demonstrated substantial, good faith
progress toward achieving the relevant quality control objectives,
sufficient to merit the result that the criticisms remain nonpublic. A
favorable determination does not necessarily mean that the firm
completely and permanently cured any particular quality control
defect.'' \315\
---------------------------------------------------------------------------

\315\ PCAOB Rel. No. 104-2006-077 at 6.
---------------------------------------------------------------------------

By contrast, reporting on Form QC is simply factual: as of the
evaluation date, has each identified QC deficiency been fully
remediated or not? Under QC 1000, firms will perform a self-evaluation,
based on the process and criteria set forth in the standard. This is
very different from the process by which the Board determines whether a
matter has been remediated to its satisfaction for purposes of section
104(g)(2),\316\ not least because it involves the firm's self-
assessment rather than the Board's judgment. Moreover, the Board does
not believe the consequences of a firm reporting an unremediated QC
deficiency to the PCAOB would be the same as the consequences of the
PCAOB publishing QC criticisms in an inspection report; in particular,
the Board does not believe that the legislative policy choice reflected
in section 104(g)(2), which, as the Board has said, favors ``the
correction of quality control problems over the exposure of them,''
\317\ applies in this context, given the nonpublic nature of the Form
QC reporting. Accordingly, the Board adopted the note to paragraph .77
as proposed.
---------------------------------------------------------------------------

\316\ See PCAOB Rule 4009, Firm Response to Quality Control
Defects.
\317\ PCAOB Rel. No. 104-2006-007 at 2.
---------------------------------------------------------------------------

b. Determining Whether Major QC Deficiencies Exist (QC 1000.78)
The standard requires firms to evaluate unremediated QC
deficiencies as of the evaluation date to determine whether major QC
deficiencies exist. While the identification of QC deficiencies will be
an ongoing process throughout the year, the determination of whether
any of those QC deficiencies, alone or in combination, constitute major
QC deficiencies will be required only as part of a firm's annual
evaluation of its QC system.

[[Page 49675]]

i. Definition of a Major QC Deficiency
The proposed standard provided that a major QC deficiency was ``an
unremediated QC deficiency or combination of unremediated QC
deficiencies, based on the evaluation under paragraph .78, that
severely reduces the likelihood of the firm achieving the reasonable
assurance objective or one or more quality objectives.'' One commenter
supported the concept of major QC deficiency. However, a number of
commenters expressed concern with that proposed definition:
Several commenters expressed concern that the definition
could cause a firm to come to a different conclusion about its QC
system during the annual evaluation process under QC 1000 than the
conclusion a firm may reach under ISQM 1 and suggested that the
definition be revised to include the concepts of severe and pervasive,
similar to the concepts that appear in relation to the evaluation of QC
deficiencies under ISQM 1.
One commenter stated that it was unclear why a new term,
``major QC deficiency,'' would be necessary and questioned the need for
a reference to a threshold other than ``achieving reasonable
assurance.''
Another commenter was concerned that the concept of major
QC deficiency, which other QC standards do not use, will redirect time
and resources to analyzing the level of a deficiency instead of the
important elements to remediate the deficiency such as root cause
analysis and implementing timely changes to a firm's system.
Another commenter stated that the phrase ``severely
reduces the likelihood'' in the definition of major QC deficiency is
vague and not sufficiently defined in the proposed QC standards and
suggested that the phrase be replaced with the phrase ``prevents the
firm from concluding.''
The Board considered the commenter feedback and determined to adopt
this language as proposed. The Board agrees it is possible that firms
could reach different conclusions as to the effectiveness of their QC
system under QC 1000 and ISQM 1 or SQMS 1. However, the concept of
severe and pervasive, which commenters suggested be incorporated in the
definition, appears in the factors for firms to consider when
determining the existence of a major QC deficiency (see paragraph .78b.
below). The Board believes that including this concept in the factors
clarifies the process firms will need to go through in making their
determination of whether a major QC deficiency exists.
The defined term ``major QC deficiency'' is unique to QC 1000, but
the concept it embodies--that the QC system does not provide the firm
with reasonable assurance that the objectives of the QC system have
been met--is not, and appears in both ISQM 1 and SQMS 1. Accordingly,
the Board does not believe that phrasing the requirements as it has,
including the use of a defined term, will require a different
evaluation process than if it had simply required a determination that
the QC system was ineffective. The standard does not require the
determination of major QC deficiencies to be performed at any time
other than the evaluation date. However, firms may choose to perform
such an analysis ahead of the annual evaluation date to enable
sufficient time to design, implement, and test remedial actions related
to the QC deficiencies that have the greatest potential impact on the
QC system.
As with the defined term ``QC deficiency,'' the defined term
``major QC deficiency'' is analogous to a term in COSO's integrated
framework, major deficiency, which includes the concept of ``severely
reduces the likelihood.'' The Board believes that this concept is
already well-understood by firms.
Another commenter expressed concern that a major QC deficiency
would exist if there was a severely reduced likelihood that the firm
did not achieve a single quality objective, even when the firm had in
fact achieved the reasonable assurance objective. In the Board's view,
this concern is more theoretical than real. The quality objectives in
QC 1000 relate to compliance with applicable professional and legal
requirements in each component of the QC system and in the aspects of
the firm's practice that are addressed by each component. Failing to
achieve such a quality objective implies that the reasonable assurance
objective has not been achieved. Some quality objectives, particularly
in the resources component, also relate to compliance with the firm's
policies and procedures. These quality objectives are directed to the
QC system itself: compliance with policies and procedures is necessary
for the QC system to operate as designed. While failure to comply with
firm policies and procedures does not necessarily imply failure to
comply with applicable professional and legal requirements, it does
mean that the QC system is not operating as designed, which may raise
questions about the level of assurance it provides.
In response to commenter feedback regarding the proposed concept of
presumed major QC deficiencies (discussed in the next section), the
lead-in language of paragraph .78 was revised to clarify that the
factors in paragraph .78b are to be applied by the firm both (i) when a
presumption arises that a major QC deficiency exists and the firm
attempts to rebut the presumption, and (ii) in instances where no
presumption arises.
ii. Presumed Major QC Deficiency (QC 1000.78.a)
The proposed definition of a major QC deficiency provided for two
circumstances that would be presumed to evidence a major QC deficiency.
These circumstances included an unremediated QC deficiency or
combination of unremediated QC deficiencies that:
Relates to the firm's governance and leadership that
affect the overall environment supporting the operation of the QC
system. Firm governance and leadership establish the environment that
determines how firm personnel carry out responsibilities for the
operation of a firm's QC system and the performance of its engagements.
Because of the pervasive impact of leadership and the ``tone at the
top,'' one or more unremediated QC deficiencies related to firm
governance and leadership that affect the overall environment
supporting the operation of the QC system would almost always severely
reduce the likelihood of the firm achieving the reasonable assurance
objective or one or more quality objectives.
Results in or is likely to result in one or more
significant engagement deficiencies in engagements that, taken
together, are significant in relation to the firm's total portfolio of
engagements conducted under PCAOB standards. A significant engagement
deficiency exists when (1) the engagement team failed to obtain
sufficient appropriate evidence in accordance with the standards of the
PCAOB or failed to perform interim review or attestation procedures
necessary in the circumstances, (2) the engagement team reached an
inappropriate overall conclusion on the subject matter of the
engagement, (3) the engagement report is not appropriate in the
circumstances, or (4) the firm is not independent of its client.\318\
An unremediated QC deficiency that would likely result in one or more
of these deficiencies in engagements that, taken together, are
significant in relation to the firm's total portfolio of engagements

[[Page 49676]]

conducted under PCAOB standards would give rise to a presumption that a
major QC deficiency exists. The definition included examples of
quantitative and qualitative criteria that may signal such
significance.
---------------------------------------------------------------------------

\318\ See Notes to AS 1220.12, .17, .18B.
---------------------------------------------------------------------------

One commenter argued that the proposed presumption regarding
deficiencies in the governance and leadership component was
unnecessary, on the basis that not every deficiency in governance and
leadership was necessarily a major QC deficiency. Other commenters
expressed concern that the circumstances presumed to evidence a major
QC deficiency remove the auditor's ability to apply professional
judgment. Another commenter suggested that the presumptions could be
replaced with indicators of a major QC deficiency, similar to how AS
2201 treats material weaknesses. Another commenter stated that it is
not appropriate to include in the proposed definition circumstances
when a major QC deficiency is presumed to exist because the factors
provided in paragraph .78 are sufficient to make the evaluation of
whether a QC deficiency is a major QC deficiency. Another commenter
suggested that these presumed major QC deficiencies could be relocated
from the definition and into paragraph .78 and achieve the same
objective.
The Board considered the commenter feedback. However, as described
above, the Board continues to believe that because of the pervasive
impact of leadership and the ``tone at the top,'' one or more
unremediated QC deficiencies related to firm governance and leadership
that affect the overall environment supporting the operation of the QC
system would almost always severely reduce the likelihood of the firm
achieving the reasonable assurance objective or one or more quality
objectives--that is, would almost always result in a major QC
deficiency.
The Board also noted that, consistent with the proposal, the
presumptions are not conclusive and can be rebutted by the firm in
appropriate circumstances. The note to paragraph .78a clarifies that in
order to rebut a presumption that a major QC deficiency exists, a firm
must demonstrate, by taking into account both of the factors in
paragraph .78b. (including all of the listed examples in paragraph
.78b.(1)), that a major QC deficiency does not exist.\319\ The standard
thus allows for circumstances in which a deficiency related to one of
the presumptions does not amount to a major QC deficiency, and creates
an opportunity for firms to exercise professional judgment in deciding
whether to attempt to rebut the presumption and, if so, how to apply
the paragraph .78b factors. However--appropriately, in the Board's
view--the presumptions shift the burden of proof to the firm, which
will have to demonstrate that circumstances generally reflecting a
major QC deficiency do not constitute a major QC deficiency in its
case. The Board believes the term ``presumption'' achieves this burden
shifting more clearly than ``indicators'' or other terms would do.
---------------------------------------------------------------------------

\319\ When circumstances exist that are presumed to evidence a
major QC deficiency, but the firm demonstrates that it does not have
a major QC deficiency, the firm will be required to disclose the
basis for its determination in its report to the PCAOB on Form QC,
as discussed further below. See Form QC, Report on the Evaluation of
the Firm's System of Quality Control, Item 2.5.
---------------------------------------------------------------------------

The Board agrees with the commenter that suggested that the
presumed major QC deficiencies should not be included in the definition
of major QC deficiency and have taken another commenter's suggestion to
relocate the presumption to paragraph .78. Accordingly, the Board made
the following revisions to paragraph .78:
Relocated the circumstances presumed to evidence a major
QC deficiency from the definition into paragraph .78a, so they are
explicitly part of the process of determining whether a major QC
deficiency exists.
Included a note to clarify what the firm has to
demonstrate in order to rebut the presumption that a major QC
deficiency exists.
Importantly, the circumstances where a major QC deficiency is
presumed to exist are not an exhaustive list of possible major QC
deficiencies. For example, any deficiency that requires significant
effort and resources to remediate may be a major QC deficiency.
One firm requested clarification of the relationship between the
definitions of ``engagement deficiencies'' and ``significant engagement
deficiencies.'' As is evident from their respective definitions,
significant engagement deficiencies are a subset of engagement
deficiencies. QC 1000 defines an engagement deficiency as ``an instance
of noncompliance with applicable professional and legal requirements by
the firm, firm personnel, or other participants with respect to an
engagement of the firm, or by the firm or firm personnel with respect
to an engagement of another firm.'' As the footnote to paragraph .78 of
the standard provides, ``A significant engagement deficiency exists
when (1) the engagement team failed to obtain sufficient appropriate
evidence in accordance with the standards of the PCAOB or failed to
perform interim review or attestation procedures necessary in the
circumstances, (2) the engagement team reached an inappropriate overall
conclusion on the subject matter of the engagement, (3) the engagement
report is not appropriate in the circumstances, or (4) the firm is not
independent of its client. See, e.g., Notes to AS 1220.12, .17, .18B.''
iii. Factors for Consideration
To help firms make the determination of whether a major QC
deficiency exists, the standard provides factors on which to base the
determination, which assist firms in applying the definition. Several
commenters expressed general support for the proposed factors, and the
Board adopted them as proposed.
The Board did not receive comments on the examples that illustrated
the proposed factors, and adopted this aspect of the proposal
substantially as proposed, with one addition, in a renumbered paragraph
.78b.(1)(d). The added example relates to the persistence of an
unremediated QC deficiency or combination of unremediated QC
deficiencies over time. Through its oversight activities the PCAOB has
observed repeat or persistent criticisms--appearing in consecutive
inspections, or occurring consistently over multiple years, even if not
every year--which the Board believes may be indicative of a problem so
pervasive and/or so severe that the firm has been unable to effectively
remediate it, or of significant failures in the firm's remediation
process. Firms will need to consider whether and how the existence of a
persistent unremediated QC deficiency or combination of unremediated QC
deficiencies year over year might indicate the existence of a major QC
deficiency.
Under the standard, the factors for determining whether a major QC
deficiency exists are:
The severity and pervasiveness of the unremediated QC
deficiency or combination of unremediated QC deficiencies. A firm
assesses an unremediated QC deficiency, considering both quantitative
and qualitative implications. For example, a firm will assess how many
of the components of its QC system, quality objectives, and quality
responses are affected by the deficiency, the number of root causes,
and the number of affected engagements or engagements likely to be
affected in the future, as well as the impact on those engagements,
including engagements

[[Page 49677]]

where the opinion was not appropriately supported or the financial
statements or management's internal control assessment had to be
revised or restated. The firm would also consider the implications of
the deficiency for the QC system overall, based on ways in which the
design or operation of other aspects of the QC system may be affected,
the pervasiveness of the root causes, and the risk of the firm issuing
inappropriate engagement reports or otherwise performing deficient
engagements in the future. Viewed this way, for example, an
unremediated QC deficiency that affects engagements only in a single
industry, where the firm has few clients and no intention to acquire
more and the engagements represent an insignificant portion of the
firm's total portfolio of engagements under PCAOB standards, is less
likely to be severe or pervasive. The Board views the concepts of
severity and pervasiveness as overlapping and the factors in paragraph
.78b.(1) that indicate the severity and pervasiveness of an
unremediated QC deficiency, or combination of unremediated QC
deficiencies, represent both aspects. The standard does not require the
firm to determine that an unremediated QC deficiency is both severe and
pervasive in order for it to constitute a major QC deficiency, nor is
the list of examples exhaustive.
The extent to which remedial actions have been
implemented, tested, and found to be effective. Before the annual
evaluation date, a firm may implement remedial actions that reduce the
severity or pervasiveness of an unremediated QC deficiency. To
illustrate, if a firm identifies an issue with its audit software, it
could develop a temporary ``work around'' to mitigate the unremediated
QC deficiency until a permanent solution is employed. For this factor
to be relevant for a firm when determining whether a major QC
deficiency exists as of the annual evaluation date, the remedial
actions have to be tested and the results have to show that such
remedial actions are operating effectively.
BILLING CODE 8011-01-P

[[Page 49678]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.010

[[Page 49679]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.011

[[Page 49680]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.012

BILLING CODE 8011-01-C
c. Firm Reporting on QC System Evaluation (QC 1000.79-.80)
i. Reporting to the PCAOB
(1) Annual Reporting
Under the proposal, firms were to report to the Board annually the
outcome of the evaluation of the firm's QC system with respect to any
period during which the firm was required to implement and operate the
QC system. Many commenters supported the proposed annual reporting
requirement. However, one commenter stated that this annual firm
reporting would be of no meaningful incremental benefit to the PCAOB
and has the potential to create an adversarial dynamic that would not
promote audit quality or well serve investor protection goals. Another
commenter suggested that if the required reporting on Form QC to the
PCAOB would lead to follow-on requests from the PCAOB to furnish more
detailed information as to specific findings, then confidentiality
legislation may be an issue for firms. Other commenters argued that,
because the PCAOB could obtain the same information through the
inspections process, reporting to the PCAOB would be unnecessarily
duplicative. Another commenter argued that all unremediated QC
deficiencies should not have to be reported on Form QC, specifically
commenting that the PCAOB already has the ability to access QC
documentation for all registered firms to view this information.
Another commenter suggested that the value of the report when not
accompanied by independent attestation is likely to be limited.
The Board acknowledges that it has the ability to request from
firms information relating to their QC systems. However, the Board
continues to believe that annual reporting to the Board will provide
the PCAOB with important information about firm QC systems in a timely
and structured way and will provide an effective and efficient means of
gathering information about firm QC systems. Currently, only 14 of the
approximately 1,600 registered firms are subject to annual inspection.
Approximately 640 registered firms are required to be inspected on a
triennial basis, of which approximately one third are inspected in any
given year.\320\ Therefore, the Board does not believe that collecting
firms' QC information during an inspection would provide timely
information regarding the majority of registered firms' QC systems.
Data collected by the PCAOB will inform its inspections process,
including decisions about the selection of firms and engagements as
well as focus areas to inspect and the nature and extent of its
inspection procedures (both for QC processes and individual
engagements), and will enable the PCAOB not only to make more refined
data requests from the firms, but also to focus its inspection
resources on those firms and engagements with the greatest risk. The
Board believes that this will help better advance its investor
protection mandate. Additionally, the Board believes that a formal
reporting process will result in enhanced accountability of firm
leadership for QC and an additional incentive for prompt remediation of
identified QC deficiencies. While the standard does not require
attestation over the firm's evaluation process, the Board believes that
the requirements regarding the form, including required certifications,
will provide sufficient incentive for firms to report accurately and
completely (and enforcement remedies will be available if they do not).
The incremental effort for a firm to report its evaluation to the PCAOB
will not be substantial, as the firm is simply communicating the
results of its evaluation process and any related remediation
activities, which it is required to conduct and document under QC 1000
in any case.
---------------------------------------------------------------------------

\320\ The data were obtained from Audit Analytics and publicly
available data from the PCAOB's Registration, Annual and Special
Reporting (RASR) available at https://rasr.pcaobus.org.
---------------------------------------------------------------------------

One firm suggested that the Board only require reporting to the
PCAOB if a firm performed engagements in accordance with PCAOB
standards during the one-year period ending on the evaluation date. The
Board considered whether this change would be of significant benefit to
firms and would further enhance the scalability of the standard.
However, firms that are not currently performing engagements may have
responsibilities with respect to past engagements.\321\ Moreover,
regardless of whether they are required to report the results of the
annual evaluation, firms will still be required to perform an
evaluation pursuant to QC 1000 in such a circumstance. On that basis,
the Board believes that reporting would be valuable even for firms that
did not perform an engagement during the year preceding the evaluation
date, and that reporting should not constitute an undue burden.
---------------------------------------------------------------------------

\321\ See, e.g., AS 2901; AS 2905.
---------------------------------------------------------------------------

(2) Reporting Mechanism: Form QC
As proposed and under the final rules, firms are required to report
their annual QC evaluation on a new form, Form QC. Several commenters
supported the use of a separate Form QC, with some of these commenters
asserting that because firms should be allowed to select their own
evaluation date, this would necessitate the use of Form QC, rather than
an existing form such as Form 2. Another commenter supported the view
that expanding Form 2 to incorporate QC information

[[Page 49681]]

was not favorable as this would make the form longer and more complex.
The Board continues to believe that separate reporting on new Form QC
remains appropriate. The contents of Form QC are the result of a
separate evaluation process by a firm and the Board believes that it is
simpler for the results of the annual evaluation to be reported on a
separate form. In addition, as discussed in more detail above, QC 1000
requires firms to conduct an annual evaluation of their QC system as of
September 30. The use of a separate Form QC for reporting the results
of the annual evaluation will facilitate closer alignment of the timing
of the reporting and the annual evaluation date. For example, the
submission deadline for Form 2 is June 30, which is nine months after
the annual evaluation date of September 30. Furthermore, Form 2
reporting is public and, as discussed in more detail below, Form QC
will not be publicly available.
The proposal asked whether Form QC should be permitted to be filed
in XML or another machine-readable format. In response, one commenter
supported the PCAOB permitting widely accepted formats that support
usability. Another commenter supported that the web-based system for
submitting the information be navigable and easy to use. Reporting to
the PCAOB will be done using the same platform as its other reporting
forms (currently, its web-based RASR system and, in the future,
potentially new means of information exchanges as the PCAOB continues
to modernize its reporting technology aimed at simplifying and
automating data collection, processing, and interoperability).
(3) Contents of Form QC
The contents of Form QC will address the matters listed in
paragraphs .79-.80. In addition, Form QC will elicit certain
information about the firm and the individuals responsible for the QC
system, aggregated information about the items required to be reported
in paragraph .80, the areas of QC to which any unremediated QC
deficiencies relate, and a certification of the evaluation of the QC
system by certain designated individuals (discussed below).
One firm asserted that the requirement to report unremediated
deficiencies is at too granular a level to be meaningful. The Board
considered several alternatives, including requiring firms to report to
the Board on the outcome of the annual evaluation of the firm's QC
system only when the firm identifies a major QC deficiency. While this
approach could reduce some of the costs associated with preparing the
annual evaluation to the PCAOB, it would also significantly reduce the
value of the reporting of the firm's annual evaluation to the PCAOB, as
well as potentially affecting the rigor of the firm's evaluation
process. As noted above, reporting on all unremediated QC deficiencies
will inform various aspects of the Board's oversight activities. In
addition, to the extent that reporting may increase firm leadership's
focus on their responsibility and accountability for quality, reduced
reporting would be less beneficial. Therefore, the Board decided that
annual reporting to the PCAOB of the results of firms' annual
evaluation of the QC system, including unremediated QC deficiencies, is
the appropriate approach.
One commenter supported the inclusion of Item 4.1 of Form QC on
whether the Board should inform a party of a subpoena for information
on Form QC, but another commenter argued that it was unnecessary, may
interfere with investigations, may create a potential ground for firms
to sue the Board in the event notification did not occur, or
potentially involve the PCAOB in private litigation. Because Form QC
will be nonpublic, the Board believes that firms should be given the
opportunity to request such notification, consistent with the PCAOB's
treatment of the other nonpublic form filed with the PCAOB.\322\
---------------------------------------------------------------------------

\322\ See General Instructions 5 to PCAOB Form 1-WD, Request for
Leave to Withdraw from Registration.
---------------------------------------------------------------------------

An investor suggested firms should also affirm to the PCAOB on Form
QC that any information that the firm voluntarily released (e.g., in
transparency reports, audit quality reports, and CEO speeches) over the
time period covered by Form QC was consistent with the state of their
quality control system, as of the time of the voluntary disclosure.
This commenter also suggested that the affirmation should be publicly
available. An investor-related group suggested that firms should report
publicly on Form QC how an independent QC board committee (established
under paragraph .28 of QC 1000) carries out its responsibilities. As
discussed in more detail below, Form QC will not be publicly available,
so there would be no benefit to the public in adding this information
to Form QC. However, the Board remains committed to finding additional
ways of providing public disclosure to better inform investors about
firms, and to that end, has separately proposed to amend Form 2 to
identify whether the firm has an external oversight function for the
audit practice (established under paragraph .28 of QC 1000) and, if so,
the identity of the person or persons and an explanation for the basis
of the firm's determination that each such person is independent
(including the criteria used for such determination) and the nature and
scope of each such person's responsibilities.\323\
---------------------------------------------------------------------------

\323\ See PCAOB Rel. No. 2024-003 at 29.
---------------------------------------------------------------------------

Some commenters indicated that there might be circumstances in
which information required by Form QC may be restricted from disclosure
by the operation of legal requirements (such as data protection laws).
Two of these commenters suggested that the instructions to Form QC
should include a provision found in other PCAOB forms allowing firms to
decline to provide information if the firm believes that providing such
information would violate non-U.S. law. Another commenter, while
acknowledging that it was not aware of non-U.S. laws that would
prohibit reporting the information required on Form QC, suggested that
the Board state that firms would not violate the requirement to file
Form QC if laws or regulations exist in the jurisdiction(s) of the firm
that prevent compliance with this requirement.
The Board acknowledges that certain PCAOB forms include a general
instruction for assertions of conflicts with non-U.S. law. In these
circumstances, the instructions identify the specific parts and items
within the form for which the firm may withhold responsive information
on the basis that the firm could not provide such information without
violating non-U.S. law. Form QC, however, calls for certain discrete
information that the Board does not believe, and that no commenter has
suggested, would be restricted from disclosure under non-U.S. law
(e.g., the firm's name, the evaluation date, the overall conclusion of
the firm's evaluation, the number of unremediated QC deficiencies, and
for each unremediated QC deficiency, whether it is or is not major and
the areas of the QC system to which it relates). Beyond that, Form QC
requires firms to provide narrative information, including a
description of each unremediated QC deficiency, the basis for the
firm's QC deficiency determination, a summary of remedial actions, and
the firm's major QC deficiency presumption analysis (if applicable).
The Board believes that the narrative information required to be
reported in Form QC can be provided at a sufficiently summarized level
such that the reporting of such information

[[Page 49682]]

by the firm would not require disclosure of information that could be
restricted by legal requirements such as data protection laws. For
example, if a firm reports an unremediated QC deficiency on Form QC,
the Board believes that the firm could provide a description of the
deficiency and a summary of the remedial actions taken and planned to
be taken without violating non-U.S. law.
Some commenters suggested that the standard should clarify that
firms submit Form QC in connection with an inspection under section 104
of the Sarbanes-Oxley Act and that Form QC should receive the same
confidentiality protections of section 105(b)(5)(A) of the Act that
other inspections-based documents and information receive. One of these
commenters further suggested that the Board should make clear that all
of Form QC and its contents benefit from the privilege established by
section 105(b)(5)(A), regardless of how a deficiency has come to light.
Another commenter suggested that the Board consider requesting firms to
provide the information proposed to be in Form QC through the
inspection process, and that such requests could be made at any time to
facilitate the PCAOB's inspections. The commenter explained that under
this suggested alternative approach, Part II and the related exhibits
of Form QC could be removed and instead, the PCAOB could request this
as part of the inspection process, to allow the information to be
privileged under section 105(b)(5), while retaining the certification.
The Board does not believe that it is appropriate to specify that
Form QC is provided in connection with an inspection. The obligation to
furnish Form QC to the PCAOB does not derive from a request from PCAOB
inspection staff; instead, that obligation arises expressly from
paragraph .79 of QC 1000. And while Form QC, like other forms filed
with the PCAOB (such as annual reports on Form 2), may be used to
inform the PCAOB inspection process, that is not the only purpose of
the form; it may be used, for example, in connection with PCAOB
standard-setting processes, its economic and risk analysis, and its
registration program, to name a few examples. Furthermore, Form QC
submissions may not directly relate to an inspection. For example,
triennially inspected firms are required to report on Form QC annually,
including in years in which they are not subject to inspection. Firms
that are no longer performing engagements making them subject to PCAOB
inspection may still be required to report on Form QC in light of their
post-issuance QC responsibilities, such as their audit documentation
retention obligations under AS 1215. Accordingly, the Board does not
believe that Form QC is received by the Board in connection with an
inspection for purposes of section 105(b)(5)(A) of the Act, though it
notes, as discussed further below, that certain information contained
within a Form QC may be subject to the protections of section
105(b)(5)(A).
(4) Reporting Date
The proposal contemplated that firms would have until January 15 of
the year following the November 30 evaluation date to file Form QC.
This provided firms 46 days from the evaluation date to the reporting
date. As adopted, the standard provides that firms have until November
30 to report on Form QC to the PCAOB. This provides firms with 61 days
after the evaluation date of September 30 to file Form QC. A general
instruction was added to Form QC to clarify the reporting period
covered by the firm's evaluation. The reporting period is the period
beginning on October 1 of the year preceding the year in which Form QC
is required to be filed (or, if a firm's obligation to implement and
operate a QC system arises under paragraph .07a after October 1 of that
year, the date on which that obligation arises)) and ending September
30 of the year Form QC is required to be filed. Under this provision,
the reporting period will generally be 12 months long, but will be
shorter if the obligation to implement and operate the QC system arises
mid-period (whether by virtue of the effective date of QC 1000 or the
firm's otherwise becoming subject to the requirement to implement and
operate the QC system).
Several commenters suggested a 90-day period from the evaluation
date to the reporting date would be appropriate because this would
allow for testing of controls that operate at the evaluation date, and
allow firms to perform thorough and detailed evaluations. Several
commenters suggested that additional time is required for Form QC
preparation beyond 45 days to be able to compile relevant information,
including information on remedial actions, with some commenters
supporting a 60-day period that would align with the shortest due date
applicable to issuers to report on their conclusion on internal control
over financial reporting. Another commenter suggested that reporting
should be in advance of the April/May proxy season, suggesting a
reporting date of April 1 using an evaluation date of February 28. One
commenter did not support a January 15 reporting deadline, suggesting
that this would be close to the conclusion of the audit and, if there
are matters to be reported to the audit committee, would leave the
audit committee with little time to consider and respond to the
information before the due date of the issuer's Form 10-K. The
commenter also suggested that for firms subject to both ISQM 1 and QC
1000, having different reporting dates would create unnecessary
complexities for audit committees receiving reports under different
standards and different points in time. Several commenters suggested
that a January 15 reporting deadline would be challenging for many
firms given the proximity to year-end holidays. One commenter suggested
that coinciding the reporting date of January 15 with the PCAOB's
inspection process should not be a key consideration for firms in
determining the most appropriate date for their annual assessment.
The Board believes that extending the number of days from the
evaluation date to the reporting date to 61 days will provide firms
sufficient time to complete their evaluation and report to the PCAOB.
In addition, the reporting date of November 30 as adopted is prior to
the calendar year end and the traditional busy period for many firms,
which the Board believes will further benefit firms in performing their
evaluations.
ii. Form QC: Not Publicly Available
The proposed standard contemplated that Form QC would be nonpublic.
Many commenters, including firms, supported requiring the contents of
Form QC to be nonpublic. One firm commented that to require public
reporting would be inconsistent with the balance that Congress struck
in sections 104(g)(2) and 105(b)(5) of Sarbanes-Oxley. One commenter
asserted that the PCAOB should not use rulemaking to cause firms to
disclose quality control matters that the PCAOB is prohibited by
Sarbanes-Oxley from disclosing or cause firms to otherwise disclose
information that would be confidential under statute. Another commenter
suggested that public disclosure of unremediated QC criticisms could
allow companies that have a lower demand for audit quality to select a
lower quality auditor.
Other commenters, generally investors and investor-related groups,
objected to the lack of public disclosure. Two investors commented that
the proposed disclosure to audit committees but not to the public
leaves investors in the dark, and that disclosure requirements provide
an effective incentive for remediation of identified quality control
issues. Another

[[Page 49683]]

commenter asserted that if the PCAOB is permitted to compel firms to
disclose quality control information to audit committees, then they
expect that the PCAOB could also compel disclosure of such information
to the public. The commenter suggested that QC disclosures only to
audit committees may have unintended consequences for the public
markets as companies will have more information regarding the quality
of their auditors than individual investors. Some investors and
investor-related groups commented that the proposal provides little
public accountability with no mandated or meaningful disclosures about
the operation of the QC system. Two investors and an investor-related
group commented that firms furnish a statement of the quality control
policies of the firm when registering with the PCAOB, however this
information is not required to be updated and can quickly become out of
date. Therefore, providing the public with additional disclosure about
a firm's quality control system will act as an updating function.
One firm suggested that it would be difficult for the public to
synthesize in a useful manner the information in Form QC without the
right level of context. However, three investor-related groups did not
support the view that partial disclosure of Form QC would result in
potentially incomplete or misleading picture of a firm's QC system, and
favored disclosing elements of Form QC and leaving to investors the
assessment of the relative importance of the information. One of the
investors further suggested a restructuring of Form QC that would allow
confidential information to remain confidential while sharing decision-
useful information with investors. Another investor suggested that
investors would directly benefit from the disclosure of firm-identified
deficiencies that omits PCAOB-identified deficiencies, further
commenting that to the extent firms do not disclose any deficiencies to
the public, investors may have concern that the system of quality
control was not sufficient to proactively identify deficiencies.
The Board continues to recognize the desire of investors and other
stakeholders for information related to audit quality and the
effectiveness of firms' QC systems. But its ability to require firms to
publicly disclose their QC deficiencies is subject to certain legal
constraints imposed by Sarbanes-Oxley.
As a threshold matter, some or all of the unremediated QC
deficiencies identified during a firm's annual evaluation may have been
identified as QC criticisms or potential defects during a PCAOB
inspection.\324\ Furthermore, the Board believes that the QC
deficiencies identified during PCAOB inspections are likely to be
important information from the perspective of investors and other
stakeholders, especially because PCAOB inspection teams customize their
QC-related procedures based on, among other things, the firm's
structure, procedures performed in prior inspections, past and current
inspection observations, the size of the firm, and an assessment of
risk related to each focus area. Notably, however, section 104(g)(2) of
Sarbanes-Oxley provides that if a quality control criticism or
potential defect identified during a PCAOB inspection is addressed by
the firm to the Board's satisfaction within 12 months of the date of
the Board's inspection report, no portions of the inspection report
that deal with that criticism or potential defect will be made
public.\325\ Making or requiring public disclosure through a publicly
available form of QC deficiencies that have been identified during a
PCAOB inspection would be inconsistent with this provision of Sarbanes-
Oxley, if disclosure were required before the Board has determined
whether it is satisfied with the firm's remediation efforts or after
the Board has determined that the firm has satisfactorily addressed the
deficiencies.
---------------------------------------------------------------------------

\324\ See QC 1000.71b.
\325\ See section 104(g)(2) of Sarbanes-Oxley, 15 U.S.C.
7214(g)(2); see also PCAOB Rule 4009.
---------------------------------------------------------------------------

The limitation imposed by section 104(g)(2) is a significant one.
In light of section 104(g)(2), it appears that even if the PCAOB were
to require Form QC to be publicly available, the PCAOB could not
require the disclosure of information regarding the existence or nature
of QC deficiencies that are still subject to the Board's remediation
determination. However, if information reported by a firm on Form QC
informs a QC criticism contained within an inspection report, and if
that QC criticism is not addressed to the Board's satisfaction within
12 months of the date of that report, then the QC criticism would be
made public in accordance with section 104(g)(2).
The Board believes that the omission of deficiencies that are still
subject to the Board's remediation determination (or as to which the
Board has made a favorable remediation determination) would result in a
publicly available Form QC that supplies an incomplete and potentially
misleading picture of the effectiveness of the firm's QC system. This
view is guided by the familiar principle that omitting material facts
from a disclosure can cause the statements that are made to be
misleading.\326\ The Board's decision not to mandate public disclosure
of Form QC, in a context where material information (namely, the
existence and nature of QC deficiencies that are still subject to the
Board's remediation determination) may often be omitted, is motivated
in part by that concern, not by any lack of confidence in investors'
ability to interpret the information provided to them. For example, a
firm may have self-identified a number of relatively minor QC
deficiencies in its own evaluation, while QC deficiencies identified by
the PCAOB are more severe or could be of greater public interest. In a
partial disclosure scenario, the firm would disclose the minor matters,
but not the more significant ones that are still subject to the Board's
remediation determination, creating a misleading picture of the state
of its QC system.
---------------------------------------------------------------------------

\326\ See, e.g., 17 CFR 240.10b-5(b).
---------------------------------------------------------------------------

The Board was also concerned that, in certain circumstances, even
such partial disclosure would conflict with section 104(g)(2) of
Sarbanes-Oxley. For example, assume firms were required to disclose the
conclusion of their most recent evaluation and any QC deficiencies that
were self-identified, but not any PCAOB-identified QC deficiencies that
remain subject to the Board's remediation determination. Under such an
approach, if a firm had PCAOB-identified QC deficiencies but no
additional self-identified QC deficiencies, then the firm would not
disclose any specific QC deficiencies but would disclose an overall
conclusion (either ``effective except for one or more QC deficiencies
that are not major QC deficiencies'' or ``ineffective,'' depending on
the nature of the PCAOB-identified deficiencies) that nonetheless
reveals that the firm has unremediated QC deficiencies, without
specifically identifying them. In such a scenario, the Board would be
indirectly requiring firms to disclose the existence of PCAOB-
identified QC deficiencies that are still subject to the Board's
remediation determination, notwithstanding section 104(g)(2) of
Sarbanes-Oxley.
Moreover, public disclosure of portions of Form QC may in some
cases be subject to other legal constraints imposed by Sarbanes-Oxley.
Depending on how a QC deficiency has come to light, certain information
contained within a Form QC might be confidential pursuant to section
105(b)(5)(A) of Sarbanes-Oxley, which addresses documents and
information prepared or received by or specifically for the Board

[[Page 49684]]

in connection with an inspection or investigation.\327\ Additionally,
Form QC requires firms to report on remedial actions that in certain
(though likely rare) circumstances may be subject to laws relating to
the confidentiality of proprietary, personal, or other information, or
might reasonably be identified by a firm as proprietary. In such a
scenario, the Board, in accordance with section 102(e) of Sarbanes-
Oxley, would need to honor a firm's properly substantiated request for
confidential treatment of such information.\328\
---------------------------------------------------------------------------

\327\ See section 105(b)(5)(A) of Sarbanes-Oxley, 15 U.S.C.
7215(b)(5)(A).
\328\ See section 102(e) of Sarbanes-Oxley, 15 U.S.C. 7212(e);
PCAOB Rule 2300(b).
---------------------------------------------------------------------------

The Board also believes that firms may be in a better position to
report fully and candidly to the PCAOB about their annual evaluation--
more effectively supporting both their own remediation efforts and
PCAOB oversight activities--if they are confident that the information
would be understood and used in the context of a broader understanding
of their overall audit practice and an ongoing dialogue between the
firm and the PCAOB.
Accordingly, the Board adopted Form QC as a nonpublic form, as
proposed.
To that end, the Board adopted new PCAOB Rule 2203A, which
establishes the Form QC reporting requirement and specifies that the
Board will not make a filed Form QC or the contents thereof (including
any amendment thereto) public.\329\ The rule does not, however,
prohibit a firm from voluntarily disclosing its Form QC or the contents
thereof to the public or to particular stakeholders. Nor does the rule
prohibit the PCAOB from sharing Form QCs or their contents and related
documentation with the SEC or other entities, consistent with Sarbanes-
Oxley.\330\ The rule expressly provides that Form QCs and their
contents may be publicly disclosed in enforcement proceedings.\331\
---------------------------------------------------------------------------

\329\ Sections 102(b)(2) and (d) of Sarbanes-Oxley authorize the
Board to adopt rules requiring firms to periodically update the
information contained in their registration applications or provide
to the Board information as necessary or appropriate in the public
interest or for the protection of investors. See section
102(b)(2)(D), (b)(2)(H), and (d) of Sarbanes-Oxley, 15 U.S.C.
7212(b)(2)(D), (b)(2)(H), and (d). section 102(e) of Sarbanes-Oxley,
in turn, permits the Board to designate in its rules the portions of
registration applications and annual reports that will be made
available for public inspection (subject to applicable laws relating
to the confidentiality of proprietary, personal, or other
information, and provided that the Board shall protect from public
disclosure information reasonably identified by the firm as
proprietary information). See section 102(e) of Sarbanes-Oxley, 15
U.S.C. 7212(e); see also PCAOB Rule 2300(a)(2) (providing that forms
filed pursuant to Part 1 or Part 2 of Section 2 of the Board's rules
will be publicly available ``except to the extent otherwise
specified in the Board's rules or the instructions to the form'').
\330\ See, e.g., section 105(b)(5)(B) of Sarbanes-Oxley, 15
U.S.C. 7215(b)(5)(B).
\331\ On Form QC, firms may elect to request notification from
the Board if the Board is requested by legal subpoena or other legal
process to disclose information contained in Form QC. The Board will
make reasonable efforts to honor such a request. This notification
process does not apply to the PCAOB's or the SEC's use of Form QC or
its contents in an enforcement proceeding, because those scenarios
do not involve Board disclosure of Form QC information in response
to a legal subpoena or other legal process.
---------------------------------------------------------------------------

One commenter noted that Form QC or its contents may not be
relevant to all enforcement proceedings and suggested that the Board
explicitly clarify in the final standard that the Form QC may become
public as part of an enforcement proceeding where Form QC or its
content is relevant to the respective enforcement proceeding. The Board
does not believe that such a clarification is necessary. When a Form QC
or its content is relevant to an enforcement proceeding, it would be
admissible, and when it is not relevant to an enforcement proceeding,
PCAOB adjudication rules already specify that it shall be
excluded.\332\
---------------------------------------------------------------------------

\332\ See PCAOB Rule 5441, Evidence: Admissibility.
---------------------------------------------------------------------------

The rule also provides that the Board may publish Form QC
information in summaries, compilations, or other general reports,
provided that the firm or firms to which particular Form QC information
relates are not identified (unless the information has previously been
made public by the firm or firms involved or by other lawful means).
Two commenters suggested that the Board could publish Form QC
information in summaries, compilations, or other general reports,
provided that the firms are not identified. However, another commenter
did not support aggregated anonymized information and suggested that
this would depart from the spirit and letter of the confidentiality
provisions of Sarbanes-Oxley. The Board believes that summaries,
compilations, or general reports that present relevant QC-related
information on an aggregated and anonymized basis may provide useful
insight to investors, audit committees, firms, and other stakeholders
about firm QC systems, the implementation of QC 1000, and related
matters. The Board also continues to believe that presenting such data
on an aggregated and anonymized basis would not run afoul of any
limitations of Sarbanes-Oxley.\333\
---------------------------------------------------------------------------

\333\ For comparison, see PCAOB Rule 4010, Board Public Reports,
which provides, in pertinent part, that the Board may publish
summaries, compilations, or other general reports concerning the
findings and results of its inspections, including discussion of QC
criticisms or potential QC defects, provided that no such published
report shall identify the firm or firms to which such criticisms
relate, or at which such defects were found, unless that information
has previously been made public in accordance with PCAOB Rule 4009,
by the firm or firms involved, or by other lawful means.
---------------------------------------------------------------------------

While firm reporting on Form QC will be nonpublic due to the
aforementioned legal constraints and policy considerations, the Board
notes that other aspects of QC 1000 and related requirements promote
transparency about firm QC systems within the confines of those
constraints. For example, the PCAOB has observed the emerging practice
of firm transparency reporting, including that the nature and content
of these reports continues to evolve and expand in response to market
demand. Advances in thinking about firm and engagement metrics could
also affect what financial statement users demand and what firms could
usefully provide. QC 1000 requires that the QC system operate over any
public reporting that firms do provide, including any public reporting
of metrics. Firms have to establish a specific quality objective with
regard to their public reporting, including that any firm-level or
engagement-level information with respect to the firm's audit practice,
firm personnel, or engagements communicated to external parties be
accurate and not misleading, and--as with any quality objective--they
have to monitor their performance in relation to that objective and
remediate identified deficiencies.
As part of their annual reporting on Form 2, all registered firms
will also be required to provide an annual confirmation with regard to
the design of their QC system under QC 1000 and whether they were
required to implement and operate the QC system. The Board believes an
annual confirmation will be a useful reminder to all firms of their
responsibilities regarding the design, implementation, and operation of
an effective QC system. The Board also believes that the public will
benefit from being able to determine whether a particular firm has been
required to implement and operate its QC system from year to year. Such
information on Form 2 will be publicly available on the PCAOB website
and will be accessible to investors and other financial statement
users, audit committees, and other stakeholders. It will also inform
PCAOB oversight efforts.
To accompany the changes to Form 2, a similar confirmation has been
added to the application for PCAOB

[[Page 49685]]

registration, Form 1. The Board believes such a confirmation will
appropriately put applicants on notice of their obligations with
respect to their QC systems, which would apply from and after the time
that their registration is approved.
iii. Certification of the Evaluation of the Firm's QC System by Firm
Leadership
As proposed, the Board required that both the individual assigned
ultimate responsibility and accountability for the QC system as a whole
and the individual assigned operational responsibility and
accountability for the firm's QC system as a whole (the ``QC
certifiers'') certify the firm's report to the PCAOB on the evaluation
of its QC system.\334\ Several commenters were supportive of the
certification requirement, including a commenter that stated that
individual certifications are likely to focus the mind and it seems
likely that improvements will be seen as a result of such a
requirement.
---------------------------------------------------------------------------

\334\ See QC 1000.14d and .15b.
---------------------------------------------------------------------------

Some commenters opposed the certification requirement, saying it
adds little value to the evaluation of the QC system, may not provide a
full view of the subject matter it purports to be certifying to and may
create an unjust reliance by a third party on the certification, or is
an ineffective incentive for making quality control a higher priority
within a firm. Another suggested that while certification may sharpen
an individual's sense of accountability, this may not necessarily lead
to and cannot guarantee enhanced engagement quality. Another commenter
suggested that certification requirements could act as a barrier to
registration for firms operating in environments in which there are no
Sarbanes-Oxley style reporting requirements,\335\ and that it could
have a disproportionate impact on smaller firms.
---------------------------------------------------------------------------

\335\ Under SEC rules adopted pursuant to section 302 of
Sarbanes-Oxley, CEOs and CFOs of issuers are required to certify,
for each quarterly or annual report of the issuer, among other
things, that (1) they have reviewed the report; (2) based on the
officer's knowledge, the report does not contain any untrue
statement of a material fact or omit to state a material fact
necessary to make the statements made not misleading; (3) based on
the officer's knowledge, the financial statements and other
financial information included in the report fairly present in all
material respects the financial condition and results of operations
of the issuer; (4) they (a) are responsible for establishing and
maintaining internal control over financial reporting, (b) have
designed ICFR to ensure that material information is made known to
them, (c) have evaluated the effectiveness of ICFR, and (d) have
presented their conclusions about the effectiveness of ICFR in the
report; and (5) they have disclosed to the issuer's auditors and
audit committee any significant deficiencies in ICFR and any fraud
involving management or others involved with ICFR. See 17 CFR
240.13a-14(a), 240.15d14(a).
---------------------------------------------------------------------------

The Board continues to believe that, analogous to the CEO and CFO
certifications required under Sarbanes-Oxley, certification of Form QC
will lead to increased discipline in the evaluation process and will
reinforce the accountability of the certifying individuals, which in
turn should improve the quality of the firm's evaluation. The text of
the certification, which is unchanged from the proposal, appears in
Item 3.2 of Form QC. That item requires certification of certain
information regarding the design and evaluation of a firm's QC system,
including that each QC certifier reviewed the Form QC and that the
disclosures made in the Form QC are complete and accurate in all
material respects to the individual's knowledge.\336\
---------------------------------------------------------------------------

\336\ See e.g., Daniel A. Cohen, Aiyesha Dey, and Thomas Z. Lys,
Corporate Governance Reform and Executive Incentive: Implications
for Investments and Risk Taking, 30 Contemporary Accounting Research
1298 (2013) (finding that their sample of firms significantly
reduced investments in risky projects in the period following SOX);
Hsihui Chang, Jengfang Chen, Woody M. Liao, and Birendra K. Mishra,
CEOs'/CFOs' Swearing by the Numbers: Does it Impact Share Price of
the Firm?, 81 The Accounting Review 22 (2006) (concluding that the
SEC order requiring filing of sworn statements by CEOs and CFOs had
a positive effect on the market value of certifying firms); Gerald
J. Lobo and Jian Zhou, Did Conservatism in Financial Reporting
Increase after the Sarbanes-Oxley Act? Initial Evidence, 20
Accounting Horizons 57 (2006).
---------------------------------------------------------------------------

As proposed, the final rules require certification from both the
individual assigned ultimate responsibility and accountability for the
QC system (i.e., the firm's principal executive officer(s)) and the
individual assigned operational responsibility and accountability for
the QC system. One commenter suggested that certification be required
only from the individual with ultimate responsibility and
accountability for the firm's QC system on the basis that, in the event
of differences of opinion between the two certifiers, the individual
responsible for the operational responsibility and accountability for
the QC system could be subject to excessive pressure from the firm's
principal executive officer. However, under EI 1000, certifiers will be
subject to a duty to act with integrity, which includes not
subordinating their professional judgment, and the individual with
ultimate responsibility and accountability for the firm's QC system
will have a number of obligations (for example, under QC 1000.14a.)
that are inconsistent with the exercise of undue influence over a
subordinate.
The Board does not require similar certifications from other
personnel in the QC system, but firms may choose to institute policies
that require levels of certification internal to the firm to assist
those certifying Form QC.
Some commenters raised concerns about the potential liability of
the QC certifiers. Several requested clarification on whether the QC
certifiers could be held personally liable for an inaccurate statement
only if they made the statement knowing it was false or recklessly not
knowing it was false. One of these commenters further stated it had
concerns about the potential for unnecessary and excessive liability
that the certification could impose upon the QC certifiers, and the
effect that this could have on firms' ability to recruit qualified
professionals to serve. The commenter further suggested that the final
adopting release expressly state that while the QC certifiers are
responsible for exercising professional competence in connection with
the design and operation of the firm's QC system (and may face
consequences for failure to do so), the QC certifiers shall not be held
responsible for inevitable system errors or the wrongful acts of others
which may, in limited circumstances, overcome the best of those
efforts.
If a QC certifier fails to certify the firm's Form QC, such conduct
would constitute a violation of the individual's obligation under
either paragraph .14d or .15b of QC 1000, as applicable to the
particular individual. The Board believes this requirement is important
for creating accountability within the firm to achieve the reasonable
assurance objective.
Beyond that, QC certifiers' potential liability for statements
contained within the Form QC certification is informed by the
particular language of those statements. Certain statements in the
certification reflect objective facts that the Board believes are
readily knowable by the individual. Paragraph 1 of the certification,
for instance, recites that the individual reviewed the firm's report on
Form QC. Paragraph 3(a) of the certification contains an
acknowledgement that the individual is responsible and accountable for
the firm's QC system as a whole and has designed, or caused to be
designed, the QC system to ensure that it meets QC 1000's reasonable
assurance objective. Notably, this paragraph is not tantamount to a
certification that the firm's QC system in fact meets QC 1000's
reasonable assurance objective; on the contrary, Form QC contemplates
that a firm might conclude, and report on its certified Form QC, that
its QC

[[Page 49686]]

system is not effective. Rather, in paragraph 3(a), the QC certifiers
acknowledge their role in designing (or causing to be designed) the
firm's QC system. Paragraph 3(b) of the certification states that the
individual evaluated the effectiveness of the firm's QC system and has
presented in Form QC the conclusions reached. With respect to each of
these statements in the Form QC certification, the Board believes that
the QC certifiers can and should reach a conclusion about their
accuracy through the exercise of due professional care. In light of the
nature of these statements, the Board does not agree with the
commenters that a showing of recklessness or knowing misconduct is
necessary to establish a violation with respect to these aspects of the
Form QC certification.
The other statements in the Form QC certification are subject to
knowledge qualifiers. In paragraph 2, the QC certifier states that the
disclosures made in Part II of Form QC regarding the evaluation of the
effectiveness of the firm's system of quality control are complete and
accurate in all material respects ``[b]ased on my knowledge.''
Similarly, paragraph 3(c) states that the QC certifier has disclosed,
based on the evaluation of the QC system, all unremediated QC
deficiencies ``of which I am aware.'' These statements would be
inaccurate, and the QC certifier's certification would therefore
constitute violative conduct, only if they were knowingly false (if the
QC certifier knew that Part II was not complete and accurate in all
material respects, or if the QC certifier was aware of undisclosed
unremediated QC deficiencies), or if they were made recklessly not
knowing they were false.
One commenter suggested that the certification say ``to the best of
my knowledge'' rather than ``based on my knowledge,'' and another
commenter suggested that the wording of the certification be updated to
``in my capacity as the individual assigned [ultimate/operational]
responsibility'' rather than ``who have been assigned [ultimate/
operational] responsibility.'' After consideration of these comments,
the Board believes that the proposed language is clear, appropriate,
and likely to be easily understood, and does not believe that the
proposed certification text requires amending.
One commenter did not support the clause in the proposed
certification that states that the firm has disclosed all unremediated
quality control deficiencies. The commenter, while acknowledging that
this statement is subject to a knowledge qualifier, suggested that this
certification could lead to unnecessary disputes over what the QC
certifiers should have known in a particular circumstance and suggested
that obtaining a certification from the firm (not the individual) may
sufficiently address this item without discounting the standards to
which auditors are held. As discussed above, the inclusion of ``of
which I am aware'' in paragraph 3(c) of certification means that
liability would arise with respect to that paragraph only if the QC
certifier made the statement knowing it was false or recklessly not
knowing it was false.
Another commenter also suggested that the standards clarify that
such certification relates to the ``firm's evaluation'' of its QC
system, and not a specific individual's evaluation of the quality
management system. As reflected in paragraph .77 of QC 1000, the annual
evaluation is conducted by the firm, but the firm, as a legal entity,
acts through individuals, and the QC certifiers are the individuals
who, under the standard, are responsible and accountable for the QC
system as a whole and are required to certify the firm's report to the
PCAOB on its annual evaluation.
Another commenter asserted that the text of the certification
suggests that a certifying individual should be considered to have
violated QC 1000 only to the extent that the inaccuracy in a submitted
certification is material to an investor's or reasonable auditor's
understanding of the QC system as a whole, and asked that the Board
confirm that is the case. The Board does not agree with this
characterization of Form QC. Some statements in Form QC, such as the
one in paragraph 2, are expressly conditioned on materiality, while
other statements, such as that in paragraph 3(b), are not.
One commenter suggested that creating a potential Sarbanes-Oxley
type certification for privately held accounting firms and making this
available to the public could create market confusion as to what
exactly is being certified and the level of reliance users should place
on such a certification. The certification does not contain the outcome
of the firm's annual evaluation of its QC system or identify any
unremediated QC deficiencies, but rather certifies the completeness and
accuracy of the information being reported to the PCAOB on Form QC.
That information is set forth elsewhere in Form QC and, as explained
above, that information is treated as nonpublic. Because the certified
information is treated as nonpublic, the Item 3.2 certifications are
likewise treated as nonpublic; in the Board's view, the certifications
do not present a full or useful picture of a firm's QC system without
the underlying information.
iv. Requirement for Form QC Amendments
The proposed general instructions for Form QC included provisions
detailing when amendments of Form QC should be filed. Those
instructions indicate that Form QC should be amended only to correct
information that was incorrect at the time that the form was filed or
to provide information that was omitted from the form and was required
to be provided at the time the form was filed. The Board considered
commenters' feedback, and retained the language regarding amendments in
the proposed general instructions for Form QC, which mirrors the
standard for amending certain other PCAOB forms.
Two commenters requested clarification on how firms should consider
information that comes to their attention after the evaluation date or
the reporting date that is relevant to the firm's conclusion on Form
QC, including how this interacts with relevant provisions in proposed
EI 1000. Other commenters suggested that revisions to Form QC not be
required for inconsequential matters. Other commenters requested
guidance on when an amendment to Form QC would be required, and some
suggested that a threshold be developed for potential amendments.
QC 1000 requires firms to conduct the annual evaluation of their QC
system's effectiveness as of September 30 and to file their report on
Form QC regarding that evaluation by November 30. Consequently, annual
evaluations under QC 1000 should conclude sometime between October 1
and November 30 of each year. Information that relates to the firm's QC
system as of the evaluation date (September 30), and that comes to the
firm's attention after the evaluation date but before the firm has
filed Form QC, should be factored into the firm's evaluation and
reflected, if and as appropriate, in Form QC. In contrast, any
information that relates to the firm's QC system as of the evaluation
date, but that comes to the firm's attention after the firm has filed
its Form QC, would not need to be reflected on Form QC or on an
amendment to Form QC (although it may constitute a QC observation to be
considered in the next annual evaluation of the QC system).
In other words, Form QC captures, and conveys to the Board, the
conclusions reached by the firm as a result of its completed annual
evaluation, and that evaluation cannot disregard information that comes
to light before Form QC has been filed.

[[Page 49687]]

Therefore, when Form QC is filed, it should be complete and accurate as
of the date of its filing. Similar to PCAOB staff guidance on Form 2
reporting,\337\ if a firm discovers that it provided incorrect
information in a filed Form QC or omitted information that should have
been included based on information that the firm was aware of at the
time of filing, then the firm should file an amended Form QC. That
amendment obligation is not subject to any materiality or other
thresholds, because the Board believes it is entitled to receive Form
QCs that contain information that is correct and that do not omit
information that was required to be provided. The Board does not
believe that any of the information on Form QC is inconsequential.
---------------------------------------------------------------------------

\337\ See Staff Questions and Answers Annual Reporting on Form
2, at Q34, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/registration/rasr/documents/staff_qa-annual_reporting.pdf?sfvrsn=5e7259ff_0.
---------------------------------------------------------------------------

v. Reporting to the Audit Committee
In connection with the proposal of QC 1000, the Board also proposed
amendments to AS 1301, Communications with Audit Committees, which
contemplated communication to the audit committee of certain
information about the firm's most recent evaluation of its QC system.
Several commenters supported the amendments as proposed. Other
commenters supported limiting the communications to the conclusion of
the annual evaluation or limiting communication of deficiencies to only
major QC deficiencies. One commenter expressed concern with reporting
to audit committees about all unremediated QC deficiencies that exist
as of the evaluation date, in part because of the interaction of such
communications with the confidentiality restrictions under section
105(b)(5)(A) of Sarbanes-Oxley. The commenter further suggested that
requiring all QC deficiencies to be communicated would create more
extensive communication requirements for firms related to QC
deficiencies than what auditors are required to communicate to audit
committees in an audit of ICFR, and in addition, this approach would
differ from management's external reporting on its ICFR to its
stakeholders, which solely discloses deficiencies that are material
weaknesses.
One commenter asserted that audit committees are likely to find
more value in understanding quality matters specific to the engagement
and having a broader dialogue about the firm's approach to quality
control. Two commenters argued that a firmwide report on audit quality
would have little utility to each individual audit committee. One of
these commenters suggested instead that audit committees would be more
influenced by an independent verification of the QC system such as the
PCAOB inspection report on their auditor, and information relating to
the auditor's performance on their engagement, including audit quality
indicators. The other commenter recommended that firms report relevant
human resource metrics to the audit committee and explain what was done
to assure audit quality was not compromised. One commenter asserted it
could be extremely challenging for audit committees to understand and
reconcile the information that would be communicated to them under the
proposed changes to AS 1301, especially given the considerable time
period between the issuance of public portions of firm inspection
reports and the potential release of nonpublic inspection findings. One
commenter did not support the requirement to disclose a firm's QC
deficiencies to audit committees, and stated that QC deficiencies may
have little to no impact on a given reporting issuer's audit or that
area of the firm's practice. Another commenter questioned whether or
not the audit committee would be inclined to seek a new auditor based
only on a firm-wide evaluation of quality control furnished to the
audit committee by the auditor. One commenter was generally supportive
of the requirements but expressed concern with the timing of the
required communication due to existing important year-end
communications. The commenter expressed concern that not communicating
QC deficiencies known at a January 15 reporting date could potentially
introduce legal considerations that could place tension on the
engagement team and the firm's obligation to comply with other existing
required communications under AS 1301. One commenter recommended
specifying that this communication is not required to be in writing due
to confidentiality concerns, and two commenters did not support any
required communication of the annual evaluation of the QC system to the
audit committee.
One commenter asserted that requiring firms to communicate to audit
committees about their most recent annual QC evaluations is
inconsistent with the Congressional balance struck in Sarbanes-Oxley
section 104(g)(2). In addition, the commenter suggested that the
requirement indirectly regulates the actions of audit committees and
imposes a fiduciary duty of care on audit committees, regardless of
whether quality control issues relate to the performance of the
engagement, which is beyond the scope of the PCAOB's jurisdiction.
Another commenter asserted that the proposed communication could also
be construed as contradictory to the PCAOB's conclusion that Form QC
would be treated as nonpublic.
Several commenters were concerned about the proposed requirement to
discuss remedial actions taken and to be taken, and suggested that some
of this information may be protected by section 104(g)(2) or section
105(b)(5)(A) of Sarbanes-Oxley. One commenter suggested that the
communication of a brief overview of remedial actions taken or to be
taken should only be required upon the determination that substantial
good faith progress has not been made on the remedial actions.
After consideration of the comments received, the Board determined
not to adopt the proposed amendments to AS 1301. Although the Board
continues to believe that firms could communicate the overall
conclusion of their annual evaluation and their planned remedial
actions to audit committees without expressly disclosing information
subject to section 104(g)(2) or section 105(b)(5)(A) of Sarbanes-Oxley,
the Board recognizes that such a disclosure obligation could present
implementation challenges. Specifically, and as discussed in more
detail above, there may be challenges associated with compelling firms
to publicly disclose certain information about their QC systems while
simultaneously preserving their ability not to disclose other related
information that may be subject to confidentiality protections,
privileges, or prescribed disclosure procedures under Sarbanes-Oxley.
The Board believes that the same challenges could arise if firms were
compelled to make disclosures to audit committees.
The Board also recognizes that firms and audit committees have
direct interaction, so while PCAOB standards do not require firms to
make disclosures to audit committees, an audit committee may ask a firm
to voluntarily disclose information about its QC system. As the Board
has previously noted, such inquiries could include requesting the firm
to keep the audit committee apprised of the status of the quality
control remediation process (including whether the firm made a
submission to the Board responding to inspection report quality control
criticisms by the 12-month deadline) and whether the

[[Page 49688]]

Board has made a final remediation determination (including a negative
determination that has not yet become public).\338\
---------------------------------------------------------------------------

\338\ See Information for Audit Committees about the PCAOB
Inspection Process, PCAOB Rel. No. 2012-003, at 11 (Aug. 1, 2012),
available at https://pcaobus.org/Inspections/Documents/Inspection_Information_for_Audit_Committees.pdf.
---------------------------------------------------------------------------

2. Current PCAOB Sstandards
Current PCAOB QC standards do not require firms to evaluate their
QC systems or to report on any such evaluations. As previously noted,
some firms conduct evaluations and share their results in published
reports, either voluntarily or under other regulatory requirements.

Documentation

Documentation supports a firm's QC system in a number of ways. It
helps provide clarity around roles and responsibilities and the firm's
policies and procedures, which promotes consistent compliance by firm
personnel and other participants. Documentation enables proper
monitoring and supports the evaluation and continuous improvement of a
firm's QC system. It makes it easier to train firm personnel and other
participants and facilitates the retention of organizational knowledge,
providing a history of the basis for decisions made by the firm about
its QC system. Further, documentation assists others conducting reviews
of the firm's QC system by providing evidence of the system's design,
implementation, and operation. Current PCAOB standards provide only
general direction on the nature and extent of QC documentation and
specific requirements for documentation of certain items.\339\
---------------------------------------------------------------------------

\339\ See, e.g., QC 20.21, .24-.25.
---------------------------------------------------------------------------

Through its oversight activities, the PCAOB has observed that the
nature and extent of firms' documentation of their QC systems vary
greatly. Some firms have detailed documentation for all areas of their
QC systems. Other firms have significantly less documentation. For
example, some firms have documentation only in areas that have been
subject to PCAOB inspections, such as remediation, root cause analysis,
or internal inspections. QC 1000 establishes more comprehensive
requirements for firms to document their QC systems.
1. QC 1000
The proposal included an overarching documentation requirement that
captured the design, implementation, and operation of the firm's QC
system and the annual evaluation of the QC system. The scope of that
requirement was then specified in proposed paragraphs .82 and .83.
The documentation of the design and implementation of the QC system
captures decisions made regarding ``the who, what, when, where, why,
and how'' of the QC system. This aspect of documentation will help firm
personnel and others understand what is expected of them in fulfilling
their responsibilities and support consistent implementation and
operation of the firm's QC system. For example, documentation of the
design of policies and procedures regarding general and specific
independence matters would enable a consistent understanding by firm
personnel and others about who is responsible for what, when the
responsibilities are triggered, and why certain actions are
necessary.\340\ Such documentation will allow for consistent actions by
firm personnel and others in implementing the design of those policies.
---------------------------------------------------------------------------

\340\ See, e.g., QC 1000.33-.34.
---------------------------------------------------------------------------

The documentation of the operation of the firm's QC system enables
the firm to determine if the policies and procedures were operated in
the manner that the firm intended.\341\ It would also provide evidence
of compliance with the specified quality responses and other
requirements of QC 1000. For example, it would provide evidence of how
the firm complied with specific communication requirements related to
the operation of the firm's QC system and the performance of its
engagements \342\ and whether the quality responses implemented by the
firm operated as designed.
---------------------------------------------------------------------------

\341\ Firms that are not required to implement and operate their
QC system would not be expected to have anything to document with
respect to the operation of the QC system.
\342\ See, e.g., QC 1000.55-.57.
---------------------------------------------------------------------------

The Board received no comments on the general obligation to prepare
and retain documentation regarding the QC system and paragraph .81 was
adopted as proposed. The comments received regarding the scope of the
proposed documentation requirement are addressed below, in connection
with the discussion of paragraphs .82 and .83.
The proposal included a list of specific matters that firms would
be required to document. Documentation of the lines of responsibilities
and supervision within the QC system should reduce operational
ambiguity and provide clarity about who within the firm is accountable
for various firm supervisory responsibilities within the firm's QC
system. One firm suggested that the phrase ``successive senior levels''
may not be clear. As discussed in more detail above, under QC 1000.27,
the firm should establish and maintain clear lines of responsibility
and supervision--including defining authorities, responsibilities,
accountabilities, and supervisory and reporting lines for roles within
the firm, up to and including the principal executive officer(s)--
within the QC environment. A description of these successive lines of
responsibility and supervision must be included in the documentation of
the QC system, and a reference to paragraph .27 was added to clarify
that point.
The requirement for the firm to document aspects of its risk
assessment process ensures that the firm will have adequate evidence to
support its annual risk assessment. Specifically, the firm is required
to document identified quality risks, reasons these risks were
identified, and policies and procedures the firm had put in place in
response. This documentation is valuable in subsequent risk assessments
and could help to support decisions about, for example, whether to
establish additional quality objectives, identify new or modified
quality risks, or design and implement new quality responses.
The requirements for the firm to document aspects of its monitoring
and remediation process will also support its monitoring and
remediation activities. For example, a firm's documentation of
engagement and QC system-level monitoring activities performed, its
evaluation of the results of those monitoring activities, actions taken
to address engagement deficiencies, and identified QC deficiencies
would demonstrate the firm's approach to complying with certain
requirements of the standard for the monitoring and remediation process
component. This documentation will also assist the firm in monitoring
its monitoring and remediation process and in making its annual
evaluation of the effectiveness of the QC system pursuant to paragraph
.77.
The standard also requires the firm to document the basis for the
conclusion it reached in evaluating the effectiveness of its QC system
pursuant to paragraph .77. This documentation provides evidence of the
decisions made in reaching the conclusion about the effectiveness of
the firm's QC system, which may be valuable in future evaluations and
in establishing compliance with the firm's reporting obligations to the
PCAOB.
The standard requires the firm to document certain matters if the
firm uses resources or services provided by a network or a third-party
provider in the firm's QC system or the performance

[[Page 49689]]

of the firm's engagements. When a firm uses resources or services
provided by a network or a third-party provider, the standard requires
the firm to document how the resources or services are developed and
maintained and, if such services or resources were supplemented or
adapted, how and why they were supplemented or adapted. Firms will also
have to document how the resources or services were implemented and
operated. Documentation of such matters will serve as evidence of
decisions made regarding resources or services used by the firm.
Some networks or third-party providers may provide documentation
about their services or resources to the firm. For example, the firm
may obtain an understanding of how the resources were developed and
maintained by the network through documentation provided by the
network. This documentation may need to be supplemented by the firm
depending on various factors, including the extent of the documentation
provided and whether the firm supplements or adapts the resource or
service.
As discussed above, a reference to paragraph .27 was added to
paragraph .82a. to clarify that a description of the successive lines
of responsibility and supervision must be included in the documentation
of the QC system. Paragraph .82 was otherwise adopted as proposed.
Requiring documentation to be in sufficient detail to support a
consistent understanding of the QC system by firm personnel, including
an understanding of their roles and responsibilities with respect to
the firm's QC system, will help to clarify the firm's expectations of
its personnel and promote consistent compliance with the firm's QC
policies and procedures.
One firm expressed concern that this ``consistent understanding''
threshold may not be easily understood. The Board believes that firms
will be able to determine the nature and extent of the documentation
needed to facilitate a consistent understanding by firm personnel based
on the functioning of their QC system. Based on the requirements in
paragraph .83a, firms would initially determine the appropriate level
of detail of documentation based on the experience they already have in
implementing and operating a QC system under current standards and
whether their personnel understand their roles and responsibilities,
and modify documentation as needed over time based on their monitoring
and remediation activities and the results of their QC system
evaluations.
As described previously, documentation supports a firm's QC system
in a number of ways. For example, it provides clarity around the firm's
policies and procedures, enables proper monitoring, and supports the
evaluation and continuous improvement of a firm's QC system.
Documentation also facilitates the retention of organizational
knowledge, providing a history of the basis for decisions made by the
firm about its QC system. Further, it assists others conducting reviews
of the firm's QC system by providing evidence of the system's design,
implementation, and operation.
In particular, the Board believes that appropriate documentation of
the QC system is necessary for the PCAOB to fulfill its statutory
mandate to protect investors and the public interest. Sarbanes-Oxley
requires that, in conducting an inspection of a registered public
accounting firm, the PCAOB evaluates the sufficiency of the quality
control system of the firm and the manner of the documentation and
communication of that system by the firm.\343\ Sarbanes-Oxley further
authorizes the PCAOB to perform such other testing of quality control
procedures as are necessary or appropriate in light of the purpose of
the inspection and the responsibilities of the Board.\344\ In addition,
the Board's rules provide that a regular inspection will include, but
is not limited to, the steps and procedures as specified in sections
104(d)(1) and (2) of Sarbanes-Oxley and any other tests of the audit,
supervisory, and quality control procedures of the firm as the Director
of the Division of Registration and Inspections or the Board determines
appropriate.\345\ As part of the Board's inspection procedures, firms
will be expected to provide the PCAOB with evidence relating to the
effectiveness of the QC system.
---------------------------------------------------------------------------

\343\ See section 104(d)(2) of Sarbanes-Oxley, 15 U.S.C
7214(d)(2).
\344\ See section 104(d)(3) of Sarbanes-Oxley, 15 U.S.C
7214(d)(3); see also Rule 4001, Regular Inspections.
\345\ See Rule 4001, Regular Inspections.
---------------------------------------------------------------------------

Given that mandate, the level of documentation that would be
sufficient to enable PCAOB inspectors to evaluate the effectiveness of
a firm's QC system through an inspection may be different from the
level of documentation that would be sufficient for the firm to support
its annual evaluation. Under QC 1000, a firm must evaluate the
effectiveness of its QC system based on the results of its monitoring
and remediation activities,\346\ and firms can determine the nature,
timing, and extent of QC system-level monitoring activities taking into
account a number of factors.\347\ There could be certain quality
responses, or certain instances of the operation of quality responses,
that are not monitored by the firm within a given year and not
considered in connection with the firm's annual evaluation. If the firm
were required to prepare and retain documentation only to the extent
related to its own annual evaluation, the firm might not prepare and
retain documentation to evidence that these quality responses operated
effectively. However, in light of the scope of the PCAOB's statutory
mandate, its inspection procedures cannot be limited to quality
responses (and, to the extent applicable, samples of the operation of
quality responses) that the firm chose to monitor in the period. On the
contrary, firms will be expected to provide evidence of the operating
effectiveness of any quality responses selected for inspection in
connection with the PCAOB's evaluation of the effectiveness of the
firm's QC system.
---------------------------------------------------------------------------

\346\ See QC 1000.77.
\347\ See QC 1000.65.
---------------------------------------------------------------------------

Therefore, the proposed standard contemplated that, in order to
effectively support the firm's QC system, the documentation of the QC
system needs to be at the level of detail to enable an experienced
auditor that understands QC systems but has no experience with the
design, implementation, and operation of the firm's QC system to
understand the design, implementation, and operation of the QC system,
including the quality objectives, quality risks, quality responses,
monitoring activities, remedial actions, and basis for the firm's
conclusions reached in the evaluation of the QC system (``experienced
auditor threshold''). Incorporating the experienced auditor threshold
when describing the extent of detail firms are required to document and
maintain regarding their QC system is appropriate because that level of
detail will facilitate the firm's monitoring activities and external
monitoring, including PCAOB inspections conducted in accordance with
Sarbanes-Oxley. Two firms agreed that the experienced auditor threshold
was appropriate.
Several commenters, including firms and a related group, argued
that the proposed documentation requirements were too broad, and
suggested a variety of different limitations to narrow their scope.
Some firms suggested that the standard differentiate data relating to

[[Page 49690]]

the operation of the QC system from data relating to the design,
implementation, and annual evaluation of the QC system, with a shorter
retention period for the former. Other commenters, including firms and
a related group, recommended that the documentation requirements be
comparable to the documentation requirements that Sarbanes-Oxley
imposes on issuers with regard to management's assessment of the
effectiveness of the issuer's internal control over financial
reporting.\348\ Another firm suggested that the documentation
requirements be comparable and analogous to the documentation retention
requirements set out in the SEC's rules for issuer audits and related
interpretive guidance.\349\ One firm and a related group suggested that
the documentation requirements be limited to the evidence to support
the annual evaluation of the QC system and related monitoring. Two
firms suggested that additional guidance or clarity would be necessary
in order for firms to appropriately adopt documentation retention
policies related to the operation of controls that meet the
expectations of the proposed standard.
---------------------------------------------------------------------------

\348\ See 17 CFR 229.308 (requiring issuers to maintain
evidential matter, including documentation, to provide reasonable
support for management's assessment of the effectiveness of ICFR).
\349\ See 17 CFR 210.2-06(a) (requiring, for audits or reviews
of an issuer's financial statements, retention of records relevant
to the audit or review, including workpapers and other documents
that form the basis of the audit or review, and memoranda,
correspondence, communications, other documents, and records
(including electronic records), which: (1) Are created, sent or
received in connection with the audit or review, and (2) Contain
conclusions, opinions, analyses, or financial data related to the
audit or review).
---------------------------------------------------------------------------

The Board does not believe that any of the more narrowly scoped
documentation requirements suggested by commenters would be
appropriate. QC 1000's documentation requirements need to be aligned
with the PCAOB's mandate, provided by Congress, to ``evaluate the
sufficiency of the quality control system of a firm'' through its
inspection procedures.\350\ Therefore, the Board believes that it is
imperative that documentation that enables the experienced auditor to
evaluate the operation of the quality responses should be included in
the documentation that is prepared and retained by the firm.
---------------------------------------------------------------------------

\350\ See section 104(d)(2) of Sarbanes-Oxley, 15 U.S.C.
7214(d)(2).
---------------------------------------------------------------------------

To clarify the level of detail of the documentation relating to the
operation of the QC system that is to be prepared and retained under QC
1000, paragraph .83 was revised to include a note to .83b. stating that
with respect to the operation of the QC system, the documentation must
include documentation that enables the experienced auditor to evaluate
the operation of the quality responses. As discussed in connection with
paragraph .86 below, the Board continues to believe that all of the
documentation required under the standard should be retained for seven
years.
Commenters also expressed concern that firms would be required to
retain large volumes of documentation. Several commenters suggested
that the costs associated with retaining documentation of the operation
of the QC system would be burdensome, and some further commented that
the data relating to the operation of the QC system could include
sensitive data, and a requirement to prepare and retain all such data
could also introduce heightened data security risks. One firm suggested
the Board consider adding language that appears in SQMS 1 clarifying
which matters require documentation, specifically referencing SQMS 1
paragraphs A224 and A227.\351\
---------------------------------------------------------------------------

\351\ Paragraph A224 of SQMS 1 states that it is neither
necessary nor practicable for the firm to document every matter
considered, or judgment made, about its system of quality
management. Furthermore, compliance with this SQMS may be evidenced
by the firm through its information and communication component,
documents or other written materials, or IT applications that are
integral to the components of the system of quality management.
Paragraph A227 of SQMS 1 states that the firm is not required to
document the consideration of every condition, event, circumstance,
action, or inaction for each quality objective or each risk that may
give rise to a quality risk. However, in documenting the quality
risks and how the firm's responses address the quality risks, the
firm may document the reasons for the assessment given to the
quality risks (that is, the considered occurrence and effect on the
achievement of one or more quality objectives) to support the
consistent implementation and operation of the responses.
---------------------------------------------------------------------------

In considering commenters' concerns that the documentation to
support that the quality responses operated effectively in every
instance would result in a substantial volume of documentation, the
Board believes that the ability to effectively monitor whether the
firm's quality responses are properly designed and operating
effectively should not be restricted by the documentation requirements
of the standard. Furthermore, the Board believes that the new note to
paragraph .83b clarifies that the firm need not prepare and retain
excessively voluminous documentation of the day-to-day operation of
every action of its QC system, provided the information is not required
to satisfy the requirements of paragraphs .82-.83.
The Board believes that the extent of documentation sufficient to
evidence whether the quality responses operated effectively would scale
with the size of the firm's PCAOB practice and the risks and
complexities of their engagements and, in turn, the assessed quality
risks and the quality responses established to address them. Therefore,
the documentation requirements of the standard should be less costly
and burdensome for firms with smaller PCAOB audit practices, which the
Board believes is appropriate.
In addition, firms are able to evaluate the nature and extent of
the documentation that is necessary to evidence the operation of the
quality responses. In determining the sufficiency of the detail and
extent of the QC documentation, the firm may identify quality responses
for which the evidence required to be able to demonstrate that the
quality response operated effectively may not entail retention of all
the information produced in the day-to-day operation of the QC system.
For example, in the event that a large volume of automated emails sent
by the firm to its employees are evidence supporting that a quality
response operated, the firm could evaluate whether alternative evidence
(such as email delivery reports or other aggregated data) would provide
sufficient support regarding the operation of the quality response--
without having to prepare and retain all of the individual emails
within the QC documentation. In addition, to the extent that the
operation of the firm's QC system includes sensitive data, the firm has
flexibility to not include the sensitive data fields in the
documentation that is prepared and retained to the extent that they are
not necessary to evidence that the quality response operated
effectively. Furthermore, informed by its oversight activities, the
PCAOB has observed that firms currently archive and retain
documentation for extended periods of time and are able to implement
processes to appropriately safeguard the information. The PCAOB has
also observed instances where firms have migrated systems and still
maintained the appropriate documentation through archives or through
migration of the information onto the new systems.
As the note to paragraph .83b makes clear, documentation of every
aspect of the operation of the firm's QC system may not be required to
evidence that each quality response operated effectively. For example,
there may be certain documentation, such as emails or meeting
invitations that are sent as part of the day-to-day operation of the

[[Page 49691]]

QC system, that may not be necessary to enable an experienced auditor
to evaluate the effective operation of the quality responses. In these
circumstances, the firm may determine it is not required to prepare and
retain this information within the documentation of its QC system.
However, the Board also believes that there may be circumstances in
which an email or meeting invitation needs to be retained because it
evidences how a quality response operated to address a quality risk and
is necessary to enable an experienced auditor to evaluate the operation
of the quality response.
Although some commenters suggested the documentation requirements
be analogous to the SEC's ICFR documentation retention guidance, the
Board does not believe that is an appropriate threshold. The SEC's
guidance indicates that management's documentation needs to provide
``reasonable support'' for its ICFR assessment and that management's
documentation need not include all controls that exist within a process
that impacts financial reporting, but should be focused on those
controls that management concludes are adequate to address the
financial reporting risks.\352\ QC 1000 is not a ``reasonable support''
standard and instead requires documentation to understand how the
firm's quality responses are designed to address the quality risks and
evidence the operation of the QC system.
---------------------------------------------------------------------------

\352\ See Commission Guidance Regarding Management's Report on
Internal Control Over Financial Reporting Under section 13(a) or
15(d) of the Securities Exchange Act of 1934, SEC Rel. No. 33-8810
(June 27, 2007), available at https://www.sec.gov/files/rules/interp/2007/33-8810.pdf.
---------------------------------------------------------------------------

The standard's approach to documentation requirements is
principles-based and provides for scalability. When determining the
form, content, and extent of documentation, the firm will consider,
among other things, the nature and circumstances of the firm and the
nature and complexity of the matter being documented. For example, for
a large multi-office firm that performs many audits under PCAOB
standards, the extent of documentation would be greater than for a
small, single-office firm with a few firm personnel that audits one
issuer or broker-dealer. The firm's documentation may take the form of
formal written manuals and checklists or may be informally documented
(e.g., in email communications), subject to the requirement of
paragraph .83 that the documentation be in sufficient detail to support
a consistent understanding of the QC system by firm personnel and for
an experienced auditor to understand the design, implementation, and
operation of the QC system. The firm may determine that a detailed memo
is a more appropriate form of documentation for more complex matters,
whereas, for less complex matters, briefer communications, such as
email, may suffice. The nature and circumstances of the firm and the
nature and complexity of the matter being documented are not the only
factors that could drive the form, content, and extent of
documentation. There may be other factors, such as the nature of the
firm's engagements or the frequency and extent of changes in the firm's
QC systems. The Board believes this principles-based approach provides
for scalability and that providing specific guidelines and detailed
examples of various types of documentation would potentially limit
firms' flexibility unnecessarily.
The proposal contemplated that firms would have to concurrently
file their Form QC and assemble their documentation for retention by
the same date. As adopted, the standard provides that firms have an
additional 14 days after the date that the firm is required to file
Form QC to assemble their documentation. Several commenters expressed
concern with having the QC documentation completion date be concurrent
with the date that the firm must report annually to the PCAOB on Form
QC pursuant to paragraph .79. Many of these commenters recommended a
document completion date 45 days after the reporting date, with some of
these commenters suggesting that 45 days would ensure consistency with
the requirements of AS 1215. One firm suggested that a full 45 days to
assemble a complete and final set of documentation was not necessary,
but the time period needed to assemble documentation should be built
into an evaluation of the length of the reporting period if the final
standard retained a document completion date concurrent to the
reporting date.
After consideration of the comments received, the Board revised
paragraph .84 to provide firms up until December 14 (a total of 75 days
after the evaluation date) to complete a final set of QC documentation.
This includes an additional 14 days after the date that the firm is
required to report to the PCAOB on Form QC. The 14-day period aligns
with the changes to PCAOB requirements for engagement
documentation.\353\ The Board believes that larger PCAOB audit
practices with more complex and scaled up QC systems will employ the
use of electronic tools in the assembly of the documentation of the QC
system, and therefore a 14-day period to the QC documentation
completion date is feasible. In addition, for smaller PCAOB audit
practices with scaled down QC systems, the Board expects that the
volume of documentation to be assembled will be smaller such that a 14-
day period is also feasible for those firms. Furthermore, the Board
notes that, because the final rule includes a longer period from
evaluation date to reporting date than proposed, under the final
standard firms will have 75 days after the evaluation date to assemble
their documentation, rather than 45 days as proposed.
---------------------------------------------------------------------------

\353\ Amendments to the engagement documentation requirements in
AS 1215 are addressed in a separate release. See Auditor
Responsibilities Release.
---------------------------------------------------------------------------

The standard permits additional documentation supporting a firm's
QC system to be added after the QC documentation completion date in a
manner similar to the addition of audit evidence to audit documentation
under AS 1215.16. When this occurs, the standard requires a firm to
indicate the date the information was added, the name of the person who
prepared the additional documentation, and the reason for adding it.
The standard also requires all previously retained documentation
supporting the firm's evaluation of its QC system to remain intact and
not be discarded.
The proposed standard contemplated that the firm would retain QC
documentation for seven years from the QC documentation completion
date, unless a longer period is required by law.
Two firms commented that they believed the seven-year retention
period to be cost-prohibitive. One of these firms commented that if the
firm changed its systems, for example, it will have to maintain
additional licenses for old systems to access and use the data and pay
for up to seven years' worth of storage, and it believes that
maintaining that much data would introduce unnecessary cost as well as
increased cybersecurity risk. The firm also commented that the seven-
year retention period goes beyond the retention requirements of the
quality management standards set forth by the

[[Page 49692]]

AICPA \354\ and IAASB,\355\ and that this difference could cause
operational challenges. The firm recommended aligning the documentation
requirements with the firm's inspection and remediation cycle or
allowing the firm to use a risk-based approach based on its judgment.
Two firms opposed the seven-year period and suggested that it be based
on the most recent inspection (for example, one year from the most
recent inspection period), or until the inspection for a particular
period has been completed.
---------------------------------------------------------------------------

\354\ SQMS 1 requires the firm to establish a period of time for
the retention of documentation for the system of quality management
that is sufficient to enable the firm and its peer reviewer to
monitor the design, implementation, and operation of the firm's
system of quality management or for a longer period if required by
law or regulation. See paragraph 61. Of SQMS 1.
\355\ ISQM 1 requires the firm to establish a period of time for
the retention of documentation for the system of quality management
that is sufficient to enable the firm to monitor the design,
implementation and operation of the firm's system of quality
management, or for a longer period if required by law or regulation.
See paragraph 60. of ISQM 1.
---------------------------------------------------------------------------

As discussed in the proposal, the Board was concerned that
requiring the retention period to be aligned with the PCAOB inspection
cycle would be too short. A firm's remediation activities may span
multiple years and the actions taken by the firm in certain areas may
be informed by prior actions. Further, the objective of the
documentation requirement is much broader than providing evidence for
inspection purposes or enabling proper remediation. As described in the
proposal, the Board believes that the documentation may also be useful
for training purposes, ensuring the retention of organizational
knowledge, and providing a history of the basis for decisions made by
the firm about its QC system. One firm commented on these purposes and
suggested that firms should determine what documentation has continuing
relevance based on the circumstances. Another firm suggested that this
could be reasonably handled by firms on a case-by-case basis, and any
necessary documentation that could impact or inform future periods
could be specifically retained. The firm further commented that some
information would become stale over time and that it does not
anticipate information retained early on being used for training or the
retention of organizational knowledge in later years. A firm and a
related group commented that a seven-year retention requirement is
appropriate as it pertains to documentation that supports a firm's
evaluation of its system of quality control and the related testing.
After consideration of the comments received, together with the
amendment made to paragraph .83. of the standard, the Board adopted the
requirement to retain documentation for seven years from the QC
documentation completion date, unless a longer period of time is
required by law, as proposed. Paragraph .86 was amended to clarify that
the documentation to be retained for this period is the documentation
of its QC system required under paragraphs .81-.83 and paragraph .85.
This requirement aligns the QC document retention requirement with
other requirements in PCAOB standards and SEC rules (such as 17 CFR
210.2-06). Furthermore, the documentation relating to the firm's
engagements must be retained for seven years,\356\ and the Board
believes that it is appropriate for the firm to also retain
documentation of the QC system that operated over those engagements for
the same time period. For consistency and practical application, the
retention period is the same for all firms and applies to all
documentation the firm is required to accumulate to meet the
documentation requirements of the standard.
---------------------------------------------------------------------------

\356\ See AS 1215.14.
---------------------------------------------------------------------------

2. Current PCAOB Standards
Existing QC 20 provides that:
Appropriate consideration should be given to the extent to
which QC policies and procedures, and compliance with them, should be
documented.\357\
---------------------------------------------------------------------------

\357\ See QC 20.21.
---------------------------------------------------------------------------

The form, content, and extent of documentation depends on
relevant factors, including the size, structure, and nature of the
firm's practice.\358\
---------------------------------------------------------------------------

\358\ See QC 20.24-.25.
---------------------------------------------------------------------------

A firm should prepare appropriate documentation to
demonstrate compliance with its policies and procedures for the QC
system.\359\
---------------------------------------------------------------------------

\359\ See QC 20.25.
---------------------------------------------------------------------------

Documentation should be retained for a period sufficient
to enable those performing monitoring procedures and a peer review to
evaluate the extent of the firm's compliance with its QC policies and
procedures.\360\
---------------------------------------------------------------------------

\360\ See QC 20.25.
---------------------------------------------------------------------------

QC 30 and the SECPS membership requirements include documentation
requirements for certain items such as findings from certain monitoring
activities, CPE, notification of cessation of client relationships,
filing reviews under Appendix K, and corrective actions to address
apparent independence violations.\361\
---------------------------------------------------------------------------

\361\ See, e.g., QC 30.08; SECPS 1000.08(m), 1000.45, 1000.46,
8000.
---------------------------------------------------------------------------

Additional Amendments

QC 1000 supersedes the existing PCAOB interim QC standards in their
entirety. Currently, Rule 3400T requires registered firms and their
associated persons to comply with the AICPA's quality control standards
as in existence on April 16, 2003, to the extent not superseded or
amended by the Board. Rule 3400T identifies the AICPA's Statements on
QC Standards (QC 20, QC 30, QC 40) and certain of the AICPA's SECPS
membership requirements, which are applicable only to firms that were
members of the AICPA SEC Practice Section on April 16, 2003. The Board
rescinded Rule 3400T. In consequence, the interim quality control
standards referenced in Rule 3400T are no longer part of PCAOB
standards. Rule 3400T is replaced with Rule 3400, which describes the
auditor's responsibilities for complying with quality control standards
adopted by the Board and approved by the SEC.
Other amendments to PCAOB standards, rules, and forms are described
below.

Amendments to AS 2901, Consideration of Omitted Procedures After the
Report Date, and Related Amendments

1. Background
Currently, AS 2901 applies when the auditor concludes, after
issuing its report on the financial statements, that procedures
``considered necessary at the time of the audit in the circumstances
then existing'' were omitted from an audit of the financial statements,
but there is no indication that the financial statements are not fairly
presented.\362\ Existing AS 2901 requires remedial action if (i) the
auditor concludes that the omitted procedures impair its ability to
support the previously issued opinion, and (ii) people are likely to
rely on the report. If remedial action is required but the auditor is
not able to perform the omitted procedures or alternative procedures
that support the opinion, the standard directs the auditor to consult
with counsel. Existing AS 2901 does not apply to ICFR audits or to
attestation engagements.
---------------------------------------------------------------------------

\362\ AS 2905, rather than AS 2901, applies if the auditor
subsequently learns of facts regarding the financial statements
existing at the date of its report that might have affected its
opinion. Paragraph .98 of AS 2201 is an analogous provision in the
context of ICFR audits.
---------------------------------------------------------------------------

2. Amendments to AS 2901
The Board believes that amendments to AS 2901 are appropriate to
modernize the standard, incorporate the concepts and terminology
introduced in QC 1000, and bring the standard into alignment

[[Page 49693]]

with the auditor's existing responsibility to obtain sufficient
appropriate audit evidence to support the opinion.
QC 1000 introduces a new term, ``engagement deficiency,'' defined
as an instance of noncompliance with applicable professional or legal
requirements by the firm, firm personnel, or other participants with
respect to an engagement of the firm, or by the firm or firm personnel
with respect to an engagement of another firm. For an engagement
deficiency related to a completed engagement, QC 1000 requires firms to
take action to address the engagement deficiency ``in accordance with
applicable professional and legal requirements'' (e.g., AS 2901, AS
2905, AS 2201.98-.99).
The Board broadened the scope of AS 2901 to incorporate this new
terminology, so that remedial action is required for engagement
deficiencies for both financial statement audits and ICFR audits unless
it was probable that the engagement report is not being relied
upon.\363\ Reflecting this broader scope, the name of the standard was
also changed to ``Responding to Engagement Deficiencies After Issuance
of the Auditor's Report.''
---------------------------------------------------------------------------

\363\ See QC 1000.68b.
---------------------------------------------------------------------------

a. Scope and Applicability (AS 2901.01-.02)
Note that, under PCAOB Rule 1001(a)(xii), ``auditor'' as used in AS
2901 means both firms and their associated persons.
i. Engagements Covered
Existing AS 2901 predates ICFR audit requirements and applies only
to financial statement audits. The Board proposed to extend the scope
of AS 2901 to cover engagement deficiencies in ICFR audits as well.
Several commenters, generally firms, agreed with the proposal to extend
the scope of AS 2901 to include engagement deficiencies in ICFR audits,
and the Board adopted that change in scope.
Similar to the concept in existing AS 2901, the Board proposed that
the revised standard would not apply to engagements where it is
probable that the audit report is not being relied upon.\364\ The
proposed standard included a note providing that the firm must treat an
engagement report as being relied upon if the engagement report is
included in the most recent SEC filing on a form that requires its
inclusion. One commenter pointed out that the use of the term ``must''
in the proposed note did not allow for the auditor to take into account
situations that may indicate an auditor's report is not being relied
upon even when the auditor's report is included in the most recent
filing on an SEC form. Two commenters suggested that the standard
should also exclude engagements where the issuance of the subsequent
year's auditor's report is imminent.
---------------------------------------------------------------------------

\364\ Under current AS 2901, the test is whether the auditor
believes there are persons currently relying, or likely to rely, on
the audit report. Under the final standard, the test would be
whether it is probable that no one is relying, without reference to
the auditor's belief. The term ``probable'' has the same meaning as
described in the FASB ASC paragraph 450-20-25-1.
---------------------------------------------------------------------------

The Board agrees that the standard should allow for circumstances
where the auditor's report is included in the most recent filing on an
SEC report, but the auditor may nonetheless conclude that the auditor's
report is no longer being relied upon. However, in the Board's view,
the fact that the issuance of the subsequent year's auditor's report is
imminent is not determinative of whether the report continues to be
relied upon.
The Board revised the note to paragraph .01 to provide that, in the
absence of circumstances indicating that reliance is impossible or
unreasonable (e.g., cessation of a trading market for issuer
securities), inclusion of an auditor's report in the most recent filing
on an SEC form that requires inclusion of such an auditor's report
evidences that the report is being relied upon. The Board believes this
is responsive to commenter concerns and allows for sufficient
flexibility. The note has also been revised to clarify that an
auditor's report can be included in an SEC filing either directly or
through incorporation by reference.
The determination that an auditor's report is not being relied upon
would primarily be influenced by whether the auditor's report and
related financial statements are readily available and whether a
trading market exists for the company's securities. Circumstances that
may suggest the engagement report is no longer being relied upon could
include:
So much time has elapsed that the financial statements
covered by the auditor's report are no longer required to be included
in SEC periodic reports.
The issuer's or broker-dealer's business has been
dissolved or gone into liquidation.
ii. Compliance With AS 2905/AS 2201.98
Under the amendments, AS 2901 points the auditor to AS 2905 or AS
2201.98 to the extent they apply. This preserves the difference in
treatment that exists under current auditing standards between
situations where financial statements and potentially the audit opinion
may be in doubt (AS 2905 or AS 2201), and other circumstances where
remedial action is required but there is no initial indication that the
financial statements might be misstated (AS 2901).
iii. Deficiencies Covered
Existing AS 2901 applies when the auditor concludes that procedures
considered necessary at the time of the audit in the circumstances then
existing were omitted. As proposed, AS 2901 was extended to cover all
engagement deficiencies identified. The Board believes it is more
consistent with the basic philosophy of QC 1000 and better supports the
ultimate goal of improving audit quality to require remedial action for
all engagement deficiencies, regardless of whether the audit opinion is
unsupported.
b. Activities To Address Engagement Deficiencies
AS 2901 currently requires remedial action when, due to omitted
procedures that were considered necessary at the time of the audit, the
auditor's opinion is not sufficiently supported. The required action is
to perform the omitted procedures or alternative procedures that would
support the opinion. If that is not possible, the auditor is directed
to consult an attorney to determine an appropriate course of action.
Under the proposal, remedial action would be required for all
engagement deficiencies--both those engagement deficiencies that affect
the auditor's opinion and those that do not. Many commenters expressed
concern with the proposal to require remedial actions for all
engagement deficiencies, with one commenter suggesting that remedial
actions should only be required for major deficiencies, and another
commenter suggesting that the need for remedial actions should be
assessed on a case-by-case basis, taking into account the severity of
the engagement deficiency. Several commenters suggested that firms
should be able to exercise judgment about whether remediation is
necessary and observed that in practice most identified engagement
deficiencies are remediated. Other commenters considered the proposed
requirement overly prescriptive and one commenter suggested that the
requirement was unnecessarily burdensome for instances where the
auditor's report is adequately supported despite an identified
engagement deficiency. On the other hand, two commenters expressed
support for the Board's approach to the

[[Page 49694]]

obligation to remediate engagement deficiencies, with one commenter
stating that requiring remedial action for all identified engagement
deficiencies, not just in situations where the auditor's opinion may be
unsupported, would contribute to improving audit quality.
The Board continues to believe that requiring firms to take action
to address all engagement deficiencies, whether related to an
unsupported auditor's opinion or not, is appropriate and reinforces a
firm's obligation to comply with all applicable professional and legal
requirements, and adopted this requirement as proposed. As discussed
below, when the opinion is appropriately supported, the firm may
determine which actions to take in response to an engagement
deficiency.
i. Addressing Engagement Deficiencies Related to an Unsupported
Auditor's Opinion (AS 2901.03)
Under the proposal, in cases where the auditor did not obtain
sufficient appropriate audit evidence to support the opinion, the
auditor would have been required to either obtain additional evidence
such that the opinion is adequately supported or take action to prevent
future reliance on the report. One firm suggested that further guidance
regarding these requirements would assist a firm in distinguishing
between the engagement deficiencies that are subject to this provision
rather than paragraph .04 (discussed below), or in the alternative,
explicit alignment to the PCAOB's definition of a Part I.A or Part I.B
deficiency.\365\ The Board is reluctant to incorporate terminology into
its standards that does not have a fixed meaning under PCAOB rules and
is subject to change.\366\ The Board also does not want to suggest that
the requirements apply only to deficiencies identified by the PCAOB.
However, in order to address this concern, paragraphs .03a and .03b
were revised to make it explicit that the auditor's actions in
paragraph .03b relate specifically to instances where the auditor is
not able to obtain sufficient appropriate audit evidence to support the
auditor's opinion.
---------------------------------------------------------------------------

\365\ Subsequent to the date of the comment letter, the PCAOB
created an additional category, Part I.C deficiencies. Definitions
of Part I.A, Part I.B, and Part I.C deficiencies are available on
the PCAOB website at https://pcaobus.org/oversight/inspections/inspection-procedures.
\366\ As an example of how the Board's inspection reporting
framework can change over time, in May 2023, the Board introduced
several transparency enhancements to its inspection reports,
including a new section of the inspection report focused on
independence violations (Part I.C).
---------------------------------------------------------------------------

The type of procedures that the auditor performs in response should
be guided by the type and amount of evidence needed to support the
auditor's opinion. If the auditor is not able to obtain sufficient
appropriate evidence to support the opinion, the auditor is required to
take appropriate action to prevent future reliance on the audit report.
The Board also amended AS 2201 as part of this rulemaking to include a
reference to AS 2901 as a reminder of auditor responsibilities under
that section with respect to audits of internal control over financial
reporting.\367\
---------------------------------------------------------------------------

\367\ See Appendix 5, Other Amendments.
---------------------------------------------------------------------------

ii. Addressing All Other Engagement Deficiencies
Under the proposed standard, for all other deficiencies on audit
engagements, the auditor would have been required to perform remedial
actions, similar to those described in QC 1000.69, based on the
auditor's determination of what action (corrective, preventive, or
both) is appropriate based upon the specific facts and circumstances.
The proposal described the following potential responses to engagement
deficiencies:
Take corrective action to completely remediate the
deficiency, where appropriate.
For deficiencies that cannot be completely remediated,
remediate to the extent possible and implement measures to prevent
recurrence. For example, if a Form AP was filed late, the auditor would
not be able to remediate the lateness but could improve the controls
over the filing process.
Determine, based on the facts and circumstances, that no
further remedial action is necessary, e.g., because of remedial actions
already taken to respond to other deficiencies.
One commenter suggested including language in the lead-in to the
note to paragraph .04 to further clarify that the actions a firm may
take to remediate an engagement deficiency could be either corrective
or preventive, or could be a combination of the two. The note in the
final standard reflects this clarification.
Additionally, the term ``remedial'' was removed from the final
standard in the lead-in to the note to paragraph .04 in order to
encompass all actions required under applicable professional and legal
requirements, some of which (e.g., notification to the board of
directors or regulatory agencies) may not be remedial in nature.
c. Documentation
The proposed documentation requirement did not draw comment and was
adopted as proposed.
When the auditor's response to engagement deficiencies involves
adding additional information to the auditor's working papers, the
requirements of AS 1215.16 will apply.
Under AS 2901, the auditor should document the actions taken
pursuant to paragraphs .03 and .04 to address engagement deficiencies
in an audit engagement where the audit report has previously been
issued. This documentation requirement is consistent with the
documentation requirements in proposed QC 1000.82c for all engagement
deficiencies.
3. Related Amendments
The Board proposed to add provisions similar to AS 2901 to the
standards for broker-dealer attestation engagements, AT No. 1 and AT
No. 2, to prompt auditors of brokers and dealers to take appropriate
action if they discover that the opinion or conclusion in a previously
issued attestation report was not supported. Currently, those standards
are silent as to the responsibilities that apply when a deficiency is
identified after the engagement report is issued.
One commenter, who recommended changes to proposed AS 2901
(including that remediation should be required only when the auditor's
opinion may not be supported), suggested that the same changes be
incorporated into AT No. 1 and AT No. 2. For the reasons discussed
above in the context of AS 2901, the Board does not believe such a
limitation is appropriate. However, the Board made a conforming change,
similar to a change made to AS 2901, to the note to clarify that the
auditor must treat reports as being relied upon when the examination
report (in the case of AT No. 1) or review report (in the case of AT
No. 2) is included (either directly or through incorporation by
reference) in an SEC filing on an SEC form that requires inclusion of
such an examination report or review report. The Board also made
revisions to the proposed requirements in AT No. 1 and AT No. 2 by
removing the word ``remedial'' from the lead-in language to the notes
in each of the respective standards in order to encompass all actions
required under applicable professional and legal requirements, some of
which (e.g., notification to the board of directors or regulatory
agencies) may not be remedial in nature. With these modifications, the
Board adopted the proposed amendments to AT No. 1 and AT No. 2.
The Board also amended AS 2201 as part of this rulemaking to
include a reference to AS 2901 as a reminder of auditor
responsibilities under that

[[Page 49695]]

section with respect to audits of internal control over financial
reporting.\368\
---------------------------------------------------------------------------

\368\ See Appendix 5, Other Amendments.
---------------------------------------------------------------------------

The Board did not propose to amend its interim attestation
standards to include provisions similar to AS 2901. One commenter
encouraged the Board to consider creating a separate attestation
standard like AS 2901 to minimize repetition within each attestation
standard, especially if the Board plans to adopt new standards beyond
AT No. 1 and AT No. 2 in the future. At this time, the Board did not
amend its interim attestation standards to include provisions similar
to AS 2901, though it may consider doing so in the future.

Rescission of ET Section 102; Adoption of EI 1000; Related Amendments

1. Rescission of ET Section 102 and Adoption of EI 1000, Integrity and
Objectivity
The Board rescinded an interim ethics and independence standard, ET
102, Integrity and Objectivity, replacing it with a new standard, EI
1000, Integrity and Objectivity. EI 1000 is based on existing ET 102,
including its related interpretations codified as ET 102.02, .03, and
.05, but reflects revisions that align PCAOB ethics requirements with
the scope, approach, and terminology of QC 1000. To take one example,
the new EI 1000 applies to registered public accounting firms and their
associated persons rather than current AICPA ``members'' as referenced
in ET 102.
Integrity and objectivity are foundational to the audit and
critical to the performance of engagements under PCAOB standards. They
lend credibility and engender trust in financial reporting. As the U.S.
Supreme Court pointed out in United States v. Arthur Young:

By certifying the public reports that collectively depict a
corporation's financial status, the independent auditor assumes a
public responsibility transcending any employment relationship with
the client. The independent public accountant performing this
special function owes ultimate allegiance to the corporation's
creditors and stockholders, as well as to the investing public. This
``public watchdog'' function demands that the accountant maintain
total independence from the client at all times, and requires
complete fidelity to the public trust.\369\
---------------------------------------------------------------------------

\369\ United States v. Arthur Young, 465 U.S. 805, 817-818
(1984).

The responsibility to maintain integrity and objectivity is an
important counterbalance to the risk that the auditor may be unduly
influenced by company management or may be subject to cognitive or
other biases in performing the audit.\370\ In turn, an auditor's
integrity and objectivity can help to increase investor trust in
financial reporting and strengthen capital markets.
---------------------------------------------------------------------------

\370\ See, e.g., Auditing Accounting Estimates, Including Fair
Value Measurements and Amendments to PCAOB Auditing Standards, PCAOB
Rel. No. 2018-005 (Dec. 20, 2018), at 30-35 (discussing auditor
incentives and potential cognitive biases).
---------------------------------------------------------------------------

Currently, paragraph .01 of ET 102 sets out three requirements that
apply in the performance of a professional service: (i) maintaining
integrity and objectivity, (ii) being free of conflicts of interest,
and (iii) not knowingly misrepresenting facts or subordinating
judgment. The remaining paragraphs of the rule and the relevant
portions of ET 191 provide more detailed direction in specific
contexts.
The Board proposed creating two overarching requirements in EI
1000: (i) maintaining integrity, which would include being honest and
candid, not knowingly or recklessly misrepresenting facts, and not
subordinating judgment; and (ii) maintaining objectivity, which would
include being impartial, intellectually honest, and free of conflicts
of interest. The proposal incorporated descriptions of integrity and
objectivity that were substantially based on existing requirements in
QC 20.10.\371\
---------------------------------------------------------------------------

\371\ QC 20.10 states: ``Integrity requires personnel to be
honest and candid within the constraints of client confidentiality.
. . . The principle of objectivity imposes the obligation to be
impartial, intellectually honest, and free of conflicts of
interest.''
---------------------------------------------------------------------------

In addition to substantially recodifying existing requirements, the
Board also proposed to clarify the scope of the rule and more closely
align it with the scope, approach, and terminology of QC 1000.
With two clarifications discussed below, the Board adopted EI 1000
as proposed and rescinded ET 102.
a. General
As proposed, the Board modernized the standard and aligned it with
other PCAOB standards and rules by renumbering it in accordance with
the PCAOB's reorganized standards framework, incorporating PCAOB
terminology, and eliminating outdated provisions.
The final rule clarifies that the requirements of EI 1000 apply in
connection with all responsibilities under ``applicable professional
and legal requirements'' (as defined in QC 1000) and the firm's related
policies and procedures, whether in relation to the firm's engagements,
work the firm does on other firms' engagements, training, independence
monitoring, or other activities that are part of or subject to the
firm's QC system. In addition, EI 1000 applies to registered firms and
their associated persons, rather than to ``members'' as ET 102
currently provides.
The final rule also corrects a reference in EI 1000.02.b(2) from
``materially false and misleading'' to ``materially false or
misleading.''
One commenter supported the replacement of ET 102 with EI 1000, but
recommended labeling it ``OI'' for Objectivity and Integrity. As
described in the proposal, the Board created a designation not only for
its standard on objectivity and integrity, but for future standards as
well. The Board intends to use ``EI'' for all ethics and independence
standards, just as it uses ``AS'' to designate auditing standards.
While one commenter confirmed that the terms used in EI 1000 are
generally clear, another commenter recommended clarifying the
expectations for the terms ``being honest and candid'' in EI 1000.02
and ``being intellectually honest'' in EI 1000.03. This language is
drawn from existing QC 20.10, has a clear plain English meaning, and
the Board believes should be well understood.
b. Integrity
EI 1000.02 notes that, as part of maintaining integrity, a firm and
its associated persons must be ``honest and candid.'' This requirement
is drawn from existing QC 20.10. The Board omitted the reference to
``within the constraints of client confidentiality'' in order to avoid
suggesting that ``client confidentiality'' could limit a firm's or its
associated persons' obligations to comply with the requirements of
PCAOB rules or standards. This is consistent with the Board's
interpretation of QC 20.10, under which a firm or its associated
persons must be honest and candid in complying with PCAOB rules and
standards, including during PCAOB inspections. It also confirms, among
other things, that associated persons have the ability to report
wrongdoing within the firm and to the appropriate regulatory
authorities without constraints of confidentiality, consistent with
PCAOB rules and standards. Similar to current QC 20.10, EI 1000.02 does
not address the requirements of client confidentiality beyond the
requirements set forth in PCAOB rules and standards and applicable
requirements of the Federal

[[Page 49696]]

securities laws, including the Sarbanes-Oxley Act.\372\
---------------------------------------------------------------------------

\372\ As a general matter, the Uniform Accountancy Act excludes
from the prohibition against voluntary disclosure, in part,
``information required to be disclosed by the standards of the
public accounting profession in reporting on the examination of
financial statements or as prohibiting compliance with applicable
laws, government regulations or PCAOB requirements.'' AICPA, Uniform
Accountancy Act (January 2018). available at https://us.aicpa.org/content/dam/aicpa/advocacy/state/downloadabledocuments/uaa-eighth-edition-january-2018.pdf.
---------------------------------------------------------------------------

One commenter suggested that, rather than removing the reference to
confidentiality, the Board should instead refer to IESBA Code Section
260 related to noncompliance with laws or regulations. In general, the
Board does not incorporate by reference the concepts and terminology
used by other standard setters. In relation to noncompliance with laws
and regulations in particular, the Board has proposed its own new
standard.\373\ If a new PCAOB standard in that area is ultimately
adopted by the Board and approved by the SEC and makes it appropriate
for the Board to amend EI 1000, the Board would of course intend for EI
1000 to align with its new standard rather than the IESBA code.
---------------------------------------------------------------------------

\373\ See Proposing Release: Amendments to PCAOB Auditing
Standards related to a Company's Noncompliance with Laws and
Regulations And Other Related Amendments, PCAOB Rel. No. 2023-003
(June 6, 2023).
---------------------------------------------------------------------------

The proposal clarified that the responsibility to avoid factual
misrepresentations covers not only knowing, but also reckless behavior,
and that this responsibility applies to any knowing or reckless
misrepresentation of fact, including situations where documents--such
as work papers and communications with the PCAOB and the SEC--
containing materially false or misleading information are knowingly or
recklessly signed, permitted or directed to be signed, or left
uncorrected by those with authority to correct them.
One commenter suggested that the concept of failing to correct a
document that is materially false and misleading when having the
authority to do so should be limited to circumstances in which the
document was materially false and misleading ``when made.'' The Board
agrees that the duty to correct is not unbounded, and generally applies
at the time that a document is made (including when filed with or
submitted to a regulatory authority). The Board notes, however, that
while EI 1000 does not independently impose a duty to correct a
document that was not materially false or misleading when made, such a
duty may arise under other statutes, laws, or regulations, and the
Board believes that in such a circumstance, the failure to discharge
that duty should also constitute a violation of EI 1000. The Board
added language to EI 1000.02b to clarify the circumstances under which
failure to correct a document would constitute a knowing or reckless
misrepresentation of facts.
The Board proposed to broaden the responsibility to avoid
subordination of judgment so it would apply to any dispute or
disagreement over applicable professional and legal requirements or how
to apply them. One commenter suggested that, as part of the provision
on subordination of judgment, the Board should address the risk of
supervisors exercising undue influence over subordinates in the same
manner as under the AICPA Code of Professional Conduct.\374\ The
relevant interpretive provision of the AICPA Code, 1.130.020,
Subordination of Judgment, identifies undue influence by a supervisor
as a potential threat to compliance with the AICPA's Integrity and
Objectivity Rule \375\ and provides safeguards to be applied when the
threat is not at an acceptable level. The safeguards to be applied are
essentially the same as the process required under EI 1000.02c,
including research and consultation to determine whether the
supervisor's position is supportable, consultation with higher levels
of management, and, if appropriate action is not taken, consideration
of potential duties to notify third parties and consideration of the
appropriateness of continuing a relationship with the firm. In addition
to the provision in EI 1000, QC 1000 also addresses the risk of undue
influence through a quality objective in the engagement performance
component related to the appropriate resolution of differences in
professional judgment,\376\ as well as general provisions that would
apply to undue influence by a supervisor, including in the governance
and leadership component,\377\ the ethics and independence
component,\378\ and the resources component.\379\ The Board believes
these provisions address the concerns raised by this commenter and have
adopted the subordination of judgment provision of EI 1000 as proposed.
---------------------------------------------------------------------------

\374\ AICPA Code of Professional Conduct 1.130.020,
Subordination of Judgment.
\375\ Id. at 1.100.001.
\376\ QC 1000.42.c.
\377\ QC 1000.25.
\378\ QC 1000.33b, c., and f.
\379\ QC 1000.46a.
---------------------------------------------------------------------------

c. Objectivity
One commenter suggested that the Board could clarify the standard
by including references to the AICPA or IESBA concepts of conflict of
interest. As noted above, it is not generally Board policy to
incorporate by reference the concepts and terminology used by other
standard setters. The Board also believes that a cross reference is not
appropriate because EI 1000 addresses essentially the same conduct as
the AICPA and IESBA provisions.
d. Rescission of Certain AICPA Interpretations
Additionally, the Board rescinded the former AICPA interpretations
currently codified as ET 102.04, .06, and .07, which address members'
obligations to their employer's external accountant, performance of
educational services, and professional services involving client
advocacy, respectively. These are generally not relevant to engagements
performed under PCAOB standards. In addition, the matters addressed in
paragraph .07 are either effectively superseded by 17 CFR 210.2-01 or
more effectively addressed elsewhere in PCAOB standards (e.g., AS 2610,
Initial Audits--Communications Between Predecessor and Successor
Auditors).
2. Amendments to ET Section 191
In connection with EI 1000, the Board also proposed amending ET 191
by making a conforming amendment to paragraph .062 and rescinding
paragraphs .130, .131, .170, .171, .186, .187, .198, .199, .202, and
.203. The only commenter on this topic supported these amendments. The
Board adopted the amendments as proposed. The interpretations the Board
rescinded (addressing, respectively, use of the CPA designation by
accountants not in public practice, service as a director of a bank,
service on the board of directors of United Way or a similar federated
fund-raising organization, providing services for company executives,
and providing client advocacy services) are generally not relevant to
engagements performed under PCAOB standards or are addressed elsewhere
in PCAOB and SEC rules. The Board did not amend the portions of ET 191
that pertain to ET 101, which is not being substantively amended in
this rulemaking.
3. Amendments to Rule 3500T, Interim Ethics and Independence Standards,
and ET Section 101, Independence
The Board proposed amending paragraph (a) of Rule 3500T to
eliminate the introductory phrase ``In connection with the preparation
or issuance of any audit report,'' which it believes may cause the rule
to be read unduly narrowly. The Board also proposed eliminating
references to ET 102, Integrity and Objectivity, and

[[Page 49697]]

substituting a reference to EI 1000, Integrity and Objectivity. These
proposed amendments did not receive any comment and were adopted as
proposed.
Lastly, the Board amended paragraphs .04, .13, and .16 of ET 101,
Independence, to conform the references to ET 102, which will be
rescinded, to EI 1000.

Other Amendments

In connection with the adoption of QC 1000, the Board also adopted
amendments to other professional standards, PCAOB rules, and PCAOB
forms. As discussed in more detail below, these amendments:
Align terminology, concepts, and cross-references with QC
1000;
Rescind standards that are unnecessary in light of the
adoption of QC 1000;
Recodify certain provisions of requirements that are
rescinded into other PCAOB standards and rules; and
Make other technical and clarifying amendments.
The one commenter that addressed this topic generally supported the
amendments and also recommended an amendment to PCAOB Rule 1001(p)(vi)
to use the term ``quality control standards'' instead of ``quality
control policies and procedures.'' The language used in PCAOB Rule
1001(p)(vi) is drawn from section 110(5) of Sarbanes-Oxley and the
Board believes its rule should continue to align with that statutory
provision.
These amendments are discussed further below.
1. Rescission of Rule 3400T, Interim Quality Control Standards;
Adoption of Rule 3400, Quality Control Standards
These rule changes did not receive any comment and were adopted as
proposed.
PCAOB Rule 3400T, Interim Quality Control Standards, requires
registered public accounting firms and their associated persons to
comply with the Board's interim quality control standards. The Board
rescinded Rule 3400T, including all current QC standards identified in
the rule, which the Board adopted on an interim, transitional
basis.\380\ The Board adopted in its place a new rule, Rule 3400, to
codify the auditor's responsibilities for complying with the Board's
quality control standards.
---------------------------------------------------------------------------

\380\ Under PCAOB Rule 3400T(a), all firms are required to
comply with QC standards as described in ``the AICPA's Auditing
Standards Board's Statements on Quality Control Standards, as in
existence on April 16, 2003 (AICPA Professional Standards, QC
Sec. Sec. 20-40 (AICPA 2002)), to the extent not superseded or
amended by the Board.''. PCAOB Rule 3400T(b) requires certain firms
to comply with QC standards as described in ``the AICPA SEC Practice
Section's Requirements of Membership (d), (l), (m), (n)(1), and (o),
as in existence on April 16, 2003 (AICPA SEC Practice Section Manual
1000.08(d), (j), (m), (n)(1), and (o)), to the extent not superseded
or amended by the Board.'' PCAOB Rule 3400T(b). The note to Rule
3400T provides that those requirements ``only apply to those
registered public accounting firms that were members of the AICPA
SEC Practice Section on April 16, 2003.''
---------------------------------------------------------------------------

2. Rescission of AS 1110, Relationship of Auditing Standards to Quality
Control Standards
The Board received no comment on the proposed rescission of AS 1110
and rescinded it, as proposed.
At the time AS 1110 was issued, it served to describe the
relationship between the then already-existing auditing standards and
the new set of standards that governed a firm's system of quality
control. This relationship is now well understood by firms and
clarified within QC 1000. In addition, the first two paragraphs of AS
1110 merely repeat the requirements to comply with the auditing and QC
standards that are addressed by other PCAOB standards and rules.
Accordingly, the Board rescinded AS 1110.
3. Adoption of AS 1310, Notification of Termination of the Auditor-
Issuer Relationship
The Board adopted a new standard, AS 1310, which recodifies
existing requirements of SECPS 1000.08(m), Notification of the
Commission of Resignations and Dismissals from Audit Engagements for
Commission Registrants, and applies those requirements to all firms and
all issuer engagements. As noted above, the Board rescinded the QC
standards that pertain only to firms that were SECPS members at the
time the PCAOB was created. In lieu of the SECPS requirement, the Board
adopted a new standard that requires the auditor to notify the SEC upon
resignation or dismissal from an audit engagement of an issuer if the
issuer does not report such change in a current report on Form 8-K.
The only commenter to address this proposed standard agreed that it
could provide valuable and timely information to investors to alert
them when audit committees have failed to fulfill their reporting
responsibilities. The Board notes, however, that notifications provided
under the current SECPS requirement might not be made publicly
available. Nevertheless, the Board believes that notices provided to
the SEC under the standard could provide valuable information to the
SEC. Therefore, the Board adopted the standard substantially as
proposed, with a revision to conform to the precise language on Form 8-
K. This requirement applies to all issuer engagements, regardless of
whether the firm was a member of the SECPS and regardless of whether
the issuer is required to report on Form 8-K.
4. Amendments to AT Section 101, Attest Engagements
These amendments did not receive any comment and were adopted as
proposed.
The amendments to AT Section 101 align with the rescission of AS
1110 discussed above, by deleting the paragraphs that address the
relationship of attestation standards to QC standards. Additionally,
the deletion of footnote 23 removes language related to monitoring
compliance with quality control policies and procedures, which is
unnecessary in light of the adoption of QC 1000.
5. Amendments to Form 1, Application for Registration
The Board proposed to amend Form 1 to (i) refer to QC 1000 in the
instructions in order to prompt firms to consider their obligations
with respect to QC in connection with their application for
registration, and (ii) add a new item whereby firms confirm whether
they have designed a QC system in accordance with PCAOB standards. The
only commenter to address this amendment agreed that the amendments
would be appropriate. The Board adopted these amendments as proposed.
6. Amendments to Form 2, Annual Report Form
The Board proposed to amend Form 2 to add a new item whereby firms
would confirm (i) that they have designed a QC system in accordance
with PCAOB standards; and (ii) whether they were required to implement
and operate a QC system in accordance with PCAOB standards at any time
during the period of time covered by Form 2. The only commenter to
address this amendment agreed that the amendments would be appropriate.
The Board adopted these amendments as proposed.
7. Technical and Conforming Amendments
These amendments did not receive any comment and were adopted as
proposed.
The Board implemented a number of technical and conforming
amendments to align terminology and concepts in

[[Page 49698]]

existing standards and one PCAOB form with QC 1000.
The Board also implemented a technical amendment to the
instructions to Form AP to clarify an exclusion from disclosing the
identity of, and hours incurred by, accounting firms in certain
circumstances. The Board, when it adopted Form AP, stated that it
intended to exclude the reporting of ``hours incurred in the audit of
entities in which the issuer has . . . an investment'' using the equity
method of accounting.\381\ Form AP currently excludes hours ``of an
accounting firm performing the audit of entities in which the issuer
has an investment that is accounted for using the equity method,'' but
the Board is concerned that such language might be read to exclude all
of the audit work performed by such an accounting firm on an audit,
rather than only those hours spent performing the audit of entities in
which the issuer has an investment accounted for using the equity
method. The Board revised the instruction in Part IV of the form to
exclude from its disclosure requirements the identity of, and hours
incurred by, accounting firms ``in performing'' the audit of entities
in which the issuer has an investment that is accounted for using the
equity method, which clarifies that the identity of, and hours incurred
by, such firms with respect to other work on the audit must be
disclosed on Form AP, unless they are subject to other Form AP
exclusions.
---------------------------------------------------------------------------

\381\ See Improving the Transparency of Audits: Rules to Require
Disclosure of Certain Audit Participants on a New PCAOB Form and
Related Amendments to Auditing Standards, PCAOB Rel. No. 2015-008
(Dec. 15, 2015), at 26.
---------------------------------------------------------------------------

Effective Date

In the proposing release, the Board sought comment on the amount of
time auditors would need before the proposed new quality control
standard and the other proposed amendments to PCAOB standards, rules,
and forms, if adopted by the Board and approved by the SEC, become
effective. We proposed an effective date of December 15 of the year
after approval by the SEC.
One commenter agreed that the proposed effective date should be
reasonable in practical terms. Another commenter asserted that the
standard is not clear on the effective date as it relates to design and
implementation and operating effectiveness, and recommended that the
Board allow firms significant time between the release of the final
standard and its effective date. One commenter suggested that an 11-
month period from the effective date to the first evaluation date would
not be practicable, and firms would need time to consider whether and
how to transition from their evaluation date previously established
under ISQM 1.
Several commenters suggested that if the standard is approved in
2023, and becomes effective on December 15, 2024, this would provide
challenges to auditors. Some of these commenters further suggested that
the proposed effective date would be particularly challenging for
smaller firms that might not have already implemented ISQM 1 and do not
have to implement SQMS 1 until December 15, 2025. Commenters suggested
alternative effective dates such as December 15, 2025; 18 months after
approval by the SEC and no sooner than December 15, 2025; the later of
12 months after approval by the SEC or December 15, 2025; or two years
after SEC approval. One commenter suggested a phased approach such that
the effective date would be different for firms that are annually
inspected than for other firms, while other commenters suggested that
firms that are required to implement incremental requirements based on
the size of the firm should be provided additional time to implement
the incremental requirements. One commenter suggested that an overly
speedy adoption timeline could create unintended consequences such as
disruption to QC systems and increased difficulty of getting buy-in on
the proposed QC changes from stakeholders. Another commenter suggested
that an additional one to two years may be needed for firms with less
than 100 issuers, or that have not adopted ISQM 1, to develop and
implement the additional monitoring, evaluation and remediation
requirements. The commenter further suggested that a proposed initial
evaluation date that is eleven and a half months after the effective
date may not allow enough time for remediation and that the PCAOB
should consider a longer onboarding process.
After considering the comments received subject to approval by the
SEC, the final standard and related amendments to auditing standards,
rules, and forms will take effect on December 15, 2025.
The Board believes that an effective date of December 15, 2025
strikes an appropriate balance between the benefits to investors of
having QC 1000 take effect as promptly as practicable, while allowing
sufficient time for firms to design and implement robust, QC 1000-
compliant QC systems.
One commenter suggested the Board consider how mergers and
acquisitions of firms would impact the effective date for the standard,
and suggested the Board consider similar guidance to the SEC that
provides that issuers may exclude an acquired business's internal
control over financial reporting from its assessment of internal
control for up to one year or for one assessment. After consideration
of the comment received, the Board appreciates that it could take time
to fully integrate a newly acquired firm's QC system and perform an
evaluation of its effectiveness. However, the Board does not believe
that it is appropriate or consistent with its investor protection
mandate to allow for a portion of a firm's QC system to be excluded
from the annual evaluation. The Board believes that specific quality
risks could arise as the result of a merger or acquisition, and that
firms should be designing, implementing, and operating quality
responses to address these as part of merger planning and execution.
Furthermore, if, as a result of a merger or acquisition between
registered public accounting firms, the resultant firm is unable to
conclude that the QC system is effective as of the evaluation date,
then the Board believes that it is essential that the firm has
identified and is remediating the QC deficiencies that exist as a
result of the merger or acquisition and is monitoring any impact on the
firm's engagements.
Unlike ISQM 1 and SQMS 1, under QC 1000, the requirements for QC
system evaluation are not being implemented on a delayed basis. When QC
1000 takes effect, all provisions of QC 1000 will take effect. Because
the evaluation date of September 30 builds in over a nine-month delay
between the effective date of the standard and the first evaluation
date, the Board does not believe further delaying the effective date of
the evaluation requirements would be necessary or appropriate. However,
the first evaluation period will be of the period beginning on the
effective date of the standard (i.e., December 15, 2025) and ending on
the next September 30, rather than the 12-month period ending on that
September 30.

D. Economic Considerations and Application to Audits of Emerging Growth
Companies

Economic analysis is an important aspect of the rulemaking process.
This economic analysis describes the baseline for evaluating the
economic impacts of the rulemaking, the need for rulemaking, its
expected economic impacts (including benefits, costs, and potential
unintended consequences), and reasonable alternatives considered. Due
to data limitations, much of the economic analysis is qualitative in

[[Page 49699]]

nature; however, where reasonable and feasible, the analysis
incorporates quantitative information, including information from PCAOB
inspections of registered firms.
The Board has sought information relevant to the economic analysis
over the course of this rulemaking.\382\ To the extent that commenters
expressed views related to the economic analysis, many commenters
generally agreed with the need for QC 1000, but some commenters raised
concerns with certain impacts of the proposed standard. Several
commenters expressed concerns about costs associated with certain key
requirements, such as documentation. Some commenters suggested that the
economic analysis should more explicitly consider costs that could
disproportionately impact smaller and mid-size firms. Some commenters
asserted potential unintended consequences with the proposed standard,
including demand on staff resources and potential competitive effects,
while other commenters suggested alternatives to help manage costs
associated with certain proposed requirements, such as the 100-issuer
threshold and evaluation and reporting dates. Some commenters offered a
quantitative perspective regarding impacts. Several commenters
referenced additional academic research for the Board's consideration.
The Board considered all the comments received, including the
quantitative perspectives and academic research the comments
referenced, and has developed the following economic analysis that
evaluates the expected benefits and costs of the final requirements,
discusses potential unintended consequences, and facilitates comparison
to alternative actions considered.
---------------------------------------------------------------------------

\382\ See PCAOB Rel. No. 2022-006; PCAOB Rel. No. 2019-003.
---------------------------------------------------------------------------

Baseline

The discussion above provides an overview of current PCAOB QC
standards; summarizes observations from PCAOB oversight activities; and
describes developments in the auditing environment since the adoption
of current PCAOB QC standards, including the actions of other standard
setters. This section expands on that discussion by describing
additional aspects of the economic baseline against which the economic
impacts of the requirements can be considered and presenting other
relevant information on the audit services market for issuers and
broker-dealers. Specifically, this expanded discussion includes:
Three complementary proxies for the level of compliance
with professional standards applicable to the performance of
engagements, derived from PCAOB inspections data. Analysis of these
proxies informs the baseline for considering the expected benefits of
the requirements (e.g., improved compliance with professional
standards).\383\
---------------------------------------------------------------------------

\383\ See below for further discussion.
---------------------------------------------------------------------------

Information on resources that U.S. global network firms
(``GNFs'') invest in their QC systems. As the requirements are expected
to result in changes to some firms' QC systems, this information
informs the baseline for considering the expected costs of the
requirements.
Changes firms have made to their QC systems to remediate
QC deficiencies identified by PCAOB inspections staff and presents QC
deficiencies related to firms' management of their audit practices.
This discussion provides information on the evolution of QC systems and
informs the evaluation of the need for and the economic impacts of the
requirements.
A concise survey of academic literature on quality-
threatening behaviors that suggest certain weaknesses in some QC
systems in practice.
Key assumptions regarding how QC systems are likely to
evolve absent the requirements.
In describing the baseline,\384\ the analysis presents anonymized
and aggregated summary statistics regarding deficiencies included in
past PCAOB inspection reports. Since PCAOB inspection reports do not
consider broker-dealer engagements, the analysis also presents
anonymized and aggregated summary statistics regarding audit and
attestation engagement deficiencies included in annual reports on the
PCAOB's interim inspection program related to audits of brokers and
dealers. The following background information associated with this
quantitative inspection information bears emphasizing:
---------------------------------------------------------------------------

\384\ The scope of the information on inspections and
remediation efforts presented in the baseline section is limited to
those firms that are subject to inspection under Sarbanes-Oxley;
specifically, firms that provide one or more audit reports for an
issuer, broker, or dealer and firms that play a substantial role in
the preparation or furnishing of such audit reports. See section
104(a)(1), (2), and (b)(1) of Sarbanes-Oxley, 15 U.S.C. 7214(a)(1),
(2), and (b)(1). In particular, PCAOB's analysis of deficiencies
included in past PCAOB inspection reports does not include
registered firms that would be subject only to design requirements
on the basis that they do not perform ``engagements'' as defined in
QC 1000. Based on Form 2 reporting as of June 30, 2023,
approximately 60% of registered firms reported that they had not
issued an audit report for an audit of an issuer or broker-dealer or
played a substantial role in such an engagement during the preceding
12 months.
---------------------------------------------------------------------------

QC deficiencies presented in Part II of a PCAOB inspection
report \385\ may relate to: (1) a firm's management of its audit
practice or (2) a firm's performance of audit procedures.\386\ QC
deficiencies of the first type refer to the operation of QC policies
and procedures. For example, a QC deficiency related to a firm's
management of its audit practice may be identified through inspection
staff's review of how the firm considers and addresses risks in
connection with engagement acceptance and continuance decisions. QC
deficiencies of the second type are inferred through analysis of
deficiencies identified during inspections of individual issuer audit
engagements. For example, a QC deficiency related to a firm's
performance of audit procedures may be identified through inspection
staff review of the performance of audit procedures related to
management's accounting estimates.\387\
---------------------------------------------------------------------------

\385\ Part II of a firm's inspection report includes any
criticisms of, and potential defects in, the firm's QC system, that
were communicated to the firm as part of a PCAOB inspection. As
required under Sarbanes-Oxley, any QC deficiencies observed during a
PCAOB inspection are not included in the public portion of the
relevant inspection report when first issued. If a firm does not
address to the Board's satisfaction criticisms of, and potential
defects in, the firm's QC system within 12 months after the issuance
of the PCAOB inspection report, Part II of the report will be issued
publicly to include such deficiencies. Additional information is
available on the PCAOB website at https://pcaobus.org/oversight/inspections/remediation.
\386\ See PCAOB Rel. No. 2012-003, at 8-9.
\387\ See PCAOB Rel. No. 2012-003, at 8.
---------------------------------------------------------------------------

Deficiencies presented in Part I.A of an inspection report
represent deficiencies in issuer audits selected for inspection that
were of such significance that the Board believes that the firm, at the
time it issued its audit report, had not obtained sufficient
appropriate audit evidence to support its opinion on the issuer's
financial statements and/or internal control over financial reporting.
As part of the PCAOB's process for reviewing firms' QC systems, PCAOB
inspection teams evaluate whether identified deficiencies in individual
audits indicate a defect or potential defect in a firm's QC system.
However, a Part I.A deficiency does not, on its own, necessarily imply
significant defects or potential defects in a firm's QC system. The
PCAOB inspection team will consider the nature, significance, and
frequency of deficiencies and related firm methodology, guidance,
practices, and possible root causes when assessing whether Part I.A
deficiencies in individual audits indicate significant

[[Page 49700]]

defects or potential defects in a firm's QC system that should appear
in Part II of the firm's inspection report.\388\
---------------------------------------------------------------------------

\388\ Additional information on PCAOB inspection procedures is
available on the PCAOB website at https://pcaobus.org/oversight/inspections/inspection-procedures.
---------------------------------------------------------------------------

The Dodd-Frank Wall Street Reform and Consumer Protection
Act gave the PCAOB oversight of auditors of broker-dealers registered
with the SEC. In June 2011, the PCAOB established an interim program to
inspect these auditors and identify and address with them any
significant issues observed in their audits and related attestation
engagements. This interim inspection program remains in place today.
The inspection processes for audits of issuers and broker-dealers are
different in many respects, including the applicable laws, rules, and
professional standards; the inspection selection process; inspection
focus areas; and reporting of inspection results. In particular, unlike
PCAOB inspections of issuer audits, which lead to an inspection report
for each inspected firm, the PCAOB issues a single annual report on the
interim inspection program related to audits of brokers-dealers, which
summarizes the results of the PCAOB's inspections of broker-dealer
engagements performed during the previous year.\389\
---------------------------------------------------------------------------

\389\ See Annual Report on the Interim Inspection Program
Related to Audits of Brokers and Dealers, PCAOB Rel. No. 2023-005
(Aug. 10, 2023). Additional information on the interim inspection
program is available on the PCAOB website at https://pcaobus.org/resources/information-for-audit-firms/information-for-auditors-of-broker-dealer.
---------------------------------------------------------------------------

The analysis of QC and issuer audit deficiencies below is
presented over a twelve-year period for three separate categories of
firms: (1) U.S. GNFs, (2) other firms having more than five inspected
issuer engagements, and (3) other firms having five or fewer inspected
issuer engagements.\390\ Categorizing inspections information among
firms of different sizes helps account for the significantly skewed
variation in audit firm size present in the audit market.\391\ The 2011
through 2022 period is used because information from earlier inspection
years is less comparable and information from later inspection years
was not completely available as of the date of this analysis.
Information was preliminary for the 2022 inspection year as of the date
of the PCAOB staff analysis.
---------------------------------------------------------------------------

\390\ Time trends can help to identify associative relationships
and may suggest how the audit market could evolve absent the
requirements. However, time trends in PCAOB inspection deficiencies
depend on, among other things, changes in the set of firms and
engagements selected for inspection. Firms that issue 100 or fewer
audit reports for issuers are, in general, inspected at least once
every three years. Firms that issue audit reports for more than 100
issuers are inspected annually. Therefore, the set of inspected
firms and engagements is not fixed year over year.
\391\ Current PCAOB QC standards recognize that the nature,
extent, and formality of a firm's QC policies and procedures should
take into account various factors, including the size of the firm.
Because PCAOB QC assessments also take into account these factors,
the number of QC deficiencies across each of the three categories of
firms are not directly comparable. See PCAOB Rel. No. 104-2006-077,
at 9-10.
---------------------------------------------------------------------------

The analysis of audit and attestation engagement
deficiencies included in annual reports on the PCAOB's interim
inspection program related to audits of brokers and dealers below is
presented over a 12-year period. The 2011 through 2022 period is used
because 2011 was the first year of the interim inspection program and
2022 is the most recent year that data are available as of the date of
this analysis. Information on deficiencies associated with attestation
examinations or reviews is not available prior to 2015 because 2015 was
the first full year during which the PCAOB was able to review
attestation engagements of brokers and dealers.
1. Proxies Related to Compliance With Professional Standards
This subsection presents analyses of three quantitative proxies for
the level of compliance with professional standards and thus provides
information on the baseline for considering the key expected benefit of
the requirements: improved compliance with professional standards.
Specifically, it presents information on Part I.A deficiencies, QC
deficiencies related to audit performance, and broker-dealer engagement
deficiencies, from the audits or engagements PCAOB inspected. Overall,
the analyses suggest that some firms' QC systems may not be providing
the required reasonable assurance. Broker-dealer engagements and issuer
audits performed by firms other than U.S. GNFs appear to have more room
for improvement on average based on the period examined.
a. Part I.A Deficiencies
Figure 1 presents for categories of PCAOB-inspected audits the
percentage of inspected issuer audits having at least one Part I.A
deficiency. PCAOB staff calculated the Part I.A deficiency rates by
dividing the number of inspected issuer audits that had at least one
Part I.A deficiency by the number of inspected issuer audits for each
given year. The Part I.A deficiency rate should not be equated with the
rate of audit deficiencies across the whole issuer population. It may
understate the true rate of issuer audit deficiencies because some
deficiencies may not rise to the level of a Part I.A deficiency and
because PCAOB inspectors do not inspect all aspects of inspected
audits. However, it may also overstate the true rate of issuer audit
deficiencies because PCAOB inspectors generally focus their attention
on, among other things, audits and audit areas with a heightened risk
of material misstatement.
Despite these potential biases in the Part I.A deficiency rate, the
Board believes that the Part I.A deficiency rates presented in Figure 1
are indicative of underlying issuer audit deficiencies. However, there
are two caveats that may impact the interpretation of Figure 1. First,
because the audits with deficiencies are not drawn from a random
sample, the deficiencies could be driven in part by changes over time
in the proportion of reviewed audits that were selected based on
characteristics associated with high-risk audits. Second, PCAOB
inspections staff review more focus areas during reviews of U.S. GNF
issuer audits than they do during reviews of other firms' issuer
audits, increasing the opportunity for a reviewed U.S. GNF issuer audit
to have at least one Part I.A deficiency.
For U.S. GNFs, Figure 1 shows that the percentage of inspected
issuer audits having at least one Part I.A deficiency was 37% in 2011
and 30% in 2022 For other firms, the percentage has remained in the 31%
to 53% range.

[[Page 49701]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.013

Figure 2 provides additional insight on how the percentage of
inspected issuer audits having at least one Part I.A deficiency varies
by firm. Each bar indicates the percentage of 2020, 2021, and 2022 firm
inspections with a Part I.A deficiency rate within a given range. For
example, Figure 2 indicates that 22% of all 2020, 2021, and 2022 U.S.
GNF inspections and 11% of all 2020, 2021, and 2022 inspections of
other firms with more than five inspected engagements had a Part I.A
deficiency rate below 10%. Figure 2 excludes firm inspections with five
or fewer inspected engagements because the Part I.A deficiency rate is
a less informative proxy in these cases due to the small number of
inspected engagements.

[[Page 49702]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.014

Note: During the 2020, 2021, and 2022 inspection years, there
were in total 18 inspections of U.S. GNFs and 35 inspections of
other firms having more than five engagements reviewed.

b. QC Deficiencies Related to Audit Performance
Figure 3 presents the average number of QC deficiencies related to
audit performance per inspected firm. QC deficiencies related to audit
performance are inferred through analysis of inspections of individual
audits and thus represent another proxy for the level of compliance
with professional standards. To prepare Figure 3, PCAOB staff counted
the number of distinct QC deficiencies related to audit performance in
Part II of PCAOB inspection reports. Staff assigned a zero to firm
inspections that resulted in no QC deficiencies related to audit
performance. Staff then calculated averages per inspected firm by year
and firm group, assigning equal weight to each QC deficiency regardless
of its nature or whether it was a repeat deficiency. While the total
number of QC deficiencies is not readily comparable across each of the
three categories of firms because of differences in inspection
approach, the averages have ranged between 3.3 and 15.8 for U.S. GNFs,
between 2.9 and 8.0 for other firms having more than five engagements
reviewed, and between 0.9 and 2.7 for other firms having five or fewer
engagements reviewed. Two caveats may impact the interpretation of
Figure 3. First, starting in 2019, the PCAOB revised its approach to
identifying QC deficiencies related to audit performance. The Board
believes this policy change reduced the number of QC deficiencies
related to audit performance for some of the inspections of non-
affiliated firms (``NAFs'') but not for the U.S. GNFs. Second, the
variability in the deficiency rate in the second panel may be due in
part to year-over-year changes in the set of firms having more than
five engagements reviewed, which may include triennial firms.\392\
---------------------------------------------------------------------------

\392\ Firms that issued audit reports with respect to 100 or
fewer issuers during the prior calendar year (``triennial firms'')
must be inspected at least once every three years.

---------------------------------------------------------------------------

[[Page 49703]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.015

c. Broker-Dealer Engagement Deficiencies
Figure 4 presents the percentage of broker-dealer audits with
deficiencies and the percentage of attestation engagements and reviews
with deficiencies, among the selected sample of PCAOB engagements. The
percentages are reproduced from the PCAOB's annual reports on the
interim inspection program related to the audits of broker-dealers. The
percentages are equal to the number of inspected engagements for which
there were deficiencies divided by the number of inspected engagements.
The percentages of audits and attestation examinations with
deficiencies have remained greater than 45%. The percentage of
attestation reviews with deficiencies has remained in the 23% to 54%
range.
[GRAPHIC] [TIFF OMITTED] TN11JN24.016

[[Page 49704]]

2. Resources Associated With QC systems
Firms implement their QC systems through a set of policies and
procedures. These policies and procedures vary across firms, reflecting
both the principles-based nature of current QC standards and the
variation in firms' particular circumstances. To inform the baseline
for considering the expected costs of the requirements, PCAOB staff:
(1) held initial discussions with U.S. GNFs to obtain qualitative
information regarding the resources associated with their QC systems
and (2) conducted a voluntary survey of U.S. GNFs on the resources they
employ to design, implement, and operate QC policies and procedures.
Overall, the information indicates the resources that U.S. GNFs are
already devoting to the design, implementation, and operation of QC
policies and procedures related to the ISQM 1 requirements.
The U.S. GNF survey requested both qualitative and quantitative
information for each of the eight QC system components specified by
ISQM 1: risk assessment, governance and leadership, independence and
ethics, acceptance and continuance, engagement performance, resources
(human, intellectual, and technological), information and
communication, and monitoring and remediation.\393\ In addition, the
survey requested qualitative and quantitative information related to
network requirements or network services, evaluation of the QC system,
and documentation.\394\ The request referred to ISQM 1 explicitly in
order to facilitate comparability of the information gathered across
firms and to the proposed QC standard.
---------------------------------------------------------------------------

\393\ See paragraphs 23-33 and 35-47 of ISQM 1.
\394\ See paragraphs 48-60 of ISQM 1.
---------------------------------------------------------------------------

All six U.S. GNFs provided qualitative information and five
provided quantitative information. Staff received completed surveys
between June 23 and July 6, 2021. The respondents provided the
information as of their most recently completed fiscal year-end or QC
system assessment date.
The qualitative information that PCAOB staff received indicates
that U.S. GNFs' QC policies and procedures are extensive and highly
integrated with the audit process. Multiple groups, teams, functions,
and individuals participate in the design, implementation, and
operation of QC policies and procedures. Engagement teams play a key
role in the operation of many QC policies and procedures. Among other
QC-related responsibilities, engagement teams often assist in
acceptance and continuance decisions; initiate consultations; help
maintain accurate and complete information within independence systems;
attend training; and initiate and complete individual performance
evaluations.
The U.S. GNFs' QC systems involve multiple IT systems that support
QC activities and may also serve other operational functions. These QC
systems may also rely upon work or services provided by the firm's
global network and/or third-party vendors. Global network services may
relate to development and maintenance of technological and intellectual
resources (e.g., global audit methodology, global independence and
assurance policies and procedures, etc.) or monitoring the quality of
audit services performed by network affiliates. The firms report making
ongoing investments in their QC systems, including implementation of
new technology that supports QC activities.
The quantitative portion of the survey asked the U.S. GNFs to
estimate: (1) the number of firm personnel involved in designing,
implementing, or operating QC policies and procedures on an annual
basis (by partner vs. non-partner); (2) the percentage of their time
committed; and (3) the expected percentage change in QC resource
requirements as of December 15, 2022, when ISQM 1 became
effective.\395\ PCAOB staff asked the firms to include in their
estimates only those resources directly related to the design,
implementation, and operation of QC policies and procedures over audits
of U.S. issuers and broker-dealers. In cases where removing time spent
on QC policies and procedures related to audits of private companies
was prohibitively difficult or impossible, staff asked firms to include
this time in their estimates and describe the inseparable portion.
Firms reported that their QC policies and procedures generally apply
across their entire audit practice and thus their estimates typically
included resources dedicated to QC systems over engagements performed
under PCAOB standards as well as audits performed under other
standards.
---------------------------------------------------------------------------

\395\ More specifically, staff asked U.S. GNFs to estimate the
number of firm personnel who are directly involved in the design,
implementation, or operation of each QC system component by
commitment level (i.e., <10%, 10-40%, 40-60%, 60-90%, or >90% of the
individual's time). If an individual committed time to multiple QC
system components, staff asked firms to count the individual once
for each QC component and to indicate the time committed to each
component. For example, if an individual committed 100% of the
individual's time to the firm's QC system, 50% to acceptance and
continuance and 50% to monitoring and remediation, firms were asked
to count the individual under the 40-60% commitment level for both
components.
---------------------------------------------------------------------------

In initial discussions with the U.S. GNFs, firms reported that
identifying all firm personnel hours related to their QC systems would
be an enormous challenge. To make the data request feasible, PCAOB
staff directed firms to exclude from their quantitative estimates time
spent by engagement teams operating QC policies and procedures (e.g.,
performing independence procedures, planning for or engaging in
consultations, executing the firm's methodology) and facilitating
internal inspections. Staff also asked firms to exclude: (1) time spent
by firm personnel attending training; (2) time spent by individuals on
compliance with personal independence policies and procedures; (3) time
spent performing engagement quality reviews of individual engagements;
and (4) any resources invested at the global network level to design,
implement, or operate QC policies or procedures. The qualitative
information received from the firms suggests that these aspects of
their QC systems are likely resource-intensive.
Table 1 summarizes the quantitative information received in
aggregate form. It presents the means and standard deviations of
partner, non-partner, and total full-time equivalents (FTEs) by QC
system component.\396\ The means provide a sense of average scale while
the standard deviations provide a sense of average variability across
the firms. Overall, the means presented in Table 1 indicate that U.S.
GNFs commit a mean of 647.9 total FTEs to designing, implementing, and
operating their QC policies and procedures. QC policies and procedures
related to: (1) independence and ethics utilize a mean of 189.9 total
FTEs and (2) human,

[[Page 49705]]

intellectual, and technological resources utilize a mean of 252.6 total
FTEs. Non-partner FTEs are roughly 3.5 times partner FTEs, but partners
play a relatively larger role in the governance and leadership,
engagement performance, and monitoring and remediation components of QC
systems. The standard deviations presented in Table 1 indicate that the
average variability across firms is 499.9 total FTEs. The average
variability for the independence and ethics component is 173.9 total
FTEs and for the resources component is 295.2 total FTEs.
---------------------------------------------------------------------------

\396\ To calculate the means presented in Table 1, staff summed
the number of individuals directly involved in the design,
implementation, or operation of each QC system component, weighting
individuals by the mid-point of their respective commitment level
and divided by the number of firms that were able to provide data
for the respective QC system component. The ``Total'' row mean is
equal to the number of individuals directly involved in the design,
implementation, or operation of any QC system component, weighting
individuals by the mid-point of their respective commitment level
divided by five (i.e., the number of firms that provided
quantitative information). Therefore, the ``Total'' row mean does
not equal the sum of the QC component-level means. The standard
deviations presented in Table 1 were calculated without Bessel
corrections. The standard deviation for the ``Other'' component is
equal to the geometric mean of the standard deviations of the
network requirements or network services, evaluation of the system
of quality management, and documentation components. The Board's
data are insufficient to account for potential covariances between
these components.
---------------------------------------------------------------------------

The mean ``Total'' row values presented in Table 1 may include some
underestimation error for several reasons. First, some firms were
unable to reasonably estimate all of the resources for certain
components, most notably for the governance and leadership component.
Second, firms were generally unable to reliably estimate the cost of IT
infrastructure that supports the QC system. Third, firms were generally
unable to reliably estimate the portion of common-pool resources
attributable to the QC system that support broader operational or
financial objectives of the firm. Fourth, due to estimation challenges
as described above, firms were directed to exclude certain resources
from their estimates, including time spent by engagement teams
executing QC policies and procedures and time spent by firm personnel
attending training.
By contrast the mean ``Total'' row values may also include some
overestimation error. For example, firms broadly reported that their QC
policies and procedures apply to both issuer and non-issuer audits and
it would generally be infeasible to identify firm personnel hours
related to quality control over issuer audits only. In these cases,
PCAOB staff asked firms to include both issuer and non-issuer QC hours
in their estimates.
Some firms were unable to separately break out the level of
resources committed to designing, implementing, and operating QC
policies and procedures for risk assessment, information and
communication, network requirements or network services, evaluation of
the system of quality management, and documentation. These firms
distributed these resources across the remaining components. While this
leads to some overestimation error to the remaining components, the
information provided by the firms that were able to separately break
out these components indicates that these components are relatively
less resource-intensive and, therefore, the overestimation error is
likely small. This overestimation error does not apply to the mean
``Total'' row values because any errors in how the firms allocated
across components nets out when summing.

Table 1--Resources Associated With U.S. GNFs' QC Policies and Procedures
----------------------------------------------------------------------------------------------------------------
Total (FTEs)
Partner Non-partner ----------------------------------------------------
(FTEs) mean (FTEs) Mean per
Per firm St. dev firm St. dev
----------------------------------------------------------------------------------------------------------------
Risk Assessment................. 2.1 1.4 4.6 2.3 6.7 2.4
Governance and Leadership....... 10.0 5.8 9.2 9.3 19.2 14.7
Independence and Ethics......... 17.7 15.7 172.2 164.2 189.9 173.9
Acceptance and Continuance...... 11.5 6.1 13.7 13.8 25.2 14.2
Engagement Performance.......... 38.9 23.1 52.8 29.0 91.7 49.0
Resources....................... 42.4 36.6 210.2 267.0 252.6 295.2
Information and Communication... 2.6 2.6 8.6 3.3 11.2 4.9
Monitoring and Remediation...... 22.1 7.1 34.9 15.1 56.9 21.1
Other *......................... 4.1 0.6 11.6 2.5 15.6 2.8
-------------------------------------------------------------------------------
Total....................... 143.6 85.3 504.3 428.9 647.9 499.9
----------------------------------------------------------------------------------------------------------------
* The ``Other'' category includes network requirements or network services, evaluation of the system of quality
management, and documentation.

Most U.S. GNFs were unable to provide precise estimates regarding
expected future changes in QC system resource requirements as of
December 15, 2022, when ISQM 1 became effective. The qualitative
information provided by the firms indicates that: (1) additional
resources likely were required; (2) some of the U.S. GNFs had assigned
teams to manage ISQM 1 implementation; and (3) the risk assessment
component and the evaluation of the system of quality management
component were expected to require the most additional resources.
The Board also received information regarding non-GNFs through the
proposal comment process that indicates that non-GNFs have devoted
resources to the design, implementation, and operation of QC policies
and procedures related to ISQM 1 and/or SQMS 1 requirements. One
commenter noted that national firms with fewer than 500 issuers have
significantly fewer resources associated with QC policies and
procedures.\397\ One commenter noted that firms have invested
significant time and resources to comply with the existing quality
management standards from other standard setters, and another commenter
noted that, at least with respect to QC roles and responsibilities,
smaller firms have already designed their processes to accord with ISQM
1 and SQMS 1. One firm explained that its implementation efforts of
ISQM 1 required a great deal of evaluation of risks and related
responses, and another firm explained that its implementation effort
was a significant undertaking that involved a number of people across
the firm. Another commenter suggested that non-U.S. firms may be
incorporating quality management frameworks adopted by their local
regulator, such as CPAB's Quality Management System framework. Several
commenters representing non-GNF perspectives focused more generally on
the provisions of QC 1000 that diverge from ISQM 1 and SQMS 1, which
the Board understands as implying that these firms had expended
resources to construct and operate quality control systems in
compliance with those standards. However, at least one

[[Page 49706]]

commenter noted that for small firms that do not need to comply with
ISQM 1, efforts may be ongoing to implement SQMS 1, indicating that
some of these firms may be focused on resources for design and may not
yet be spending resources to operate QC policies in line with SQMS 1.
---------------------------------------------------------------------------

\397\ The commenter asserted that the mean total FTEs reported
in Table 1 for GNFs represent approximately 10% of partners and
employees for firms of similar size and composition to the
commenter. However, the commenter also reported having approximately
90% fewer partners and employees than some U.S. GNFs and
approximately 99% fewer than other U.S. GNFs, so the resources
reported in Table 1 would likely be scaled down accordingly for the
commenter and similar sized firms.
---------------------------------------------------------------------------

One commenter noted research that appears to be too tangential or
unrelated to actual resources employed by firms to be useful for
advancing the Board's understanding of resources associated with the
design, implementation, and operations of their QC systems. The
commenter noted that most academic studies related to resources
employed by NAFs or foreign affiliates of GNFs in the design,
implementation, and operations of their QC systems focus on either: (1)
the contributions of internal quality reviews to audit firm quality
\398\ or (2) the association of audit firm network arrangements, as
proxies for resources, with audit quality.\399\ For example, one study
suggests that when firms have formal connections via networks or large
alliance arrangements, audits within those arrangements have similar
levels of quality,\400\ which the commenter noted may imply that formal
connections are a vehicle to share and enforce QC practices.
---------------------------------------------------------------------------

\398\ See, e.g., Richard W. Houston and Chad M. Stefaniak, Audit
Partner Perceptions of Post-Audit Review Mechanisms: An Examination
of Internal Quality Reviews and PCAOB Inspections, 27 Accounting
Horizons 23 (2013); Denise Hanes Downey and Kimberly D. Westermann,
Challenging Global Group Audits: The Perspective of US Group Audit
Leads, 38 Contemporary Accounting Research 1395 (2021); Olof Bik and
Reggy Hooghiemstra, Cultural Differences in Auditors' Compliance
with Audit Firm Policy on Fraud Risk Assessment Procedures, 37
Auditing: A Journal of Practice & Theory 25 (2018).
\399\ See, e.g., Renee Flasher and Kristy Schenck, Exploring
PCAOB Inspection Results for Audit Firms Headquartered Outside of
the US, 37 Journal of International Accounting, Auditing and
Taxation 1 (2019); Philip Keejae Hong, David S. Kerr, and Casper E.
Wiggins, PCAOB International Inspections: Updates and Extensions, 26
International Journal of Auditing 279 (2022); Matthew S. Ege, Young
Hoon Kim, and Dechun Wang, Do Global Audit Firm Networks Apply
Consistent Audit Methodologies across Jurisdictions? Evidence from
Financial Reporting Comparability, 95 The Accounting Review 151
(2020).
\400\ See Flasher and Schenck, Exploring PCAOB Inspection
Results 1.
---------------------------------------------------------------------------

3. Developments in Firms' QC Policies and Procedures
This subsection provides information on the evolution of firms' QC
policies and procedures. First, it describes changes firms have made to
their QC policies and procedures to remediate QC deficiencies
identified in inspection reports. Second, it presents analyses of QC
deficiencies related to firms' management of their audit practices. QC
deficiencies related to firms' management of their audit practice
relate to the operation of QC policies and procedures. Overall, the
information suggests that QC policies and procedures are advancing.
Many firms have implemented a number of changes to their QC systems
to remediate their QC deficiencies.\401\ Changes brought about through
remediation are wide-ranging and can touch upon all major elements of
the current QC standards. The nature, extent, and formality of changes
made by a firm vary based on the size of the firm and the nature and
complexity of its practice. Examples of changes made by various types
of firms include: \402\
---------------------------------------------------------------------------

\401\ Additional information about the PCAOB remediation process
is available on the PCAOB website at https://pcaobus.org/oversight/inspections/remediation/remediation_process.
\402\ Examples are drawn from firms' Rule 4009 submissions. A
Rule 4009 submission is a submission prepared by a firm, pursuant to
PCAOB Rule 4009, concerning the ways in which a firm has addressed a
QC criticism. For additional background, see PCAOB Rel. No. 104-
2006-077.
---------------------------------------------------------------------------

Adding in-process review and coaching programs to assist
engagement teams in certain challenging areas, including ICFR and
accounting estimates;
Creating a committee to evaluate partner performance in
relation to audit quality and issuing an accountability framework with
penalties for negative audit quality events;
Implementing a new template that includes guidance to
facilitate the assessment and documentation of partner performance,
including guidance related to various performance metrics (such as
technical knowledge; leadership and training skills; and compliance
with firm quality control policies and procedures);
Requiring audit partners to articulate specific actions
they will take to achieve performance goals related to audit quality
and providing additional guidance and information around partner
workload management;
Implementing new policies and procedures for engagement
teams to focus on obtaining a thorough understanding of how issuers
initiate, record, process, and report significant classes of
transactions and how that information is recorded in the financial
statements;
Hiring external consultants to work with the firm to
develop a new ICFR audit approach;
Adding new leadership positions to the internal inspection
program, developing new analysis and reporting of internal inspection
findings, and beginning to disseminate findings more broadly;
Creating a committee to provide oversight on the firm's
audit quality initiatives and a new leadership position to drive
consistency across regions; and
Implementing new templates that provide guidance related
to performing a root cause analysis, including identifying areas of a
firm's quality control process to perform causal analysis, collecting
relevant data, and documenting the results.
The Board took these observations into account in developing QC
1000.
One commenter, an academic, referred to a recent unpublished study
examining how firms change and manage their QC systems, which involved
surveying QC leaders from eight U.S. accounting firms. The commenter
reported that the three most common changes currently underway in the
firms relate to: (1) engagement monitoring and use of data analytics;
(2) organizational structure (e.g., a dedicated ISQM team, independent
advisors); and (3) a more proactive approach to identifying QC
issues.\403\
---------------------------------------------------------------------------

\403\ The commenter also reported that the three most commonly
described ideal changes relate to: (1) engagement monitoring and use
of data analytics; (2) human talent-related initiatives such as
changes to hiring and promotion practices; and (3) client risk
assessment processes. Ideal changes are described as changes the QC
leaders would make if the firms did not face resource constraints.
---------------------------------------------------------------------------

Figure 5 presents the average number of QC deficiencies related to
firms' management of their audit practice per inspected firm. To
prepare Figure 5, PCAOB staff counted the number of distinct QC
deficiencies related to firms' management of their audit practice in
Part II of PCAOB inspection reports. Staff assigned a zero to firm
inspections that resulted in no QC deficiencies related to the firm's
management of its audit practice. Staff then calculated averages per
inspected firm by year and firm group, assigning equal weight to each
QC deficiency regardless of its nature or whether it was a repeat
deficiency. While the total number of QC deficiencies are not readily
comparable across each of the three categories of firms, the averages
have ranged between 0.8 and 10.2 for U.S. GNFs, between 0.3 and 1.5 for
other firms having more than five engagements reviewed, and between 0.3
and 0.6 for other firms having five or fewer engagements reviewed.

[[Page 49707]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.017

4. Academic Literature on Quality-Threatening Behaviors and Quality
Control
This subsection discusses academic research on behaviors that
suggest certain weaknesses in QC systems in practice. Over time,
researchers have documented a variety of quality-threatening behaviors,
including ``premature sign-off of audit procedures, failure to perform
required procedures, inappropriate reductions in substantive testing or
other forms of under-auditing, underreporting of time, inadequate
adjustments of audit procedures in response to changing risk
conditions, and over-reliance on management explanations of unusual
deviations in analytical procedures.'' \404\
---------------------------------------------------------------------------

\404\ Monika Causholli and W. Robert Knechel, An Examination of
the Credence Attributes of an Audit, 26 Accounting Horizons 631, 647
(2012).
---------------------------------------------------------------------------

Some commenters provided additional specific examples of quality-
threatening behaviors. For example, one commenter reported that some
academic research finds auditors may not always be objective when
deciding on the acceptability of management's accounting choices or
when recommending audit adjustments that would reduce reported income
or assets.\405\ Citing a settlement between a U.S. GNF and the Federal
Deposit Insurance Corporation, another commenter asserted that one
firm's QC system failed when one of the firm's engagement teams
inappropriately assigned a responsibility to an intern.
---------------------------------------------------------------------------

\405\ See, e.g., Kathryn Kadous, Jane S. Kennedy, and Mark E.
Peecher, The Effect of Quality Assessment and Directional Goal
Commitment on Auditors' Acceptance of Client-Preferred Accounting
Methods, 78 Accounting Review 759 (2003); Christopher Koch and
Steven E. Salterio, The Effects of Auditor Affinity for Client and
Perceived Client Pressure on Auditor Proposed Adjustments, 92
Accounting Review 117 (2017); Lori Shefchik Bhaskar, Patrick E.
Hopkins, and Joseph H. Schroeder, An Investigation of Auditors'
Judgments When Companies Release Earnings before Audit Completion,
57 Journal of Accounting Research 355 (2019).
---------------------------------------------------------------------------

Research suggests that quality-threatening behaviors imply a
failure of QC systems to provide reasonable assurance of
compliance.\406\ Moreover, some research suggests that, while not
solely responsible, certain features of firms' management of their
audit practice may encourage quality-threatening behaviors.\407\ For
example, experimental research suggests that certain cognitive biases
in auditor evaluation and reward systems may inadvertently deter
appropriate professional skepticism \408\ and other studies suggest
that partner reward systems at some firms may weight revenue generation
more heavily than professional competencies.\409\ Some research finds
that reward systems oriented toward revenue generation are associated
with lower proxies for audit quality.\410\ Synthesizing several recent
academic studies, one commenter reported that an excessive focus on
commercialism, rather than professionalism, continues to be a dominant
focus within firms' cultures and may negatively impact audit
quality.\411\ The commenter also reported that academic research
indicates quality-threatening behaviors may be negatively associated
with audit team leadership characteristics.\412\ For

[[Page 49708]]

example, skeptical auditors may be penalized if they do not find a
material misstatement,\413\ audit managers sometimes reward senior
associates for performing the unethical act of under-reporting time
when the client is more desirable,\414\ or while internal inspections
lead to increased auditor effort in the inspection year, positive
internal inspection results may lead auditors to decrease effort in the
future.\415\
---------------------------------------------------------------------------

\406\ See, e.g., Jean C. Bedard, Donald R. Deis, Mary B. Curtis,
and J. Gregory Jenkins, Risk Monitoring and Control in Audit Firms:
A Research Synthesis, 27 Auditing: A Journal of Practice & Theory
187 (2008).
\407\ See, e.g., David P. Donnelly, Jeffrey J. Quirin, and David
O'Bryan, Attitudes Toward Dysfunctional Audit Behavior: The Effects
of Locus of Control, Organizational Commitment, and Position, 19
Journal of Applied Business Research 95 (2003).
\408\ See, e.g., Joseph F. Brazel, Scott B. Jackson, Tammie J.
Schaefer, and Bryan W. Stewart, The Outcome Effect and Professional
Skepticism, 91 The Accounting Review 1577 (2016).
\409\ See, e.g., Marie-Laure Vandenhaute, Kris Hardies, and
Diane Breesch, Professional and Commercial Incentives in Audit
Firms: Evidence on Partner Compensation, 29 European Accounting
Review 521 (2020).
\410\ See, e.g., J[uuml]rgen Ernstberger, Christopher Koch, Eva
Maria Schreiber, and Greg Trompeter, Are Audit Firms' Compensation
Policies Associated With Audit Quality? 37 Contemporary Accounting
Research 218 (2020); Thomas Riise Johansen and Jeppe Christoffersen,
Performance Evaluations in Audit Firms: Evaluation Foci and
Dysfunctional Behavior, 21 International Journal of Auditing 24
(2017).
\411\ See, e.g., Christina Thomas Alberti, Jean C. Bedard, Olof
Bik, and Ann Vanstraelen, Audit Firm Culture: Recent Developments
and Trends in the Literature, 31 European Accounting Review 59
(2022); Chris Carter and Crawford Spence, Being a Successful
Professional: An Exploration of Who Makes Partner in the Big 4, 31
Contemporary Accounting Research 949 (2014); Ken H. Guo, The
Institutionalization of Commercialism in the Accounting Profession:
An Identity-Experimentation Perspective, 35 Auditing: A Journal of
Practice and Theory 99 (2016); Claire-France Picard, Sylvain
Durocher, Yves Gendron, The Colonization of Public Accounting Firms
by Marketing Expertise: Processes and Consequences, 37 Auditing: A
Journal of Practice & Theory 191 (2018); Jonathan S. Pyzoha, Mark H.
Taylor, and Yi-Jing Wu, Can Auditors Pursue Firm-Level Goals
Nonconsciously on Audits of Complex Estimates? An Examination of the
Joint Effects of Tone at the Top and Management's Specialist, 95 The
Accounting Review 367 (2020).
\412\ See, e.g., Noel Harding and Ken T. Trotman, The Effect of
Partner Communications of Fraud Likelihood and Skeptical Orientation
on Auditors' Professional Skepticism, 36 Auditing: A Journal of
Practice & Theory 111 (2017); Sean A. Dennis and Karla M. Johnstone,
A Field Survey of Contemporary Brainstorming Practices, 30
Accounting Horizons 449 (2016); Jodi L. Gissel and Karla M.
Johnstone, Information Sharing During Auditors' Fraud Brainstorming:
Effects of Psychological Safety and Auditor Knowledge, 12 Current
Issues in Auditing P1 (2018).
\413\ See, e.g., Brazel, et al., The Outcome Effect.
\414\ See, e.g., Christopher P. Agoglia, Richard C. Hatfield,
Tamara A. Lambert, Audit Team Time Reporting: An Agency Theory
Perspective, 44 Accounting, Organizations & Society 1 (2015).
Desirability in this case is determined by various situational and
contextual factors that are inherent to the client, such as a client
that is convenient for the audit manager's work schedule, a client
that is easy to get to, client management that the audit manager
gets along particularly well with personally, a client that is
within the audit manager's industry of interest, or an engagement
that involves an influential partner at the audit manager's office.
\415\ See, e.g., Daniel Aobdia and Reining C. Petacchi, The
Effect of Audit Firm Internal Inspections on Auditor Effort and
Financial Reporting Quality, 98 The Accounting Review 1 (2023).
---------------------------------------------------------------------------

An excessive focus on commercial objectives may also lead to undue
focus on cost-control in the execution of audits. For example, in one
study, audit staff report working, on average, five hours per week, and
sometimes 20 hours per week, past the threshold where they feel audit
quality begins to deteriorate.\416\ In another study, audit staff
report working on average 72 hours per week during busy season.\417\
Other research finds that a heavier workload in the fieldwork phase of
the audit is negatively associated with proxies for audit quality \418\
and that high levels of time pressure are positively associated with
audit quality-threatening behaviors.\419\ Referring to academic
research, one commenter reported that engagement-level pressures,
including meeting budgets, can affect audit quality.\420\ The commenter
also reported that academic research finds that audit partner workload
compression is negatively associated with audit quality.\421\
---------------------------------------------------------------------------

\416\ See Julie S. Persellin, Jaime J. Schmidt, Scott D.
Vandervelde, and Michael S. Wilkins, Auditor Perceptions of Audit
Workloads, Audit Quality, and Job Satisfaction, 33 Accounting
Horizons 95 (2019).
\417\ See Dana R. Hermanson, Richard W. Houston, Chad M.
Stefaniak, and Anne M. Wilkins, The Work Environment in Large Audit
Firms: Current Perceptions and Possible Improvements, 10 Current
Issues in Auditing A38 (2016).
\418\ See, e.g., Brant E. Christensen, Nathan J. Newton, and
Michael S. Wilkins, How Do Team Workloads and Team Staffing Affect
the Audit? Archival Evidence from US Audits, 92 Accounting,
Organizations and Society 1 (2021).
\419\ See, e.g., Tobias Svanstr[ouml]m, Time Pressure, Training
Activities and Dysfunctional Auditor Behaviour: Evidence from Small
Audit Firms, 20 International Journal of Auditing 42 (2016).
\420\ See, e.g., Mark E. Peecher, M. David Piercey, Jay S. Rich,
and Richard M. Tubbs, The Effects of a Supervisor's Active
Intervention in Subordinate's Judgments, Directional Goals, and
Perceived Technical Knowledge Advantage on Audit Team Judgments, 85
Accounting Review 1763 (2010); Koch and Salterio, The Effects 117;
and William F. Messier and Martin Schmidt, Offsetting Misstatements:
The Effect of Misstatement Distribution, Quantitative Materiality,
and Client Pressure on Auditors' Judgments, 93 Accounting Review 335
(2018).
\421\ See, e.g., Jun Chen, Wang Dong, Hongling Han, and Nan
Zhou, Does Audit Partner Workload Compression Affect Audit Quality?
29 European Accounting Review 1021 (2020).
---------------------------------------------------------------------------

One commenter noted academic papers that study various factors that
may impact audit quality but appear to be too tangential or unrelated
to quality-threatening behaviors that suggest certain weaknesses in QC
systems. The commenter included academic research that studies the
relationship between audit teams' use of the work of other participants
and audit quality.\422\ The commenter also cited research from other
countries that finds evidence that partner-related characteristics
influence audit quality.\423\ In addition, the commenter noted academic
papers that find evidence that non-audit services can negatively affect
audit quality through mechanisms other than independence
impairment.\424\ Moreover, the commenter included research that has
examined the association between PCAOB inspections of audit firms and
audit quality but does not appear to relate specifically to weaknesses
in QC systems.\425\
---------------------------------------------------------------------------

\422\ See, e.g., Candice T. Hux, Use of Specialists on Audit
Engagements: A Research Synthesis and Directions for Future
Research, 39 Journal of Accounting Literature 23 (2017); Joseph F.
Brazel, Tina D. Carpenter, and J. Gregory Jenkins, Auditors' Use of
Brainstorming in the Consideration of Fraud: Reports from the Field,
85 The Accounting Review 1273 (2010); J. Gregory Jenkins, Eric M.
Negangard, and Mitchell J. Oler, Getting Comfortable on Audits:
Understanding Firms' Usage of Forensic Specialists, 35 Contemporary
Accounting Research 1766 (2018); Emily E. Griffith, Jacqueline S.
Hammersley, and Kathryn Kadous, Audits of Complex Estimates as
Verification of Management Numbers: How Institutional Pressures
Shape Practice, 32 Contemporary Accounting Research 833 (2015);
Nathan H. Cannon and Jean C. Bedard, Auditing Challenging Fair Value
Measurements: Evidence from the Field, 92 The Accounting Review 81
(2017); Steven M. Glover, Mark H. Taylor, and Yi-Jing Wu, Current
Practices and Challenges in Auditing Fair Value Measurements and
Complex Estimates: Implications for Auditing Standards and the
Academy, 36 Auditing: A Journal of Practice & Theory 63 (2017); J.
Efrim Boritz, Natalia Kochetova-Kozloski, and Linda Robinson, Are
Fraud Specialists Relatively More Effective than Auditors at
Modifying Audit Programs in the Presence of Fraud Risk, 90 The
Accounting Review 881 (2015); Aleksandra ``Ally'' B. Zimmerman,
Dereck Barr-Pulliam, Joon-Suk Lee, and Miguel Minutti-Meza, 61
Journal of Accounting Research 1363 (2023).
\423\ See, e.g., W. Robert Knechel, Ann Vanstraelen, and Mikko
Zerni, Does the Identity of Engagement Partners Matter? An Analysis
of Audit Partner Reporting Decisions, 32 Contemporary Accounting
Research 1443 (2015); Yanyan Wang, Lisheng Yu, Yuping Zhao, The
Association between Audit-Partner Quality and Engagement Quality:
Evidence from Financial Report Misstatements, 34 Auditing: A Journal
of Practice & Theory 81 (2015); W. Robert Knechel, Lasse Niemi, and
Mikko Zerni, Empirical Evidence on the Implicit Determinants of
Compensation in Big 4 Audit Partnerships, 51 Journal of Accounting
Research 349 (2013); Simon Dekeyser, Ann Gaeremynck, W. Robert
Knechel, and Marleen Willekens, The Impact of Partners' Economic
Incentives on Audit Quality in Big 4 Partnerships, 96 The Accounting
Review 129 (2021); Herman Van Brenk, Barbara Majoor, and Arnold M.
Wright, The Effects of Profit-Sharing Plans, Client Importance, and
Reinforcement Sensitivity on Audit Quality, 40 Auditing: A Journal
of Practice & Theory 107 (2021).
\424\ See, e.g., Erik L. Beardsley, Andrew J. Imdieke, and
Thomas C. Omer, The Distraction Effect of Non-audit Services on
Audit Quality, 71 Journal of Accounting and Economics 1 (2021); Dain
C. Donelson, Matthew Ege, Andrew J. Imdieke, and Eldar Maksymov, The
Revival of Large Consulting Practices at the Big 4 and Audit
Quality, 87 Accounting, Organizations and Society 1 (2020).
\425\ See, e.g., Daniel Aobdia, The Impact of the PCAOB
Individual Engagement Inspection Process--Preliminary Evidence, 93
The Accounting Review 53 (2018); Inder K. Khurana, Nathan G.
Lundstrom, and K.K. Raman, PCAOB Inspections and the Differential
Audit Quality Effect for Big 4 and Non-Big 4 US Auditors, 38
Contemporary Accounting Research 376 (2021); Lindsay M. Johnson,
Marsha B. Keune, and Jennifer Winchel, U.S. Auditors' Perceptions of
the PCAOB Inspection Process: A Behavioral Examination, 36
Contemporary Accounting Research 1540 (2019); Kimberly D.
Westermann, Jeffrey Cohen, and Greg Trompeter, PCAOB Inspections:
Public Accounting Firms on ``Trial'', 36 Contemporary Accounting
Research 694 (2019); Bradley E. Hendricks, Wayne R. Landsman, and F.
Pe[ntilde]a-Romera, The Revolving Door between Large Audit Firms and
the PCAOB: Implications for Future Inspection Reports and Audit
Quality, 97 The Accounting Review 261 (2022).
---------------------------------------------------------------------------

5. Assumptions Regarding the Baseline
Absent the requirements, the Board believes that many firms would
continue to design and implement new QC policies and procedures or
modify existing QC policies and procedures in response to evolving
audit market conditions, technological advances, PCAOB oversight
activities, internal monitoring, and actions of other standard
setters.\426\ The Board believes that most firms have either
implemented ISQM 1 or will implement SQMS 1 when it goes into effect.
PCAOB-registered firms with an international presence or that are part
of a global network will likely find it efficient to design and
implement a QC system that complies with both PCAOB standards and ISQM
1 and have that

[[Page 49709]]

system operate over their entire assurance practice. For similar
reasons, PCAOB-registered firms with a private company audit practice
will likely find it efficient to design and implement a QC system that
complies with both PCAOB standards and SQMS 1 and have that system
operate over their entire assurance practice.
---------------------------------------------------------------------------

\426\ See above for additional background on the actions of
other standard setters.
---------------------------------------------------------------------------

Supporting that view, comment letters on the proposing release
suggest that some firms have already designed and implemented, or are
in the process of designing and implementing, QC policies and
procedures consistent with the requirements of other QC standards. For
example, one commenter said that nearly all firms are subject to
multiple QC standards, including ISQM 1. Another commenter said that
firms in Europe have invested heavily to implement ISQM 1. Another
commenter said that nearly all firms that will need to adopt QC 1000
are also subject to other QC standards, including ISQM 1 and SQMS 1,
and that firms have already invested significant time and resources to
comply with them. Another commenter presented its recent survey
research that finds firms have started to prepare for ISQM 1 and SQMS 1
implementation but that there is variation in their level of
preparedness.\427\ Overall, the comments indicate that firms have made
progress implementing the quality control standards of other standard
setters.
---------------------------------------------------------------------------

\427\ See Christie Hayne, Market E. Peecher, Jeff Pickerd, and
Yuepin (Daniel) Zhou, Managing Quality Control Systems: How Audit
Firms Experience and Navigate Conflicting Institutional Demands,
available at https://ssrn.com/abstract=4339512.
---------------------------------------------------------------------------

The Board's view is also informed by several public information
sources. First, the AICPA website indicates that most registered firms
that are headquartered in the U.S. were reviewed as part of the AICPA's
Peer Review program since 2019, and therefore were required to comply
with AICPA QC standards at that time.\428\ Second, among the U.S.-
headquartered firms that signed an issuer or broker-dealer audit
opinion in 2021 but were not peer reviewed since 2019, most indicate on
their web page that they perform audits or tax services that require
them to comply with AICPA QC standards. Third, most foreign
jurisdictions require companies to have a statutory audit performed,
which the Board believes suggests that most registered firms
headquartered in foreign jurisdictions likely perform audits under
IAASB QC standards. Finally, firms' annual reports filed with the PCAOB
on Form 2 for the April 1, 2022, through March 31, 2023, reporting
period indicate that most firms collected fees for services aside from
the performance of issuer audits and therefore may have performed
services subject to AICPA or IAASB QC standards during that time.
Overall, the Board believes these public information sources support
its view that most firms will be complying with either ISQM 1 or SQMS
1. Furthermore, most firms that will not be complying with ISQM 1 or
SQMS 1 will likely be scaled-applicability firms and therefore less
impacted by the requirements.
---------------------------------------------------------------------------

\428\ See AICPA Peer Review web page, available at https://us.aicpa.org/interestareas/peerreview.
---------------------------------------------------------------------------

Need

1. Introduction and summary
This section discusses the problem that the requirements are
intended to address and explains how the requirements address it.
Overall, three observations suggest that there is a problem that the
requirements will help to address:
Under current PCAOB QC standards, a firm's QC system is
required to provide reasonable assurance that the firm's personnel
comply with applicable professional standards, regulatory requirements,
and the firm's standards of quality.\429\ However, the audit market
does not currently provide sufficient incentives for all firms to
design, implement, and operate QC systems that achieve this requirement
on a consistent basis.
---------------------------------------------------------------------------

\429\ See above for more discussion of current QC requirements.
---------------------------------------------------------------------------

Current PCAOB QC standards contain higher-level principles
and do not directly address recent developments in QC. As a result, the
current regulatory baseline is not rigorous enough to sufficiently
support PCAOB oversight, further undermining firms' and individuals'
incentives to provide the required reasonable assurance.
The lack of incentives to provide the required reasonable
assurance is evidenced by the prevalence of audit performance
deficiencies--i.e., Part I.A deficiencies and QC deficiencies related
to audit performance discussed above--which, as noted in the first two
observations above, suggest that some firms' QC systems are not
providing the required reasonable assurance.
The requirements of QC 1000 will help address the problem by
establishing three overarching features, which are discussed further
below:
The requirements mandate firms' QC systems to more
proactively assess risks and monitor and remediate deficiencies.
The requirements improve accountability within firms with
respect to the reasonable assurance objective.
The requirements use more precise language and include
more prescriptive requirements in key areas to reflect best practices.
2. The Audit Market Does Not Provide Sufficient Incentives for All
Firms To Design, Implement, and Operate QC Systems That Provide
Reasonable Assurance
A diverse set of investors and other financial statement users need
and request high quality audits. However, due to the presence of
asymmetric information \430\ and positive externalities \431\ in the
audit market, there are not sufficient incentives for all firms to
design, implement, and operate QC systems that provide reasonable
assurance that a firm's personnel comply with applicable professional
standards, regulatory requirements, and the firm's standards of
quality. This lack of incentives can lead to an inefficient allocation
of audit services as described in the following paragraphs.
---------------------------------------------------------------------------

\430\ See N. Gregory Mankiw, Principles of Economics 468 (6th
ed. 2008) (``A difference in access to relevant knowledge is called
an information asymmetry.'').
\431\ See Mankiw, Principles of Economics 196 (``An externality
arises when a person engages in an activity that influences the
well-being of a bystander but neither pays nor receives any
compensation for that effect. . . If it is beneficial, it is called
a positive externality.'').
---------------------------------------------------------------------------

Investors and other financial statement users cannot easily observe
the services performed by an auditor. This information asymmetry
creates a risk that, unbeknownst to investors and other financial
statement users, auditors may under-audit and gather insufficient audit
evidence to support their opinion or may otherwise depart from
applicable requirements. Economic theory refers to this effect as moral
hazard.\432\ While this may enable the auditor to do less work and
reduce potential conflicts with company management and may therefore
lead to short-run benefits for the auditor, it may also lead to a net
welfare loss in the audit market as a whole.\433\
---------------------------------------------------------------------------

\432\ See, e.g., Mankiw, Principles of Economics 468 (``Moral
hazard is a problem that arises when one person, called an agent, is
performing some task on behalf of another person, called the
principal. If the principal cannot perfectly monitor the agent's
behavior, the agent tends to undertake less effort than the
principal considers desirable.'').
\433\ See, e.g., Mankiw, Principles of Economics 145 (``Consumer
surplus and producer surplus are the basic tools that economists use
to study the welfare of buyers and sellers in a market. Consumer
surplus is the benefit that buyers receive from participating in a
market, and producer surplus is the benefit that sellers receive. It
is therefore natural to use total surplus as a measure of society's
economic well-being. . .Total surplus in a market is the total value
to buyers of the goods, as measured by their willingness to pay,
minus the total cost to sellers of providing those goods.'').

---------------------------------------------------------------------------

[[Page 49710]]

A positive externality inherent to the current audit market may
exacerbate this risk. The services of an auditor provide benefits to a
variety of investors and financial statement users, including current
shareholders, potential shareholders, investors in other companies,
creditors, and regulators, among others. However, auditors do not
bargain with all of these parties. Rather, Sarbanes-Oxley requires that
the audit committee be responsible for the appointment, compensation,
and retention of the auditor.\434\ In practice, company management may
also play a role through its influence over the audit committee.\435\
This creates a de facto principal-agent relationship between the
company and the auditor. Moreover, some beneficiaries of the auditor's
work (e.g., investors generally, who benefit from overall confidence in
the quality of financial information provided to the market) may have
no influence on the auditor at all. Economic theory suggests that, in
the presence of positive externalities such as these, markets may
undersupply goods or services.\436\ As a result, the positive
externality in the audit market may create an additional risk that
auditors may gather insufficient audit evidence to support their
opinion or otherwise depart from applicable requirements.
---------------------------------------------------------------------------

\434\ See section 301 of Sarbanes-Oxley, 15 U.S.C 78j-1.
\435\ See, e.g., Liesbeth Bruynseels and Eddy Cardinaels, The
Audit Committee: Management Watchdog or Personal Friend of the CEO?,
89 The Accounting Review 113 (2014) (finding that social ties
between management and the audit committee are present in 39% of the
companies in their sample and ``may reduce the quality of the audit
committee's oversight'').
\436\ See, e.g., Mankiw, Principles of Economics 200, 201 (``In
the presence of a positive externality, the social value of the good
exceeds the private value. The optimal quantity is therefore larger
than the equilibrium quantity . . . Positive externalities lead
markets to produce a smaller quantity than is socially
desirable.'').
---------------------------------------------------------------------------

A firm also faces its own management challenges in implementing its
desired service, economic, and regulatory compliance objectives.
Individual offices or personnel may have incentives that diverge from
the firm's collective best interest. For example, some research
suggests that certain partners or offices may be commercially dependent
on particular clients and may be willing to take risks to retain those
clients that the firm as a whole would not--a form of free riding on
the firm's reputation and capacity to absorb potential litigation
costs.\437\ In addition, research suggests that an audit firm's QC
system is essential to increase audit effort and audit quality because
it aligns incentives of individual partners with those of the
firm.\438\ Even if QC systems were able to align the incentives of
individual offices and personnel to the firm's collective best
interest, some research suggests that behavioral biases (e.g.,
confirmation bias, over-optimism, and anchoring bias) may lead offices
or personnel to act in ways contrary to both their own self-interest
and the firm's collective best interest.\439\ One commenter presented
its recent unpublished survey research regarding challenges firms face
when implementing changes to their QC systems. The commenter reported
that challenges include obtaining buy-in and acceptance from staff as
well as managing different perspectives from various offices.\440\
---------------------------------------------------------------------------

\437\ See, e.g., Robert A. Prentice, The Case of the Irrational
Auditor: A Behavioral Insight into Securities Fraud Litigation, 95
Northwestern University Law Review 133 (2000).
\438\ See, e.g., Daniel Aobdia, The Economic Consequences of
Audit Firms' Quality Control System Deficiencies, 66 Management
Science 2883 (2019).
\439\ See, e.g., Prentice, The Case of the Irrational Auditor
133, 162.
\440\ See Hayne, et al., Managing Quality Control Systems.
---------------------------------------------------------------------------

Some firms may manage these challenges by adopting centralized
control practices that may have ambiguous impacts on their QC systems.
For example, academic research suggests that firms carefully screen new
partners to act in the best interest of the firm\441\ and emphasize
meeting engagement budgets--an easily monitored metric that ties
directly to profitability.\442\ One commenter asserted that audit
firms' financial incentives to operate too lean undermine audit
quality. Investors and other financial statement users may have trouble
monitoring how firms incentivize, implement, and monitor compliance
with applicable professional requirements. These monitoring challenges,
as well as the lack of specificity in current PCAOB QC standards, give
firms the flexibility to design, implement, and operate QC systems that
may not fully meet the needs of investors and other financial statement
users.
---------------------------------------------------------------------------

\441\ See, e.g., C. J. McNair, Proper Compromises: The
Management Control Dilemma in Public Accounting and its Impact on
Auditor Behavior, 16 Accounting, Organizations and Society 635
(1991).
\442\ See, e.g., Bernard Pierce and Breda Sweeney, Cost-Quality
Conflict in Audit Firms: An Empirical Investigation, 13 European
Accounting Review 415 (2004).
---------------------------------------------------------------------------

In the absence of sufficient market incentives to achieve an
efficient allocation of audit services,\443\ regulatory intervention
can introduce incentives that generate changes in behavior and impact
audit quality.\444\ For example, economic research suggests that
auditing standards play a role in determining the amount of effort an
auditor exerts, which ultimately impacts audit quality.\445\ In
addition, auditing standards can introduce incentives by providing a
baseline against which an auditor manages legal liability.\446\
Auditing standards also provide a benchmark for regulatory inspections
and enforcement actions that introduce incentives for firms to initiate
changes that impact audit

[[Page 49711]]

quality.\447\ Moreover, research suggests that PCAOB Part II inspection
findings introduce strong incentives for firms to make changes
necessary to remediate QC deficiencies in order to avoid public
disclosure of the deficiencies.\448\
---------------------------------------------------------------------------

\443\ An efficient allocation of resources occurs when total
surplus is maximized. Total surplus is maximized when the good or
service in question is supplied until the marginal benefit is equal
to the marginal cost. See Mankiw, Principles of Economics 146-148.
\444\ See, e.g., W. Robert Knechel, Do Auditing Standards
Matter?, 7 Current Issues in Auditing A1 (2013) (explaining that
auditing standards send a message to auditors that it is
inappropriate to intentionally under-audit, regardless of
incentives). Note that QC standards are not auditing standards but
that auditing standards are a closely related form of regulatory
intervention. Also, academic research suggests that a positive
association among standard setting, auditor effort, and audit
quality depends on a number of factors. See, e.g., Pingyang Gao and
Gaoqing Zhang, Auditing Standards, Professional Judgment, and Audit
Quality, 94 The Accounting Review 201 (2019) (showing that auditing
standards can help align auditor incentives with investor interests
by compelling the auditor to exert more effort, which improves audit
quality, but that auditing standards can weaken the auditor's
incentive to acquire expertise, which reduces audit quality); Mark
DeFond and Jieying Zhang, A Review of Archival Auditing Research, 58
Journal of Accounting and Economics 275 (2014) (concluding that the
effectiveness of auditing standard setting is difficult to gauge
since it involves broader consideration of the social welfare of all
stakeholders).
\445\ See, e.g., Marleen Willekens and Dan A. Simunic, Precision
in Auditing Standards: Effects on Auditor and Director Liability and
the Supply and Demand for Audit Services, 37 Accounting and Business
Research 217 (2007) (showing that decreasing the precision of
auditing standards initially incentivizes auditors to produce higher
audit quality by exerting more effort but that decreasing precision
beyond a certain point leads auditors to decrease effort).
\446\ See, e.g., Ronald A. Dye, Auditing Standards, Legal
Liability, and Auditor Wealth, 101 Journal of Political Economy 887
(1993) (showing that an auditor who intends to comply with standards
typically prefers higher standards when the auditor's personal
wealth is observable by potential litigants but prefers lower
standards when the auditor's wealth is unobservable); Causholli and
Knechel, An Examination of the Credence 631 (explaining that
regulation and litigation play an important role in shaping the
audit process and an auditor's behavior); Knechel, Do Auditing
Standards A1 (explaining that auditing standards can influence the
likelihood and extent of under-auditing by providing a basis for
auditor liability that is an increasing function of the extent to
which auditor effort falls short of the standard-compliant level).
\447\ See, e.g., Aobdia, The Impact of the PCAOB Individual 53
(finding that firms take corrective action on engagements with PCAOB
Part I inspection findings and the effects spillover to non-
inspected engagements); Phillip T. Lamoreaux, Michael Mowchan, and
Wei Zhang, Does Public Company Accounting Oversight Board Regulatory
Enforcement Deter Low-Quality Audits?, 98 The Accounting Review 335
(2023) (finding that large audit firm offices improve audit quality
following enforcement naming another office within their firm while
small firm offices improve following enforcement of local small firm
competitors).
\448\ See, e.g., Aobdia, The Economic Consequences 2883.
---------------------------------------------------------------------------

3. Current PCAOB QC Standards Do Not Directly Address Recent QC
Developments
Developments in the auditing environment since the development of
the current PCAOB QC standards by the AICPA and subsequent adoption of
these standards on an interim basis by the Board are discussed above.
In brief and as discussed above, the audit market has changed
significantly since the AICPA developed the current PCAOB QC standards
in 1997. At that time, the audit market was largely self-regulated by
firms and QC inspections were performed through a peer review program.
Since then, PCAOB oversight has led firms to address deficiencies
identified during inspections, including making changes to their QC
systems to remediate QC deficiencies.\449\ There have also been
significant developments in the use of technology by firms in relation
to QC activities and performing engagements. Some firm management and
organizational structures have also evolved to include more focus on
centralization and a globally consistent methodology. Some firms have
strengthened their approaches to firm governance and leadership,
incentive systems, and accountability. In addition, thought leadership
in quality management has advanced,\450\ as have the QC standards
adopted by other standard setters.
---------------------------------------------------------------------------

\449\ See discussion on the developments in firms' QC policies
and procedures within the baseline discussion above.
\450\ See, e.g., COSO, ISO 9000, and the audit firm governance
codes of the UK Financial Reporting Council and Japan Financial
Services Agency.
---------------------------------------------------------------------------

The current PCAOB QC standards are based on the higher-level
principles described above and do not directly address the developments
described in the previous paragraph. While research suggests that PCAOB
oversight is associated with higher audit quality,\451\ the current
PCAOB QC standards were not written with a view to inspection and
enforcement by a regulator. As a result, the current PCAOB QC standards
yield a regulatory baseline that is not rigorous enough to sufficiently
support the Board's ability to address audit performance deficiencies
through PCAOB inspection and enforcement activities related to firms'
QC systems. For example, some firms have added external parties to
oversight roles as described above, but current PCAOB QC standards
contain limited references to firm governance and leadership. At the
same time, the current PCAOB QC standards do not provide sufficiently
specific requirements to directly incentivize firms and individuals to
establish and implement QC policies and procedures that achieve the
reasonable assurance objective as evidenced by the prevalence of audit
performance deficiencies.
---------------------------------------------------------------------------

\451\ See, e.g., Albert L. Nagy, PCAOB Quality Control
Inspection Reports and Auditor Reputation, 33 Auditing: A Journal of
Practice & Theory 87 (2014) (concluding that audit firms lose market
share following public disclosure of PCAOB Part II inspection
findings, suggesting that disclosure provides a credible signal of
auditor quality). The results from this study that suggests a
positive association between PCAOB oversight and audit quality does
not necessarily mean that PCAOB oversight causes higher audit
quality.
---------------------------------------------------------------------------

4. Prevalence of Audit Performance Deficiencies
The three proxies for the level of compliance with applicable
professional standards discussed above--i.e., Part I.A deficiencies, QC
deficiencies related to audit performance, and deficiencies arising
during inspections of broker-dealer engagements--as well as the recent
PCAOB enforcement actions discussed above suggest that some firms' QC
systems are not providing reasonable assurance as required under
current PCAOB QC standards.\452\ To be sure, this analysis of PCAOB
inspection activities does suggest that some improvements in audit
performance have followed from remedial changes firms have made to
their QC systems \453\ and that some firms have already reduced the
number of QC deficiencies related to management of their audit
practice.\454\ However, the Board continues to observe high rates of
audit performance deficiencies \455\ and believes that a new QC
standard will address these audit performance deficiencies because the
new standard will incentivize firms to design, implement, and operate
effective QC systems.
---------------------------------------------------------------------------

\452\ See Background discussion above for more discussion of
current regulatory requirements.
\453\ This point is discussed more fully in below.
\454\ See Figure 5 above.
\455\ See Figures 1 and 3 above.
---------------------------------------------------------------------------

5. How the Requirements Address the Need
The requirements provide substantial additional direction to firms
regarding the design, implementation, and operation of their QC systems
that the Board believes address the need for standard-setting. Three
overarching features of the requirements help address the problem. The
first feature pertains to the mandate for a more integrated, proactive,
and risk-based QC system. The second pertains to the enhancements to
accountability within the firm to achieve the reasonable assurance
objective. The third pertains to more precise language and more
prescriptive requirements in several key areas.
Regarding the first feature, the new risk assessment process,
coupled with a detailed monitoring and remediation process, form a
feedback loop designed to foster a proactive approach to QC that drives
continuous improvement. For example, the risk assessment process
requires the firm to obtain an understanding of the conditions, events,
and activities that may adversely affect the achievement of its quality
objectives; identify and assess quality risks; and then design and
implement quality responses. The monitoring and remediation process
will help the firm evaluate whether the QC system is working
effectively in practice. This more proactive approach to QC should help
address the positive externality problem in the audit market by leading
firms to implement QC systems that more consistently satisfy the
interests of all beneficiaries of the audit. Additionally, as discussed
above, information asymmetry may cause investors and other financial
statement users not to have sufficient information to understand
whether their issuer's audit firm has an effective QC system that
consistently produces high-quality audits, and investors and other
financial statement users may not have a sufficient voice in the
financial reporting ecosystem to be able to demand or incentivize audit
firms to implement one. Requiring the auditor to implement a robust QC
system substitutes a compliance incentive for the insufficient market
incentive.
Regarding the second feature, the Board believes QC 1000 will
improve accountability within the firm to achieve the reasonable
assurance objective. Several of the requirements that improve
accountability within the firm address the positive externality

[[Page 49712]]

problem directly by leading firms to implement QC systems that more
consistently satisfy the interests of all beneficiaries of the audit.
For example, QC 1000 requires the firm to document and assign roles and
responsibilities; communicate information related to the monitoring and
remediation process to firm personnel to enable them to take timely
action in accordance with their responsibilities; and establish a
quality objective to incentivize individuals to fulfill their assigned
responsibilities, through means such as performance evaluations and
compensation. Leadership will also be accountable for the design,
implementation, and operation of the firm's QC system, including
through means such as their performance evaluation and compensation,
and the firm will be required to establish a quality objective that
leadership communicate and promote the firm's role in protecting the
interests of investors and the public interest. The requirements that
improve accountability within the firm will help address the
information asymmetry problem by requiring the firm's QC system to
operate over any public reporting regarding firm or engagement metrics
that the firm provides.\456\ Overall, this second feature reinforces
the first through an additional incentive that is personal to
responsible individuals within the firm and reinforces the general
incentives for the firm to comply with the standard.
---------------------------------------------------------------------------

\456\ See PCAOB Rel. No. 2024-002 and PCAOB Rel. No. 2024-003.
---------------------------------------------------------------------------

Regarding the third feature, while the requirements provide
substantial additional guidance to firms regarding the design,
implementation, and operation of their QC systems, QC 1000 also
provides more precise and prescriptive requirements that will enhance
the Board's ability to inspect and enforce and incentivize firms to
design, implement, and operate effective QC systems. For example, QC
1000 includes more unconditional responsibilities than current PCAOB QC
standards and specifies precise conditions under which a firm must
design, implement, and operate an effective QC system. Together with
the features described above--i.e., a more integrated, proactive, and
risk-based QC system and enhanced accountability within the firm to
achieve the reasonable assurance objective--these features establish a
regulatory baseline that more directly incentivizes firms and
individuals to comply in order to avoid enforcement.

Economic Impacts

This section discusses the expected benefits and costs, and the
potential unintended consequences, that may result from the
requirements. The expected impacts of several key provisions are
highlighted. These provisions relate to:
Scaled applicability;
In-process monitoring activities;
Firm governance structure;
The automated independence process;
Complaints and allegations policies and procedures;
Reporting the annual QC system evaluation;
Certification of the annual QC system evaluation;
Responding to engagement deficiencies identified after
issuance of the audit report; and
SECPS requirements.
While the analysis of economic impacts is largely qualitative in
nature due to data limitations, the analysis does, in part, use PCAOB
inspections data to help evaluate the expected benefits. Technical
details regarding the quantitative analysis of the expected benefits
are included in a separate staff white paper.\457\
---------------------------------------------------------------------------

\457\ See PCAOB, Staff White Paper, The Impact of Quality
Control System Remediation on Audit Performance and Financial
Reporting Quality (Nov. 18, 2022), (``QC White Paper''), available
at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/qc-staff-white-paper-november-2022.pdf?sfvrsn=ddb22504_4.
---------------------------------------------------------------------------

The economic impacts of the requirements will arise out of changes
firms will make to their QC systems that they would not otherwise make
but for the requirements. As discussed above, the Board expects that,
absent the requirements, many firms would continue to make changes to
their QC systems in response to evolving audit market conditions,
advances in technology, PCAOB oversight activity, internal monitoring,
and the actions of other standard setters. This attenuates both the
benefits and the costs attributable to the requirements.
1. Benefits
The expected benefits of the requirements are described using four
complementary views: (1) the benefits of quality management frameworks
generally; (2) the direct benefits of the requirements in the form of
improved compliance with applicable professional and legal
requirements; (3) the indirect benefits of the requirements in the form
of improved financial reporting quality and capital market efficiency;
and (4) the benefits of key provisions.
a. Benefits of Related Frameworks
QC 1000 bears resemblance to existing quality management and
enterprise risk management frameworks (e.g., ISO 9000 and COSO). These
frameworks share several features in common with QC 1000, including
embedding risk in decision making, proactive involvement of leadership,
clearly defined objectives, objective-oriented processes, monitoring,
and remediation. Using a variety of proxies (e.g., market reaction),
academic research has found that these frameworks improve company
performance.\458\ In particular, researchers have found that the COSO
framework--the closest antecedent to QC 1000--effectively improves
financial reporting.\459\ Similarly, research finds that markets
penalize public companies with weaker internal control systems and
reward the remediation of those weaknesses.\460\ While differences
between QC 1000 and existing frameworks as well as differences between
audit firms and other companies may limit the relevance of this
research to some extent, this research suggests that QC 1000 may help
firms design, implement, and operate more effective QC systems.
---------------------------------------------------------------------------

\458\ See, e.g., I[ntilde]aki Heras[hyphen]Saizarbitoria and
Olivier Boiral, ISO 9001 and ISO 14001: Towards a Research Agenda on
Management System Standards, 15 International Journal of Management
Reviews 47 (2013); Robert E. Hoyt and Andre P. Liebenberg, The Value
of Enterprise Risk Management, 78 Journal of Risk and Insurance 795
(2011).
\459\ See, e.g., Hanwen Chen, Wang Dong, Hongling Han, and Nan
Zhou, A Comprehensive and Quantitative Internal Control Index:
Construction, Validation, and Impact, 49 Review of Quantitative
Finance and Accounting 337 (2017); Ifeoma Udeh, Observed
Effectiveness of the COSO 2013 Framework, 16 Journal of Accounting &
Organizational Change 31 (2020).
\460\ See, e.g., Hollis Ashbaugh[hyphen]Skaife, Daniel W.
Collins, William R. Kinney, Jr., and Ryan Lafond, The Effect of SOX
Internal Control Deficiencies on Firm Risk and Cost of Equity, 47
Journal of Accounting Research 1 (2009).
---------------------------------------------------------------------------

b. Improved Compliance With Applicable Professional and Legal
Requirements
The Board expects the requirements will benefit investors and other
financial statement users by improving compliance with applicable
professional and legal requirements via a more detailed QC standard. As
described above, the requirements are expected to achieve this through
three principal mechanisms. First, they explicitly connect the
components of the QC system into an integrated cycle of risk
assessment, performance monitoring, and remediation. Second, several of
the new requirements will support the effectiveness of QC systems by

[[Page 49713]]

emphasizing accountability to the reasonable assurance objective.
Third, more precise and prescriptive requirements will enhance the
Board's ability to inspect and enforce. Broker-dealer engagements and
issuer audits performed by firms other than U.S. GNFs may see more
improvement because they appear to have more room for improvement on
average. However, the recent uptick in deficiencies for U.S. GNFs
suggests that QC 1000 will also be a valuable resource for these firms
to address those deficiencies and, thus, further protect investors.
Some commenters described how a risk-based QC standard would
improve audit quality. However, one commenter argued that the
requirements are too risk-based (e.g., they could result in too little
change at the larger firms) and suggested an even stronger prescriptive
approach to certain aspects of the standard (e.g., training and
supervision). The Board believes the standard reflects a balanced
approach that includes prescriptive requirements where appropriate.
PCAOB staff analysis of PCAOB inspections data supports the view
that more effective QC policies and procedures will lead to improved
compliance with applicable professional and legal requirements. Staff
examined the historical association between satisfactory remediation of
QC deficiencies and subsequent Part I.A deficiencies for triennial
firms. Satisfactory remediation of a QC deficiency reflects substantial
good-faith progress toward achieving a quality control objective.\461\
As such, an association between historical satisfactory remediation
efforts and a subsequent decrease in Part I.A deficiencies would
suggest that more effective QC policies and procedures lead to improved
compliance with applicable professional and legal requirements. After
controlling for auditor and issuer characteristics that may also drive
Part I.A deficiencies using standard statistical techniques, the staff
analysis indicates that, on average, satisfactory remediation is
associated with reduced likelihood of subsequent Part I.A deficiencies.
This suggests that more effective QC policies and procedures may lead
to improved compliance with applicable professional and legal
requirements.\462\ One commenter reported observing that satisfactory
remediation of QC deficiencies results in fewer audit failures and
asserted that this was in line with certain key findings of the staff
analysis.
---------------------------------------------------------------------------

\461\ See Staff Guidance Concerning the Remediation Process
(Nov. 18, 2013), available at https://pcaobus.org/Inspections/Pages/Remediation_Process.aspx.
\462\ For additional details, including definitions of all
control variables, see QC White Paper.
---------------------------------------------------------------------------

The staff analysis is subject to several important caveats. First,
remedial actions typically target specific aspects of a firm's QC
system. By contrast, implementation of QC 1000 may require a broader
set of changes. Second, due to the transformational nature of QC 1000,
the changes firms will make to their QC systems could be substantially
different from firms' historical satisfactory remedial actions. Third,
U.S. GNFs were intentionally excluded from the analysis, potentially
limiting its applicability to the U.S. GNFs. However, though
association does not imply causation, the historical association
between the number of QC deficiencies related to U.S. GNFs' management
of their audit practice \463\ and U.S. GNFs' compliance with applicable
professional standards \464\ suggests that, even among the U.S. GNFs,
more effective QC systems could lead to improved compliance with
applicable professional and legal requirements.\465\ Overall, the Board
expects the association between satisfactory remediation and subsequent
Part I.A deficiencies among triennial firms more likely understates the
impact of QC 1000 due to its transformational nature.
---------------------------------------------------------------------------

\463\ See Figure 5 above.
\464\ See Figures 1 and 3 above.
\465\ Several nuances of smaller firms' QC systems and the PCAOB
inspections process may explain the absence of such an association
for these firms. First, although there is a downward trend in QC
deficiencies related to management of the audit practice (Figure 5
above), smaller firms' QC systems may be deficient in certain
important respects that render them less effective overall. Second,
the roughly increasing trend in QC deficiencies related to audit
performance for the smallest firms (Figure 3 above) may be driven in
part by deficiencies in the application of new auditing requirements
by these firms. Third, the inspection approach to QC assessments for
the smaller firms is simplified and does not lend itself to such a
correlation analysis.
---------------------------------------------------------------------------

Observations from PCAOB inspections and academic research also
suggest that the requirements may improve compliance with applicable
professional and legal requirements. PCAOB inspectors have observed
that root cause analyses, effective design and implementation of
remedial actions, and appropriate governance practices related to
leadership's tone can drive audit quality,\466\ and one academic study
reports that, as perceptions of the strength of the QC system increase,
the likelihood of ``reduced audit quality behaviors'' decreases.\467\
These findings likewise support the view that the requirements, which
place greater emphasis on root cause analysis, remediation, and
governance practices, if successfully implemented, will lead to
improved compliance with applicable professional and legal
requirements.
---------------------------------------------------------------------------

\466\ See, e.g., 2018 Inspection Observations Preview
\467\ See, e.g., Charles F. Malone and Robin W. Roberts, Factors
Associated with the Incidence of Reduced Audit Quality Behaviors, 15
Auditing: A Journal of Practice & Theory 49 (1996).
---------------------------------------------------------------------------

c. Improved Financial Reporting Quality and Capital Market efficiency
Academic research provides evidence that compliance with auditing
standards is positively associated with proxies for financial reporting
quality.\468\ Research also finds a positive association between firms'
successful remediation of QC deficiencies--a proxy for adopting
effective QC system practices--and the financial reporting quality of
their issuer clients.\469\ PCAOB staff analysis also provides some
evidence that successful remediation may be associated with improved
financial reporting quality.\470\ The fact that the results from each
of these studies that suggest a positive association with financial
reporting quality does not necessarily mean that auditing standards or
remediation of deficiencies cause better financial reporting quality.
---------------------------------------------------------------------------

\468\ See, e.g., Daniel Aobdia, Do Practitioner Assessments
Agree with Academic Proxies for Audit Quality? Evidence from PCAOB
and Internal Inspections, 67 Journal of Accounting and Economics 144
(2019); Katherine A. Gunny and Tracey Chunqi Zhang, PCAOB Inspection
Reports and Audit Quality, 32 Journal of Accounting and Public
Policy 136 (2013).
\469\ See, e.g., Aobdia, The Economic Consequences 2883.
\470\ See QC White Paper.
---------------------------------------------------------------------------

Investors and other financial statement users may benefit from
improved issuer financial reporting quality because it helps solve
information asymmetries and agency problems inherent to capital
markets. Economic theory suggests that investors face a separation-of-
ownership-and-control problem whereby issuer management may
misappropriate investors' capital.\471\ Relevant and accurate financial
reporting can alleviate these problems by providing investors and other
financial statement users with more accurate information regarding the
financial position and operating results of companies. Investors may
use this information to improve the efficiency of their capital

[[Page 49714]]

allocation decisions (e.g., investors may more accurately identify
companies with the strongest prospects for generating future risk-
adjusted returns and allocate their capital accordingly). Investors may
also perceive less risk in capital markets generally, leading to an
increase in the supply of capital. An increase in the supply of capital
could increase capital formation while also reducing the cost of
capital to companies.\472\ While some uncertainty remains regarding the
economic impacts of financial reporting,\473\ empirical academic
research has affirmed this basic premise under certain conditions.\474\
Moreover, some studies have identified a direct association between
auditors' compliance with PCAOB standards and capital market
efficiency.\475\
---------------------------------------------------------------------------

\471\ See, e.g., Michael C. Jensen and William H. Meckling,
Theory of the Firm: Managerial Behavior, Agency Costs and Ownership
Structure, 3 Journal of Financial Economics 305 (1976); Adolf
Augustus Berle and Gardiner Coit Means, The Modern Corporation and
Private Property (1991).
\472\ See, e.g., Richard Lambert, Christian Leuz, and Robert E.
Verrecchia, Accounting Information, Disclosure, and the Cost of
Capital, 45 Journal of Accounting Research 385, 387 (2007)
(discussing how increasing the quality of mandated disclosures
should in general move the cost of capital to the risk-free rate for
all firms in the economy); William Robert Scott and Patricia C.
O'Brien, Financial Accounting Theory (2003), 412 (explaining that
regulation is intended to improve the operation of capital markets
by enhancing public confidence in their fairness).
\473\ See, e.g., Christian Leuz and Peter D. Wysocki, The
Economics of Disclosure and Financial Reporting Regulation: Evidence
and Suggestions for Future Research, 54 Journal of Accounting
Research 525 (2016) (explaining the relative rarity of evidence on
causal effects of disclosure and reporting regulation); Matthias
Breuer, Christian Leuz, and Steven Vanhaverbeke, Mandated Financial
Reporting and Corporate Innovation, No. w26291. National Bureau of
Economic Research (2020), at 41 (reporting evidence consistent with
the notion that mandatory reporting deters firms' incentives to
innovate and generate proprietary know-how because of concerns about
the loss of proprietary information).
\474\ See, e.g., Christian Leuz and Robert E. Verrecchia, The
Economic Consequences of Increased Disclosure, 38 Journal of
Accounting Research 91 (2000) (finding that German companies that
elect to commit to International Accounting Standards or U.S. GAAP
exhibit lower percentage bid-ask spreads and higher share turnover
than firms using German GAAP); Utpal Bhattacharya, Hazem Daouk, and
Michael Welker, The World Price of Earnings Opacity, 78 The
Accounting Review 641 (2003) (finding that an increase in overall
earnings opacity in a country is linked to an economically
significant increase in the cost of equity and an economically
significant decrease in trading in the stock market of that country
based on financial statements from 34 countries for the period 1984-
1998). Because U.S. institutions differ from other countries and the
studies pre-date Sarbanes-Oxley, the results may not be directly
relevant to all PCAOB-registered firms.
\475\ See, e.g., Nemit Shroff, Real Effects of PCAOB
International Inspections, 95 The Accounting Review 399 (2020).
---------------------------------------------------------------------------

The requirements may also lead to improved compliance with
applicable professional and legal requirements on broker-dealer audit
engagements and, in turn, improved financial reporting quality and
investor protection. An auditor's work on these engagements, if
appropriately performed, should make it more likely that a broker-
dealer will maintain appropriate controls over compliance and less
likely that there will be material reporting errors. The auditor's work
also has the potential to make it more difficult for broker-dealers to
engage in fraud and other misconduct. Improved broker-dealer financial
reporting quality also gives industry overseers, such as the SEC and
FINRA, as well as other users of broker-dealer financial information,
such as the Securities Investor Protection Corporation, more accurate
information relevant to a broker-dealer's financial condition, its
ability to continue as a going concern, and its handling of customer
securities and cash. This, in turn, enhances the ability of these
organizations to carry out their responsibilities in ways that protect
investors. Compliance with applicable professional and legal
requirements may also contribute to the early identification or
prevention of broker-dealer failures. Failures of large broker-dealers
can have a negative impact on the stability and liquidity of financial
markets, and failures caused by misconduct may damage investor
confidence. A reduction in such failures could help improve the
strength and safety of the financial system.
d. Benefits of Key Provisions
i. Scaled Applicability
QC 1000 will require that a firm implement and operate an effective
QC system at all times when the firm is required to comply with
applicable professional and legal requirements with respect to any of
the firm's engagements, and thereafter through the next September
30.\476\ The discussion above provides further information on this
provision. As of June 30, 2023, up to 60% of firms may not meet this
criterion but will be required to design a QC system in compliance with
QC 1000.\477\ Because registering with the PCAOB enables a firm to
issue audit reports or play a substantial role on audits performed
under PCAOB standards for issuers and broker-dealers, and because
investors and companies considering engaging the firm could reasonably
expect that any firm that could pursue such an engagement would already
have a PCAOB-compliant QC system designed and ready for implementation
and operation, the Board believes that imposing a design requirement on
all registered firms promotes its mission of protecting investors and
promoting the public interest. The Board also believes that designing
the QC system will better position these firms to accept and perform
engagements in compliance with applicable professional and legal
requirements to the extent that the firm will have a PCAOB-compliant QC
system ready for implementation and operation.
---------------------------------------------------------------------------

\476\ See QC 1000.07.
\477\ The 60% reported here is based on Form 2 reporting as of
June 30, 2023, and reflects registered firms that reported they had
not issued an audit report for an audit of an issuer or broker-
dealer or played a substantial role in such an engagement during the
preceding 12 months. As noted above, approximately 51% of firms have
not performed an engagement under PCAOB standards for an issuer or
broker-dealer in the past five years. The PCAOB does not collect
information about whether registered firms perform engagements under
PCAOB standards other than for issuers and broker-dealers. Firms may
be engaged, for example, in connection with the audit of a reporting
company that does not meet the Sarbanes-Oxley definition of
``issuer'' described in footnote 2 above, in connection with certain
offerings of securities that are exempt from registration under the
Securities Act (e.g., offerings under Regulation A, Regulation D, or
Regulation Crowdfunding), pursuant to a contractual obligation such
as a loan covenant, or on an entirely voluntary basis.
---------------------------------------------------------------------------

ii. In-Process Monitoring Activities
QC 1000 will require firms that issued audit reports with respect
to more than 100 issuers during the prior calendar year to monitor in-
process engagements and will require all other firms to consider
monitoring in-process engagements.\478\ The discussion above provides
further information on this provision. Monitoring in-process
engagements can help firms detect and prevent engagement deficiencies
before the engagement report is issued, resulting in a more proactive
and preventive monitoring approach that has the potential to benefit
investors through improved audit quality. The benefits will depend on
the extent to which firms already have in-process monitoring activities
in place. Information gathered through PCAOB inspection activities
indicates that 11 out of 14 annually inspected firms perform some in-
process engagement monitoring activities.
---------------------------------------------------------------------------

\478\ See QC 1000.63.
---------------------------------------------------------------------------

iii. Firm Governance Structure
QC 1000 will require firms that issued audit reports with respect
to more than 100 issuers during the prior calendar year to incorporate
into their governance structure an external oversight function for the
QC system composed of one or more persons who are not principals or
employees of the firm and do not otherwise have a commercial, familial,
or other relationship with the firm that would interfere with the
exercise of

[[Page 49715]]

independent judgment with regard to matters related to the QC system
(i.e., EQCF).\479\ The final standard specifies a baseline requirement
that the EQCF's responsibilities should include, at a minimum,
evaluating the significant judgments made and the related conclusions
reached by the firm when evaluating and reporting on the effectiveness
of its QC system. The discussion above provides further information on
this provision. Such an oversight function could reduce negative
impacts of commercial considerations on decision making by firms about
their QC system and thereby improve incentives to implement QC systems
that more fully meet the interests of investors and other financial
statement users. Some academic research finds that the level of board
of directors independence is associated with certain benefits, such as
improved operating performance and company value, which implies
independent oversight in a firm`s governance structure could
potentially improve the quality of audit services provided by the
firm.\480\
---------------------------------------------------------------------------

\479\ See QC 1000.28.
\480\ See, e.g., Anzhela Knyazeva, Diana Knyazeva, and Ronald W.
Masulis, The Supply of Corporate Directors and Board Independence,
26 The Review of Financial Studies 1561 (2013). Other academic
research indicates that a tradeoff of more independent board of
directors may be less efficient monitoring by directors. See, e.g.,
Praveen Kumar and K. Sivaramakrishnan, Who Monitors the Monitor? The
Effect of Board Independence on Executive Compensation and Firm
Value, 21 The Review of Financial Studies 1371 (2008).
---------------------------------------------------------------------------

iv. The Automated Independence Process
QC 1000 will require firms that issued audit reports with respect
to more than 100 issuers during the prior calendar year to automate the
process to identify investments in securities that might impair the
independence of the firm or firm personnel that are managerial
employees or partners, shareholders, members, or other principals.\481\
The discussion above provides further information on this provision.
Automating this process should help firms more effectively and
efficiently identify such investments. The automated process could also
indirectly improve compliance with other relevant independence
requirements. For example, automating this process may lead firms to
maintain and make available the list of restricted entities more
efficiently and effectively.
---------------------------------------------------------------------------

\481\ See QC 1000.34a.
---------------------------------------------------------------------------

v. Complaints and Allegations Policies and Procedures
QC 1000 will require firms to design, implement, and maintain
policies and procedures that address processes and responsibilities for
receiving, investigating, and addressing complaints and allegations and
include protecting persons making complaints and allegations from
retaliation.\482\ Firms that issued audit reports with respect to more
than 100 issuers during the prior calendar year will be required to
include confidentiality protections in their policies and procedures.
The discussion above provides further information on this provision.
Overall, the Board expects the policies and procedure regarding
complaints and allegations will help reduce information asymmetry
within the firm by alerting responsible individuals to instances of
non-compliance of which they may otherwise be unaware. Some academic
research suggests that the complaints and allegations provisions will
increase the likelihood that individuals will submit complaints and
allegations related to potential non-compliance. For example, one
survey of public company auditors finds that (1) greater protection of
individual identity and (2) trust that the firm would investigate and
act on a report are both positively associated with intention to report
non-compliance with auditing standards.\483\ A survey of accounting
students finds that a weaker threat of retaliation is positively
associated with the propensity to submit a complaint.\484\ The Board
acknowledges that some experimental research finds that explicit
protections may unintentionally deter internal complaints and
allegations because the protections signal to potential persons making
complaints that retaliation is a risk.\485\ However, overall, the Board
expects the complaints and allegations provisions will benefit
investors by reducing non-compliance with auditing standards and, thus,
improving audit quality.
---------------------------------------------------------------------------

\482\ See QC 1000.29.
\483\ See Mary B. Curtis and Eileen Z. Taylor, Whistleblowing in
Public Accounting: Influence of Identity Disclosure, Situational
Context, and Personal Characteristics, 9 Accounting and the Public
Interest 191 (2009).
\484\ See Gregory Liyanarachchi and Chris Newdick, The Impact of
Moral Reasoning and Retaliation on Whistle-Blowing, 89 Journal of
Business Ethics 37 (2009).
\485\ See James Wainberg and Stephen Perreault, Whistleblowing
in Audit Firms: Do Explicit Protections from Retaliation Activate
Implicit Threats of Reprisal?, 28 Behavioral Research in Accounting
83 (2016).
---------------------------------------------------------------------------

vi. Reporting the Annual QC System Evaluation
QC 1000 will require firms to report to the PCAOB about the annual
evaluation of their QC system.\486\ The discussion above provides
further information on this provision. This requirement will help the
Board obtain more timely, structured, and consistent information
regarding the effectiveness of firms' QC systems relative to what could
be gathered through the inspections process, especially for the
triennial firms. The Board will use this information to support its
oversight activities (e.g., to select firms, audits, or focus areas for
review). Reporting to the PCAOB will also improve incentives within a
firm to design, implement, and operate an effective QC system.
---------------------------------------------------------------------------

\486\ See QC 1000.79.
---------------------------------------------------------------------------

vii. Certification of the Annual QC System Evaluation
QC 1000 will require certain individuals in firms' leadership to
certify the annual evaluation of their firm's QC system.\487\ The
discussion above provides further information on this provision. This
requirement will help address the positive externality problem in the
audit market by creating greater accountability within firm leadership
to implement an effective QC system. As noted in the proposal, PCAOB
staff reviewed academic literature on the impacts of CEO and CFO
certification requirements in the U.S. and engagement partner signature
requirements in the United Kingdom and found both supportive and
unsupportive findings.\488\ One commenter noted academic research that
has found there is little, if any, effect of CEO and CFO certifications

[[Page 49716]]

required under Sarbanes-Oxley.\489\ Citing academic literature on
accountability frameworks, the same commenter noted that imposition of
accountability is largely positive \490\ but that the increased
accountability that would result from the certification requirement
could have negative consequences.\491\ As discussed below, the Board
acknowledges that increased accountability could lead to potential
unintended consequences. However, the Board continues to believe that
the certification requirement will benefit investors by increasing
discipline in the evaluation process and reinforcing the accountability
of the certifying individuals.
---------------------------------------------------------------------------

\487\ See QC 1000.14d. and .15b.
\488\ See, e.g., Daniel A. Cohen, Aiyesha Dey, and Thomas Z.
Lys, Corporate Governance Reform and Executive Incentive:
Implications for Investments and Risk Taking, 30 Contemporary
Accounting Research 1298 (2013) (finding that their sample of firms
significantly reduced investments in risky projects in the period
following SOX); Hsihui Chang, Jengfang Chen, Woody M. Liao, and
Birendra K. Mishra, CEOs'/CFOs' Swearing by the Numbers: Does it
Impact Share Price of the Firm?, 81 The Accounting Review 1, 22
(2006) (concluding that the SEC order requiring filing of sworn
statements by CEOs and CFOs had a positive effect on the market
value of certifying firms); Jeffrey R. Cohen, Colleen Hayes, Ganesh
Krishnamoorthy, Gary S. Monroe, and Arnold M. Wright, The
Effectiveness of SOX Regulation: An Interview Study of Corporate
Directors, 25 Behavioral Research in Accounting 61 (2013)
(discussing that CEO certification was viewed as having led to
heightened ownership and diligence on the part of decision agents
throughout the financial reporting decision hierarchy but was also
identified as a source of the costly resource-intensive reaction to
Sarbanes-Oxley).
\489\ See, e.g., Paul A. Griffin and David H. Lont, Taking the
Oath: Investor Response to SEC Certification Under Sarbanes-Oxley, 1
Journal of Contemporary Accounting & Economics 27 (2005); Gerald J.
Lobo and Jian Zhou, Did Conservatism in Financial Reporting Increase
after the Sarbanes-Oxley Act? Initial Evidence, 20 Accounting
Horizons 57 (2006); Utpal Bhattacharya, Peter Groznik, and Bruce
Haslem, Is CEO Certification of Earnings Numbers Value-Relevant?, 14
Journal of Empirical Finance 611 (2007).
\490\ See, e.g., Andrew Quinn and Barry R. Schlenker, Can
Accountability Produce Independence? Goals as Determinants of the
Impact of Accountability on Conformity, 28 Personality and Social
Psychology Bulletin 472 (2002); Virginia R. Stewart, Deirdre G.
Snyder, and Chia-Yu Kou, We Hold Ourselves Accountable: A Relational
View of Team Accountability, 183 Journal of Business Ethics 691
(2023); Angela T. Hall, Michael G. Bowen, Gerald R. Ferris, M. Todd
Royle, Dale E. Fitzgibbons, The Accountability Lens: A New Way to
View Management Issues, 50 Business Horizons 405 (2007); Marko
Pitesa and Stefan Thau, Masters of the Universe: How Power and
Accountability Influence Self-Serving Decisions under Moral Hazard,
98 Journal of Applied Psychology 550 (2013); Constantine Sedikides,
Deletha Hardin, Kenneth Herbst, and Gregory Dardis, Accountability
as a Deterrent to Self-Enhancement: The Search for Mechanisms, 83
Journal of Personality & Social Psychology 592 (2002).
\491\ See, e.g., Jennifer J. Dose and Richard J. Klimoski, Doing
the Right Thing in the Workplace: Responsibility in the Face of
Accountability, 8 Employee Responsibilities & Rights Journal 35
(1995); Jennifer S. Lerner and Philip E. Tetlock, Accounting for the
Effects of Accountability, 125 Psychological Bulletin 255 (1999);
Randall A. Gordon, Richard M. Rozelle, and James C. Baxter, The
Effect of Applicant Age, Job Level, and Accountability on
Perceptions of Female Job Applicants, 123 Journal of Psychology 59
(1989); Philip E. Tetlock, The Impact of Accountability on Judgment
and Choice: Toward a Social Contingency Model, 25 Advances in
Experimental Social Psychology 331 (1992); Angela T. Hall, Dwight D.
Frink, and M. Ronald Buckley, An Accountability Account: A Review
and Synthesis of the Theoretical and Empirical Research on Felt
Accountability, 38 Journal of Organizational Behavior 204 (2017);
Sheldon Adelberg and Daniel C. Batson, Accountability and Helping:
When Needs Exceed Resources, 36 Journal of Personality and Social
Psychology 343 (1978); Mark E. Peecher, Ira Solomon, and Ken T.
Trotman, An Accountability Framework for Financial Statement
Auditors and Related Research Questions, 38 Accounting,
Organizations and Society 596 (2013); Angela T. Hall, M. Todd Royle,
Robert A. Brymer, Pamela L. Perrew[eacute], Gerald R. Ferris and
Wayne A. Hochwarter, Relationships Between Felt Accountability as a
Stresser and Strain Reaction: The Neutralizing Role of Autonomy
Across Two Studies, 11 Journal of Occupational Health Psychology 87
(2006).
---------------------------------------------------------------------------

viii. Responding to Engagement Deficiencies Identified After Issuance
of the Audit Report
The amendments to AS 2901, Consideration of Omitted Procedures
After the Report Date, include: (1) addressing engagement deficiencies
in addition to omitted procedures and (2) including the ICFR audit
within its scope. Relatedly, the amendments to AT No. 1 and AT No. 2
mirror the amendments to AS 2901. The discussion above provides further
information on this provision. The Board expects these amendments will
lead auditors to perform additional procedures to obtain sufficient
appropriate evidence or take additional action to prevent future
reliance on insufficiently supported audit opinions (or review reports
in the case of review engagements) that are being relied on. In such
cases, PCAOB standards will require firms to advise their client to
make appropriate disclosure of the newly discovered facts and their
impact on the financial statements (or examination or review reports in
the case of attestation engagements) to persons who are known to be
currently relying or who are likely to rely on the financial statements
and the related auditor's report (or review report in the case of a
review engagement). Academic research on ICFR suggests that such
disclosures will be valuable to capital market participants with
improvements in company performance and financial reporting.\492\
---------------------------------------------------------------------------

\492\ See discussion on economic impacts above and the research
cited therein.
---------------------------------------------------------------------------

ix. SECPS Requirements
The requirements will refine, integrate into QC 1000, and extend to
all firms the SECPS member requirements currently required under PCAOB
Rule 3400T. Based on current registration data, approximately 13% of
PCAOB-registered firms are already subject to these requirements under
PCAOB Rule 3400T. The discussion above provides an overview of these
requirements. The Board expects that this feature of the rulemaking
will benefit investors by enhancing audit quality through improved
compliance with SEC and PCAOB independence rules on engagements
performed by firms not already subject to these requirements under
PCAOB Rule 3400T.
2. Costs
The Board expects the requirements will result in additional direct
and indirect costs to auditors and, potentially, indirect costs to the
companies that they audit. The extent of these costs will depend on the
degree to which firms otherwise have QC systems in place designed to
comply with other QC standards and the specific policies and procedures
adopted by the firm. The information presented above suggests that U.S.
GNFs commit hundreds of partner and non-partner FTEs to their QC
systems, including, individually, each of the major QC system
components specified in ISQM 1. Resources are particularly utilized in
the areas of independence, ethics, and resources. As discussed above,
the Board believes most firms are subject to other QC standards. In
designing, implementing, and operating their QC systems, firms that are
subject to both PCAOB standards and other QC standards can leverage the
investments they make to comply with the requirements of the other
standards. Therefore, the Board expects that a portion of the overall
costs of designing, implementing, and operating policies and procedures
to comply with QC 1000 have been or will be incurred by most firms
regardless of whether QC 1000 is adopted. As a consequence, for most
firms, the Board expects the costs discussed below will derive
primarily from the provisions in QC 1000 that go beyond the
requirements of other QC standards.
Several commenters noted there will be costs and challenges to
implement and operate features of QC 1000 that are incremental to the
systems firms have established to comply with other QC standards. One
commenter said that the need to accommodate nuances among different
standards results in firms maintaining different methodologies,
practices, and procedures that puts pressure on limited firm resources.
Several commenters asserted that firms that audit between 100 and 500
issuers will be significantly impacted by costs associated with some or
all of QC 1000's incremental requirements for firms that issue audit
reports for more than 100 issuers, and some of the commenters noted
resource differences between GNFs and annually inspected NAFs. Since QC
systems are resource-intensive, the efforts required to respond to the
additional provisions in QC 1000 or to otherwise adapt the QC system to
the auditing environment for issuers and SEC-registered broker-dealers
could be significant.

[[Page 49717]]

While the PCAOB lacks data to quantify the costs that could result
from QC 1000, some studies have estimated costs associated with ICFR
under Sarbanes-Oxley section 404.\493\ The Board acknowledges
differences between section 404 and QC 1000, but section 404 is similar
to QC 1000 in that section 404 was a policy shock that led large public
companies to improve their internal control practices. In addition,
while QC 1000 is not an internal control framework per se, it does
reflect similar principles as COSO, the industry standard control
framework that was widely relied upon to implement section 404. One
commenter observed that the requirements under QC 1000 are similar in
certain ways to the requirements related to ICFR under Sarbanes-Oxley
for companies and suggested that the impacts of QC 1000 on auditors
will be similar to the impact Sarbanes-Oxley had on companies
notwithstanding key differences between a company's ICFR and an audit
firm's QC system.
---------------------------------------------------------------------------

\493\ Based on a sample of companies that voluntarily disclosed
Section 404 cost information in their SEC filings during the period
Jan. 2003 to Sept. 2005, one study found that the mean total
compliance costs for Section 404 was $2.2 million ($3.7 million
adjusted for inflation), and the median was $1.2 million ($2.0
million adjusted for inflation). See Jagan Krishnan, Dasaratha Rama,
and Yinghong Zhang, Costs to Comply with SOX Section 404, 27
Auditing: A Journal of Practice & Theory 169 (2008). Using a sample
of Fortune 1000 companies, another study estimated the companies
spent an average of $5.9 million ($9.6 million adjusted for
inflation) to comply with Section 404 in the first year of
implementation. See Charles River Associates, Sarbanes-Oxley 404
Costs and Remediation of Deficiencies: Estimates from a Sample of
Fortune 1000 Companies (2005). Another study found that direct costs
of Section 404 fell by as much as 40% by the second year after
implementation and varied significantly by company size. See John C.
Coates IV, The Goals and Promise of the Sarbanes-Oxley Act, 21
Journal of Economic Perspectives 91 (2007). Another study reported
an SEC survey sample that showed an overall average Section 404
compliance expense of $1.2 million ($1.7 million adjusted for
inflation) in the latest fiscal year before the survey (Dec. 2008 to
Jan. 2009) and respondents reported a decline over time in such
costs. See Cindy R. Alexander, Scott W. Bauguess, Gennaro Bernile,
Yoon-Ho Alex Lee, and Jennifer Marietta-Westberg, Economic Effects
of SOX Section 404 Compliance: A Corporate Insider Perspective, 56
Journal of Accounting and Economics 273 (2013). To adjust results
from the studies for inflation, PCAOB staff used an inflationary
factor as of the third quarter 2023 from the current dollar index
number of the Employment Cost Index for private workers employed in
the professional, scientific, and technical services industry
published by the U.S. Bureau of Labor Statistics (available at
https://www.bls.gov/eci/data.htm). This inflationary adjustment does
not account for any potential differences between QC 1000 costs and
Section 404 costs or any potential structural changes over time.
---------------------------------------------------------------------------

a. Direct and Indirect Costs of the Proposed Requirements
The Board expects the requirements will lead to several direct and
indirect costs. There will be a direct cost to audit firms to design a
QC system that complies with QC 1000. For example, firms will likely
spend time reviewing QC 1000; assigning roles and responsibilities;
identifying staffing and training needs; and developing a set of
quality objectives, quality risks, and quality responses. Once a QC
system is designed, firms will incur costs to monitor, identify, and
assess changes to conditions, events, and activities that indicate
modifications to the firm's quality objectives, quality risks, or
quality responses may be needed. Some firms may outsource certain
aspects of QC system design. The Board also expects that customization
will be necessary to ensure that each QC system design appropriately
addresses each firm's circumstances. The extent of the design costs
will likely depend on facts and circumstances unique to each firm.
Among firms that will be subject to other QC standards, which the Board
believes represents most firms, the design costs will likely be reduced
and limited to incremental requirements around ethics, independence,
monitoring, and remediation.
For full applicability firms--those that will be required to
implement and operate an effective QC system--there will likely be
additional costs. Firms may need to implement fixed resources (e.g.,
people, financial, technological, or intellectual) prior to operating
their QC system. For example, a firm may need to invest in an IT system
or train individuals having QC roles or responsibilities. Several
commenters identified significant implementation costs and called for
an extended implementation period due to these costs. Describing the
results of its recent survey of assurance service QC leaders, one
commenter reported that obtaining ``buy in'' and acceptance from
organizational members is the most common challenge firms face when
implementing changes to their QC systems.\494\ As discussed, the Board
agrees there will be implementation costs; however, these
implementation costs will be reduced to the extent that firms already
implement the requirements to comply with the actions of other standard
setters or due to other developments. Furthermore, the Board expects
the design and implementation costs will be largely fixed in nature and
will decline over time.
---------------------------------------------------------------------------

\494\ See Hayne, et al., Managing Quality Control Systems.
---------------------------------------------------------------------------

Firms may also incur new operating costs, at the firm level and the
engagement level. At the firm level, firms may require additional
resources to administer new or revised quality responses after they are
implemented, execute the annual risk assessment, perform the annual
evaluation of the QC system, report the results of the evaluation to
the PCAOB using the same PCAOB platform as the other reporting forms,
and prepare and retain the required documentation. Several commenters
identified significant operating costs. For example, one commenter
argued that the proposed independent oversight function could entail
insurance costs. At the engagement level, engagement team time may be
required to execute new or revised quality responses. For example, an
engagement team may carry out procedures regarding continuance of the
firm's relationship with the client served by that engagement team.
These operating costs will be reduced for firms that would be subject
to other standard setters or other developments.
Several commenters asserted that the documentation costs, as
originally proposed, could be particularly onerous. For example,
several commenters asserted that firms would be required to retain
large volumes of documentation to support the operation of the firm's
quality responses for each instance related to all years for which
firms are required to maintain such documentation. One commenter noted
that information evidencing the operation of a firm's QC system can
vary in size, type, and storage requirements and that the costs of
modifying the firm's existing IT systems to comply with the
documentation requirement could be significant. Some commenters noted
that the amount of documentation to be retained is expected to require
considerably more storage space for each evaluation period, which the
commenters suggested translates to a need for new servers and extended
licensing agreements. One commenter said that firms that change their
systems will have to maintain licenses for old systems for up to seven
years. The same commenter said the seven-year retention period goes
well beyond the retention requirements of ISQM 1 and SQMS 1 and
asserted that firms with a significant private company client base
would be challenged to have different documentation retention policies
since many aspects of quality control relate to the firm as a whole.
Some commenters suggested that retaining sensitive information
introduces heightened

[[Page 49718]]

cybersecurity risks for firms, firm personnel, clients, and other
stakeholders. The Board acknowledges that the documentation requirement
could create costs for firms, including costs related to retention and
cybersecurity infrastructure. To clarify the expected cost burden, the
discussion above notes that documentation of every aspect of the
operation of the firm's QC system may not be required to evidence that
each quality response operated effectively.
Several commenters asserted that smaller firms may be especially
affected by the new QC requirements, including requirements incremental
or alternative to ISQM 1 and SQMS 1. One commenter said that smaller
firms will need to hire consultants or additional staff for the
monitoring, remediation, and evaluation functions, notwithstanding the
scalability of QC 1000. Another commenter asserted that QC 1000 will
impose disproportionate costs on smaller firms but noted that the
commenter did not analyze in detail the cost of each incremental
requirement and therefore did not have an estimate of the
disproportionate costs. Relatedly, research finds that implementation
and operating costs of internal control frameworks precipitated by
Sarbanes-Oxley are proportionally greater for smaller companies.\495\
---------------------------------------------------------------------------

\495\ See, e.g., John C. Coates and Suraj Srinivasan, SOX after
Ten Years: A Multidisciplinary Review, 28 Accounting Horizons 627
(2014).
---------------------------------------------------------------------------

The Board acknowledges that the direct costs will likely vary
depending on the size of the firm and the nature of its audit practice.
Larger PCAOB audit practices that already have extensive QC systems in
place may benefit from economies of scale or scope when incorporating
the new requirements into their existing systems, which would decrease
the cost of QC 1000 per engagement. Larger PCAOB audit practices will
be able to distribute fixed implementation costs over a larger number
of engagements, while smaller practices will distribute fixed
implementation costs over a smaller number of engagements. On the other
hand, it may also be difficult for firms with more complex clients and
diverse client portfolios--characteristics of larger PCAOB audit
practices--to implement effective QC systems. To the extent that
smaller firms may be disproportionately impacted as commenters have
suggested, the Board continues to believe that the principles-based
features and scalable nature of QC 1000, described in greater detail
above, as well as the 100-issuer threshold for some provisions, help to
mitigate their costs because smaller firms will rely on proportionally
fewer resources for design, implementation, and operation of their QC
systems.
In addition to the direct costs to auditors to comply with the
requirements, indirect costs may arise. To the extent that compliance
with the requirements will improve compliance with applicable
professional and legal requirements at the engagement level, costs may
increase for the affected engagements. For example, in bringing their
work into compliance with PCAOB auditing standards, some engagement
teams may gather additional or more persuasive audit evidence and
prepare more documentation than they previously did. However, firms
should be incurring these costs already.
Audited companies may also incur indirect costs related to the
requirements. For example, some commenters asserted that the 100-issuer
threshold could deter triennially inspected firms from accepting new
public company audit engagements or encourage firms to resign from
existing audit engagements to avoid crossing the 100-issuer threshold.
Although the Board recognizes this possibility, for context regarding
the number of firms currently around the 100-issuer threshold, PCAOB
staff analysis of audit reports included in SEC filings indicates that,
during the 2022 calendar year, two NAFs audited between 80 and 100
issuers and two NAFs audited between 100 and 120 issuers. Firms may
pass on part of any increased costs they incur at the firm or
engagement level by raising the fees they charge their clients. In
addition, to the extent that the requirements improve compliance with
applicable professional and legal requirements, some audited companies
could face additional costs to respond to their auditors' requests for
additional or more extensive audit evidence. Audited companies may
incur other costs due to changes in audit firm QC policies and
procedures. For example, if QC 1000 results in changes to firms' client
acceptance and continuance practices, firms may require greater fees or
refuse to accept or retain high-risk clients. While this outcome would
represent a cost to audited companies, the result could be a more
efficient audit market if riskier companies pay more. These indirect
costs will be reduced to the extent that firms will have already
implemented the requirements in response to similar actions of other
standard setters or due to other developments.
b. Costs of Key Provisions
i. Scaled Applicability
Scaled-applicability firms will incur the design costs discussed
above. Should a scaled-applicability firm ever become subject to the
implementation and operation requirements, the firm will then incur the
implementation and operation costs discussed above. As with other
registered firms, the costs to scaled-applicability firms will be less
to the extent they will already be complying with ISQM 1 or SQMS 1.
Firms and a related group suggested allowing firms that do not perform
engagements the flexibility to design their QC system in accordance
with another QC standard, such as ISQM 1 or SQMS 1, to help manage
costs. However, the Board expects the design costs for those firms to
be limited to incremental requirements around ethics, independence,
monitoring, and remediation. Furthermore, scaled-applicability firms
may choose to avoid the design costs by withdrawing from PCAOB
registration given that they are not required to be registered.
ii. In-Process Monitoring Activities
The Board believes the in-process monitoring requirement may
contribute to the direct and indirect costs discussed above such as:
(1) developing documentation, (2) providing training, (3) gathering
additional audit evidence, and (4) other potential indirect costs such
as the time required of issuers to provide their auditor with
additional or more extensive audit evidence. The costs will depend on
the extent to which firms already have in-process monitoring activities
in place. In addition, in-process monitoring may result in increased
audit fees. Information gathered through PCAOB inspection activities
indicates that 11 out of 14 annually inspected firms perform some in-
process engagement monitoring activities.
iii. Firm Governance Structure
The Board believes there could be costs to design, implement, and
operate the oversight function (i.e., EQCF). For example, firms that
are required to incorporate the oversight function into their
governance structure for the first time may incur costs when retaining
appropriate individuals from outside of the firm.\496\ Firms with an
existing

[[Page 49719]]

oversight function may incur costs to find different individuals to
fill the role. In addition, firms with an existing oversight function
may incur incremental costs to incorporate the baseline requirement to
evaluate, at a minimum, significant judgments made and the related
conclusions reached by the firm when evaluating and reporting on the
effectiveness of its QC system.
---------------------------------------------------------------------------

\496\ According to Spencer Stuart, the average compensation per
non-employee director was $327,764 in 2023. See 2023 U.S. Spencer
Stuart Board Index (2023), available at https://www.spencerstuart.com/-/media/2021/october/ssbi2021/us-spencer-stuart-board-index-2021.pdf (analyzing 489 DEF-14A proxy statements
filed by S&P 500 companies with the SEC between May 1, 2022, and
Apr. 30, 2023). PCAOB staff notes that variation between the
responsibilities of an oversight function and a non-employee
director function may limit the relevance of this cost reference to
some extent.
---------------------------------------------------------------------------

Several commenters expressed concern that the oversight function
would be costly or difficult to fulfill, especially for firms that
audit between 100 and 500 issuers. One commenter suggested the
oversight function could add costs that ultimately have to be passed on
through higher audit fees, which investors in smaller issuers are
unlikely to support, particularly when the costs are spread over a
small amount of invested public capital in a firm's issuer audits
clients. Conversely, one commenter said that the costs of the oversight
function could be reduced by engaging an independent accounting firm to
provide weekly advisory services.
To help address these cost concerns, the requirement will allow
firms to implement an oversight function into their QC system suitable
for their circumstances. Costs, as well as the associated benefits,
could be attenuated for U.S. GNFs by the fact that all of the U.S. GNFs
indicate, as of the 2020 inspection cycle, that they already have a
governance structure that includes a non-employee.
iv. The Automated Independence Process
The Board believes there could be costs to design, implement, and
operate the required automated process to identify investments in
securities that might impair independence. The costs will depend on the
extent to which firms already have such an automated process in place.
Information gathered through PCAOB inspection activities indicates that
nine out of 14 annually inspected firms already have one in place. The
remaining five have processes in place that are not fully automated.
Firms will be able to automate the process in a way that is suitable to
their unique facts and circumstances. Most firms will likely need to:
(1) convert their restricted entity list into a searchable electronic
form; (2) maintain the electronic restricted entity list; and (3)
develop queries that can compare a manager's or partner's relevant
investments in securities to the electronic restricted entity list.
Some firms may choose to integrate the automated process with existing
systems related to client acceptance or time and expense. Firms with
simple restricted entity lists (e.g., fewer clients, fewer
subsidiaries) or simpler QC policies and procedures for restricted
entities (e.g., any investment in any security of a restricted entity
is restricted) may require less investment in software and expertise
than other firms.
Several commenters said that the proposed automated process will
entail significant costs. One commenter emphasized that there will be
upfront and ongoing investments in technology and other overhead to
operate such a process. Another commenter noted that implementing and
maintaining an automated independence monitoring system is costly for
smaller firms, which audit predominantly privately held companies and
have not previously been subject to the automated independence system
requirement under SEC rules. One commenter said it was unaware of any
truly off-the-shelf system responsive to the proposed requirement. One
commenter emphasized that for firms that audit between 100 and 500
issuers, the main potential downside of an automated process is the
associated time and incremental cost to develop an efficient and
effective system. The commenter noted that, in addition to software
costs, there will be costs to oversee the system to ensure the data
entered are correct and firm personnel are trained to use the system.
Another commenter noted that the six largest firms represent 60% of
issuers and approximately 98.7% of the capital markets and asserted
that the automated independence process will nearly triple the number
of firms required to implement automated investment tracking systems
but pick up less than 15% of issuers, which represent less than 1% of
the capital markets. The same commenter also asserted that the
differences in size, scope, nature, and complexity between the six
largest annually inspected firms and other annually inspected firms can
be immense and that more than 80% of the commenter's issuer client
count consists of either Form 11-K audits or audits of smaller
companies, which have less impact on capital markets. While the
commenter provided these figures in response to costs of the automated
independence process, the same figures could apply to the costs and
benefits of each of the key policy provisions that invoke the 100-
issuer threshold.
To help address these views, the final standard clarifies that the
required automated process: (1) will apply only to the identification
of relevant investments in securities and (2) will permit firms to rely
on firm professionals accurately self-reporting and entering their
investments into the system (e.g., direct brokerage feeds will not be
expressly mandated). In addition, the Board believes that existing
software products likely could be adapted to respond to the
requirements. Furthermore, off-the-shelf systems more tailored to the
requirements may enter the market in the future. Notwithstanding the
commenters' views, the Board retained the automated independence
process requirement, and acknowledges there will be costs to design,
implement, and operate it.
v. Complaints and Allegations Policies and Procedures
The Board expects the policies and procedures regarding complaints
and allegations will entail direct costs to firms to design, implement,
and maintain. Most notably, firms will incur additional variable costs
to receive, investigate, and address complaints and allegations. Firms
that issued audit reports with respect to more than 100 issuers during
the prior calendar year will incur costs to implement confidentiality
protections. The costs will depend on the extent to which firms already
have policies and procedures regarding complaints and allegations in
place. Information gathered through PCAOB inspection activities
indicates that 10 out of 14 annually inspected firms already have
hotlines in place that may satisfy certain of the complaints and
allegations requirements.\497\
---------------------------------------------------------------------------

\497\ According to one hotline vendor that posted their service
prices online, the annual fee for a hotline that covers up to 75
employees starts at $1,200 and the annual fee for a hotline that
covers more than 5,000 employees starts at $7,000 (see https://www.allvoices.co/basic-purchase). The Board notes that the
complaints and allegations provisions include more than having a
hotline.
---------------------------------------------------------------------------

vi. Reporting the Annual QC System Evaluation
The Board expects the requirement to report the annual QC system
evaluation to the PCAOB will entail an additional annual cost to firms
to prepare Form QC. However, since firms will already be required to
perform and document the evaluation, any additional costs associated
with preparing Form QC should be minimal. The requirement may also
result in some increased

[[Page 49720]]

litigation risk to the extent that information reported to the PCAOB is
not subject to privilege under section 105(b)(5) of Sarbanes-Oxley, and
to the extent that reporting of this information to a third party may
vitiate other privileges that otherwise could have been used to protect
the information from compelled disclosure in third-party actions. Non-
protected material may become subject to compulsory production, which
could impose indirect costs on firms to the extent that legal or other
consequences may flow from that production.
vii. Certification of the Annual QC System Evaluation
The certification requirement itself may not impose much direct
cost on firms because the evaluation activities precede certification.
However, to the extent that firms choose to implement a more robust
internal compliance infrastructure (e.g., by requiring sub-
certifications from personnel with direct responsibility for certain
functions), those costs could also be attributable to the certification
requirement. Moreover, firms may be exposed to litigation costs because
the certifications in Form QC are not subject to privilege under
section 105(b)(5) of Sarbanes-Oxley, meaning that third parties may be
able to compel production of the certifications, and the certifications
may have an impact in third-party litigation. For example, the threat
of liability for negligent conduct could lead to costs if individuals
demand additional remuneration or take additional steps to act
reasonably and demonstrate that they have acted reasonably (e.g.,
assuring themselves that the QC system is appropriately designed) or to
defend against enforcement allegations. The Board believes, however,
that the internal compliance exercise, and even potentially the threat
of third-party litigation, can reinforce the importance of the firm's
QC system within the firm, which in turn can help produce the benefits
the Board expects this provision will generate.
viii. Responding to Engagement Deficiencies Identified After Issuance
of the Audit Report
The amendments to AS 2901, Consideration of Omitted Procedures
After the Report Date, and related amendments to AT No. 1 and AT No. 2
will contribute to the engagement-level costs discussed above to the
extent auditors will perform additional procedures to obtain sufficient
appropriate evidence or take additional action to prevent future
reliance on insufficiently supported audit opinions (or review reports
in the case of review engagements) that are being relied on. The Board
expects the requirement to extend the scope of AS 2901 to include the
ICFR audit within its scope will be particularly impactful because the
audit of internal control over financial reporting is both resource-
intensive \498\ and a common and recurring area of deficiency.\499\
---------------------------------------------------------------------------

\498\ See, e.g., U.S. Securities and Exchange Commission Office
of Economic Analysis, Study of the Sarbanes-Oxley Act of 2002
Section 404 Internal Control over Financial Reporting Requirements
(Sept. 2009), at Table 8 (reporting that roughly one-third of total
audit fees may be attributable to the ICFR audit).
\499\ See, e.g., 2020 Inspection Observations Preview.
---------------------------------------------------------------------------

vii. SECPS Requirements
The requirements will refine, integrate into QC 1000, and extend to
all firms the SECPS member requirements currently required under PCAOB
Rule 3400T. The Board expects this will increase development,
implementation, and operating costs for firms not already subject to
these requirements. However, the Board believes the costs should be
minimal because, based on its oversight activities, the Board believes
these firms already have in place policies and procedures related to
compliance with SEC and PCAOB independence rules.
3. Unintended Consequences
The requirements could give rise to unintended consequences.
Overall, however, the Board expects any potential unintended
consequences will be mitigated by other factors.
a. Human Capital
Some firms may require additional staff resources to implement the
requirements. To meet this demand, firms may transfer personnel from
engagement-level roles to QC roles. This could create a risk that
engagements are insufficiently staffed. Alternatively, some firms may
assign more junior staff to QC roles or to new openings on engagements.
This could create a risk that QC system or engagement personnel lack
sufficient training or experience. One commenter reported the
commenter's own analysis to demonstrate that audits are largely
conducted by non-CPAs with limited experience in the field of auditing.
QC 1000 includes quality objectives that mitigate these risks. For
example, firms will be required to establish quality objectives that
individuals who are assigned to engagements or perform QC system
activities have the competence, objectivity, authority (in the case of
activities within the QC system), and time to perform their
responsibilities in accordance with applicable professional and legal
requirements and the firm's policies and procedures.\500\
---------------------------------------------------------------------------

\500\ See QC 1000.44c. and e.
---------------------------------------------------------------------------

Some commenters argued that the costs of QC 1000 would be
especially significant due to labor shortages. One commenter asserted
that an aggressive enforcement atmosphere may create disincentives for
individuals to join the profession, harming the talent pipeline that is
necessary for the production of high-quality audits. Another commenter
raised concerns that recruiting and retaining partners and employees
for a firm's QC system will be a tremendous challenge for firms willing
and able to absorb additional costs to properly implement the
requirements of QC 1000 given the tight labor market. One commenter
reported that some market research indicates significant declines in
the number of new CPA candidates and annual accounting degree
completions.\501\ The commenter also reported commentary from a survey
that reveals the largest accounting firms regularly score low along
dimensions that are most indicative of their desirability as places to
work.\502\ Another commenter cited news articles \503\ and academic
research \504\ that suggest attracting and retaining talent is a
serious concern for accounting firms and university accounting
programs. However, based on its preliminary survey research, another
commenter reported that some QC leaders do not feel resource
constrained.\505\
---------------------------------------------------------------------------

\501\ See AICPA Trends Report.
\502\ See Mark Kolakowski, Best Accounting Firms (Vault Top 50
Accounting Firms) (Jan. 14, 2020).
\503\ See, e.g., Lindsay Ellis, Why so Many Accountants are
Quitting, Wall St. J. (Dec. 28, 2022); Stephen Foley, Accountants
Work to Shed ``Boring'' Tag Amid Hiring Crisis, Financial Times
(Oct. 3, 2022).
\504\ See, e.g., Hermanson, et al., The Work Environment in
Large Audit Firms A38; Dana R. Hermanson, Heather M. Hermanson,
Susan D. Hermanson, Where is Public Company Auditing Headed?, 90 CPA
Journal 54 (2020); Westermann, et al., PCAOB Inspections 694.
\505\ See Hayne, et al., Managing Quality Control.
---------------------------------------------------------------------------

The Board acknowledges the commenters' concerns about the potential
impact on staff resources. However, the potential impact on staff
resources is likely the result of the interplay among numerous factors
in the labor market, such as the rigor of qualifying for and completing
the requirements for CPA licensure and the relatively low starting
salaries being cited by college students as one of the main hurdles to
choosing accounting as a major. To meet increased demand for staff
resources, some firms may choose to hire additional experienced staff.
It is

[[Page 49721]]

possible that the labor demand shock could result in increased wages
and potentially higher audit fees, which could be exacerbated by the
concentration of large firms in the audit market. Higher wages could in
turn help firms attract and retain a skilled workforce or encourage
qualified individuals to take essential roles at firms.\506\ The
principles-based features and scalable nature of QC 1000 described
above, as well as the 100-issuer threshold for some provisions, help
mitigate this risk because fewer resources will be required for firms
based on those features.
---------------------------------------------------------------------------

\506\ There are some indications that retention and recruitment
of staff is currently a challenge for audit firms. See, e.g.,
Persellin, et al., Auditor Perceptions 95; AICPA Private Companies
Practice Section, 2021 PCPS CPA Top Issues Survey; AICPA, 2021
Trends: A Report on Accounting Education, the CPA Exam and Public
Accounting Firms' Hiring of Recent Graduates (``AICPA Trends
Report'') (Apr. 2022).
---------------------------------------------------------------------------

b. Competition
The requirements could also cause firms to exit the public company
audit market or deter other firms from future entry. Entry deterrence
could be exacerbated by the fact that being registered with the PCAOB
will subject firms to certain QC requirements even if they do not
perform engagements. Several commenters agreed that the proposed
requirements, if adopted, could impact competition. One commenter
expressed concern that the incremental requirements of QC 1000 relative
to other QC standards could lead smaller high-quality firms to exit the
market. One commenter asserted that the certification requirement would
be an especially significant driver of exit, particularly for smaller
firms. Some commenters suggested that the design requirement for
scaled-applicability firms could lead some scaled-applicability firms
to deregister with the PCAOB or create a barrier to entry. One
commenter added that the design requirement for scaled-applicability
firms could impact audit markets beyond the U.S. by creating a
disincentive for foreign firms to serve specific audit markets. Another
commenter suggested that further enhancing the scalability of QC 1000
may be helpful for smaller firms to stay competitive. One commenter
noted that QC 1000 requirements may serve as an impediment to audit
firm mergers and acquisitions and otherwise perturb market activity.
Correspondingly, less consolidation could mitigate concentration or
help preserve a competitive dynamic amongst firms. Nevertheless, the
presence of fewer firms could reduce competition in the public company
audit market even in light of additional scalability or fewer mergers
and acquisitions. Some commenters said that some firms may resign
existing issuer clients or decline new ones to avoid incremental QC
1000 requirements for firms that issue more than 100 audit reports.
This could lead to a further reduction in competition for engagements
that these firms would otherwise compete. This reduction in competition
would likely only apply to actual or potential issuer clients of firms
that are close to the 100-issuer threshold. As noted above, PCAOB staff
analysis of audit reports included in SEC filings indicates that,
during the 2022 calendar year, the number of firms currently around the
100-issuer threshold includes two NAFs that audited between 80 and 100
issuers and two NAFs that audited between 100 and 120 issuers.
Confirming the widely held view that audit firms compete on price,
some research suggests that reduced competition is indeed associated
with higher audit fees.\507\ However, any exit would likely be limited
primarily to firms with small market shares and to the smaller issuer
or broker-dealer audit markets, which research suggests tend to be
competitive.\508\ For example, firms that would manage their client
portfolio to avoid incremental QC 1000 requirements would likely prefer
to resign (or decline to accept) smaller issuer clients than larger
issuer clients. Moreover, some research suggests that reduced
competition may have a positive impact on audit quality because it
curtails issuers' opportunity to opinion shop.\509\ Compounding this
effect, the requirements may further deter opinion shopping as a basis
for competition to the extent they would improve auditors' compliance
with professional standards. One commenter argued that opinion shopping
is not prevalent and any reduction in opinion shopping would be
minimal.
---------------------------------------------------------------------------

\507\ See, e.g., Joshua L. Gunn, Brett S. Kawada, and Paul N.
Michas, Audit Market Concentration, Audit Fees, and Audit Quality: A
Cross-Country Analysis of Complex Audit Clients, 38 Journal of
Accounting and Public Policy 1 (2019).
\508\ While research generally has focused on competition for
the largest public company audits and the corresponding
concentration amongst the largest audit firms, less is known about
market forces within the smaller audit firm market. However, some
research has studied competitive aspects of the smaller firm market.
See, e.g., Tracy Ti Gu, Dan A. Simunic, Michael T. Stein, Minlei Ye,
and Ping Zhang, The Market for Audit Services: The Role of Market
Power, 19 Journal of International Accounting Research 3 (2020)
(concluding that small public companies can potentially purchase
audit services from any audit firm and that the number of suppliers
to small public companies is relatively higher than the number of
suppliers to large public companies); Kenneth L. Bills and Nathaniel
M. Stephens, Spatial Competition at the Intersection of the Large
and Small Audit Firm Markets, 35 Auditing: A Journal of Practice and
Theory 23 (2016) (concluding that smaller and larger firms compete
locally in some cases); Andrew Kitto, Phillip T. Lamoreaux, and
Devin Williams, Do Entry Barriers Allow Low Quality Audit Firms to
Enter the Public Company Audit Market?, available on SSRN: https://ssrn.com/abstract=3572688(2023) (concluding that current barriers to
entry likely deter some audit firms from entering the audit market
but that current barriers fail to prevent entry by firms that are
significantly lower quality compared to incumbent firms); Brant
Christensen, Kecia Williams Smith, Dechun Wang, and Devin Williams,
The Audit Quality Effects of Small Audit Firm Mergers in the United
States, 42 Auditing: A Journal of Practice & Theory 75 (2023)
(concluding that audit quality decreases post-merger based on data
regarding mergers of very small audit firms).
\509\ See, e.g., Nathan J. Newton, Julie S. Persellin, Dechun
Wang, and Michael S. Wilkins, Internal Control Opinion Shopping and
Audit Market Competition, 91 The Accounting Review 603 (2016);
Nathan J. Newton, Dechun Wang, and Michael S. Wilkins, Does a Lack
of Choice Lead to Lower Quality? Evidence From Auditor Competition
and Client Restatements, 32 Auditing: A Journal of Practice & Theory
31 (2013).
---------------------------------------------------------------------------

c. Network Resources
Some commenters expressed concern that the requirements could
diminish the availability of global network resources and that smaller
firms around the world could decline to assist U.S. firms in their
global audits. One commenter added that this could be detrimental to
overall engagement quality. Several factors could mitigate this
potential unintended consequence. First, staff analysis of 2021 Form AP
filings finds that 74% of all audits (32% of Fortune 500 audits) do not
use other auditors.\510\ Second, this potential unintended consequence
would likely be limited primarily to firms that lack the network
resources to implement QC 1000. One academic study finds that 94% of
component auditors identified on Form AP are affiliated with the
principal auditor (99% when the principal auditor is a GNF).\511\
Third, other auditors that do not play a substantial role on any PCAOB
engagement would be able to deregister with the PCAOB and continue to
perform their existing roles on the engagements. Fourth, the
competitiveness of the smaller issuer audit market suggests that
principal auditors would be able to retain a different component
auditor of comparable quality. Finally, to the extent the requirements
would lead a firm to retain a lower-quality

[[Page 49722]]

component auditor, existing PCAOB standards related to audits involving
other auditors could help mitigate the risk that the new component
auditor performs a low-quality component audit.\512\ It is possible
that, despite the requirements, firms may not improve compliance with
applicable professional and legal requirements when performing their
engagements. For example, personnel assigned to QC roles may adopt a
perfunctory, ``check the box'' attitude toward compliance. The firm's
risk assessment process and monitoring and remediation process
requirements, which require personnel assigned to QC roles to think
proactively about the reasonable assurance objective, could help to
mitigate this risk. As another example, engagement partners may
overestimate the ability of their firm's QC system to support
achievement of the reasonable assurance objective and relax their
efforts to self-monitor or monitor others. While QC 1000 centralizes
responsibility for QC to a degree, other requirements could mitigate
this risk. For example, individual responsibility features prominently
in QC 1000 and PCAOB auditing standards emphasize the responsibility of
the engagement partner for the engagement and its performance.\513\
---------------------------------------------------------------------------

\510\ See PCAOB Rel. No. 2022-002, at Figure 2.
\511\ See William M. Docimo, Joshua L. Gunn, Chan Li, and Paul
N. Nichas, Do Foreign Component Auditors Harm Financial Reporting
Quality? A Subsidiary-Level Analysis of Foreign Component Auditor
Use, 38 Contemporary Accounting Research 3113 (2021).
\512\ See, e.g., PCAOB Rel. No. 2022-002.
\513\ See, e.g., QC 1000.42a.(1); AS 1201.03. The Board has also
proposed to clarify the engagement partner's existing
responsibilities for supervision and review in AS 1201, AS 1215, and
AS 2101 to provide more specificity about the engagement partner's
responsibility to exercise due professional care related to
supervisory and review activities required to be performed under
existing auditor requirements. See PCAOB Rel. No. 2023-001 at 15.
---------------------------------------------------------------------------

d. Accountability
Some commenters expressed concern that the accountability
provisions of QC 1000 could have potentially harmful unintended
consequences. For example, one commenter asserted that good faith
actions with regard to supervisory responsibilities could become
subject to PCAOB enforcement. Some commenters suggested that the roles
and responsibilities requirements could reduce audit quality or
increase costs by creating a disincentive for the most qualified
individuals to take on the specified roles. One commenter noted that
individual certification poses a potential threat of additional
liability and could affect the recruitment of talented individuals
needed to fill critical roles within firms. Another commenter noted
that for firms with an issuer practice that makes up a small portion of
the overall practice, it can be difficult to find partners to fill lead
and engagement quality reviewer roles on engagements when those roles
are subject to a higher risk of individual enforcement actions.
The Board acknowledges that, in addition to positive consequences,
accountability can have negative consequences, such as disincentives
from taking on QC roles with greater accountability. One commenter
suggested that the incorporation of rewards into the firms'
accountability model could mitigate this potential unintended
consequence. QC 1000 contemplates that the firm's compensation plans
and performance evaluations will appropriately incentivize firm
personnel to fulfill their assigned responsibilities \514\ and that
firm leadership will be held accountable for quality, including through
their performance evaluations and compensation.\515\ Depending on the
firm's specific quality risks, including the risk that qualified
individuals may be unwilling to take on QC roles, firms can incorporate
both positive incentives (``carrots'') and negative incentives
(``sticks'') in the design of their incentive plans.
---------------------------------------------------------------------------

\514\ See QC 1000.44g.
\515\ See QC 1000.25b.
---------------------------------------------------------------------------

e. Scalability
One commenter expressed concern based on academic research that
limiting the applicability of certain requirements to firms of a
certain size could give rise to audit quality differences between
larger and smaller firms. In general, the incremental requirements for
larger PCAOB audit practices are less suitable to smaller PCAOB audit
practices' QC systems. For example, a smaller firm may not need an
automated system to track investments if it has a stable number of
issuer clients and a small group of persons subject to independence
requirements. But if a smaller firm does not achieve its quality
objectives or the reasonable assurance objective, it will have to take
remedial action, which could include implementing some or all of the
incremental QC system features that are expressly required for larger
PCAOB audit practices.
f. Design Requirements Under Scaled Applicability
Some commenters expressed concern that scaled-applicability firms
could design QC systems inappropriate for the future circumstances that
would arise should the firm eventually become a full-applicability
firm. One commenter cited research that suggests audit firm personnel
designing a QC system to address hypothetical future circumstances will
need to overcome numerous cognitive biases.\516\ The Board believes
this potential unintended consequence is mitigated by QC 1000's
proactive approach. For example, the firm will be required to establish
policies and procedures to monitor, identify, and assess changes to
conditions, events, and activities that indicate modifications to the
firm's quality objectives, quality risks, or quality responses may be
needed. When such changes are identified, the firm will be required to
determine what, if any, modifications are needed to make them on a
timely basis. In effect, a scaled-applicability firm's QC system design
should be appropriate for its circumstances in the event it becomes a
full-applicability firm.
---------------------------------------------------------------------------

\516\ See, e.g., Paul J.H. Schoemaker, Forecasting and Scenario
Planning: The Challenges of Uncertainty and Complexity, in Blackwell
Handbook of Judgment & Decision Making, eds. D.J. Koehler and N.
Harvey, 274 (2004); Edward J. Joyce and Gary C. Biddle, Anchoring
and Adjustment in Probabilistic Inference in Auditing, 19 Journal of
Accounting Research 120 (1981); Noel Harding and Ken T. Trotman,
Improving Assessments of Another Auditor's Competence, 28 Auditing:
A Journal of Practice & Theory 53 (2009); Byron J. Pike, Mary B.
Curtis, and Lawrence Chui, How Does an Initial Expectation Bias
Influence Auditors' Application and Performance of Analytical
Procedures?, 88 The Accounting Review 1413 (2013); Amos Tversky and
Daniel Kahneman, Judgment under Uncertainty: Heuristics and Biases,
185 Science 1124 (1974); Steven M. Glover, James Jiambalvo, and Jane
Kennedy, Analytical Procedures and Audit-Planning Decisions, 19
Auditing: A Journal of Practice & Theory 27 (2000); Vicky B. Hoffman
and Mark F. Zimbelman, Do Strategic Reasoning and Brainstorming Help
Auditors Change their Standard Audit Procedures in Response to Fraud
Risk?, 84 The Accounting Review 811 (2009); Tim D. Bauer, Sean M.
Hillison, Mark E. Peecher, and Bradley Pomeroy, Revising Audit Plans
to Address Fraud Risk: A Case of ``Do as I Advise, Not as I Do''?,
37 Contemporary Accounting Research 2558 (2020).
---------------------------------------------------------------------------

g. Other Potential Unintended Consequences
Because firms' QC systems will likely operate over all of their
engagements, including those that are not subject to PCAOB standards,
the engagement-level costs discussed above could apply to those
engagements as well. Moreover, one commenter asserted that firms with a
significant private company client base will be challenged by different
documentation retention policies based on client base since many
aspects of QC relate to the firm as a whole. Correspondingly, the
requirements could improve compliance on those engagements because they
would be governed by more effective QC policies and procedures. Indeed,
one commenter said that requiring all firms to design a QC system that
complies with QC 1000

[[Page 49723]]

could have a beneficial impact on private company audits.
Research on other quality management and enterprise risk management
systems suggests other potential unintended consequences. For example,
research on ISO 9000 adoption indicates that it may reduce staff
morale, stifle innovation, and require excessive levels of
documentation.\517\ The principles-based features and scalable nature
of QC 1000 described above, as well as the 100-issuer threshold for
some provisions, help mitigate these concerns by providing firms the
ability to design, implement, and operate policies and procedures to
support achievement of the reasonable assurance objective based on
their facts and circumstances.
---------------------------------------------------------------------------

\517\ See, e.g., John Seddon, Ten Arguments Against ISO 9000, 7
Managing Service Quality: An International Journal 162 (1997);
Bozena Poksinska, J[ouml]rgen AE Eklund, and Jens J[ouml]rn
Dahlgaard, ISO 9001:2000 in Small Organisations Lost Opportunities,
Benefits and Influencing Factors, 23 International Journal of
Quality & Reliability Management 490 (2006).
---------------------------------------------------------------------------

Alternatives Considered

During the development of the requirements, the Board considered a
number of alternative approaches to address the need described above.
This section explains: (1) why standard setting is preferable to other
policy-making approaches, such as providing interpretive guidance or
enhancing inspection or enforcement efforts; (2) why the chosen
standard-setting approach is preferable to other standard-setting
approaches; and (3) key policy choices made in determining the details
of the standard-setting approach.
1. Why Standard Setting Is Preferable to Another Approach
As potential alternatives to standard setting, the Board considered
whether interpretive guidance or greater focus on inspections or
enforcement could better address the need described above.
Interpretive guidance assists firms in the implementation of
existing PCAOB standards and rules and can advance audit quality by
establishing a common understanding of a firm's obligations under PCAOB
standards and rules. For example, interpretive guidance may address,
among other things, specific, common audit deficiencies identified
during PCAOB inspections and the applicable requirements under PCAOB
standards and rules. By contrast, as discussed above, some firms' QC
systems appear to not be providing reasonable assurance of compliance
generally. Moreover, current PCAOB QC standards were developed decades
ago in a very different audit environment and have not been updated to
reflect the risk-based, proactive approach to QC that the Board
believes would be most effective. Therefore, the Board believes
revisions to the current PCAOB QC standards are needed to require firms
to make the necessary enhancements to their QC systems to help drive
compliance with professional standards.
While the PCAOB will continue to address firms' compliance with
PCAOB standards and rules through inspection and enforcement
activities, QC standard setting provides certain unique benefits.
Firms' QC systems operate over all aspects of all issuer audits and
broker-dealer engagements, whereas PCAOB inspections assess compliance
with only certain aspects of the issuer audits and broker-dealer
engagements selected for review. In addition, inspection and
enforcement efforts take place after the engagement has occurred and
after investors and other financial statement users have potentially
suffered harm. Therefore, greater focus on inspecting and enforcing
compliance with PCAOB standards and rules may not be as effective as
updating the QC standards and amending other related standards.
2. Why the Chosen Standard-Setting Approach Is Preferable to Other
Standard-Setting Approaches
QC 1000 shares the same basic structure as ISQM 1 and SQMS 1. The
Board also considered basing QC 1000 on a different quality management
framework, such as COSO or ISO 9001, or developing its own risk-based
approach. The essential features of these other quality management
frameworks are broadly similar to ISQM 1 and SQMS 1. For example, they
typically are risk-based and focus on monitoring and remediating
deficiencies. However, ISQM 1 and SQMS 1 have the further advantage of
being specifically tailored to audit firms. Furthermore, an original
risk-based approach would likely include the same essential features as
ISQM 1 and SQMS 1. Overall, the Board believes that the benefits of
basing QC 1000 on a different quality management framework or an
original PCAOB risk-based approach (e.g., improved compliance with
applicable professional and legal requirements) would be similar to the
benefits of using a structure similar to ISQM 1 and SQMS 1.
Basing QC 1000 on a different quality management framework or an
original PCAOB risk-based approach would likely be more costly. As
highlighted above, the Board expects that many firms are familiar with
ISQM 1 or SQMS 1 and have made, or will make, investments in their QC
systems to comply with those requirements. Firms may be less familiar
with other quality management frameworks than they are with ISQM 1 and
SQMS 1. Basing QC 1000 on a different quality management framework or
an original PCAOB risk-based approach therefore would likely require
additional effort by firms to understand and apply the standard. Some
firms may be required to employ or engage persons with the necessary
expertise in the particular quality framework to facilitate appropriate
implementation. While the largest firms may employ consultants with
this expertise, smaller firms may not, and acquiring or engaging the
necessary consultants could be costly. In addition, basing QC 1000 on a
different quality management framework or an original PCAOB risk-based
approach may introduce an element of regulatory complexity, which could
both increase cost and detract from audit quality for firms that would
be required to comply with ISQM 1 or SQMS 1.\518\
---------------------------------------------------------------------------

\518\ One commenter suggested that the Board look at any lessons
learned or studies published by the IAASB or the AICPA related to
their quality management standards to help inform any refinements
that might be needed or additional implementation guidance that
might be useful for adoption of QC 1000. As discussed above, the
Board took into consideration actions by other standard setters and
requirements of their quality management standards in the
development of QC 1000. PCAOB staff searched for studies but did not
find any available. The recent effective date of ISQM 1 on Dec. 15,
2022, and the forthcoming effective date of SQMS 1 on Dec. 15, 2025,
may explain a dearth of lessons learned or post-implementation
studies published by IAASB or the AICPA to date.
---------------------------------------------------------------------------

3. Key Policy Choices
This section discusses several potential provisions that the Board
decided against including in QC 1000. These provisions relate to: (1)
applicability; (2) the threshold for incremental requirements; (3) firm
governance structure; (4) self-assessment monitoring; (5) in-process
monitoring activities; (6) the evaluation and reporting dates; (7)
reporting the annual QC system evaluation; (8) certification of the
annual evaluation; (9) public reporting; and (10) audit committee
communications.
a. Applicability
The discussion above explains the distinction between scaled
applicability and full applicability. The Board considered requiring
all firms to design, implement, and operate a QC system that meets the
requirements only upon being required to comply with applicable
professional and legal requirements with respect to a firm

[[Page 49724]]

engagement. This approach would reduce the costs of the requirements to
firms not performing engagements by allowing them to defer the costs of
designing their QC system. However, scaled-applicability firms may
reduce their costs under the approach by withdrawing from PCAOB
registration. Furthermore, any reduced costs would not address the risk
that firms could be unprepared to accept and perform engagements in
compliance with applicable professional and legal requirements.
The discussion above also addresses commenters' views on
alternative approaches to this key policy choice. For example, several
commenters suggested allowing scaled applicability firms to design a QC
system that complies with ISQM 1. One commenter suggested limiting the
design requirements to acceptance and continuance policies. One
commenter suggested limiting the design requirement to firms that
satisfy an issuer client market capitalization criterion. While these
alternative approaches could reduce some of the costs to scaled-
applicability firms associated with designing their QC systems, they
could also reduce the benefit of firms having a PCAOB-compliant QC
system ready for implementation and operation. Furthermore, as
discussed above, firms could avoid the costs of designing a QC system
that complies with QC 1000 by deregistering.
b. Threshold for Incremental Requirements
The incremental requirements that will apply only to firms that
issued audit reports for more than 100 issuers in the prior calendar
year (e.g., requirements related to firm governance structure) are
discussed above. Several commenters suggested alternative thresholds.
For example, some commenters suggested the threshold should consider
the market capitalizations of issuer clients. One commenter suggested
that the threshold should consider the types of financial statements
being audited.\519\ These alternative approaches could help ensure QC
1000 is appropriately scalable to the facts and circumstances of all
firms. However, the Board believes there could be practical challenges
with implementing a more complex threshold. For example, market
capitalization can be volatile and would require PCAOB and firm
resources to track. Some firms may cross an issuer market
capitalization threshold multiple times within a short period of time.
Issuer count, by contrast, aligns with Rule 4003, Frequency of
Inspections, is easier to track, and may not be as volatile as market
capitalization. Finally, while market capitalization may be a useful
proxy for investor exposure to the issuers audited by the firm, it
would be a less useful proxy for the complexity of a firm's QC system.
---------------------------------------------------------------------------

\519\ The commenter noted that a large percentage of their
issuer audit counts consist of Form 11-K audits, which have limited
impact on the capital markets.
---------------------------------------------------------------------------

c. Firm Governance Structure
Specified quality responses related to governance and leadership
are discussed above. The Board considered extending to all firms the
requirement to incorporate into their governance structure an external
oversight function for the QC system composed of one or more persons
who are not principals or employees of the firm and do not otherwise
have a commercial, familial, or other relationship with the firm that
would interfere with the exercise of independent judgment regarding
matters related to the QC system. However, in light of the direct cost
of such an oversight function, which could disproportionately impact
smaller PCAOB audit practices, and reflecting the Board's view that the
public interest in such independent oversight is strongest in relation
to the largest firms, the requirement applies only to firms that issued
audit reports with respect to more than 100 issuers during the prior
calendar year.
Some commenters suggested that more than one independent member of
the oversight function should be required. In support of this view, one
commenter noted that the independent member(s) would be in the minority
and cited academic research regarding audit committees that suggests
oversight functions are more effective with a greater proportion of
independent members.\520\ Another commenter referred to a report that
cites survey research that suggests female directors improve corporate
governance and that the positive influence is most significant when
there are three or more female directors.\521\ The same commenter
suggested that the oversight function should have public reporting
responsibilities. Some commenters suggested that the independent
oversight member should have more control. The Board acknowledges the
commenters' views on the potential additional benefits of additional
independent oversight requirements. However, the Board is also
sensitive to the costs of any additional requirements, which several
commenters suggested may be costly or difficult to fulfill.\522\
---------------------------------------------------------------------------

\520\ See, e.g., F. Todd DeZoort, Dana R. Hermanson, Deborah S.
Archambeault, and Scott A. Reed, Audit Committee Effectiveness: A
Synthesis of the Empirical Audit Committee Literature, 21 Journal of
Accounting Literature 38 (2002); Jean B[eacute]dard and Yves
Gendron, Strengthening the Financial Reporting System: Can Audit
Committees Deliver?, 14 International Journal of Auditing 174
(2010); Joseph V. Carcello, Dana R. Hermanson, and Zhongxia (Shelly)
Ye, Corporate Governance Research in Accounting and Auditing:
Insights, Practice Implications, and Future Research Directions, 30
Auditing: A Journal of Practice & Theory 1 (2011).
\521\ See The Conference Board, Maximizing the Benefits of Board
Diversity: Lessons Learned from Activist Investing at 13 (June
2020); Alison M. Konrad, Vicki W. Kramer, and Sumru Erkut, Critical
Mass: The Impact of Three or More Women on Corporate Boards, 37
Organizational Dynamics 145 (2008).
\522\ See previous discussion on economic impacts above.
---------------------------------------------------------------------------

d. Self-Assessment Monitoring
The Board considered permitting individuals to perform monitoring
procedures over the same areas for which they are responsible. It
decided against this approach because the Board feels it would be
inconsistent with the quality objective that individuals who are
assigned to perform activities within the QC system have the
objectivity to monitor work in accordance with applicable professional
and legal requirements and the firm's policies and procedures.\523\ As
emphasized above, this quality objective is important for creating
accountability within the firm to achieve the reasonable assurance
objective. Information gathered through PCAOB inspection activities
indicates that roughly 3% of firms inspected between 2018 and 2020
performed self-assessments. This suggests that relatively few firms
would be impacted by this policy choice. The Board considered allowing
self-assessment monitoring under certain conditions to reduce costs for
impacted firms but ultimately decided against it out of concern that
individuals may not be able to objectively assess their own work. In
these circumstances, the firm may use other participants or third-party
providers to perform monitoring activities.
---------------------------------------------------------------------------

\523\ See QC 1000.44e.
---------------------------------------------------------------------------

e. In-Process Monitoring Activities
In-process monitoring activities are discussed above. The Board
considered extending the requirement to monitor in-process engagements
to all firms but decided to limit the requirement to firms that issue
audit reports with respect to more than 100 issuers. The Board believes
that differentiating a

[[Page 49725]]

firm's obligation based on the number of issuer clients may be
appropriate because, in the Board's view, firms with larger, more
complex audit practices are generally subject to quality risks for
which in-process monitoring is an appropriate quality response. The
Board also understands through PCAOB oversight activities that the
majority of smaller PCAOB audit practices do not perform in-process
monitoring activities and may lack the resources to do so. Therefore,
to balance these concerns, QC 1000 includes a ``should consider''
requirement to provide sufficient scalability for firms that issue
audit reports with respect to 100 or fewer issuers.
f. Evaluation and Reporting Dates
Several commenters suggested that QC 1000 should allow firms to
choose their own evaluation date. This alternative could reduce the
cost of QC 1000 by allowing firms to perform the evaluation when most
convenient. For example, some firms could set their QC 1000 evaluation
date near their ISQM 1 evaluation date and use parts of their ISQM 1
evaluation for their QC 1000 evaluation. However, the information
reported to the PCAOB on Form QC would be less current and therefore
less informative to the PCAOB when it selects firms and engagements for
inspection, inspection focus areas, and inspection procedures. Tracking
firms' compliance with the evaluation requirements could also be more
challenging. In addition, the inherent differences between the QC 1000
and ISQM 1 evaluations will require incremental effort from firms to
comply with QC 1000.
The Board initially proposed a November 30 evaluation date followed
by 46 days from the evaluation date to both report and document the QC
system evaluation. This timeline would provide the PCAOB with timely
information to inform PCAOB oversight activities. Some commenters
expressed concern that a November 30 evaluation date could present
costs and other challenges because some firms have already chosen an
alternative evaluation date under ISQM 1 or because the timeframe for
the evaluation could conflict with some firms' inspection cycles or
business cycles and can encompass holidays and religious observances.
The Board was persuaded that a November 30 evaluation date could have
led to unnecessary incremental resource demands during the busy and
holiday seasons. Accordingly, the Board instead required firms to adopt
a September 30 evaluation date as discussed above. Some commenters
expressed concern that 46 days would be insufficient to report on and
document their evaluation. The Board was persuaded that 46 days to
report on and document the QC system evaluation could have created
unnecessary costs to firms. Therefore, under the final standard, a firm
will have 61 days to evaluate their QC system and an additional 14 days
after the evaluation to assemble their documentation.
g. Reporting the Annual QC System Evaluation
Firm reporting on the QC system evaluation is discussed above. One
commenter asserted that an explicit reporting requirement is
unnecessary because the PCAOB inspection process provides the Board and
staff with any relevant contemporaneous quality control information for
both annual and triennially inspected firms. The Board considered
obtaining the annual QC system evaluation as part of the PCAOB
inspection process rather than an explicit reporting requirement. Under
this alternative approach, the evaluation would be less timely,
structured, and consistent and likely would not inform the PCAOB's
inspection approach as effectively, especially for triennial firms. It
could also diminish the beneficial incentive effect of mandatory
reporting to the PCAOB. This alternative approach could eliminate or
reduce the costs to firms associated with preparing a summary report of
the firm's QC system evaluation. In addition, if, under this
alternative approach, the privilege protections of section 105(b)(5)
were determined to apply to some or all of the information generated by
the firm pursuant to QC 1000, that could diminish the discoverability
of such information in litigation, thereby decreasing third-party
litigation risk. However, this alternative approach would not address
the lost information value, particularly for the triennial firms.
The Board also considered requiring firms to report to the Board on
Form QC only when the firm identifies a major QC deficiency. This
approach would reduce some of the variable costs associated with
preparing and transmitting Form QC to the PCAOB. However, this approach
would also reduce the value of Form QC to the PCAOB. For example,
reporting on unremediated QC deficiencies would inform various aspects
of PCAOB oversight activities, including focusing inspection resources
on higher risk firms, engagements, and focus areas; designing the
nature and extent of inspection procedures, both for QC processes and
individual engagements; and making more refined data requests from the
firms. This alternative approach could also diminish the beneficial
incentive effect of mandatory reporting to the PCAOB.
Several commenters suggested that the PCAOB clarify that Form QC is
submitted under the PCAOB's inspections authority, as a way of
bestowing the confidentiality protections of section 105(b)(5) upon the
information provided therein. This would, according to commenters,
alleviate uncertainty about the extent to which information submitted
thereon may be subject to discovery or other disclosures, diminish a
risk of unwarranted legal exposure, and help place the information in
the context of the ongoing inspections dialogue. The Board acknowledges
the commenters' concerns about these issues. However, as discussed
above, QC 1000 is not an inspections rule; it is a QC standard that
places obligations on all registered firms regardless of their
inspection status (annual, triennial, or exempt), and as such the Board
is not able to say that Form QC information is necessarily submitted
``in connection with an inspection'' as would be necessary to trigger
the confidentiality protections of section 105(b)(5) of Sarbanes-Oxley.
h. Certification of the Annual Evaluation
Some commenters requested that the Board specify a heightened legal
standard (e.g., recklessness) at which liability could be imposed on
individuals for making a certification that is later determined to be
false, or create safe harbors for inevitable system errors or the
wrongful acts of others. As discussed above, the standard for liability
turns on the particular language of each statement in the
certification: some statements are subject to a negligence standard,
while others (namely those with knowledge qualifiers) give rise to
liability only if the certifier knew that the statement was false or
recklessly did not know it was false. The Board acknowledges that
alternative approaches urged by commenters could have saved some costs.
Specifically, limiting liability to recklessness in all circumstances
would provide individuals with comfort that their decisions would not
be second-guessed in litigation. This result may make the performance
of those services more efficient by removing an incentive to perform
tasks that are not directly related to quality. For example,
individuals may be less incentivized to engage in self-protective
behaviors if a heightened legal standard (e.g.,

[[Page 49726]]

recklessness) is imposed. In addition, more staff may be willing to
take these roles (or to take them at a lower price) if liability or
workload would have been more limited by a heightened legal
standard.\524\ However, that approach would have attenuated the
benefits sought to be achieved by the certification requirement by
removing the Board's ability to hold individuals accountable for
conduct that fails to meet a reasonable person standard of care.
---------------------------------------------------------------------------

\524\ See Economic benefits--improved compliance with applicable
professional and legal requirements--above for a discussion of
commenters' concerns regarding increased liability or workload
associated with the roles as potential disincentives that may keep
qualified individuals from accepting the roles.
---------------------------------------------------------------------------

i. Public Reporting
The discussion above summarizes commenters' views on public
reporting about firms' QC systems and legal constraints on public
disclosure that are imposed by Sarbanes-Oxley. Some commenters
suggested that the non-confidential portions of Form QC could be made
publicly available. Such public reporting could in principle provide
investors with additional information on audit quality and thereby help
address the problem discussed above. However, the Board believes that
significant portions of Form QC may be confidential. As a result, the
non-confidential portions of Form QC could have been misleading and
difficult to compare across firms. Public reporting of non-confidential
portions of Form QC could also lead firms to be less candid in their
Form QC reporting and thereby diminish its value to the PCAOB. Some
commenters also expressed concern that any public reporting could be
contrary to Sarbanes-Oxley. After considering the benefits and costs of
alternative approaches, including those identified by commenters, the
Board believes that firm reporting on Form QC should be nonpublic.
Several commenters suggested that QC 1000 should require firms to
publicly disclose information related to audit quality. As discussed
above, the Board has proposed separate rules related to firm and
engagement metrics as well as firm reporting.\525\
---------------------------------------------------------------------------

\525\ See PCAOB Rel. No. 2024-002 and PCAOB Rel. No. 2024-003.
---------------------------------------------------------------------------

j. Audit Committee Communications
Commenters' views on potential required reporting to audit
committees are discussed above. The Board initially proposed to require
the firm to discuss with the audit committee the conclusion of the
firm's most recent annual evaluation of its QC system and a brief
overview of remedial actions taken and to be taken. This information
could give audit committees greater insight into the quality of their
auditor. Several commenters were supportive of the proposed
requirement. However, several other commenters asserted that the
information could be largely difficult to understand, irrelevant to an
individual audit committee, and potentially inconsistent with Sarbanes-
Oxley. Furthermore, one commenter noted research and expressed concern
that disclosure regarding the annual QC system evaluation to the audit
committee only could enable audit committees to shop for lower-quality
auditors.\526\ Similarly, another commenter expressed concern with an
approach that would provide mandatory disclosure to audit committees
but not to investors and the public. As discussed above, the Board
determined not to adopt the proposed amendments to AS 1301 after
consideration of the comments received.
---------------------------------------------------------------------------

\526\ See, e.g., Melissa Carlisle, Wei Yu, and Bryan K. Church,
The Effect of Small Audit Firms' Failure to Remediate the PCAOB's
Quality Control Criticisms on Audit Market Segmentation, 41 Journal
of Accounting and Public Policy 1 (2022).
---------------------------------------------------------------------------

Special Considerations for Emerging Growth Companies

Pursuant to section 104 of the Jumpstart Our Business Startups
(``JOBS'') Act, rules adopted by the Board subsequent to April 5, 2012,
generally do not apply to the audits of emerging growth companies
(``EGCs''), as defined in section 3(a)(80) of the Exchange Act, unless
the SEC ``determines that the application of such additional
requirements is necessary or appropriate in the public interest, after
considering the protection of investors and whether the action will
promote efficiency, competition, and capital formation.'' \527\ As a
result of the JOBS Act, the rules and related amendments to PCAOB
standards that the Board adopts are generally subject to a separate
determination by the SEC regarding their applicability to audits of
EGCs.
---------------------------------------------------------------------------

\527\ See Public Law 112-106 (Apr. 5, 2012). Section
103(a)(3)(C) of Sarbanes-Oxley, 15 U.S.C. 7213(a)(3)(C), as added by
section 104 of the JOBS Act, also provides that any rules of the
Board requiring (1) mandatory audit firm rotation or (2) a
supplement to the auditor's report in which the auditor would be
required to provide additional information about the audit and the
financial statements of the issuer (auditor discussion and analysis)
shall not apply to an audit of an EGC. None of the rules and
amendments would fall within either of these two categories.
---------------------------------------------------------------------------

To inform consideration of the application of PCAOB standards to
audits of EGCs,\528\ PCAOB staff prepares a white paper annually that
provides general information about characteristics of EGCs.\529\ As of
the November 15, 2022, measurement date, there were 3,031 companies
\530\ that self-identified as EGCs and filed audited financial
statements with the SEC between May 16, 2021, and November 15, 2022,
that included an audit report signed by a firm. Of the 263 registered
firms that audited EGCs, 227 firms (or 86%) performed audits for both
EGC and non-EGC issuers.\531\ Approximately 98% of EGCs were audited by
these 227 firms.\532\
---------------------------------------------------------------------------

\528\ This analysis of the impact on EGCs is provided to assist
the SEC in making the determination required under section 104 to
the extent that the requirements apply to ``the audit of any
emerging growth company'' within the meaning of section 104 of the
JOBS Act.
\529\ See PCAOB, Characteristics of Emerging Growth Companies
and Their Audit Firms at November 15, 2022 (Feb. 20, 2024) (``EGC
White Paper''), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/economicandriskanalysis/projectsother/documents/white-paper-on-characteristics-of-emerging-growth-companies-as-of-nov-15-2022.pdf?sfvrsn=a8294f3_2.
\530\ The EGC White Paper uses a lagging 18-month window to
identify companies as EGCs. Please refer to the ``Current
Methodology'' section in the EGC White Paper for details. Using an
18-month window enables PCAOB staff to analyze the characteristics
of a fuller population in the EGC White Paper but may tend to result
in a larger number of EGCs being included for purposes of the
present EGC analysis than would alternative methodologies. For
example, an estimate using a lagging 12-month window would exclude
some EGCs that are delinquent in making periodic filings. An
estimate as of the measurement date would exclude EGCs that have
terminated their registration or that have exceeded the eligibility
or time limits.
\531\ See EGC White Paper, at 17.
\532\ See id.
---------------------------------------------------------------------------

PCAOB staff also gathered information on Part I.A deficiencies for
the audits of EGCs between 2013 and 2022. Figure 6 presents the
percentage of inspected EGC and non-EGC issuer audits having at least
one Part I.A deficiency. The data suggest that Part I.A deficiencies
are even more common among audits of EGCs, raising questions about
whether QC systems of firms that audit EGCs are effective in preventing
audit deficiencies for these types of audit engagements.

[[Page 49727]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.018

In general, any new PCAOB standards and amendments to existing
standards determined not to apply to the audits of EGCs would require
auditors to address differing requirements within their methodologies
or policies and procedures with respect to audits of EGCs and non-EGCs,
which would create the potential for confusion. This may not be
practical in the context of the QC standards; while some components of
the QC system (such as engagement monitoring) may enable different
approaches for audits of EGCs compared to audits of other companies,
other elements (for example, resources and governance and leadership)
are necessarily firm-wide and cannot easily be differentiated for
different types of audits. Even where differentiation is possible,
maintaining separate QC system components for EGC and non-EGC audits
and separate methodologies with respect to, for example, auditor
obligations with respect to deficiencies in completed engagements and
foundational ethics requirements, may add cost or lead to confusion,
and could run counter to the objective of integrating QC practices into
a single virtuous cycle of risk assessment, monitoring, and
remediation. These methodology and QC system differentiation costs
would affect at least the 227 registered firms that audit both EGCs and
non-EGCs and that, collectively, audit approximately 98% of EGCs.
The discussion of economic impacts of the requirements is generally
applicable to the audits of EGCs. In particular, the benefits to
financial reporting quality articulated above may be especially
pertinent for EGCs, including improved efficiency of capital
allocation, lower cost of capital, and enhanced capital formation. EGCs
tend to be smaller \533\ and have a shorter SEC financial reporting
history than the broader population of public companies. Academic
research suggests that, for several reasons, smaller public companies
tend to exhibit greater information asymmetry between management and
investors.\534\ Accordingly, EGCs are likely to exhibit greater
information asymmetry between management and investors and hence the
importance of the external audit to investors in enhancing the
credibility of EGC financial reporting may be more pronounced.
---------------------------------------------------------------------------

\533\ See EGC White Paper, at Figure 9 and Figure 12 (indicating
that exchange-listed EGCs have lower market capitalization and
revenue than exchange-listed non-EGCs).
\534\ For example, smaller public companies tend to have less
analyst coverage and a greater share of insider holdings. See, e.g.,
Raymond Chiang and P. C. Venkatesh, Insider Holdings and Perceptions
of Information Asymmetry: A Note, 43 Journal of Finance 1041 (1988);
Ravi Bhushan, Firm Characteristics and Analyst Following, 11 Journal
of Accounting and Economics 255 (1989).
---------------------------------------------------------------------------

The requirements could impact competition in an EGC product market
if the indirect costs to audited companies of the requirements
disproportionately impact the EGCs relative to their competitors. EGCs
may be forced to raise prices, thereby diverting market share toward
their competitors. This could increase competition in markets where
EGCs have a dominant market share and decrease competition in markets
where EGCs have a less than dominant market share. The potential impact
to competition in EGC product markets would be reduced to the extent
EGC auditors will already be required to comply with ISQM 1 or SQMS 1
or otherwise would choose not to pass on incremental costs arising from
the requirements in the form of higher audit fees.
The proposal sought comment on the applicability of the proposed
requirements to audits of EGCs. Some commenters agreed that the
proposed requirements should apply to the audits of EGCs.
Accordingly, and for the reasons explained above, the Board
requests that the Commission determine that it is necessary or
appropriate in the public interest, after considering the protection of
investors and whether the action will promote efficiency, competition,
and capital formation, to apply QC 1000 and the related amendments to
Board standards, rules, and forms to audits of EGCs.

III. Date of Effectiveness of the Proposed Rules and Timing for
Commission Action

Within 45 days of the date of publication of this notice in the
Federal Register or within such longer period (i) as the Commission may
designate up to

[[Page 49728]]

90 days of such date if it finds such longer period to be appropriate
and publishes its reasons for so finding; or (ii) as to which the Board
consents, the Commission will:
(A) By order approve or disapprove such proposed rules; or
(B) Institute proceedings to determine whether the proposed rules
should be disapproved.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views and
arguments concerning the foregoing, including whether the proposed
rules are consistent with the requirements of Title I of the Act.
Comments may be submitted by any of the following methods:

Electronic Comments

Use the Commission's internet comment form (https://www.sec.gov/rules/pcaob); or
Send an email to [email protected]. Please include
PCAOB-2024-02 on the subject line.

Paper Comments

Send paper comments in triplicate to Vanessa A.
Countryman, Secretary, Securities and Exchange Commission, 100 F Street
NE, Washington, DC 20549-1090.

All submissions should refer to PCAOB-2024-02. This file number should
be included on the subject line if email is used. To help the
Commission process and review your comments more efficiently, please
use only one method. The Commission will post all comments on the
Commission's internet website (https://www.sec.gov/rules/pcaob). Copies
of the submission, all subsequent amendments, all written statements
with respect to the proposed rules that are filed with the Commission,
and all written communications relating to the proposed rules between
the Commission and any person, other than those that may be withheld
from the public in accordance with the provisions of 5 U.S.C. 552, will
be available for website viewing and printing in the Commission's
Public Reference Room, 100 F Street NE, Washington, DC 20549, on
official business days between the hours of 10 a.m. and 3 p.m. Copies
of such filing will also be available for inspection and copying at the
principal office of the PCAOB. Do not include personal identifiable
information in submissions; you should submit only information that you
wish to make available publicly. We may redact in part or withhold
entirely from publication submitted material that is obscene or subject
to copyright protection. All submissions should refer to PCAOB-2024-02
and should be submitted on or before July 2, 2024.

For the Commission, by the Office of the Chief Accountant.\535\
---------------------------------------------------------------------------

\535\ 17 CFR 200.30-11(b)(1) and (3).
---------------------------------------------------------------------------

Vanessa A. Countryman,
Secretary.
[FR Doc. 2024-12692 Filed 6-10-24; 8:45 am]
BILLING CODE 8011-01-P

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.