U.S. audit firms are supposed to know enough about their clients to avoid providing services that might call their objectivity and reliability into question.
In reality, far-flung global firms can fall short without the right training and checks in place to make sure audits are performed consistently and ethically, with potentially serious consequences. Enforcement cases against KPMG LLP, PwC LLP, and RSM LLP this year all involved breakdowns in quality controls.
“It’s very easy to have blind spots,” said Helen Munter, a former audit inspections director who now runs her own consulting firm, Adigeo LLC. “Everyone comes in with the intention of doing a good job every day. But without a system to support that, it would be unreasonable of leadership to think it’s going to happen.”
The Public Company Accounting Oversight Board, which is charged with regulating audits in the U.S., is trying to close such gaps by updating rules for how firms should police their work. The board—seeking to modernize its approach in a shifting global marketplace—plans to solicit comments soon as a first step.
A core requirement for firms, the quality control standard covers personnel management, ethics, engagement performance, and client acceptance. The PCAOB inspects firm’s control structures as part of routine regulatory reviews.
“We are concerned that those standards as currently written are outdated and do not adequately promote audit quality,” said William Duhnke, the PCAOB chair, in remarks at a Dec. 3 auditing conference.
A pending international proposal on a similar auditing rule will serve as the starting point for the board’s discussions. Duhnke said the board hopes to align the U.S. rules with international standards, and avoid unnecessary differences that could weaken audit effectiveness.
An International Project
Firms following those international audit standards could soon have to consider how they use technology as they evaluate the resources and expertise they can provide to clients. And they will have more flexibility to design internal controls that better reflect the needs of their clients, the services they provide, and the size and abilities of the firm.
Those are among the changes being considered by the International Auditing and Assurance Standards Board, which aims to finalize its proposed rules in 2020.
The proposed revisions respond to concerns about audit quality around the world and pressure from stakeholders and regulators that the largest global network firms need to do more and smaller firms need more flexibility, said Karin French, who serves on the IAASB and chairs the board’s quality management task force.
Instead of a checklist of requirements that apply to all firms, the board has proposed a more risk-based approach. Each firm would need to set its own quality objectives, consider risks in their practice that would keep them from meeting those goals, and determine how to respond to those risks, French said.
Thomas Ray, a former PCAOB chief auditor who now teaches at Baruch College in New York, called the current U.S. standards a workable set of rules that have been refined through the inspections process. But the board recognizes it needs to catch up to other standard-setters and explore newer ideas, he said.
The PCAOB rules predate its existence, so they don’t reflect the requirements of the 2002 Sarbanes-Oxley Act, which created the audit regulator. The board borrowed its framework from American Institute of CPAs’ rules that date to 1997 and 2000 as part of the interim standards enacted as the board set up shop.
Since then, the AICPA has updated its rules twice—including a major overhaul in response to the collapse of accounting giant Arthur Andersen, said Bob Dohrer, the institute’s chief auditor.
Globalization, increasingly complex business transactions, and rapid technology changes demand more of audit standards. They can easily become ineffective as risks change, Dohrer said.
A Global Debate
The AICPA is monitoring the debate on quality controls closely. The group runs its own Audit Standards Board, which sets rules for private entity audits in the U.S., and has committed to converge with international standards.
Dohrer is among those advocating for global consensus when it comes to the internal checks that firms have in place.
“It is in nobody’s best interest to have quality management standards that are not converged around the world,” Dohrer said. “It would be a disaster if firms had to have two or three different systems of quality control.”
Mazars USA LLP’s quality and risk management leader Wendy Stevens agrees.
Public company audits represent just a small piece of Mazars’ overall business in the U.S. Complying with competing frameworks among the various standard-setters is Stevens’ top concern as the PCAOB joins the debate.
Mazars operates in 90 countries—each with different local requirements and services provided. That requires a quality management framework that is global and can be tailored to each member firm’s unique needs, Stevens said.
She supports the proposal the IAASB has issued because it focuses on managing risk, rather than eliminating risk. But if the plan is adopted, she faces a year or more of work to write new quality goals, re-do manuals, and overhaul training.
“It’s like starting over,” Stevens said.