Leveraging the Latest PCAOB Reports to Improve Your SOX Program
PCAOB Spotlight Reports are a valuable resource for SOX teams, providing insights into common audit deficiencies and lessons learned from recent PCAOB inspections. Most public accounting firms will take their findings from PCAOB inspections, digest them, and then publish guidance to the rest of their audit teams to determine areas that are coming under increased focus. By reviewing PCAOB Spotlight Reports, SOX Teams can get ahead of the curve for future potential areas of focus from their external Audits. This article highlights lessons SOX teams can apply from two of the most recent PCAOB Spotlight Reports related to testing and review practices.
What Are PCAOB Spotlight Reports?
PCAOB Spotlight Reports highlight timely information for auditors, audit committee members, investors, and others. The PCAOB publishes the reports on its website to help auditors and audit committees stay up-to-date on the latest developments in the auditing profession and to improve the quality of audits. These reports can also be helpful for investors and other stakeholders who want to learn more about the PCAOB’s work and how it protects investors. Many SOX professionals, internal auditors, and others involved in SOX testing are unaware of the PCAOB guidance until it is directed to them.
What Can SOX Teams Learn from PCAOB Reports?
Like any good audit report, the PCAOB Spotlight Reports provide four essential elements related to the results of their inspections: deficiency details, root cause analysis, remediation recommendations, and insights into best practices. Most importantly, the reports identify the most common audit deficiencies that the PCAOB has identified in its inspections. SOX teams can use this information to focus their audit efforts on the areas where they will most likely find deficiencies. Even during planning, they can use the root cause analysis to understand why these deficiencies occur, where to look, and how to prevent them. The remediation plans might be used to guide the team if the same issues are found in their company or to tighten up controls in some areas preemptively. Finally, the PCAOB shares “good practices” they observed so others can incorporate these ideas into their work.
Recent Findings from the PCAOB
Two of the most recent Spotlight Reports highlighted information that SOX program leaders should learn from and share with their teams and stakeholders. In the April 2023 Spotlight, The PCAOB lists out their 2023 Staff Priorities and gives insight into the top areas that the PCAOB is planning on focusing on during the year. Of those, two distinctly stood at the forefront: talent and its impact on audit quality, and use of technology within the audit. With the shortage of qualified candidates within the accounting profession and the reliance more and more on college graduates to assist in not only testing but also designing and executing controls, the PCAOB intends to focus more on the policies and procedures implemented around hiring qualified candidates. While the focus is more on public accounting firms, this is sure to pass onto the auditee as the accounting firms look to ensure the quality of information they receive is accurate.
The second key area is around the use of data and technology. With the rapid change of technology, whether it be in analytics, AI, or the platforms used to execute the audit, the PCAOB will continue to focus on what public account firms, and by their proxy audit clients, use to help organize and more effectively complete the audit.
In the July 2023 Spotlight, the PCAOB focused on testing performed by auditors. Of the findings that were discussed, two stood out. First, testing may not have been conducted at a level of precision sufficient to conclude its effectiveness. One way this could manifest in your organization is through sampling. If control owners rely on detective controls and sampling the population judgmentally, the control may need to be more precise, especially in the case of high-risk control areas including the identification, or implementation of, less judgemental IT Application controls. In the event IT Application controls may not be available or may not be practical – either given the age of the application or its complexity, SOX testing teams may need to alter testing procedures to gain greater comfort that the controls are designed and operating effectively.
Next, information produced by the entity (IPE) was not tested for accuracy and completeness when testing user access and change management controls. IPE is notoriously weak in most companies and has been a focus area for external auditors and the PCAOB for several years Some SOX teams have found it helpful to provide templates and explicit guidance to control owners to ensure the documentation is accurate and complete to prove control effectiveness. On that same note, the PCAOB called out templates as a good practice, saying, “Over the years, firms have developed various tools and templates to drive consistency in the application of the auditing standards and firm methodology.” It is important to note, however, that the completeness and accuracy of IPEs is still management’s assertion, and while Internal Audit groups may assist, management should still attest to the assertions of those IPEs. SOX teams need to remember the downstream impact of a control failing – including the lack of reliance on the controls that are using the IPE in the execution of the control.
The October 2023 Spotlight centered on the review processes in place by audit teams. In this case, the findings hit on three key concerns: reviewer competency, documentation of the review, and overlooking deficiencies. In SOX programs, the level of review can suffer when the teams are under too much pressure. Often, this happens during quarterly and year-end testing, primarily when short-staffed. In their excellent practice observations, the PCAOB offers great advice. They recommend a multifaceted approach that includes “workload monitoring” to ensure the task of reviewing is staffed correctly, “increased accountability,” and the use of “new and revised audit tools and guidance.” Each recommendation is excellent, but combined, this can mean the difference between success and failure for a SOX program.
Share the Insights with Your Team
Too many SOX teams have yet to learn these reports exist. The PCAOB publishes various information, and the Spotlight Reports very often highlight deficiencies found while reviewing the external auditors’ work. Internal SOX programs can reap substantial benefits by understanding the types of mistakes found in these reports to prevent these from ever happening in the first place. Not only will the quality of the SOX program improve, but the externals may even be able to place higher reliance on your work, which is a win for everyone involved.
Mike Wych is a Manager of Product Solutions at AuditBoard with a focus on ESG, Risk, and Controls. Mike joined AuditBoard from KPMG where he was a manger in their Risk Assurance practice specializing in external audits, internal audits, and information security audits. Mike also bring experience assisting audit, risk, and control functions with streamlining and optimize processes. Connect with Mike on LinkedIn.