Conclusions from the PCAOB Inspection Findings 2023
Juan Pablo Calderon Rojas
Regional Director of Accounting and Controllership | Finance, Financial Reporting
The Public Company Accounting Oversight Board (PCAOB) runs an annual inspection program through which it assesses and oversees registered accounting firms that audit public companies or broker-dealers, as required by the Sarbanes-Oxley Act of 2002.
Each year, the PCAOB selects a range of audits conducted by these registered firms for inspection. The selection is based on a variety of factors, including perceived risk. For the selected sample, the PCAOB assesses whether the firm has complied with applicable professional and regulatory standards. This may include a review of significant judgments made by the auditor, the sufficiency of the evidence gathered, and compliance with the PCAOB's Auditing Standards.
The inspections focus on high-risk areas, and the PCAOB may adjust its approach based on new market trends and emerging risks. This could include areas such as the estimation of uncollectible accounts, the accounting for business combinations, or the audit of internal controls.
It is important to mention that the program also includes the inspection of non-U.S. firms that audit companies registered in the U.S.
After the inspection, the PCAOB issues a report detailing its findings. The firm has the opportunity to respond to the report, and their responses are included in the public version of the document. The reports may identify deficiencies in the selected audits and, in some cases, may identify systemic issues in the firm's quality practices.
Results of the 2022 inspections, published in July 2023:
Through the inspection of 157 audit firms, covering portions of 710 audits (excluding the separate inspection program for brokers and dealers), the key results were:
• Deficiencies in audits increased in 2022.
• PCAOB staff anticipates that approximately 40% of the reviewed audits will have one or more deficiencies.
• This represents an increase from 34% in 2021 and 29% in 2020. The most significant increase in 2022 was observed in the category of Global Network Firms (GNFs) inspected by the PCAOB (including both U.S. and non-U.S. GNFs).
My personal comments and action plan proposals to address these findings:
Essentially, the PCAOB divides the report into two sections:
1. Internal Control over Financial Reporting (ICFR). ICFR is a crucial part of a company's governance structure, designed to provide reasonable assurance that the financial statements are reliable and prepared in accordance with the applicable financial reporting framework (US GAAP or IFRS). During the inspection, the PCAOB evaluates how auditors have assessed and tested these controls, examining aspects such as the selection and testing of key controls, the assessment of the operating effectiveness of controls, and the identification of control deficiencies.
2. Substantive audit procedures. These are audit procedures aimed at detecting material misstatements in the accounts and balances of the financial statements. In this part of the inspection, the PCAOB is interested in how auditors have designed and executed substantive tests to obtain sufficient appropriate audit evidence. This may include reviewing the validity of transactions, the accuracy of balances, and the application of techniques such as confirmations, tests of details, and analytical procedures.
In this case, I will provide my conclusions for both sections separately, as the types of failures, root causes, and action plans are quite different.
My conclusions are based solely on the extract from Part A of the report. Parts B and C contain, respectively, additional comments that are not public and are addressed to the inspected firm, and information about potential violations of laws or regulations by the firm or its associated persons; neither is relevant to the general public, and neither is the focus of this article.
My conclusions regarding Internal Controls over Financial Reporting (ICFR):
Essentially, as in previous years, we have the following main observations:
Observation #1 - Adequate Evaluation of Controls:
PCAOB indicates that, in general, auditors did not adequately evaluate whether controls with a review element selected for testing operated at a level of precision sufficient to prevent or detect material misstatements. In these cases, auditors did not properly assess the review procedures carried out by control owners, including the procedure for identifying items for follow-up and the procedures for determining whether those items were appropriately resolved. This is the most common type of testing deficiency when evaluating management review controls.
Proposed Action Plans:
Plan #1: Focus Testing on Key Minimum Aspects of a Control:
A control essentially consists of six key components:
1. A 'Title'.
2. A 'What': the control activity performed to mitigate the risk.
3. A 'How': enough detail, without becoming a narrative, for a properly informed third party to understand the control without resorting to personal interpretation.
4. A 'Threshold', where applicable: this indicates the depth (precision) of the control.
5. 'Exceptions', where applicable: this delineates the scope of the control and the risk appetite for that specific control.
6. 'Evidence': what is retained to show the control operated.
When an auditor is clear about these components, they force themselves to validate whether the controls operated at a level of precision sufficient to prevent or detect significant material errors. This is because these elements have a direct correlation with the process, associated risk, and accounting assertions.
In summary, auditors should have this checklist that allows them to focus their testing not on what the control owner told them the control was during the walkthrough, but on what the control is intended to be.
Plan #2: Three-Part Review of Risks, Controls, and Accounting Assertions:
Develop internal guidelines for evaluating controls with a review element, where consideration is always given to the in-scope account (process), the risk, the accounting assertion mitigated by the control, and the control itself. This analysis should be conducted before walkthroughs and should be led and executed by key members of the audit team.
By linking risks to controls and accounting assertions, a clear understanding is created of how controls are designed to mitigate risks and what impact they would have on the financial statements.
I believe that auditors often spend too little time on the correct design of a company's ICFR program. In my opinion, this should be the phase where the most hours are dedicated during the audit planning stage. A review of WCGWs ("what could go wrong" risks), controls, and assertions, and how they interact with each other, is an area that should be significantly improved.
Observation #2 - IPE:
PCAOB states that, in general, auditors did not perform procedures to test the accuracy and completeness (integrity) of information produced by the company and used by the auditor, for example as the population from which samples were selected, or in testing user access and change management controls. This failure undermines reliance on critical reports used in other controls or in substantive testing.
What action plan do I propose:
The ongoing struggle between IPE and auditors: I don't think there is a PCAOB observation repeated as frequently as this one. Before delving into my specific recommendations, the first thing auditors should do is define what IPE is because, in my view, this is the root cause. In my professional experience, I've noticed that auditors can always provide examples of IPE when asked what it is, but they rarely manage to conceptualize it.
Plan #1: Rigorous Verification Procedures for Accuracy and Integrity of Information:
A robust and standardized process for verifying the accuracy and integrity of information produced by the company already exists in all firms and internal audit departments. Therefore, I can only conclude that we are good at designing controls but poor at their execution.
To ensure the proper execution of the process in practice, we must include verification against original sources, data reconciliation, and validation with third parties where necessary. All of this should be formally documented within the working paper, with a dedicated section/tab specifically for IPE (Information Produced by the Entity). As part of this process, samples should not be selected until the IPE has been validated and we are certain that all items encompassed by the control are included in the report or universe to be used for sampling.
We must stop relying on what the auditee sends us as the universe, assuming that it contains all the items that the control should cover.
On the other hand, let's remember that the entity responsible for having an IPE process, in the first place, is the control executor. We, as auditors, only revalidate it. In other words, we must encourage management to have a robust IPE documentation process.
Within the processes to validate IPE, we should consider the following:
• Initial Information Assessment: Identify and evaluate the information that will be used in the SOX controls, by process. This is done to gain familiarity with the sources and their relationships, to understand where each report originates and how it is used, and to validate with the IT team that the report(s) used by the control owner come from a system whose ITGCs (user access and change management) are within the scope of testing.
• Source Verification: Compare the information produced by the company with the original sources to ensure accuracy.
• Data Reconciliation: If databases or systems are involved, conduct reconciliations to ensure that the information is consistent and complete.
• Third-Party Validation: If applicable, validate the information with third parties to obtain independent confirmation of its accuracy.
• Documentation of Procedures: Clearly document all procedures performed and the results obtained, so that the control universe is transparent and the procedures can be replicated or reviewed.
Example:
Let's assume an auditor is evaluating user access controls for a key financial system. The company provides a report detailing who has access to the system. The auditor could start by understanding how this report is generated and which systems or databases are used to produce it.
Next, the auditor could compare a sample of the accesses in the report with the original documentation (e.g., approved access requests, change logs) to verify accuracy. If there is a database that records access, the auditor could reconcile this database with the report. Finally, the auditor could validate some of the accesses with the IT department to obtain independent confirmation. This approach provides reasonable assurance that the information used in the audit is accurate and complete, which can restore confidence in the reports and audit procedures.
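The reconciliation step of the example above, as an added illustration (not code from the article or from any audit firm): the control owner's access listing is compared against an extract pulled directly from the system's user table, and the extract, not the listing, is then matched to the approval register. All three data sets are constructed for the example, and the field names (user_id, role, status) and the separate approval register are assumptions.

```python
"""Reconcile a company-produced user access report (IPE) against its source.

Added example, not code from the article. Data below is constructed:
REPORT is the listing the control owner hands the auditor; SOURCE_EXTRACT
stands in for a direct query of the system's user table; APPROVED_REQUESTS
stands in for the access-request tickets. Field names are assumptions.
"""
from dataclasses import dataclass, field

# Constructed: the control owner's listing. It claims to cover every
# *active* account in the financial system.
REPORT = [
    {"user_id": "u001", "name": "alice", "role": "AP_CLERK", "status": "active"},
    {"user_id": "u002", "name": "bob",   "role": "GL_VIEW",  "status": "active"},
    {"user_id": "u005", "name": "erin",  "role": "AP_CLERK", "status": "active"},
]

# Constructed: an extract obtained independently of the control owner.
SOURCE_EXTRACT = [
    {"user_id": "u001", "name": "alice", "role": "AP_CLERK", "status": "active"},
    {"user_id": "u002", "name": "bob",   "role": "GL_POST",  "status": "active"},
    {"user_id": "u003", "name": "carol", "role": "ADMIN",    "status": "active"},
    {"user_id": "u004", "name": "dave",  "role": "AP_CLERK", "status": "disabled"},
]

# Constructed: approved access requests, user_id -> approved roles.
APPROVED_REQUESTS = {
    "u001": {"AP_CLERK"},
    "u002": {"GL_POST"},
    "u004": {"AP_CLERK"},
}

COMPARED_FIELDS = ("name", "role", "status")


@dataclass
class ReconciliationResult:
    report_count: int
    source_count: int
    missing_from_report: set = field(default_factory=set)   # completeness failures
    not_in_source: set = field(default_factory=set)         # phantom/stale rows in report
    field_mismatches: dict = field(default_factory=dict)    # accuracy failures, per field
    unapproved_access: dict = field(default_factory=dict)   # source rows with no approval

    @property
    def report_is_reliable(self) -> bool:
        """True only when the report can serve as the sampling population."""
        return not (self.missing_from_report or self.not_in_source or self.field_mismatches)


def index_by_user(rows):
    """Key rows by user_id; a duplicate id is itself an accuracy problem."""
    indexed = {}
    for row in rows:
        if row["user_id"] in indexed:
            raise ValueError(f"duplicate user_id in listing: {row['user_id']}")
        indexed[row["user_id"]] = row
    return indexed


def reconcile_access_report(report, source, approvals,
                            in_scope=lambda r: r["status"] == "active"):
    """Compare the IPE report with an independently obtained source extract.

    The population the report claims to cover is `source` filtered by
    `in_scope`. Every row in that population must appear in the report with
    identical field values, and nothing else may appear in the report.
    """
    rep = index_by_user(report)
    src = index_by_user(r for r in source if in_scope(r))

    result = ReconciliationResult(report_count=len(rep), source_count=len(src))
    result.missing_from_report = set(src) - set(rep)
    result.not_in_source = set(rep) - set(src)

    for uid in set(rep) & set(src):
        diffs = {f: (src[uid][f], rep[uid][f])
                 for f in COMPARED_FIELDS if src[uid][f] != rep[uid][f]}
        if diffs:
            result.field_mismatches[uid] = diffs

    # The access test itself runs against the source, not the report: the
    # report is only trusted once the reconciliation above comes back clean.
    for uid, row in src.items():
        if row["role"] not in approvals.get(uid, set()):
            result.unapproved_access[uid] = row["role"]

    return result


if __name__ == "__main__":
    r = reconcile_access_report(REPORT, SOURCE_EXTRACT, APPROVED_REQUESTS)
    print(f"report rows {r.report_count}, in-scope source rows {r.source_count}")
    print("missing from report:", sorted(r.missing_from_report))
    print("not in source:", sorted(r.not_in_source))
    print("field mismatches:", r.field_mismatches)
    print("unapproved access (per source):", r.unapproved_access)
    print("report usable as sampling population:", r.report_is_reliable)
```

On the constructed data the listing fails both ways: the admin account u003 is absent from it, u005 appears although the system has no such account, and u002's role is understated. Any one of these means the listing cannot be the universe for sampling, which is the point of validating IPE before selecting samples. Note that the approval check is run on the source extract, so the unapproved ADMIN role on u003 is found even though the report omits that account.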
I also recommend that internal audit teams always have consulting roles for key SOX systems and receive training from management on how to obtain reports related to SOX controls. This increases both independence and effectiveness. In turn, external auditors can leverage these internal audit accesses to cover IPE for the most significant controls through 'direct assistance' hours and, for the remaining controls, use a reliance strategy with internal audit. With this approach, all controls will have independent, direct, and efficient IPE validation.
Observation #3 - Identification of Key Controls:
PCAOB states that, in general, auditors did not identify or test controls that are significant for the auditor's conclusions about whether the issuer's controls adequately address the assessed risk of misstatement for each relevant assertion. In many cases, auditors did not identify and test controls over the accuracy and integrity of data used by the control owner in the operation of a control.
Proposed Action Plan:
Plan #1 - Identification and Detailed Evaluation of Relevant Controls:
Establish a structured and methodical approach to identify and assess controls that are critical for risk assessment and audit conclusions. This will involve a thorough review of controls over data accuracy and integrity and will require the involvement of experienced audit personnel.
Procedures to Consider:
• Identification of Critical Controls: Identify all controls that are essential for the auditor's conclusions, with a special focus on those related to data accuracy and integrity.
• Assessment of Associated Risks: Evaluate the risks associated with each identified control, considering the potential for misstatement and its impact on relevant assertions.
• Consider Accounting Assertions as Part of the Analysis: Have a risk-control-assertion-process view.
• Review by Experienced Personnel: Involve experienced audit personnel to review and validate the identification, assessment, and testing of controls.
• Define an Acceptable Level of Aggregation: This level is the threshold below which deficiencies in controls are not individually considered significant but could be if aggregated with other deficiencies.
Example:
If an internal control for approving invoices has minor deficiencies that, on their own, are not materially significant, they should be considered in aggregation with similar deficiencies to assess their overall significance.
When deficiencies in controls are identified, they should be evaluated both individually and in aggregation with other deficiencies to determine if they are materially significant.
Comment from a reader (CAE at Millicom (Tigo)), 1 year ago: Very informative and well written article.