How to Survive a PCAOB Inspection

Accounting Today

September 20, 2004
Vol. 18, No. 17

St. Louis Since Oct. 22, 2003, the government, by means of Section 101 of the Sarbanes Oxley Act of 2002 and by the establishment of the Public Company Accounting Oversight Board, has taken over the regulation, registration and inspection of CPAs. It has also taken over the auditing standard setting process. All of these activities were previously vested with the American Institute of CPAs and its Auditing Standards Board. The first step that the government took in this direction was to clear the decks by prohibiting accounting firms from preparing or issuing audit reports for U.S. public companies unless and until they register with the PCAOB. For U.S. CPA firms, the deadline for registration was Oct. 22, 2003, and for non U.S. firms the deadline for registration was July 19, 2004. The registration process was designed to bar accountants with serious compliance or disciplinary issues from continuing to audit the financial statements of public companies.

The inspection process, to which both U.S. and non U.S. registered public accounting firms are now subject, is the PCAOB's principal tool for ensuring that accountants who audit the books of public companies comply with SOX, the rules and professional standards of the board and the rules of the Securities and Exchange Commission.

Registered public accounting firms that issue audit reports or that play a substantial role in the preparation of audit reports of 100 or more public companies will be subject to annual inspections, and those with 100 or less will be subject to triennial inspections. In addition, the PCAOB has the authority to conduct unannounced special inspections in certain situations when prompted by anonymous tips or media stories.

It is important to note that non U.S. registered public accounting firms are equally subject to the inspection powers of the PCAOB, although the board does have the discretion to rely upon inspections conducted by a home country system, and the extent of that reliance will depend on the board's evaluation of the rigor of the local inspection system.

The principal objective of a registered public accounting firm that undergoes an inspection is to ensure, as much as possible, that the inspection does not develop into an investigation or a disciplinary proceeding.

Who are they inspecting?

Accounting firms and individual accountants: At the outset, it is important to appreciate that the PCAOB is not only inspecting accounting firms but also individual accountants and others at the firms who participate in the preparation of an audit report. Accordingly, an inspection may result in the registered public accounting firm itself, or one of its accounting staff, or both, being cited and sanctioned for a deficiency.

In view of the fact that it is only accountants that audit the accounts of "issuers" that are subject to the PCAOB regulatory regime and inspection powers, it is important to know who is an issuer.

An issuer is any public company, including a non U.S. company, that is required to file reports with the SEC or that has filed with the commission a registration statement for a public offering of its securities. In order for an accountant auditing the books of an issuer to be subject to the regulatory powers of the PCAOB, it is not necessary that the securities of the issuer be listed on a securities exchange or be publicly traded.

For example, an accounting firm whose practice consists solely of auditing the financial statements of a public real estate limited partnership that files reports with the commission must register with the PCAOB even though the limited partnership interests are not listed on an exchange and are not traded.

Non public registered broker/dealers: Accountants whose practice consists solely of certifying the accounts of non public broker/dealers may be subject to PCAOB regulation, including the registration requirements and inspection powers in respect of financial statements for fiscal years ending after Jan. 1, 2006. This may be so even though non public broker/dealers are not issuers, since by virtue of Section 17(e)(1)(A) of the Securities Exchange Act of 1934, as amended by Section 205 of SOX, the accounts of broker/dealers are required to be certified by a registered firm rather than by an independent public accountant.

Employee benefit plans: In addition, a public accounting firm is required to register with the PCAOB if its practice consists solely of auditing employee stock purchase, savings and similar plans for which Forms 11 K are filed with the commission.

Accountants registered with the PCAOB that have no public clients: Accounting firms that have registered with the PCAOB but do not have any public clients will not be subject to inspection. In addition, an audit report on a non issuer performed in accordance with the PCAOB standards, either because this is required by statute, as is the case with respect to supervised investment bank holding companies, or because the auditor agreed voluntarily to do so at the request of banks or others, is not subject to PCAOB inspection.

For the purposes of PCAOB inspections, the term "associated person" includes not only accountants or persons pursuing accounting degrees but also all persons that participate in the audit even if they do not have or are not studying for an accounting degree. It also includes non employees, such as independent contractors who participate in the preparation of audit reports.

What are they inspecting?

Initially, the PCAOB inspectors would likely focus on the accountants' compliance with the provisions of Sarbanes Oxley that regulate the conduct of the accountant. These provisions require that:

The accounting firm refrain from providing any prohibited non audit services, such as bookkeeping services, financial information systems design, appraisal or valuation services, actuarial services, internal audit outsourcing services, management functions or human resources, broker/dealer, investment advisor or investment banking services, legal services or expert services unrelated to the audit;

The provision of permitted non audit services to the audit client be pre approved by an independent audit committee of the company;

The lead and reviewing partners take a five year break from the audit engagement after each five years of service, and audit partners with lesser involvement take a break for two years after seven years of service. (Although registered public accounting firms with fewer than five audit clients and 10 partners are exempt from the partner rotation requirements, this exemption is not automatically granted and depends upon the results of the triennial PCAOB inspections in connection with the overall quality of the audits that such firms conduct and the competence of the key personnel of the audit engagement teams);

Any person who was on the audit engagement team during the one year period preceding the date that audit procedures commenced does not currently work for the audit client in a financial reporting oversight role;

The accountants are in constant communication with the audit committee, beginning with the execution of the engagement letter and through all stages of the engagement;

Before the auditor's report on the financial statements is filed with the SEC there is evidence that the accountants discussed the contents of the financial statements and any accounting issues that may have arisen with the audit committee; and,

The audit committee of issuers listed on an exchange has a qualified audit committee financial expert as required by SOX.

Compliance with the rules of the board

The PCAOB will also inspect compliance with the rules of the board. This includes compliance with the AICPA's auditing, attestation, quality control, ethical and independence standards as they existed on April 16, 2003, which the PCAOB has adopted as its own interim standards. These rules, originally promulgated by the AICPA and its ASB, are now the rules of and subject to amendment by the PCAOB.

Accordingly, since April 16, 2003, the place to look for any changes in these standards is not in the AICPA or ASB literature but in the PCAOB rules. These standards, with which public registered accountants must comply and which will likely be the subject of a PCAOB review, include, among others, the following:

The 10 auditing standards included in Statement on Auditing Standards 95, which require of the auditor the following: adequate technical training and proficiency, independence, due professional care, adequate planning of audits and supervision of engagement staff, an understanding of internal controls, the collection of evidential matter on which to base the audit opinion, a statement that the financial statements are presented in accordance with the rules of the PCAOB, the identification of circumstances in which the rules have not been observed, a statement to the extent that informative disclosures in the financial statements are not adequate, and an expression of opinion regarding the financial statements;

The attestation standards included in the ASB Statements on Standards for Attestation Engagements, which apply when a CPA is engaged to issue a report about a subject matter based upon assertions made by the client, and which require that the accountant be independent; exercise due care; and have adequate training and proficiency for the attest function, adequate knowledge of the subject matter, and adequate basis to believe that the subject matter can be evaluated against criteria selected by the client;

The quality control standards included in the ASB's Statements on Quality Control Standards. These require that a registered public accounting firm have a system of quality control for its auditing and accounting practice that provides the firm with reasonable assurance that its personnel comply with the applicable professional standards of quality, including independence, integrity and objectivity, personnel management, acceptance and continuance of clients and engagements, engagement performance, and monitoring;

The ethics standards included in Rules 102 and 191 of the AICPA's Code of Professional Conduct. These standards require that in the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interest, shall not knowingly misrepresent facts and shall not subordinate her judgment to others; and,

The independence standards included in Rule 101 of the AICPA's Code of Professional Conduct and certain standards included in the Independence Standards Board, all subject to the rules included in Rule 2 01 of Regulation S X of the commission's rules relating to auditor independence.

It should be noted that under Sarbanes Oxley, any violation of the board's rules, including the interim standards referred to above, will be treated in the same manner and subject to the same penalties as a violation of the Exchange Act.

The inspectors will be looking for client acceptance and continuance policies. They will want to see documentation evidencing the background checks and considerations taken into account before a firm initially accepts the client, and updates on this information as a basis for continuing the relationship. The inspectors have also been known to ask for documentation showing the reasons why the firm decided not to take on a potential client that it pitched.

Such acceptance and continuation policies should require that before accepting an issuer as a client, the following steps should be taken:

  • The prospective client's SEC reports and tax returns should be reviewed;
  • Information regarding the client should be gathered from lawyers, bankers, underwriters and the business community;
  • Former accountants of the potential client should be interviewed regarding the nature of disagreements reported on a Form 8 K;
  • A determination should be made whether there is any evidence of opinion shopping;
  • Information should be gathered about the integrity of client's management; and,
  • A determination should be made whether the firm has or can obtain sufficient expertise and knowledge to perform the engagement.

Such client acceptance and continuance policies should also require that:

  • During the course of the relationship with the client, the firm should monitor the following and other changes in the client to determine whether to continue the relationship: changes in ownership, senior personnel, directors, advisors, the nature of the business and its financial health, or changes in the scope of the work requested by the client;
  • The firm should monitor for the development of conditions that would have caused it to reject the client had they existed at inception, such as going concern issues and questionable estimates by management;
  • The firm should monitor delinquency in paying fees as an independence/retention issue; and,
  • The firm should continue to monitor a client that has been accepted notwithstanding certain issues observed, to make sure that such issues are under control.

Tone at the top

The PCAOB inspection of public registered accounting firms, especially as it pertains to quality controls and procedures, can be referred to as the accountants' very own Section 404. The PCAOB inspectors will approach the inspection with the same emphasis on tone at the top as the accountants do in connection with their Section 404 attestation on management's assessment of the company's internal controls over financial reporting.

This should not come as a surprise. If the tone emanating from those who write the paychecks, grant bonuses and give the nod to promotions is derisive or dismissive of compliance and the integrity of the audit, then all the compliance manuals and ethical standards in the world will be as useless as they were at Enron.

Accordingly, the board will be very keen to interview the owners of the firm to understand how much time and concern they devote to audit work, how passionate they are about the integrity of the audit, what they are being paid for and what they consider to be the criteria for employee promotion. They will also interview employees and prospective partners to determine what message is being disseminated throughout the firm and what the rank and file believe they need to do to advance their careers with the firm.

By conducting a series of focus group interviews on the subject of the tone at the top, the inspectors will compare the story they get from the owners with the story they get from employees for any tell tale signs of discrepancies that might point to lip service ethics rather than applied ethics.

The firm's internal inspection programs

Perhaps one of the best ways to prepare for the PCAOB inspection is for the firm to have its own rigorous and regular internal inspection program. The PCAOB considers the firm's internal inspection process the most important component of its quality controls.

A firm's internal inspection should include testing the firm's compliance with quality controls, reviewing selected engagements, summarizing the findings, determining the corrective actions to be taken as a result of any deficiencies perceived, communicating the inspection findings and suggested improvements to the personnel involved, following up to make sure the corrective actions are implemented and documenting all of the above.

The PCAOB attaches so much importance to the firm's internal inspection program that they have announced that they may tag along on selected internal inspections to observe how they are performed.

The reviewer who conducts the internal inspection should not have been part of the engagement team that conducted the audit. She should be a respected member of the firm whose knowledge and experience are looked up to, rather than an individual who is appointed to the position because she is not otherwise busy. A firm with insufficient personnel to conduct an internal inspection program should consider hiring an outside auditor to perform the inspection.

In determining which engagements to select for review, the person conducting the internal inspection will likely choose, as will the PCAOB in its inspection, engagements with a high level of assessed risk such as companies with restatements, litigation, investigations or turnover of auditors, engagements that have not been previously reviewed, and at least one engagement worked on by each audit partner at the firm.

SAS No. 99

One of the questions that the PCAOB inspectors are certain to ask is what incremental steps the registered public accounting firm has taken in an audit engagement to detect fraud, as required by SAS 99. This is not surprising, given the recent spate of fraud both at the bookkeeping and the financial statements level.

SAS 99 requires that, in planning the audit and during its implementation, the engagement personnel discuss among themselves the risks of material misstatements due to fraud and that they adopt a mindset of professional skepticism. Material misstatements due to fraud can arise from fraudulent financial reporting and from misappropriation of assets.

In order to detect whether fraud is present or is likely to occur, the auditor must be sensitive to the existence of the following four symptoms. First, whether management or employees are under pressure or have an incentive to commit fraud. Such pressures can arise from the need to meet whisper numbers or to prevent the triggering of default provisions in loan agreements, and such incentives can be the rewards for reaching compensation thresholds.

The second symptom is whether there is a lack of internal controls making it easy to steal without getting caught. The third is whether management has the ability to override internal controls. The fourth is whether those involved in the fraud are able to rationalize the fraudulent act. It has been reported that Andrew Fastow often complained that he felt "under appreciated" for his work at Enron.

At the outset of the engagement, SAS 99 requires the auditors to brainstorm on how and where they believe the entity's financial statements might be susceptible to fraud, how management and others could perpetrate and conceal fraud, and how assets could be stolen.

As part of the SAS 99 process, inquiries should be made of management, the audit committee, in house counsel and non management employees about whether there have been incidences of fraud in the past, the risks of fraud in the future and the existence of internal controls to detect and prevent them. In this context, management's ability to override internal controls should also be scrutinized and the effectiveness of the audit committee and the existence of a code of conduct should be examined.

The possible existence of fraud should be more thoroughly investigated in situations where management assertions involve a high degree of judgment and subjectivity, and the auditor should presume the existence of a risk of material misstatement due to fraud in revenue recognition matters. The auditor should use an element of unpredictability in the audit by performing different tests at different locations at different times, preferably near the end of the reporting periods.

Warning signs that should alert the auditor to the possibility of fraud include the existence of complex and non recurring transactions; inter company transfers; ledger entries made by unauthorized individuals; ledger entries made near the end of the reporting period; asset impairments; incomplete recording of transactions; last minute adjustments; missing documents; altered documents; significant unexplained items on reconciliations; implausible responses from management; missing inventory or assets; denial of access to records, employees and customers; undue time pressures imposed by management to solve complex issues; complaints by management regarding the conduct of the audit; unusual delays in presenting requested information; unwillingness to clarify disclosures in financial statements; and uncharacteristically large amounts of transactions being reported in the last week or two of the reporting period from unusual transactions.

The SAS 99 procedures implemented in the audit, including the audit planning discussion among engagement personnel regarding the susceptibility of the entity's financial statements to fraud, should be documented, and should recite when the discussion occurred, the team members who participated in it and the subject matters discussed.

Documentation standards

Following its preliminary inspections of a limited number of accounting firms, including the Big Four, in 2003, the PCAOB formed a concern that auditors may place insufficient emphasis on the importance of thorough documentation of the audit work. Such lack of emphasis on documentation could make it more difficult for any subsequent reviewer of the audit report, including the PCAOB inspectors themselves, to follow the conclusions of the auditor.

Accordingly, the board adopted Auditing Standard No. 3, which sets out the requirements for documentation to be created by auditors in connection with the audit of financial statements, internal control over financial reporting and review of interim financial information and the length of time that such documents should be retained. Subject to the approval of the Securities and Exchange Commission, Auditing Standard No. 3 will go into effect for audits with respect to fiscal years ending on or after Nov. 15, 2004.

In these standards, the board requires that the audit documentation must contain sufficient information to enable an experienced auditor, with no previous connection to the engagement but with knowledge of the relevant industry and its accounting and auditing issues, to understand the nature, timing, extent and results of the procedures performed, the evidence obtained and the conclusions reached. The documentation should also record who performed the work, the date such work was completed, who reviewed the work and the date of such review.

When subjective financial statement assertions are made by management that, if wrong, could have a significant negative impact on the bottom line, more documentary evidence supporting such assertions should be included in the file to justify their acceptance. When there is disagreement on accounting or auditing issues between members of the engagement team and when, in the course of preparing the audit, the auditors come across findings inconsistent with the final conclusions that they have reached on significant accounting or auditing matters, the documentation should record what the issues were and how they were resolved.

The failure to prepare adequate documentation, particularly when the risk of a material misstatement associated with an assertion is high, is considered a serious violation of the PCAOB rules.

Documentation of auditing procedures related to the inspection of significant contracts or agreements should include abstracts or copies of the documents or refer to where they can be found.

How long should workpapers be retained?

Audit documentation must be retained by the auditors for seven years from the date that all necessary auditing procedures are completed, sufficient evidence has been obtained to support the representations in the auditor's report, and the auditor grants permission to use the auditor's report, unless a longer period of time is required by law, and in the case of interim reports, seven years from the date that fieldwork was substantially completed. If the engagement was terminated, documents should be retained for seven years from the date of termination.

Following the completion of the audit, the auditor may realize that, although the necessary procedures were performed, the requisite evidence was obtained and appropriate conclusions have been reached, such procedures and evidence have not been sufficiently documented to make the audit report self explanatory to a reviewer. For example, the auditor of Parmalat may indeed have called the Bank of America to confirm the existence of the $4.9 million in the account, but may have forgotten to document the call. The auditor now wants to go back and supplement the record by making a note to the file that the call was made.

In considering what additions may be made to the audit workpapers after the completion of the audit to better record the procedures that were performed but not sufficiently documented, one needs to distinguish between two dates. The first is the report release date and the second is the document completion date, which is 45 days after the report release date, by which time a complete and final set of audit documentation must be assembled for retention.

In between the report release date and the document completion date, additions may be made to documentation as circumstances require. After the document completion date, audit documentation must not be deleted or discarded, but information may be added to record audit procedures performed as long as it indicates the date the information was added, the name of the person who prepared the additional documentation and the reason for adding it.

Of course, the longer the time that elapses between the performance of the procedures and the documentation of the information, the less precise one's memory may become regarding the facts one is recording, and the more susceptible the audit report may be to challenge. Relying on oral explanation as the primary source of evidence for procedures performed puts the accounting firm undergoing an inspection in a vulnerable position. This vulnerability can be avoided by documenting what was done.

To the extent that the public accounting firm that issues the report relies on the work of another firm for the audit of part of, or a subsidiary of, the issuer, the public firm that issues the report is responsible for ensuring that all required audit documentation is prepared by and retained by the other firm or is at least readily accessible to the firm issuing the auditor's report. In addition, the office issuing the auditor's report must obtain and review, prior to the repost release date, certain documentation outlined in the standard relating to the work performed by the other auditors.

To the extent that the workpapers of the other audit firm are written in a foreign language, attempts should be made to have workpapers translated into English so that they are intelligible to persons reviewing the engagement.

The results of an inspection

Although it is likely that the inspectors will conduct an exit interview with the firm or with individual partners, there is no legal requirement for them to do so. The PCAOB satisfies its legal requirements by making available for review by the firm a draft inspection report in which the PCAOB points out any deficiencies that it found.

Although the registered public accounting firm is not obliged to respond to the draft report, the firm will have 30 days to do so, subject to extension by the board. The firm may object to or otherwise comment on the draft inspection report and may suggest steps that it may take to address any deficiencies.

After receiving a response, the board may adopt its draft report as final, revise the draft report, or continue or supplement the inspection before issuing a final report. After a final inspection report is issued, the board makes it available for review by the firm, and sends a copy to the commission and to each appropriate state regulatory authority, together with the firm's response to the draft report.

Quality control defects

If a final inspection report contains criticisms of the quality controls of the registered public accounting firm, the firm may demonstrate that it has improved such controls no later than 12 months after the issuance of the board's final inspection report. The board will notify the firm whether it deems the deficiencies to have been adequately fixed, and if not, why not.

If the board determines that the firm has adequately fixed the deficiencies, it will notify the firm, the commission and any state regulatory authority to which it had supplied the final inspection report of this fact. Defects in the quality controls that the firm has not adequately corrected during this time period shall be made public.

Benefit of cooperation

It would be tragic indeed if a public registered accounting firm worthy of passing an inspection on the merits were to be cited for a violation for failure to cooperate with the inspectors.

Cooperation includes providing the inspectors access to, and the ability to copy and remove from the firm's premises, any record; responding to interviews; providing written responses; or otherwise providing records and information even if they do not arise out of an audit of an issuer.

Accordingly, if the inspectors request workpapers of the audit of a non issuer because they want to inspect whether a deficiency is systemic throughout the firm, or even for no stated reason, it would likely be a violation of the duty to cooperate to refuse to give it to them. Similarly, a refusal to produce the tax returns of a tax partner that the PCAOB might wish to review in order to determine the ratio of tax service revenues to audit service revenues at the firm, or for no stated reason, might constitute a violation of the duty to cooperate.

Likewise, a public registered accounting firm's refusal to provide documentation or information based on any state laws' professional non disclosure requirements, or in a situation in which the client has prohibited the accountant from disclosing information to a third party, will likely constitute a violation of the duty to cooperate. The PCAOB has made it clear that it will not honor assertions of "accountant client" privilege and that any state laws or professional rules that prohibit the production of client documents or disclosure of client information on the basis of accountant client privilege are, in the board's view, pre empted by Sarbanes Oxley.

An inspection that turns into an investigation

If an inspection leads to an investigation, the PCAOB, with the assistance of the SEC, has the power to compel the testimony of the firm, any associated person, or any client of the firm, and to compel the production of documents that the board considers relevant.

At the end of the investigation, the board may commence a disciplinary hearing to determine whether there has been a violation. Such a hearing could result in the imposition of one or more of the following penalties temporary suspension or permanent revocation of the firm's registration; the temporary or permanent suspension or bar of a person from further association with any registered public accounting firm; prohibiting a firm from accepting new audit clients for a period of time; the assignment of a supervisor to an associated person; requiring a firm to terminate one or more audit engagements; requiring a firm to make functional changes in supervisory personnel organization or in engagement team organization; the imposition of a civil money penalty for each such violation in an amount equal to not more than $100,000 for a natural person or $2 million for any other person; and, in the event of intentional or knowing conduct, including reckless conduct or repeated instances of negligent conduct, not more than $750,000 for a natural person or $15,000,000 for any other person.

Inspection and peer review

The knee jerk reaction of many accountants to the new regime of PCAOB inspections is that it is nothing more than a peer review inspection formerly conducted by the SEC Practice Division of the AICPA and that there should, therefore, be no cause for concern. While it is certainly true that maintaining the standards required to pass a peer review is a good baseline for PCAOB inspections, there are significant differences between the two.

The most significant difference between the PCAOB inspection and the peer review is not so much in what is being inspected but in who is doing the inspecting. The PCAOB inspectors are not the firm's peers. Under the peer review inspection program, the firm got to choose its inspector. The firm does not choose the PCAOB inspector. The peer review inspectors had no authority to refer the results of the inspection to the SEC or to other government authorities, and their sanctions were principally limited to expulsion from the SEC Practice Section of the AICPA. Most significantly, whereas the peer review inspectors respect accountant client confidentiality even if it gets in the way of the peer review, the PCAOB does not.

Finally, the fact that a firm has or has not recently undergone a peer review has little bearing on when the firm will be chosen for a PCAOB inspection. Probably the most significant bearing that a peer review has on the PCAOB inspection is that the PCAOB inspector will want to see that any deficiencies cited in prior peer reviews have been corrected.


The PCAOB inspection may perhaps be the last opportunity accounting firms have to get it right. If accounting firms fail in this opportunity, the government may well follow the example of other countries and introduce statutory audits in which the financial statements of public companies are audited by government auditors. At the end of the day, passing the PCAOB inspection is about protecting the brand. A failed inspection could lead to a damaged reputation, even to the PCAOB's shutting the firm down. But if the PCAOB and accounting firms have one goal in common, it is the protection of the investing public. Achieving this goal will ultimately protect the accounting profession.

Reprinted with permission from the September 20, 2004 edition of the Accounting Today.
© 2004 Thomson Media Inc. All Rights Reserved. Further duplication without permission is prohibited.

Related practice areas:

© Copyright 2020 Carter Ledyard & Milburn LLP