The Public Company Accounting Oversight Board will be looking out for some major risk areas at audit firms in the months ahead.
A recent report from the consulting firm Protiviti advises public companies and auditors to focus on three specific areas highlighted in late August in a PCAOB staff inspection brief about its upcoming inspections.
“This has become an annual thing with the PCAOB, giving preparers a heads up with the PCAOB,” said Protiviti managing director Charles Soranno. “We are seeing folks that are ahead of the curve on rev rec, using some of the best practices they’ve developed from an internal controls standpoint, to help in the changes from other perspectives, on leases.”
Protiviti is also warning auditors and companies that the PCAOB will be scrutinizing technology, including auditors’ use of audit tools, as well as the audit procedures performed to assess and address the risks of material misstatement to financial statements posed by weak cybersecurity.
“Plenty of great audit firms with advisory practices focus on preventative measures for cyber,” said Soranno. “It’s a financial reporting risk when it occurs. Cyber is a huge business risk, but is it a financial reporting risk? Ultimately when it occurs, it is because there’s reputation damage. There could be loss of data. There could be financial penalties to pay, depending on what industry you’re in.”
Financial reporting could also be a risk area, especially in areas that may involve significant judgment, estimates and subjectivity from management and auditors, such as the auditor’s consideration of the entity’s ability to continue as a going concern, and income tax disclosures.
Many financial reporting risks are tied to valuation, Soranno noted, along with other facets. “It’s business combinations, it’s goodwill, it’s intangibles, it’s illiquid securities, financial reporting compliance, use of a specialist,” he said. “Are they getting their arms around the use of a specialist? Is management taking responsibility for the use of a specialist? Do they have the aptitude and the experience to actually review to an auditable standard the work of a specialist for illiquid securities, for example? Some do, some don’t.”
The PCAOB is also expected to focus on recurring audit deficiencies. “They’re going to use a non-random risk-weighted inspection process focusing on historical issues, the propensity for financial reporting risk in an industry, and then other issues that may be economic, environmental or specific to the business,” said Soranno. “Risk profiling is alive and well at the PCAOB, and that’s going to continue. Things get added to the list, but nothing ever seems to come off the list.”