Investors trust audit firms to confirm the financial integrity of organizations across industries, and now regulators are challenging auditors to look within their own firms to enhance the quality of financial statement auditing
The Public Company Accounting Oversight Board (PCAOB) released an analysis showing a concerning trend of increased audit deficiencies and noncompliance with PCAOB standards and rules. PCAOB staff expects approximately 40% of the audits reviewed in 2022 will have one or more deficiencies, up from 34% in 2021 and 29% in 2020. And the Securities and Exchange Commission (SEC) continues to charge audit firms and audit firm executives with improper professional conduct for violating auditing standards.
“The PCAOB will continue demanding firms do better, conducting transparent inspections and bringing strong enforcement actions where appropriate,” said PCAOB Chair Erica Y. Williams, signaling there is no end to the microscope.
Indeed, regulators have historically taken the approach of where there is one, there are many —whether it is financial services firms, technology companies, or now audit firms, once one major breach of misconduct occurs, regulators take a closer look at the industry at large to understand how deep and wide an issue may be.
In this environment of increased scrutiny of auditors, audit firms must double down on a culture of integrity and ensure that they have quality control systems in place to enforce compliance. Like their clients, firms must invest in their own compliance and internal controls to guard against potential misconduct.
Instill a culture of integrity and compliance
Like all companies, audit firms should prioritize fostering a culture of integrity and compliance. A code of conduct should remind all employees that they are responsible for acting ethically, complying with relevant internal and external regulations and policies (such as, for example, the Code of Professional Conduct that the American Institute of Certified Public Accountants has for its members). Employees should also know they are to speak up when they have a question or concern.
Compliance training should reinforce the code of conduct. While many trainings recite policies verbatim, a more effective, alternative approach is to reference real events or headlines to make risks more tangible. For example, the SEC fined a Big Four auditing and accounting firm $100 million because its employees were caught cheating on CPA ethics exams and misleading an investigation. Organizations can leverage such a scenario within training to more clearly show the difference between right and wrong and the damage that wrongful behavior can cause.
Firms must also ensure a robust internal process to review questions or concerns raised by employees, discipline wrongdoers, and remediate compliance gaps or control weaknesses. Fostering a healthy speak-up culture can help organizations identify issues that may otherwise fly under the radar. Remediating potential weaknesses early minimizes reputational risks and helps to negotiate lesser penalties or avoid enforcement actions.
Considering the impact of technology
If organizations are not already exploring data analytics, they should be. Government agencies and regulators — including the Department of Justice and the SEC — have publicly touted their use of data analytics programs in their own work. If the government is using data analytics to spot trends and issues, audit firms should be taking the same steps to get ahead of instances of potential wrongdoing.
Advancements in technology will continue to transform traditional auditing techniques. For example, auditors can use technology-based tools or data analysis to identify potentially suspicious transactions with increased speed and efficiency. And generative artificial intelligence (AI) is — and will further — impact audit firms, from automating some manual processes to more sophisticated applications.
As with all technology, firms should assess the risks and benefits. For example, routine procedures, such as data entry, may become automated, freeing up time for value-adding analysis from the audit team. However, over-reliance on automation may lead some team members to fail to apply appropriate professional judgment and not review work as closely.
At the core, firms should ensure they understand how their audit teams use technology, including thinking about the risks inherent in it use. Firms should also create policies and training surrounding its use, helping eliminate misunderstandings that can yield undesirable consequences. Training around technology and hard skills is equally necessary as training on ethics and the code of conduct — and such training can help teams understand how to apply new tools, regulations, or requirements to their day-to-day jobs.
Leveraging ongoing quality control
Under the three lines of defense model, revenue-generators are the first line, support functions such as compliance are the second line, and internal audit is the third line. Each line of defense has its responsibilities for risk management — the first line for owning and managing risk; the second line for guidance, support, and monitoring of risks; and the third line for independent assurance of the first and second lines’ activities. Audit firms can apply this model to enhance audit quality and mitigate misconduct.
Following international trends, the PCAOB proposed a new standard to revamp quality control requirements and require audit firms to take a more proactive approach to identifying and managing quality control risks, including ongoing monitoring and remediation. The standard would also provide a more structured approach to evaluating and reporting on the quality control system. As the PCAOB, SEC, and other government agencies continue to identify misconduct at audit firms, there is no better time to get a head start on identifying potential improvements.
And it’s not just audit firms that can leverage this time to get their houses in order. Given broader economic uncertainties and constantly evolving risks, regulators will almost certainly be knocking on the doors of other industries in the future. By leveraging those tools and processes with proven track records and enhancing them with new technological capabilities, audit firms and other organizations can establish or enhance a foundation of ethics and integrity, building upon that culture to ensure compliance for the long-haul.
Ksenia Ioffe contributed to this article.