Coming soon to a financial statement near you: CAMs! Late this summer, in audit reports for large accelerated filers with June 30 fiscal year ends, auditors will begin to disclose "critical audit matters." Under the new auditing standard for the auditor's report (AS 3101), CAMs are defined as "matters communicated or required to be communicated to the audit committee and that: (1) relate to accounts or disclosures that are material to the financial statements; and (2) involved especially challenging, subjective, or complex auditor judgment." Essentially, the concept is intended to capture the matters that kept the auditor up at night, so long as they meet the standard's criteria. Compliance will be required for audits of large accelerated filers for fiscal years ending on or after June 30, 2019, and for audits of all other companies to which the requirement apply (not EGCs) for fiscal years ending on or after December 15, 2020. With that in mind, the PCAOB has released three new documents offering guidance on CAM implementation: The Basics; A Deeper Dive on the Determination of CAMs; and Staff Observations from Review of Audit Methodologies. (See also thecorporatecounsel.net blog and this article in ComplianceWeek.)
You may remember that the PCAOB requirement to disclose CAMs in audit reports was approved in 2017 after many years of self-examination, meditation, rumination, reflection, cogitation, outreach, discussion, debate and deliberation about the concept of the audit report. Following the financial crisis of 2008, the fact that clean audit reports were given to a number of failed or failing companies, together with the lack of transparency in the current form of audit report, led to a demand for a new look at whether the pass/fail report model might be improved; the current model has long been disparaged as just boilerplate that doesn't really convey to investors any of the auditor's insight into judgment calls and business risks. In 2011, the PCAOB sought to address this concern in a Concept Release by floating various alternatives, principle among them the "auditor's discussion and analysis." (See this Cooley news brief.) But the ADA concept was widely criticized because, among other things, it was viewed as "fundamentally changing the auditor's current role from attesting on information prepared by management to providing an analysis of financial statement information," thus causing the auditors to step into a role of management. After a number of proposals and reproposals, the final standard was adopted. Then SEC Commissioner Kara Stein observed in her statement on approving the new standard that it "marks the first significant change to the auditor's report in more than 70 years."
In "The Basics," the staff of the PCAOB runs through the "basic" provisions of the rule at a high level. No surprises here. The PCAOB summarizes how CAMs are determined, provides the required introductory language, outlines the documentation necessary (particularly in connection with matters determined not to be CAMs), as well as the required communications with the audit committee. (For a summary of the requirements in the adopting release, see this PubCo post.)
In "Deeper Dive," the staff delves further into the subject of CAM determinations, first observing that "CAMs are required to relate to accounts or disclosures that are material to the financial statements. Materiality is not solely based on quantitative factors; it also reflects qualitative factors." For example, a potential loss contingency might be a CAM, but not if the likelihood was determined to be remote and it was not recorded in the financial statements; in that case it would "not relate to an account or disclosure that is material to the financial statements." A potentially illegal act could be qualitatively material (and potentially a CAM), even if the amounts involved were not quantitatively material, so long as there was an accrual or disclosure in the financial statements. A CAM could also relate to many accounts or disclosures and have a pervasive effect on the financial statements, such as in the event of a potential going-concern qualification.
The staff also runs through a number of FAQs, as summarized below:
- It's all relative. The staff notes that the "standard uses the word 'especially,' instead of 'most' as originally proposed, to convey more clearly that there could be multiple CAMs and that matters are assessed on a relative basis within the specific audit." Each of the specific criteria in the definition are to be considered individually and in combination. The description of the CAM should be specific and discuss why the auditor determined that the matter was a CAM—what especially challenging, subjective or complex auditor judgments were implicated.
- Consistency across auditors? Although the requirements for determining CAMs are principles-based and fact-specific, some issues inherently fit the bill, regardless of the auditor. For example, the staff observes, "[b]y their nature, accounting estimates generally involve subjective assumptions and measurement uncertainty and may involve complex methods." That's generally the case with estimates regardless of the characteristics of the auditor, according to the staff. However, other matters may well reflect differences in auditor judgments.
- Consistency across years? That depends on the circumstances. Some issues may meet the definition every year, while others my occur only in one year, for example, implementation of a new accounting standard or accounting for a significant unusual transaction. Some may be CAMs sporadically, such as the audit of deferred tax assets accounts and disclosures when the auditor is required to assess the company's ability to use NOL carryforwards.
- Evaluation of events related to overall business or the economic or regulatory environment. Events of this type—natural disasters, cybersecurity breaches, significant changes in regulations, standards, government policy or the economic or business environment—are sometimes the subject of communications between the auditor and the audit committee, leading auditors to consider the impact on the audit and the audit response. The example the staff provides is of a cybersecurity breach that targets the company's general ledger system, which could affect specific accounts or could be pervasive. With regard to CAM determination, the auditors would assess the impact of the breach on the financials and the audit.
- Internal control weaknesses or deficiencies. The evaluation of control weaknesses or deficiencies are not, by themselves, CAMs because they do not relate to a financial statement account or disclosure. However, in light of the possibility of material misstatements of account balances or disclosures resulting from a control weakness or deficiency, the audit response to the deficiency or weakness could involve especially challenging, subjective or complex auditor judgment and could be a CAM. In describing the related CAM, if "a significant deficiency was among the principal considerations in determining that a matter was a CAM, the auditor would describe the relevant control-related issues over the matter in the broader context of the CAM without using the term 'significant deficiency.' For material weaknesses, unlike significant deficiencies, there is reporting by the company, so there would be no sensitivity around using that term in a CAM description if referring to the existence of a material weakness was responsive to the requirements for CAM communication."
- CAMs and critical accounting estimates. CAEs (estimates to be discussed in MD&A because high levels of subjectivity or uncertainty make them material or subject to change or the effect on the financials is material) and CAMs may overlap, but they are not congruent. The source of CAMs is broader, and matters that are not CAEs may be determined to be CAMs.
- "Significant risks" as CAMs. These two matters may also overlap but are not the same. Among the factors to be considered by the auditor in determining whether a matter is a CAM is the auditor's assessment of the risks of material misstatement, including significant risks. However, if responding to a significant risk did not involve especially challenging, subjective or complex auditor judgment, that response would not be a CAM. And, while audit responses to risks of material misstatement may not amount to "significant risks," they could still meet the CAM definition, "particularly when the risks relate to areas in the financial statements which involve greater degrees of judgment and estimation."
- Audit strategy and CAMs. While decisions and changes to audit strategy may not themselves be CAMs, they could be indicative of CAMs and included in the description of how the auditor addressed the CAM, such as the degree of auditor judgment, the extent of audit effort or the nature of the audit evidence.
- Disclosures not in the financial statements and CAMs. CAMs, by definition, must relate to financial statement accounts or disclosures. Ordinarily, the auditor would not include in the CAM description information about the company that had not been made publicly available by the company unless the "information is necessary to describe the principal considerations that led the auditor to determine that a matter is a CAM or how the matter was addressed in the audit." However, public disclosures by the company outside the financials can be used in the CAM description.
As discussed in this PubCo post, because the selection of and disclosure regarding CAMs will certainly present a challenge for both auditors and audit committees, auditors have been taking steps to prepare for the coming change, including conducting "dry runs" to get a better handle on how the new CAM disclosures will look and how the process will affect financial reporting. To provide some lessons learned from these early dry runs and enhance the understanding of audit committees, auditors and other participants in the process, the Center for Audit Quality has published Critical Audit Matters: Lessons Learned, Questions to Consider, and an Illustrative Example. What does the CAQ tell us about the first lessons learned from these dry runs?
- The principles-based process of determining which matters are CAMs involves "significant auditor judgment." The auditor's exercise of that judgment will be affected by a number of different factors, with the result that the determination of which matters amount to CAMs will be "unique to each audit."
- To avoid surprises, communication among the auditor, audit committee and management should occur early and often. As discussed in this PubCo post, the prospect of CAM disclosures may drive audit committees and managements to revisit the company's own disclosures. Why? Because, generally, audit committees and managements much prefer that the company get a jump on the disclosure so that the auditors will not need to resort to the creation of original material and the company can best frame the discussion from its own perspective. The CAQ cautions, however, that any "modifications of a company's disclosures should be based on management's reporting requirements and should be independent of the auditor's identification of CAMs."
- The process will take substantial time, and auditors and other participants in the process need to build appropriate time into the schedule, taking into account the necessity of discussions of draft CAM communications with management and the audit committee "well in advance of when the auditor's report is to be issued."
- A key lesson learned is that drafting "informative, but not overly technical" CAM disclosure is not easy, particularly with regard to achieving "the right balance between the CAM description in the auditor's report and information in the company's disclosures, to convey concisely the essence of why a matter is a CAM, and to describe how the CAM was addressed in the audit."
As discussed further in the post, to facilitate the dialogue between auditors and audit committees regarding CAMs, the CAQ has developed a list of questions and responses for audit committee members to consider in developing their understanding of the requirements.
In "Staff Observations," the PCAOB staff has reviewed CAM methodologies and materials submitted by 10 US audit firms (collectively auditing approximately 85% of large accelerated filers), and provides some insights gleaned from that review. Generally, the observations cautioned auditors to be specific in their disclosures and not to view the new standard too narrowly. Auditors were advised:
- Not to exclude any audit committee communication from the population of potential CAMs.
- In determining CAMs, to consider, in addition to the six factors identified in the standard (see this PubCo post), other factors specific to the audit, as provided in the standard.
- To be specific in describing the principal considerations that led to the CAM determination—not just that the matter was especially challenging etc., but why it involved especially challenging, subjective or complex auditor judgment.
- When describing how a matter was addressed in the audit, to tailor discussion to the specific audit and the specific matter and to avoid standardized language. For example, instead of a general reference to internal control testing, the auditor should "describe the testing of the relevant controls."
As reported by Bloomberg BNA, SEC Chair Jay Clayton, commenting in 2017 on the new CAM requirement in the auditor's report, observed that "if it results in boilerplate, I'll be really bummed out." The PCAOB's admonition here to be specific is surely intended to discourage any lapses into the much-feared boilerplate. Commenters on the proposed standard had indeed raised doubts regarding, among other things, the usefulness of the information in CAMs, particularly the concern that they would fall into overly standardized prose. The SEC acknowledged that, as with "Risk Factors," standardization was a possibility, but contended that the narrower definition of CAMs and related disclosure requirements should mitigate that risk. Notably, an earlier PCAOB staff study of expanded auditor reporting in the UK did not find standardization, at least for the first year of implementation: "the descriptions of the risks of material misstatement in the auditor's reports in the first year of implementation were not presented in standardized language, but included variations in content length, description, and presentation. The most frequently described risk topics related to revenue recognition, tax, and goodwill and intangible assets." (See this PubCo post.)
- To recognize that the communication can refer to both the relevant financial statement account and the relevant disclosure; they are not necessarily alternatives.
- To recognize that "publicly available" information, which may be included in the CAM description, may include information made public by the company outside the financial statements.
- To recognize that, although the auditor is required to provide a draft of the CAM to the audit committee and is expected to discuss the draft with the committee, "CAMs are the responsibility of the auditor—not the audit committee."
Although the CAM adopting release suggested that the process related to CAM disclosure would be an iterative one between the company and the auditors, the level of input the auditors will allow audit committees or managements in reviewing the auditors' selection or disclosure remains an open question. In his remarks before the American Institute of CPAs in 2017, SEC Chief Accountant Wesley Bricker provided some advice as to what audit committee should expect from their auditors in that regard:
"expectations for timely, ongoing communication will continue to be an important element to the auditor-audit committee relationship as the auditors implement this new auditor reporting standard. In that regard, audit committees should have reasonable expectations that auditors prepare to take members through the application of the standard on their engagement. For example, what would the critical audit matters be this year? What would be the close calls? When could those matters have been raised, and which ones could have been identified at the start of the audit cycle? What does the auditor expect to say about those matters? When would we expect to see a draft report or at least a draft of the critical audit matters? These are illustrative examples of the communication planning and expectation setting that audit committee members may wish to consider as part of the transition period."
"Dry runs" and an iterative process may help to mitigate the possibility of auditor/client disagreements about CAMs. As reported in Compliance Week, Wes Bricker, SEC Chief Accountant, said that there are certainly "possibilities of material disagreements....We have a system designed to resolve those situations, but it's better to know what those areas are so they can be resolved over the course of preparing the information, so the end product reflects the trio of voices—management, audit committee, and auditors—with as much consistency and clarity as the three can work out." The dry run process, he said, has helped to ensure that the information communicated to investors reflects "the best calibration of the requirements."
What's more, companies may want to take a proactive approach with respect to their own disclosures of matters that are likely to be identified as CAMs. In particular, the prospect of CAM disclosure and the dry-run process may well precipitate a reassessment by audit committees and companies of related corporate disclosure to ensure that companies stay ahead of the curve. Generally, audit committees might prefer that the company get a jump on the disclosure so that the auditors will not need to resort to the creation of original material and the company can best frame the discussion from its own perspective. See this PubCo post.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.