The PCAOB has posted a 2023 audit committee resource that identifies a number of questions that audit committees may want "to consider amongst themselves or in discussions with their independent auditors, particularly given today's economic and geopolitical landscape." The topics include the risk of fraud, risk assessment and internal controls, auditing and accounting risks, digital assets, M&A activities, use of the work of other auditors, talent and its impact on audit quality, independence, critical audit matters and cybersecurity. Audit committee members will certainly want to review the resource in its entirety, but, to give you a flavor, summarized below are some of the questions.
- With regard to the risk of fraud, the PCAOB suggests that audit committees ask about whether the auditors identified any new risks of fraud and, if not, what procedures the auditors performed, including identifying any new procedures. What procedures did the auditors perform to identify potential related-party transactions? How did they determine if significant unusual transactions had a valid business purpose or determine if management perpetrated fraud? Did the auditors ask management about potential illegal acts or noncompliance with sanctions?
SideBar
In this Statement, The Auditor's Responsibility for Fraud Detection, SEC Chief Accountant Paul Munter expressed his concern that, in conducting audits, auditors are not adequately making use of the "fraud lens"—a focus on the consideration of fraud in the audit—in fulfilling their gatekeeper role. That is, auditors may not be adequately responding to fraud risks and red flags or otherwise exercising "professional skepticism." It is critical, he said, that auditors evaluate whether the audit has surfaced information that may be indicative of fraud and "how fraud could be perpetrated or concealed by management." Are auditors exhibiting a type of bias, focusing risk assessments on risks of error and essentially overlooking or minimizing risks of fraud? (See this PubCo post.) Similarly, in this Statement, The Importance of a Comprehensive Risk Assessment by Auditors and Management, Munter cautioned auditors and company managements against conducting risk assessments that focus too narrowly "on information and risks that directly impact financial reporting, while disregarding broader, entity-level issues that may also impact financial reporting and internal controls." Similarly, auditors and managements may sometimes dismiss isolated incidents, perhaps as a result of confirmation bias, without adequately analyzing whether these issues might be indicative of larger issues that require responsive action and disclosure. Munter warns that "[s]uch a narrow focus is detrimental to investors as it can result in material risks to the business going unaddressed and undisclosed, thereby diminishing the quality of financial information." (See this PubCo post.)
- Regarding controls, the PCAOB suggests questions about how the auditor tested controls, how the auditors modified their approach in response to control deficiencies, and how the auditors took into account economic factors, such as inflation, rising interest rates, supply chain risks and access to capital, as well as the company's ability to mitigate these risks, and whether the auditors considered these factors in connection with going-concern risks. (See this PubCo post.)
- With respect to disclosure on critical accounting policies and practices, were any proposed significant changes to the disclosure rejected by management?
- If there has been a restatement, how did the auditors assess management's materiality analysis? (See this PubCo post.)
- With regard to significant estimates and assumptions, how did the auditors consider potential management bias?
- Do the auditors have the special knowledge and skills required to audit digital assets, especially controls?
- Following an M&A transaction, if performance has been lower than expected, have the auditors performed an evaluation for impairments? (See this PubCo post.)
- If other accounting firms play a substantial role in the audit, are they registered with the PCAOB? How do the lead auditors ensure that the other auditors are familiar with the requirements of the applicable financial reporting framework and PCAOB standards? (See this PubCo post.)
- If the audit firm was affected by the "great resignation," how is it addressing staffing issues and ensuring competency of the engagement team? If the audit was conducted in a remote/hybrid environment, how was proper supervision ensured?
- How does the audit firm identify and evaluate threats to independence and what processes are used to be sure that all possible relationships that may affect independence are communicated to the audit committee? (See this PubCo post.)
- How have the auditors identified critical audit matters? Were any matters determined to be CAMs on a preliminary basis, but not ultimately reported? (See this PubCo post and this PubCo post.)
- On cybersecurity, how did the auditors consider the risk of cyberthreats or cyber incidents? Were the auditors advised of cyber breaches that may affect financial reporting?
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
