A pair of updates to auditing standards has the potential to reshape how firms prove that their issuer audits are up to snuff while reframing how auditors think of their role in the financial reporting process.
The May 13 passage of new standards on responsibility and quality control by the Public Company Accounting Oversight Board (PCAOB) is the latest development in a movement to increase the auditor’s role in a growing range of reporting and compliance tasks, including cybersecurity, fraud, and ESG.
The updates are vastly different. The responsibility standard (AS 1000) is billed as a clarification of existing standards—on an auditor’s role, independence, skills, and professional values like thoroughness and skepticism—that are now packaged in a single document that’s easier to follow. (Well, as easy to follow as a 138-page document can be.) Meanwhile, the quality control standard (QC 1000) adds a host of new requirements that include new processes, programs, and reporting.
The rigorous QC standard was “creating a continuous feedback loop for improvement,” the PCAOB said in a press release following its vote. Board chair Erica Williams drove the point home: “When quality control systems operate effectively, quality audits follow, and investors are better protected.”
Got the message. Some industry groups, including the Center for Audit Quality (CAQ), had pushed back on parts of both AS 1000 and QC 1000 since they were proposed in 2023 and 2022, respectively. But the PCAOB’s updates left at least the CAQ pretty happy overall.
“We’re still digesting the details” of the final standards, Vanessa Teitelbaum, CAQ’s senior director of professional practice, told CFO Brew the day after they were passed, but both “will improve audit quality.”
AS you were. The PCAOB took pains in its press release to emphasize that the new responsibility standard won’t add new work or liability, “but simply clarifies those that already exist.” Backstory: The board had gotten an earful, via public comments, over concerns that a previous draft would make auditors legally liable to investors of the companies they audited. But the board listened to that earful. The statement that auditors don’t have a new legal responsibility to investors “was an important clarification that addressed our concern,” CAQ’s Teitelbaum told CFO Brew.
In addition to combining those standards so that they’re easier to follow, the PCAOB in the most recent iteration of this rule, sought to “clarify the engagement partner’s responsibility to exercise due professional care” as they oversee the audit and shortened the timeline for submitting post-audit documentation from 45 to 14 days. It also asserts that auditors should be skeptical “throughout the audit process,” not just during “the evaluation of the sufficiency and appropriateness of audit evidence.”
News built for finance pros
CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.
Control yourself. Firms registered with the PCAOB will have to design a quality control system that addresses the firm’s unique risks and to reevaluate the system each year in a new filing to the board. Firms that audit more than 100 issuers per year will need to find an outside party to check their quality control process and to review engagements as they go along. Big firms will also need to create a program that receives and resolves confidential complaints and set up an automated system to check if investments that compromise the independence of their audits.
Teitelbaum said the board’s revisions to its initial proposals had addressed the CAQ’s worries that AS 1000 would “change or expand the auditors’ legal obligations to investors” and that QC 1000 would make firms create a separate quality control system from the ones used to comply with the International Standard on Quality Management 1, the International Auditing and Assurance Standards Board (IAASB) standard that took effect in late 2022. It appears that QS 1000 “for the most part will allow firms to have one system,” Teitelbaum said.
The group didn’t get everything it wanted in the final version. Like PCAOB board member Christina Ho, who voted against QS 1000, the CAQ had opposed the PCAOB’s requirement to design a quality control system if the firm doesn’t audit issuers.
What’s next. Both new standards still need to be approved by the Securities and Exchange Commission. Pending SEC signoff, AS 1000 will go into effect for audits and financial statements in the first fiscal year starting after Dec. 15, although firms that audit fewer than 100 issuers will get an extra year (Dec. 15, 2025) to comply with the new 14-day timeline to submit post-audit documentation. Firms will need to start complying with QC 1000 by Dec. 15, 2025, assuming the SEC approves it.