Nearly three weeks after approving a batch of new Public Company Accounting Oversight Board (PCAOB) auditing standards, the Securities and Exchange Commission (SEC) on Sept. 9 OK’d another new rule from the audit regulator, this time on quality control.
The SEC approved the quality control standard by a 3-2 vote.
The PCAOB approved the updated quality control standard, QC 1000, A Firm’s System of Quality Control, last May. The new standard will require all PCAOB-registered accounting firms to identify their specific risks that would inhibit audit quality—like the use of technology-based auditing tools that could create new risks if they don’t work as intended or are used incorrectly—and design a quality control system that includes policies and procedures to guard against those risks.
In addition, accounting firms that audit more than 100 public companies annually would be required to establish an external oversight function, or EQCF, for the quality control system composed of one or more professionals who can “exercise independent judgment,” the PCAOB said in May. The EQCF’s responsibilities should include, at a minimum, evaluating the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its quality control system, the board said.
In 2023, only 14 audit firms out of a total of more than 1,600 registered with the PCAOB met the 100-issuer-or-more threshold.
Firms will be required to annually evaluate their quality control system and report the results of their evaluation to the PCAOB on new Form QC, which would be certified by key firm personnel to reinforce individual accountability.
“An auditing firm is ultimately a professional services firm, and it needs to ensure the quality of the services it provides,” SEC Chair Gary Gensler said in a statement. “I am pleased to approve this standard because it will improve the quality control systems of auditors, and thus better protect investors.”
SEC Chief Accountant Paul Munter added, “Effective QC systems provide critical investor protections by driving continuous improvement in firms’ audit quality in support of the issuance of informative, accurate, and independent audit reports. QC 1000 is an integrated risk-based QC standard that strikes an appropriate balance that can be applied by firms of varying sizes and complexities along with a set of mandates tailored to the size of the firms’ audit practices, which should assure that QC systems are designed, implemented, and operated with an appropriate level of rigor.”
Gensler and SEC Commissioners Jaime Lizárraga and Caroline Crenshaw voted in favor of the standard, while Commissioners Mark Uyeda and Hester Peirce voted against it.
While noting the importance of quality control, Peirce said there were too many questions about the standard, including the role of the EQCF, that remain unanswered for her to support it.
“The responsibilities of the EQCF must include, at a minimum, ‘evaluating the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system.’ What does this role entail in practice?” she said in a statement. “What procedures must the EQCF follow to reach and document its review? When must that review take place? What if its judgments differ from the firm’s judgments? Does this role’s specificity, which differs from the proposal, require some or all large firms to set up a new audit quality oversight function, or are the functions they already have in place sufficient? If this function is new, who would be likely to perform such a function? What type of liability might the EQCF face? Does the answer differ depending on whether the person is an auditor? Does the EQCF requirement broaden the PCAOB’s reach to parties over which it has no legal jurisdiction? Will EQCFs be subject to firm discipline? Will the firms have to share confidential information with the EQCF, and what are the legal implications of doing so? Given the likely expense of the requirement as adopted, should the threshold for application of the requirement be higher—perhaps applying only to firms that audit more than 500 issuers, as some commenters suggested?”
Uyeda said he’s concerned with the standard’s requirement that every PCAOB-registered firm, even those without a current audit engagement subject to PCAOB standards, must design a compliant quality control system.
“While the requirement to implement and operate an effective QC system applies only to firms performing engagements, the standard’s ‘design-only’ requirement imposes costs without attendant benefits. This requirement may disproportionately burden smaller audit firms that do not have current engagements but may be seeking smaller public companies, broker-dealers, and others as clients,” he said in a statement. “The board states that the design-only requirement ‘is consistent with our investor protection mandate.’ But if a firm does not have any engagements, exactly which investors are being protected? The PCAOB states that ‘investors and companies considering engaging the firm could reasonably expect that any firm that could pursue such an engagement would already have a PCAOB-compliant QC system designed and ready for implementation and operation.’ However, if investors are adequately protected by having the implementation and operation requirements apply only upon an engagement, why are they not similarly protected if the design requirement also applies at that time?”
The PCAOB’s current quality control standards were developed and issued by the AICPA before the audit regulator was established in 2002. Given the significant changes in the auditing environment since that time, quality control has been a top modernization priority for the PCAOB.
“We thank our SEC colleagues for their review and approval of our new quality control standard,” PCAOB Chair Erica Williams said in a statement on Monday. “When a firm’s QC system operates effectively, quality audits follow. And when QC systems operate ineffectively, investors are put at risk. Our new QC standard takes an integrated, risk-based approach that can be applied by firms of varying sizes and complexity. When put into practice, it will improve investor protection. The new standard also represents a major step forward for the board’s strategic goal to modernize standards, given that the PCAOB’s current QC standards were developed and issued by the accounting profession before the PCAOB was established in 2002.”
QC 1000 and the related amendments to other PCAOB standards, rules, and forms will take effect on Dec. 15, 2025.
On Aug. 20, the SEC approved new PCAOB standards on auditor negligence, general responsibilities of an auditor when conducting an audit, and the responsibilities auditors have when performing procedures using technology-assisted analysis.
Thanks for reading CPA Practice Advisor!
Subscribe Already registered? Log In
Need more information? Read the FAQs
Tags: Accounting, Audit Standards, Auditing, PCAOB, SEC