P.O. Box 456
Morganville, New Jersey 07751
732.792.6101
November 18, 2024
There’s Only One Year Left to Implement the PCAOB’s New Quality Control Standards
The Public Company Accounting Oversight Board (PCAOB) recently announced a new set of quality control standards designed around a risk-based approach. And there’s only one year to design and implement them.
The PCAOB’s new QC 1000 standard is more than two decades in the making, as it replaces the quality control standards it adopted on an interim basis back in 2003 from the American Institute of Certified Public Accountants (AICPA). The new standard is intended to make independent registered public accounting firms significantly improve their quality control (QC) systems.
QC 1000 applies to all PCAOB-registered member firms, with more extensive requirements for those that audit more than 100 issuer clients annually. It has been approved by the U.S. Securities and Exchange Commission (SEC) and goes into effect on December 15, 2025.
The new requirements and the work required to implement them will be extensive, and the larger public accounting firms require external oversight of the QC system. Therefore, it is strongly recommended that firms do not put it off until the last minute.
At its core, the new standard is intended to enable firms to identify their specific risks and design a quality control system including policies and procedures to guard against those risks. The overall goal is to establish what the PCAOB calls “a continuous feedback-loop for improvement.”
In this, the new standard differs from the International Auditing and Assurance Standards Board’s (IAASB) International Standard on Quality Management No. 1 (ISQM 1) and the AICPA Statement on Quality Management Standards No. 1 (SQMS 1). An extensive but not comprehensive comparison document of the three standards may be found here, but is presented only as a reference tool.
New requirements
QC 1000 has requirements that do not appear in other QC standards. They can be more prescriptive or more specifically tailored to the U.S. legal and regulatory environment.
There are 10 main areas in which the QC 1000 standards go beyond other, existing standards. These are:
- Evaluation and Reporting: QC systems must be evaluated annually and reported to the PCAOB. They must be certified by specific individuals with responsibility and accountability for the firm’s QC system.
- Governance and Leadership: Firms must create and maintain clear lines of responsibility and supervision. Larger firms must have outside oversight and a confidential complaint system.
- Ethics and Independence: Quality objectives must be tailored to the U.S. regulatory environment. Larger firms must implement an automated system for identifying securities investments that could impair independence.
- Monitoring and Remediation: QC 1000 divides monitoring into engagement and QC system levels. Engagement and QC deficiencies are defined, including requirements for their determination. Larger firms must (and smaller ones should) monitor in-process engagements.
- Quality Objectives: The firm’s personnel must comply with its policies and procedures
- Information and Communication: Quality objectives for communication with external parties are established at the firm and engagement level. Communication of the firm’s QC system’s policies and procedures must be communicated in writing.
- Resources: The firm’s personnel must adhere to standards of conduct. Policies and procedures must address both enumerated and circumstance-specific competencies. Mandatory training, licensure and technological resource requirements are established
- Risk Assessment Processes: Quality risks must be identified and assessed annually.
- Roles and Responsibilities: A single person must be assigned responsibility for each role and responsibility in the QC 1000 standard.
- Documentation: With respect to the QC system’s operation, documentation that allows an experienced auditor to evaluate the operation of quality responses must be provided. Documentation must be retained for at least seven years.
That’s not an exhaustive list, but it does give an indication of how much work will be involved. And it’s happening at the same time as the AICPA extensive new Statements on Quality Management Standards (SQMS) requirements are coming into effect.
Collemi Consulting leverages nearly three decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We regularly work with CPA firm leadership to help them reduce risk and maximize efficiencies. To schedule an appointment, contact us at (732) 792-6101.
The American Institute of Certified Public Accountants’ (AICPA) new Quality Management Standards have been out for some time, and you can’t wait to read it. That’s not a prediction. It’s a warning. The new standards have to be in place and in use by December 15, 2025, and getting into compliance is not something that can wait until the last minute. Yes, that’s more than a year away, but according to the AICPA, you should have started working on it two years ago. You probably know the new Statements on Quality Management Standards (SQMS) is out there, but not just how much effort coming into compliance will take. That applies to sole practitioners as much as it does to medium-sized and large public accounting firms. The new SQMS is what we call “thinking standards” — you have to really think it through and customize it for your attest practice, based on things like the type of clients you have and the services you provide. It’s not just new requirements and changes in the way you do things. The new SQMS takes an entirely new, risk-based approach to quality, with two completely new components: Risk Control, and Information and Communication. Risk and Information Under the new risk assessment process, firms must establish specific quality objectives. They must “identify and assess quality risks, and then they must design and implement responses to those risks that are tailored to the firm’s unique circumstances.” Information and communication is the second entirely new component of the new SQMS. It requires the establishment of processes that support the SQMS, including the use of reliable internal and external sources of information, and the creation of a culture that supports and reinforces the responsibility for sharing information with colleagues and the firm. This information must be communicated in an understandable and actionable manner to internal personnel, service providers, and external sources as required. Specific quality objectives must be created for each of the eight SQMS components: ● Risk control ● Governance and leadership ● Relevant ethical requirements ● Acceptance and continuance of client relationships and specific engagements ● Engagement performance ● Resources (formerly human resources) ● Information and communications ● Monitoring The other six components have also changed under the new SQMS, several dramatically. Changes Throughout The leadership responsibilities for quality within the firm component, for example, is now Governance and leadership. It includes a new and more robust focus on the role these two elements play in establishing and supporting an environment, and establishing a culture, that supports the SQMS. Leaders are now not only responsible and accountable for quality, but are expected to demonstrate a commitment to quality through their actions. Relevant ethical requirements are less prescribed under the new standards, but have a new focus on responsibility and on ensuring that others involved in the SQMS or in performing engagements understand and meet those requirements. The acceptance and continuance of client relationships and specific engagements has a new emphasis on professional standards and the integrity and ethical values of the client. It also highlights the need to ensure that financial and operational priorities don’t influence acceptance and continuance judgements. Engagement performance has a new focus on an engagement partner’s oversight and involvement. There is also a new emphasis on the exercise of professional judgment and skepticism. Resources is no longer prefaced by “human” and now has new requirements revolving around technological and intellectual resources in the SQMS. Other requirements relate to the competence and commitment to quality of personnel, and bringing in outsiders to fill any personnel gaps. Finally, the Monitoring component has a new focus on the firm’s remediation process, and offers expanded and enhanced guidance throughout. One aspect is a new requirement that firms establish policies and procedures that address the objectivity of the monitors. Monitoring now also includes a new term, findings, that focuses on any deficiencies that exist. The firm must “evaluate the severity and pervasiveness of identified deficiencies using a root cause analysis,” and design appropriate remedial actions. Get Going The end of that three-year time frame suggested by the AICPA for creating and building out the new Quality Management Standards is now just a year and a quarter away, and firms have three responsibilities between now and December 15, 2025. The first, of course, is to continue using the extant standard (Statement of Quality Control Standard (SQCS) No. 8, (Redrafted) until your firm is ready to implement the new requirements. The second is to perform the risk assessment and gap analysis, and then design and implement the new standards. Finally, firms need to consult with their peer reviewer before final implementation. If you haven’t started yet, that’s a lot of work for the next 15 months! Then there’s one more year, until Dec. 15, 2026, to carry out the first annual evaluation of your new quality management system! Collemi Consulting leverages nearly three decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We regularly work with CPA firm leadership to help them reduce risk and maximize efficiencies. To schedule an appointment, contact us at (732) 792-6101.
Mastering these three soft skills will help you take your accounting career to the next level
Now new rules are adding complexity with ‘referred-to’ auditors and a risk-based approach to planning and performing a group audit
Cryptocurrency is burrowing deeper and deeper into the U.S. and international banking and finance system, and that means auditors and accountants need to understand crypto and the technology underlying it. Or at least know how to find reputable and knowledgeable experts who do understand it. One of the most important things to understand is that crypto is complex and that once you get past bitcoin and ether, there are several hundred tokens large enough to be called mainstream (and tens of thousands in all) and clients can use them in a wide variety of ways. As an auditor, it’s vital to know who your client is and what they are doing with that token. Is it an investment? A holding? Is it used for payments? Is it a cost? It all depends on what your client is using it for. Beyond that, are they incorporating blockchain technology into their systems, and if so are they using public or private blockchains? The differences can be dramatic. The first challenge of accounting and auditing crypto clients is knowing what you don’t know. It’s important to recognize the risk of overconfidence in deciding whether to accept a client that is using cryptocurrencies or blockchain technology in their operations The FASB Chimes In In December 2023, the Financial Accounting Standards Board (FASB) issued standards on Accounting for and Disclosure of Crypto Assets effective for all entities for fiscal years beginning after December 15, 2024. Crypto assets must be measured “at fair value each reporting period with changes in fair value recognized in net income.” It also requires “disclosure about significant holdings, contractual sale restrictions, and changes during the reporting period.” The key difficulty for auditors and accountants is going to be establishing that fair value, as the price of crypto assets can and generally does shift wildly — even relatively stable bitcoin regularly fluctuates as much as 5% to 10% on a weekly, and sometimes daily, basis. Most of these tokens are not going to be Level 1 on the hierarchy of fair value. A lot of the activity for these types of tokens is probably going to be Level 2 or Level 3. You have to get experts to come in and help you. While the top exchanges and crypto asset price-tracking websites can offer solid numbers, even they tend to differ somewhat. But you’ll need to look at several of the most advantageous markets to get an idea of where the range is. Which leads to a second big difficulty: There are many exchanges with shaky if not shady numbers, due to factors ranging from widespread wash trading to flat out fake volume, to say nothing of other forms of market manipulation. Challenges of Auditing Crypto At the highest level, blockchain technology isn’t that difficult to grasp, but crypto gets staggeringly complex fairly quickly. You can’t do it alone. One challenge is that auditors and accountants with experience and expertise in the field are in high demand. Finding those experts takes work, so obtaining expert training and education for auditing staff is a top priority. It’s important to realize that many of the experts have not gravitated towards the larger public accounting firms. A number of small and mid-sized firms have built niches in the field. Look for accountants and auditors who are already dealing with actual transactions and clients, and even those involved with industry organizations or in the policymaking that’s going on in the U.S. and EU. A second challenge is that the rules are not all that clear. In the U.S., the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) are attempting to regulate crypto under existing law while Congress works on crypto-specific bills. Regulation by litigation remains a common industry complaint. The EU is ahead, with the European Securities and Market Authority’s (ESMA) just now implementing the Markets in Crypto Assets (MiCA) regulations that came into effect on June 30. A third challenge is understanding what the client is doing. What types of crypto they are using and how are they using it? Are they working with public or private blockchains? Are they holding crypto or using it for transactions? What type of internal controls do they have? How are they safeguarding the private keys that control their tokens—which are, after all, bearer instruments? There are other complexities. The pseudo-anonymity of blockchain users can cloud the identity of developers and investors, including perfectly respectable ones. Which doesn’t help in a field in which criminal involvement with crypto remains a substantial problem, as does theft by hackers. In conclusion, it’s worth noting that plenty of companies inside the blockchain and crypto industry itself say they have trouble finding auditors and accountants with the necessary expertise. Becoming one of those experts requires investing time and money in education about a field in which the rules are still being written and the technology keeps growing. But if you are able to accept those clients, it’s a wide open field. Collemi Consulting leverages almost three decades of experience in providing trusted technical accounting and auditing expertise when you need it the most. Salvatore A. Collemi, CPA, Managing Member & Founder, is regarded as an industry leader and subject matter expert by various organizations and media outlets. To schedule an appointment to see how we might work together, contact us at (732) 792-6101.
Marketing & Creative Partner: Rufhaus Designs