[Federal Register Volume 89, Number 113 (Tuesday, June 11, 2024)]
[Notices]
[Pages 49588-49728]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-12692]



[[Page 49587]]

Vol. 89

Tuesday,

No. 113

June 11, 2024

Part III





Securities and Exchange Commission





-----------------------------------------------------------------------





Public Company Accounting Oversight Board; Notice of Filing of Proposed 
Rules on a Firm's System of Quality Control and Related Amendments to 
PCAOB Standards; Notice

  Federal Register / Vol. 89 , No. 113 / Tuesday, June 11, 2024 / 
Notices  

[[Page 49588]]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-100277; File No. PCAOB-2024-02]


Public Company Accounting Oversight Board; Notice of Filing of 
Proposed Rules on a Firm's System of Quality Control and Related 
Amendments to PCAOB Standards

June 5, 2024.
    Pursuant to section 107(b) of the Sarbanes-Oxley Act of 2002 (the 
``Act''), notice is hereby given that on May 24, 2024, the Public 
Company Accounting Oversight Board (the ``Board'' or the ``PCAOB'') 
filed with the Securities and Exchange Commission (the ``Commission'') 
the proposed rules described in items I and II below, which items have 
been prepared by the Board. The Commission is publishing this notice to 
solicit comments on the proposed rules from interested persons.

I. Board's Statement of the Terms of Substance of the Proposed Rules

    On May 13, 2024, the Board adopted A Firm's System of Quality 
Control and Other Amendments to PCAOB Standards, Rules, and Forms 
(collectively, the ``proposed rules''). The text of the proposed rules 
appears in Exhibit A to the SEC Filing Form 19b-4 and is available on 
the Board's website at Docket 046 [verbar] PCAOB (pcaobus.org) and at 
the Commission's Public Reference Room.

II. Board's Statement of the Purpose of, and Statutory Basis for, the 
Proposed Rules

    In its filing with the Commission, the Board included statements 
concerning the purpose of, and basis for, the proposed rules and 
discussed any comments it received on the proposed rules. The text of 
these statements may be examined at the places specified in Item IV 
below. The Board has prepared summaries, set forth in sections A, B, 
and C below, of the most significant aspects of such statements. In 
addition, the Board is requesting that the Commission approve the 
proposed rules, pursuant to section 103(a)(3)(C) of the Sarbanes-Oxley 
Act, for application to audits of emerging growth companies (``EGCs''), 
as that term is defined in section 3(a)(80) of the Securities Exchange 
Act of 1934 (``Exchange Act''). The Board's request is set forth in 
section D.

A. Board's Statement of the Purpose of, and Statutory Basis for, the 
Proposed Rules

(a) Purpose
    The Board adopted a new PCAOB quality control (``QC'') standard 
that it believes will lead registered public accounting firms 
(``firms'') to significantly improve their QC systems. An effective QC 
system protects investors by facilitating the consistent preparation 
and issuance of informative, accurate, independent, and compliant 
engagement reports. Properly conducted audits and other engagements 
enhance the confidence of investors and other market participants in 
the information firms report on.
    The Board adopted an integrated, risk-based standard, QC 1000, A 
Firm's System of Quality Control, that mandates quality objectives and 
key processes for all firms' QC systems, with a focus on accountability 
and continuous improvement. The Board has designed QC 1000 to be 
applied by firms of varying size and complexity. If approved by the 
U.S. Securities and Exchange Commission (the ``SEC''), the Board 
believes this new standard will lead firms to better serve investors by 
more consistently complying with the professional and legal 
requirements that apply to PCAOB engagements.
    In connection with the adoption of QC 1000, the Board also adopted 
other changes to its standards, rules, and forms. QC 1000 and the other 
changes adopted substantially reflect the Board's November 2022 
proposal,\1\ but have been modified in response to commenter input.
---------------------------------------------------------------------------

    \1\ See A Firm's System of Quality Control and Other Proposed 
Amendments to PCAOB Standards, Rules, and Forms, PCAOB Rel. No. 
2022-006 (Nov. 18, 2022) (``proposal'' or ``proposed standards''), 
available on the Board's website in Docket 046.
---------------------------------------------------------------------------

    In a separate release, the Board also adopted a new auditing 
standard, AS 1000, General Responsibilities of the Auditor in 
Conducting an Audit, that addresses the general principles and 
responsibilities of the auditor.\2\ This release includes references to 
AS 1000, where appropriate
---------------------------------------------------------------------------

    \2\ See General Responsibilities of the Auditor in Conducting an 
Audit and Amendments to PCAOB Standards, PCAOB Rel. No. 2024-004 
(May 13, 2024) (``Auditor Responsibilities Release'').
---------------------------------------------------------------------------

Improving the Board's QC Standards
    The Board strongly believes that an effective quality control 
system facilitates continuous improvement. Over time, the PCAOB's 
oversight experience suggests that firm QC systems fall short. For 
example, PCAOB inspectors observed that approximately 40% of the issuer 
audits they reviewed in 2022 had one or more deficiencies where the 
auditor failed to obtain sufficient appropriate audit evidence to 
support its opinion, an increase of six percentage points over the 
deficiency rate in 2021 and 11 percentage points over the rate in 
2020.\3\ In all those cases, auditors issued audit opinions without 
completing the audit work that PCAOB standards require for them to 
obtain reasonable assurance about whether the financial statements were 
free of material misstatement and/or whether the issuers maintained, in 
all material respects, effective internal control over financial 
reporting.
---------------------------------------------------------------------------

    \3\ See Spotlight: Staff Update and Preview of 2022 Inspection 
Observations (July 2023) (``2022 Inspection Observations Preview''), 
at 3, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/spotlight-staff-preview-2022-inspection-observations.pdf?sfvrsn=1b116d49_4.
---------------------------------------------------------------------------

    Every step of this rulemaking--from the December 2019 concept 
release,\4\ to the proposal, to adoption--has been informed by 
extensive research and outreach, as well as by PCAOB inspections and 
enforcement activities. The PCAOB's current QC standards were developed 
decades ago and issued by the American Institute of Certified Public 
Accountants (``AICPA'') before the PCAOB was established. The auditing 
environment has changed significantly since that time, including 
evolving and greater use of technology, and increasing auditor use of 
outside resources, such as other accounting firms and providers of 
support services. Firms themselves have also changed significantly, as 
has the role of firm networks. And advances in internal control, 
quality management, and enterprise risk management suggest that factors 
such as active involvement of leadership, focus on risk, clearly 
defined objectives, objective-oriented processes, monitoring, and 
remediation of identified issues can contribute to more effective QC. 
These developments have, in part, led to PCAOB advisory groups' general 
support for strengthening the QC standards, including through risk-
based elements and enhanced requirements for firm governance and 
leadership.
---------------------------------------------------------------------------

    \4\ See Concept Release, Potential Approach to Revisions to 
PCAOB Quality Control Standards, PCAOB Rel. No. 2019-003 (Dec. 17, 
2019) (``concept release''), available on the Board's website in 
Docket 046.
---------------------------------------------------------------------------

    Taking into account those considerations, as well as the comments 
the Board received on the concept release and proposal, the Board 
believes that improving PCAOB standards will lead firms to improve 
their QC systems. This should result in more consistent

[[Page 49589]]

compliance with applicable requirements, which ultimately better serves 
and protects investors. The specific improvements the Board adopted 
include:
     Emphasizing accountability, firm culture and the ``tone at 
the top,'' and firm governance through requirements for specified roles 
within and responsibilities for the QC system, including at the highest 
levels of the firm; quality objectives that link compensation to 
quality; and, for the largest firms, the requirement of an independent 
perspective in firm governance;
     Striking the right balance between a risk-based approach 
to QC--which should drive firms to proactively identify and manage the 
specific risks associated with their practice--and a set of mandates, 
including required risk assessment and other QC-related processes, 
quality objectives, and quality responses--which should assure that the 
QC system is designed, implemented, and operated with an appropriate 
level of rigor;
     Addressing changes in the audit practice environment, 
including the increasing participation of other firms and other outside 
resources, the role of firm networks, the evolving use of technology 
and other resources, and the increasing importance of internal and 
external firm communications;
     Broadening responsibilities for monitoring and remediation 
of deficiencies to create a more effective ongoing feedback loop that 
drives continuous improvement; and
     Requiring a rigorous annual evaluation of the firm's QC 
system and related reporting to the PCAOB, certified by key firm 
personnel, to underscore the importance of the annual evaluation of the 
QC system, reinforce individual accountability, and support PCAOB 
oversight.
Framework of the QC Standard
    The Board carefully considered the characteristics of an 
appropriate framework for a PCAOB QC standard that could accomplish its 
regulatory goals. As a threshold issue, section 103 of the Sarbanes-
Oxley Act of 2002 (``Sarbanes-Oxley'') provides that PCAOB QC standards 
must include requirements regarding certain specified matters, and also 
grants the Board broad authority to include such other requirements as 
it may prescribe in carrying out its investor protection mandate. The 
Board also considered how best to capture areas it had identified for 
improvement and how best to foster consistent, compliant implementation 
by the firms it regulates. Because the Board believes it is the best 
structure for accomplishing its goals, the Board adopted the QC 1000 
framework as proposed.
    The Board notes that the framework has commonalities with other 
international and domestic standards for firm QC systems, though it 
goes beyond those requirements in a number of areas, including with 
regard to firm governance of the largest firms, more specific 
requirements for monitoring and remediation and the evaluation of the 
QC system, an ethics and independence component aligned with SEC and 
PCAOB requirements, and more specific provisions addressing technology 
and externally communicated firm-level and engagement-level information 
and metrics. The Board believes that building on a well-understood 
basic framework, appropriately tailored and strengthened to address its 
legal and regulatory environment and its investor protection mandate, 
will enable firms to implement and comply with QC 1000 more 
effectively. In designing, implementing, and operating their QC 
systems, firms that are subject to both PCAOB standards and other 
international or domestic QC standards--which the Board believes 
constitute a very substantial majority of the firms that perform 
engagements under PCAOB standards--can leverage the work they have 
already done and the investments they have already made to comply with 
those other requirements.
QC 1000
    The Board developed QC 1000 with a view to its statutory mandate to 
protect the interests of investors and the public interest, and the 
Board believes the new standard will facilitate the consistent 
preparation and issuance of informative, accurate, and independent 
engagement reports. The final standard provides a framework for a QC 
system that is grounded in an ongoing process of proactively 
identifying and managing risks to quality, with a feedback loop from 
ongoing monitoring and remediation that should drive continuous 
improvement, an explicit focus on firm governance and leadership, firm 
culture, and individual accountability, and specific direction in a 
number of areas that current PCAOB standards do not address directly.
    QC 1000 primarily consists of:

Two process components
     The firm's risk assessment process
     The monitoring and remediation process
Six components that address aspects of the firm's organization and 
operations
     Governance and leadership
     Ethics and independence
     Acceptance and continuance of engagements
     Engagement performance
     Resources
     Information and communication
Requirements for evaluation of and reporting on the QC system
     Annual evaluation of the effectiveness of the QC system
     Reporting to the PCAOB on the QC system evaluation

    The standard also includes requirements regarding individual roles 
and responsibilities in the QC system and documentation requirements.
Scalability
    In the Board's view, the basic objectives of the QC system should 
be the same for all firms, but the scope of the QC standard and how it 
applies should take into account the wide disparities in nature and 
circumstances across registered firms, in particular the extent to 
which their practices include engagements required to be performed 
under PCAOB standards and the complexity of such engagements. The risks 
that firms face, and therefore the specific policies and procedures 
necessary to appropriately serve investor interests through an 
effective QC system, vary significantly from the largest firms, 
operating as part of global networks, to local firms or sole 
proprietorships. QC 1000 establishes a uniform basic structure to be 
used by all firms, within which firms will be required to pursue an 
approach to quality control that is appropriate in light of the risks 
associated with their particular PCAOB audit practice. Aspects of the 
new standard are risk-based, and to that extent inherently scalable. In 
addition, it imposes more stringent requirements for the largest firms 
in some areas, while enabling smaller firms to comply with the core 
requirements in ways that take into account these firms' size and the 
complexity of audits performed by them.
Scalability: Larger PCAOB Audit Practice
    The Board believes that firms with a particularly extensive PCAOB 
audit practice (i.e., those that issue audit reports for more than 100 
issuers per year) should be subject to enhanced requirements, given 
such firms' greater complexity and the relatively greater public 
interest implicated by the fact that they audit companies that make up

[[Page 49590]]

a substantial majority of U.S. public market capitalization. The 
incremental requirements under QC 1000 for such firms include:
     An external oversight function for the QC system compose 
of one or more persons who can exercise independent judgment related to 
the QC system;
     A program for collecting and addressing complaints and 
allegations that includes confidentiality protections;
     An automated system to track investments that may bear on 
independence; and
     Required monitoring of in-process engagements.
Scalability: Smaller PCAOB Audit Practice
    Many firms perform only a small number of PCAOB engagements per 
year and are subject to resource constraints that larger PCAOB audit 
practices do not face. The Board has addressed the particular needs of 
these firms in a number of ways, including:
     Providing that a single individual may be assigned more 
than one of the QC system oversight roles required under the standard; 
and
     Allowing firms that issue five or fewer engagement reports 
for issuers or broker-dealers in a year to include audits not performed 
under PCAOB auditing standards in some of their monitoring activities.
Scalability: Firms That Do Not Have Responsibilities in Relation to a 
PCAOB Engagement
    All registered firms will be required to design a QC system that 
meets the requirements of QC 1000. Firms will be required to implement 
and operate the QC system in compliance with QC 1000 when they lead an 
engagement under PCAOB standards, play a substantial role in the 
preparation or furnishing of an audit report (as defined in PCAOB 
rules), or have current responsibilities under applicable professional 
and legal requirements regarding any such engagement. This approach 
reflects the Board's view that all firms that register with the PCAOB 
should be appropriately prepared to perform a PCAOB engagement, 
regardless of whether they are currently subject to requirements with 
respect to one, while limiting the costs of compliance in circumstances 
where the risk to investor protection is minimal.
Key Changes From the QC 1000 Proposal
    Key changes from the proposal include:
     For the firms with larger PCAOB audit practices, the 
requirement to include an independent oversight function for their QC 
system has been refined. Under the final rule, the external quality 
control function (``EQCF'') will be composed of one or more persons who 
are not principals or employees of the firm and do not otherwise have a 
relationship with the firm that would interfere with the exercise of 
independent judgment with regard to matters related to the QC system. 
The responsibilities of the EQCF may vary across firms but include, at 
a minimum, evaluating the significant judgments made and the related 
conclusions reached by the firm when evaluating and reporting on the 
effectiveness of its QC system.
     The final rule requires firms to report on their QC system 
evaluation to the PCAOB, but not to the audit committee, as proposed. 
Legal constraints limit our ability to require public disclosures about 
the effectiveness of firms' QC systems at the level that some investors 
have requested. While the final rule recognizes the impediments to 
requiring public disclosure of QC system evaluation, the Board remains 
committed to finding additional ways of providing public disclosure to 
better inform investors about firms and PCAOB audit engagements. To 
that end, we have separately proposed a set of firm-level and 
engagement-level metrics across 11 areas that would be reported 
publicly.
     The timing of the QC system evaluation and reporting has 
changed. Under the final rule, the evaluation date for the annual 
evaluation of the QC system is September 30, rather than November 30 as 
proposed, with Form QC due by November 30 rather than January 15 of the 
following year. This shift allows more time between the evaluation date 
and the filing date than we proposed, but still allows sufficient time 
to generally enable the firm's monitoring activities to identify 
deficiencies in calendar year-end engagements and the results of that 
monitoring to be included in the evaluation.
Other Changes to PCAOB Standards, Rules, and Forms
    In connection with the adoption of QC 1000, the Board also adopted 
other changes to PCAOB standards, rules, and forms. These include, 
among other changes, expanding the auditor's responsibility to respond 
to deficiencies on completed engagements under an amended and retitled 
AS 2901, Responding to Engagement Deficiencies After Issuance of the 
Auditor's Report, and related amendments to AT No. 1, Examination 
Engagements Regarding Compliance Reports of Brokers and Dealers, and AT 
No. 2, Review Engagements Regarding Exemption Reports of Brokers and 
Dealers; and replacing the existing standard ET 102, Integrity and 
Objectivity, with a new standard, EI 1000, Integrity and Objectivity, 
to better align PCAOB ethics requirements with the scope, approach, and 
terminology of QC 1000.
Effective Date
    If approved by the SEC, the final standard and related amendments 
to auditing standards, rules, and forms will take effect on December 
15, 2025, with the initial evaluation of the QC system to be performed 
as of September 30, 2026, and initial reporting to the PCAOB by 
November 30, 2026. Firms will be permitted to elect to comply with the 
requirements of QC 1000, except reporting to the PCAOB on the annual 
evaluation of the QC system, before the effective date, at any point 
after SEC approval of the final standard and related amendments.
(b) Statutory Basis
    The statutory basis for the proposed rules is Title I of Sarbanes-
Oxley.

B. Board's Statement on Burden on Competition

    Not applicable. The Board's consideration of the economic impacts 
of the proposed rules is discussed in section D below.

C. Board's Statement on Comments on the Proposed Rules Received From 
Members, Participants or Others

    The Board issued a concept release regarding potential changes to 
quality control standards for public comment in PCAOB Release No. 2019-
003 (Dec. 17, 2019). The Board received 36 written comment letters on 
the concept release. The Board released the proposed rule amendment for 
public comment in PCAOB Release No. 2022-006 (Nov. 18, 2022). The Board 
received 43 written comment letters on its proposal. The Board has 
carefully considered all comments received. The Board's response to the 
comments it received and the changes made to the rules in response to 
the comments received are discussed below.

Background

    This section presents background information on this rulemaking, 
including an overview of existing PCAOB QC requirements and current 
practice, a review of other developments

[[Page 49591]]

since the current QC requirements were adopted, a summary of relevant 
actions taken by other standard setters, a discussion of PCAOB research 
and outreach efforts related to QC, the December 2019 concept release 
and 2022 proposal, and a summary of the key areas the Board has 
identified for improvement of the QC standards.

Overview of Existing Requirements and Current Practice

1. Requirements of the Sarbanes-Oxley Act of 2002
    Sarbanes-Oxley requires the Board to establish certain professional 
standards, including quality control standards, to be used by 
registered public accounting firms in the preparation and issuance of 
audit reports for issuers, brokers, and dealers.\5\ Furthermore, 
Sarbanes-Oxley requires the PCAOB's QC standards to address:
---------------------------------------------------------------------------

    \5\ See sections 101(c)(2) and 103(a)(1) of Sarbanes-Oxley, 15 
U.S.C. 7211(c)(2), 7213(a)(1). This release uses the terms 
``issuer,'' ``broker,'' and ``dealer'' as defined in Sarbanes-Oxley. 
See section 2(a)(7) of Sarbanes-Oxley, 15 U.S.C. 7201(7) (defining 
``issuer''); Sections 110(3) and (4) of Sarbanes-Oxley, 15 U.S.C. 
7220(3), (4) (defining ``broker'' and ``dealer''); see also PCAOB 
Rules 1001(b)(iii), (d)(iii), (i)(iii) (defining ``broker,'' 
``dealer,'' and ``issuer,'' respectively). Entities that are brokers 
or dealers or both are sometimes referred to herein as ``broker-
dealers.''
---------------------------------------------------------------------------

     Monitoring of professional ethics and independence from 
issuers, brokers, and dealers on behalf of which the firm issues audit 
reports;
     Consultation within the firm on accounting and auditing 
questions;
     Supervision of audit work;
     Hiring, professional development, and advancement of 
personnel;
     Acceptance and continuation of engagements;
     Internal inspection; and
     Such other requirements as the Board may prescribe.\6\
---------------------------------------------------------------------------

    \6\ See section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C. 
7213(a)(2)(B).
---------------------------------------------------------------------------

2. Current PCAOB QC Standards
    Under current PCAOB standards, a QC system is a process to provide 
a firm with reasonable assurance that its personnel comply with 
applicable professional standards and the firm's standards of 
quality.\7\ The QC system encompasses the firm's organizational 
structure and the policies adopted and procedures established to 
provide that reasonable assurance.\8\
---------------------------------------------------------------------------

    \7\ See paragraph .03 of QC 20, System of Quality Control for a 
CPA Firm's Accounting and Auditing Practice.
    \8\ See QC 20.04.
---------------------------------------------------------------------------

    Current PCAOB QC standards were adopted on an interim, transitional 
basis in 2003 from QC standards originally developed and issued by the 
AICPA.\9\ They include three general QC standards that apply to all 
firms.\10\ Beyond that, they also include certain requirements of 
membership in the AICPA's former SEC Practice Section (``SECPS''), 
which apply only to firms that were SECPS members immediately prior to 
the adoption of the PCAOB's interim QC standards. Below is an overview 
of the general QC standards and the SECPS member requirements.
---------------------------------------------------------------------------

    \9\ See PCAOB Rule 3400T, Interim Quality Control Standards; see 
also Establishment of Interim Professional Auditing Standards, PCAOB 
Rel. No. 2003-006 (Apr. 18, 2003).
    \10\ Under PCAOB Rule 3400T(a), all firms are required to comply 
with QC standards as described in ``the AICPA's Auditing Standards 
Board's Statements on Quality Control Standards, as in existence on 
April 16, 2003 (AICPA Professional Standards, QC Sec. Sec.  20-40 
(AICPA 2002)), to the extent not superseded or amended by the 
Board.''
---------------------------------------------------------------------------

a. General QC Standards
i. QC 20, System of Quality Control for a CPA Firm's Accounting and 
Auditing Practice
    QC 20 provides that a firm should have a system of quality control 
that provides the firm with reasonable assurance that its personnel 
comply with applicable professional standards and the firm's standards 
of quality.\11\ In the context of engagement performance, the system of 
quality control should also provide reasonable assurance that the work 
performed meets applicable regulatory requirements.\12\
---------------------------------------------------------------------------

    \11\ See QC 20.03.
    \12\ See QC 20.17.
---------------------------------------------------------------------------

    The firm's quality control policies and procedures should address 
the following elements:
     Independence, integrity, and objectivity;
     Personnel management;
     Acceptance and continuance of clients and engagements;
     Engagement performance; and
     Monitoring.\13\
---------------------------------------------------------------------------

    \13\ See QC 20.07.
---------------------------------------------------------------------------

    These elements of quality control are interrelated.\14\ Policies 
and procedures should be established to provide the firm with 
reasonable assurance with respect to each of these elements of QC. An 
appropriate individual or individuals in the firm should be assigned 
responsibility for the design and maintenance of the various quality 
control policies and procedures.\15\ These policies and procedures 
should be communicated in a manner that provides reasonable assurance 
that personnel will understand and comply.\16\ Additionally, 
documentation should be prepared to demonstrate compliance with the 
firm's policies and procedures for the elements of quality control.\17\
---------------------------------------------------------------------------

    \14\ See QC 20.08.
    \15\ See QC 20.22.
    \16\ See QC 20.23.
    \17\ See QC 20.25.
---------------------------------------------------------------------------

    ii. QC 30, Monitoring a CPA Firm's Accounting and Auditing Practice
    QC 30 addresses how a firm should implement the monitoring element 
of quality control discussed in QC 20. Monitoring involves an ongoing 
consideration and evaluation of the following:
     The relevance and adequacy of the firm's policies and 
procedures;
     The appropriateness of the firm's guidance materials and 
any practice aids;
     The effectiveness of professional development activities; 
and
     Compliance with the firm's policies and procedures.\18\
---------------------------------------------------------------------------

    \18\ See QC 30.02.
---------------------------------------------------------------------------

    Under QC 30, monitoring procedures should enable the firm to obtain 
reasonable assurance that its system of quality control is 
effective.\19\ A firm's monitoring procedures may include:
---------------------------------------------------------------------------

    \19\ See QC 30.03.
---------------------------------------------------------------------------

     Inspection procedures;
     Pre-issuance or post-issuance review of selected 
engagements;
     Analysis and assessment of:
     New professional pronouncements;
     Results of independence confirmations;
     Continuing professional education (``CPE'') and other 
professional development activities undertaken by firm personnel;
     Decisions related to acceptance and continuance of client 
relationships and engagements;
     Interviews of firm personnel;
     Determination of any corrective actions to be taken and 
improvements to be made in the quality control system;
     Communication to appropriate firm personnel of any 
weaknesses identified in the quality control system or in the level of 
understanding or compliance therewith; and
     Follow-up by appropriate firm personnel to ensure that any 
necessary modifications are made to the quality control policies and 
procedures on a timely basis.\20\
---------------------------------------------------------------------------

    \20\ See QC 30.03.
---------------------------------------------------------------------------

    The nature and extent of monitoring procedures generally depends on 
the firm's size and the nature and complexity of the firm's 
practice.\21\ QC 30 provides that individuals in a small firm may 
perform monitoring procedures, including post-issuance review of 
engagement working papers, reports, and clients' financial

[[Page 49592]]

statements, with respect to their own compliance with the firm's QC 
policies and procedures, but only if such individuals are able to 
critically review their own performance, assess their own strengths and 
weaknesses, and maintain an attitude of continual improvement.\22\
---------------------------------------------------------------------------

    \21\ See, e.g., QC 30.05, .10, .11.
    \22\ See QC 30.09, .10.
---------------------------------------------------------------------------

iii. QC 40, The Personnel Management Element of a Firm's System of 
Quality Control--Competencies Required by a Practitioner-in-Charge of 
an Attest Engagement
    QC 40 addresses the personnel management element of the quality 
control system. Personnel management includes hiring, assigning 
personnel to engagements, professional development, and advancement 
activities. Policies and procedures should be established to provide 
the firm with reasonable assurance that:
     Those hired possess the appropriate characteristics to 
enable them to perform competently.
     Work is assigned to personnel having the degree of 
technical training and proficiency required in the circumstances. 
Personnel participate in general and industry-specific continuing 
professional education and other professional development activities 
that enable them to fulfill responsibilities assigned, and satisfy 
applicable professional education requirements of the AICPA, and 
regulatory agencies.
     Personnel selected for advancement have the qualifications 
necessary for fulfillment of the responsibilities they will be called 
on to assume.\23\
---------------------------------------------------------------------------

    \23\ See QC 40.02.
---------------------------------------------------------------------------

    A firm's policies and procedures related to personnel management 
should be designed to provide a firm with reasonable assurance that 
practitioners-in-charge of engagements (i.e., engagement partners) 
possess the kinds of competencies that are appropriate given the 
circumstances of the client engagement.\24\ Competencies are the 
knowledge, skills, and abilities that enable an engagement partner to 
be qualified to perform an engagement.\25\ Competencies may be gained 
in various ways, including through relevant industry, governmental, and 
academic positions.\26\ A firm's policies and procedures should 
ordinarily address the following competencies for an engagement 
partner:
---------------------------------------------------------------------------

    \24\ See QC 40.03.
    \25\ See QC 40.04.
    \26\ See QC 40.05.
---------------------------------------------------------------------------

     Understanding of the role of a system of quality control 
and a code of professional conduct;
     Understanding of the service to be performed;
     Technical proficiency;
     Familiarity with the industry;
     Professional judgment; and
     Understanding the organization's information technology 
systems.\27\
---------------------------------------------------------------------------

    \27\ See QC 40.08.
---------------------------------------------------------------------------

    Under QC 40, these competencies are interrelated.\28\ When 
establishing policies and procedures related to competencies needed by 
an engagement partner, a firm may need to consider the requirements of 
policies and procedures established for other elements of quality 
control.\29\
---------------------------------------------------------------------------

    \28\ See QC 40.09.
    \29\ See QC 40.10.
---------------------------------------------------------------------------

b. SECPS Member Requirements
    The SECPS was a division of the AICPA for U.S. firms that audited 
public companies, which established incremental quality control 
requirements for its members. The SECPS requirements originally applied 
to all U.S. firms that audited public companies under AICPA standards. 
The SECPS ceased to exist following the establishment of the PCAOB.
    Under PCAOB rules, certain SECPS requirements still apply to firms 
that were members of the SECPS as of April 16, 2003.\30\ Based on 
current registration data, the SECPS member requirements apply to 201 
(approximately 12% of) PCAOB-registered firms, including 11 of the 14 
annually inspected firms in 2023.
---------------------------------------------------------------------------

    \30\ PCAOB Rule 3400T(b) requires certain firms to comply with 
QC standards as described in ``the AICPA SEC Practice Section's 
Requirements of Membership (d), (l), (m), (n)(1) and (o), as in 
existence on April 16, 2003 (AICPA SEC Practice Section Manual 
1000.08(d), (j), (m), (n)(1) and (o)), to the extent not superseded 
or amended by the Board.'' The note to Rule 3400T provides that 
those requirements ``only apply to those registered public 
accounting firms that were members of the AICPA SEC Practice Section 
on April 16, 2003.'' One of the SECPS member requirements, 
concerning concurring partner review, was superseded in 2009 by the 
PCAOB's adoption of AS 1220, Engagement Quality Review.
---------------------------------------------------------------------------

i. Section 1000.08(d)--Continuing Professional Education of Audit Firm 
Personnel
    Section 1000.08(d) requires SECPS member firms to ensure that all 
professionals residing in the United States, both CPAs and non-CPAs, 
participate in at least 20 hours of qualifying CPE every year and at 
least 120 hours every three years.\31\ Professionals who devote at 
least 25% of their time to performing audit, review, or other attest 
engagements, or who have responsibility for supervision or review of 
such engagements, must obtain at least 40% of their CPE hours in 
subjects related to accounting and auditing.\32\
---------------------------------------------------------------------------

    \31\ See SECPS 1000.08(d).
    \32\ See SECPS 1000.08(d).
---------------------------------------------------------------------------

    Additional information on Section 1000.08(d)'s CPE requirements 
appears in SECPS Section 8000, Continuing Professional Education 
Requirements Effective for Educational Years Beginning After May 31, 
2002.\33\ That information is summarized into three categories: (1) 
record-keeping for each professional to ensure that each professional 
adheres to all CPE requirements; (2) adherence to standards for CPE 
program sponsors for each program sponsored by the member firm; and (3) 
compliance with additional CPE requirements of the SECPS.\34\ Appendix 
A to Section 8000 includes the AICPA policies related to CPE.
---------------------------------------------------------------------------

    \33\ See SECPS 1000.08(d) (referring, in a footnote, to Section 
8000).
    \34\ See SECPS 8000.
---------------------------------------------------------------------------

ii. Section 1000.08(l)--Communication by Written Statement to All 
Professional Personnel of Firm Policies and Procedures on the 
Recommendation and Approval of Accounting Principles, Present and 
Potential Client Relationships, and the Types of Services Provided
    Section 1000.08(l) requires SECPS member firms to communicate, 
through a written statement, to all professional firm personnel the 
broad principles that influence the firm's quality control and 
operating policies and procedures.\35\ Periodic communication also must 
inform professional firm personnel that compliance with those 
principles is mandatory.\36\
---------------------------------------------------------------------------

    \35\ See SECPS 1000.08(l). Section 1000.08(l) includes a cross-
reference to Appendix H SECPS Section 1000.42, Illustrative 
Statement of Firm Philosophy, which provides an illustration of such 
a statement.
    \36\ See id.
---------------------------------------------------------------------------

iii. Section 1000.08(m)--Notification of the Commission of Resignations 
and Dismissals From Audit Engagements for Commission Registrants
    Section 1000.08(m) requires that, if an SECPS member firm has 
resigned, declined to stand for reelection, or been dismissed as the 
auditor of an SEC registrant and the registrant has not reported the 
change in auditors to the SEC in a timely filed Form 8-K, the member 
firm is to report that the client-auditor relationship has ceased 
directly, in writing, to the former SEC client and the SEC within five 
business days.\37\
---------------------------------------------------------------------------

    \37\ See SECPS 1000.08(m). Section 1000.08(m) cross-references 
Appendix D SECPS Section 1000.38, Revised Definition of an SEC 
Client, which provides the definition of an SEC client, as well as 
Appendix I SECPS Section 1000.43, Standard Form of Letter Confirming 
the Cessation of the Client-Auditor Relationship, which provides a 
standard form of such report.

---------------------------------------------------------------------------

[[Page 49593]]

iv. Section 1000.08(n)--Audit Firm Obligations With Respect to the 
Policies and Procedures of Correspondent Firms and of Other Members of 
International Firms or International Associations of Firms
    Section 1000.08(n) requires SECPS member firms that are members of, 
correspondents with, or similarly associated with international firms 
or international associations of firms to seek adoption of policies and 
procedures that are consistent with the objectives in Appendix K (SECPS 
Section 1000.45), SECPS Member Firms With Foreign Associated Firms That 
Audit SEC Registrants.\38\
---------------------------------------------------------------------------

    \38\ See SECPS 1000.08(n).
---------------------------------------------------------------------------

    Appendix K was adopted with the intention of enhancing the quality 
of SEC filings by issuers whose financial statements are audited by 
foreign associated firms of SECPS member firms.\39\ It requires SECPS 
member firms to seek adoption by their international organizations or 
individual foreign associated firms of certain policies and procedures, 
including:
---------------------------------------------------------------------------

    \39\ See SECPS 1000.45.01.
---------------------------------------------------------------------------

     Procedures to be performed on certain SEC filings by a 
filing reviewer who is knowledgeable in applicable accounting and 
auditing standards, independence requirements, and SEC rules and 
regulations;
     Inspection procedures for a sample of audit engagements 
performed by foreign associated firms for issuer clients, to be 
performed by inspection reviewers who are knowledgeable in the same 
areas as filing reviewers; and
     Policies and procedures under which disagreements between 
the filing or inspection reviewer and the audit partner-in-charge 
should be resolved in accordance with the policy of the international 
organization or the filing or inspection reviewer's firm.\40\
---------------------------------------------------------------------------

    \40\ See id.
---------------------------------------------------------------------------

v. Section 1000.08(o)--Policies and Procedures To Comply With 
Independence Requirements
    Section 1000.08(o) requires SECPS member firms to have policies and 
procedures in place to comply with applicable independence 
requirements.\41\ Section 1000.08(o) cross-references Appendix L, SECPS 
Section 1000.46, Independence Quality Controls, which requires firms to 
establish written policies \42\ covering relationships with 
``restricted entities,'' for example, relationships between the 
restricted entity and the member firm, its benefit plans, and its 
professionals.\43\ These relationships include investments, loans, 
brokerage accounts, business relationships, employment relationships, 
proscribed services, and fee arrangements.\44\ Firms should maintain a 
database that includes all restricted entities (``restricted entity 
list'') and make the restricted entity list available to the firm's 
professionals and to foreign associated firms.\45\
---------------------------------------------------------------------------

    \41\ See SECPS 1000.08(o).
    \42\ PCAOB rules do not mandate that writings be paper-based. 
See, e.g., paragraph .04 of AS 1215, Audit Documentation (audit 
documentation may be in the form of paper, electronic files, or 
other media).
    \43\ See SECPS 1000.46 (requirement 1).
    \44\ See id.
    \45\ See SECPS 1000.46 (requirements 4, 5, and 6).
---------------------------------------------------------------------------

    A senior-level partner should be designated to oversee the 
independence policies and maintain and communicate the restricted 
entity list.\46\ The policies and procedures also should require:
---------------------------------------------------------------------------

    \46\ See SECPS 1000.46 (requirement 5).
---------------------------------------------------------------------------

     Reviewing the restricted entity list prior to obtaining 
any security;
     Obtaining independence certifications from the firm's 
professionals;
     Reporting violations of policies;
     Establishing a monitoring system; and
     Developing policies for potential sanctions for violations 
of the firm's policies and procedures or professional independence 
requirements.\47\
---------------------------------------------------------------------------

    \47\ See SECPS 1000.46 (requirement 7).
---------------------------------------------------------------------------

    The policies and procedures should be made available to all 
professionals and a training program should be established to provide 
reasonable assurance that professionals understand the policies.\48\
---------------------------------------------------------------------------

    \48\ See SECPS 1000.46 (requirement 3).
---------------------------------------------------------------------------

3. Observations From Oversight Activities
    In the course of conducting inspections of registered public 
accounting firms \49\ and investigating potential violations of PCAOB 
standards and other related laws and rules governing audits of public 
companies and audits and attestation engagements of broker-dealers, the 
PCAOB may identify deficiencies in firms' execution of engagements and 
in firms' QC systems. Oversight activities also help the PCAOB to 
identify good practices, both for engagements and for QC systems. The 
PCAOB also considers information derived from the SEC's enforcement 
program.
---------------------------------------------------------------------------

    \49\ The information on inspections and remediation efforts is 
limited to those firms that are subject to inspection by the PCAOB.
---------------------------------------------------------------------------

    Over time, firms have implemented a number of changes to their QC 
systems to remediate deficiencies identified through the PCAOB's 
inspections program.\50\ Examples of changes firms have made in 
response to the Board's inspections include: \51\
---------------------------------------------------------------------------

    \50\ Additional information about the PCAOB remediation process 
is available on the PCAOB website at https://pcaobus.org/oversight/inspections/remediation/remediation_process.
    \51\ Examples are drawn from firms' Rule 4009 submissions. A 
Rule 4009 submission is a confidential submission prepared by a 
firm, pursuant to PCAOB Rule 4009, Firm Response to Quality Control 
Defects, concerning the ways in which a firm has addressed a QC 
criticism. For additional background, see The Process for Board 
Determinations Regarding Firms' Efforts to Address Quality Control 
Criticisms in Inspection Reports, PCAOB Rel. No. 104-2006-077 (Mar. 
21, 2006).
---------------------------------------------------------------------------

     Independence--Creating automated links between the firm's 
tools for tracking subcontractors and evaluating and tracking business 
relationships to ensure that independence evaluations are complete and 
timely;
     Engagement Performance--Implementing new policies and 
procedures for engagement teams to focus on obtaining a thorough 
understanding of how issuers initiate, record, process, and report 
significant classes of transactions and how that information is 
recorded in the financial statements;
     Resources--Creating a committee to evaluate partner 
performance in relation to audit quality and establishing an 
accountability framework with penalties for negative audit quality 
events;
     Monitoring and Remediation--Adding new leadership 
positions to the internal inspection program, developing new analysis 
and reporting of internal inspection findings, and disseminating such 
findings more broadly; and
     Monitoring and Remediation--Adding in-process review and 
coaching programs to assist engagement teams in certain challenging 
areas, including internal control over financial reporting (``ICFR'') 
and accounting estimates.
    Observations from PCAOB oversight activities have shown that 
improvements in quality controls can enhance the quality of 
engagements.\52\ However, PCAOB inspections continue to identify 
deficiencies related to engagements and the operation of firm QC 
systems, suggesting that not all firms have made meaningful 
improvements in these areas. Moreover, the pervasiveness of recent 
findings regarding such

[[Page 49594]]

deficiencies--both in terms of the number of firms affected and the 
percentage of deficient engagements--suggests that an updated QC 
standard is needed to drive proactive, systemic, and consistent 
improvements in audit quality rather than just case-by-case 
improvements in response to firm-specific findings.
---------------------------------------------------------------------------

    \52\ See, e.g., Spotlight: Staff Update and Preview of 2021 
Inspection Observations (Dec. 2022) (``2021 Inspection Observations 
Preview''), at 20-22, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/staff-preview-2021-inspection-observations-spotlight.pdf?sfvrsn=d2590627_4; Staff Inspection 
Brief: Staff Preview of 2018 Inspections Observations (May 6, 2019) 
(``2018 Inspection Observations Preview''), at 1-4, available at 
https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/inspections/documents/staff-preview-2018-inspection-observations.pdf?sfvrsn=b5f8cb09_0.
---------------------------------------------------------------------------

    The following discussion summarizes recent observations from PCAOB 
inspections \53\ and investigations of QC systems, including 
deficiencies and violations--instances of noncompliance with PCAOB 
requirements--and good practices that the Board believes support and 
strengthen QC systems. The Board has taken these observations into 
account in developing the final QC standard and related amendments, 
rules, and forms.
---------------------------------------------------------------------------

    \53\ PCAOB inspections are designed to assess a firm's 
compliance with PCAOB standards and rules and other applicable 
regulatory and professional requirements with respect to the firm's 
QC system and in the portions of engagements selected for review. An 
inspection does not involve a review of all aspects of a firm's QC 
system. An inspection also does not necessarily involve a review of 
all of a firm's engagements, nor is it designed to identify every 
deficiency in the reviewed engagements. The inspection data are 
derived from PCAOB inspection reports. Part II of PCAOB inspection 
reports include criticisms of, and potential defects in, a firm's QC 
system, to the extent any are identified. The PCAOB includes, in 
Part II of its inspection reports, deficiencies observed in 
inspections of individual engagements when the results indicate that 
the firm's QC system does not provide reasonable assurance that firm 
personnel will comply with applicable professional standards and 
regulatory requirements. In evaluating whether engagement 
observations are indicative of QC deficiencies, PCAOB staff consider 
the nature, significance, and frequency of deficiencies; related 
firm methodology, guidance, and practices; and possible root causes.
---------------------------------------------------------------------------

a. QC Deficiencies and Violations Observed From Oversight Activities
    PCAOB observations have generally revealed that while some firms 
have made improvements to their QC systems, the progress has been 
uneven. Even taking that progress into account, in roughly a third of 
the issuer audits the PCAOB inspected from 2020 to 2022, the auditor's 
opinion was not adequately supported.\54\ This suggests that there is 
significant room for improvement in QC systems' ability to provide 
reasonable assurance that firm engagements are performed in accordance 
with applicable professional standards and regulatory requirements.
---------------------------------------------------------------------------

    \54\ See Figure 1 below, and accompanying text for an analysis 
of 2011-2022 inspections data.
---------------------------------------------------------------------------

    As described below, the PCAOB's observations all too frequently 
indicate that firms' QC systems did not appear to provide reasonable 
assurance that firm personnel will comply with applicable professional 
standards in, among others, the areas of: (1) acceptance of 
engagements; (2) engagement performance; (3) independence, integrity, 
and objectivity; (4) personnel management; (5) monitoring; and (6) 
engagement quality reviews. Below are examples of the PCAOB's 
observations in these areas.
i. Acceptance of Engagements
    A firm's QC system should provide the firm with reasonable 
assurance that it undertakes only those engagements that the firm can 
reasonably expect to be completed with professional competence.\55\ 
This includes taking into consideration, among other things, the 
availability of resources to perform an engagement and the competence 
of those resources. The PCAOB has observed instances where a firm's 
lack of policies and procedures in the area of engagement acceptance 
and continuance resulted in accepting new engagements that were not 
completed with professional competence and resulted in numerous 
violations of PCAOB auditing standards.\56\
---------------------------------------------------------------------------

    \55\ See QC 20.15.
    \56\ See, e.g., In the Matter of WithumSmith+Brown, PC, PCAOB 
Rel. No. 105-2024-010 (Feb. 20, 2024); In the Matter of Jack Shama 
and Jack Shama, CPA, PCAOB Rel.e No. 105-2024-004 (Jan. 23, 2024); 
In the Matter of Shandong Haoxin Certified Public Accountants Co., 
Ltd., LIU Kun, MA Yao, SUN Penghuan, and ZHU Dawei, PCAOB Rel. No. 
105-2023-045 (Nov. 30, 2023); In the Matter of Alfonse Gregory 
Giugliano, CPA, SEC Accounting and Auditing Enforcement Release 
(``AAER'') No. 4458 (Sept. 12, 2023); In the Matter of Marcum LLP, 
PCAOB Rel. No. 105-2023-005 (June 21, 2023); In the Matter of Marcum 
LLP, SEC AAER No. 4423 (June 21, 2023).
---------------------------------------------------------------------------

ii. Engagement Performance
    A properly functioning QC system should provide the firm with 
reasonable assurance that the work performed by engagement personnel 
meets applicable professional standards, regulatory requirements, and 
the firm's standards of quality.\57\ A QC system cannot provide 
reasonable assurance if, for example, there are severe, frequent, or 
widespread deficiencies, or recurring instances of similar types of 
deficiencies at the engagement level. The PCAOB has observed 
deficiencies and violations in a range of areas of engagement 
performance, including, for example:
---------------------------------------------------------------------------

    \57\ See QC 20.17.
---------------------------------------------------------------------------

     Failure to identify and test controls that address risks 
of material misstatement or sufficiently evaluate review controls;
     Insufficient evaluation of significant assumptions or data 
used in developing an estimate; \58\
---------------------------------------------------------------------------

    \58\ See, e.g., WithumSmith+Brown, PC, PCAOB Rel. No. 105-2024-
010.
---------------------------------------------------------------------------

     Unwarranted reliance on data or reports used in testing an 
issuer's financial reporting controls or in substantive testing; \59\
---------------------------------------------------------------------------

    \59\ See, e.g., PKF O'Connor Davies, LLP, PCAOB Rel. No. 105-
2022-001.
---------------------------------------------------------------------------

     Engagement partners' failure to adequately supervise the 
engagement with due professional care, which contributed to not 
identifying deficiencies; \60\
---------------------------------------------------------------------------

    \60\ See, e.g., Alfonse Gregory Giugliano, CPA, SEC AAER No. 
4458; In the Matter of Deloitte Touche Tohmatsu Certified Public 
Accountants, LLP, SEC AAER No. 4342 (Sept. 29, 2022); In the Matter 
of RSM, SEC AAER No. 4346 (Sept. 30, 2022); In the Matter of 
Mancera, S.C., Alejandro Valdez Mendoza, C.P., and Angel Radames 
Corral Nieblas, C.P., SEC AAER No. 4198 (Dec. 17, 2020); In the 
Matter of Whitley Penn LLP, Susan Lunn Powell, CPA, Jeffry Shannon 
Lawlis, CPA, and John Griffin Babb, CPA, PCAOB Rel. No. 105-2020-002 
(Mar. 24, 2020); In the Matter of David M. Burns, CPA, PCAOB Rel. 
No. 105-2017-055 (Dec. 19, 2017); In the Matter of BDO Auditores, 
S.L.P., Santiago Sa[ntilde][eacute] Figueras, and Jos[eacute] 
Ignacio Alg[aacute]s Fern[aacute]ndez, PCAOB Rel. No. 105-2017-039 
(Sept. 26, 2017); In the Matter of KPMG LLP and John Riordan, CPA, 
SEC AAER No. 3888 (Aug. 15, 2017).
---------------------------------------------------------------------------

     Failure to implement and maintain adequate policies and 
procedures to provide reasonable assurance that work is performed and 
documented; \61\ and
---------------------------------------------------------------------------

    \61\ See, e.g., WithumSmith+Brown, PC, PCAOB Rel. No. 105-2024-
010; In the Matter of SW Audit, PCAOB Rel. No. 105-2024-009 (Feb. 
20, 2024); Shama, PCAOB Rel. No. 105-2024-004; In the Matter of 
Haynie & Company, PCAOB Rel. No. 105-2024-001 (Jan. 23, 2024); 
Shandong Haoxin Certified Public Accountants Co., Ltd., PCAOB Rel. 
No. 105-2023-045; In the Matter of Deloitte & Touche S.A.S., PCAOB 
Rel. No. 105-2023-025 (Sept. 26, 2023); Marcum LLP, SEC AAER No. 
4423 ; Deloitte Touche Tohmatsu Certified Public Accountants, LLP, 
SEC AAER No. 4342; In the Matter of HLB Mann Judd, Darryl Swindells, 
and Aidan Smith, PCAOB Rel. No. 105-2020-008 (June 29, 2020); In the 
Matter of Castillo Miranda y Compa[ntilde][iacute]a, S.C., Ignacio 
Garc[iacute]a Pareras, Juan Mart[iacute]n Gudi[ntilde]o Casillas, 
Luis Ra[uacute]l Michel Dom[iacute]nguez, Juan Francisco Olvera 
D[iacute]az, Carlos Rivas Ramos, and Bernardo Soto Pe[ntilde]afiel, 
PCAOB Rel. No. 105-2019-028 (Oct. 31, 2019); In the Matter of 
Deloitte Anjin LLC, PCAOB Rel. No. 105-2019-025 (Oct. 31, 2019); In 
the Matter of Deloitte Touche Tohmatsu Auditores Independentes, 
PCAOB Rel. No 105-2016-031 (Dec. 5, 2016).
---------------------------------------------------------------------------

     Failure to ensure audits are performed under PCAOB 
standards and not another framework.\62\
---------------------------------------------------------------------------

    \62\ See, e.g., In the Matter of Dale Matheson Carr-Hilton 
LaBonte LLP, PCAOB Rel. No. 105-2021-021 (Dec. 14, 2021); In the 
Matter of WDM Chartered Professional Accountants and Mike Kao, PCAOB 
Rel. No. 105-2021-016 (Sept. 30, 2021).
---------------------------------------------------------------------------

iii. Independence, Integrity, and Objectivity
    A firm's QC system should also provide the firm with reasonable 
assurance that personnel maintain independence--in fact and in 
appearance--in all required circumstances.\63\ Observations relating to 
auditor independence have been recurring over the last several 
years.\64\

[[Page 49595]]

Examples of these observations frequently have included:
---------------------------------------------------------------------------

    \63\ See QC 20.09.
    \64\ See, e.g., 2022 Inspection Observations Preview at 18; 2021 
Inspection Observations Preview at 19; PCAOB, Spotlight: Staff 
Update and Preview of 2020 Inspection Observations (Oct. 2021) 
(``2020 Inspection Observations Preview''), at 12, available at 
https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/documents/staff-preview-2020-inspection-observations-spotlight.pdf?sfvrsn=10819041_4; Spotlight: Staff Update and Preview 
of 2019 Inspection Observations (Oct. 8, 2020) (``2019 Inspection 
Observations Preview''), at 7, available at https://pcaobus.org/Inspections/Documents/Staff-Preview-2019-Inspection-Observations-Spotlight.pdf; Staff Inspection Brief: Inspections Outlook for 2019 
(Dec. 6, 2018) (``2019 Inspections Outlook''), at 2, available at 
https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/inspections/documents/inspections-outlook-for-2019.pdf?sfvrsn=538b8bb7_2.
---------------------------------------------------------------------------

     Violations of independence, including financial 
relationship and partner rotation requirements of 17 CFR 210.2-01; \65\
---------------------------------------------------------------------------

    \65\ See, e.g., In the Matter of Ernst & Young LLP, James G. 
Herring, Jr., CPA, James A. Young, CPA, and Curt W. Fochtmann, CPA, 
SEC AAER No. 4239 (Aug. 2, 2021); In the Matter of Raich Ende Malter 
& Co., PCAOB Rel. No. 105-2019-009 (Apr. 9, 2019); In the Matter of 
Marcum LLP and Alfonse Gregory Giugliano, CPA, PCAOB Rel. No. 105-
2019-022 (Sept. 10, 2019); In the Matter of Marcum Bernstein & 
Pinchuk LLP, PCAOB Rel. No. 105-2019-023 (Sept. 10, 2019).
---------------------------------------------------------------------------

     Noncompliance by firm personnel in reporting their 
financial relationships during the independence confirmation process;
     Independence violations related to the firm providing 
impermissible non-audit services; \66\
---------------------------------------------------------------------------

    \66\ See, e.g., In the Matter of Pricewaterhousecoopers LLP, SEC 
AAER No. 4084 (Sept. 23, 2019); In the Matter of RSM US LLP (f/k/a 
McGladrey LLP), SEC AAER No. 4066 (Aug. 27, 2019).
---------------------------------------------------------------------------

     Noncompliance with PCAOB Rule 3524, Audit Committee Pre-
approval of Certain Tax Services, and PCAOB Rule 3526, Communication 
with Audit Committees Concerning Independence; \67\
---------------------------------------------------------------------------

    \67\ See, e.g., In the Matter of PricewaterhouseCoopers, S.C., 
PCAOB Rel. No. 105-2019-017 (Aug. 1, 2019); In the Matter of BDO 
Magyarorszag Konyvvizsgalo Kft., PCAOB Rel. No. 105-2017-024 (Apr. 
12, 2017).
---------------------------------------------------------------------------

     Improper inclusion of indemnification clauses in 
engagement letters, which impaired independence based on the general 
standard of independence prescribed by 17 CFR 210.2-01(b); and
     Failure to implement and maintain adequate policies and 
procedures to provide reasonable assurance that firm personnel timely 
consult on complex, unusual, or unfamiliar independence issues.\68\
---------------------------------------------------------------------------

    \68\ See, e.g., In the Matter of PricewaterhouseCoopers LLP, 
PCAOB Rel. No. 105-2024-014 (Mar. 28, 2024).
---------------------------------------------------------------------------

    The PCAOB has also observed highly concerning, widespread instances 
where firm personnel have improperly shared answers on examinations 
required to obtain or maintain professional licenses.\69\ The Board has 
acted decisively in responding to this conduct, which was prevalent 
both domestically and internationally.\70\ The PCAOB has also observed 
instances where firm personnel have not acted with integrity by 
altering work papers \71\ or failing to cooperate with the Board.\72\
---------------------------------------------------------------------------

    \69\ See, e.g., In the Matter of Navarro Amper & Co., PCAOB Rel. 
No. 105-2024-025 (Apr. 10, 2024); In the Matter of Imelda & Rekan, 
PCAOB Rel. No. 105-2024-024 (Apr. 10, 2024); In the Matter of KPMG 
Accountants N.V., PCAOB Rel. No. 105-2024-022 (Apr. 10, 2024); In 
the Matter of KPMG LLP (United Kingdom), PCAOB Rel. No. 105-2022-032 
(Dec. 6, 2022); In the Matter of Ernst & Young LLP, SEC AAER No. 
4313 (June 28, 2022); In the Matter of PricewaterhouseCoopers LLP, 
PCAOB Rel. No. 105-2022-002 (Feb. 24, 2022); In the Matter of KPMG, 
PCAOB Rel. No. 105-2021-008 (Sept. 13, 2021); In the Matter of KPMG 
LLP, SEC AAER No. 4051 (June 17, 2019).
    \70\ See, e.g., In the Matter of PricewaterhouseCoopers Zhong 
Tian LLP, PCAOB Rel. No. 105-2023-044 (Nov. 30, 2023); In the Matter 
of PricewaterhouseCoopers, PCAOB Rel. No. 105-2023-043 (Nov. 30, 
2023); KPMG LLP (United Kingdom), PCAOB Rel. No. 105-2022-032 
PricewaterhouseCoopers LLP, PCAOB Rel. No. 105-2022-002 KPMG, PCAOB 
Rel. No. 105-2021-008.
    \71\ See, e.g., In the Matter of Jose Daniel Melendez Gimenez, 
PCAOB Rel. No. 105-2022-035 (Dec. 6, 2022); In the Matter of Edgar 
Mauricio Ramirez Rueda, PCAOB Rel. No. 105-2022-036 (Dec. 6, 2022); 
In the Matter of Marco Alexander Rodriguez Ramirez, PCAOB Rel. No. 
105-2022-037 (Dec. 6, 2022); In the Matter of KPMG S.A.S., PCAOB 
Rel. No. 105-2022-034 (Dec. 6, 2022); In the Matter of Jonathan B. 
Taylor, CPA, PCAOB Rel. No. 105-2022-025 (Oct. 18, 2022); Castillo 
Miranda y Compa[ntilde][iacute]a, S.C.PCAOB Rel. No. 105-2019-028 
Deloitte Anjin LLC, PCAOB Rel. No. 105-2019-025 Deloitte Touche 
Tohmatsu Auditores Independentes, PCAOB Rel. No 105-2016-031.
    \72\ See, e.g., Shandong Haoxin Certified Public Accountants 
Co., Ltd., PCAOB Rel. No. 105-2023-045 Jose Daniel Melendez Gimenez, 
PCAOB Rel. No. 105-2022-035 Edgar Mauricio Ramirez Rueda, PCAOB Rel. 
No. 105-2022-036 Marco Alexander Rodriguez Ramirez, PCAOB Rel. No. 
105-2022-037 Jose Daniel Melendez Gimenez, PCAOB Rel. No. 105-2022-
035 Castillo Miranda y Compa[ntilde][iacute]a, S.C., PCAOB Rel. No. 
105-2019-028 Deloitte Touche Tohmatsu Auditores Independentes, PCAOB 
Rel. No 105-2016-031.
---------------------------------------------------------------------------

    These recurring deficiencies and violations suggest that some firms 
and their personnel either do not have the requisite understanding of 
applicable independence and ethics requirements, or, as evidenced by 
the systemic nature of certain of these violations, do not have 
appropriate controls in place to prevent violations.\73\
---------------------------------------------------------------------------

    \73\ See 2021 Inspection Observations Preview at 19; 2019 
Inspections Outlook at 2.
---------------------------------------------------------------------------

iv. Personnel Management
    The quality of a firm's work ultimately depends on the integrity, 
objectivity, intelligence, competence, experience, and motivation of 
personnel who perform, supervise, and review the work.\74\ A firm's QC 
system should provide the firm with reasonable assurance that personnel 
participate in general and industry-specific CPE and other professional 
development activities that enable them to fulfill responsibilities 
assigned and satisfy applicable CPE requirements.\75\ A firm's QC 
system also should provide the firm with reasonable assurance that 
personnel possess the appropriate characteristics to enable them to 
perform competently and that work is assigned to personnel having the 
degree of technical training and proficiency required in the 
circumstances.\76\
---------------------------------------------------------------------------

    \74\ See QC 20.12.
    \75\ See QC 20.13c.
    \76\ See QC 20.13a. and b.
---------------------------------------------------------------------------

    The PCAOB has observed deficiencies related to compliance with the 
firm's auditing policies and procedures.\77\ The PCAOB also has 
observed deficiencies and violations where the firm did not assign 
personnel to engagements who had the training and proficiency required 
to perform audit work in accordance with PCAOB standards.\78\
---------------------------------------------------------------------------

    \77\ See 2022 Inspection Observations Preview at 18.
    \78\ See, e.g., Jack Shama PCAOB Rel. No. 105-2024-004 ; In the 
Matter of Hall & Company Certified Public Accountants & Consultants, 
Inc., and Anthony J. Price, CPA, PCAOB Rel. No. 105-2022-029 (Nov. 
3, 2022); In the Matter of PKF O'Connor Davies, LLP, PCAOB Rel. No. 
105-2022-001 (Jan. 25, 2022); In the Matter of WDM Chartered 
Professional Accountants, PCAOB Rel. No. 105-2021-016 (Sept. 30, 
2021); In the Matter of Grant Thornton LLP, PCAOB Rel. No. 105-2017-
054 (Dec. 19, 2017); BDO Auditores, S.L.P., Santiago 
Sa[ntilde][eacute] Figueras, and Jos[eacute] Ignacio Alg[aacute]s 
Fern[aacute]ndez, PCAOB Rel. No. 105-2017-039.
---------------------------------------------------------------------------

v. Monitoring
    A firm's QC system should provide the firm with reasonable 
assurance that its policies and procedures are suitably designed and 
effectively applied.\79\ The PCAOB has observed situations where a 
firm's internal inspection procedures did not detect significant audit 
deficiencies or the firm did not make changes to address repeated 
identified audit deficiencies.\80\ These deficiencies and violations 
were subsequently identified through SEC and PCAOB oversight.\81\
---------------------------------------------------------------------------

    \79\ See QC 20.20.
    \80\ See, e.g., 2022 Inspection Observations Preview at 19.
    \81\ See, e.g., In the Matter of KPMG Assurance and Consulting 
Services LLP and Sagar Pravin Lakhani, PCAOB Rel. No. 105-2022-033 
(Dec. 6, 2022); In the Matter of Friedman LLP, SEC AAER No. 4339 
(Sept. 23, 2022); In the Matter of BMKR LLP and Joseph Mortimer, 
CPA, PCAOB Rel. No. 105-2022-003 (Feb. 24, 2022); PKF O'Connor 
Davies, LLP, PCAOB Rel. No. 105-2022-001 WDM Chartered Professional 
Accountants, PCAOB Rel. No. 105-2021-016 ; In the Matter of Haskell 
& White LLP, PCAOB Rel. No. 105-2021-006 (Aug. 13, 2021); In the 
Matter of RBSM LLP, PCAOB Rel. No. 105-2021-004 (Aug. 9, 2021); 
Castillo Miranda y Compa[ntilde][iacute]a, S.C., PCAOB Rel. No. 105-
2019-028 Marcum LLP, PCAOB Rel. No. 105-2019-022 Marcum Bernstein & 
Pinchuk LLP, PCAOB Rel. No. 105-2019-023 PricewaterhouseCoopers, 
S.C., PCAOB Rel. No. 105-2019-017; In the Matter of Bharat Parikh & 
Associates Chartered Accountants, Bharatkumar Balmukund Parikh, FCA, 
and Anuj Bharatkumar Parikh, PCAOB Rel. No. 105-2019-003 (Mar. 19, 
2019); Grant Thornton, PCAOB Rel. No. 105-2017-054.

---------------------------------------------------------------------------

[[Page 49596]]

vi. Engagement Quality Reviews
    Both the PCAOB and SEC have identified deficiencies and violations 
in audit areas that require evaluation by the engagement quality 
reviewer (``EQR''),\82\ which suggests the EQR did not perform the 
evaluation with due professional care.\83\ Additionally, for certain 
broker-dealer audit and attestation engagements, the PCAOB has observed 
instances where engagement quality reviews were not performed or 
sufficiently documented \84\ and policies and procedures did not 
provide reasonable assurance that engagement quality reviews were 
performed with due professional care.\85\
---------------------------------------------------------------------------

    \82\ See, e.g., Spotlight: Inspection Observations Related to 
Engagement Quality Reviews (Oct. 2023), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/eqr-spotlight.pdf?sfvrsn=95a345e6_4; 2022 Inspection Observations 
Preview at 19; 2021 Inspection Observations Preview at 20; 2018 
Inspection Observations Preview, at 4; 2020 Inspection Observations 
Preview at 12.
    \83\ See, e.g., In the Matter of RAM Associates & Company LLC 
and Parameswara K. Ramachandran, PCAOB Rel. No. 105-2023-021 (Aug. 
8, 2023); In the Matter of Total Asia Associates PLT, PCAOB Rel. No. 
105-2023-007 (June 23, 2023); In the Matter of RT LLP, PCAOB Rel. 
No. 105-2023-002 (Apr. 11, 2023); In the Matter of Donald R. Burke, 
CPA, PCAOB Rel. No. 105-2021-012 (Sept. 29, 2021); RBSM LLP, PCAOB 
Rel. No. 105-2021-00; In the Matter of Cheryl L. Gore, CPA and 
Stanley R. Langston, CPA, PCAOB Rel. No. 105-2021-020 (Dec. 14, 
2021); Whitley Penn LLP, PCAOB Rel. No. 105-2020-002; In the Matter 
of Helen R. Liao, CPA, PCAOB Rel. No. 105-2020-014 (Sept. 24, 2020); 
In the Matter of Crowe Horwath LLP, Joseph C. Macina, CPA, and Kevin 
V. Wydra, CPA, SEC AAER No. 4007 (Dec. 21, 2018); In the Matter of 
BDO Auditores, S.L.P., PCAOB Rel. No. 105-2017-039.
    \84\ See, e.g., In the Matter of Alvarez & Associates, Inc., 
Certified Public Accountants, and Vicente Alvarez, CPA, PCAOB Rel. 
No. 105-2022-039 (Dec. 21, 2022); In the Matter of Citrin Cooperman 
& Company, LLP, Joseph Puglisi, CPA, Mark Schniebolk, CPA, and John 
Cavallone, CPA, PCAOB Rel. No. 105-2022-007 (May 11, 2022).
    \85\ See Annual Report on the Interim Inspection Program Related 
to Audits of Brokers and Dealers, PCAOB Rel. No. 2023-005 (Aug. 10, 
2023) (``2022 Broker-Dealer Inspection Report''), at 31.
---------------------------------------------------------------------------

b. Good Practices Observed From Inspections
    The following observations regarding good QC practices are based on 
inspections in recent years.\86\ A good QC practice could be a 
procedure, technique, or methodology that is appropriately 
comprehensive and suitably designed in relation to a firm's size and 
the nature and complexity of the firm's practice. The Board has taken 
these observations into account in its consideration of QC 1000, while 
recognizing that the nature, extent, and formality of the design, 
implementation, and operation of QC systems can vary across firms.
---------------------------------------------------------------------------

    \86\ See, e.g., 2022 Inspection Observations Preview; 2021 
Inspection Observations Preview; 2020 Inspection Observations 
Preview; 2019 Inspection Observations Preview; and 2018 Inspection 
Observations Preview.
---------------------------------------------------------------------------

i. Well-Defined QC System
    A well-defined QC system includes all key elements of quality 
control and is supported by documentation that helps to promote firm 
personnel's understanding and consistent application of the firm's QC 
system. Helpful characteristics that the PCAOB has observed in some 
firms' QC systems include:
     Narratives and process flows that articulate how and where 
quality objectives fit within the QC processes and define risks posed 
to those quality objectives, including considering what could go wrong 
along the way;\87\ and
---------------------------------------------------------------------------

    \87\ See 2021 Inspection Observations Preview at 22; 2019 
Inspection Observations Preview at 4.
---------------------------------------------------------------------------

     Developing risk and control matrices that include well-
defined controls.
ii. Accountability for Audit Quality
    Leadership involvement in and commitment to a firm's QC system sets 
the tone at the top and drives clear expectations regarding the 
importance of audit quality. The PCAOB observed positive behaviors 
where firms have placed an emphasis on the importance of audit quality 
through extending accountability beyond engagement partners to other 
key leaders at the firm, such as audit quality leaders, technical 
experts, and office leaders, through performance management 
processes.\88\
---------------------------------------------------------------------------

    \88\ See 2018 Inspection Observations Preview at 2.
---------------------------------------------------------------------------

iii. Root Cause Analysis of Identified Deficiencies
    Identifying causal factors for engagement and QC deficiencies 
(i.e., root cause analysis) can enable a firm to determine the 
appropriate response to and remediation of deficiencies and modify 
policies and procedures to prevent similar occurrences in the future. 
The PCAOB has observed that thorough root cause analyses drive better 
remediation of identified deficiencies. If root cause analysis is 
performed by a centralized team, having a defined process to share data 
and lessons learned outside of the root cause analysis team may further 
enhance the performance of a firm's QC system.
    Through its inspection activities the PCAOB has observed that some 
firms' root cause analysis programs have significantly evolved since 
the PCAOB was formed. The PCAOB has observed that some firms' approach 
to root cause analysis includes one or more of the following:
     Interviews with engagement teams and firm leadership;
     Use of proprietary tools to analyze large amounts of data;
     Root cause analysis training and the use of templates to 
facilitate consistency;
     Consideration of available performance metrics, such as 
engagement hours, training records, audit milestone dates, and partner 
experience years; and
     Consideration of positive quality events (i.e., actions, 
behaviors, or conditions that resulted in positive outcomes, such as 
where aspects of the firm's QC system operated effectively or where no 
engagement deficiencies were identified for individual engagements) to 
identify whether such actions, behaviors, or conditions were present on 
engagements where QC deficiencies were identified.
iv. Timely Monitoring and Evaluation Activities
    Timely and effective monitoring activities drive high-quality 
audits. The PCAOB has observed several good practices followed by some 
firms in their monitoring activities, including:
     Increased real-time monitoring of in-process audit 
engagements, for example, through pre-issuance reviews or coaching 
programs; \89\
---------------------------------------------------------------------------

    \89\ See 2020 Inspection Observations Preview at 4, 13.
---------------------------------------------------------------------------

     Formalized monitoring processes and actions for defined 
triggering events, including restatements, internal and external 
inspection results, and results of peer reviews; and
     Mature QC processes including internal self-certifications 
of the effectiveness of QC components and sub-components.

Other Developments Since the Adoption of Current PCAOB QC Standards

    Since the PCAOB's current QC standards were first developed and 
issued, the auditing environment has changed significantly. The current 
QC standards were developed in the context of the self-regulatory peer-
review system that existed before the establishment of the PCAOB. 
Therefore, they were not written with a view to inspection and 
enforcement by a regulator and do not address the current regulatory 
environment, including firms' responsibilities with respect to

[[Page 49597]]

information brought to their attention through the PCAOB inspection 
process.
    Since the QC standards were established, there have been 
significant developments in the availability and use of technologies 
and data analytic techniques, the organizational structure and 
management of firms have changed, and some firms have significantly 
increased their focus on governance and quality control.
    For example, there have been significant developments in the use of 
technology by firms in relation to QC activities and performing 
engagements. Some firms have made significant investments in internally 
developed tools for use in the audit. The increased availability of 
``off-the-shelf'' technologies, such as analytical software packages, 
has made some tools more readily available for use by firms. Firms 
developing or acquiring new technology-based tools, making changes to 
existing tools, and training firm personnel on how and when to use such 
tools have had impacts on QC. Many of these tools may reduce risk, for 
example by reducing the possibility of human error and enabling the 
analysis of whole populations of transactions rather than samples. But 
they may also create new risks if they do not work as intended or are 
used incorrectly.
    Furthermore, some firm management and organizational structures 
have evolved to include more focus on centralization and a globally 
consistent methodology. Some firms have increased their use of services 
and resources supplied by firm networks, affiliates, and third-party 
providers. For example, some global networks are increasingly imposing 
requirements on member firms regarding the use of methodologies, 
technology, and policies and procedures that are developed or 
established at the network level. Some firms have also increased their 
use of shared service centers to assist with QC activities or 
performing engagements. In addition, some firms have changed their 
governance structures either voluntarily or due to changes in legal 
requirements.\90\ At the same time, some firms have begun to publish 
``transparency reports'' that seek to inform the public about the 
firm's operations and quality control systems and practices.
---------------------------------------------------------------------------

    \90\ See, e.g., the UK Financial Reporting Council, Audit Firm 
Governance Code (Apr. 2022) available at https://www.frc.org.uk/getattachment/5af7cdb7-a093-4da8-94d7-f4486596e68c/FRC-Audit-Firm-Governance-Code_April-2022.pdf, and the Japan Financial Services 
Agency, Audit Firm Governance Code (Mar. 2017) available at https://www.fsa.go.jp/news/28/sonota/20170331-auditfirmgc/3.pdf.
---------------------------------------------------------------------------

    Additionally, some firms have strengthened their approaches to firm 
governance and leadership, incentive systems, culture, and 
accountability. For example, some firms have added external parties to 
oversight roles. Some firms have also augmented their monitoring and 
remediation processes, including through implementing or enhancing 
ongoing monitoring activities and internal inspection processes, 
establishing processes for considering PCAOB inspection findings, 
performing root cause analysis, and increasing remediation efforts. 
Observations from PCAOB oversight activities have shown that 
improvements in quality controls can enhance the quality of audits.\91\ 
However, as noted above, PCAOB oversight activities continue to 
identify pervasive deficiencies, suggesting that many firms have 
meaningful improvements to make.
---------------------------------------------------------------------------

    \91\ See, e.g., 2018 Inspection Observations Preview at 1-4.
---------------------------------------------------------------------------

    There have also been notable advances in internal control, quality 
management, and enterprise risk management frameworks and approaches, 
including the Committee of Sponsoring Organizations of the Treadway 
Commission (``COSO'') framework for internal control\92\ and the 
International Organization for Standardization (``ISO'') quality 
control standard ISO 9000:2015.\93\ Many of these share important 
commonalities, stressing active involvement of leadership, focus on 
risk, clearly defined objectives, objective-oriented processes, 
monitoring, and remediation of identified issues. Academic research 
suggests that these frameworks improve company performance.\94\
---------------------------------------------------------------------------

    \92\ See, e.g., COSO, Internal Control-Integrated Framework (May 
2013). An executive summary of COSO's internal control framework is 
available at https://www.coso.org/_files/ugd/3059fc_1df7d5dd38074006bce8fdf621a942cf.pdf.
    \93\ More information about ISO 9000:2015 is available at 
https://www.iso.org/standard/45481.html.
    \94\ See Benefits of related frameworks below.
---------------------------------------------------------------------------

Actions by Other Standard Setters

    Following is a brief description of the quality control standards 
adopted by the IAASB and the AICPA.
1. IAASB
    The IAASB identified concerns related to its then effective QC 
standard, International Standard on Quality Control (ISQC) 1, Quality 
Control for Firms that Perform Audits and Reviews of Financial 
Statements, and Other Assurance and Related Services Engagements, and 
decided to take steps to improve the standard. In December 2020, the 
IAASB released a suite of new quality management standards, including 
International Standard on Quality Management 1, Quality Management for 
Firms that Perform Audits or Reviews of Financial Statements, or Other 
Assurance or Related Services Engagements (``ISQM 1''),\95\ which 
became effective on December 15, 2022.\96\
---------------------------------------------------------------------------

    \95\ In addition to ISQM 1, the IAASB adopted two other 
standards, International Standard on Quality Management 2, 
Engagement Quality Reviews (``ISQM 2''), and International Standard 
on Auditing 220 (Revised), Quality Management for an Audit of 
Financial Statements (``ISA 220 (Revised)''). ISQM 2 operates at the 
firm level, and is analogous to PCAOB AS 1220, Engagement Quality 
Review. ISA 220 (Revised) operates at the engagement level and deals 
with the engagement partner's and the engagement team's 
responsibilities for quality management for an audit of financial 
statements. Similar topics are addressed in PCAOB standards in AS 
1201, Supervision of the Audit Engagement.
    \96\ ISQM 1 sets forth eight components of a QC system that 
operate in an iterative and integrated manner, as well as other 
requirements. See IAASB Fact Sheet, Introduction to ISQM 1, Quality 
Management for Firms that Perform Audits or Reviews of Financial 
Statements, or Other Assurance or Related Services Engagements (Dec. 
2020), available at https://www.ifac.org/system/files/publications/files/IAASB-ISQM-1-Fact-Sheet.pdf.
---------------------------------------------------------------------------

2. AICPA
    In May 2022, the Auditing Standards Board of the AICPA adopted new 
quality management standards designed to improve a firm's risk 
assessment and audit quality, including Statement on Quality Management 
Standards (SQMS) No. 1, A Firm's System of Quality Management (``SQMS 
1'').\97\ The AICPA's quality management standards closely align with 
the IAASB's quality management standards, adapted for private companies 
in the United States. The new AICPA standards will become effective on 
December 15, 2025.
---------------------------------------------------------------------------

    \97\ The AICPA's other QC standards are SQMS No. 2, Engagement 
Quality Reviews; Statement on Auditing Standards (SAS) No. 146, 
Quality Management for an Engagement Conducted in Accordance With 
Generally Accepted Auditing Standards; and Statement on Standards 
for Accounting and Review Services (SSARS) No. 26, Quality 
Management for an Engagement Conducted in Accordance With Statements 
on Standards for Accounting and Review Services.
---------------------------------------------------------------------------

PCAOB Outreach and Research

    The Board and its advisory groups have long considered the 
potential for improvements to PCAOB QC standards. For example, in 2010, 
the Standing Advisory Group (``SAG'') discussed a potential QC 
rulemaking project, including considerations and potential challenges 
in designing and implementing a QC system.\98\ In 2014,

[[Page 49598]]

the SAG discussed how QC standards may benefit from stronger 
requirements and other enhancements with respect to, for example, firm 
culture and tone at the top, firm risk assessment, and monitoring of 
the quality control system, including use of root cause analyses.\99\ 
In 2018, the SAG discussed whether additional or more specific 
direction in the quality control standards with respect to governance 
and leadership would lead to enhancements in firm quality control 
systems.\100\ Advisory group members have generally supported including 
requirements concerning firm governance and leadership in PCAOB QC 
standards.
---------------------------------------------------------------------------

    \98\ See Briefing Paper for the Standing Advisory Group, 
Designing and Implementing a System of Quality Control (Oct. 13, 
2010). An archive of SAG meeting agendas, briefing papers, and 
webcasts is available at https://pcaobus.org/about/advisory-groups/archive-advisory/standing-advisory-group/sagmeetingarchive. The 
materials for the Oct. 13-14, 2010, SAG meeting are available at 
https://pcaobus.org/news-events/events/event-details/standing-advisory-group-meeting_476.
    \99\ See Briefing Paper for the Standing Advisory Group, 
Initiatives to Improve Audit Quality--Root Cause Analysis, Audit 
Quality Indicators, and Quality Control Standards (June 24, 2014) 
(``June 2014 SAG Briefing Paper''). The materials for the June 24-
25, 2014, SAG meeting are available at https://pcaobus.org/news-events/events/event-details/pcaob-standing-advisory-group-meeting_772.
    \100\ See Briefing Paper for the Standing Advisory Group, 
Quality Control: Governance and Leadership (Nov. 29, 2018). The 
materials for the Nov. 29, 2018, SAG meeting are available at 
https://pcaobus.org/news-events/events/event-details/standing-advisory-group-meeting_1137.
---------------------------------------------------------------------------

Rulemaking History

    On December 17, 2019, the Board issued the concept release to 
explore the possibility of revising PCAOB QC standards. The concept 
release described an approach similar to the approach taken by the 
then-proposed ISQM 1, with certain differences and alternative 
requirements to specifically address the PCAOB's objectives, including 
establishing requirements that:
     Align with U.S. Federal securities law, SEC rules, and 
other PCAOB standards and rules;
     Retain important topics in current PCAOB QC standards;
     Address specific emerging risks and problems observed 
through PCAOB oversight activities; and
     Provide more definitive direction to prompt appropriate 
implementation of certain requirements.\101\
---------------------------------------------------------------------------

    \101\ See Concept Release at 6.
---------------------------------------------------------------------------

    The Board received 36 comment letters in response to the concept 
release.\102\ Commenters included firms and related groups, investors 
and related groups, academics, trade groups, and others.
---------------------------------------------------------------------------

    \102\ The comment letters received in response to the concept 
release are available on the Board's website in Docket 046.
---------------------------------------------------------------------------

    On November 18, 2022, the Board issued a proposal to supersede 
current PCAOB QC standards with an integrated, risk-based standard, QC 
1000, A Firm's System of Quality Control, that would apply to all 
registered firms. The Board received 42 comment letters in response to 
the proposal.\103\ Commenters included firms and related groups, 
investors and related groups, academics, trade groups, and others. The 
Board has considered all comments in developing the final standard and 
related amendments, and commenter input is included where relevant in 
the discussion that follows.
---------------------------------------------------------------------------

    \103\ The comment letters received in response to the proposal 
are available on the Board's website in Docket 046. In addition to 
42 letters received from commenters, Docket 046 includes an analysis 
prepared by the PCAOB Office of Economic and Risk Analysis.
---------------------------------------------------------------------------

Areas of Improvement to the QC Standards

    Taking into account the foregoing considerations, as well as 
careful consideration of comments received, the Board adopted changes 
to its QC standards that it believes will drive significant 
improvements in firms' QC systems, by:
     Emphasizing accountability, firm culture and the ``tone at 
the top,'' and firm governance through requirements for specified roles 
within and responsibilities for the QC system, including at the highest 
levels of the firm; quality objectives that link compensation to 
quality; and, for the largest firms, the requirement of an independent 
perspective on firm governance;
     Striking the right balance between a risk-based approach 
to QC--which should drive firms to proactively identify and manage the 
specific risks associated with their practice--and a set of mandates, 
including mandatory quality objectives; mandatory processes for risk 
assessment, monitoring and remediation, and QC system evaluation; and 
specific requirements in key areas--which should assure that the QC 
system is designed, implemented and operated with an appropriate level 
of rigor;
     Addressing changes in the audit practice environment, 
including the increasing participation of other firms and other outside 
resources, the role of firm networks, the evolving use of technology 
and other resources, and the increasing importance of internal and 
external firm communications;
     Broadening responsibilities for monitoring and remediation 
of deficiencies to encourage an ongoing feedback loop that drives 
continuous improvement; and
     Requiring a rigorous annual evaluation of the firm's QC 
system and related reporting to the PCAOB, certified by key personnel, 
to underscore the importance of the annual evaluation of the QC system, 
reinforce individual accountability, and support PCAOB oversight.
    In the Board's view, the basic objectives of the QC system should 
be the same for all firms, but the scope of the QC standard and how it 
applies should take into account wide disparities in nature and 
circumstances across registered firms, in particular the extent to 
which their practices include engagements required to be performed 
under PCAOB standards, and the complexity of such engagements. The 
risks that firms face, and therefore the specific policies and 
procedures necessary to appropriately serve investor interests through 
an effective QC system, vary significantly from the largest firms, 
operating as part of global networks, to local firms or sole 
proprietorships. The scalability of the new QC standard is discussed in 
greater detail below.

QC 1000: Basic Structure, Terminology, and Scalability

Basic Structure

1. Considerations Informing the Structure of QC 1000
    Informed by its observations and assessment of changes to auditing 
practice, the Board believes it is critical that its new QC standard 
strikes an appropriate balance between risk-based elements, which 
should drive firms to proactively identify and manage the specific 
risks associated with their practice, and a set of mandates to assure 
that the QC system is designed, implemented, and operated with an 
appropriate level of rigor. Moreover, the Board believes the new QC 
standard should foster a proactive approach to QC that drives 
continuous improvement. Based in part on its observations, the Board 
also believes its new standard should include specific requirements for 
some important areas of the QC system that are addressed more generally 
in current PCAOB QC standards, such as firm governance and leadership, 
technology and other firm resources, and firm communications.
    QC 1000 addresses all the areas of QC that Sarbanes-Oxley requires 
PCAOB QC standards to address, which the Board believes will provide a 
robust framework for a firm's QC system. It incorporates eight 
components, which are based on mandatory elements and

[[Page 49599]]

mandatory processes that create a basic structure applicable to all 
firms. For example, as discussed in more detail below, QC 1000 
establishes mandatory, outcome-based quality objectives and mandatory 
processes for risk assessment and monitoring and remediation. Within 
the structure created by these mandates, firms will develop their own 
policies and procedures based on the specific risks created by their 
circumstances and practice. QC 1000 also includes requirements for 
annual evaluation of the QC system and reporting to the PCAOB on that 
evaluation, which the Board believes will add rigor and accountability 
to the firm's evaluation of whether the QC system has met its 
objectives, and will strengthen the feedback loop that drives 
continuous improvement.
    The structure itself addresses areas that current PCAOB standards 
do not directly address, such as firm governance and leadership, 
technology and other firm resources, and firm communications. In 
addition, to the extent it is principles-based and focused on the 
specific risks faced by the firm, the structure is inherently scalable 
and can be applied to firms of all sizes and circumstances.
    The structure of QC 1000 has commonalities with the structure of 
ISQM 1 and SQMS 1. While the approach taken in ISQM 1 and SQMS 1 has 
informed the Board's thinking, the Board has carefully analyzed every 
aspect of that approach and considered where to align and where to 
further strengthen the PCAOB standard by including alternative or 
incremental provisions that the Board believes will better serve 
investor protection and the public interest. The Board believes that 
building on a well-understood basic framework, appropriately tailored 
and strengthened to address its legal and regulatory environment and 
its investor protection mandate, will enable firms to implement and 
comply with QC 1000 more effectively. In designing, implementing, and 
operating their QC systems, firms that are subject to both PCAOB 
standards and IAASB or AICPA QC standards--which the Board believes 
constitute a very substantial majority of firms that perform 
engagements under PCAOB standards \104\--can leverage the work they 
have already done and the investments they have already made to comply 
with those other requirements.
---------------------------------------------------------------------------

    \104\ See below for a discussion of the assumptions regarding 
the baseline.
---------------------------------------------------------------------------

    Many commenters, including firms and related groups, were generally 
supportive of structuring QC 1000 in a manner similar to the structure 
of ISQM 1 and SQMS 1. However, several commenters, including firms and 
related groups, suggested that further alignment should be considered, 
and any differences should be minimized. Several commenters suggested 
that firms would be subject to at least two different quality 
management/quality control systems, and commented that this would be 
impractical for firms to operate. The Board does not believe that QC 
1000 conflicts with the requirements of other standard setters or that 
anything prevents firms from developing a single QC system for their 
entire practice that satisfies both PCAOB requirements and other 
professional standards to which the firm is subject. The Board 
acknowledges certain differences between QC 1000 and the quality 
management standards set by other standard setters, in particular areas 
where QC 1000 establishes additional or more stringent requirements. 
However, the Board believes that quality responses developed by firms 
under QC 1000 can be considered by firms for the purposes of other 
quality management standards to which they are subject, reducing the 
need for two or more separate QC systems.
    One investor-related group did not support the framework of the 
standard, arguing that ISQM 1 is a process-driven and compliance-
oriented framework that does not encourage firms to meaningfully 
enhance their QC systems for the benefit of investors. Another investor 
expressed concern regarding the reliance on ISQM 1 in the development 
of QC 1000 on the basis that it does not always reflect the best 
interests of investors. The Board continues to believe that a common 
basic structure among quality control standards is beneficial. This is 
not only cost beneficial, but it also supports a firm's ability to 
operate a single, consistent QC system over its whole practice, which 
the Board believes ultimately supports audit quality. Where 
appropriate, QC 1000 goes beyond ISQM 1 to incorporate more detailed or 
more stringent provisions that are specifically relevant to the U.S. 
regulatory environment and investors.
    Several commenters supported a principles-based approach to QC 
1000. However, some commenters suggested that the specified quality 
responses throughout the standard impose prescriptive requirements that 
are not consistent with maintaining a principles-based approach. Others 
expressed a different perspective, suggesting that the standard was too 
principles-based, providing the firms with too much flexibility in 
designing, implementing, and operating their QC systems. For example, 
an investor expressed concern that a principles-based approach does not 
always reflect the best interests of investors. Other investor-related 
groups expressed concerns that a principles-based approach allows audit 
firms to conduct their own risk assessment and design their own 
controls to manage risks, including making the determination of whether 
QC deficiencies exist and are remediated without any public awareness 
or accountability. One of these investor-related groups suggested that 
an emphasis on a risk-based approach will result in little to no change 
at the largest auditing firms as they believe that this approach is 
already embedded in their QC systems. Another investor-related group 
commented that the proposed standard set the bar too low and failed to 
focus on audit quality and accountability such that it would only 
perpetuate the status quo.
    The Board has retained the approach as proposed. The Board believes 
that QC 1000 strikes the right balance between mandatory and risk-based 
elements. As discussed in more detail below, QC 1000 establishes a 
mandatory minimum set of outcome-based quality objectives that apply to 
all firms. Firms generally cannot omit or modify any of the quality 
objectives set out in the standard. Therefore, firms do not determine 
the criteria by which their QC systems will be assessed, only the means 
by which they will meet those criteria. Moreover, QC 1000 establishes 
requirements with which all firms will have to comply for roles and 
responsibilities within the QC system and the firm's risk assessment 
process, monitoring and remediation process, and evaluation process, as 
well as specified quality responses applicable to all firms in areas 
that the Board believes justify a more prescriptive approach. It also 
includes evaluation and reporting requirements that the Board believes 
will add accountability and rigor to the annual evaluation.
    Within that framework, QC 1000 requires firms to develop the 
policies and procedures they need to achieve the quality objectives and 
the overall objective of the QC system. The Board believes this more 
principles-based aspect of the standard will prompt firms to identify 
and focus on the most relevant risks to quality in the context of their 
own practice and will make QC 1000 appropriately scalable. This 
approach also allows for the standard to be operable by firms of all 
sizes. Smaller PCAOB audit practices can scale down their responses to 
fit the risks associated

[[Page 49600]]

with a small practice, and as the practice grows, the firm can scale up 
to respond to new quality risks. In addition, the Board believes that 
this approach will make it less likely that the standard will need to 
be amended in the future in response to changes in the auditing 
environment, including the use of technology.
2. Components of the QC System
    Under QC 1000, the QC system consists of eight components that are 
designed to be highly integrated:

Two process components:
     The firm's risk assessment process
     The monitoring and remediation process
Six components that address aspects of the firm's organization and 
operations:
     Governance and leadership
     Ethics and independence
     Acceptance and continuance of engagements
     Engagement performance
     Resources
     Information and communication

    The risk assessment process applies to these six components, 
requiring firms to:
     Establish outcome-based ``quality objectives,'' including 
those specified throughout the standard (i.e., the desired outcomes to 
be achieved by the firm with respect to that component);\105\
---------------------------------------------------------------------------

    \105\ ``Quality objectives'' are defined in QC 1000.A10.
---------------------------------------------------------------------------

     Identify and assess ``quality risks'' to the quality 
objectives;\106\
---------------------------------------------------------------------------

    \106\ ``Quality risks'' are defined in QC 1000.A12.
---------------------------------------------------------------------------

     Design and implement ``quality responses'' (i.e., policies 
and procedures to address quality risks);\107\ and
---------------------------------------------------------------------------

    \107\ ``Quality responses'' are defined in QC 1000.A11.
---------------------------------------------------------------------------

     Establish policies and procedures to monitor internal and 
external changes that may require modifications to the quality 
objectives, quality risks, or quality responses.
    The monitoring and remediation process applies to all of the 
components of the QC system, including monitoring and remediation 
itself (i.e., firms are required to identify and remediate deficiencies 
that are observed in their monitoring and remediation activities).
    The firm is also required to evaluate and report on its QC system 
annually, based on the results of its monitoring and remediation 
activities.
    The following diagram illustrates the structure of the firm's QC 
system under QC 1000:
BILLING CODE 8011-01-P

[[Page 49601]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.000

BILLING CODE 8011-01-C
3. Quality Objectives, Quality Risks, and Quality Responses, Including 
Specified Quality Responses
    For each of the six components to which the risk assessment process 
applies, QC 1000 specifies required quality objectives. While QC 1000 
provides some flexibility with regard to the quality risks that firms 
are required to identify and the quality responses that firms are 
required to develop to address those risks, it does not provide the 
same flexibility with regard to quality objectives. Instead, quality 
objectives that will apply to all firms are specified in the standard. 
Firms can establish additional quality objectives--indeed, they are 
required to do so if necessary to achieve the objective of the QC 
system--but they generally cannot omit or modify any of the quality 
objectives set out in the standard. The Board believes that, for many 
firms, the quality objectives specified in the standard are likely to 
be comprehensive, and does not expect in the current environment that 
additional quality objectives would generally be necessary. However, 
the Board also recognizes that the nature and circumstances of a firm 
and its engagements will vary and the environment may change. 
Accordingly, firms are required to establish additional quality 
objectives, if necessary.\108\ The quality objectives established by 
this standard set forth a floor rather than a ceiling.
---------------------------------------------------------------------------

    \108\ See ``The Firm's Risk Assessment Process'' below.
---------------------------------------------------------------------------

    Firms are required to identify and assess quality risks to the 
achievement of the established quality objectives. They are required to 
develop quality responses to address the assessed quality risks. 
Quality responses are defined as policies and procedures

[[Page 49602]]

designed and implemented by the firm to address quality risks; policies 
are statements of what should, or should not, be done to address an 
assessed quality risk, and procedures are actions to implement and 
comply with policies. As proposed, the definition of quality responses 
provided that policies ``may be documented or explicitly stated in 
communications.'' In the final rule, that sentence was eliminated to 
avoid confusion or potential conflict with the documentation 
requirements set out in QC 1000.81-83.
    The correspondence across quality objectives, quality risks, and 
quality responses is generally not one-to-one. Most quality objectives 
are likely to have multiple quality risks. Some quality risks may 
affect one or more quality objectives, either within a single component 
or across several components, and may require multiple quality 
responses. Some quality responses may address multiple quality risks.
    Quality responses would typically be specific to the firm, to 
respond to its particular assessed quality risks. QC 1000 also includes 
some specified quality responses, which are mandatory for the firms to 
which they apply. Specified quality responses carry requirements from 
current PCAOB standards into QC 1000 or provide new requirements that 
the Board believes are important to a firm's QC system. The specified 
quality responses are not intended to be comprehensive; on the 
contrary, for most of the components of the firm's QC system, the 
standard includes only a few specified quality responses, and for the 
engagement performance component there are none. As a result, the 
specified quality responses alone will not be sufficient to enable the 
firm to achieve all established quality objectives; firms are required 
to design and implement their own quality responses. Both the specified 
quality responses and the quality responses the firm designs and 
implements on its own are critical in addressing quality risks. The 
following graphic illustrates the relationship between all quality 
responses (i.e., the quality responses necessary to achieve all 
established quality objectives) and the specified quality responses 
established in QC 1000:
[GRAPHIC] [TIFF OMITTED] TN11JN24.001

Terminology

    This section discusses some of the terminology used throughout QC 
1000. Appendix A to QC 1000 defines several terms used in the standard.
    Two commenters indicated that the proposed terminology was 
understandable and appropriate, but most commenters on the topic 
requested that the terminology used in QC 1000 be consistent with the 
terminology used by other standard setters, primarily to avoid 
potential confusion and ensure that the process of evaluating the QC 
system and the conclusion reached as to its effectiveness would be the 
same under both standards. The Board continues to believe that its 
proposed terminology is necessary to capture the basic concepts used in 
QC 1000, which differ in some respects from the concepts used by other 
standard setters, particularly as regards ``other participants,'' as 
the Board has defined that term, and the annual QC system evaluation 
process, which is grounded in the concepts of ``engagement 
deficiency,'' ``QC deficiency,'' and ``major QC deficiency.'' While 
this

[[Page 49603]]

approach will result in an incremental burden for firms that seek to 
comply with other QC standards as well as QC 1000, the Board believes 
that the burden is justified. The Board also believes that, just as 
firms can perform audits under different auditing standards, they can 
learn to implement and operate a QC system under different QC 
standards. Accordingly, with the clarifications described below, the 
Board adopted the terminology substantially as proposed.
1. Applicable Professional and Legal Requirements
    As discussed in more detail below, compliance with applicable 
professional and legal requirements is a fundamental concept under QC 
1000, driving the objective of the QC system as well as many quality 
objectives and specified quality responses. The proposed standard 
defined ``applicable professional and legal requirements'' as
     Professional standards, as defined in PCAOB Rule 
1001(p)(vi);
     Rules of the PCAOB that are not professional standards; 
and
     To the extent related to the obligations and 
responsibilities of accountants or auditors or to the conduct of 
engagements, rules of the SEC, other provisions of U.S. Federal 
securities law, and other applicable statutory, regulatory, and other 
legal requirements.
    Two commenters supported the definition as proposed. One commenter 
recommended including the profession's ethical standards explicitly. 
Two commenters stated the phrase ``other applicable statutory, 
regulatory, and other legal requirements'' could be read broadly and 
extend beyond regulations that directly bear on the conduct of audit 
engagements. Another commenter suggested amending the definition of 
``professional standards'' in PCAOB Rule 1001(p)(vi) to refer to 
``quality control standards'' rather than ``quality control policy and 
procedures.''
    In response to comments, the Board made changes to the third, more 
general clause of the definition. As one commenter suggested, the Board 
expanded the definition to explicitly mention ethics laws and 
regulations.\109\ While the definition as proposed encompassed 
applicable ethics requirements, the Board believes an express reference 
will help to remind firms and individuals of the centrality of ethics 
considerations. The Board also refined the definition to make clear 
that it encompasses statutory, regulatory, and other legal requirements 
beyond professional standards and other PCAOB rules ``[t]o the extent 
related to the obligations and responsibilities of accountants or 
auditors in the conduct of engagements or in relation to the QC 
system.'' This change is designed to limit the breadth of the 
definition to the relevant circumstances.
---------------------------------------------------------------------------

    \109\ These include those arising under state law or the law of 
other jurisdictions (e.g., obligations regarding client 
confidentiality). See QC 1000 footnote 10.
---------------------------------------------------------------------------

    The phrase ``quality control policies and procedures,'' used in 
PCAOB Rule 1001(p)(vi), is drawn from section 110(5) of Sarbanes-Oxley. 
The Board believes its rule should continue to align with that 
statutory provision.
    This definition captures all professional and legal requirements 
specifically related to engagements under PCAOB standards of issuers 
and SEC-registered broker-dealers, including relevant accounting, 
auditing, and attestation standards, PCAOB and SEC rules, other 
provisions of Federal securities law, other relevant laws and 
regulations (e.g., state law and rules governing accountants), 
applicable ethics law and rules, and other legal requirements related 
to the obligations and responsibilities of accountants or auditors in 
the conduct of the firm's engagements or in relation to the QC 
system.\110\ It does not encompass requirements that apply to 
businesses generally, such as tax laws, safety regulations, and 
employment law.
---------------------------------------------------------------------------

    \110\ For avoidance of doubt, the requirements relating to 
compliance with applicable professional and legal requirements are 
meant to make clear that, as relates to engagements subject to PCAOB 
standards, all applicable professional and legal requirements must 
be followed. The requirement does not suggest that application of 
``other applicable statutory, regulatory, and other legal 
requirements'' could supersede rules of the SEC, other provisions of 
U.S. Federal securities law, rules of the PCAOB that are not 
professional standards, or PCAOB professional standards. On the 
contrary, requirements relating to ``applicable professional and 
legal requirements'' are meant to highlight the importance of 
adhering to other requirements when those requirements do not 
conflict with or abridge requirements of Federal securities laws, 
PCAOB rules, or PCAOB standards.
---------------------------------------------------------------------------

2. Engagement
    The proposed standard defined ``engagement'' as (1) any audit, 
attestation, review, or other engagement under PCAOB standards 
performed by a firm, or (2) any engagement in which a firm ``play[s] a 
substantial role in the preparation or furnishing of an audit report'' 
as defined in PCAOB Rule 1001(p)(ii).\111\ In the final standard, the 
term ``engagement'' encompasses the same scope as it did in the 
proposal--when the firm leads an engagement as lead auditor or 
practitioner, or plays a substantial role--but the definition has been 
restructured for clarity.
---------------------------------------------------------------------------

    \111\ Generally, and as described in more detail in Rule 
1001(p)(ii), a firm plays a substantial role in the preparation or 
furnishing of an audit report if (1) its engagement hours or fees 
constitute 20% or more of the total engagement hours or fees or (2) 
it performs the majority of the audit procedures with respect to a 
subsidiary or component whose assets or revenues constitute 20% or 
more of the consolidated assets or revenues of the issuer, broker, 
or dealer.
---------------------------------------------------------------------------

    The final standard defines ``engagement'' as any audit, 
attestation, review, or other engagement performed under PCAOB 
standards:
     Led by a firm; or
     In which a firm ``play[s] a substantial role in the 
preparation or furnishing of an audit report'' as defined in PCAOB Rule 
1001(p)(ii).
    The definition covers not only circumstances in which the firm 
serves as the lead auditor or the ``practitioner'' for an attestation 
engagement, which is what is customarily meant by the term engagement, 
but also any substantial role work the firm undertakes. The Board's 
view is that this additional breadth is appropriate because playing a 
substantial role in an engagement for an issuer or broker-dealer is 
sufficient to require a firm to register with the PCAOB. The definition 
covers all engagements under PCAOB standards performed by the firm, 
whether the application of PCAOB standards is legally required (e.g., 
for audits of issuers and broker-dealers) or undertaken pursuant to 
contractual agreement, where permitted but not required under SEC 
rules, or for any other reason.
    Commenters on the definition of ``engagement'' generally supported 
it. One commenter requested clarification as to why the definition does 
not include work performed at less than a substantial role, given that 
the standard includes requirements regarding such work.
    The Board defined ``engagement'' to exclude work performed on other 
firms' PCAOB engagements at less than a substantial role because it 
believes the auditor responsibilities associated with such work, and 
the risks posed by it, are materially different than the 
responsibilities and risks associated with a firm leading an engagement 
or playing a substantial role.\112\ QC 1000 contains provisions 
specifically applicable to work performed on other firms' PCAOB 
engagements at less than

[[Page 49604]]

a substantial role, which have been tailored to reflect those 
responsibilities and risks. The Board believes this tailored approach 
is appropriate.
---------------------------------------------------------------------------

    \112\ PCAOB registration rules reflect this difference in risk 
profile: PCAOB registration is required for firms that lead 
engagements or play a substantial role in audits of issuers and 
broker-dealers, but not for work performed on other firms' 
engagements at less than a substantial role. See PCAOB Rule 2100, 
Registration Requirements for Public Accounting Firms.
---------------------------------------------------------------------------

    Also grounded in the Board's views on relative risk and the 
investor interests at stake, the concept of ``engagement'' marks an 
important distinction in the level of responsibility created under QC 
1000: while all registered firms are required to design a QC system 
that complies with QC 1000, the threshold for a firm to implement and 
operate the QC system is when the firm has responsibilities under 
applicable professional and legal requirements with respect to a firm 
engagement. The distinction between scaled applicability under QC 1000 
(for firms that do not have responsibilities with respect to 
engagements) and full applicability of QC 1000 (for firms that do 
perform engagements) is discussed in more detail below.
    The Board notes, however, that just because work performed on other 
firms' PCAOB engagements at less than a substantial role is not 
considered an ``engagement'' does not mean it is disregarded under the 
QC system. This work, by itself, does not trigger the requirement to 
implement and operate the QC system under QC 1000. However, once a firm 
is required to implement and operate the QC system, the system will 
operate over all work performed by the firm under PCAOB standards, 
including work performed on other firms' PCAOB engagements at less than 
a substantial role. If a firm is required to implement and operate a QC 
system under QC 1000, the Board believes that the QC system should 
address every engagement under PCAOB standards in which the firm 
participates.
3. Firm Personnel
    The proposed standard defined ``firm personnel'' as individual 
proprietors, partners, shareholders, members or other principals, 
accountants, and professional staff of a registered public accounting 
firm whose responsibilities include assisting with: (1) the performance 
of the firm's engagements; or (2) the design, implementation, or 
operation of the firm's QC system, including engagement quality 
reviews. Professional staff refers not only to employees, but also to 
other individuals who work under the firm's supervision or direction 
and control and function as the firm's employees. For example, 
secondees and leased staff would fall under the definition of ``firm 
personnel.''
    Two commenters agreed with the definition as proposed. Some firms 
and related groups objected to including non-employee contractors and 
consultants as firm personnel, in particular because they are not 
subject to the firm's performance evaluation or promotion process. 
These commenters suggested that such persons be classified as other 
participants instead. One commenter expressed concern about potential 
exposure due to the differences between QC 1000 and the definitions of 
employees with Federal, State, and local tax and labor laws.
    The Board continues to believe it is appropriate for the definition 
of firm personnel to include individuals, such as non-employee 
contractors and consultants, who work under the firm's supervision or 
direction and control and function as the firm's employees. In light of 
the range of legal structures and arrangements used by firms in 
acquiring and deploying staff, the Board believes a definition based 
exclusively on legal employment would be too narrow. Instead, the final 
rule retains an approach based on the functional role played by the 
individual rather than a specific legal relationship.
    When the firm is identifying quality risks to quality objectives 
that include firm personnel, it may identify different risks associated 
with non-employee contractors and consultants than other firm 
personnel, and accordingly would have to develop different policies and 
procedures for them. For example, non-employee contractors and 
consultants may be evaluated through the contracting process to 
determine whether the firm should retain them instead of through the 
firm's formal evaluation framework.
    While the Board expresses no view on any tax or labor law 
consequences, it notes that the definition does not conflate ``firm 
personnel'' with employees. On the contrary, the Board acknowledges 
that firm personnel includes some non-employees.
    Some commenters, generally firms and related groups, were opposed 
to the definition including anyone who ``assists with'' engagements or 
the quality control system, as it may include administrative staff. The 
Board revised the definition of firm personnel to clarify that 
``professional staff does not include persons engaged only in clerical 
or ministerial tasks,'' which aligns with the definition of ``Person 
Associated With a Public Accounting Firm (and Related Terms)'' in PCAOB 
Rule 1001(p)(i).\113\
---------------------------------------------------------------------------

    \113\ By aligning the QC 1000 definition of ``firm personnel'' 
with the definition of ``Person Associated with a Public Accounting 
Firm (and Related Terms)'' in this regard, the Board does not mean 
to suggest that only ``firm personnel'' can be associated persons. 
``Other participants'' can also be associated persons.
---------------------------------------------------------------------------

4. Other Participants
    Over the years, audits of issuers have increasingly involved the 
use of entities and individuals outside the firm in performing audit 
procedures and evaluating audit evidence. In the context of amending 
the standards governing the involvement of other auditors in an audit, 
the Board discussed the increasing prevalence and importance of the use 
of other audit firms and individual accountants outside the firm, such 
as an EQR not employed by the firm, and the use of auditor-engaged 
specialists.\114\ While it may be beneficial, and in many cases 
essential, to use other participants in some engagements, these 
arrangements can pose risks because other participants may not be 
subject to the same quality controls as firm personnel (for example, 
with regard to personnel assignments, training, supervision, and 
monitoring).
---------------------------------------------------------------------------

    \114\ See Planning and Supervision of Audits Involving Other 
Auditors and Dividing Responsibility for the Audit with Another 
Accounting Firm, PCAOB Rel. No. 2022-002 (June 21, 2022), at 13; 
Amendments to Auditing Standards for Auditor's Use of the Work of 
Specialists, PCAOB Rel. No. 2018-006 (Dec. 20, 2018), at 10-15.
---------------------------------------------------------------------------

    With respect to work performed in connection with the firm's QC 
system or the performance of its engagements, QC 1000 defines ``other 
participants'' as accounting firms (foreign or domestic, registered or 
unregistered), accountants, and other professionals \115\ or 
organizations, other than firm personnel, whose responsibilities 
include assisting with the performance of the firm's engagements or the 
design, implementation, or operation of the firm's QC system, including 
engagement quality reviews.\116\
---------------------------------------------------------------------------

    \115\ In this context, ``professionals'' refers broadly to 
workers who perform other than clerical or ministerial tasks.
    \116\ It should be noted that ``referred-to auditors,'' as that 
term is defined in the amendments to AS 2101, Audit Planning, 
adopted in PCAOB Rel. No. 2022-002, are not ``other participants'' 
under QC 1000 because the referred-to auditor performs its own 
engagement and does not participate in the engagement of the lead 
auditor.
---------------------------------------------------------------------------

    Some commenters expressed concerns with the use of ``other 
participants'' throughout the standard. Many commenters said the 
proposed responsibilities of the firm with regard to other participants 
were too broad. A few commenters suggested removing the reference to 
other participants from certain specified quality responses and 
allowing firms to tailor their responses to quality objectives for 
other participants. Some commenters were

[[Page 49605]]

specifically concerned about the inclusion of internal auditors and 
external specialists in the standard through other participants, and 
believe they are adequately addressed in other standards. Some 
commenters argued that other participants should not be included in 
another firm's quality control system because they are covered by their 
own firm's quality control system.
    Some commenters suggested bifurcating the definition into other 
participants whose responsibilities include assisting with the 
performance of the firm's engagements and other participants whose 
responsibilities include assisting with the design, implementation, and 
operation of the firm's QC system, on the basis that this would enhance 
clarity regarding to whom the requirements apply. One commenter said 
the policies and procedures related to other participants would differ 
depending on the type of other participant (for example, an internal 
auditor providing direct assistance differs from an auditor, 
specialist, or engagement quality reviewer) and QC 1000 imposes the 
same requirements for each type. One commenter supported the 
definition. One commenter agreed with separately defining ``other 
participants'' and ``third-party providers.''
    The final standard reflects the Board's view that, in designing, 
implementing, and operating its QC system, the firm will have to 
address not only firm personnel but also other auditors \117\ and other 
professionals or organizations that the firm uses in connection with 
the firm's QC system or the performance of its engagements. References 
to other participants are included throughout QC 1000 in a tailored and 
context-specific way that recognizes the key roles that other 
participants play.
---------------------------------------------------------------------------

    \117\ See AS 1205, Part of the Audit Performed by Other 
Independent Auditors, and AS 1201 (which takes effect for audits of 
financial statements for fiscal years ending on or after Dec. 15, 
2024).
---------------------------------------------------------------------------

    The Board recognizes that some other participants may be covered by 
their own firm's quality control system, and that fact may inform the 
firm's risk assessment with respect to their participation. But the 
firm's own QC system must address all the work done on the firm's 
engagements and in connection with the design, implementation, and 
operation of the firm's QC system itself, regardless of who does it.
    Commenters correctly pointed out that specific performance 
standards exist related to the use of certain types of other 
participants in an audit, such as other auditors,\118\ internal 
auditors,\119\ and specialists,\120\ but that does not mean that QC 
over their use in the firm's engagements is unnecessary. In part, the 
QC system operates to assure compliance with those specific audit 
standards. But it must also provide more general assurance about the 
performance of audits in which those types of other participants are 
involved. For example, the Board expects that the firm's policies and 
procedures would cover, if applicable, engaging specialists, 
determining their compliance with ethics and independence requirements, 
and communicating with them as part of the firm's quality control 
system.
---------------------------------------------------------------------------

    \118\ See, e.g., AS 1201, and AS 1206, Dividing Responsibility 
for the Audit with Another Accounting Firm.
    \119\ See, e.g., AS 2605, Consideration of the Internal Audit 
Function.
    \120\ See, e.g., AS 1210, Using the Work of an Auditor-Engaged 
Specialist.
---------------------------------------------------------------------------

    The Board does not believe it is necessary for QC 1000 to bifurcate 
other participants between those that participate in engagements and 
those that are involved with the QC system. Just because a quality 
objective or other provision of QC 1000 refers to all types of other 
participants in the same way does not mean that the firm should respond 
by treating all types of other participants in the same way. On the 
contrary, the firm's policies and procedures addressing other 
participants should differentiate based on the types and roles of other 
participants to the extent necessary to be responsive to the firm's 
quality risks. When designing quality responses, the firm will address 
the specific risks posed by the other participants and their 
responsibilities within the firm's engagements and QC system. For 
example, a firm that uses a network as a resource in many areas, such 
as independence tracking and monitoring, engagement performance, 
information and communication, and monitoring and remediation, would 
have many quality risks and quality responses related to their use of 
the network. A smaller firm that only uses one individual from outside 
the firm as an engagement quality reviewer may have fewer quality risks 
and quality responses related to other participants to address in its 
quality control system.
    The following diagram provides QC 1000's definitions of ``firm 
personnel'' and ``other participants'' and provides examples of each 
type:
BILLING CODE 8011-01-P

[[Page 49606]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.002


[[Page 49607]]


BILLING CODE 8011-01-C
    As noted in the diagram, the persons performing some roles, such as 
an EQR or personnel at shared service centers, may be firm personnel or 
other participants, depending on their relationship to the firm. For 
example, an EQR employed by the firm would be considered firm 
personnel, whereas an EQR contracted from outside the firm that is not 
functioning as a firm employee would be an other participant. 
Similarly, personnel at shared service centers may be firm personnel 
(if they are employed by the firm or function as firm employees) or 
other participants (if they are personnel of another organization, such 
as a network affiliate).
5. Networks
    QC 1000 acknowledges that networks of firms may be structured in a 
variety of ways and could include arrangements between firms for 
sharing knowledge; developing and implementing consistent policies, 
tools, and methodologies; conducting multi-location engagements; or 
executing other types of business or administrative matters. Through 
its oversight activities, the PCAOB has observed that some networks 
provide or require use of a wide range of resources and services and 
may involve various levels of personnel, composed of a mix of the 
firm's national and local office personnel. Some examples of resources 
and services that networks provide include:
     Audit methodologies;
     Technology tools;
     Training;
     Risk management activities;
     Consultations on accounting, auditing, and SEC matters;
     Preventive engagement-level monitoring and coaching;
     Support for inspections; and
     Root cause analysis and remediation.
    Since networks may involve a wide variety of different arrangements 
and different degrees of coordination and cooperation across firms, 
rather than attempting to define the term ``network,'' QC 1000 
describes these types of arrangements in more general terms.\121\ Under 
the standard, networks may include a combination of registered and 
unregistered accounting firms and other entities.
---------------------------------------------------------------------------

    \121\ In the standard, references to a ``network'' encompass all 
of the memberships and affiliations that registered firms must 
report to the PCAOB in Item 5.2 of their annual report on Form 2, 
including certain networks, arrangements, alliances, partnerships, 
and associations. See Item 5.2, PCAOB Form 2 (describing reporting 
requirements for memberships, affiliations, and similar 
arrangements).
---------------------------------------------------------------------------

6. Third-Party Providers
    Commenters on this topic supported the definition of third-party 
providers as proposed.
    The standard addresses resources used by the firm that are sourced 
from third-party providers. Third-party providers are individuals or 
organizations, other than other participants, as defined above, that 
provide resources to the firm that are specifically designed for use in 
the performance of engagements or to assist in the operation of its QC 
system.\122\ The following diagram provides QC 1000's definition of 
``third-party providers'' and several examples of them:
---------------------------------------------------------------------------

    \122\ Providers of resources that are not specifically designed 
for use in the performance of engagements or to assist in the 
operation of firms' QC systems (e.g., general word processing and 
spreadsheet software) are not ``third-party providers'' as the Board 
has defined that term.
[GRAPHIC] [TIFF OMITTED] TN11JN24.003


[[Page 49608]]



Scalability

    The approximately 1,600 firms registered with the PCAOB differ 
significantly based on their nature and circumstances:
     Approximately 53% of firms are located in foreign 
jurisdictions, representing 89 foreign jurisdictions;
     Approximately 20% of total firms, and 40% of firms located 
in foreign jurisdictions, belong to one of six global networks that 
contain the largest number of registered, non-U.S. firms that share 
resources such as methodology and monitoring activities; \123\
---------------------------------------------------------------------------

    \123\ The six global networks that contain the largest number of 
registered, non-U.S. firms as reported on Form 2s filed in 2023 are: 
BDO International Limited, Deloitte Touche Tohmatsu Limited, Ernst & 
Young Global Limited, Grant Thornton International Limited, KPMG 
International Cooperative, and PricewaterhouseCoopers International 
Limited (the member firms of these networks are collectively 
referred to herein as ``GNFs'').
---------------------------------------------------------------------------

     Approximately 60 firms are sole proprietorships;
     Approximately 650 firms, or 41% of firms, performed an 
engagement under PCAOB standards for an issuer or broker-dealer during 
the 12 months ended June 2023;
     Approximately 70 only played a substantial role in such 
engagements in the past year;
     Approximately 140 performed audits of only broker-dealers 
in the past year;
     Approximately 130 firms that did not perform an engagement 
under PCAOB standards for an issuer or broker-dealer in 2022 did 
perform such an engagement in the past five years; and
     Approximately 51% of firms have not performed an 
engagement under PCAOB standards for an issuer or broker-dealer in the 
past five years.\124\
---------------------------------------------------------------------------

    \124\ The data were obtained from Audit Analytics and publicly 
available data from the PCAOB's Registration, Annual and Special 
Reporting (RASR) available at https://rasr.pcaobus.org. The PCAOB 
does not collect information about whether registered firms perform 
engagements under PCAOB standards other than for issuers and broker-
dealers. Firms may be engaged, for example, in connection with the 
audit of a reporting company that does not meet the Sarbanes-Oxley 
definition of ``issuer'' described in footnote 2 above, in 
connection with certain offerings of securities that are exempt from 
registration under the Securities Act (e.g., offerings under 
Regulation A, Regulation D, or Regulation Crowdfunding), pursuant to 
a contractual obligation such as a loan covenant, or on an entirely 
voluntary basis.
---------------------------------------------------------------------------

    While the Board believes the basic objectives of the QC system 
ought to be the same across all firms, the Board believes the QC 
standard needs to be appropriately scalable, so that firms of different 
sizes and characteristics can appropriately design their QC system to 
address the risks associated with their own practice.
    The specific policies and procedures necessary to achieve the 
objectives of the QC system may vary significantly across firms, 
depending on their size, the types of engagements they perform, and 
other factors. The Board believes that QC 1000 is sufficiently 
principles-based and scalable that firms will be able to pursue an 
approach to QC that is appropriate in light of their specific 
circumstances.
    In the Board's view, firms that perform engagements under PCAOB 
standards should generally be subject to the same QC requirements. In 
particular, the Board does not believe the historical distinction 
between firms that were members of the SECPS in 2003 and those that 
were not has continuing relevance in determining the QC standards that 
should apply today. Accordingly, the Board eliminated that distinction. 
As discussed in more detail below, QC 1000 incorporates certain SECPS 
requirements, making them applicable to all firms, and eliminates 
others. However, the Board also believes there are specific areas, such 
as firm governance, where firms with larger PCAOB audit practices 
should be subject to enhanced requirements. QC 1000 includes several 
requirements that apply only to the firms that meet the statutory 
threshold for annual PCAOB inspection.
    The Board is aware that there is a significant number of registered 
firms that do not perform engagements under PCAOB standards every 
year--they only participate in other firms' engagements at less than 
the level of a substantial role or have no involvement in issuer or 
broker-dealer engagements. The Board believes that the risk to investor 
protection is minimal if the firm is not performing engagements under 
PCAOB standards for issuers and SEC-registered broker-dealers, and that 
it is appropriate to provide for more limited QC obligations in those 
circumstances. Under QC 1000, all registered firms are required to 
design a QC system but only firms that are subject to applicable 
professional and legal requirements with respect to a PCAOB engagement 
are required to implement and operate the QC system.
1. Scaled Applicability vs. Full Applicability
    The Board created a fundamental distinction in QC 1000 between the 
obligation to design a QC system in compliance with the standard, which 
will apply to all firms,\125\ and the obligation to implement and 
operate an effective QC system, which, broadly speaking, will apply 
only to firms that perform engagements under PCAOB standards.
---------------------------------------------------------------------------

    \125\ QC 1000.06, discussed below, sets out the requirements for 
QC system design.
---------------------------------------------------------------------------

    Under the standard, firms are required to implement and operate an 
effective QC system--that is, comply with all provisions of QC 1000--at 
all times that the firm is required to comply with applicable 
professional and legal requirements with respect to any of the firm's 
engagements.\126\
---------------------------------------------------------------------------

    \126\ QC 1000.07.
---------------------------------------------------------------------------

    As noted above, many registered firms do not perform engagements 
every year. However, a firm that is not currently performing any 
engagements may nevertheless have to comply with applicable 
professional and legal requirements with respect to a previous or 
future firm engagement. For example, procedures for the acceptance of a 
new engagement have to be performed before the engagement is conducted. 
Responsibilities may also arise with respect to completed engagements 
long after the issuance of the auditor's report--for example, if the 
issuer requests the auditor's consent to include its report in a 
registration statement, if an engagement deficiency is identified that 
requires remediation, or if the auditor becomes aware of facts that may 
have existed at the date of the auditor's report which may have 
affected the report. In the Board's view, whenever a firm has 
responsibilities under applicable professional and legal requirements 
with respect to an engagement, those responsibilities should be 
performed under a QC system that is implemented, is operating, and 
complies with PCAOB standards.
    Importantly, if a firm is required to implement and operate an 
effective QC system, the firm would not necessarily have to implement 
and operate every QC policy or procedure that it has designed. An 
effective QC system provides reasonable assurance that the firm is 
complying with ``applicable'' professional and legal requirements. The 
extent of ``applicable'' requirements could change depending on the 
firm's circumstances, and the QC system policies and procedures that 
the firm would have to implement and operate could change in response. 
For example, if a firm last performed an engagement (as defined in the 
standard) five or six years ago and has no current responsibilities 
with respect to any other firms' engagements, it might be subject only 
to requirements regarding

[[Page 49609]]

the retention of certain engagement-related documentation.\127\ In such 
a circumstance, an effective QC system--i.e., a system that provides 
reasonable assurance that the firm is complying with applicable 
professional and legal requirements regarding such documentation--could 
be scaled back to address only engagement-related documentation 
retention, as well as ongoing evaluation, reporting, and documentation 
requirements with respect to the QC system itself. The Board asked in 
the proposing release whether it was clear how a firm's 
responsibilities under QC 1000 may change depending on the extent of 
applicable professional and legal requirements to which the firm is 
subject at a particular time, and commenters that responded on the 
issue were generally supportive.
---------------------------------------------------------------------------

    \127\ See AS 1215; 17 CFR 210.2-06.
---------------------------------------------------------------------------

    If the firm has no more responsibilities with respect to any 
engagement, the firm is required to continue operating the QC system 
until the next September 30 (the annual evaluation date). This would 
ensure that the firm would be required to evaluate and report on the QC 
system for any year during which the QC system was required to 
operate.\128\
---------------------------------------------------------------------------

    \128\ QC 1000.07. The proposed requirements for evaluation of 
and reporting on the QC system are discussed below.
---------------------------------------------------------------------------

    Firms that are not subject to the requirement to implement and 
operate the QC system are still subject to the requirement to design a 
QC system that complies with QC 1000.\129\ Paragraph .06 of QC 1000, 
discussed below, sets out the requirements for design of the QC system 
in more detail.
---------------------------------------------------------------------------

    \129\ The standard makes clear that any existing obligations 
under QC 1000 (for example, reporting obligations with respect to 
prior periods when the firm was required to implement and operate 
the QC system) would continue.
---------------------------------------------------------------------------

    The Board believes it is appropriate to limit the application of 
the requirements of QC 1000 for firms that have no obligations under 
applicable professional and legal requirements with respect to firm 
engagements. Indeed, in those situations it is hard to see how a firm 
could, as a practical matter, ``implement'' or ``operate'' its QC 
system. Implementation and operation contemplate, among other things, 
the application of QC policies and procedures to the firm's 
engagements, monitoring of work performed on engagements, and 
identification and remediation of engagement deficiencies. Without 
``engagements,'' as the standard defines that term, implementation and 
operation of a QC system would be largely hypothetical. Moreover, the 
population of firms that are subject only to the design requirements of 
QC 1000 is comprised entirely of firms that are not required to be 
registered with the PCAOB--because they do not participate in 
engagements under PCAOB standards or do so only below the level of a 
substantial role.\130\
---------------------------------------------------------------------------

    \130\ If a firm requests leave to withdraw from PCAOB 
registration and is permitted to do so, the firm, upon its 
withdrawal from registration, would no longer be subject to an 
obligation to design, implement, or operate a QC system in 
accordance with QC 1000.
---------------------------------------------------------------------------

    Many commenters, including firms and related groups, investor-
related groups, academics, and others, did not support requiring firms 
that are not required to comply with applicable professional and legal 
requirements to design a QC system under QC 1000. Several of these 
commenters expressed concerns that this would be unnecessarily costly 
to those firms, or suggested that there could be challenges associated 
with implementing and operating a QC system based on hypothetical risks 
that could differ from the actual risks at the time the firm accepts 
and performs engagements pursuant to PCAOB standards. Some commenters 
suggested that this requirement may cause firms to deregister with the 
PCAOB, decline to assist U.S. firms in executing their global audits, 
or create a potential barrier to entry for new firms in the 
marketplace. One firm-related group commented that as this aspect of 
the proposal affects such a large number of firms, the potential 
political impacts deserve further consideration. The firm-related group 
further commented that foreign firms could see this as an accelerator 
to a decision to not service specific audit markets, which potentially 
impacts audit markets beyond the U.S., and that policy makers in other 
countries may view the potential for further market concentration more 
significantly.
    Firms and a related group raising cost concerns with the proposed 
QC system design requirements suggested allowing firms that do not 
perform engagements the flexibility to design their QC system in 
accordance with another QC standard, such as ISQM 1 or SQMS 1. One of 
these firms further suggested that firms transitioning to performing 
engagements under PCAOB standards be given an additional six months to 
one year from their annual evaluation date to file their Form QC for 
the transition period. The firm asserted that even if a firm has 
complied with the design requirements, implementing and operating a QC 
system that complies with the standard would involve significant 
effort. Another firm suggested that it would be more appropriate to 
have a transition period for the registered public accounting firm to 
update their system of quality control to adhere to the incremental 
requirements of the PCAOB. An academic suggested that the design 
requirements for firms that have not performed and do not plan to 
perform engagements pursuant to PCAOB standards should be limited to 
client acceptance components. One firm suggested that the standard 
could include a requirement that firms are not allowed to perform an 
engagement under PCAOB standards until they have designed and 
implemented QC 1000. Other commenters suggested that registered firms 
that do not intend to conduct PCAOB audits should not be required to do 
anything under QC 1000.
    Other commenters suggested a variety of approaches for when firms 
should be required to implement and operate a QC 1000-compliant QC 
system. One firm suggested that firms that only perform a substantial 
role in more than a certain threshold (presumably to be specified by 
the PCAOB) of PCAOB engagements could be permitted to comply with ISQM 
1 instead of being subject to full applicability of QC 1000. Another 
commenter suggested that smaller firms (e.g., triennially inspected 
firms with fewer than 100 issuer engagements) be permitted the option 
of complying with ISQM 1 or SQMS 1 as an alternative to QC 1000. 
Another firm suggested that the PCAOB should permit non-U.S. firms to 
comply with ISQM 1 rather than adopting QC 1000. Another commenter 
suggested that the criteria for full applicability of the standard 
should be based on whether the engagements individually or in the 
aggregate involve a material amount of market capitalization. The 
commenter suggested that under such an approach, the requirement to 
operate the QC system could be optional for registered firms auditing 
companies with a smaller market capitalization.
    Some commenters, including a firm, a firm-related group, and an 
investor, commented that the requirement to design a QC 1000-compliant 
QC system is appropriate for any registered firm, even if it is not 
performing engagements or playing a substantial role in other firms' 
engagements. One firm-related group agreed that whenever a firm has 
responsibilities under applicable professional and legal requirements 
with respect to an engagement, those responsibilities should be 
performed under a fully implemented and operating QC system that 
complies with

[[Page 49610]]

PCAOB standards. However, the commenter asked for clarification on the 
circumstances that trigger the need for a firm to implement and operate 
a QC system in compliance with QC 1000, and suggested targeted guidance 
in that area would be helpful.
    The Board continues to believe that requiring all registered firms 
to design a QC system that complies with the standard, regardless of 
whether they have obligations with respect to engagements, is 
consistent with the PCAOB's statutory mandate and historical practice. 
Sarbanes-Oxley directs the PCAOB to include in its QC standards 
requirements related to numerous topics for ``every'' registered public 
accounting firm.\131\ The statute also directs the PCAOB that 
applications for registration with the PCAOB must contain ``a statement 
of the quality control policies of the [applicant] for its accounting 
and auditing practices.'' \132\ Consistent with that directive, as a 
condition to registration, applicants are required to furnish ``a 
narrative, summary description, in a clear, concise and understandable 
format, of the quality control policies of the applicant for its 
accounting and auditing practices, including procedures used to monitor 
compliance with independence requirements,'' \133\ and that description 
must provide an overview of the applicant's quality control policies 
regarding each element of quality control.\134\ Therefore, firms that 
register with the Board are already required to provide a summary of 
the design of their QC system regardless of whether they have 
obligations with respect to engagements.\135\
---------------------------------------------------------------------------

    \131\ Section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C. 
7213(a)(2)(B).
    \132\ Section 102(b)(2)(D) of Sarbanes-Oxley, 15 U.S.C. 
7212(b)(2)(D).
    \133\ Item 4.1 of PCAOB Form 1 (``Applicant's Quality Control 
Policies''). The Board modified the information about QC required in 
Form 1. See below.
    \134\ See Frequently Asked Questions Regarding Registration with 
the Board, PCAOB Rel. No. 2003-011F (Dec. 4, 2017) (Question #32), 
available at https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/registration/information/documents/registration_faq.pdf?sfvrsn=c50d7356_0. As part of this rulemaking 
the requirements in Form 1 are being amended.
    \135\ In a separate rulemaking, the Board proposed to create a 
new form, Form QC--Policies and Procedures (``Form QCPP''), to 
require that, once QC 1000 becomes effective, any firm that 
registered with the Board prior to the date that QC 1000 becomes 
effective must submit an updated statement of the firm's quality 
control policies and procedures pursuant to QC 1000. See Firm 
Reporting, Rel. No. 2024-003 (Apr. 9, 2024) at 41.
---------------------------------------------------------------------------

    The Board also believes that requiring all firms to design a QC 
system that complies with all provisions of QC 1000, and not just 
limiting the requirement to certain components such as acceptance and 
continuance of engagements, is consistent with its investor protection 
mandate. While the Board acknowledges that there could be challenges 
associated with implementing and operating a QC system based on 
hypothetical risks, it continues to believe that it is important for 
registered firms to design a QC system based on the quality risks the 
firm likely would face if it were to perform engagements. Because 
registering with the PCAOB enables a firm to issue audit reports or 
play a substantial role on audits performed under PCAOB standards for 
issuers and broker-dealers, and because investors and companies 
considering engaging the firm could reasonably expect that any firm 
that could pursue such an engagement would already have a PCAOB-
compliant QC system designed and ready for implementation and 
operation, the Board believes that imposing a design requirement on all 
registered firms promotes its mission of protecting investors and 
promoting the public interest.
    As discussed in more detail below, QC 1000 includes requirements 
that do not appear in other QC standards or that are more prescriptive 
or more specifically tailored to the PCAOB's legal and regulatory 
environment than the provisions of ISQM 1 or SQMS 1. Because of these 
key differences, the Board does not believe that a QC system design 
based on ISQM 1 or SQMS 1, as suggested by some commenters, would be 
sufficient. Furthermore, the Board believes that compliance with ISQM 1 
may not be the regulatory baseline within certain jurisdictions. The 
PCAOB has observed other standard setters and regulators adopt 
variations of ISQM 1, which typically include more detailed and 
stringent requirements.\136\ Therefore, the Board believes that audit 
firms within some jurisdictions will already have to design and operate 
a QC system that goes beyond the requirements of ISQM 1, and it would 
not be appropriate for the Board to permit compliance with a less 
stringent quality system than the one required in the local regulatory 
environment. Similarly, the Board does not believe that it would be 
appropriate for it to permit firms to comply with their locally 
applicable variation of ISQM 1 as this would result in the PCAOB 
requiring and managing compliance with a multitude of different QC 
standards.
---------------------------------------------------------------------------

    \136\ See, e.g., International Standard on Quality Management 
(UK) 1, adopted by the Financial Reporting Council (March 2023).
---------------------------------------------------------------------------

    The Board also continues to believe that, whenever a firm has 
responsibilities under applicable professional and legal requirements 
with respect to a firm engagement, those responsibilities should be 
performed under a QC system that is implemented, is operating, and 
complies with PCAOB standards. Given the unique features of QC 1000, 
compliance with ISQM 1 or SQMS 1 would not, in the Board's view, be an 
adequate substitute, nor would the Board's regulatory purposes be 
served by providing firms with an extended compliance period after they 
take on an engagement.
    The Board does not believe that this requirement will result in 
disruption to competition in the audit market. Firms that are subject 
to applicable professional and legal requirements with respect to 
engagements, including substantial role engagements, are required to 
implement and operate a QC 1000-compliant QC system. If a registered 
firm that has not led an engagement or played a substantial role in the 
past anticipates the possibility of transitioning to performing 
engagements, the Board believes the requirement to design a QC system 
that complies with QC 1000 will facilitate timely implementation and 
operation of their QC 1000 QC system, which will in turn facilitate 
appropriate performance of the engagements; appropriate monitoring and, 
if necessary, remedial action; and timely evaluation and reporting on 
Form QC.\137\ QC 1000 shares a basic structure and approach with ISQM 1 
and SQMS 1, so designing for the incremental features unique to QC 1000 
should not be unduly burdensome for firms that are subject to either or 
both of those other QC standards (which the Board believes will be the 
case for a very substantial majority of firms that are in a position to 
perform PCAOB engagements).\138\
---------------------------------------------------------------------------

    \137\ The Board understands that the actual quality risks the 
firm faces when it takes on an engagement may differ from the 
hypothetical risks considered in designing the QC system. QC 1000 
requires the firm to establish policies and procedures to monitor, 
identify, and assess changes to conditions, events, and activities 
that indicate modifications to the firm's quality objectives, 
quality risks, or quality responses may be needed, and to make 
timely modifications as needed. See QC 1000.22-23.
    \138\ See Section D.
---------------------------------------------------------------------------

    The Board does not believe that QC 1000 conflicts with the 
requirements of other standard setters or that anything prevents firms 
from developing a single QC system for their entire practice that 
satisfies both PCAOB requirements and other professional standards to 
which the firm is subject. The Board

[[Page 49611]]

acknowledges certain differences between QC 1000 and the quality 
management standards set by other standard setters, in particular areas 
where QC 1000 establishes additional or more stringent requirements. 
However, the Board believes that quality responses developed by firms 
under QC 1000 can be considered by firms for the purposes of other 
quality management standards to which they are subject, reducing the 
need for two or more separate QC systems.
BILLING CODE 8011-01-P
[GRAPHIC] [TIFF OMITTED] TN11JN24.004

BILLING CODE 8011-01-C
    Firms participating in a PCAOB engagement below the level of a 
substantial role do not require registration with the PCAOB. If such a 
firm does not lead and does not plan to lead engagements or play a 
substantial role in engagements pursuant to PCAOB standards, then the 
Board believes that the firm should assess whether the costs of 
complying with the design requirement are commensurate with their 
perceived benefit of being registered with the PCAOB.
2. Other Scalability Considerations
    Aspects of QC 1000 are risk-based, which makes them inherently 
scalable. Firms are required to apply a risk-based approach to the 
design, implementation, and operation of the QC system in the context 
of their own audit practice. The standard provides that the firm will 
tailor the design of its QC system to its specific facts and 
circumstances, such as:
     The size and complexity of the firm;
     The types and variety of engagements it performs;
     The types of companies for which it performs engagements; 
and

[[Page 49612]]

     Whether it is a member of a network and, if so, the nature 
and extent of the network relationship.
    Several commenters, including firms and a firm-related group, 
suggested that the proposed standard was too prescriptive. Many of 
these commenters suggested that, to promote further scalability, 
specified quality responses could be replaced with quality objectives 
to allow each firm to develop quality responses appropriate to the 
circumstances and risks for their firm. One of these firms stated that 
it disagreed with the notion in the proposing release that a specified 
quality response suggests that every firm has the same or similar 
quality risks and that the responses to those risks will also be the 
same or similar. Another firm suggested that the specified quality 
responses make the standard inherently less scalable and could be a 
barrier to entry for smaller firms. The firm further suggested that an 
overreliance on specified quality responses could discourage firms from 
performing robust risk assessments and developing tailored quality 
responses. Other commenters also suggested that more scalability could 
be incorporated into the standard through consideration of concepts 
such as professional judgment, relevance, or reliability. Some 
commenters suggested that further alignment of QC 1000 to ISQM 1 or 
SQMS 1 would promote further scalability. One firm stated that the 
standard was overly prescriptive and suggested that specific guidance 
be provided to small and medium-sized firms focused on operationality 
of the standard. Several commenters expressed concern that the 
prescriptive nature of QC 1000 would negatively affect smaller firms.
    As discussed above, some specified quality responses carry 
requirements from current PCAOB standards into QC 1000, while others 
provide new requirements that the Board believes are important to a 
firm's QC system. The Board believes that this approach is appropriate 
and that the specified quality responses are required to address 
certain quality risks that are present in all firms that perform PCAOB 
engagements and to assure that the QC system is designed, implemented, 
and operated with an appropriate level of rigor. The inclusion of 
specified quality responses in the standard should not be interpreted 
to suggest that the Board believes all firms have the same or similar 
quality risks overall; the specific risks addressed by specified 
quality responses are likely a small subset of the overall population 
of quality risks identified by a firm, and the Board expects 
potentially wide variation in the full set of risks faced by different 
firms.
    The Board believes that the standard incorporates the concepts of 
professional judgment, relevance and reliability where it is 
appropriate, for example, in the ability to exercise professional 
judgment in the determination of whether a major QC deficiency exists, 
or the discussion in the information and communication component noting 
that information would have to be both relevant and reliable such that 
it supports the operation of the firm's QC system and the performance 
of the firm's engagements in accordance with applicable professional 
and legal requirements. The Board continues to believe that the 
inclusion of prescriptive requirements in certain areas promotes its 
mission of protecting investors and promoting the public interest.
    An investor-related group commented that it supports a risk-based 
approach up to a point, but it expressed concern that the standard 
placed too much emphasis on scalability and recommended the development 
of a set of minimum requirements for the establishment of quality 
control systems. Another commenter stated that the PCAOB should not let 
scalability concerns get in the way of driving change and improving 
quality, further suggesting that smaller-firm considerations should not 
get in the way of doing the right thing for the largest audit firms. 
One commenter suggested more specific requirements relating to the 
audits of broker-dealers, commenting that a high deficiency rate in 
broker-dealer audits suggests the need for more specific requirements 
with respect to audits of broker-dealers, such as requirements for 
specific expertise in the conduct of broker-dealer audits, or, to the 
extent that the broker-dealer is a subsidiary of an issuer, 
requirements relating to coordination between the broker-dealer audit 
team and the audit team of the issuer parent company.
    The final standard establishes a set of minimum requirements that 
all firms must follow in the establishment of their QC system. As 
discussed in more detail below, while QC 1000 provides some flexibility 
with regard to the quality risks that firms identify and the quality 
responses that firms develop to address those risks, it does not 
provide the same flexibility with regard to quality objectives or 
specified quality responses. Instead, quality objectives and specified 
quality responses that will apply to all firms are specified in the 
standard. Firms can establish additional quality objectives--indeed, 
they are required to do so if necessary to achieve the reasonable 
assurance objective--but they generally cannot omit or modify any of 
the quality objectives or specified quality responses set out in the 
standard.
    Within a uniform basic structure to be used by all firms, QC 1000 
reflects a risk-based, scalable approach, particularly in the risk 
assessment process and the monitoring and remediation process. The 
nature and extent of these processes would be commensurate with the 
firm's quality risks and would therefore vary across firms in nature, 
scope, and complexity. The Board believes it is crucial that the 
standard be scalable so that firms of different sizes and 
characteristics can appropriately design their QC system to address the 
risks associated with their own practice, including specific risks 
relating to the types of companies that they audit, such as broker-
dealers. The Board believes that an appropriate balance between quality 
objectives and specified quality responses is the best approach to 
improve quality across firms of all sizes that perform engagements 
pursuant to PCAOB standards, whether these be issuer or broker-dealer 
engagements. Similarly, the form, content, and extent of required 
documentation related to the QC system will be driven by a firm's 
nature and circumstances. QC 1000 contains both provisions that scale 
down, by tailoring for smaller PCAOB audit practices, and provisions 
that scale up, by focusing on risks faced by the largest firms.
    Some provisions of QC 1000 focus particularly on firms with a 
smaller PCAOB audit practice. These include:
     Depending on the nature and circumstances of the firm 
(including its size and structure), a single individual may be assigned 
more than one of the QC system oversight roles required under the 
standard; and
     If the firm issued engagement reports with respect to five 
or fewer engagements for issuers, brokers, and dealers during the prior 
calendar year, engagement monitoring activities may include monitoring 
audits not performed under PCAOB auditing standards. For firms with 
this number of engagements performed under PCAOB standards, the Board 
understands that requiring a firm to annually monitor its engagements 
that are performed under PCAOB standards increases the likelihood of 
the same partner being inspected every year under QC 1000. The Board 
believes this could disincentivize partners from serving as the 
engagement partner and ultimately affect competitive conditions in the 
market.

[[Page 49613]]

    Other provisions of QC 1000 impose incremental requirements on 
firms that issued audit reports for more than 100 issuers in the prior 
calendar year, including:
     An external oversight function for the QC system composed 
of one or more persons who are not partners, shareholders, members, 
other principals, or employees of the firm;
     A program for collecting and addressing complaints and 
allegations that includes confidentiality protections;
     An automated system for identifying investments in 
securities that might impair independence; and
     A requirement to perform in-process monitoring of 
engagements.
    These incremental requirements specifically target and respond to 
potential quality risks that the Board believes are more likely to 
arise in audit practices of a certain size and complexity. Firms that 
audit fewer than 100 issuers may still determine that the incremental 
requirements are an appropriate quality response for quality risks that 
they have identified specific to their firm, but these are not 
mandatory for these smaller PCAOB audit practices to promote 
scalability of the standard.
    Several commenters, including firms, suggested that the threshold 
for any incremental requirements be raised to 500 issuers, to align 
with the existing SECPS requirement that firms that audit more than 500 
SEC registrants have an automated system to identify investment 
holdings of partners and managers that might impair independence.\139\ 
One of these firms also suggested a dual-threshold approach that would 
consider both the number of issuers audited and the market 
capitalization of the issuers. Two commenters, including an investor-
related group and an academic, suggested that there should not be a 
threshold for incremental requirements, and all requirements of the 
standard should apply to all firms regardless of the size of the firm. 
The academic suggested that the incremental requirements may give rise 
to actual or perceived differences in audit quality between larger 
audit firms that issue audit reports for more than 100 issuers and 
smaller audit firms that issue audit reports for fewer than 100 
issuers. One firm suggested that the incremental requirements only 
apply to those firms subject to annual inspection under the PCAOB's 
rules (in case the 100-issuer threshold for regular inspection in Rule 
4003, Frequency of Inspections, ever were changed), and another firm 
suggested that these should only apply to the top six firms.
---------------------------------------------------------------------------

    \139\ See SECPS 1000.46 (requirement 4).
---------------------------------------------------------------------------

    Two investor-related groups suggested that if the final standard 
does include a threshold for certain incremental requirements, the 
threshold should relate to the market capitalization of the issuers 
that the firm's audit practice covers rather than the number of issuer 
audit reports the firm issues. Other commenters were also supportive of 
a market capitalization-based threshold.
    Several commenters suggested that the nature of the firm's audit 
practice be taken into consideration when determining the applicability 
of the incremental requirements, and that just looking to the number of 
issuers may not be an appropriate measure for the size or complexity of 
the audit practice. One commenter suggested that the proportion of the 
PCAOB audits to the size of the practice within a firm is also a 
relevant factor to consider. Some commenters suggested that imposing a 
threshold of 100 issuers could impose a barrier to entry for firms that 
wish to expand their audit practices beyond 100 issuers and, as a 
result, firms may manage their practice to stay below the 100-issuer 
threshold.
    The Board believes that requiring certain incremental requirements 
of firms with larger PCAOB audit practices is appropriate and that the 
complexities inherent to large and complex firms are likely to give 
rise to quality risks for which the incremental requirements would be 
appropriate quality responses. Based on the comments received, the 
Board considered whether alternative measures could be used that looked 
to the nature and complexity of the issuers being audited, for example, 
through a market capitalization-based threshold. The Board believes it 
is appropriate to retain the threshold as proposed, based on the size 
of a firm's issuer audit practice rather than referencing the size of 
the companies subject to audit by the firm.
    In general, the Board believes that the number of issuers is the 
most indicative measure of a firm's size and the complexity of its 
audit practice. Under a market capitalization measure, a firm that 
audits a single very large issuer could look like a large firm, but its 
practice may well be less complex than a firm that audits a large 
number of small issuers. The incremental requirements in QC 1000 
respond to specific issues or risks--firm governance, confidential 
handling of complaints and allegations, tracking investments that may 
bear on independence, and monitoring of in-process engagements--that 
the Board believes are more significant in complex practices handling 
large numbers of engagements. Therefore, the threshold was adopted as 
proposed.
    In addition, the Board believes that larger PCAOB audit practices 
that audit a greater number of issuers are more likely to have the 
resources to be able to effectively comply with the incremental 
requirements at a level commensurate to the risk.
    The Board also believes that firms are familiar with the proposed 
threshold of issued audit reports for more than 100 issuers, because it 
is used to determine which firms are subject to annual PCAOB 
inspection.\140\ The Board does not believe it to be appropriate to 
increase the threshold to 500 issuers or to specifically limit the 
requirements to certain firms. The Board believes that firms that audit 
between 100 and 500 issuers are sufficiently large such that potential 
quality risks may arise as a result, and that the incremental 
requirements would be responsive to these risks.
---------------------------------------------------------------------------

    \140\ See section 104(b)(1)(A) of Sarbanes-Oxley, 15 U.S.C. 
7214(b)(1)(A); PCAOB Rule 4003, Frequency of Inspections.
---------------------------------------------------------------------------

    Several commenters suggested that a cut-off date for the 
measurement of the size of the firm's issuer practice relative to the 
100-issuer threshold, and a related transition period after a firm 
passes the 100-issuer threshold, be specified in the standard to allow 
time for firms to implement the incremental requirements. One of these 
commenters specifically requested consideration of the effective date 
for the implementation and operation of the incremental requirements 
if, because of a merger or acquisition, the resultant firm performs 
audits of more than 100 issuers.
    The standard specifies a measurement cut-off date for the 100-
issuer threshold of the prior calendar year-end. Therefore, if a firm 
has issued audit reports with respect to more than 100 issuers in the 
period January 1 to December 31, in any given year, the firm must 
implement the incremental requirements beginning the following January 
1 and evaluate compliance with the incremental requirements as of the 
following September 30. The Board believes that firms continuously 
track the size of their issuer audit practice for the purpose of 
monitoring the threshold for annual inspection by the PCAOB. Therefore, 
prior to the calendar year-end measurement cut-off date, the Board 
expects that firms should have an informed view as to whether they will 
need to design, implement, and operate the incremental requirements for 
the

[[Page 49614]]

following year. Similarly, the Board believes that a merger or 
acquisition between firms would take time to finalize such that the 
firms would have an informed view of whether the incremental 
requirements would be applicable to the successor firm, providing 
additional time for the firms to design, implement, and begin operating 
the incremental requirements. In addition, the Board does not believe 
that it is appropriate or consistent with its investor protection 
mandate to allow a firm that audits over 100 issuers to not operate the 
incremental requirements beginning the calendar year following the date 
of the merger or acquisition if that merger or acquisition resulted in 
the firm auditing more than 100 issuers. The Board believes that 
specific quality risks could arise as the result of a merger or 
acquisition; for example, a sudden increase in the size of the firm 
could exacerbate the potential quality risks that exist as a result of 
a firm's size, to which the incremental requirements would be 
responsive. Furthermore, there is nothing in the standard that prevents 
firms from implementing the incremental requirements earlier than 
required, if they believe it to be likely that the threshold will be 
met.

QC 1000: A Firm's System of Quality Control

Introduction

    This section describes the requirements of QC 1000 and highlights 
the key differences between the final standard and current QC 
standards. Terms defined in Appendix A to QC 1000, Definitions, are 
italicized throughout QC 1000.
    The introduction section of the standard sets up the structure for 
providing the standard's requirements. Paragraphs .01-.02 describe the 
risk-based approach to the firm's QC system and acknowledge the 
important role of the QC system--supporting consistent performance of 
engagements in accordance with applicable professional and legal 
requirements--in protecting investors through the preparation of 
informative, accurate, and independent engagement reports. To emphasize 
the auditor's role in investor protection, the Board added language to 
the final standard reminding auditors that the firm's QC system 
enhances investors' ability to rely on engagement reports. The Board 
also reversed the order of paragraphs .01 and .02 to improve flow.
    One commenter suggested a risk-based approach to quality control 
with minimum requirements integrated into it, instead of a purely risk-
based approach. The Board agrees that a purely risk-based approach 
would be inappropriate. As proposed and as adopted, QC 1000 is not a 
purely risk-based standard. It establishes mandatory quality objectives 
that every firm is required to achieve; lays out detailed, required 
processes for risk assessment, monitoring and remediation, and annual 
evaluation of the QC system; requires specified quality responses in 
many areas; and fosters accountability and rigor through mandated key 
roles for the QC system with specified individual responsibility and 
accountability and required reporting to the PCAOB.

The Firm's QC System

1. QC 1000
a. Objective of the QC System (QC 1000.05)
    The proposal asked if the reasonable assurance objective was 
appropriate and if there were additional objectives that the QC system 
should achieve. Many commenters, including firms, supported the 
reasonable assurance objective and did not support additional 
objectives for the QC system.
    Some commenters, including investors and investor-related groups, 
said there should be an explicit acknowledgement that auditing serves a 
public purpose and that the system of quality control therefore should 
serve investors. Other investors and investor-related groups suggested 
that the quality control system should seek a higher performance 
standard than mere compliance. Two commenters suggested that the 
objective should be expanded, so that in addition to complying with 
applicable professional and legal requirements, engagements should be 
performed in a manner that is responsive to the needs of investors by 
ensuring high-quality financial reporting. Another suggested that the 
foundation of the system should promote high-quality and ``useful'' 
financial and non-financial information and achieve a high level of 
transparent financial reports. The commenter also suggested removing 
the qualifier ``reasonable'' and emphasizing that the term 
``assurance'' refers to a high level of assurance.
    The Board agrees with these commenters that QC 1000 should frame 
auditor responsibilities in terms of investor protection, and revised 
paragraph .05 to reinforce that, as discussed in more detail below. The 
Board also considered broadening the objective of the QC system beyond 
compliance in a number of ways, as suggested by commenters.
    For example, the Board considered adding explicit references to 
``investor needs'' to the QC system objective. However, the Board are 
concerned that the concept of ``investor needs'' is too vague and 
indefinite to be interpreted consistently as an objective of the QC 
system. Consistent with the reasonable assurance objective, the Board 
believes that all investors want informative, accurate, and independent 
engagement reports. But beyond that, investors are not monolithic and 
may have different preferences. For example, the needs of a large 
institutional investor with an actively managed portfolio are different 
from those of a retail investor holding index funds. Investor needs 
could also vary across issuers and different types of financial 
instruments, as well as with changes in market conditions. As a result, 
the Board does not believe that a QC system objective that was 
expressly phrased in terms of satisfying ``investor needs'' would be 
capable of consistent interpretation or would provide firms with 
sufficient notice or direction about the conduct required of them.
    The Board believes that ``high-quality'' and ``useful'' financial 
reporting suffer from the same issues. These terms are subjective, 
indefinite, and would mean different things to different financial 
statement users and in different situations. In addition, grounding 
auditor obligations in the quality or utility of financial reporting 
risks conflating the role of the auditor with the role of the preparer. 
The fundamental responsibility for financial reporting lies with the 
company. The auditor enhances investors' ability on company financial 
information through the preparation and issuance of informative, 
accurate, and independent engagement reports, but the company prepares 
the financial statements and retains ultimate responsibility for them.
    The Board considered one commenter's suggestion of phrasing the 
objective in terms of ``assurance,'' rather than ``reasonable 
assurance.'' However, the Board believes that this would weaken, rather 
than strengthen, the standard, in that it could be read to suggest that 
any level of assurance, even if less than reasonable assurance, would 
be appropriate. As proposed, the final standard includes a note 
emphasizing that reasonable assurance is a high level of assurance.
    Accordingly, the Board has not revised the objective of the QC 
system as these commenters suggested. The Board continues to believe 
that investor needs will be best served through an objective that is 
grounded in auditors' existing obligations and can be

[[Page 49615]]

interpreted clearly and applied consistently. Auditor obligations under 
applicable professional and legal requirements address investors' 
fundamental priority: that the financial statements be free of material 
misstatement. They also clearly delineate what conduct is required, 
which enables both the Board and the firms that the Board regulates to 
interpret and apply them on a consistent basis.
    The Board has, however, made revisions to paragraph .05 that the 
Board believes will be clarifying. The final rule specifies expressly 
that the firm's objective is to design, and if applicable, implement 
and operate an effective QC system. Further, although the Board 
concluded that it could not express the objective of the QC system in 
such terms, the Board does believe firms should be prompted to remember 
their critical role in investor protection. With that in mind, the 
Board revised paragraph .05 to explicitly acknowledge that a properly 
conducted engagement and related report enhance the confidence of 
investors and other market participants in the company's information to 
which the firm's report relates. The Board also revised the paragraph 
to remind auditors that an effective QC system protects investors by 
facilitating the consistent preparation and issuance of informative, 
accurate, and independent engagement reports in accordance with 
applicable professional and legal requirements.
    Paragraph .05 specifies that an effective QC system consistently 
provides a firm with reasonable assurance that the firm, each member of 
firm personnel, and each other participant conduct each engagement and 
fulfill their other responsibilities in compliance with applicable 
professional and legal requirements, and that each engagement report 
issued by the firm complies with applicable professional and legal 
requirements. The Board revised the provision to refer to ``each member 
of'' firm personnel, ``each'' other participant, ``each'' engagement, 
and ``each'' engagement report. This change clarifies that the QC 
system provides reasonable assurance, not just over the pool of firm 
personnel, the pool of other participants, and the portfolio of 
engagements, but over each individual and each engagement. The 
objective is still reasonable assurance, not absolute assurance. But an 
effective QC system has to be designed, implemented, and operate in 
such a way that the firm has reasonable assurance that each individual 
who performs work on behalf of the firm and each engagement the firm 
undertakes will comply with applicable professional and legal 
requirements.
    One commenter asserted that some prescriptive aspects of the 
standard result in absolute assurance instead of reasonable assurance. 
The Board disagrees, as it believes this is a misunderstanding of the 
standard. Specifically, the reasonable assurance objective under QC 
1000 is broadly consistent with the Board's current QC standards, as 
well as ISQM 1 and SQMS 1, all of which contemplate that the system of 
QC should provide reasonable assurance.\141\ The Board believes that 
the combination of quality objectives and specified quality responses 
in QC 1000 establishes a balance between prescriptive requirements and 
a risk-based approach that contributes to the firm obtaining reasonable 
assurance, but does not require absolute assurance. Of course, nothing 
precludes a firm from going beyond the requirements in QC 1000 when 
designing its QC system.
---------------------------------------------------------------------------

    \141\ See ISQM 1.14; SQMS 1.15.
---------------------------------------------------------------------------

    One commenter suggested that the concept of reasonable assurance 
was not clear and could be clarified by retaining a footnote from QC 20 
that reinforces that deficiencies in individual engagements do not, in 
and of themselves, indicate a firm's quality control system is 
insufficient to provide reasonable assurance. The Board has not 
retained that footnote. The concept of reasonable assurance should be 
familiar to auditors; it is a basic concept under the Board's current 
standards and the Board believes it can be interpreted and applied 
consistently. In addition, in light of QC 1000's detailed process for 
the evaluation of the QC system, including the new defined terms ``QC 
deficiency'' and ``major QC deficiency,'' discussed below, the Board 
does not believe such a footnote is necessary. Under QC 1000, firms 
will determine whether the QC system meets the reasonable assurance 
objective by determining whether any ``major QC deficiencies'' exist. 
The existence of major QC deficiencies indicates that the QC system 
does not provide reasonable assurance, whereas the existence of QC 
deficiencies that do not meet the definition of major QC deficiency 
does not. Since that conclusion is apparent from the definitions, the 
Board does not believe that the existing footnote is needed.
    The ``reasonable assurance objective'' of the firm's QC system is 
similar to the objective of the QC system under existing PCAOB 
standards, except that the current standard requires reasonable 
assurance as to compliance with applicable requirements and ``the 
firm's standards of quality'' (i.e., the firm's policies and 
procedures),\142\ whereas QC 1000's reasonable assurance objective 
refers only to applicable requirements. This change reflects the 
different role played by firm policies and procedures under the Board's 
current QC standards compared to QC 1000. Firm policies and procedures 
are the linchpin of current PCAOB QC standards: Most of the Board's 
current QC standards simply require firms to establish, communicate, 
document, and monitor specified policies and procedures. Policies and 
procedures also play an important role under QC 1000, but they would 
have a different context because of the significant differences in the 
way in which the standard is structured.
---------------------------------------------------------------------------

    \142\ See QC 20.03; QC 20.17.
---------------------------------------------------------------------------

    QC 1000 is grounded in the firm's risk assessment process, whereby 
the firm's quality objectives and the risks to achieving them are 
identified and addressed by the firm in an ongoing, structured fashion. 
This risk assessment process drives how the firm develops and refines 
its policies and procedures; the ``quality responses'' are designed and 
implemented to address quality risks. As such, policies and procedures 
are a means to an end--addressing quality risks--rather than an end in 
themselves. QC 1000 provides more detailed requirements regarding the 
structure, scope, and functioning of the firm's QC system, particularly 
in the monitoring and remediation component, than the Board's current 
QC standards.
    This does not mean that firms' QC policies and procedures are no 
longer important. On the contrary, they are critical to addressing 
quality risks and thereby achieving quality objectives and the 
reasonable assurance objective. However, firms may no longer rely on 
simply promulgating policies and procedures as the central, and 
sometimes only, component of their QC system. Compliance with the QC 
standard ultimately is based on whether the firm has met its quality 
objectives and the reasonable assurance objective--which are driven by 
whether the firm's policies and procedures have in fact been effective 
in addressing quality risks--and on whether the firm has complied with 
the requirements of the standard in the design, implementation, and 
operation of the QC system. Another commenter suggested that the QC 
system should not address firm policies and procedures that go beyond 
applicable professional and legal requirements, on the basis that it 
might undermine investor protection by disincentivizing firms from 
developing policies and procedures that

[[Page 49616]]

go beyond what is required. For the reasons discussed above, the Board 
has not included policies and procedures in the reasonable assurance 
objective. However, because policies and procedures play an important 
role in the firm achieving the reasonable assurance objective, the 
Board has determined that some quality objectives have to incorporate 
compliance with firm policies and procedures as well as applicable 
professional and legal requirements.
    The reasonable assurance objective also reflects the view that the 
purpose of the QC system is to drive overall compliance by the firm, 
each member of firm personnel, and each other participant with 
applicable professional and legal requirements, and not necessarily to 
drive more narrow compliance with firm policies and procedures.
    Under QC 1000, the reasonable assurance objective of the firm's QC 
system is generally consistent with the objective of the QC system 
under the Board's existing QC standards but, in addition to the changes 
discussed above, it places more emphasis in three key areas:
     Expressly reminding auditors that an effective QC system 
protects investors by facilitating the consistent preparation and 
issuance of informative, accurate, and independent engagement reports;
     Specifying that responsibilities be fulfilled not only 
with respect to professional standards, but also with respect to legal 
requirements to the extent they apply (e.g., SEC and PCAOB rules, other 
provisions of U.S. Federal securities law, and other applicable legal 
and regulatory requirements); and
     Expressly mentioning compliant engagement reporting (an 
existing responsibility under PCAOB standards), given the explicit 
reference to audit reports in Sarbanes-Oxley.\143\
---------------------------------------------------------------------------

    \143\ See, e.g., section 103(a)(1) of Sarbanes-Oxley, 15 U.S.C. 
7213(a)(1); section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C. 
7213(a)(2)(B).
---------------------------------------------------------------------------

    Responsibilities in this context include all responsibilities that 
are subject to applicable professional and legal requirements--for 
example, in relation to the firm's engagements, work the firm does on 
other firms' engagements, training, independence monitoring, and other 
activities that are part of or subject to the firm's QC system.
    In addition, the objective covers the activities of a broader group 
than current standards. It applies not only with respect to firm 
personnel and other auditors, but also to other participants involved 
in the firm's engagements and QC activities whose work is performed at 
the direction of the firm. As discussed above, the Board believes that 
QC 1000 should reach such other participants in light of, among other 
things, the increasing prevalence and importance of the use of 
professionals and organizations outside the firm, such as auditor-
engaged specialists and service centers, in audits performed under 
PCAOB standards. Many commenters, generally firms and related groups, 
expressed concern about the inclusion of other participants in the 
reasonable assurance objective. The Board believes that the firm's own 
QC system must address all the work done on the firm's engagements and 
in connection with the design, implementation, and operation of the 
firm's QC system, regardless of who does it. The reasonable assurance 
objective in QC 1000 appropriately reflects that scope.
b. Requirements To Design, Implement, and Operate a QC System (QC 
1000.06-.07)
    QC 1000 requires all firms to design a QC system that complies with 
the standard. This entails assigning QC-related roles and 
responsibilities as provided in paragraphs .10-.17; establishing 
quality objectives, at least annually identifying and assessing quality 
risks to the achievement of those objectives, and designing quality 
responses to address those risks, as provided in paragraphs .18-.57; 
designing a monitoring and remediation process that, upon 
implementation, would comply with paragraphs .58-.76; and documenting 
the design of the QC system as provided in paragraphs .81-.86. The 
design of the QC system is based on the quality risks the firm likely 
would face if it performed engagements.
    The PCAOB received a significant volume of comments on this aspect 
of the proposal, which is discussed above. In addition, one commenter 
suggested emphasizing the concept of professional judgment by 
incorporating it in paragraph .06 or .07 and defining it in Appendix A 
of QC 1000. It is true that under QC 1000, judgment may have to be 
exercised in areas of the QC system, such as assessing risk and 
evaluating QC deficiencies. However, the basic approach of QC 1000, 
which specifies quality objectives to be achieved through specified 
risk assessment and monitoring and remediation processes, is outcome-
based and not simply a matter of professional judgment. Moreover, under 
paragraph .10, all activities related to the QC system must be 
performed with due professional care. This means that even in 
judgmental areas, professional judgment is not unbounded; individuals 
must exercise professional skepticism and use the requisite knowledge, 
skill, and ability to diligently (and in good faith and with integrity) 
obtain and objectively evaluate information. Accordingly, the Board 
adopted these requirements as proposed.
    In addition to the obligation to design the QC system, firms are 
required under paragraph .07 to implement and operate an effective QC 
system (i.e., comply with all provisions of the standard) at all times 
that the firm is required to comply with applicable professional and 
legal requirements with respect to any of the firm's engagements.\144\ 
This would occur, for example, whenever the firm has responsibilities 
with respect to the acceptance of an engagement, the performance of an 
engagement, remediation of deficiencies in an engagement, or matters 
associated with an engagement that arise or continue after issuance of 
the engagement report, such as retention of audit documentation, 
issuance of reports included in Securities Act filings (including 
consent to the inclusion of such reports),\145\ other engagement 
deficiencies,\146\ and subsequently discovered facts.\147\ Once a firm 
no longer has any responsibilities under applicable professional and 
legal requirements with respect to any firm engagements, the firm will 
be required to continue operating the QC system until the next 
September 30 (the next date as of which the firm is required to 
evaluate the QC system). This ensures that the firm will evaluate and 
report on the QC system for any year during which the QC system was 
required to operate.\148\
---------------------------------------------------------------------------

    \144\ Note, however, that the firm would not necessarily have to 
implement and operate every QC policy and procedure it has designed. 
See Scalability above.
    \145\ See AS 4101, Responsibilities Regarding Filings Under 
Federal Securities Statutes.
    \146\ See AS 2901. The Board amended AS 2901 in connection with 
this rulemaking to expand auditor responsibilities with respect to 
engagement deficiencies. See Amendments to AS 2901, Consideration of 
Omitted Procedures After the Report Date, and Related Amendments 
below for additional discussion.
    \147\ See AS 2905, Subsequent Discovery of Facts Existing at the 
Date of the Auditor's Report.
    \148\ The requirements for evaluating and reporting on the QC 
system are discussed below.
---------------------------------------------------------------------------

    Note that firms may not have lengthy advance notice before 
responsibilities arise under applicable professional and legal 
requirements with respect to an engagement. For example, a firm may be 
contacted by an affiliated firm to play a substantial role in an 
engagement or may be asked to consent to the inclusion of a previously 
issued audit report in

[[Page 49617]]

the registration statement of a company previously audited by the firm. 
Under the standard, registered firms will have to stand ready to have 
their QC system implemented and operating over such responsibilities 
whenever they arise.
    Although all PCAOB-registered firms are required to design a QC 
system that complies with the standard, the obligation to implement and 
operate that system applies only when the firm is required to comply 
with applicable professional and legal requirements with respect to the 
firm's engagements. Implementing and operating a QC system means that 
assigned personnel are fulfilling their QC-related roles and 
responsibilities under QC 1000, the relevant quality responses (i.e., 
policies and procedures) and monitoring and remediation process that 
the firm has designed are operational, and the firm is documenting the 
implementation and operation of its QC system. As noted above in the 
discussion of scalability, the scope of the QC system is driven by the 
professional and legal requirements that apply to the firm and its 
engagements and the relevant risks, which may vary depending on the 
nature and extent of the firm's practice.
    The standard also makes clear that existing obligations under QC 
1000, such as the obligation to evaluate and report on the QC system 
for periods in which the QC system was required to be implemented and 
operating, are not extinguished when a firm transitions from full 
applicability to scaled applicability.
    As discussed in more detail above, the Board's view is that 
requiring all registered firms to design a QC system that complies with 
QC 1000 is consistent with the PCAOB's statutory mandate, historical 
practice, and investor protection mission, and that scaling back 
obligations under QC 1000 to the design of the QC system, as described 
under paragraph .06, is justified in cases where a firm is not subject 
to any obligations under applicable professional and legal standards 
with respect to any firm engagement.
b. Risk-Based Approach (QC 1000.08-.09)
    The Board did not receive comments specifically on these paragraphs 
and adopted them as proposed. These paragraphs require a firm to employ 
a risk-based approach to quality control, such that the firm 
proactively manages its QC system and the quality of the work it 
performs on engagements.
    Under the standard, the firm is required to design, implement, and 
operate a QC system that reflects and responds to the firm's particular 
risks through two process components.
     The firm's risk assessment process--establishing quality 
objectives, identifying, and assessing quality risks to the achievement 
of those objectives, and designing and implementing quality responses 
to address the identified quality risks--is applied to all of the 
aspects of the firm's organization and operations that are covered by 
the QC system and thus is tailored to each firm's specific facts and 
circumstances.
     The monitoring and remediation process is carried out in a 
way that is informed by and responsive to risks--for example, quality 
risks influence both the selection of engagements to monitor and the 
design and extent of monitoring activities.
    The requirement to evaluate the effectiveness of the QC system 
supports continued improvement in these risk assessment and monitoring 
and remediation processes by requiring the firm to evaluate and report 
on whether the quality objectives and the reasonable assurance 
objective have been achieved. These requirements are discussed in more 
detail below.
    The aspects of QC 1000 that are risk-based are inherently scalable. 
In applying a risk-based approach, the firm is required to tailor its 
QC system to the firm's specific facts and circumstances, including the 
size and complexity of the firm, the types and variety of engagements 
it performs, the types of companies for which it performs engagements, 
and whether it is a member of a network (and if so, the nature and 
extent of the relationship between the firm and the network). 
Accordingly, a large, complex firm that performs a wide variety of 
engagements will likely be required to have a more complex QC system 
than a small firm that performs a small number of less complex 
engagements.
2. Current PCAOB Standards
    As described above, under current QC standards, a QC system is 
broadly defined as a process to provide a firm with reasonable 
assurance that its personnel comply with professional standards 
applicable to its accounting and auditing practice and the firm's 
standards of quality.\149\ The QC system encompasses the firm's 
organizational structure, policies adopted, and procedures established 
to provide that reasonable assurance.\150\ Registered firms are 
required to design, implement, and operate a system of quality control 
to provide this reasonable assurance.
---------------------------------------------------------------------------

    \149\ See QC 20.03.
    \150\ See QC 20.04.
---------------------------------------------------------------------------

Roles and Responsibilities

    Expectations of individuals within the QC system are established 
through the assignment of roles and responsibilities that are essential 
to a well-functioning QC system. This aspect of the QC system creates 
clearer lines of communication and decision-making authority and 
greater accountability for those assigned to such roles. One commenter 
on the overall requirements supported them as proposed. Some firm 
commenters also supported the proposed roles and offered operational 
suggestions, while other firm commenters asserted that the proposed 
roles and responsibilities were not clear and appropriate for the 
reasons described in the following subsections.
1. QC 1000
a. Due Professional Care (QC 1000.10)
    Paragraph .10 of the standard addresses due professional care in 
performing responsibilities in relation to the QC system. Due 
professional care, applicable to all firm personnel and other 
participants, includes professional skepticism. The concept of due 
professional care imposes a responsibility upon firm personnel and 
other participants to observe relevant professional standards 
including, in the context of quality control, QC 1000. The Board 
believes that this provision is a helpful clarification because the 
PCAOB standards describing due professional care do not specifically 
mention QC activities.\151\
---------------------------------------------------------------------------

    \151\ A new auditing standard, AS 1000, is being adopted to 
combine and update the four standards that set forth the general 
principles and responsibilities of the auditor, including AS 1015, 
Due Professional Care in the Performance of Work. See Auditor 
Responsibilities Release.
---------------------------------------------------------------------------

    One commenter urged the PCAOB to clarify the need for professional 
skepticism by leadership in quality control roles. The Board does not 
believe specific provisions are needed in that regard, because 
paragraph .10 applies to all individuals performing QC roles, including 
those in leadership roles.
    The Board has adopted this provision with modifications to align 
with the descriptions of due professional care and professional 
skepticism being adopted in AS 1000.\152\
---------------------------------------------------------------------------

    \152\ Id.
---------------------------------------------------------------------------

b. Assignment of Roles and Responsibilities (QC 1000.11-13)
    The Board proposed to require the highest-ranking executive in the 
firm to bear ultimate responsibility and

[[Page 49618]]

accountability for the QC system as a whole. If a firm has co-principal 
executive officers, each of them would bear such ultimate 
responsibility and accountability. The PCAOB did not prescribe the 
substantive qualifications the highest-ranking executive in the firm 
should have; the proposal did not include any such criteria (unlike the 
assigned roles under paragraph .12, which only may be assigned to 
personnel who have the experience, competence, authority, and time to 
carry out their responsibilities). The Board's intention was to 
establish accountability for QC at the highest level within the firm 
and underscore the critical importance of the QC system. One commenter 
supported this requirement, as it is analogous to the CEO being jointly 
responsibly for the SEC certifications with respect to the financial 
statements and internal controls. One commenter requested clarification 
on the structure of smaller firms where the firm's CEO may not be an 
audit practitioner and may rely on others to fulfill the requirements 
of the QC system. The Board believes it is important for the firm's 
principal executive officer, irrespective of whether that person is an 
audit practitioner, to be ultimately responsible and accountable for 
the firm's QC system, because the Board believes that this will lead to 
more vigorous oversight of the audit practice; benefiting investors and 
other stakeholders that rely on the firm's work.
    The requirement in paragraph .12 of QC 1000 is limited to roles 
that are expected to exist in any firm and allows each firm to assign 
these roles based on the nature and circumstances of the firm, provided 
that those assigned have the experience, competence, authority, and 
time to enable them to carry out their assigned responsibilities. This 
approach also addresses scalability; as the note to paragraph .12 makes 
clear, depending on the nature and circumstances of the firm, one 
individual may be assigned to more than one of the roles in paragraphs 
.11 and .12.
    A number of commenters suggested that the roles in paragraph .12 
should be able to be split into multiple roles or assigned to multiple 
people. Commenters asserted that the roles, such as operational 
responsibility for the ethics and independence component, are complex 
enough to require two individuals. Several of the same commenters 
expressed that the requirement is generally too prescriptive. Several 
firms indicated that many firms in larger networks may commonly have 
these specified roles filled by individuals outside of the firm and the 
restriction of these roles to firm personnel may be problematic 
operationally.
    For the roles specified in paragraph .12, the final standard 
retains the requirement that only one individual may be assigned 
responsibility for each role. A firm may have multiple individuals or 
multiple layers of personnel supporting these roles, but the 
responsibility for the assigned role may not be delegated and will 
remain with the one assigned individual. For example, a firm could 
assign one person to ethics-related matters and another person to 
independence-related matters, as long as both of these individuals 
report to the person with operational responsibility for the firm's 
compliance with ethics and independence requirements. The Board 
acknowledges that some firms may seek assistance from their network or 
other participants in performing some of their QC-related activities, 
but the Board believes a single individual within the firm should 
remain responsible for the operational responsibilities of the assigned 
roles. Regardless of whether specific tasks are delegated to others, 
the individual assigned to a specified role remains responsible and 
accountable for the role's related responsibilities.
    Commenters generally supported allowing one person to hold multiple 
responsibilities under certain circumstances, such as smaller firms 
with limited resources. Two commenters supported the roles as proposed 
and one commenter suggested the firm's head of audit practice also be 
included as a role.
    The Board's view is that the roles specified in paragraph .12 would 
be appropriate for every firm. Provided that the criteria in paragraph 
.12 of QC 1000 are met, the individual assigned ultimate responsibility 
and accountability for the QC system also may assume responsibility for 
all aspects of the QC system, including operational responsibility for 
the QC system, the firm's compliance with ethics and independence 
requirements, and the monitoring and remediation process. The Board has 
not been specific about who should be assigned the roles identified in 
paragraph .12. A firm may determine, based on its nature and 
circumstances, that it is appropriate to assign already established 
leaders to one or more of these roles, such as the head of audit 
practice as suggested by a commenter.
    One commenter requested clarification of the intended role in .12d. 
The role in paragraph .12d allows firms to assign operational 
responsibility for other components (e.g., the resources component) 
based on the nature and circumstances of the firm. The standard 
provides firms the ability to add additional roles and 
responsibilities, if appropriate, and the flexibility to assign one 
individual to more than one of the roles specified.
    The proposal asked if firms would have difficulty filling the 
assigned roles. Two commenters were optimistic these roles could be 
filled in light of the requirements. Commenters cited increased 
liability or workload associated with these roles as potential 
disincentives that may keep qualified individuals from accepting these 
roles. Specifically, some commenters asserted that the proposal would 
lower the threshold for individual liability compared to current 
requirements, and that the threat of enforcement sanctions would deter 
individuals from accepting the roles.\153\ One commenter sought 
clarification on the supervision obligations prescribed under QC 1000 
and the Board's authority to bring enforcement actions for failure to 
reasonably supervise under section 105(c)(6) of Sarbanes-Oxley. One 
commenter recommended amending paragraph .11 to acknowledge that 
individuals assigned ultimate responsibility for the QC system as a 
whole can rely on information provided to them and their responsibility 
is governed by a good faith standard. Two commenters expressed concern 
that firms, especially smaller issuer or broker-dealer practices, would 
have difficulty filling the specified roles. One commenter was 
concerned with increased accountability and suggested balancing 
accountabilities such that processes and outcomes, as well as rewards 
and penalties, are more appropriately weighted.
---------------------------------------------------------------------------

    \153\ Analogous concerns were also raised by commenters in 
relation to the separate rulemaking Proposed Amendments to PCAOB 
Rule 3502 Governing Contributory Liability, available on the Board's 
website in Docket 053.
---------------------------------------------------------------------------

    Current QC standards generally impose responsibilities directly on 
the firm rather than on individuals. Enforcement actions related to the 
failure to comply with current QC standards can be brought against 
individuals for contributing to violations by the firm\154\ or for 
failing to

[[Page 49619]]

reasonably supervise an associated person of the firm who commits 
certain violations.\155\
---------------------------------------------------------------------------

    \154\ See PCAOB Rule 3502, Responsibility Not to Knowingly or 
Recklessly Contribute to Violations. The Board has proposed to amend 
Rule 3502 in certain ways, including by changing the standard of 
conduct for associated persons' contributory liability from 
recklessness to negligence. See Proposed Amendments to Rule 3502 
Governing Contributory Liability, PCAOB Rel. No. 2023-007 (Sept. 19, 
2023).
    \155\ See Sarbanes-Oxley sec. 105(c)(6), 15 U.S.C. 7215(c)(6).
---------------------------------------------------------------------------

    Under QC 1000, the individuals who are assigned specific 
responsibilities with respect to the QC system could be charged with 
violations if they fail to comply with those enumerated 
responsibilities, as well as for contributing to firm violations or 
failing reasonably to supervise.\156\ As discussed further in the 
sections that follow, the individuals who fill the roles specified in 
paragraphs .11 and .12 of QC 1000 have specified responsibilities 
spelled out in paragraphs .14 through .17 of the final standard. Those 
individuals must exercise due professional care (see paragraph .10), 
and their failure to properly discharge their duties--for example, to 
establish or direct the establishment of certain QC-system reporting 
lines (see paragraph .14b), to certify the firm's Form QC report to the 
PCAOB (see paragraphs .14d and .15b), or to timely communicate certain 
information to others (see paragraphs .16b and .17b)--would constitute 
violations of QC 1000. So while current QC standards generally require 
either a primary violation by the firm to trigger an individual's 
potential liability under Rule 3502 or a primary violation by another 
associated person to trigger a supervisory person's potential liability 
under section 105(c)(6) of Sarbanes-Oxley, QC 1000 creates a framework 
in which an individual's failure to discharge prescribed 
responsibilities could give rise to individual liability without regard 
to whether primary violations were committed by another.
---------------------------------------------------------------------------

    \156\ See PCAOB Rel. No. 2023-007.
---------------------------------------------------------------------------

    That is not to say, however, that the individuals filling the roles 
specified in paragraphs .11 and .12 of QC 1000 no longer can be charged 
with contributing to violations by the firm or for failing to 
reasonably supervise an associated person who commits certain 
violations. Because of the important role played by the individuals 
filling those roles, their failure to properly fulfill their 
responsibilities may contribute to violations by their firm. 
Furthermore, paragraphs .15a, .16a, and .17a of the final standard make 
clear that the individuals who fill the roles discussed therein are 
supervisory persons who have supervisory responsibilities under the 
Board's QC standards, for purposes of section 105(c)(6) of Sarbanes-
Oxley.
    The Board believes that providing another basis for enforcement 
against responsible individuals could enhance their accountability for 
the QC system. Enhanced accountability emphasizes the importance of the 
firm assigning roles to firm personnel who have the experience, 
competence, authority, and time needed to carry out their assigned 
responsibilities. Although the Board recognizes that some commenters 
expressed concern about whether individuals would be willing to assume 
these specified roles, the Board believes that these roles are 
necessary and appropriate for every firm. The Board also believes that, 
with appropriate incentives, firms should be able to fill these roles. 
The PCAOB is adopting these requirements as proposed.
    The Board discusses each of the QC roles identified in the standard 
in the subsections that follow. Paragraph .13 provides that individuals 
assigned operational responsibilities under paragraph .12 should have a 
direct line of communication to the individual with ultimate 
responsibility and accountability for the QC system. This line of 
communication would provide these individuals the information necessary 
to perform their assigned roles. One commenter supported a feedback 
loop between the individuals assigned responsibilities under paragraphs 
.11 and .12, but sought clarity regarding whether individuals in the 
roles in paragraph .12 are required to report to the firm's principal 
executive officer. The Board has not prescribed the firm's reporting 
structure related to those roles, as it may vary based on the nature 
and circumstances of the firm.
c. Ultimate Responsibility and Accountability for the QC System as a 
Whole (QC 1000.14)
    The individual assigned ultimate responsibility and accountability 
for the QC system as a whole reinforces the responsibility and 
accountability of firm personnel by demonstrating a commitment to 
quality. The standard emphasizes the role of that individual--by the 
individual recognizing and reinforcing professional ethics, values, and 
attitudes through the individual's actions, behaviors, and 
communications--in establishing a firm's tone at the top and attitude 
towards quality.
    The individual assigned ultimate responsibility and accountability 
is responsible for establishing, or directing the establishment of, 
structures, reporting lines, and authorities and responsibilities for 
the roles involving operational responsibility for aspects of the QC 
system and the QC system as a whole. For each firm, the approach to 
fulfilling these responsibilities will be dependent on the firm's 
nature and circumstances. For example, in a smaller firm where there 
are fewer individuals with assigned roles, structures may be less 
formal. Conversely, for a larger firm, it may be necessary to have 
multiple individuals in roles with assigned responsibilities or to have 
multiple layers of personnel supporting different activities. However, 
ultimate responsibility and accountability cannot be delegated.
    Also, the individual assigned ultimate responsibility and 
accountability is accountable for the design, implementation, and 
operation of the firm's QC system in accordance with applicable 
professional and legal requirements and the firm's policies and 
procedures, as well as for the firm's annual QC system evaluation. The 
functions performed by the individual with ultimate responsibility and 
accountability may vary across firms. For example, in a smaller firm, 
the individual assigned ultimate responsibility and accountability may 
be directly involved in aspects of the QC system, such as the firm's 
monitoring and remediation process. In a larger firm, this person may 
supervise others who perform these activities.
    Lastly, the Board proposed requiring the individual assigned 
ultimate responsibility and accountability for the QC system as a 
whole, along with the individual assigned operational responsibility 
and accountability for the firm's QC system as a whole, to certify the 
firm's annual evaluation of its QC system in a report to the PCAOB. One 
commenter expressed concern that the certification requirements may 
create a barrier to firms operating in environments that do not have 
Sarbanes-Oxley-style reporting requirements. The same commenter also 
emphasized the certifications may have a disproportional impact on 
smaller firms that have fewer resources. One commenter suggested that 
certification by the firm's CEO is an ineffective incentive and a more 
appropriate incentive would be compensation that was heavily weighted 
towards effective QC systems.
    As discussed further below, the Board believes such certification 
will lead to increased discipline in the evaluation process and 
reinforce the accountability of the certifying individuals, and has 
adopted that requirement as proposed. The Board believes certifications 
are commonly known among issuers within the regulatory environment and 
would be familiar to their auditors. The Board also believes the 
certification requirements will complement the revised provisions in 
paragraphs .25b and .44g of the final standard, which

[[Page 49620]]

address compensation incentives based on an effective QC system.
d. Operational Responsibility and Accountability for the QC System as a 
Whole (QC 1000.15)
    This requirement did not draw comment and the Board adopted it as 
proposed. The individual assigned operational responsibility and 
accountability for the QC system as a whole is accountable for 
supervising the design, implementation, and operation of the firm's QC 
system. This includes overseeing the operation of the QC system in 
achieving the reasonable assurance objective. Depending on the nature 
and circumstances of the firm, this individual may be the same person 
assigned ultimate responsibility and accountability for the QC system, 
or may be assigned other operational responsibilities, such as for 
ethics and independence or monitoring and remediation.
    In carrying out the specified responsibilities, the individual 
assigned operational responsibility and accountability for the QC 
system as a whole may be supported by the individuals assigned 
operational responsibility for the firm's compliance with ethics and 
independence requirements, the monitoring and remediation process, or 
other components of the QC system. This includes receiving information 
from such individuals regarding violations of ethics and independence 
requirements and the results of the monitoring and remediation process.
    Along with the individual assigned ultimate responsibility and 
accountability for the QC system as a whole, and for similar reasons, 
the Board has required the individual assigned operational 
responsibility and accountability for the QC system as a whole to 
certify the firm's annual report to the PCAOB on the evaluation of its 
QC system, as discussed below.\157\
---------------------------------------------------------------------------

    \157\ If the same person were assigned both ultimate 
responsibility and accountability and operational responsibility and 
accountability for the QC system, that person would sign the 
certification in both capacities.
---------------------------------------------------------------------------

e. Operational Responsibility for the Firm's Compliance With Ethics and 
Independence Requirements (QC 1000.16)
    Compliance with ethics and independence requirements is essential 
to the performance of engagements and, in some situations, presents 
challenging, novel, or complex issues. The current requirements for 
former SECPS member firms include designating a senior-level partner to 
oversee the firm's independence policies and consultation process, 
among other independence-related activities. Like in the proposal, in 
the final standard the individual assigned operational responsibility 
for compliance with ethics and independence requirements will supervise 
the areas addressed by the ethics and independence component of QC 
1000, which include the firm's risk assessment process for ethics and 
independence and the design, implementation, and maintenance of the 
firm's policies and procedures related to ethics and independence.
    Within the ethics and independence component, there are quality 
objectives and specified quality responses that address potential 
violations of ethics and independence requirements, including a quality 
objective that potential violations are communicated to the individual 
with operational responsibility for ethics and independence 
requirements. That individual is then responsible for communicating 
such violations to the individuals assigned operational responsibility 
for the monitoring and remediation process and operational 
responsibility and accountability for the QC system as a whole.
    Paragraph .16b, as well as several other requirements in the 
standard, refers to actions being taken on a ``timely basis.'' In each 
of these cases, what constitutes ``timely'' would depend on the 
underlying matter to which the action relates, including the matter's 
nature, scope, and impact. Timely communication and action should be 
sufficiently prompt to achieve its objective. In some cases, for 
example, where there is a high risk of a severe or pervasive problem, 
communication and action may have to be immediate to be timely. The 
only commenter on this term agreed that what constitutes ``timely'' 
would depend on the underlying matter to which action relates. The 
commenter also wanted clarification that the firm's policies and 
procedures assist in promoting communication such that the appropriate 
individuals with responsibilities over the firm's QC system become 
aware of relevant matters in a timely manner, as appropriate for the 
size and the scale of the firm and relative nature of the matter. 
Insofar as the comment may be read to suggest that the size and scale 
of the firm, on its own, is a factor in determining timeliness, the 
Board disagrees. In the Board's view, timeliness is a function of the 
nature and significance of the issue (appreciating that the size and 
scale of the firm may be relevant in gauging the nature and 
significance of an issue).
    One commenter expressed concern that the prescriptiveness of the 
communication requirements may detract from the achievement of the 
intended objectives. Specifically, the commenter was concerned that it 
may not be appropriate to require communication of all violations to 
the individual with operational responsibility and accountability for 
the QC system as a whole.
    The specified communications are intended to enable these 
individuals to take timely and appropriate actions in accordance with 
their responsibilities. In the Board's view, in order to do that, they 
need to be apprised of ethics and independence violations. Ethics or 
independence violations may take a variety of forms, and therefore the 
nature and extent of the communication may also take a variety of forms 
commensurate to the severity and pervasiveness of the violation. 
Leaving aside the question of whether a violation of ethics or 
independence requirements could ever be insignificant, individual 
violations may evidence problems within specific areas of the firm's 
policies and procedures or an overall pattern of disregard for ethics 
and independence requirements that requires timely intervention. The 
Board has adopted these requirements as proposed.
f. Operational Responsibility for the Monitoring and Remediation 
Process (QC 1000.17)
    The monitoring and remediation process is a critical part of a 
firm's QC system because it creates a feedback loop to inform the 
firm's risk assessment process, results in an approach that drives 
continuous improvement, and provides the firm with information about 
whether the QC system is operating effectively. As proposed, the 
individual assigned operational responsibility for the monitoring and 
remediation process would be responsible for supervising the design, 
implementation, and operation of the monitoring and remediation process 
component and the evaluation of the QC system. This individual would 
also be responsible for overseeing actions taken to respond to 
identified engagement deficiencies, QC deficiencies, and major QC 
deficiencies.
    One commenter was concerned that it would be a conflict of interest 
for this individual to oversee both the monitoring and remediation 
process and the evaluation process. Another commenter recommended that 
the responsibility for the annual evaluation

[[Page 49621]]

be shared between the individual with operational responsibility for 
the QC system as a whole, who recommends the evaluation conclusion, and 
the individual with operational responsibility for the monitoring and 
remediation process, who concurs or recommends changes to the 
conclusion. The Board understands that in a smaller firm these roles 
may all be performed by the same individual. In a larger firm that 
assigns different individuals to the roles, the individual with 
operational responsibility for the monitoring and remediation process 
supervises the evaluation process. Although the individual overseeing 
the monitoring and remediation process also oversees the evaluation 
process, other aspects of QC 1000 drive accountability for the 
evaluation. Paragraph .14c makes the individual assigned ultimate 
responsibility and accountability for the QC system as a whole 
accountable for the annual evaluation. Additionally, paragraphs .14d 
and .15b impose certification requirements that also drive 
accountability for the evaluation process. The Board has adopted this 
requirement as proposed.
    The individual assigned operational responsibility for the 
monitoring and remediation process is also responsible for 
communicating, on a timely basis, matters related to monitoring and 
remediation to the individuals assigned ultimate responsibility and 
accountability for the QC system as a whole and operational 
responsibility and accountability for the QC system as a whole. These 
communications would include key aspects of the monitoring and 
remediation process, such as the monitoring activities performed, 
results of the monitoring activities, and the remedial actions taken. 
The communication of this information to the individual assigned 
ultimate responsibility and accountability for the QC system as a whole 
facilitates and supports that individual's overall accountability for 
the evaluation of the QC system.
2. Current PCAOB Standards
    QC 20.22 requires the assignment of responsibility for the design 
and maintenance of QC policies and procedures to appropriate 
individuals but does not specify the role or roles to which such 
responsibilities should be assigned. In addition, members of the SECPS 
are required to designate a senior-level partner responsible for, among 
other things:
     Overseeing the functioning of the firm's independence 
policies and consultation process;
     Maintaining the restricted entity list and providing it to 
all professionals; and
     Supervising the monitoring system related to overseeing 
that independence violations are addressed.
    QC 1000 retains and expands on these concepts. However, rather than 
specifying that a senior-level partner be responsible for independence 
matters, the standard takes a more functional approach, requiring a 
person with the experience, competence, authority, and time needed to 
enable that person to carry out the assigned responsibilities.
    Another key difference, as discussed above, is that QC 1000 imposes 
specific responsibilities on the individuals assigned the specific 
roles, such that enforcement action could be brought against them 
individually if they fail to meet those responsibilities.

The Firm's Risk Assessment Process

    The risk assessment process is the basis for a risk-based approach 
to the design, implementation, and operation of the firm's QC system. 
The firm's risk assessment process, in combination with the monitoring 
and remediation process, creates a feedback loop to drive continuous 
improvement of the firm's QC system.
    The proposal included a risk assessment process that would be 
principles-based and could be tailored to the size and complexity of 
the firm and the types and variety of engagements it performs. Several 
commenters, including firms, were generally supportive of a risk-based 
approach to the firm's QC system. One commenter, an investor-related 
group, expressed concern that a principles-based approach would allow 
audit firms too much discretion in conducting their own risk 
assessment. Another commenter noted that while they generally supported 
a risk-based, scalable approach, they supported a more prescriptive 
approach for the resources and monitoring and remediation components.
    The Board has retained the approach as proposed because it believes 
that applying a risk-based approach to the design, implementation, and 
operation of the QC system will prompt firms to identify and focus on 
the most relevant risks to quality in the context of their own practice 
and will make QC 1000 appropriately adaptable to future changes in 
technology, regulation, and the business environment. It will also 
ensure scalability, allowing firms to right-size their QC systems as 
their practices grow and change. As discussed above, QC 1000 contains a 
balance of prescriptive and risk-based elements.
    One commenter requested clarity on whether QC 1000 would operate 
separately or in concert with other quality control standards, 
specifically whether the risk assessment process would apply only to 
engagements performed under PCAOB standards or to the firm's overall 
risk assessment of all its engagements, including those performed under 
other standards. Consistent with the way the term ``engagement'' is 
defined in QC 1000,\158\ the requirements of QC 1000, including those 
regarding the firm's risk assessment process, generally apply only to 
work performed under PCAOB standards. However, nothing prevents a firm 
from designing, implementing, and operating a single risk assessment 
process for its entire audit and assurance practice that satisfies both 
QC 1000 and the other quality control standards that apply to the firm.
---------------------------------------------------------------------------

    \158\ See Terminology discussed above.
---------------------------------------------------------------------------

    The risk assessment process should be familiar to firms because it 
is analogous to existing auditor responsibilities for identifying, 
assessing, and responding to risks of material misstatement of the 
financial statements. Audit procedures for identifying and assessing 
risks of material misstatement include information-gathering procedures 
to identify risks (e.g., obtaining an understanding of the company, its 
environment, and its internal control), assessment of risks based on 
information obtained, and design and implementation of responses to 
address the identified risks.\159\ The standard creates analogous 
responsibilities in relation to the QC system. Similarly, as the 
auditor is required by auditing standards to modify the overall audit 
strategy and the audit plan if circumstances change during the course 
of the audit,\160\ the firm is required by QC 1000 to monitor, 
identify, assess, and respond to changes in relevant conditions, 
events, and activities that affect the firm's QC system.
---------------------------------------------------------------------------

    \159\ See generally AS 2110, Identifying and Assessing Risks of 
Material Misstatement.
    \160\ See AS 2110.74.
---------------------------------------------------------------------------

1. QC 1000.18
    The firm's risk assessment process applies to the six components of 
the firm's QC system that specify quality objectives. To design, 
implement, and operate this process, the firm is required to:
     Establish quality objectives;
     Identify and assess quality risks to the achievement of 
the quality objectives; and

[[Page 49622]]

     Design and implement quality responses to address the 
identified quality risks.
    The process for establishing quality objectives, identifying, and 
assessing quality risks, and designing and implementing quality 
responses is iterative, and the requirements of the standard would not 
necessarily be addressed in a linear manner. For example, in 
identifying and assessing quality risks, the firm may determine that 
one or more additional quality objectives are required; in designing 
and implementing quality responses, the firm may identify additional 
quality risks. The risk assessment process is also iterative and 
ongoing, so that new or developing risks are identified and addressed 
as they emerge. For smaller and less complex firms, the risk assessment 
process may be centralized and involve only a few individuals. For 
larger and more complex firms, the risk assessment process may be more 
structured and decentralized, involving multiple layers and groups. The 
Board believes that the risk assessment approach will prompt firms to 
proactively identify, assess, and respond to quality risks, while at 
the same time allowing them to apply judgment when identifying and 
assessing quality risks.
a. Establish Quality Objectives (QC 1000.19)
    The standard defines quality objectives as the desired outcomes in 
relation to the components of the QC system to be achieved by the firm. 
Establishing quality objectives is the first step in the risk 
assessment process and forms the basis for the identification and 
assessment of quality risks and the design and implementation of 
quality responses. The quality objectives are outcome-based and the 
risk assessment process provides firms the ability to determine how the 
quality objectives are to be achieved.
    One investor-related group expressed concern with the lack of 
specificity in the proposed standard regarding the design of an audit 
firm's quality control system, suggesting that the proposed standard 
would enable firms to design a QC system that could too easily be 
certified as working properly. The Board believes that the quality 
objectives specified in QC 1000 will promote an appropriate level of 
rigor in the QC system. While QC 1000 provides some flexibility with 
regard to the quality risks that firms identify and the quality 
responses that firms develop to address those risks, it does not 
provide the same flexibility with regard to quality objectives. 
Instead, quality objectives that will apply to all firms are specified 
in the standard. Firms can establish additional quality objectives--
indeed, they are required to do so if necessary to achieve the 
reasonable assurance objective--but they generally cannot omit or 
modify any of the quality objectives set out in the standard. 
Therefore, firms do not determine the criteria by which their QC 
systems will be assessed, only the means by which they will meet those 
criteria.
    Quality objectives are specified in the standard for six of the 
components of the QC system: governance and leadership, ethics and 
independence, acceptance and continuance of engagements, engagement 
performance, resources, and information and communication. A firm may 
determine that it is necessary to establish quality objectives for its 
monitoring and remediation process. In those circumstances, the firm's 
risk assessment process would also apply to the monitoring and 
remediation process. Otherwise, although monitoring and remediation 
would not be subject to the firm's risk assessment process as described 
in the standard, it would nevertheless be carried out in a way that is 
informed by and responsive to quality risks.\161\
---------------------------------------------------------------------------

    \161\ See Monitoring and Remediation Process below. For example, 
quality risks and the reasons for their assessment are factors a 
firm would take into account when determining the nature, timing, 
and extent of its monitoring activities.
---------------------------------------------------------------------------

    The Board believes that, for many firms, the quality objectives 
specified in the standard are likely to be comprehensive and it does 
not expect, in the current environment, that additional quality 
objectives would generally be necessary. However, the Board also 
recognizes that the nature and circumstances of a firm and its 
engagements will vary and conditions may change. Accordingly, a firm is 
required to establish additional quality objectives if necessary to 
achieve the reasonable assurance objective.
    The requirement for the firm to establish quality objectives 
necessary to achieve the reasonable assurance objective is designed to 
prompt ongoing reexamination of the quality objectives and modification 
as needed, which should enable the firm's QC system to adapt to a 
changing environment and remain fit for purpose. If a firm determines 
that its quality objectives need to be more specific, it could 
establish sub-objectives to provide a more direct link to quality risks 
and support the development of more comprehensive or better-targeted 
responses.
b. Identify and Assess Quality Risks (QC 1000.20)
    The proposal defined quality risks as risks that, individually or 
in combination with other risks, have a reasonable possibility of 
adversely affecting the firm's achievement of one or more quality 
objectives if the risks were to occur, and are either (i) risks that 
have a reasonable possibility of occurring or (ii) risks of intentional 
acts by firm personnel and other participants to deceive or to violate 
applicable professional and legal requirements. The ``reasonable 
possibility'' term in the definition of quality risks is aligned with 
use of the term in PCAOB standards: \162\ there is a reasonable 
possibility of an event when the likelihood of the event is either 
``reasonably possible'' or ``probable,'' as those terms are used in the 
FASB Accounting Standards Codification (``FASB ASC'') Topic 450, 
Contingencies.\163\
---------------------------------------------------------------------------

    \162\ See generally, e.g., AS 1105, Audit Evidence; AS 2101; AS 
2201, An Audit of Internal Control Over Financial Reporting That Is 
Integrated with An Audit of Financial Statements.
    \163\ See FASB ASC paragraph 450-20-25-1; see also, e.g., 
footnote 4 to AS 1105.12, which incorporates the ASC definition.
---------------------------------------------------------------------------

    A number of commenters raised questions or made suggestions about 
the proposed treatment of intentional acts in the definition of quality 
risks. One commenter suggested that intentional misconduct should not 
be explicitly addressed in the definition because the necessary 
response, especially as it relates to colleagues' behavior, may 
negatively impact the trust among colleagues and could constrain the 
achievement of quality objectives. Instead, this commenter suggested 
that the risk of intentional misconduct may be more effectively 
considered and responded to as part of the broader understanding of 
quality risks. Another firm expressed concern that requiring 
consideration of all illegal acts would contradict a risk-based 
approach.
    Several firms agreed that the definition of quality risks should 
explicitly address the risk of intentional misconduct but suggested 
that the definition should also address the possibility of occurrence 
related to acts of intentional misconduct. Several commenters, 
including firms, firm-related groups, and an academic, recommended that 
the threshold of ``reasonable possibility of occurring'' should apply 
to all quality risks, including risks of intentional misconduct. Many 
of these commenters said that not applying the threshold of 
``reasonable possibility of occurring'' to

[[Page 49623]]

the risk of intentional misconduct would not be practical and could 
harm audit quality as this would divert time, resources, and attention 
from addressing more reasonably possible risks. Some commenters 
referenced the inclusion of the ``reasonable possibility of occurring'' 
threshold in AS 2110 and suggested that the same principle should apply 
to the risk of intentional misconduct in QC 1000. Two of these 
commenters suggested that not applying the threshold of ``reasonable 
possibility of occurring'' to the definition of quality risks would be 
inconsistent with AS 2401, Consideration of Fraud in a Financial 
Statement Audit, and could impose a threshold on firms that exceeds the 
current auditing standards over auditors' identification and assessment 
of fraud risks. Several commenters also stated that the inclusion of 
other participants in addressing every conceivable risk of intentional 
misconduct may be impractical as firms may have limited access to 
information on the conduct of other participants. One firm suggested 
that additional guidance may be beneficial with regard to assessing and 
responding to risks of intentional misconduct by other participants 
that are not part of the firm.
    A firm-related group suggested that not applying the threshold of 
``reasonable possibility of occurring'' to intentional misconduct 
appeared to go beyond the reasonable assurance objective and expressed 
concern that, without further clarification of how firms should deal 
with risks of intentional misconduct with less than a reasonable 
possibility of occurring, a disproportionate level of resources could 
be allocated to this area, to the detriment of other quality risks with 
more than a remote possibility of occurring.
    After considering the comments received, the Board revised the 
definition of quality risks such that the threshold of ``reasonable 
possibility of occurring'' applies to all risks, including risks of 
intentional misconduct by firm personnel and other participants. 
However, the Board continues to believe that firms should be explicitly 
prompted to consider risks of intentional misconduct in their risk 
assessment process, because without such a prompt, firms may discount 
the possibility that intentional misconduct may occur and omit or 
underweight these types of risks in their risk assessment process. 
Therefore, the final definition provides that, for all risks, whether 
or not related to intentional misconduct, the firm would assess the 
possibility of occurrence and the possibility that the risks would have 
an adverse effect on the achievement of its quality objectives.
    One firm suggested that while the threshold of ``adversely 
affecting'' is reasonably understood, additional guidance or examples 
would be welcomed. Another commenter noted that more examples serve as 
helpful interpretive guidance to those implementing the standard. Two 
firms believed the threshold is sufficiently clear and did not have 
specific requests for further guidance. The Board will monitor the 
implementation of the new standard by audit firms, and, if appropriate, 
consider the need for additional guidance.
    The standard requires the firm to identify and assess quality risks 
for each quality objective it establishes. Most quality objectives are 
likely to have multiple quality risks. Some quality risks may relate to 
multiple quality objectives, either within a single component or across 
several components. The nature and extent of the firm's risk assessment 
process would be commensurate with the firm's quality risks and 
therefore will vary across firms in nature, scope, and complexity. In 
assessing risks, the firm would consider how often the quality risks 
may occur and the magnitude of the impact of the quality risks on the 
related quality objectives. The firm would then take this information 
into account in determining the nature, timing, and extent of the 
quality response(s) needed to address the quality risk.
    One commenter requested clarification of whether the Board expects 
firms to categorize the identified risks (for example as lower, higher, 
or significant). While there is nothing in QC 1000 that requires such 
categorization, firms that find such an approach helpful could 
certainly use it.
    The standard requires the identification and assessment of quality 
risks annually. Requiring an assessment annually, as well as when 
matters come to the firm's attention, drives a systematic, disciplined, 
and proactive approach to assessing the firm's quality risks. Through 
the Board's oversight activities, it has observed that many firms 
update their QC systems on an ad hoc basis, in response to changes in 
regulatory requirements or deficiencies identified by internal or 
external inspections, and do not have a systematic process of risk 
assessment. This reactive approach can result in firms taking 
corrective actions only after deficient audits have been identified. 
The annual identification and assessment requirement will instill a 
regular and disciplined approach to performing the risk assessment 
process and to identifying new quality risks that require modifications 
to the firm's quality responses or quality risks identified in a prior 
year that may no longer be sufficient or relevant.
    The standard does not specify quality risks that must be assessed 
and responded to by all firms; rather it includes factors for the firm 
to consider in its risk assessment process. The Board believes that 
such an approach would result in the firm identifying and assessing the 
quality risks that are most relevant in light of its facts and 
circumstances.
i. Obtain an Understanding of the Conditions, Events, and Activities 
That May Adversely Affect the Achievement of the Firm's Quality 
Objectives
    The standard requires the firm, as part of identifying and 
assessing quality risks, to obtain an understanding of the conditions, 
events, and activities that may adversely affect the achievement of the 
firm's quality objectives. This understanding underpins the firm's 
identification and assessment of the quality risks that are most 
relevant to the achievement of the firm's quality objectives. Appendix 
B of the standard provides examples related to the nature and 
circumstances of the firm and its engagements that may give rise to 
quality risks.
    The considerations highlighted in paragraph .20a. and Appendix B 
could assist the firm in identifying one or more quality risks to the 
achievement of one or more quality objectives. For example, 
consideration of changes in a firm's structure may be relevant for a 
firm that has recently completed an acquisition of another firm. This 
consideration may result in the identification of a number of quality 
risks, such as a quality risk that the audit methodology used by the 
acquired firm may not be compatible with the acquirer's methodology or 
a quality risk that the firm is unable to retain personnel post-
acquisition, which may pose risks to quality objectives in areas like 
engagement performance and resources.
    Several commenters, including firms, noted that the examples 
provided in Appendix B were helpful. Two commenters expressed concern 
with the language used in paragraph .20a., specifically, that it was 
not sufficiently clear that the specific examples in Appendix B are 
meant to be illustrative rather than a checklist for every firm to 
consider. As the Board stated in connection with the proposal, the list 
in paragraph .20a. is not intended to be

[[Page 49624]]

exhaustive and the specific examples provided in Appendix B are meant 
to be illustrative rather than a checklist for every firm to consider. 
Whether particular conditions, events, and activities are relevant, and 
result in one or more quality risks, depends upon the nature and 
circumstances of the firm and its engagements and how the conditions, 
events, and activities relate to or affect the operation of the firm's 
QC system and the performance of its engagements. The firm may also 
identify quality risks that do not relate to the list in paragraph 
.20a. or to any of the specific examples.
    One firm expressed concern with the inclusion of proposed paragraph 
B10b. in Appendix B, which discusses the extent of alignment of a 
third-party provider's standards of conduct with those of the firm. The 
firm suggested that the example may imply that third-party providers 
from outside the public accounting profession may not be appropriate or 
sufficient, because they may not be subject to a centrally governed 
code of conduct. Nothing in the Board's standards requires a third-
party provider to have a centrally governed code of conduct and the 
Board has added the phrase ``if any'' to the example to eliminate any 
ambiguity in that regard. However, the Board does believe that the 
existence of such a code of conduct, and the extent to which it aligns 
with the firm's own standards of conduct, is a relevant example that 
could be considered by a firm in assessing whether there exist 
conditions, events, or activities, as a result of its use of resources 
or services obtained from third-party providers, that may adversely 
affect the achievement of its quality objectives.
(1) The Nature and Circumstances of the Firm
    The standard includes a list of considerations related to the 
nature and circumstances of the firm. Appendix B of the standard 
provides specific examples of each consideration in paragraphs .B2 
through .B11.
    The Board continues to believe that to consistently execute quality 
audits, it is important that a commitment to audit quality is embedded 
in the firm's culture and exists throughout the firm. In connection 
with this, the Board has added a new paragraph .20a.(1)(d) and 
paragraph .B5 to provide firms with an additional risk assessment 
consideration relating to the culture of the firm, and the extent to 
which a culture of integrity and a commitment to audit quality, 
including ethics and independence, is promoted within the firm and 
embraced by firm personnel across all levels of the firm.
    In addition, the Board has added paragraph .B6e. to highlight that 
in understanding the resources of the firm, the firm may also have to 
consider the risks associated with technological resources, including 
their susceptibility to cybersecurity breaches.
(2) The Nature and Circumstances of The Firm's Engagements
    In obtaining an understanding of the nature and circumstances of 
the firm's engagements, the firm considers the types of engagements 
performed by the firm as well as the types of entities for which such 
engagements are undertaken. Paragraph .B12 of Appendix B of the 
standard contains a list of examples of these considerations. For 
instance, a firm that conducts audits of broker-dealers may consider 
information from relevant authorities, like the SEC and Financial 
Industry Regulatory Authority (``FINRA''), in identifying risks 
associated with such audit engagements. The Board added an example to 
paragraph .B12a. to highlight that in understanding the nature and 
circumstances of the firm's engagements, the firm may also consider the 
laws and regulations to which the companies it audits are subject.
(3) Other Relevant Information
    Other relevant information captures other information sources that 
help the firm to identify quality risks. One such source is the firm's 
monitoring and remediation activities. Consideration of information 
from those activities creates a feedback loop within the QC system by 
informing the firm of the results of the monitoring and remediation 
process that may help the firm identify quality risks.
    Other sources are external inspections and oversight activities by 
regulators, and other external reviews, such as peer reviews. For 
example, the results of an external inspection may identify a high rate 
of noncompliance with independence requirements within a specific 
office of the firm or within a certain employee staff level, which the 
firm would take into account when identifying and assessing quality 
risks for the ethics and independence component.
ii. Identify and Assess Quality Risks Based on the Understanding 
Obtained
    Under the standard, identifying and assessing quality risks is an 
ongoing, iterative process. The firm assesses risks as part of the 
initial design and implementation of the QC system, and thereafter 
annually, including in response to new information or changes in its 
circumstances and environment.
    The standard requires the firm to identify and assess quality risks 
for each of the quality objectives established by the firm, based on 
the understanding of the relevant factors and other relevant 
information and taking into account whether, how, and the degree to 
which the achievement of the quality objectives may be adversely 
affected. The note clarifies that this assessment is based on inherent 
risk, without regard to the effect of any related quality responses. 
The assessment is similar to the determination made under AS 2201 as to 
whether an account or disclosure is significant based on inherent risk, 
without regard to the effect of controls.\164\ One commenter agreed 
with the clarification provided in the note that the assessment is 
based on inherent risk, but expressed concern that the note may not be 
sufficient to prompt or remind auditors of the independence of quality 
risks from quality responses. The Board believes that the note to 
paragraph .20b. provides clear direction for assessing quality risks 
without regard to the effect of quality responses. The Board will 
monitor the implementation of the new QC standard, and, if appropriate, 
consider the need for additional guidance. Quality risks may affect one 
or more quality objectives, either within a single component or across 
several components. For example, a quality risk that the firm may not 
be able to attract and retain qualified personnel would affect several 
quality objectives in the resources component, and may also affect 
quality objectives in other components, such as engagement performance 
or engagement acceptance and continuance.
---------------------------------------------------------------------------

    \164\ See AS 2201.A10.
---------------------------------------------------------------------------

    Under the definition of quality risks, the firm would not be 
required to identify every conceivable risk, but only those that have a 
reasonable possibility of occurring and, if they were to occur, a 
reasonable possibility of adversely affecting the firm's achievement of 
one or more quality objectives. The identification of quality risks 
takes into account individual risks as well as combinations of risks. 
For example, a risk that has a reasonable possibility of occurring but 
individually does not have a reasonable possibility of adversely 
affecting the achievement of the quality objective may meet the 
proposed definition of a quality risk when analyzed in combination with 
other risks.
    The firm may undertake the quality risk assessment separately or

[[Page 49625]]

concurrently with risk identification. Assessing the identified quality 
risks involves consideration of the frequency with which the quality 
risks may occur and the magnitude of the impact of the quality risks on 
the related quality objective(s). Identifying quality risks with the 
appropriate degree of specificity (not too narrowly or too broadly) 
would help the firm design quality responses that reduce to an 
appropriately low level the risk that the quality objective will not be 
achieved. Quality risks that are defined too broadly may result in 
quality responses that are not sufficiently targeted to the actual 
quality risk. Conversely, if quality risks are defined too narrowly, 
the quality responses may not sufficiently address the full extent of 
the actual quality risk.
    The process of identifying and assessing quality risks is depicted 
below.
BILLING CODE 8011-01-P
[GRAPHIC] [TIFF OMITTED] TN11JN24.005


[[Page 49626]]


BILLING CODE 8011-01-C
c. Design and Implement Quality Responses (QC 1000.21)
    The standard requires the firm to design and implement quality 
responses that address quality risks in order to achieve the quality 
objectives. Quality responses are defined as policies and procedures 
designed and implemented by the firm to address quality risks. Under 
the definition, policies are statements of what should, or should not, 
be done to address assessed quality risks. Procedures are actions to 
implement and comply with policies.
    Under the principles-based approach of the standard, the nature, 
timing, and extent of quality responses depend on the underlying 
quality risks and the reasons why these risks were assessed as quality 
risks. For example, a quality risk that is tied to an event that is 
expected to occur multiple times per year, or that could have a very 
significant impact, requires a more extensive response than a quality 
risk tied to a specific event that is expected to occur only once and 
have a less significant impact.
    The firm may decide to implement quality responses at the firm 
level or the engagement level, or through a combination of responses at 
the firm and engagement levels, depending on the nature of the quality 
risk. Quality responses may address multiple quality risks related to 
one or more QC components.
    Quality responses may vary depending on to whom they apply. For 
example, based on the quality risks that are being addressed, the firm 
may develop some policies and procedures that are applicable to all 
firm personnel and others that apply only to firm leadership or 
personnel in a particular function or geographic location. Similarly, 
the firm's policies and procedures regarding other participants may be 
different for different types of other participants (e.g., network 
affiliates, engaged specialists).
    Information obtained from the identification and assessment of 
quality risks enables the firm to develop quality responses that 
appropriately and adequately respond to the quality risks. In assessing 
risks, the firm would consider how often the quality risks may occur 
and the magnitude of the impact of the quality risks on the related 
quality objectives. The firm would then take this information into 
account in determining the nature, timing, and extent of the quality 
response(s) needed to address the quality risk.
    In addition to the quality responses designed by the firm, the 
standard requires certain specified quality responses for all firms. 
Some specified quality responses are drawn from existing PCAOB 
requirements \165\ or from the specified responses in ISQM 1,\166\ and 
have been included either to carry existing requirements into the new 
standard or to create other obligations that would have to be met in 
designing, implementing, and operating the QC system. Other specified 
quality responses are new provisions that the Board believes are 
sufficiently important to merit an explicit requirement. The specified 
quality responses are not intended to be comprehensive; on the 
contrary, for most of the components of the firm's QC system, QC 1000 
includes only a few specified quality responses, and for the engagement 
performance component there are none. As a result, the specified 
quality responses alone would not be sufficient to enable the firm to 
achieve all established quality objectives, and firms must design and 
implement their own quality responses in addition to the specified 
quality responses. The specified quality responses and the quality 
responses the firm designs and implements on its own are critical in 
addressing quality risks.
---------------------------------------------------------------------------

    \165\ See, e.g., QC 20.10, .13a, .13b, and .15a.
    \166\ See paragraph .34 of ISQM 1.
---------------------------------------------------------------------------

    For example, the specified quality response requiring mandatory 
training \167\ may address some of the quality risks related to certain 
quality objectives in the resources component (e.g., hiring, 
developing, and retaining firm personnel).\168\ However, mandatory 
training alone will not be sufficient to address all the quality risks 
that may be identified for that quality objective and will have to be 
combined with additional firm-developed quality responses.
---------------------------------------------------------------------------

    \167\ See QC 1000.48.
    \168\ See QC 1000.44a.
---------------------------------------------------------------------------

d. Modifications to the Quality Objectives, Quality Risks, or Quality 
Responses (QC 1000.22-.23)
    The standard requires firms to take proactive measures to address 
new quality risks that may come up between the firm's periodic risk 
assessments. To the extent practical, these policies and procedures 
would be not just retrospective, but also forward-looking, so the firm 
could anticipate and plan for significant changes. For example, a new 
accounting standard may result in a firm identifying a new quality risk 
that firm personnel may misinterpret the new standard. Identifying this 
risk prior to the next annual risk assessment may prompt the firm to 
revisit its quality responses that are affected by this event, and thus 
avoid potential problems in future engagements.
    One commenter suggested that it may be cost beneficial to require 
or encourage audit firms' QC leaders to stay current with developments 
in auditing literature to put them in a better position to triage newly 
identified quality risks and identify engagements susceptible to those 
risks. Another commenter recommended that firms be required to create 
an individual or other entity charged with maintaining situational 
awareness.
    The Board notes that paragraph .22 of QC 1000 requires firms to 
establish policies and procedures for monitoring changes to conditions, 
events, and activities that indicate modifications to the firm's 
quality objectives, quality risks, or quality responses may be needed. 
In addition, the individual(s) responsible for monitoring such changes 
are subject to the general due professional care standard of QC 
1000.10, which requires a critical assessment of the relevant 
information (which would include relevant literature). In light of 
these overarching requirements, the Board does not consider it 
necessary to add the specific provisions that commenters suggested. 
Rather, the Board believes that allowing flexibility for firms to 
establish policies and procedures to monitor, identify, and assess 
changes to conditions, events, and activities encourages firms to 
concentrate their efforts on the risks most relevant to them and 
contributes to the standard being appropriately scalable. A firm may of 
course determine, based on its nature and circumstances, that it is 
appropriate to establish specific policies and procedures for the 
monitoring of developments in auditing literature or to charge a 
specific individual with maintaining situational awareness.
    Policies and procedures in this area may vary, depending on the 
size and complexity of the firm and the types and variety of 
engagements it performs. For a larger firm operating in a complex 
environment and auditing a wide range of different types of companies, 
such policies and procedures would be extensive. For example, they 
could involve periodic meetings with teams across the firm to gather 
and analyze the necessary information to enable the firm to identify 
changes to conditions, events, and activities that may require 
modification of the firm's quality objectives, quality risks, or 
quality responses. Smaller and less complex firms, operating in a less 
varied and more stable environment, may have a

[[Page 49627]]

less extensive set of policies and procedures.
    If the firm identifies changes to conditions, events, or activities 
indicating modifications to the quality objectives, quality risks, or 
quality responses may be needed, the standard requires the firm to 
determine what, if any, modifications are needed, and to make them on a 
timely basis. The timing depends on the nature and extent of the 
modification needed. In some circumstances, immediate action may be 
required, whereas in other cases, if the impact on risk is less urgent, 
immediate action is not necessary. Modifications not implemented in a 
timely manner may fail to prevent quality risks from occurring and 
adversely affecting the quality objective. For example, in the case of 
a new accounting standard, the firm would need to implement any 
necessary modifications to its quality responses in time so that, once 
the standard became effective, firm personnel would be able to apply it 
properly.
2. Current PCAOB Standards
    Under current PCAOB QC standards, firms have a responsibility to 
establish and maintain a QC system to provide the firm with reasonable 
assurance that its personnel comply with applicable professional 
standards and the firm's standards of quality. The current QC standards 
make few explicit statements about risk assessment.\169\
---------------------------------------------------------------------------

    \169\ See, e.g., QC 20.16 (explaining that a firm's policies and 
procedures should provide for obtaining an understanding with the 
client about the services to be performed, to minimize the risk of 
misunderstandings); QC 30.05 (identifying risks associated with the 
firm's practice as a consideration in determining the need for and 
extent of internal inspection procedures in monitoring the firm's QC 
system).
---------------------------------------------------------------------------

Governance and Leadership

    The governance and leadership component of the firm's QC system 
addresses the environment that enables the effective operation of the 
QC system and directs the firm's culture, decision-making processes, 
organizational structure, and leadership. A firm's culture and tone, as 
set by leadership, can and should promote the importance of quality.
    The PCAOB has long considered firm governance and leadership to be 
an important aspect of firms' QC systems. For example, PCAOB 
inspections have historically covered the firm's tone at the top, a 
foundational aspect of governance and leadership, during the process 
for reviewing firms' QC systems.\170\ PCAOB inspection procedures focus 
on how firm management is structured and whether actions and 
communications by the firm's leadership--the tone at the top--
demonstrates a commitment to audit quality.\171\
---------------------------------------------------------------------------

    \170\ See, e.g., Report on the PCAOB's 2004, 2005, 2006, and 
2007 Inspections of Domestic Annually Inspected Firms, PCAOB Rel. 
No. 2008-008 (Dec. 5, 2008) at 6, available at https://pcaobus.org/Inspections/Documents/2008_12-5_Release_2008-008.pdf; Staff 
Inspection Brief, Vol. 2017/3: Information about 2017 Inspections 
(Aug. 2017) at 8, available at https://pcaobus.org/Inspections/Documents/inspections-brief-2017-3-issuer-scope.pdf.
    \171\ See https://pcaobus.org/oversight/inspections/inspection-procedures for information related to the PCAOB's inspection 
procedures.
---------------------------------------------------------------------------

1. QC 1000
a. Governance and Leadership Quality Objectives (QC 1000.24)
    Under QC 1000, a firm is required to establish quality objectives 
for the governance and leadership component in several different areas:
     The firm's commitment to quality;
     Organization and governance structure; and
     Resources.
i. The Firm's Commitment to Quality (QC 1000.25.a-d)
    The firm's commitment to quality is an important factor in 
influencing the behavior of firm personnel and the conduct of 
engagements. The Board believes that the firm's commitment to quality 
is most effectively demonstrated through the communications, actions, 
behaviors, and directives of leadership at all levels of the firm. 
Accordingly, the quality objectives related to commitment to quality 
are directed at the communications, actions, and accountability of firm 
leadership.
    Frequent and consistent communication from leadership to firm 
personnel regarding the commitment to quality is important in order to 
create an appropriate culture and tone at the top. Paragraph .25a. 
focuses on communicating and promoting key professional attributes by 
recognizing and reinforcing the firm's role in protecting the interests 
of investors and the public interest by meeting the firm's 
responsibilities; the importance of adhering to appropriate standards 
of conduct; the importance of professional ethics, values, and 
attitudes; and expected behavior and responsibility of firm personnel 
for quality both in QC-related activities and the performance of 
engagements. Collectively, these attributes and expected behaviors are 
the foundation of an effective QC system.
    To achieve an appropriate tone at the top, however, it is not 
enough for firm leadership to ``talk the talk.'' They also have to 
``walk the walk.'' Accordingly, paragraphs .25b. and .25c. establish 
objectives with regard to leadership's responsibility for and 
commitment to quality, including through leadership's own behavior. For 
example, leadership would demonstrate a commitment to quality by acting 
in a manner consistent with the firm's communications described in 
paragraph .25a. regarding expectations of firm personnel. Conversely, 
repeated failure to take steps to address known quality concerns would 
demonstrate a lack of commitment to quality.
    One commenter sought clarification on the term ``leadership,'' 
including whether it relates only to the specified roles in paragraph 
.11 and .12, or to all partners and equivalents in the firm. Under QC 
1000, leadership is not limited only to those in specified QC roles. 
While the composition of leadership may vary due to the nature and 
circumstances of the firm and its engagements and how the firm chooses 
to organize itself, it includes firm-wide leadership; the executive 
team; regional, office, and industry segment leadership; and any other 
levels of leadership the firm may establish. Not all partners or 
partner equivalents are necessarily leadership; it would depend on the 
role of the individual.
    Firms and firm-related groups were broadly supportive of the 
Board's proposed quality objectives for governance and leadership. 
However, several commenters, mostly investors and investor-related 
groups, urged the Board to go further in stressing the role of firm 
leadership and the QC system as a counterbalance to the economic 
incentives that may drive firms to compromise on quality. Some 
suggested that compensation plans should weigh quality as much as, or 
more than, revenue generation. One investor-related group suggested 
that the standard should increase accountability for the firm and firm 
leadership's quality control efforts. Another investor stated that 
audit quality should be required to be considered at the time of the 
appointment of firm leadership. One commenter suggested that 
leadership's accountability should not be limited to deficiencies and 
outcomes but extended to acknowledge positive behaviors and processes.
    After considering these comments, the Board revised paragraph .25b 
to explicitly mention performance evaluation and compensation in the 
context of defining leadership's responsibility for quality and holding 
leadership accountable. The Board believes this will drive increased 
clarity

[[Page 49628]]

about the scope of leadership's responsibilities and increased 
accountability for an effective QC system, and will prompt firms to 
focus on their expectations for leadership behavior and the incentives 
that drive it. Firms can use a variety of different means to define the 
responsibility for quality and drive accountability--from firmwide 
communications and policies to individualized job descriptions, 
performance targets, promotion criteria, compensation schemes, and 
sanctions--and can acknowledge both outcome-based and process-based 
measures and both positive and negative behaviors. The revised quality 
objective reflects that performance evaluation and compensation play a 
necessary role in that process.
    While the Board agrees with the commenter that quality 
considerations should be taken into account in the appointment of firm 
leadership, the Board believes other quality objectives already address 
that issue, such as paragraph .44g of QC 1000. Additionally, the 
criteria for appointing firm leadership may appropriately vary based on 
the size of the firm and the nature of its practice, so the Board has 
avoided being prescriptive in that regard. For example, a larger firm 
may have numerous candidates for leadership roles with many criteria 
considered for appointment, but smaller PCAOB audit practices may have 
limited personnel eligible for leadership roles.
    As noted in the proposal, paragraph .25d. focuses on the firm's 
commitment to quality in relation to its strategic decisions and 
actions, which include matters such as the firm's financial goals, 
growth of the firm's market share, industry specialization, business 
combinations, new geographic markets, and new service offerings. The 
quality objective emphasizes that a firm's strategic decisions and 
actions should be consistent with and support the firm's commitment to 
quality.
    One commenter expressed concern that strategic actions may take 
extended periods of time to yield benefits to quality, and it may be 
challenging for firms to demonstrate that such actions are consistent 
with a commitment to quality. The Board notes, however, that this 
quality objective does not prescribe any specific time horizon, and the 
Board believes it is wholly consistent with both short-term measures 
and long-term investments in technology, training, knowhow, and other 
means of strengthening a firm's audit practice that may take an 
extended period to yield measurable improvements.
    Some investors and investor-related groups suggested that the Board 
require a clear separation of duties between those responsible for 
audit quality and those responsible for commercial interests. Two of 
those commenters cited the regulation of credit ratings agencies as an 
example of appropriate separation of regulated activity and commercial 
interests.\172\ Another commenter cited with approval the 2007 
amendments to the AICPA QC standard, which included application 
material to the effect that QC leaders should have the authority to 
implement policies and procedures to ensure that others within the firm 
will not override those policies to meet short-term financial goals (a 
concept that does not appear in other QC standards).\173\
---------------------------------------------------------------------------

    \172\ See 17 CFR 240.17g-5(c)(8), pursuant to which ratings 
agencies are prohibited from having any person who participates in 
determining or monitoring a credit rating, or developing or 
approving procedures or methodologies used for determining a credit 
rating, also participate in sales or marketing or be influenced by 
sales or marketing considerations.
    \173\ See AICPA, QC Section 10, A Firm's System of Quality 
Control, paragraph .A5.
---------------------------------------------------------------------------

    The Board considered mandating a greater degree of separation 
between decision-making about QC and potential commercial motivations, 
as these commenters suggested, but the Board does not believe such 
separation can be achieved by all firms, especially firms with smaller 
PCAOB audit practices with limited leadership roles. As discussed in 
more detail below, the Board is requiring firms with larger PCAOB audit 
practices to include an element of independent oversight of their QC 
system. Moreover, the Board does not believe it would be appropriate to 
mandate a fully separate or independent QC function. Potential 
conflicts of interest at the engagement level are addressed in numerous 
ways in the Board's regulatory scheme: through independence 
requirements,\174\ ethical requirements of integrity and 
objectivity,\175\ and the basic requirement of professional skepticism, 
a critical aspect of due professional care.\176\ At the firm level, the 
Board believes that those conflicts can best be addressed by 
emphasizing the responsibility and accountability of firm leadership. 
QC 1000 requires that responsibility for QC reside at the highest 
levels of firm leadership, and that leaders are evaluated and 
compensated in a way that creates accountability. In the Board's view, 
appropriately incentivized firm leadership are best positioned to set 
the tone and establish a quality-focused culture throughout the firm. 
Rather than requiring firms to segregate the governance of the firm's 
audit practice from the firm's other commercial interests, the Board 
believes the quality objectives described in paragraph .25 will promote 
responsibility for and commitment to quality, while allowing firms to 
develop quality responses appropriate to their particular governance 
structure.
---------------------------------------------------------------------------

    \174\ See PCAOB Rule 3500T, Interim Ethics and Independence 
Standards.
    \175\ See EI 1000, Integrity and Objectivity.
    \176\ The general principles and responsibilities of the auditor 
when conducting an audit, including professional skepticism and due 
professional care, are being reaffirmed and combined in AS 1000, as 
adopted. See Auditor Responsibilities Release.
---------------------------------------------------------------------------

    Lastly, one commenter suggested the governance and leadership 
component should promote diversity, equity, and inclusion in recruiting 
talented leaders, a governance body, and auditors. Another commenter 
suggested leadership can demonstrate its commitment to quality through 
providing ongoing, meaningful support of scholarly audit and accounting 
research. The Board has not revised the standard to reflect these 
specific suggestions; however, firms may identify quality risks and 
design and implement quality responses in these areas to achieve the 
quality objective in paragraph .25a or other quality objectives 
established by the firm.
ii. Organizational and Governance Structure (QC 1000.25.e)
    Establishing and maintaining appropriate firm organizational 
structures provides an institutional framework supporting the firm's QC 
system and the performance of the firm's engagements. Organizational 
structures may include operating units, operational processes, 
divisions, and geographical locations.
    Firm organizational structures may differ based on the size and 
complexity of the firm in order to be flexible, scalable, and 
proportionate to the circumstances of the firm. Some firms may 
concentrate or centralize processes or activities and other firms may 
have a decentralized approach. Some firms may use internal shared 
service centers in the operation of the firm's QC system or to enable 
the performance of its engagements.
    A firm's governance structure may include a governing board or 
committee with representation from various service lines, or with 
members who are independent of the firm.\177\ Such a

[[Page 49629]]

governing board may have subcommittees to assist it with managing 
specific areas, such as strategic planning, resource planning, the 
firm's risk assessment process, and the monitoring and remediation 
process.
---------------------------------------------------------------------------

    \177\ When the Board refers to independence in the context of 
firm governance, it means the criteria typically applied to 
independent directors of issuers. See, e.g., New York Stock Exchange 
(``NYSE'') Listed Company Manual, Section 303A.01-.02; Nasdaq Rule 
5605(a)(2). This is distinct from the requirements for auditor 
independence from the audit client, discussed below.
---------------------------------------------------------------------------

    Paragraph .25e., which did not attract specific comment and the 
Board adopted as proposed, will drive a firm's organizational and 
governance structure to enable the design, implementation, and 
operation of the QC system and support performance of the firm's 
engagements in accordance with applicable professional and legal 
requirements. This results-oriented approach focuses on whether the QC 
system actually works as intended and allows firms to tailor the 
establishment of their governance structure. Additionally, the firm 
would consider the complexity and operating characteristics of the firm 
as part of performing its risk assessment process and identifying 
quality risks.\178\
---------------------------------------------------------------------------

    \178\ Appendix B includes an example regarding the existence and 
extent of governance structures providing oversight of leadership. 
See QC 1000.B2.g.
---------------------------------------------------------------------------

    The assignment of roles, responsibilities, and authority within the 
firm's organizational structure is a key aspect of the design, 
implementation, and operation of the QC system. Establishing clear 
roles and responsibilities and clear lines of authority helps to 
translate the broad institutional objectives of the QC system into 
individual actions to be performed and monitored, and for which 
individuals can be held accountable. The assignment of roles and 
responsibilities may vary across firms depending on the nature and 
circumstances of the firm and its engagements.\179\ For example, in a 
smaller firm with a limited number of individuals in leadership roles, 
the individual with oversight of the firm may assume all of the roles 
and responsibilities related to the QC system. A larger firm may have 
multiple levels of leadership that align to the firm's organizational 
structure.
---------------------------------------------------------------------------

    \179\ See Roles and Responsibilities above, for a discussion of 
specific roles and responsibilities that are required to be 
assigned.
---------------------------------------------------------------------------

iii. Resources (QC 1000.25.f)
    The firm's resources \180\ enable the operation of the firm's QC 
system and the performance of the firm's engagements. Firm leadership 
influences the nature and extent of the resources that the firm 
obtains, develops, uses, and maintains, and how those resources are 
allocated or assigned, including the timing of when they are used. This 
quality objective, which did not draw comment and which the Board 
adopted as proposed, emphasizes the importance of the firm having the 
necessary resources, and allocating them appropriately, such that the 
firm's QC system is designed, implemented, and operated effectively and 
the firm's engagements are performed in accordance with applicable 
professional and legal requirements.
---------------------------------------------------------------------------

    \180\ See Resources below, for a discussion of the different 
types of resources.
---------------------------------------------------------------------------

b. Governance and Leadership Specified Quality Responses (QC 1000.26-
29)
    The proposal included three specified quality responses in the 
governance and leadership component, discussed in greater detail below. 
Some firms and a firm-related group objected generally that the 
specified quality responses were overly prescriptive and unnecessary, 
and suggested they should be reformulated as risk-based quality 
objectives. Other firms generally supported including specified quality 
responses.
    The Board believes the specified quality responses address 
important risks that justify specific requirements and has retained 
them in the final standard. Firms are required to include these 
specified quality responses when designing and implementing quality 
responses to address the quality risks in the governance and leadership 
component.
    Proposed QC 1000 included a requirement for the firm to establish 
and maintain clear lines of responsibility and supervision within its 
QC system. A commenter argued that the quality objective in paragraph 
.25e is sufficient and the specified quality response was not 
necessary. While paragraph .27 may address a portion of the firm's 
quality response to .25e, the Board believes paragraph .27 provides 
additional direction that is appropriate for all firms. Establishing 
and maintaining structures within the firm--including defining 
authorities, responsibilities, accountabilities, and supervisory and 
reporting lines for roles within the firm--will support the effective 
design and operation of the QC system and the performance of the firm's 
engagements, regardless of the size of the firm or the types of 
engagements it performs. The requirement also complements the 
documentation requirements of QC 1000.\181\
---------------------------------------------------------------------------

    \181\ See QC 1000.82a. for the documentation requirements 
related to lines of responsibility and supervision.
---------------------------------------------------------------------------

    One commenter expressed concern that this requirement, in 
combination with the requirements of paragraph .12, could result in a 
prescriptive, hierarchical approach that would not be desirable or 
practical. The requirement in the final standard is intended to enhance 
supervision within the context of firms' existing QC systems and 
supervisory structures. It does not require firms to develop or adopt 
any particular supervisory structure and would be compatible with a 
range of different approaches, including very flat structures.
    The commenter also expressed concern that individuals acting in a 
supervisory capacity could face liability beyond what exists under 
Sarbanes-Oxley, which may disincentivize teaming. As discussed above, 
paragraphs .15, .16, and .17 of the final standard prescribe specific 
supervisory roles within a firm's QC system, and the individuals who 
fill those roles are supervisory persons who must exercise reasonable 
supervision for purposes of section 105(c)(6) of Sarbanes-Oxley. 
Additionally, to the extent that other individuals are assigned 
supervisory responsibilities in light of paragraph .27's specified 
quality response, those individuals, like all who are involved in the 
design, implementation, and operation of the QC system, must exercise 
due professional care as set forth in paragraph .10 of the final 
standard.
    Another commenter recommended that individuals in supervisory roles 
should be held liable only for knowing or reckless violations. The 
Board notes that paragraph .27 does not itself create responsibilities 
for supervisory personnel or prescribe standards of liability that 
apply when those responsibilities are not met. Those issues are 
addressed elsewhere in the PCAOB's standards and rules, including in 
the roles and responsibilities component of QC 1000 and PCAOB Rule 
3502,\182\ as well as in section 105(c)(6) of Sarbanes-Oxley.\183\ In 
the

[[Page 49630]]

Board's view, the requirement to establish and maintain clear lines of 
authority and supervision primarily serves to clarify how the QC system 
is structured and how it operates, by laying out clearly the 
authorities, responsibilities, accountabilities, supervisory and 
reporting lines, and who is responsible for each element of the QC 
system. If the requirement has consequences in terms of individual 
accountability and liability, that would only be because it removes any 
doubt about which individuals are acting in a supervisory capacity and 
the scope of their respective responsibilities, thereby clarifying how 
these other provisions should be applied.
---------------------------------------------------------------------------

    \182\ See PCAOB Rule 3502. The Board has proposed to amend Rule 
3502 to change the standard of conduct for associated persons' 
contributory liability from recklessness to negligence and to 
provide that an associated person contributing to a violation need 
not be an associated person of the registered firm that commits the 
primary violation. See PCAOB Rel. No. 2023-007.
    \183\ Under section 105(c)(6) of Sarbanes-Oxley, if an 
associated person of a registered public accounting firm violates 
any provision of law, rules, or standards referenced in section 
105(c)(6), the Board may impose sanctions on the firm or its 
supervisory persons if the Board finds that there was a failure 
reasonably to supervise that associated person with a view to 
preventing such a violation. The Board has adopted a rule related to 
section 105(c)(6) that provides for commencing a disciplinary 
proceeding if it appears that a firm or its supervisory personnel 
have failed reasonably to supervise an associated person who has 
committed a violation. See PCAOB Rule 5200, Commencement of 
Disciplinary Proceedings, at (a)(2); see also, e.g., In the Matter 
of Scott Marcello, CPA, PCAOB Rel. No. 105-2022-004 (Apr. 5, 2022) 
(imposing sanctions under section 105(c)(6)); In the Matter of WWC, 
P.C., PCAOB Rel. No. 105-2022-006 (Apr. 19, 2022) (same); In the 
Matter of KPMG Inc., Cornelis Van Niekerk, and Coenraad Basson, 
PCAOB Rel. No. 105-2022-015 (Aug. 29, 2022) (same).
---------------------------------------------------------------------------

    The proposal included a specified quality response to incorporate 
an oversight function for the audit practice including at least one 
person from outside the firm, which would apply to firms that issue 
audit reports with respect to more than 100 issuers. See Scalability 
above, for a discussion of the 100-issuer threshold.
    Comments were mixed on the need for and potential breadth of this 
requirement. The Board received several comments, primarily from 
investors and investor-related groups, suggesting that the proposed 
requirement did not go far enough. Some commenters stated that the 
oversight function should not be limited to one individual but instead 
a larger number (such as three) of independent non-employee members 
should be required, or potentially an advisory council or committee of 
the firm's board of directors with multiple or even a majority of 
independent non-employee members. Some of these commenters asserted 
that requiring only one person with undefined authority to serve in an 
oversight role makes it unlikely to be effective and falls short of the 
2008 recommendations of the U.S. Treasury Department's Advisory 
Committee on the Auditing Profession, which suggested consideration of 
``firms appointing independent members with full voting power to firm 
boards and/or advisory boards with meaningful governance 
responsibilities.'' \184\ One commenter objected that the requirement 
only mandates practices that are already in place at the largest firms, 
and so will not generate any change. Another commenter asserted that 
there is little merit in requiring an independent member of the firm's 
oversight function without also considering the balance of the 
oversight function and the contribution of the independent member. 
Others called for more specificity about the individual's role, 
including specific powers, such as the power to meet with firm 
management and obtain relevant information. Some investor-related 
groups also called for transparency on the role of the non-employee 
members.
---------------------------------------------------------------------------

    \184\ U.S. Treasury Department, Advisory Committee on the 
Auditing Profession Final Report (Oct. 6, 2008) at VII.8.
---------------------------------------------------------------------------

    Many commenters, including some larger firms, supported the 
oversight role. Two commenters suggested that the requirement for an 
independent oversight function be extended to apply to all firms that 
issue audit reports for issuers and one of these commenters suggested 
having firms consider whether an independent function is an appropriate 
response to achieving the quality objectives.
    Other commenters, including some mid-sized firms, did not support 
the specified quality response and suggested it should be a quality 
objective instead. One firm suggested that the objective could be 
better accomplished by designating an ``audit quality expert'' on a 
firm's board (similar to a ``financial expert'' on an audit committee) 
or by hiring independent external QC advisers. Some commenters 
expressed concern about the lack of specificity and clarity regarding 
the role, including questions regarding the individual's authority and 
function. One noted that the individual was not required to be a CPA 
and asserted that the need for and benefits of the role had not been 
sufficiently articulated; on that basis, the commenter did not support 
it. Another commenter did not see the linkage between the specified 
quality response and the quality objectives and suggested that the lack 
of definition of the role, coupled with a lack of clarity about which 
quality objectives were being addressed, would make implementation 
challenging. Other commenters stated that finding individuals to fill 
this role may be challenging.
    Some commenters requested guidance on how to implement the 
requirement, including with respect to the qualifications or roles of 
the individuals. One firm sought clarity on whether supervisory 
liability under Sarbanes-Oxley section 105(c)(6) would apply equally to 
members with an oversight or advisory function. Some commenters, 
including firms, expressed concern about the potential scope and 
meaning of the terms such as ``governance structure,'' ``independent 
judgment,'' and ``oversight function,'' and requested confirmation that 
current practices such as independent advisory boards are a permissible 
approach. One firm requested an extended implementation period to allow 
time for firms to design and implement the oversight function, 
including identifying and onboarding appropriate individuals.
    Based on the comments received, the Board refined the proposed 
requirement to provide additional specificity and clarity. The final 
rule refers to an ``external'' oversight function ``for the QC system 
composed of one or more persons,'' none of whom has a disqualifying 
relationship with the firm. This more precise language clarifies that 
the focus is on the QC system and emphasizes that the function is to be 
carried out entirely by one or more persons external to the firm, who 
are not principals or employees of the firm and do not have any other 
relationship with the firm that would interfere with the exercise of 
independent judgment with regard to QC-related matters. The Board also 
added a name for the position--External QC Function, or EQCF--which it 
believes clarifies and underscores that the person or persons are 
external to the firm and serve in a QC-focused role.\185\ The Board 
also conformed the provision to the descriptions in QC 1000.12 of other 
specified QC system roles by providing that the EQCF should have the 
experience, competence, authority, and time necessary to enable them to 
carry out the responsibilities assigned to them by the firm.
---------------------------------------------------------------------------

    \185\ Firms may assign other functions to the person or persons 
serving in the EQCF role so long as the specified QC function can be 
carried out as set forth in the standard and discussed in this 
release.
---------------------------------------------------------------------------

    To clarify what is entailed in ``an external oversight function for 
the QC system,'' the final standard also specifies a baseline 
requirement that the EQCF's responsibilities should include evaluating, 
at a minimum, the significant judgments made and the related 
conclusions reached by the firm when evaluating and reporting on the 
effectiveness of its QC system. The Board believes this addition is 
responsive to commenters who requested clarification of the proposal, 
as well as those suggesting that the

[[Page 49631]]

standard include some specific requirements with respect to the role. 
The Board expects that firms will make a number of significant 
judgments in performing and reporting on their QC system evaluation. 
The Board expects that the person or persons serving in this external 
oversight function will evaluate judgments made by firm personnel in 
the firm's evaluation of the firm QC system and the required reporting.
    The evaluation performed by the EQCF will be in some respects 
analogous to the EQR's evaluation of significant judgments made by the 
engagement team and the related conclusions reached in forming the 
overall conclusion on the engagement and in preparing the engagement 
report.\186\ Like the EQR, the EQCF will review and evaluate work 
performed by others, not redo the work, and must exercise due 
professional care in performing their responsibilities.\187\
---------------------------------------------------------------------------

    \186\ See AS 1220.09.
    \187\ See QC 1000.10; AS 1220.12.
---------------------------------------------------------------------------

    However, there are important differences between the requirements 
for the EQR and the EQCF. Unlike the EQR standard, QC 1000 does not 
impose specific limits on the length of service of the EQCF, though 
firms should consider the potential for arrangements relating to length 
of service, such as term limits and protections against removal, to 
prevent the creation of a relationship with the firm that impairs 
independent judgment. QC 1000 also does not specify the procedures the 
EQCF should perform to evaluate the significant judgments made and 
related conclusions reached. These may vary based on the circumstances 
of the firm and the design, implementation, and operation of its QC 
system, but must be sufficient to enable the EQCF to perform their 
evaluation with due professional care. In addition, unlike the EQR 
standard, QC 1000 does not require that the EQCF provide concurring 
approval of reporting, although firms would be free to establish such 
concurring approval as a matter of policy. Documentation will have to 
be prepared and maintained in sufficient detail to evidence how the 
quality response operated.\188\ This will form part of the QC 
documentation supporting the firm's ongoing risk assessment and 
monitoring and remediation efforts, as well as the Board's oversight 
activities. Under QC 1000.65, firms will be required to consider the 
EQCF's evaluation in their ongoing monitoring of the QC system 
(including monitoring of the evaluation process).
---------------------------------------------------------------------------

    \188\ QC 1000.83b. The board expects such documentation to 
include both (1) how the EQCF evaluated the significant judgments 
made and the related conclusions reached by the firm when evaluating 
and reporting on the effectiveness of its QC system and (2) the 
results of the EQCF'2 evaluation.
---------------------------------------------------------------------------

    Separately, the Board carefully considered commenter suggestions to 
increase the required number of independent individuals and to 
establish specific eligibility criteria for them. Given the oversight 
responsibility of an EQCF, the Board believes at least one person is 
always necessary and firms may determine, based on their circumstances, 
that more than one person is needed to appropriately carry out the 
function. The Board believes the requirement will respond to the 
quality objective in paragraph .25e by ensuring an independent 
perspective on QC matters, but it does not supplant firm leadership or 
relieve them of their fundamental responsibility to instill and 
maintain a firm culture that appropriately prioritizes QC. Accordingly, 
the Board does not believe it would be appropriate to mandate a 
specific number of individuals or the specific credentials they must 
have (besides their ability to exercise independent judgment with 
regard to matters related to the QC system and the general requirement 
that they have the experience, competence, authority, and time 
necessary to enable them to carry out their assigned responsibilities). 
Rather, the decision will be based on specific skillsets of the person 
or persons in this function to be able to carry out the requirements of 
the function. In that regard, firms may conclude that one or persons 
appointed to the EQCF should be non-auditors to bring a greater 
diversity of perspectives to the function.
    Beyond the minimum responsibilities specified in the standard, the 
Board gave firms flexibility in establishing other responsibilities of 
the EQCF, enabling the function to best respond to the nature and 
circumstances of the firm. For example, if the firm has experienced an 
increase in recurring engagement deficiencies, the firm may charge the 
EQCF with reviewing and evaluating the firm's remediation actions and 
monitoring plan. As another example, a firm may assign the EQCF with 
strategic responsibilities, such as maintaining situational awareness 
through the identification and monitoring of emerging risks or trends 
that could potentially affect the firm's QC system. While QC 1000 
specifies that the EQCF exercise oversight over the QC system, the firm 
may also choose to extend its authority more broadly. The 
responsibilities assigned to the EQCF will in turn drive decisions 
about the scope of the EQCF's authority. At a minimum, that will entail 
sufficient access to information, documentation, and firm personnel to 
enable evaluation of the significant judgments made and the related 
conclusions reached by the firm when evaluating and reporting on the 
effectiveness of its QC system, but it could be broader depending on 
the scope of the EQCF's responsibilities as assigned by the firm.\189\ 
Consideration of the experience, competence, and time necessary to 
serve in the role will likewise depend on the responsibilities assigned 
by the firm.
---------------------------------------------------------------------------

    \189\ The scope of the firm policies and procedures regarding 
the EQCF will also depend on its role and the associated risks. For 
example, pursuant to QC 1000.53g, firms will have to develop 
policies and procedures regarding information communicated to and 
obtained from the EQCF.
---------------------------------------------------------------------------

    The firm may consider many matters when establishing an EQCF. Such 
matters could include:
     The responsibilities assigned by the firm to the EQCF, 
including those specified in QC 1000;
     The qualifications required of the individual(s) assigned 
to fulfill those responsibilities, including those specified in QC 
1000;
     The scope of authority afforded to the EQCF in light of 
the assigned responsibilities;
     Whether to establish a direct line of communication from 
the EQCF to the individual assigned ultimate responsibility and 
accountability for the QC system as a whole, or the individual assigned 
operational responsibility for the QC system as a whole, or both;
     Whether to require that the EQCF comply with independence 
requirements applicable to auditors; \190\
---------------------------------------------------------------------------

    \190\ See Regulation S-X Rule 2-01(b)-(c), 17 CFR 210.2-01(b)-
(c), and PCAOB Rules under Section 3, Auditing and Related 
Professional Practice Standards, Part 5--Ethics and Independence.
---------------------------------------------------------------------------

     The level of external transparency of the EQCF's role and 
responsibilities;
     The compensation structure for the EQCF; and
     The term of service for the EQCF, including restrictions 
on removal and limits on length of service.
    In making these determinations, the firm should be mindful of the 
requirement that members of the EQCF not have any relationship with the 
firm that would interfere with the exercise of independent judgment 
with regard to matters related to the QC system.
    The EQCF could be, but would not be required to be, in the ``chain 
of command'' under the SEC independence rule.\191\ The Board does not 
believe that the EQCF would be a ``supervisory person'' under Sarbanes-
Oxley section 105(c)(6) solely by virtue

[[Page 49632]]

of having evaluated the significant judgments made and related 
conclusions reached by the firm when evaluating and reporting on the 
effectiveness of the firm's QC system. However, depending on the nature 
and degree of their responsibility, ability, or authority to affect the 
conduct of the firm's associated persons, as established by the firm, 
the EQCF could be subject to Sarbanes-Oxley section 105(c)(6).
---------------------------------------------------------------------------

    \191\ See 17 CFR 210.2-01(f)(8).
---------------------------------------------------------------------------

    The Board has not required the results of the EQCF's evaluation to 
be publicly disclosed.\192\ However, nothing set forth in this release 
would limit or prohibit firms from disclosing any information about the 
EQCF's activities--including the EQCF's practices, methods, or 
procedures, or the manner or results of the EQCF's evaluation--if the 
firm chooses.
---------------------------------------------------------------------------

    \192\ For a discussion of certain legal constraints imposed by 
Sarbanes-Oxley on the Board's ability to require public disclosure 
of certain QC-related information, see Section IV.L.1.c.ii. As part 
of a separate project, the Board has proposed a requirement for 
firms that have an EQCF to disclose the identity of the person or 
persons, an explanation for the basis of the firm's determination 
that each such person is independent of the firm (including the 
criteria used for such determination), and the nature and scope of 
each such person's responsibilities. See PCAOB Rel. No. 2024-003.
---------------------------------------------------------------------------

    Based on comments received and experience with inspections of 
firms' systems of quality control, the Board believes that investors, 
audit committees, and other stakeholders will benefit from the EQCF's 
evaluation even in the absence of public disclosure. An external 
oversight function should enhance the discipline with which the firm 
carries out its own QC system evaluation. As the Board observe the 
implementation and performance of the EQCF through its inspection 
activities, the PCAOB may publish observations or good practices. For 
these reasons, the Board believes that the EQCF will support 
improvements in firms' systems of quality control, ultimately 
benefiting investors, audit committees, and other stakeholders.
    People internal and external to the firm can help a firm identify 
instances of noncompliance with applicable professional and legal 
requirements earlier than might be possible through the firm's own 
monitoring.\193\ The proposal included a specified quality response 
requiring policies and procedures for addressing potential 
noncompliance with applicable professional and legal requirements and 
with the firm's policies and procedures with respect to the QC system, 
the firm's engagements, firm personnel, or other participants.
---------------------------------------------------------------------------

    \193\ In addition, through this process information may be 
received regarding noncompliance with laws and regulations by 
companies that engage the firm.
---------------------------------------------------------------------------

    This would include clearly defining channels within the firm that 
enable reporting of complaints and allegations by firm personnel and 
external parties (e.g., employees of companies or other participants) 
and establishing procedures for appropriately investigating and 
addressing such complaints and allegations, including complying with 
any applicable reporting or other requirements.\194\
---------------------------------------------------------------------------

    \194\ A firm's program for addressing complaints and allegations 
may be subject to requirements under applicable law regarding 
whistleblowers (such as, for example, N.Y. Labor Law Section 740). 
However, such a program should not be confused with a whistleblower 
program established and administered by the Federal government, 
including the program administered by the SEC, which has its own 
requirements and protections. See, e.g., 17 CFR 240.21F-1 through 
.21F-18. To the extent a firm's program for addressing complaints 
and allegations provides protective measures, such as 
confidentiality and non-retaliation, based only on firm policy and 
not on law, such protective measures may not create legally 
enforceable rights.
---------------------------------------------------------------------------

    The proposal sought comment on the appropriateness of this 
specified quality response, and whether any additional specified 
quality responses should be considered. Two firms that commented 
supported the specified quality response. Two other firms expressed 
concern with the prescriptiveness of other participants being included 
in the requirement. One investor suggested there should be an explicit 
requirement for a whistleblower mechanism with key protections such as 
confidentiality and protection against retaliation, and that the 
individual responsible for the firm's QC system be responsible for the 
investigation of whistleblower complaints and remediation of QC issues 
identified by whistleblowers.
    The Board adopted the specified quality response with some 
modifications, described below. The Board believes that establishing 
policies and procedures that support the reporting and investigation of 
potential noncompliance will assist firms in complying with applicable 
professional and legal requirements. It will also assist them in 
identifying and dealing with individuals, including those in 
leadership, who fail to comply with applicable professional and legal 
requirements or the firm's policies and procedures. Finally, it may 
result in firm personnel or external parties identifying and 
communicating deficiencies in the QC system.
    The final provision retains the reference to other participants, as 
the Board believes it is important for the firm to capture any 
potential noncompliance with applicable professional and legal 
requirements, including with regard to work performed by other 
participants that relates to the firm's QC system or the firm's 
engagements.
    The Board has expanded the requirements related to the firm's 
policies and procedures for collecting and addressing complaints and 
allegations to explicitly require that they:
     Be made available to all firm personnel and other 
participants;
     Address processes and responsibilities for receiving, 
investigating, and addressing complaints and allegations; and
     Include protecting persons making complaints and 
allegations from retaliation.
    The Board also expanded the specified quality response to require 
firms that issued audit reports with respect to more than 100 issuers 
during the prior calendar year to include confidentiality protections 
in their policies and procedures.
    The firm's policies and procedures regarding complaints and 
allegations should be made available to all firm personnel and other 
participants, which could occur by posting them on an intranet site or 
providing such policies and procedures to other participants upon 
engagement. The policies and procedures should include identifying who 
is responsible for receiving, investigating, and addressing complaints 
and allegations; describing the process for submitting complaints and 
allegations; and describing how the firm will investigate and address 
complaints and allegations received. The Board also specified that the 
policies and procedures should explicitly address protection against 
retaliation of persons making complaints and allegations, which the 
Board believes is a critical element of any effective program for 
receiving complaints and allegations.
    The required policies and procedures regarding investigating and 
addressing complaints and allegations allow scalability. The process 
for investigating and addressing a complaint or allegation would vary, 
commensurate with and responsive to the significance of the complaint 
or allegation.
    For firms that issued audit reports with respect to more than 100 
issuers during the prior calendar year, the policies and procedures 
will have to provide a confidential and anonymous submission process 
for complaints and allegations, similar to the requirements for audit 
committees under the Exchange Act.\195\ For example, a firm

[[Page 49633]]

may have a confidential and anonymous submission process through a 
website, toll-free number, or mobile app, and could manage the process 
in-house or through a third-party provider. The firm's policies and 
procedures will also have to provide for protection, during the 
investigation, of the confidentiality of individuals and entities who 
make complaints and allegations. The Board believes this requirement 
specifically targets and responds to potential quality risks that are 
more likely to arise in audit practices of a certain size and 
complexity. However, firms that are not subject to this express 
requirement may nevertheless determine that such requirements are a 
necessary or appropriate quality response to address their quality 
risks.
---------------------------------------------------------------------------

    \195\ See 15 U.S.C. 78j-1(m).
---------------------------------------------------------------------------

2. Current PCAOB Standards
    Existing PCAOB QC standards contain limited references to firm 
governance and leadership. For example:
     QC 20 acknowledges that the QC system includes the firm's 
organizational structure; \196\
---------------------------------------------------------------------------

    \196\ See QC 20.04.
---------------------------------------------------------------------------

     The SECPS member requirements on independence quality 
controls provide that the importance of compliance with such 
independence standards, and the QC standards, should be reinforced by 
management of the member firm, thereby setting the appropriate tone at 
the top and instilling its importance into the professional values and 
culture of the member firm; \197\ and
---------------------------------------------------------------------------

    \197\ See SECPS 1000.46.
---------------------------------------------------------------------------

     The SECPS member requirements provide that member firms 
should communicate to all professional firm personnel the broad 
principles that influence the firm's quality control and operating 
policies and procedures on, at a minimum, matters related to the 
recommendation and approval of accounting principles, present and 
potential client relationships, and the types of services provided, and 
inform professional firm personnel periodically that compliance with 
those principles is mandatory.\198\
---------------------------------------------------------------------------

    \198\ See SECPS 1000.08(l).
---------------------------------------------------------------------------

Ethics and Independence

    This component addresses the fulfillment of firm and individual 
responsibilities under relevant ethics and independence requirements. 
Adhering to such requirements is a foundational concept that not only 
promotes audit quality but also safeguards the vital role that auditors 
play within the capital markets.
    The ethics and independence component of the standard has been 
tailored to the ethics and independence requirements that apply to 
engagements performed under PCAOB standards. Under the standard, ethics 
and independence requirements include the PCAOB's ethics and 
independence standards and rules, the SEC's rule on auditor 
independence, and other applicable requirements regarding accountant 
ethics and independence, such as those arising under state law or the 
law of other jurisdictions (e.g., obligations regarding client 
confidentiality).\199\ The Board clarified that the reference to other 
applicable requirements is limited to those that are relevant to 
fulfilling auditor obligations and responsibilities in the conduct of 
engagements or in relation to the QC system. The standard requires 
firms to establish quality objectives related to ethics and 
independence requirements and design and implement specified quality 
responses.
---------------------------------------------------------------------------

    \199\ Footnote 10 to QC 1000 provides: Ethics and independence 
requirements include PCAOB independence and ethics standards and 
rules, the U.S. Securities and Exchange Commission (``SEC'') rule on 
auditor independence, and other applicable requirements regarding 
accountant ethics and independence that are relevant to fulfilling 
their obligations and responsibilities in the conduct of engagements 
or in relation to the QC system, such as those arising under state 
law or the law of other jurisdictions. See, e.g., 17 CFR 210.2-01, 
and PCAOB Rules under Section 3. Auditing and Related Professional 
Practice Standards, Part 5--Ethics and Independence.
---------------------------------------------------------------------------

1. QC 1000
a. Ethics and Independence Quality Objectives (QC 1000.31)
    Understanding of and compliance with ethics and independence 
requirements are fundamental to the auditor's role. Adherence to 
standards of professional ethics is as important as adherence to 
requirements regarding auditor independence, and firms' QC systems 
should address both. Under the standard, firms are required to 
establish quality objectives that address understanding of and 
compliance with ethics and independence requirements. While maintaining 
independence and adhering to ethical requirements is each individual's 
responsibility, the firm also has responsibility and plays a critical 
role in ensuring that individuals understand those requirements and 
have the tools and resources they need to comply.
    One firm suggested that the Board clarify the ethical requirements 
that are subject to the responsibility of the individual assigned 
operational responsibility for the firm's compliance with ethics and 
independence requirements. The firm specifically commented that 
competence and due care are characteristics required by both ethical 
standards and QC standards, and as a result, there could be confusion 
over whether such requirements are ethical requirements or quality 
control requirements when determining the responsibility of the 
individual assigned operational responsibility for the firm's 
compliance with ethical and independence requirements. In some cases, a 
matter may be applicable to the responsibilities of both the individual 
assigned operational responsibility for the firm's compliance with 
ethics and independence requirements and the individual assigned 
operational responsibility and accountability for the QC system as a 
whole. A firm could divide responsibilities based on the specific 
issues involved, so long as the lines of responsibility are clear (for 
example, duties of competence and due care in the context of the audit, 
codified under the PCAOB's ethics rules, could be assigned to the 
individual with operational responsibility for compliance with ethics 
and independence requirements, while duties of competence and due care 
in the context of QC system activities, codified in QC 1000, could be 
assigned to the individual with operational responsibility for the QC 
system).
    Under the standard, the firm is required to establish a quality 
objective to identify conditions, relationships, events, and activities 
that could result in violations of ethics and independence requirements 
and evaluate and respond to such conditions, relationships, events, and 
activities on a timely basis. This will help the firm reduce the risk 
of noncompliance by identifying potential violations of ethics and 
independence requirements in time to prevent many violations and to 
quickly remediate violations that do occur. For example, a firm that 
plans to acquire another firm could identify the acquisition as an 
event that could result in independence violations by the personnel of 
the acquired entity. This could prompt the firm to develop policies and 
procedures that address onboarding processes for firm personnel of 
acquired entities around independence. These policies and procedures 
would assist in identifying and resolving potential independence 
violations before the acquisition is completed. One firm commented that 
as the proposed quality objectives for ethics and independence are 
broadly consistent with other jurisdictional and international quality 
control/management standards, it

[[Page 49634]]

believes that they are appropriate, and no further changes are needed.
    An investor-related group expressed concern that the proposal did 
not sufficiently address conflicts of interest, such as when an audit 
firm performs other services for the audited company. The investor-
related group further commented that without clear separation between 
those responsible for quality control and those responsible for 
maintaining client relationships and winning consulting contracts, 
investors can have less than full confidence the system of quality 
control will ensure the necessary level of audit quality. The Board 
acknowledges that QC 1000 does not create new requirements regarding 
auditor independence. However, in relation to the commenter's specific 
concern about the performance of non-audit services, QC 1000 requires 
the QC system to operate over compliance with numerous restrictions on 
non-audit services that exist under current independence rules enacted 
in response to previous independence conflicts.\200\
---------------------------------------------------------------------------

    \200\ See, e.g., 17 CFR 210.2-01(c)(4); PCAOB Rules 3522-3526.
---------------------------------------------------------------------------

    QC 1000 establishes quality objectives that apply to all firms. 
Within the ethics and independence component, firms are required to 
establish quality objectives that address both personal and firm-level 
compliance. Personal violations include such matters as owning stock in 
companies that are audit clients of the firm or its affiliated entities 
while a ``covered person in the firm.'' \201\ Firm-level violations 
include such matters as providing prohibited services or failing to 
obtain required audit committee pre-approval. The Board has also 
included specified quality responses that directly address the firm's 
policies and procedures for identifying and monitoring firm and 
personal relationships with audit clients to help mitigate the risk of 
potential violations. In addition, the roles and responsibilities 
requirements direct firms to assign an individual operational 
responsibility for the firm's compliance with ethics and independence 
requirements to provide oversight specifically focused on this area.
---------------------------------------------------------------------------

    \201\ See 17 CFR 210.2-01(f)(11).
---------------------------------------------------------------------------

    The quality objectives address compliance with ethics and 
independence requirements not just by firm personnel, but also by 
others who may be subject to ethics and independence requirements in 
relation to work they perform on behalf of the firm. These others may 
include, for example, ``persons associated with a public accounting 
firm'' as defined in PCAOB rules \202\ or ``covered persons in the 
firm'' under the SEC independence rule.\203\ The Board notes that these 
and other concepts used in the ethics and independence rules do not map 
directly to the terminology the Board generally uses in QC 1000. (For 
example, some ``other participants,'' such as other accounting firms, 
are subject to independence requirements, while others, such as engaged 
specialists and the company's internal auditors, are not.) To ensure 
that the requirements for this component of the QC system align with, 
and do not go beyond, the ethics and independence requirements over 
which the QC system would operate, in this component the Board uses 
terminology that incorporates or refers back to the underlying ethics 
and independence requirements. For example, rather than having quality 
objectives address compliance by ``other participants,'' in this 
component the quality objective addresses compliance by ``others 
subject to [ethics and independence] requirements.''
---------------------------------------------------------------------------

    \202\ See PCAOB Rule 1001(p)(i).
    \203\ For example, because the definition of ``accounting firm'' 
under 17 CFR 210.2-01(f)(2) includes associated entities, ``covered 
persons in the firm'' may include personnel of network affiliates in 
addition to firm personnel.
---------------------------------------------------------------------------

    One firm commented that it supported the direction of the quality 
objectives, but asserted that some of the terms were confusing as it 
related to ``others subject to ethics and independence requirements.'' 
The firm questioned whether these correspond to other participants as 
defined in the standard. The firm further commented that the 
terminology used for others subject to ethics and independence 
requirements could create operational challenges because those terms 
are open to interpretation and requested that the Board clarify the 
language the standard used. The firm suggested that the proposed 
requirements that contain this language could go beyond the intended 
applicability of the independence rules to the various parties 
contemplated. Again, the Board uses terminology in this component that 
incorporates or refers back to the terminology used in ethics and 
independence rules, terminology which it believes is well understood in 
those contexts. The Board uses it precisely to avoid going beyond the 
scope of existing ethics and independence requirements, and to ensure 
that QC 1000 addresses exactly the same population as the ethics and 
independence rules themselves.
    One firm commented that while the proposed quality objectives for 
ethics and independence are appropriate and important, further 
clarification may be needed of how the objectives apply to firm 
personnel. Specifically, the firm argued that it could be inferred that 
the ethics and independence requirements extend to all individuals 
involved in the operation of the firm's QC system, including those 
individuals who are not subject to the requirements under the existing 
PCAOB and SEC independence rules, for example, data research teams. QC 
1000 does not impose ethics and independence requirements on 
individuals who are not currently subject to them. References in the 
standard to ``requirements'' and ``obligations'' are to existing 
requirements and obligations which themselves specify to whom they 
apply. However, firms may choose to implement broader policies 
regarding ethical behavior that impose requirements on individuals who 
are not subject to the ethics and independence rules of the PCAOB and 
the independence rule of the SEC.
    With respect to the timing of communication of violations to the 
individual assigned operational responsibility for the firm's 
compliance with applicable ethics and independence requirements, the 
quality objective states that such actions should take place on a 
timely basis. One firm agreed that timely communication of ethics and 
independence related matters within the firm is important for audit 
quality, but expressed concern that the prescriptive nature of the 
requirements addressing communications may detract from the achievement 
of the intended objectives. The firm suggested that it is important to 
recognize that the evaluation of certain matters would be done in 
accordance with the firm's policies and procedures, which are designed 
to strike a balance between prematurely alerting individuals to matters 
for which the facts and potential impacts are not sufficiently known 
and making sure those with ultimate responsibility for decisions are 
made aware on a timely basis. The final standard does not specify that 
all violations need to be communicated immediately. However, the Board 
believes timely communication and action should be sufficiently prompt 
to achieve its objective. In some cases, for example, where there is a 
high risk of a severe or pervasive problem, communication and action 
may have to be immediate to be timely.
b. Ethics and Independence Specified Quality Responses (QC 1000.32-.36)
    The specified quality responses are primarily based on existing 
PCAOB ethics and independence requirements and SEC independence 
requirements,

[[Page 49635]]

including the provisions regarding independence quality controls that 
currently apply to SECPS member firms.\204\ The Board incorporated 
these SECPS member requirements into QC 1000, with some refinements, 
and extending those requirements to all firms. The Board's view is that 
the SECPS requirements address matters that are generally relevant to a 
QC system operating over compliance with SEC and PCAOB independence 
rules. Since those rules apply to all firms that perform engagements 
for issuers and broker dealers, the Board believes it is appropriate to 
extend the SECPS requirements to all firms.
---------------------------------------------------------------------------

    \204\ See SECPS 1000.46.
---------------------------------------------------------------------------

    Under the standard, the firm is required to design, implement, and 
maintain policies and procedures for the following:
     General ethics and independence matters;
     Certain specific matters that may reasonably be thought to 
bear on independence;
     Communication regarding ethics and independence policies 
and procedures; and
     Mandatory training on ethics and independence.
    One firm commented that it generally supports the specified quality 
responses and believes that it is appropriate to have the same set of 
independence requirements apply for all firms. Another firm suggested 
that the specified quality responses are not necessary to achieve the 
objectives of QC 1000. Instead of prescriptive specified responses, the 
firm suggested that the standard include more specified quality 
objectives which would promote scalability and allow for future 
adaptations to technological or other innovations. Another commenter 
said that the proposal expanded on the independence requirements in a 
granular manner and suggested that the details be moved into an 
appendix or practice aid or provided as additional guidance to help 
reduce differences between QC 1000 and other standard setters. The 
specified quality responses for the ethics and independence component 
primarily carry forward existing requirements from the PCAOB's QC 
standards and extend certain existing requirements to all firms. The 
Board believes that the specified quality responses relate to risks 
that apply to all firms and therefore should be addressed by all firms. 
The Board intends them to be obligations of all firms and have 
therefore codified them within the rule text rather than as guidance.
i. QC Policies and Procedures About General Ethics and Independence 
Matters (QC 1000.33)
    The standard requires the adoption of policies and procedures 
regarding general ethics and independence matters, carrying forward 
current PCAOB and SEC requirements.
    The proposed requirement in QC 1000.33.a did not draw comment and 
was adopted as proposed.
    The phrase ``may reasonably be thought to bear on independence'' is 
used in PCAOB Rule 3526 \205\ and should be familiar to all firms. It 
is taken from an independence standard that predates the existence of 
the PCAOB,\206\ and, as the Board noted in connection with the adoption 
of Rule 3526, it focuses auditors on the perceptions of reasonable 
third parties when making independence determinations. It is consistent 
with the SEC's general standard on independence.\207\ The firm's 
policies and procedures are required to address all matters that may 
reasonably be thought to bear on the independence of the firm, firm 
personnel, and affiliates of the firm under SEC and PCAOB rules.
---------------------------------------------------------------------------

    \205\ See PCAOB Rule 3526 (requiring auditors to describe to the 
audit committee relationships that may reasonably be thought to bear 
on independence).
    \206\ See Independence Standards Board Standard No. 1, 
Independence Discussions with Audit Committees. ISB No. 1 was 
included in the Board's interim standards until it was superseded by 
the adoption of Rule 3526.
    \207\ See 17 CFR 210.2-01(b).
---------------------------------------------------------------------------

    In addition to the broad concept of matters that ``may reasonably 
be thought to bear on independence,'' SEC and PCAOB rules address 
certain specific matters that bear on independence. For example, 17 CFR 
210.2-01(c) sets forth a non-exclusive list of circumstances that the 
SEC considers to be inconsistent with independence.\208\ Such 
circumstances include, among others, certain financial relationships, 
employment relationships, business relationships, non-audit services, 
contingent fees, and circumstances related to partner rotation. PCAOB 
rules also list certain prohibited tax transactions and tax services 
that would make the firm not independent of its client.\209\
---------------------------------------------------------------------------

    \208\ See 17 CFR 210.2-01(c).
    \209\ See PCAOB Rule 3522, Tax Transactions; PCAOB Rule 3523, 
Tax Services for Persons in Financial Reporting Oversight Roles.
---------------------------------------------------------------------------

    The underlying facts and circumstances and relevant requirements 
will determine what actions need to be taken by the firm to address a 
matter that may reasonably be thought to bear on independence. For 
example, in some situations, it will be sufficient to communicate the 
matter to the audit committee. In other situations, further action may 
be required.
    The proposed requirements in QC 1000.33.b-c did not draw comment 
and were adopted substantially as proposed.
    Integrity and objectivity are important ethical concepts currently 
addressed in QC 20.\210\ Under the existing standard, integrity 
requires personnel to be honest and candid within the constraints of 
client confidentiality, whereas objectivity imposes the obligation to 
be impartial, intellectually honest, and free of conflicts of interest.
---------------------------------------------------------------------------

    \210\ See QC 20.10.
---------------------------------------------------------------------------

    As discussed in more detail below, the Board rescinded the interim 
ethics and independence standard, ET 102, Integrity and Objectivity, 
and replacing it with a new standard, EI 1000, Integrity and 
Objectivity.\211\ QC 1000 includes a reference to that new rule and to 
PCAOB Rule 3500T, Interim Ethics and Independence Standards.
---------------------------------------------------------------------------

    \211\ See Rescission of ET Section 102; adoption of EI 1000; 
related amendments.
---------------------------------------------------------------------------

    The final standard clarifies that firm personnel are expected to 
demonstrate integrity and objectivity in carrying out all of their 
professional responsibilities associated with the QC system and the 
performance of engagements. This includes activities ranging from the 
design and implementation of the QC system, monitoring and remediation, 
and evaluation of the QC system, to training and professional 
development; planning, performing, and supervising engagements; and 
internal and external communications. The Board also believes that it 
is important for the firm's policies and procedures to address 
obligations related to integrity and objectivity for associated persons 
of the firm, other than firm personnel, who perform work on behalf of 
the firm.
    The proposed requirement in QC 1000.33.d did not draw comment and 
was adopted as proposed.
    Establishing a consultation process on independence matters is an 
existing concept under SECPS independence requirements. Currently, 
SECPS member firms are required to designate a senior-level partner 
responsible for overseeing the adequate functioning of the firm's 
independence policies and consultation process.\212\
---------------------------------------------------------------------------

    \212\ See SECPS 1000.46 (requirement 5).
---------------------------------------------------------------------------

    The Board expanded this concept in QC 1000 by covering not only 
independence matters, but also ethics matters, and by expressly 
requiring the firm's policies and procedures to address the 
identification of ethics and independence matters that require 
consultation. The Board believes the

[[Page 49636]]

specific focus on identifying matters requiring consultation should 
prompt firm personnel and others subject to such requirements to more 
effectively identify ethics and independence issues that are new, 
challenging, or complex and that would benefit from evaluation by 
subject matter experts. The Board applied the requirement to all firms, 
not just SECPS member firms.
    Under existing SECPS requirements, member firms are required to 
establish a monitoring system to determine that corrective actions are 
taken on all apparent independence violations reported by firm 
personnel.\213\ Under those requirements, the monitoring system should 
include procedures to provide reasonable assurance that (i) investments 
of the firm and its benefit plans are in compliance with the firm's 
policies and (ii) information received from its partners and managers 
is complete and accurate. The SECPS requirements do not prescribe 
specific activities for the monitoring system, other than stating that 
generally it includes auditing, on a sample basis, selected information 
such as brokerage statements, or alternative procedures that accomplish 
the same objective. One firm requested clarification of whether 
auditing, on a sample basis, selected information such as brokerage 
statements, will be mandatory under QC 1000. The standard does not 
prescribe specific activities to monitor compliance with ethics and 
independence requirements and the firm's ethics and independence 
policies. This allows scalability based on the firm's size and specific 
circumstances. The Board expects that firms that have developed 
monitoring systems to comply with SECPS requirements would continue to 
use these systems as one aspect of monitoring compliance under the 
standard. While auditing brokerage statements is not mandatory under QC 
1000, the firm must design, implement, and maintain policies and 
procedures to monitor compliance with applicable ethics and 
independence requirements and related firm policies and procedures. 
Based on the firm's size and specific circumstances, a firm can choose 
which monitoring activities are an effective response to meet the 
quality objective.
---------------------------------------------------------------------------

    \213\ See SECPS 1000.46 (requirement 7.d).
---------------------------------------------------------------------------

    With respect to compliance with applicable ethics and independence 
requirements by the firm and its affiliates, the Board understands that 
firms employ various manual and automated tools for evaluating whether 
the firm and its affiliates comply with SEC and PCAOB independence 
requirements and the firm's independence policies and procedures. Some 
examples of such tools include having a centralized process to monitor 
business relationships, establishing an independence confirmation 
process that includes detailed guidance and questions related to 
independence and prohibited non-audit services, and periodic review of 
the completeness and accuracy of information reported on independence 
confirmations.
    A firm may establish ethics and independence policies and 
procedures that are more restrictive than the rules of the SEC and 
PCAOB--for example, to comply with requirements of other jurisdictions 
or to simplify compliance with SEC and PCAOB requirements by setting 
bright-line policies and reducing the range for individual judgment. 
Under the standard, the firm's evaluation of compliance covers 
applicable ethics and independence requirements as well as the firm's 
policies and procedures.
    The proposed requirements in QC 1000.33.f were adopted 
substantially as proposed.
    As previously discussed, QC 1000 includes the existing SECPS 
requirement for firms to have policies and procedures that address 
independence violations and expands the requirement to cover all firms 
and to include ethics violations.
    Under the standard, the firm is required to establish policies and 
procedures addressing violations and potential violations of ethics and 
independence requirements. These types of policies and procedures are 
intended to be preventive, detective, and corrective by nature.
    The firm's policies and procedures are required to address 
identifying conditions, events, relationships, or activities that could 
constitute ethics or independence violations involving the firm, firm 
personnel, and, with respect to work performed on behalf of the firm, 
others subject to such requirements. For example, if a firm or its 
network is contemplating a reorganization or restructuring that would 
affect the relationships among affiliated firms or other entities, 
identifying post-reorganization investment activities as such an 
activity could assist the firm in designing and implementing 
appropriate policies to prevent independence violations.
    With respect to ethics and independence violations that do or could 
occur, the firm's policies and procedures are required to address the 
taking of preventive and corrective actions to address violations on a 
timely basis. Such policies and procedures could specify the 
individuals responsible for taking preventive and corrective actions 
(at the engagement or firm level), the timing of preventive and 
corrective actions, and any potential sanctions against firm personnel 
or other individuals for violating ethics and independence 
requirements. While one firm supported bringing greater attention and 
accountability to the ethics and independence component, it suggested 
that the level of prescription may create operational challenges that 
could be detrimental to audit quality. Specifically, with regards to 
paragraph .33f.(2), the firm commented that ethical or independence 
violations may take a variety of forms and that dictating that 
preventive and corrective actions must be taken does not promote a 
risk-based approach. The standard requires that a firm's policies and 
procedures address, with respect to violations and potential 
violations, the taking of preventive and corrective actions, as 
appropriate. Ethics or independence violations may take a variety of 
forms, and therefore the nature and extent of the preventive and/or 
corrective actions may also take a variety of forms commensurate to the 
severity and pervasiveness of the violation.
    The firm's policies and procedures are required to address 
reporting of ethics and independence violations. QC 1000 requires that 
firm personnel and others performing work on behalf of the firm that 
are subject to the ethics and independence requirements report both 
their own violations and other violations of which they become aware 
that may affect the firm. The Board revised the language in proposed 
paragraph .33f.(3) to clarify that the requirement applies to others 
performing work on behalf of the firm that are subject to the ethics 
and independence requirements.
    The standard takes a principles-based approach, which allows each 
firm to determine which reporting mechanisms best fit its structure and 
address its quality risks. Through the Board's oversight activities, it 
has observed that firms employ various mechanisms for firm personnel to 
report violations. Some examples include direct communication lines to 
an ethics and independence group, designated individuals within the 
human resources department or the legal department, and whistleblower 
hotlines.\214\ Firms may assess each case individually and involve 
appropriate subject matter experts, depending on the nature of the

[[Page 49637]]

violation. Some firms also establish escalation protocols for certain 
types of ethics and independence violations (e.g., violations involving 
a partner in the firm).
---------------------------------------------------------------------------

    \214\ See, e.g., paragraph .29 of QC 1000, discussed above, for 
requirements regarding firm processes for addressing complaints and 
allegations.
---------------------------------------------------------------------------

    In addition, the firm's policies and procedures are required to 
address any communications that need to take place as a result of a 
violation of ethics and independence requirements. For example, PCAOB 
Rule 3526 requires certain communications to the audit committee 
regarding matters that are thought to bear on the firm's independence, 
including violations of independence requirements.
ii. QC Policies and Procedures About Certain Matters That May 
Reasonably Be Thought To Bear on Independence: Restricted Entities, 
Independence and Ethics Certifications, and Matters Requiring Audit 
Committee Pre-Approval
    Under the standard, the firm's policies and procedures on matters 
that may reasonably be thought to bear on the independence of the firm 
are required to address, among other things, (1) restricted entities, 
including the maintenance and dissemination of the list of restricted 
entities; (2) independence and ethics certifications; and (3) matters 
requiring audit committee pre-approval.
(1) Restricted Entities (QC 1000.34.a-d)
    Most of the requirements related to restricted entities come from 
existing SECPS member requirements,\215\ which will now apply to all 
firms. Under the standard, as under current requirements, restricted 
entities include all audit clients (including affiliates of the audit 
client) of the firm and affiliates of the firm. One firm commented that 
the proposal did not define ``affiliates'' and recommended either 
referencing the definition provided in PCAOB Rule 3501 or defining the 
term in the standard in a manner similar to Rule 3501. ``Audit 
client,'' ``affiliate of the audit client,'' and ``affiliate of the 
accounting firm'' are terms defined in existing PCAOB and SEC 
rules.\216\ As proposed, paragraph .34 includes a footnote referring to 
those definitions.
---------------------------------------------------------------------------

    \215\ The SECPS term ``restricted entities'' includes all audit 
clients of the firm (and, where applicable, its foreign-associated 
firms) that are SEC registrants, along with other entities that the 
firm is required to be independent of under the applicable SEC 
requirements.
    \216\ ``Audit client'' is defined for purposes of SEC rules in 
17 CFR 210.2-01(f)(6), and for purposes of PCAOB rules in PCAOB Rule 
3501(a)(iv). ``Affiliate of the audit client'' is defined in PCAOB 
Rule 3501(a)(ii) as having the same meaning as defined in 17 CFR 
210.2-01(f)(4). ``Affiliate of the accounting firm'' is defined in 
PCAOB Rule 3501(a)(i) and, for purposes of the Note to paragraph 
.34a., ``accounting firm,'' which includes the firm's associated 
entities, is defined in 17 CFR 210.2-01(f)(2).
---------------------------------------------------------------------------

    Existing SECPS requirements require firms that audit more than 500 
SEC registrants to have an automated system to identify investment 
holdings of partners and managers that might impair independence.\217\ 
As proposed, the Board required an automated system for firms that 
issued audit reports with respect to more than 100 issuers during the 
prior calendar year. The Board understands that firms that audit more 
than 500 SEC registrants already have automated systems in place, based 
on the SECPS requirements to have an automated system 17 CFR 210.2-
01(d).\218\ Firms that issued audit reports for 100 or fewer issuers 
are required to consider whether the system needs to be automated, 
taking into account the quality risks and the nature and circumstances 
of the firm. For example, a firm with close to 100 issuers and a 
significant number of managers and partners may assess timely 
identification of personal investments that may impair independence as 
a quality risk, and a quality response to address that risk may include 
an automated system to help facilitate a more timely relationship-
checking process.
---------------------------------------------------------------------------

    \217\ See SECPS 1000.46 (requirement 4).
    \218\ 17 CFR 210.2-01(d) provides that a firm's independence is 
not impaired solely because a covered person in the firm is not 
independent of an audit client, provided the covered person did not 
know of the circumstances giving rise to the violation, the 
violation was corrected as promptly as possible, and the firm 
maintains a quality control system meeting specified standards. 17 
CFR 210.2-01(d)(4), describes, for firms that provide audit, review, 
or attest services to more than 500 SEC registrants, features 
necessary for the firm's QC system to meet the specified standards, 
including an automated system to identify investment holdings of 
partners and managers that might impair independence.
---------------------------------------------------------------------------

    One firm commented that the specified quality response to have an 
automated process for identifying direct or material indirect financial 
interests is appropriate, and another firm commented that it did not 
object to the requirement. However, a firm and a firm-related group 
recommended that the PCAOB consider if the existing SEC requirements 
are sufficient such that no additional PCAOB requirements are needed, 
and several firms commented that the costs of implementing the 
requirement would be significant and instead the threshold should be 
increased to 500 issuers to be consistent with the SEC requirements. 
Some of these firms suggested that the cost may be a potential barrier 
to entry for firms approaching the 100-issuer audit client threshold. 
One of these firms commented further that some firms that audit over 
100 issuers will consider decreasing the size of their practice due to 
the associated cost of the requirement. This firm suggested that the 
specified quality response be removed and instead, if necessary, 
implement a quality objective that firms could address through their 
risk assessment process. Several firms suggested that firms that audit 
more than 100 but no more than 500 issuers could consider implementing 
such a process, but it should not be required. One firm-related group 
suggested that the threshold for requiring an automated independence 
system be reduced further, given the number of repeated independence 
issues among all firms.
    One firm expressed concerns with both the proposed requirement in 
paragraph .34a.(1) and the suggestion in paragraph .34a.(2) to automate 
this process, suggesting that this would be cost prohibitive and firms 
should design processes that reflect their respective size, 
complexities and risks identified. Another firm commented that firms 
subject to the current SECPS requirements have likely invested 
significant capital and resources to implement and maintain tools that 
enable compliance with those requirements, and while the firm views 
that investment as worthwhile and believes the procedures have 
contributed to audit quality over the years, it expressed concerns for 
the cost of the requirement to firms that audit between 100 and 500 
issuers. Another firm commented that it has such an automated system in 
place, however it suggested that the implementation of such a system 
within the timeframe set out in the proposed standard may be 
challenging and costly. One firm commented that the determination of 
whether or not to implement an automated process for identifying and 
tracking direct and material indirect financial interests should be 
risk-based and not include a prescriptive requirement based on an 
arbitrary count of greater than 100 issuers. The firm specifically 
commented that the size, scope, nature, and complexity of firms' issuer 
practices can vary significantly among the annually inspected firms, 
noting for example that a large portion of its issuer client count 
consists of Form 11-K audits and smaller reporting companies. Another 
firm commented that while the size of the firm's client base is one 
factor to consider in determining an appropriate quality response, the 
nature and circumstances of the firm and the firm's clients are also

[[Page 49638]]

factors that should be taken into consideration, as well as the firm 
structure, industries served, and number of managers and partners.
    Some firms sought clarity as to whether an automated process would 
be required for other financial relationships, for example, employment 
relationships, business relationships, or non-audit services, and 
commented that the identification of certain financial relationships 
cannot be easily automated. Instead, the firms suggested limiting the 
requirement to automate the process for identifying investments in 
securities that might impair independence, to align with the SEC 
requirement. A number of firms and a firm-related group requested 
clarity on what ``automated'' means and what the Board's expectations 
are with regards to the nature, extent and scope of automation.
    After consideration of the comments, the Board adopted the 100-
issuer threshold as proposed. The Board believes it is important to 
maintain a consistent threshold for the incremental requirements in QC 
1000. As discussed in more detail above, the Board believes that the 
100-issuer threshold is appropriate, and while the nature of each 
firm's audit client list may vary, there still exist complexities 
inherent to firms with a large number of issuer audit clients that may 
give rise to quality risks that apply to the firm's independence, for 
which the automated system would be an appropriate quality response.
    The Board clarified in the final standard that the requirement for 
an automated process is limited to the process to identify investments 
in securities that might impair the independence of the firm or firm 
personnel, the same scope as required under 17 CFR 210.2-01(d). The 
Board has observed through its oversight activities that some firms 
have systems that automate the identification of their professionals' 
investment holdings through direct broker feeds, but a direct broker 
feed is not the only type of automated process that would meet the 
Board's requirement. As discussed in a December 9, 1999, letter from 
the SEC's Chief Accountant,\219\ firms need to develop a system that 
tracks audit engagements and financial investments held by 
professionals such that the conflict verification process is automated. 
Such a system may rely on firm professionals accurately self-reporting 
and entering their investments into the system in a timely manner. 
These holdings would automatically be compared to the list of 
restricted entities to identify any relationships with restricted 
entities. Based on the size of the firm and other characteristics, a 
firm may determine that a direct broker feed is an appropriate quality 
response (for example, if the firm's monitoring activities found high 
rates of non-compliance by firm personnel with the firm's policies and 
procedures for reporting financial investments), but a direct broker 
feed is not expressly mandated for firms subject to the requirement to 
implement an automated process. The Board also made a change to require 
that the process described in paragraph .34a.(1) must be automated to 
conform the degree of responsibility that the requirement imposes on 
the auditor to that required under paragraph .34.
---------------------------------------------------------------------------

    \219\ See Letter From the Chief Accountant: Issues Related to 
Independence/Quality Control to SEC Practice Section (II) (Dec.9, 
1999), available at https://www.sec.gov/info/accountants/staffletters/calt129a.htm.
---------------------------------------------------------------------------

    One firm suggested that a longer transition period be provided for 
firms that are not currently subject to a requirement to implement an 
automated system. The firm commented that if two firms merged and one 
or both of the firms had previously not been subject to the 
requirement, it is unlikely that a system of this nature could be 
implemented and tested for effectiveness in the time period provided. 
The Board believes that firms continuously monitor the size of their 
audit practice relative to the 100-issuer threshold, and if a firm is 
considering a transaction such as a merger that would increase its 
number of issuer audit clients significantly, then the firm could begin 
to implement such a system in advance of the end of the calendar year 
in which the firm first surpasses the 100-issuer threshold. Indeed, for 
a transaction such as a merger of audit firms, the Board believes that 
there could exist specific risks to independence as a result, which in 
itself may result in a firm developing an automated system as a quality 
response.
    Current SECPS requirements require timely (generally monthly) 
communication of additions to the Restricted Entity List.\220\ The 
proposal contemplated requiring that firms have policies and procedures 
for maintaining and making available the list of restricted entities to 
firm personnel and others performing work on behalf of the firm who are 
subject to independence requirements, and updating and communicating 
changes to the list of restricted entities at least monthly to such 
persons.
---------------------------------------------------------------------------

    \220\ See SECPS 1000.46 (requirement 5).
---------------------------------------------------------------------------

    Several firms and a firm-related group suggested the specified 
quality response be replaced with a quality objective regarding updates 
to and awareness of changes in the restricted entity list. Two of these 
firms suggested that the requirement be amended to limit communications 
to additions to the restricted entity list. Another firm suggested 
communications be limited to firm personnel subject to independence 
requirements and the requirements should allow for flexibility in the 
nature, timing, and extent of communications. QC 1000 does not enlarge 
the population of individuals who are subject to ethics and 
independence requirements. References in the standard to 
``requirements'' and ``obligations'' are to existing requirements and 
obligations which themselves specify to whom they apply. In addition, 
after consideration of the comments received, the Board amended the 
standard to limit the required communications to additions to the list 
of restricted entities, rather than all changes.
    Some firms did not support this communication to ``others 
performing work on behalf of the firm,'' and suggested that 
communications should be limited to potential covered persons affected 
by the additions. Two of these firms commented that these individuals 
would likely not be considered covered persons for engagements other 
than the engagement they are working on, and suggested that the Board 
allow firms to take a risk-based approach when determining the scope 
and frequency of the communications. Another firm suggested that QC 
1000 does not need to specifically address certain communications to 
other participants where this is required by another standard, 
specifically AS 2101 (as in effect for audits of fiscal years ending on 
or after December 15, 2024) paragraph .06D, which includes a ``written 
description of all relationships between the other auditor and the 
audit client of persons in financial oversight roles at the audit 
client that may reasonably be thought to bear on independence. Another 
firm commented that the goal of alerting others performing work on 
behalf of the firm to specific engagement independence requirements 
could be achieved through engagement-specific independence 
certifications.
    After consideration of the comments received, the Board amended the 
standard to require at least monthly communication of additions to the 
list of restricted entities to firm personnel and others performing 
work on behalf of the firm whose relationships and arrangements with 
such additional restricted entities may reasonably be thought to bear 
on the independence of

[[Page 49639]]

the firm. The Board believes that it is appropriate to limit 
communications of additions to the list of restricted entities to firm 
personnel and others performing work on behalf of the firm to those 
additions that could reasonably be thought to bear on the independence 
of the firm. For example, additions to the affiliate list for an issuer 
would be relevant for an individual who is performing work on behalf of 
the firm on that issuer, or a partner who is located in the same office 
of the firm in which the lead audit engagement partner primarily 
practices in connection with the audit. This communication should be 
made as frequently as necessary, and on an at least monthly basis, 
through the period that the individual is subject to the independence 
requirements.
    Several firms and a firm-related group commented that the 
requirement to communicate the restricted entity list would not be more 
effective than the automated systems already in place at larger firms. 
Two firms also commented that smaller firms with infrequent changes to 
the restricted entity list may not need to communicate changes monthly. 
One of these firms suggested that many firms already have policies 
where individuals are required to review the restricted entities list 
prior to purchasing stock/during proposal/acceptance procedures to 
determine whether an independence conflict would exist, and that many 
firms also make those restricted lists readily available to employees 
as part of their current QC systems. The Board believes, and has 
observed through its oversight activities, that such automated systems 
may not fully mitigate quality risks associated with the timely 
reporting of financial relationships by firm personnel, for example, if 
the automated system is not equipped to identify certain financial 
relationships, or if the firm is reliant on its professionals making 
timely reporting of these relationships into the firm systems. The 
Board believes that requiring the communication of additions to the 
list of restricted entities to firm personnel whose relationships and 
arrangements with such additional restricted entities may reasonably be 
thought to bear on the independence of the firm on an at least monthly 
basis may prompt firm personnel to report a previously unreported 
relationship. If there are no additions, there is no required 
communication.
    One firm commented that it is unclear whether communication is 
intended to mean a distributed communication (e.g., email of the 
updated list) or communication can be made available (e.g., a website 
that hosts such list and is readily available to access). Some firms 
may decide to communicate updates to the list of restricted entities on 
a more frequent basis, as changes are being made, or in more targeted 
ways (such as to particular offices or engagement teams). The standard 
does not prescribe the method of communication. Through the Board's 
oversight activities, it have observed that some firms comply with 
existing SECPS requirements by communicating additions to the list of 
restricted entities to all firm personnel weekly via email. These firms 
could continue that practice to comply with the standard. However, 
other methods that result in an effective communication may also be 
acceptable; for example, a firm might communicate that there have been 
additions to the list of restricted entities via email, and include 
within the email a link to an accessible website-hosted list of 
additions.\221\ While the standard requires communications of additions 
to those individuals whose relationships and arrangements with such 
additional restricted entities may reasonably be thought to bear on the 
independence of the firm, the firm may choose to extend the 
communications of additions more broadly. In addition, if the firm 
communicates additions to less than all firm personnel, then the firm 
must have correctly identified the group of people whose relationships 
and arrangements with such additional restricted entities may 
reasonably be thought to bear on the independence of the firm.
---------------------------------------------------------------------------

    \221\ Firms are required to communicate additions to the list of 
restricted entities. For periods where there were no changes, no 
such communication would be required.
---------------------------------------------------------------------------

    The standard does not prescribe a specific process for maintaining 
and making available the list of restricted entities to firm personnel 
and other individuals. Firms are able to determine the specific methods 
and tools needed to keep the list of restricted entities up to date and 
to ensure that any additions are communicated on a timely basis to firm 
personnel and other individuals. This determination is based on factors 
such as the size of the firm, the number of audit clients, and the 
complexity of those clients (e.g., the number of audit client 
affiliates). For example, a smaller firm with a small group of 
professionals, a stable portfolio of audit clients, and a manual 
process for maintaining the list of restricted entities may decide to 
communicate changes monthly. For a larger firm with many audit clients 
and firm affiliates, an automated tool could help facilitate more 
frequent updates to the list of restricted entities. The firm is 
required to notify relevant professionals of additions to the list at 
least monthly.
    The Board recognizes that some firms are members of networks that 
may develop systems, processes, and controls to monitor network firms' 
compliance with independence requirements, including maintaining a 
database of restricted entities. As described above, the standard does 
not prescribe a specific process for maintaining a database of 
restricted entities, so this process could potentially be performed by 
a network or outsourced to a third party. At the same time, the 
standard requires each firm to establish its own quality objective, 
which places responsibility on the firm with respect to resources or 
services provided by the network or a third-party provider.\222\
---------------------------------------------------------------------------

    \222\ See below for a discussion of the firm's responsibilities 
when it uses resources or services provided by a network or third-
party provider.
---------------------------------------------------------------------------

    The Board incorporated into QC 1000 the existing SECPS requirements 
for firm personnel \223\ to review the list of restricted entities 
prior to obtaining any security or other financial interest in an 
entity, but with the following refinements:
---------------------------------------------------------------------------

    \223\ SECPS requirements use the term ``professionals,'' which 
means professional staff, including partners. See SECPS 1000.46 
(requirement 1.a).
---------------------------------------------------------------------------

     Require firm personnel to review the list of restricted 
entities, not only before they or their relevant family members \224\ 
obtain a direct or material indirect financial interest in an entity or 
enter into a direct or material indirect relationship with an 
entity,\225\ but also after additions to the list of restricted 
entities are communicated by the firm, upon firm personnel's employment 
at the firm, prior to changes in position (e.g., going into a chain of 
command or other covered person role \226\), and prior to entering into 
or modifying any business or employment relationships.
---------------------------------------------------------------------------

    \224\ Context determines which family members would be relevant. 
See, e.g., 17 CFR 210.2-01(f)(9) (defining ``close family 
members''); 17 CFR 210.2-01(f)(13) (defining ``immediate family 
members''); see generally 17 CFR 210.2-01(c) (referring to ``close 
family member'' or ``immediate family member'' depending on the 
context).
    \225\ The Board is using the terms direct and material indirect 
in the same sense as 17 CFR 210.2-01(c).
    \226\ ``Covered persons in the firm'' is defined in 17 CFR 
210.2-01(f)(11).
---------------------------------------------------------------------------

     Require the firm and firm personnel to take required 
actions on a timely basis if the review of the list of restricted 
entities indicates that action is required under applicable 
professional and legal requirements or the firm's policies and 
procedures.
    Under this approach, the firm's policies and procedures will 
require

[[Page 49640]]

that the list of restricted entities be reviewed before the firm enters 
into any relationship, engagement to perform non-audit services, or fee 
arrangement that might affect compliance with independence 
requirements. This requirement serves the same purpose as review of the 
list of restricted entities by the firm personnel and helps the firm to 
identify relationships that may result in noncompliance with applicable 
professional or legal requirements.
    One firm commented that, rather than requiring that the list of 
restricted entities be reviewed before the firm enters into any 
relationships, engagements to perform non-audit services, or fee 
arrangements that might affect compliance with independence 
requirements, firms should be permitted to develop quality responses to 
identify prohibited relationships and fee arrangements that 
appropriately respond to quality risks, based on the firm's facts and 
circumstances. The firm also suggested that the requirement for firm 
personnel to review the list of restricted entities after changes to 
the list are made should be deleted since firm personnel would already 
be notified of changes based on paragraph .34b. The Board believes 
these specified quality responses are appropriate and should be 
addressed by all firms, regardless of the specific facts and 
circumstances of the firm. In addition, the Board views the 
requirements of paragraph .34b for the firm to maintain and make 
available the list of restricted entities, and paragraph .34d for firm 
personnel to review the list of restricted entities, as separate.
(2) Independence and Ethics Certifications (QC 1000.34.e)
    Certifications are intended to drive greater accountability for 
firm personnel's compliance with independence requirements and to deter 
independence violations. The certification requirement is similar to an 
existing SECPS requirement, which requires each professional to certify 
near the time of initial employment and at least annually thereafter 
that he or she (1) has read the member firm's independence policies, 
(2) understands their applicability to his or her activities and those 
of his or her spouse and dependents, and (3) has complied with the 
requirements of the member firm's independence policies since the prior 
certification.\227\
---------------------------------------------------------------------------

    \227\ See SECPS 1000.46 (requirement 7.b).
---------------------------------------------------------------------------

    The proposal contemplated obtaining certifications from firm 
personnel regarding familiarity and compliance with SEC and PCAOB 
independence requirements and the firm's independence policies and 
procedures (1) upon employment, (2) at least annually thereafter, and 
(3) upon any change in personal circumstances, such as firm role, 
geographic location, or marital status, that is relevant to 
independence.
    Several commenters, including firms, did not support the 
requirement to obtain additional certifications upon changes in 
personal circumstances, and three firms raised practical concerns when 
the changes involved marital status. One firm suggested that the 
standard should emphasize that a firm's independence certification 
process should consider timeliness in addressing the quality objective, 
and instead encourage firms to consider the appropriateness of 
obtaining periodic certifications throughout the year. One firm 
commented that a firm should have flexibility to determine its own 
policies and procedures for certifications beyond requiring them at 
employment and annually thereafter; the firm suggested that, for 
example, quarterly certification accompanied by training on the impact 
of life events may be more effective and practicable than event-driven 
review and certification. Another firm recommended that firms be 
allowed to develop their own quality responses based on their own 
unique quality risks when personal circumstances change rather than 
requiring certification upon changes in personal circumstances as a 
quality response. Another firm suggested that this requirement should 
instead be managed through proper education and awareness of relevant 
independence requirements. Another firm suggested that these items 
would be better suited as examples of considerations included in 
implementation guidance. One firm suggested that the certification 
requirements should be applicable for firms with over 500 issuers that 
already have an automated independence system. The firm further 
commented that the requirement is onerous in terms of being able to 
identify the data on a timely basis and suggested a semi-annual 
representation period instead of circumstance-driven.
    In addition, the proposing release sought feedback on whether the 
standard should require annual written certification regarding 
familiarity and compliance with ethics requirements and the firm's 
ethics policies and procedures, in addition to those regarding 
independence. The proposing release further asked whether firms should 
be required or encouraged to adopt firm-wide codes of ethics or similar 
protocols. One firm did not support a specific quality response that 
includes a certification process for ethics requirements and 
procedures. The firm suggested that firms should be permitted to adopt 
a quality response that addresses the risks within their own practice, 
and that a certification requirement that applies to all firm practice 
staff could turn into a ``check-the-box'' compliance exercise that 
would not benefit audit quality. One firm commented that such 
requirements would already be addressed by the requirement for 
mandatory training in paragraph .36. Other commenters, including firms, 
investors, and investor-related organizations, supported the 
requirement to obtain a written annual certification regarding 
familiarity and compliance with ethics requirements and the firm's 
ethics policies and procedures. One of these investors commented that 
the main argument against such certifications is that it imposes a cost 
and that it becomes a ``tick-the-box exercise,'' but in the investor's 
view the cost is de minimis given other annual declarations needed by 
firm personnel, and firm leadership can send an appropriate signal by 
embracing the ethics code to stop such annual declarations becoming a 
perfunctory exercise. One firm and an investor-related organization 
supported a requirement that firms should adopt firm-wide codes of 
ethics.
    After consideration of the comments received, the Board made two 
changes to the final standard. First, the Board removed from the 
standard the requirement to obtain a certification from firm personnel 
regarding familiarity and compliance with SEC and PCAOB independence 
requirements and the firm's independence policies and procedures upon 
any change in personal circumstances, and replaced this with the 
requirement that such a certification must be obtained for any change 
in professional circumstances that is relevant to independence. Rather 
than include examples of such changes in the text of the standard, the 
Board provided in this release some examples of changed professional 
circumstances that may be relevant to the independence of the firm's 
personnel under applicable independence rules. These examples include 
changes within the firm such as promotions, moving offices, or changing 
practice groups (e.g., changes to covered person status). Although, in 
connection with this change, the Board removed a certification 
requirement with regard to changes in personal circumstances, such 
changes can have independence implications under SEC and PCAOB

[[Page 49641]]

independence requirements, and a firm's QC system must provide 
reasonable assurance of compliance with those requirements. Secondly, 
the Board added a requirement for certification by firm personnel 
regarding familiarity and compliance with the applicable ethics 
requirements and the firm's ethics policies and procedures as the Board 
believes such certification will enhance individual accountability and, 
ultimately, compliance. The Board not added a requirement for firms to 
adopt a firm-wide code of ethics or similar protocol, because it 
believes that firms should have flexibility to determine whether this 
would assist them in meeting the relevant quality objectives.
    The standard does not prescribe a checklist of specific content for 
the certifications, focusing instead on general concepts of familiarity 
and compliance. It is possible that the form of certification called 
for by the existing SECPS requirement would satisfy the standard. In 
addition, the standard expands on the existing SECPS requirement by 
requiring firms to obtain certifications every time firm personnel have 
a change in professional circumstances that is relevant to 
independence, such as a change in role or geographic location. Changes 
within the firm such as promotions, moving offices, or changing 
practice groups may have consequences under independence rules (e.g., 
changes to covered person status) and result in noncompliance. The 
Board continues to believe that a specified quality response requiring 
specific event-driven independence and ethics certifications 
appropriately considers timeliness in addressing the quality objective 
and applies to quality risks that exist in all firms.
(3) Matters Requiring Audit Committee Pre-Approval (QC 1000.34.f)
    The proposed requirement did not draw comment and was adopted as 
proposed. QC 1000 contains a new requirement regarding firm policies 
and procedures for identifying matters that require pre-approval by the 
audit committee and obtaining such approval. The primary responsibility 
for identifying matters that require audit committee pre-approval and 
obtaining such pre-approval resides at the engagement level. The firm's 
policies and procedures, however, provide tools and guidance that 
enable engagement teams to properly identify the relevant matters and 
obtain necessary pre-approvals on a timely basis. Through the Board's 
oversight activities, it has observed numerous instances where firms 
did not have an effective mechanism in place for monitoring whether 
matters that require audit committee pre-approval were properly 
disclosed to audit committees. The new requirement should lead to more 
consistent compliance.
iii. Communication of Changes to Ethics and Independence Policies and 
Procedures (QC 1000.35)
    The proposed requirement did not draw comment and was adopted as 
proposed. The final standard incorporates existing SECPS requirements 
regarding the dissemination of the firm's independence policies and 
procedures and expands the requirements to cover ethics policies and 
procedures.
    When deciding how to make ethics and independence policies and 
procedures available, firms would consider how to make firm personnel 
and others performing work on behalf of the firm aware of where and how 
to find these policies and procedures in a way that supports those 
individuals' ongoing compliance with certification and other 
requirements. The standard requires the firm to communicate any 
substantive changes to its ethics and independence policies and 
procedures on a timely basis.
iv. QC Policies and Procedures About Mandatory Ethics and Independence 
Training (QC 1000.36)
    The proposed requirement did not draw comment and was adopted as 
proposed.
    The standard includes a requirement for mandatory periodic training 
on ethics and independence, which expands on the existing SECPS 
requirements that cover training on independence. The mandatory 
training requirement promotes awareness and understanding of the ethics 
and independence requirements, which should lead to better compliance 
with such requirements. Under existing SECPS requirements, firms are 
required to establish a training program for professionals to complete 
near the time of initial employment and periodically thereafter.\228\
---------------------------------------------------------------------------

    \228\ See SECPS 1000.46 (requirement 3).
---------------------------------------------------------------------------

    The specific content and extent and timing of the training will be 
determined by the firm, but the program is required to cover both the 
relevant professional and legal requirements (for example, regarding 
financial interests, business relationships, employment relationships, 
proscribed services, and fee arrangements) and the firm's related 
policies and procedures.
    By not specifying the content for such mandatory training, the 
standard allows firms the ability to develop training programs based on 
their circumstances. For example, a firm may develop its training to 
place a greater emphasis on areas with recurring ethics and 
independence findings across the firm, or it may target specific ethics 
and independence findings in different regions. Similarly, the standard 
does not specify how the firm would provide such training. A firm may 
develop and deliver its own training, contract with others to provide 
training, or provide access to third-party training.
    Under the standard, the firm is required to provide such training 
at least annually, or more often as needed.
2. Current PCAOB Standards
    QC 20 provides that policies and procedures should be established 
to provide the firm with reasonable assurance that personnel maintain 
independence (in fact and in appearance) in all required circumstances, 
perform all professional responsibilities with integrity, and maintain 
objectivity in discharging professional responsibilities.\229\ The 
SECPS member requirements regarding independence quality controls apply 
only to certain firms. The requirements for ethics and independence 
discussed above are more detailed than the existing requirements in QC 
20 and Appendix L of the SECPS and would apply to all firms.
---------------------------------------------------------------------------

    \229\ See QC 20.09.
---------------------------------------------------------------------------

Acceptance and Continuance of Engagements

    This component addresses the firm's processes when considering 
whether to accept or continue an engagement.
1. QC 1000
a. Acceptance and Continuance of Engagements Quality Objectives (QC 
1000.38)
    The proposal described the quality objectives related to acceptance 
and continuance of engagements. Several commenters, including firms, 
were generally supportive of the proposed quality objectives.
    A commenter on the AS 1000 rulemaking objected to the use of the 
term ``client'' in that standard to refer to the company and its 
management. The commenter suggested ``company under audit'' instead. 
The Board agrees with the commenter that the terminology used in the 
PCAOB standards should help to remind auditors that they work for the 
benefit of investors, not the management of the company.

[[Page 49642]]

Accordingly, the Board generally replaced references to the ``client'' 
with references to the ``company'' or eliminated them altogether (for 
example, this component, called ``Acceptance and Continuance of Client 
Relationships and Specific Engagements'' in proposed QC 1000, is 
``Acceptance and Continuance of Engagements'' in the final standard). 
The Board, however, retained references to the ``client'' where that 
aligns with other rules, such as in the area of independence.
    The quality objectives in this component were adopted substantially 
in the form proposed, with the exception of the change throughout to 
focus on the engagement instead of the client relationship and the 
other clarifications discussed below.
    Acceptance and continuance of engagements is an aspect of a firm's 
compliance and risk management process. Each firm, depending on its 
nature and circumstances, may approach acceptance and continuance of 
engagements differently. The acceptance and continuance of engagements 
process assists the firm in mitigating reputational, business, and 
litigation risk. The quality objectives stress the importance of 
focusing the acceptance and continuance of engagements process on the 
firm's ability to perform an engagement in accordance with applicable 
professional and legal requirements.
i. Timing (QC 1000.38.a(1))
    The proposed standard required the firm's judgment about whether to 
accept or continue an engagement to be made as part of or before 
performing preliminary engagement activities. Preliminary engagement 
activities, which are activities the auditor should perform at the 
beginning of the audit, are described in AS 2101.06.
    One commenter stated that the proposed requirement implied that the 
judgment was only made during preliminary activities and not throughout 
the engagement. The Board clarified the quality objective in paragraph 
.38a(1) to specify that the initial judgment is to be made as part of 
or before preliminary engagement activities. QC 1000.40, discussed 
below, addresses the firm's obligation to continue to address 
situations that could have caused it to decline the engagement had the 
information been known prior to acceptance and continuance.
ii. Independence and Permissibility of Services (QC 1000.38.a(2)(a) and 
(b))
    This proposed quality objective did not draw significant comment 
and was adopted as proposed.
    The firm's ability to perform the engagement includes considering 
whether the firm is independent and whether the services are 
permissible. These are threshold considerations for acceptance and 
continuance, because in general, under PCAOB standards the firm is not 
allowed to accept an engagement unless it is independent of the company 
for which the engagement will be performed and the services are 
permissible under applicable professional and legal requirements 
(including obtaining audit committee pre-approval where that is 
required).
    The firm's policies for acceptance and continuance in the areas of 
independence, permissibility of services, and pre-approval relate to 
and to some extent overlap with the ethics and independence component. 
The requirements in the ethics and independence component more 
generally address the ongoing evaluation of compliance with applicable 
professional and legal requirements relating to the independence of the 
firm, firm personnel, and others subject to such requirements.
iii. Access to Company Information and Company Personnel (QC 
1000.38.a.(2)(c))
    This proposed quality objective did not draw significant comment 
and was adopted substantially as proposed.
    The firm's ability to perform an engagement in accordance with 
applicable professional and legal requirements depends on the firm's 
ability to obtain information from the company and gain access to 
individuals at the company who can respond to the firm's inquiries. 
Restricted or limited access to company information or personnel--for 
example, due to language differences, physical location, or local law 
restrictions--could impair the firm's ability to perform the engagement 
in accordance with applicable professional and legal requirements.
iv. Resources (QC 1000.38.a(2)(d))
    Another aspect of the firm's ability to complete the engagement in 
accordance with applicable professional and legal requirements is the 
resources available to the firm. The Board believes it is important for 
a firm to have the right resources available so that the engagement can 
be performed in accordance with applicable professional and legal 
requirements. This includes the availability of resources like the 
following, either internal or external to the firm:
     Firm personnel or other participants with competence to 
perform procedures (e.g., industry experience or experience with new or 
specialized accounting pronouncements that apply to the company) and 
sufficient availability to meet audit timing requirements;
     Engagement partners;
     Specialists;
     EQRs;
     Technology to be used in the performance of the 
engagement, such as technology for testing the implementation and 
effectiveness of automated processes; and
     Intellectual resources needed in the performance of the 
engagement (e.g., industry-specific audit programs).
    One commenter suggested that consideration should be given to the 
availability of industry-specific resources at the partner and manager 
level and the Board agrees that industry-specific resources are 
important in certain audits. However, the Board believes that issue is 
adequately addressed by the general reference to ``resources to perform 
the engagement,'' which includes industry-specific resources where 
those would be needed. The Board adopted this quality objective as 
proposed.
v. Other Relevant Factors (QC 1000.38.a(2)(e))
    This proposed quality objective did not draw comment and was 
adopted as proposed.
    The firm's ability to perform engagements in accordance with 
applicable professional and legal requirements may also be affected by 
other factors associated with providing professional services in the 
particular circumstances. Accordingly, the standard, by directing firms 
to consider such other relevant factors, retains the breadth and 
inclusiveness of QC 20.15b, which requires the firm to establish 
policies and procedures to provide reasonable assurance that the firm 
appropriately considers the risks associated with providing 
professional services in the particular circumstances.
v. Information About the Nature and Circumstances of the Engagement, 
Including the Integrity and Ethical Values of the Company (QC 
1000.38.a(3))
    In order for the firm to make appropriate judgments about whether 
to accept or continue an engagement, the

[[Page 49643]]

firm needs to obtain sufficient information about the nature and 
circumstances of the engagement (e.g., the nature of the company and 
the environment in which it operates) and the integrity and ethical 
values of the company, including its management and audit 
committee.\230\ This information is relevant because it can help 
identify potential risks to performing the engagement that may result 
in the firm not being able to perform the engagement in accordance with 
applicable professional and legal requirements. The nature and 
circumstances of the engagement may, for example, reveal the need for 
specialized expertise that the firm does not have. A lack of management 
integrity may affect the reliability of the company's accounting 
records. Designing and implementing policies and procedures that direct 
and standardize the collection and evaluation of such information could 
help the firm in consistently making appropriate judgments about 
whether to accept or continue an engagement. Additionally, information 
obtained during the firm's acceptance and continuance process about the 
nature and circumstances of the engagement and the integrity of 
management and the audit committee would in many cases be relevant when 
planning and performing the engagement.\231\
---------------------------------------------------------------------------

    \230\ For a prospective engagement, this includes evaluating 
information obtained from a predecessor firm. See generally, e.g., 
AS 2610, Initial Audits--Communications Between Predecessor and 
Successor Auditors.
    \231\ See, e.g., AS 2110.41-.45.
---------------------------------------------------------------------------

    One commenter requested clarification of whose integrity and 
ethical values are relevant to the consideration of ``the integrity and 
ethical values of the company (including management and the audit 
committee)''--for example, whether consideration could be limited to 
the audit committee chair. Since members of management and the audit 
committee all have influence over the company's financial reporting, 
the Board believes their integrity and ethical values are important to 
the judgment of accepting or continuing an engagement. Therefore, 
consistent with the proposal, the final standard does not include such 
a limitation.
    The quality objective in QC 1000.38.b retains the concept in QC 
20.16 of having policies and procedures regarding obtaining an 
understanding with the company about the engagement and aligns with 
similar requirements under PCAOB auditing and attestation 
standards.\232\ Achieving this objective should minimize the risk of 
misunderstandings regarding the nature and scope of the engagement and 
any limitations associated with it.
---------------------------------------------------------------------------

    \232\ See paragraph .05 of AS 1301, Communications with Audit 
Committees, and paragraph .46 of AT Section 101, Attest Engagements.
---------------------------------------------------------------------------

c. Acceptance and Continuance of Engagements Specified Quality Response 
(QC 1000.39-.40)
    The proposal included a specified quality response regarding 
policies and procedures to address situations where the firm learns of 
information that would have caused it to decline a previously accepted 
engagement. Two commenters were generally supportive of the proposed 
specified quality response.
    Under this specified quality response, the firm's policies and 
procedures are required to address situations in which the firm becomes 
aware of relevant contrary information after the firm's decision to 
accept or continue an engagement. This contrary information may have 
existed at the time of the decision to accept or continue an engagement 
but not been known by the firm at the time, or it may have emerged 
subsequent to that decision. Depending on the circumstances, 
appropriate responses may include such actions as:
     Consulting with legal counsel or others within the firm to 
determine if the firm is able to continue the engagement;
     Discussing the information with management and the audit 
committee to determine if the firm is able to continue the engagement;
     Including this information in the auditor's risk 
assessment procedures so that any additional risks are responded to 
during the audit; and
     Withdrawing from the engagement and notifying appropriate 
regulatory authorities as required under applicable professional and 
legal requirements.
    One commenter suggested that specific circumstances should require 
an immediate reconsideration of client continuance, such as illegal 
acts, fraud, or material omissions of fact. Existing auditing 
standards, such as AS 1301, include requirements related to evaluating 
the continuation of the client relationship. The QC system would 
address compliance with these requirements.
    Under the proposal, a firm would be deemed to have become ``aware'' 
of information if any partner, shareholder, member, or other principal 
of the firm was aware of such information, the same standard that 
applies with respect to the reporting of specified events on Form 3. 
One commenter stated that the concept of when a firm becomes ``aware'' 
should take into account the size and scale of the firm, and the nature 
of the matters related to the QC system, suggesting that alignment with 
the requirements of Form 3 may be inappropriate because of Form 3's 
relatively limited scope compared to the matters addressed by QC 1000. 
The Board continues to believe that it would be inappropriate to 
differentiate among firm principals in this regard; all firm principals 
should be responsible for promptly communicating and acting upon 
relevant information. Accordingly, the class of persons whose awareness 
is attributed to the firm was not been narrowed.
    Another commenter recommended clarifying the timing of when a firm 
becomes ``aware'' of information subsequent to accepting or continuing 
a client relationship. Footnote 26 of the final standard reflects the 
suggested clarification that the firm is deemed ``aware'' of 
information when any partner, shareholder, member, or other principal 
of the firm ``first becomes aware'' of such information.\233\
---------------------------------------------------------------------------

    \233\ This approach aligns with the instructions to Form 3, 
under which a firm is deemed aware of reportable facts on the first 
day that any partner, shareholder, principal, owner, or member of 
the firm first becomes aware of the facts. See Form 3, Note to 
Instructions to Part II.
---------------------------------------------------------------------------

2. Current PCAOB Standards
    The quality objectives of QC 1000 paragraph .38 do not 
fundamentally change a firm's existing responsibilities regarding 
acceptance and continuance decisions under QC 20.\234\ The quality 
objectives expand on the requirements in QC 20 with regard to 
considering the necessary information and making appropriate judgments 
about the associated risks and the firm's ability to mitigate those 
risks and perform an engagement in accordance with applicable 
professional and legal requirements.
---------------------------------------------------------------------------

    \234\ See QC 20.14-.16.
---------------------------------------------------------------------------

Engagement Performance

    This component addresses the firm's processes relating to the 
performance of the firm's engagements in accordance with applicable 
professional and legal requirements. Engagement performance encompasses 
the activities of firm personnel and other participants in all phases 
of the design and execution of the engagement--planning, performing, 
supervising, and documenting the engagement; conducting an engagement 
quality review; and making

[[Page 49644]]

communications regarding the engagement.\235\ In order for the firm to 
consistently deliver compliant engagements, including when performing 
work on other firms' engagements, firm personnel and other participants 
need to understand and fulfill their responsibilities in accordance 
with applicable professional and legal requirements.
---------------------------------------------------------------------------

    \235\ See QC 20.18.
---------------------------------------------------------------------------

1. QC 1000
    The proposal described the quality objectives for the engagement 
performance component and asked if there should be any specified 
quality responses for this component. Firms that commented were 
generally supportive of the proposed quality objectives. Two commenters 
wanted clarity on why some concepts in auditing standards were or were 
not included in QC 1000. One of these commenters, an investor-related 
group, suggested the standard address certain areas like fraud 
protection, crypto assets, climate change, and critical audit matters. 
The Board believes these areas are engagement-level specific, whereas 
QC 1000 focuses on the firm-level controls over engagement 
responsibilities. Commenters, including firms and related groups, were 
also supportive of not providing specified quality responses in this 
component. The Board adopted these provisions substantially as 
proposed.
    Under QC 1000, a firm is required to establish quality objectives 
for the engagement performance component in the following areas:
     Engagement responsibilities;
     Consultations and differences in professional judgment; 
and
     Engagement documentation.
a. Engagement Responsibilities (QC 1000.42.a)
    This proposed quality objective did not draw comment and was 
adopted as proposed.
    The standard uses the term ``engagement partner'' with its existing 
meaning under PCAOB audit and attestation standards: the member of the 
engagement team \236\ with primary responsibility for the audit, 
examination, or review, as the case may be.\237\ The definition of 
``engagement'' under QC 1000, under which substantial role work is 
defined as an engagement, does not change the meaning of engagement 
partner or affect the responsibilities of individuals involved in 
substantial role engagements. No comments were received on the use of 
this term.
---------------------------------------------------------------------------

    \236\ The term ``engagement team'' is used as defined in the 
amendments to AS 2101, Audit Planning, adopted in PCAOB Rel. No. 
2022-002, which takes effect for audits of financial statements for 
fiscal years ending on or after Dec. 15, 2024.
    \237\ See AS 1201.A2; AT No. 1 at paragraph .07 note; AT No. 2 
at paragraph .06 note. AT 101 uses the term ``practitioner with 
final responsibility for the engagement,'' which the Board construes 
as having the same meaning.
---------------------------------------------------------------------------

i. Responsibilities of the Engagement Partner (QC 1000.42.a(1))
    The engagement partner is responsible for the engagement and its 
performance, including managing and achieving consistent compliance 
with applicable professional and legal requirements on the engagement. 
This quality objective focuses firms on partner involvement throughout 
the engagement, including appropriately supervising firm personnel and 
other participants.\238\
---------------------------------------------------------------------------

    \238\ See generally, e.g., AS 1201.
---------------------------------------------------------------------------

ii. Due Professional Care (QC 1000.42.a(2)(a))
    Due professional care means acting with reasonable care and 
diligence, exercising professional skepticism, acting with integrity, 
and complying with applicable professional and legal requirements.\239\ 
In the context of engagement performance, professional skepticism is an 
attitude that includes a questioning mind and critical assessment of 
audit evidence and other information that is obtained to comply with 
PCAOB standards and rules. Exercising professional skepticism improves 
the quality of judgments made while performing the engagement and is 
key to performing an engagement in good faith and with integrity. PCAOB 
oversight activities have suggested that the lack of professional 
skepticism contributes to some of the QC deficiencies identified during 
PCAOB inspections.\240\ As an example, a firm's policies and procedures 
did not provide reasonable assurance that engagement partners 
supervised engagements with due professional care, which contributed to 
the failure to identify deficiencies in those engagements.
---------------------------------------------------------------------------

    \239\ The general principles and responsibilities of the auditor 
when conducting an audit, including professional skepticism and due 
professional care, are being reaffirmed and combined in AS 1000, as 
adopted. See Auditor Responsibilities Release.
    \240\ See, e.g., 2022 Broker-Dealer Inspection Report, at 31.
---------------------------------------------------------------------------

    The quality objective related to due professional care, including 
professional skepticism, enables appropriate conclusions to be reached 
that are supported by sufficient appropriate evidence.\241\
---------------------------------------------------------------------------

    \241\ See Roles and Responsibilities above.
---------------------------------------------------------------------------

iii. Supervision (QC 1000.42.a.(2)(b))
    Proper supervision aims to ensure that work is performed as 
directed and supports the conclusions reached.\242\ The quality 
objective emphasizes the importance of firm personnel and other 
participants being supervised properly, consistent with AS 1201 and AT 
No. 1.
---------------------------------------------------------------------------

    \242\ See AS 1201.02.
---------------------------------------------------------------------------

iv. Reporting and Other Communications (QC 1000.42.a(3))
    PCAOB standards and rules impose a number of requirements relating 
to reporting and communicating the results of the engagement.\243\ The 
engagement report and communications to the audit committee are 
typically prepared at the engagement level and may include information 
provided by the firm. For example, the firm may provide information 
related to independence to be communicated in accordance with PCAOB 
Rule 3524 or PCAOB Rule 3526. This quality objective emphasizes the 
importance of auditor reporting and communication in accordance with 
applicable requirements.
---------------------------------------------------------------------------

    \243\ See generally, e.g., AS 3101, The Auditor's Report on an 
Audit of Financial Statements When the Auditor Expresses an 
Unqualified Opinion; AS 2201.85-.89; AS 1301; paragraphs .34-.38 of 
AT No. 1; and AT 101.63-.90.
---------------------------------------------------------------------------

b. Consultations and Differences in Professional Judgment (QC 
1000.42.b-.c)
    Consultations are an important aspect of engagement performance, as 
they provide a mechanism to discuss and resolve complex, unusual, or 
unfamiliar matters with individuals who have the requisite knowledge, 
skill, and ability. Under current PCAOB standards, QC 20.19 highlights 
the significance of consultations, requiring appropriate policies and 
procedures. The quality objective should drive firms to continue to 
focus on the importance of consultation and resolution before the 
issuance of an engagement report.
    The quality objective in the proposed standard provided that 
consultations on complex, unusual, or unfamiliar accounting and 
auditing matters are undertaken with qualified individuals from within 
or outside the firm.
    One commenter suggested that the standard require firms to adopt 
policies that identify situations when national office consultation is 
required. The Board does not believe it is appropriate to include such 
prescriptiveness in the standard, as not all firms have national 
offices. Additionally, the quality objective provides that the firm 
will identify the risks specific to their

[[Page 49645]]

engagements and determine whether there are specific situations that 
always require consultation.
    Another commenter said that the reference to ``unfamiliar'' 
accounting and auditing matters was unclear and was concerned that it 
creates an unnecessary level of prescription that will be difficult to 
operationalize. The commenter also expressed concern that an unintended 
consequence could be that auditors may infer that consultations may 
compensate for lack of competence on the engagement team. The final 
standard retains the term, consistent with the use of ``unfamiliar'' in 
current QC 20.19. It is noted that inclusion of that term in paragraph 
.42 does not modify or limit auditor obligations to have the competence 
necessary to conduct the engagement established elsewhere in PCAOB 
standards.
    Differences in professional judgment may occur when there is a 
concern or disagreement regarding the application of applicable 
professional and legal requirements during the performance of the 
engagement. The quality objective underscores the importance of having 
and adhering to appropriate procedures for the resolution of 
differences in professional judgment during the performance of 
engagements such that the firm, firm personnel, and other participants 
comply with applicable professional and legal requirements.
    The proposed quality objective provided that differences in 
professional judgment related to the engagement are brought to the 
attention of the individual(s) with responsibility and authority for 
resolving such matters and are resolved before the issuance of an 
engagement report. One commenter suggested clarifying that if the 
engagement partner does not agree with the conclusions arising from the 
consultation (addressed above), that would be treated as a difference 
in professional judgment that would require compliance with the quality 
objective regarding differences of professional judgment. The final 
standard clarifies that point.
c. Engagement Documentation (QC 1000.42.d)
    This proposed quality objective did not draw significant comment 
and the Board adopted as proposed.
    AS 1215 contains the general requirements for the documentation the 
auditor should prepare and retain in connection with engagements. 17 
CFR 210.2-06 also addresses documentation retention requirements.\244\ 
The quality objective regarding engagement documentation in proposed QC 
1000 is meant to drive firms to focus on compliance with these 
requirements.
---------------------------------------------------------------------------

    \244\ 17 CFR 210.2-06.
---------------------------------------------------------------------------

2. Appendix K Requirements
    Existing PCAOB standards (referred to as Appendix K requirements) 
require SECPS member firms that are associated with international firms 
or networks to seek adoption of policies and procedures by their 
associated international firms or network regarding filing reviews, 
inspection procedures, and disagreements between the engagement partner 
and the reviewer.\245\ As noted in the proposal, the Board believes 
that the purposes originally intended to be served by Appendix K have 
either been eliminated (through the elimination of the U.S. GAAP 
reconciliation) or otherwise addressed (through requirements for 
engagement quality review). Accordingly, the Board proposed to not 
retain requirements like those in Appendix K.
---------------------------------------------------------------------------

    \245\ See SECPS 1000.08(n) (cross-referencing the objectives set 
forth in Appendix K, SECPS 1000.45). The types of SEC filings 
subject to review under Appendix K are registration statements, 
annual reports on Form 20-F and Form 10-K, and other filings that 
include or incorporate the foreign associated firm's audit report on 
the financial statements of an SEC registrant.
---------------------------------------------------------------------------

    The proposal asked whether the PCAOB should eliminate Appendix K 
and rely exclusively on a risk-based approach. Commenters had mixed 
views regarding the retention of Appendix K requirements. Some 
commenters supported the elimination of Appendix K requirements and 
reliance on a risk-based approach. Other commenters asserted that the 
Appendix K requirements are beneficial and should be retained or made 
even more prescriptive. The Board believes it unnecessary to retain the 
Appendix K requirements because under the risk-based approach, firms 
will have to assess and respond to quality risks including, if 
applicable, a relative lack of experience in performing engagements 
under U.S. professional and legal requirements.
    Some commenters expressed concern that in a risk-based approach, a 
person performing a limited review function similar to the current 
Appendix K reviewer would be considered part of the engagement team, 
while another commenter requested clarification that such a reviewer 
would not necessarily be a member of the engagement team. Under QC 
1000, the firm's assessment of quality risks will determine the nature 
and extent, if any, of additional resources or reviews that would need 
to be performed over engagements to ensure compliance with PCAOB and 
SEC requirements. In some circumstances, the response might involve 
adding one or more additional members to the engagement team. In other 
circumstances, the response might involve resources that would not 
constitute members of the engagement team because they perform a 
contemporaneous quality control function and do not perform audit 
procedures or help plan or supervise the audit work.\246\
---------------------------------------------------------------------------

    \246\ See PCAOB Rel. No. 2022-002 at A4-5.
---------------------------------------------------------------------------

    One commenter expressed concern that reviewers' firms would be 
considered ``other accounting firms'' and reviewers' hours would be 
included for purposes of Form AP filings. Specific to Form AP filing 
requirements, firms should review the Note to Item 3.2 of the Form AP 
Instructions regarding the reporting of other accounting firms.\247\
---------------------------------------------------------------------------

    \247\ See id. at A3-19.
---------------------------------------------------------------------------

3. Current PCAOB Standards
    Under current QC standards, engagement performance covers all 
phases of the design and execution of the engagement, and engagement 
quality reviews.\248\ QC 20 contains general requirements regarding 
engagement performance, including planning, performing, supervising, 
reviewing, documenting, and communicating the results of each 
engagement; referring to authoritative literature; and consulting with 
qualified individuals when appropriate. QC 20 provides that policies 
and procedures should be established to provide reasonable assurance 
that the engagement is performed in accordance with applicable 
professional standards. QC 1000 retains these concepts from the extant 
standards.
---------------------------------------------------------------------------

    \248\ See QC 20.18.
---------------------------------------------------------------------------

    As discussed above, QC 1000 does not contain provisions similar to 
the Appendix K requirements that currently apply to former SECPS member 
firms.

Resources

    This component addresses the firm's responsibilities for obtaining, 
developing, using, maintaining, allocating, and assigning resources--
including people, financial, technological, and intellectual 
resources--to enable the design, implementation, and operation of the 
firm's QC system and the performance of its engagements.

[[Page 49646]]

1. QC 1000
a. Resources Quality Objectives (QC 1000.44)
    The proposal asked if the Board's proposed quality objectives for 
resources were appropriate. Commenters that responded to this question 
generally supported the quality objectives. One commenter suggested 
that the risks associated with the resources component are greater and 
that a prescriptive approach would be warranted. The Board believes the 
combination of quality objectives and specified quality responses 
appropriately provides for scalability and prescriptiveness.
    Under QC 1000, a firm is required to establish quality objectives 
for the resources component in several different areas:
     People;
     Technological resources;
     Intellectual resources; and
     Resources from a network or third-party provider.
i. People (QC 1000.44.a-.g)
    The quality objectives in QC 1000.44.a-.b are similar to the 
personnel management element of quality control addressed in QC 20 and 
QC 40, and the Board adopted them as proposed with one change. The 
proposed standard included a note that describes what competence 
comprises--knowledge, skill, and ability--which is derived from QC 
40.04.\249\ Two commenters suggested deleting the last sentence in the 
note, which as proposed stated that ``The measure of competence is 
qualitative rather than quantitative . . .,'' on the basis that it 
would discourage the use of quantitative performance metrics. The Board 
believes that QC 40 should be understood as saying, not that 
quantitative measures are wholly irrelevant, but that competence is not 
measured exclusively on a quantitative basis because quantitative 
measurement alone may not accurately reflect the nature of experience 
gained over time. The note in the final standard has been revised to 
clarify that competence can be measured both qualitatively and 
quantitatively.
---------------------------------------------------------------------------

    \249\ See QC 40.04 (competencies are not measured by periods of 
time because such quantitative measurement may not accurately 
reflect the kinds of experiences gained in any given time period).
---------------------------------------------------------------------------

    These two quality objectives work together in addressing competence 
from the perspective of both the firm and individual. The firm and its 
personnel have responsibilities for developing and maintaining 
competence that will support the operation of the firm's QC system and 
the performance of the firm's engagements in accordance with applicable 
professional and legal requirements and the firm's policies and 
procedures.
    Understanding the competence needed to carry out responsibilities 
for the operation of the firm's QC system and the performance of the 
firm's engagements assists a firm in identifying its personnel needs. 
This understanding also assists a firm in identifying areas for 
personnel development. Competence can be developed through an 
appropriate combination of education, professional experience in 
accounting and auditing with proper supervision, and training such as 
CPE.
    A commitment to quality can be demonstrated through a person's 
actions and behaviors, including consistent adherence to firm policies 
and procedures, demonstrating key professional attributes like 
objectivity, integrity, and due professional care, and taking the 
initiative to develop and maintain competence. Conversely, a lack of 
commitment to quality can be seen through actions and behaviors such as 
inconsistent compliance with professional standards, cheating on 
professional development and compliance exams, or a ``check the box'' 
approach to professional development.
    The quality objectives in QC 1000.44.c-.e address the assignment of 
firm personnel and individuals who are other participants, in the 
firm's engagements, QC roles, and other firms' engagements. As 
discussed previously, the firm's people resources may include firm 
personnel (generally, employees of the firm) or resources from outside 
the firm (other participants). For example, EQRs or personnel at 
service centers may be considered either firm personnel (if employed by 
the firm or functioning as firm employees) or other participants (if 
contracted by the firm).\250\ One commenter was concerned that the 
inclusion of other participants in the firm's QC system may create 
cross-jurisdictional legal issues, such as employment information that 
may be protected by privacy laws. The Board believes it is important 
for the QC system to assess the competence of other participants, which 
may include having policies and procedures on what to do if the firm is 
unable to make such assessment due to legal issues. One commenter 
mentioned that the responsibilities related to the use of specialists 
engaged by the firm, other auditors, and internal auditors providing 
direct assistance are addressed in existing auditing standards as 
engagement team responsibilities and are not needed within this quality 
objective. While it is acknowledged that there are auditing standards 
that address those topics at the engagement level, the quality 
objectives relate to the firm's processes for assigning the appropriate 
individuals to engagements and QC activities.
---------------------------------------------------------------------------

    \250\ See QC 1000.A5 and .A7.
---------------------------------------------------------------------------

    One commenter emphasized the need for firm resources to have time 
to fulfill their assigned responsibilities. Another commenter suggested 
a prescriptive approach to human capital management, including 
monitoring assignments and time requirements, utilization, and 
engagements with high turnover and workloads. Given the wide range of 
firms based on their size, scope, and nature of practice, the Board 
does not believe prescriptive requirements in this area are 
appropriate. The Board clarified paragraphs .44c and .44e by adding 
``needed'' to the quality objective to increase the focus on sufficient 
competency, objectivity, time, and when appropriate, the authority 
needed to fulfill their assigned responsibilities. The PCAOB has also 
separately proposed new reporting requirements regarding firm and 
engagement metrics that, if adopted by the Board and approved by the 
SEC, would enhance transparency about, among other things, firms' human 
capital management.\251\
---------------------------------------------------------------------------

    \251\ See PCAOB Rel. No. 2024-002.
---------------------------------------------------------------------------

    The quality objectives focus on three key aspects of the ability to 
fulfill the assigned role: competence, objectivity, and time. 
Individuals need to have competence to fulfill their assigned roles in 
accordance with applicable professional and legal requirements and the 
firm's policies and procedures. As previously discussed, both the 
individual and the firm play a part in developing a person's 
competence. The ability to maintain objectivity is essential to 
performing QC activities or engagements; a lack of objectivity may, for 
instance, create an unconscious bias that directly affects quality. 
Individuals' ability to devote appropriate time to their assignments 
also affects quality.
    In addition to the competence, objectivity, and time needed to 
perform engagement and QC activities, individuals need to have the 
requisite authority to perform effectively. In the context of 
engagement activities, the auditing standards already provide authority 
structures with respect to, for example, supervision and the 
responsibilities of the engagement partner, and those standards are 
augmented by firm policies on matters such as consultation. For QC 
activities,

[[Page 49647]]

the need for appropriate authority is specified in the quality 
objective.
    The QC 1000.44.f quality objective to comply with the firm's 
policies and procedures did not attract comment and was adopted as 
proposed.
    This quality objective is based on a concept embedded in QC 20: 
that firm personnel should adhere to the firm's own standards of 
quality. The Board believes that this should remain among the firm's 
objectives, and also that it would play an important role in the 
operation of the QC system under QC 1000.
    The firm's QC-related policies and procedures are essential to the 
proper functioning of an effective QC system. By definition, those 
policies and procedures are the ``quality responses'' the firm has 
designed and implemented to address quality risks. Firm personnel need 
to understand those policies and procedures and operate in compliance 
with them in order for the QC system to operate as designed and achieve 
its objectives. Additionally, firm personnel need to understand and 
comply with firm policies and procedures in order for the firm's work 
on its own engagements and other firms' engagements to be performed 
appropriately.
    Evaluations help support and promote the continuous development of 
the competence of firm personnel. Some commenters, generally investor-
related groups, suggested the standard address incentives in partner 
compensation relative to quality control systems and weight it at least 
as much as revenue growth. After considering comments, the Board 
revised paragraph .44g to add ``including through compensation plans 
and decisions in which quality considerations play a critical part.'' 
The Board believes this change will prompt firms to appropriately 
weight quality concerns in their organization-wide compensation plans 
and individual compensation decisions. The Board believes his change, 
along with the change to the quality objective in paragraph .25b, 
should result in firms giving appropriate weight to quality in 
compensation plans and decisions regarding performance for both firm 
leadership and firm personnel.
    The quality objective contemplates that evaluations should be 
performed at least annually. Many firms currently utilize an annual 
performance review process in order to facilitate such evaluations. A 
firm may have multiple quality responses to address the quality risks 
associated with the different types of firm personnel. For example, 
non-employee contractors and consultants, who work under the firm's 
supervision or direction and control and are considered firm personnel, 
may be evaluated through the contracting process to determine whether 
the firm should retain them. The quality objective does not specify the 
format of or approach to periodic evaluations.
    The quality objective in QC 1000.44.g, which refers to 
accountability and incentives, is principles-based, and firms will be 
able to design and implement incentive systems based upon their nature 
and circumstances. The ``appropriate standards of conduct'' identified 
in the quality objective include fulfilling engagement and QC 
responsibilities with competence, integrity, objectivity, and due 
professional care and complying with applicable professional and legal 
requirements and the firm's policies and procedures, as described in 
paragraph .46 of the standard.
ii. Technological Resources (QC 1000.44.h)
    Technological resources cover many aspects that collectively 
comprise a firm's technological environment, including information 
technology applications, infrastructure, and processes (e.g., firm 
processes to manage access to the IT environment, program changes, 
changes to the IT environment, or IT operations). Technological 
resources may be developed by the firm or obtained, for example, from 
the firm's network or a third-party provider.
    The nature and extent of the use of technological resources differs 
across firms. For example, some audit firms are making significant 
investments in technological resources and expanding their use of 
technology-based audit tools, such as software used to perform data 
analytics or to access information from a distributed ledger. Some 
technology facilitates the operation of firms' QC systems, such as 
monitoring individual financial investments for purposes of compliance 
with independence rules. The availability of ``off-the-shelf'' 
technological resources continues to evolve, leading to an increase in 
firms of all sizes employing technology to assist in operating their QC 
systems or planning and performing engagements.
    The quality objective in QC 1000.44.h highlights that the proper 
use of technological resources, in a manner that enables the operation 
of the firm's QC system and the performance of its engagements in 
accordance with applicable professional and legal requirements and the 
firm's policies and procedures, is the firm's responsibility. The 
proposal asked if the quality objective and specified quality responses 
related to technological resources provide sufficient direction to 
enable the appropriate use of emerging technologies. Commenters that 
addressed this question, generally firms, indicated the proposed 
quality objectives and specified quality responses provide sufficient 
direction. One commenter suggested that the standard does not create 
incentives to use technology to improve audit quality.
    The technology environment is dynamic, and firms' use of 
technological resources will likely continue to evolve in the future. 
The Board believes that principles-based standards are more adaptable 
to future developments, less likely to become obsolete, and less likely 
to discourage the use of emerging technologies. As a result, QC 1000 
does not include any prescriptive requirements related to how firms 
address emerging technology. Instead, it includes a risk factor to 
prompt consideration of technology as part of the firm's risk 
assessment process.\252\ Separately, the Board has proposed certain 
amendments to PCAOB auditing standards that address certain aspects of 
designing and performing audit procedures using technology-assisted 
data analysis of information in electronic format.\253\
---------------------------------------------------------------------------

    \252\ See paragraph .20a.(1)(e) and Appendix B paragraph .B6 of 
QC 1000.
    \253\ See Proposed Amendments Related to Aspects of Designing 
and Performing Audit Procedures that Involve Technology-Assisted 
Analysis of Information in Electronic Form, PCAOB Rel. No. 2023-004 
(June 26, 2023).
---------------------------------------------------------------------------

    The Board adopted the technological resources quality objective as 
proposed. The Board believes the risk-based approach creates incentives 
for firms to obtain or develop, implement, maintain, and use 
technological resources throughout the firm based on the size and 
nature of the firm.
iii. Intellectual Resources (QC 1000.44.i)
    The quality objective in QC 1000.44.i related to intellectual 
resources did not attract comment and was adopted substantially as 
proposed. The Board revised the note to add ``to enable the operation 
of the firm's QC system,'' consistent with the quality objective.
    Intellectual resources generally include the information the firm 
uses to promote consistency in the execution of the firm's QC system 
and the performance of engagements. Intellectual resources may be made 
available through a variety of media, including via written manuals or 
technological resources (e.g., the firm's methodology may be embedded 
in the information technology application that enables the operation of 
the firm's QC

[[Page 49648]]

system and facilitates the performance of the engagement).
    Intellectual resources may be obtained or developed internally, or 
acquired externally (for example, a commercially available audit or QC 
methodology or a subscription data feed). Regardless of how 
intellectual resources are acquired, the firm remains responsible for 
ensuring they are fit for purpose and properly implementing and 
maintaining them. For example, if a firm acquired its QC methodology 
from a vendor, the firm is responsible for choosing a methodology and 
implementing it (including appropriately identifying risks and 
designing, implementing, and operating appropriate responses) in a way 
that enabled the firm's engagements to be properly performed and the 
firm's QC system to operate in accordance with QC 1000. If a firm 
developed methodology to direct the performance of its engagements in 
accordance with applicable professional and legal requirements, and a 
new auditing standard were issued after that methodology was 
implemented by the firm, the methodology would need to be updated to 
properly address the applicable professional and legal requirements.
    The quality objective related to intellectual resources in the 
final standard is similar to the technological resources quality 
objective, as both objectives relate to resources enabling the 
operation of the firm's QC system and the performance of its 
engagements in accordance with applicable professional and legal 
requirements and the firm's policies and procedures.
iv. Resources From a Network or Third-Party Provider (QC 1000.44.j)
    In some circumstances, the firm may use resources provided by a 
network or a third-party provider. Such resources may include 
methodologies, applications, and tools used in the firm's QC system or 
the performance of its engagements.
    The proposal included a quality objective in QC 1000.44.j related 
to the resources provided by a network or a third-party provider. One 
commenter requested the objective be broken into two quality 
objectives, as a firm's approach to each of these groups may be 
significantly different. The Board agrees that a firm's approach to 
resources provided by the network may be different from resources 
provided by a third-party provider, and that the approach to different 
types of third-party providers could also vary. But the Board does not 
believe that such differences compel separate quality objectives. A 
firm may identify multiple quality risks and develop multiple quality 
responses related to a single quality objective.
    For example, a firm may use multiple third-party providers for a 
variety of different resources, such as an audit methodology provider 
or a confirmation intermediary. If these different types of third-party 
providers or resources present different risks, the firm would be 
required to develop different quality responses. In that scenario, the 
firm could have different policies and procedures applicable to 
different types of third-party providers and/or different types of 
resources. A firm that is not affiliated with a network is not required 
to establish a quality objective related to network-provided resources 
and therefore would not identify quality risks or related quality 
responses.
    Notwithstanding that a firm may use resources from a network or a 
third-party provider, the firm remains responsible for the use of these 
resources in the QC system and performance of its engagements.
    Consideration of the nature of the resources provided by the 
network or third-party providers, how and to what extent the resources 
will be used, and the general characteristics of the third-party 
provider will assist the firm in determining whether it needs to 
supplement or adapt such resources. For example, the firm may obtain 
its methodology from a third-party provider under an arrangement 
whereby the third-party provider agrees to update the methodology when 
new standards are issued. In this scenario, the firm remains 
responsible for verifying that such changes are incorporated into the 
methodology and supplementing the methodology if such changes are not 
made, so that the firm's resources support its performance of compliant 
engagements. As another example, the firm may obtain a service from a 
third-party provider that provides a System and Organization Controls 1 
(SOC 1) report. The firm would be responsible for verifying that the 
controls are designed effectively at the third-party provider and for 
designing and implementing any complementary user entity controls 
identified in the report.
    The firm is also responsible for taking any necessary actions in 
using a resource from a network or third-party provider to enable the 
resource to function effectively. For example, the network or third-
party provider may need information related to the firm's restricted 
entities so that it can facilitate independence confirmations. In 
addition, if the firm discovered a problem with the design or operation 
of the resource, it may need to communicate such problems to the 
network or third-party provider so that the resource can effectively 
operate.
b. Resources Specified Quality Responses (QC 1000.45-.51)
    The proposal asked if the specified quality responses for resources 
were appropriate. Two commenters that addressed this question supported 
the specified quality responses. Two other commenters objected that the 
specified quality responses were too prescriptive and suggested they be 
rewritten as risk-based quality objectives.
    One commenter stated that certain of these requirements relate 
closely to auditing standards and requested clarity on how QC 1000 is 
intended to interact with engagement-related auditing standards. QC 
1000 focuses on firm-level controls over compliance with auditing 
standards, including those related to engagement performance.
    The Board adopted the specified quality responses as proposed, with 
one modification suggested by commenters. These specified quality 
responses carry provisions from the PCAOB's existing QC standards into 
QC 1000 or establish firm-level requirements that align with existing 
engagement-level requirements. They also include new requirements that 
the Board believes are important to a firm's QC system.
    The specified quality response related to appropriate standards of 
conduct did not attract comment and was adopted as proposed.
    The reference to ``appropriate standards of conduct'' reflects a 
number of concepts in existing PCAOB standards, including:
     Fulfilling responsibilities with professional competence; 
\254\
---------------------------------------------------------------------------

    \254\ See, e.g., QC 20.13a, .13b, and .15a.
---------------------------------------------------------------------------

     Integrity and objectivity; \255\
---------------------------------------------------------------------------

    \255\ See, e.g., QC 20.10.
---------------------------------------------------------------------------

     Due professional care (including the exercise of 
professional skepticism); \256\ and
---------------------------------------------------------------------------

    \256\ The general principles and responsibilities of the auditor 
when conducting an audit, including professional skepticism and due 
professional care, are being reaffirmed and combined in AS 1000, as 
adopted. See Auditor Responsibilities Release.
---------------------------------------------------------------------------

     Complying with applicable professional and legal 
requirements and the firm's policies and procedures.\257\
---------------------------------------------------------------------------

    \257\ See, e.g., QC 20.03.
---------------------------------------------------------------------------

    Firm personnel are individually responsible for complying with the 
firm's standards of conduct, and the firm's policies and procedures 
around these standards of conduct are intended to result in firm 
personnel being held accountable for their behavior and actions. This 
includes evaluating firm personnel's adherence to such standards

[[Page 49649]]

of conduct, addressing deviations, and holding personnel accountable 
for fulfilling their engagement and QC responsibilities, including 
through the firm's incentive system. The Board believes the standards 
of conduct included in this specified quality response are foundational 
to fulfilling not only engagement responsibilities, but also QC 
responsibilities.
    QC 40 addresses requirements regarding the competencies of 
engagement partners and, by extension, EQRs.\258\ The proposed 
standard, in QC 1000.47, required that firms' QC policies and 
procedures address certain enumerated competencies, as well as other 
competencies as necessary in the circumstances. Some commenters 
suggested that the competencies identified in proposed paragraph .47a-h 
be moved to a quality objective or staff guidance and argued that they 
were redundant to the auditing standards. The Board believes that the 
competencies in paragraph .47 are applicable to all firms and 
accordingly are appropriate as specified quality responses. One 
commenter asked for clarification of the expectation of ``including an 
understanding of'' and suggested that the standard include 
consideration of ``other competencies as necessary in the 
circumstances,'' consistent with QC 40.08. The Board believes that 
auditors should be familiar with the concept of obtaining an 
understanding, and note that the construct of QC 40 is a restrictive 
list whereas the list of competencies in this requirement is identified 
as ``including'' and not intended to be comprehensive, so the Board 
does not believe a reference to other competencies is necessary.
---------------------------------------------------------------------------

    \258\ See, e.g., QC 40.08; AS 1220.05.
---------------------------------------------------------------------------

    One commenter indicated that the firm would not be in a position to 
impose the specific requirements in paragraph .47 on individuals that 
are not part of the firm. The Board has narrowed the requirement to 
apply only to firm personnel, rather than ``others participating in an 
engagement,'' as proposed. It is noted, however, that other quality 
objectives, such as those in paragraphs .44c and .44e, continue to 
apply with respect to individuals outside of the firm as well as firm 
personnel. As discussed in more detail above in the Acceptance and 
Continuance of Engagements discussion, the Board also revised 
``client'' to ``company'' in paragraph .47.
    Paragraph .47 of QC 1000 both expands the required competencies for 
engagement partners and requires certain competencies for other firm 
personnel in engagement roles commensurate with their responsibilities. 
This includes applying existing requirements for engagement partners--
an understanding of, among other things, the importance of exercising 
sound judgment, the role of the firm's QC system in the performance of 
engagements, and the industry in which the company operates--to 
everyone in an engagement role, at a level commensurate with their 
responsibilities.
    To reflect changes in the environment since the existing QC 
standards were issued, the Board required competencies related to 
understanding the subject matter of attestation engagements, the 
internal control framework and technology used by the company, and the 
technological and intellectual resources used in performing engagement 
procedures. Regarding technological and intellectual resources, the 
Board required an understanding of how and whether it is appropriate to 
use these resources in performing the engagement. This specified 
quality response does not imply that the engagement partner or other 
firm personnel participating on an engagement need to be knowledgeable 
about how such resources are developed.
    QC 20 provides that policies and procedures are required to be 
established to provide the firm with reasonable assurance that 
personnel participate in CPE and other professional development 
activities that enable them to fulfill responsibilities assigned and 
satisfy applicable CPE requirements.\259\ In addition, SECPS member 
requirements provide that member firms are required to ensure that (1) 
all professionals in the firm residing in the United States, including 
CPAs and non-CPAs, participate in at least 20 hours of qualifying CPE 
every year and at least 120 hours every three years and (2) 
professionals who devote at least 25 percent of their time to 
performing audit, review or other attest engagements, or who have the 
partner- or manager-level responsibility for the overall supervision or 
review of any such engagements, must obtain at least 40 percent (eight 
hours in any one year and 48 hours every three years) of their required 
CPE in subjects relating to accounting and auditing.\260\
---------------------------------------------------------------------------

    \259\ See QC 20.13; QC 40.02, .05.
    \260\ See SECPS 1000.08(d), 8000. The SECPS member requirements 
provide that ``accounting and auditing subjects'' should be broadly 
interpreted, and include, for example, subjects relating to the 
business or economic environments of the entities to which the 
professional is assigned.
---------------------------------------------------------------------------

    Through the PCAOB's oversight activities, the Board has observed 
situations where a lack of understanding of professional standards 
appears to have contributed to audit deficiencies. These problems have 
been observed in domestic firms and international firms, including 
firms that were not SECPS members.
    One commenter requested the standard set out more specific 
requirements with respect to training, identify areas or categories 
that must be regularly addressed, and not eliminate the CPE obligation 
in the existing standard. Another commenter requested the standard 
include minimum requirements related to training of audit staff. The 
Board believes it is important for firms to provide training focused on 
areas where firm personnel need to develop or maintain their competence 
so that they may fulfill their QC and engagement roles. If the Board 
were to set specific requirements with respect to training, firms may 
not evolve their training over time to respond to changes in the firm 
or in the needs of firm personnel. The Board maintained the principles-
based approach to training.
    Under the specified quality response in QC 1000.48, the firm is 
required to provide training, including training on applicable 
professional and legal requirements, that is mandatory for all firm 
personnel on an annual basis. This specified quality response provides 
firms the ability to determine the type and extent of training 
necessary based on their personnel and the nature and circumstances of 
the firm and its engagements. For example, a firm may determine that 
training is necessary on a wide array of topics for a certain level of 
staff within the firm. Another firm may determine that training is 
necessary for one or more staff in a certain area due to a new 
engagement or as a result of an area of development identified as part 
of a performance evaluation. A firm may also decide that it is 
necessary to repeat training as a periodic reminder of existing 
requirements, such as those relating to internal control over financial 
reporting. Ultimately, the type and extent of training should be 
directed at whatever is necessary to enable firm personnel to fulfill 
their assigned QC and engagement roles in accordance with applicable 
professional and legal requirements and the firm's policies and 
procedures.
    This specified quality response in QC 1000.49 did not attract 
comment and was adopted as proposed.
    This specified quality response relates to the quality objective in 
paragraph .44g., which provides that firm personnel are evaluated at 
least

[[Page 49650]]

annually, incentivized to fulfill their assigned responsibilities and 
adhere to appropriate standards of conduct, including through 
compensation plans and performance decisions regarding performance that 
appropriately prioritize quality considerations, and held accountable 
for their actions and failures to act.
    Specific to the individuals assigned ultimate responsibility and 
accountability for the QC system as a whole and operational 
responsibility and accountability for the QC system as a whole, the 
firm's periodic performance evaluations of these individuals are 
required to take into account the results of the firm's evaluation of 
its QC system.\261\ A firm will be able to determine its approach to 
comply with this specified quality response. For example, the firm may 
set targets and measure the outcome of the evaluation of the QC system 
against those targets. As another example, the firm may consider the 
individual's actions taken in response to identified QC deficiencies or 
major QC deficiencies, including the timeliness and effectiveness of 
such actions. The periodic performance evaluation of these individuals 
may be informal in a less complex firm or undertaken by a special 
committee in a more complex firm.
---------------------------------------------------------------------------

    \261\ Evaluation of a firm's QC system is addressed in 
paragraphs .77-.78 of QC 1000 and discussed below.
---------------------------------------------------------------------------

    No comments were received on the specified quality response in QC 
1000.50 and it was adopted as proposed.
    Laws or regulations may establish requirements for the professional 
licensing or other qualifications of the firm and firm personnel. Under 
this specified quality response, the firm is required to have policies 
and procedures regarding licensure such that the firm and firm 
personnel hold the required licenses or qualifications. The policies 
and procedures address such matters as (1) the jurisdiction(s) where 
firm and firm personnel are required to hold licenses or other 
qualifications, and (2) whether the firm and such firm personnel comply 
with the jurisdictions' requirements.
    The quality objective in paragraph .44h. provides that 
technological resources are obtained or developed, implemented, 
maintained, and used to enable the firm's QC system and the performance 
of its engagements. As part of the firm's quality response to this 
quality objective, the firm's technological resources should also have 
the characteristics described in paragraph .51. One commenter stated 
that the quality objective in proposed paragraph .44h is sufficient and 
this specified quality response should be removed. The Board believes 
the firm's policies and procedures should address its technological 
resources having the capacity (resource requirements for the necessary 
output), integrity (guarding against improper information 
modification), resiliency (ability to operate and recover under adverse 
conditions), availability (ensuring timely and reliable access to and 
use of information), reliability (ability to function consistently), 
and security (protection against intentional subversion).\262\ These 
characteristics enable the ongoing operation of the firm's QC system 
and performance of its engagements. The Board believes this specified 
quality response provides additional direction and has retained it in 
the final standard.
---------------------------------------------------------------------------

    \262\ See, National Institute of Standards and Technology 
Glossary, available at https://csrc.nist.gov/glossary.
---------------------------------------------------------------------------

    Also related to technology, the proposal asked if the standard 
should include a specified quality response that would require the use 
of technological resources by the firm to respond to the risks related 
to the use of certain technology by the companies for which the firm 
performs engagements. Several commenters did not support inclusion of 
such a specified quality response. One commenter requested a 
requirement to design and implement controls to prevent unauthorized 
access to data and technology. The Board did not make any changes or 
additions to the quality objective or specified quality responses 
related to technological resources because it believes the more general 
provisions appropriately address this issue, and more specific 
provisions are at risk of quickly becoming outdated as technology 
evolves.
2. Current PCAOB Standards
    QC 1000 largely covers the same areas addressed in QC 20 and QC 40 
for personnel management and assignment of responsibilities.\263\ 
Existing PCAOB QC standards do not provide specific direction on the 
use of intellectual resources or technological resources, except for 
one application regarding independence.\264\
---------------------------------------------------------------------------

    \263\ See QC 20.13 and .22.
    \264\ See SECPS 1000.46 (requirement 4).
---------------------------------------------------------------------------

Information and Communication

    This component addresses the firm's processes for obtaining, 
generating, sharing, and using information to enable the design, 
implementation, and operation of the QC system and the performance of 
the firm's engagements, and for communicating information within the 
firm and to external parties.\265\ As discussed in more detail below, 
the Board made some changes in response to commenter input but adopted 
most provisions as proposed.
---------------------------------------------------------------------------

    \265\ Other aspects of the standard also include specific 
provisions regarding communication (see, e.g., paragraphs 16-.17 in 
Roles and Responsibilities, and paragraphs .31 and .35 in Ethics and 
Independence).
---------------------------------------------------------------------------

1. QC 1000
    The information and communication area of the firm's operations 
serves the critical function of generating, gathering, and 
disseminating the information needed for the firm, including the QC 
system, to function. The process of determining information needs is 
iterative and ongoing; as the nature and circumstances of the firm 
change, information needs also change. The information and 
communication component of the QC system operates over this area of the 
firm's operations.
    One firm suggested that the information and communication component 
refer to ``relevant and reliable'' information to convey that not all 
information is intended to be obtained and disseminated to the relevant 
individuals or roles. The firm disagreed that relevance and reliability 
is implied within the context of the proposed requirements, and argued 
that the term ``information'' needs parameters and qualifying language 
to provide boundaries to the vast amount of information that exists or 
could be created in the context of a firm's QC system. The firm further 
argued that without appropriate qualifiers, the breadth of information 
to be considered and/or communicated within a QC system will inhibit 
firm leaders from identifying and focusing on information most relevant 
to the successful operation of the QC system. As discussed in the 
proposal, in determining specific information to be communicated to 
firm personnel, including the nature and extent of such communication, 
the firm may consider the type of information that is relevant to the 
recipients given their roles and responsibilities within the firm. The 
Board continues to believe that information would have to be relevant 
and reliable to support the operation of the firm's QC system and the 
performance of the firm's engagements in accordance with applicable 
professional and legal requirements, so that a reference in the 
standard to ``relevant and reliable'' information is unnecessary.

[[Page 49651]]

a. Information and Communication Quality Objectives
    The standard requires the firm to establish a number of quality 
objectives for the information and communication component. These 
objectives are discussed in more detail below. One firm commented that, 
as the proposed quality objectives for information and communication 
are broadly consistent with other jurisdictional and international 
quality control/management standards, they are appropriate, and no 
further changes are needed.
i. Identifying, Capturing, Processing, and Maintaining Information (QC 
1000.53.a)
    Identifying, capturing, processing, and maintaining information is 
an ongoing process necessary to support the firm's QC activities and 
the performance of its engagements in accordance with applicable 
professional and legal requirements. Information systems vary from firm 
to firm and encompass various sets of activities involving people, 
processes, data, or technology, or some combination thereof. Some 
firms' information systems may be heavily reliant on IT aspects while 
other information systems may require more manual intervention. Firms 
are able to determine the type of information systems necessary to 
achieve their quality objectives.
    One commenter suggested that the information and communication 
component could be enriched by explicitly integrating academic audit 
and accounting studies as a vital source of information to be used by 
firms to inform their QC system. The Board believes that the quality 
objectives within the information and communication component 
sufficiently establish the desired outcomes for the identification of 
external information to support the operation of the firm's QC system. 
A firm may determine that the conclusions of certain academic studies 
inform the design or operation of its QC system. Furthermore, depending 
on the nature and circumstances of the firm and its engagements, the 
firm may consider any applicable academic studies in the firm's risk 
assessment process as it obtains an understanding of the conditions, 
events, and activities that may adversely affect the achievement of its 
quality objectives. The requirement was adopted as proposed.
ii. Exchange of Information (QC 1000.53.b-.c)
    Information is essential to firm personnel being able to understand 
and fulfill their responsibilities relating to the QC system and the 
performance of the firm's engagements. For example, through the Board's 
oversight activities, it observed improved audit quality when there was 
regular, consistent communication among members of the engagement 
team.\266\ The quality objective prompts firms to tailor the nature, 
timing, and extent of information communicated based on firm 
personnel's responsibilities, including those related to the firm's 
policies and procedures.
---------------------------------------------------------------------------

    \266\ See, e.g., 2019 Inspection Observations Preview at 5.
---------------------------------------------------------------------------

    Communication is generally an ongoing process that involves all 
firm personnel. For example, the firm communicates information to 
engagement teams, such as information obtained during the firm's 
acceptance and continuance process that is relevant in performing the 
engagement. Engagement teams also communicate information to the firm--
for example, information about the company obtained during engagement 
performance that may assist the firm when evaluating whether to 
continue the engagement. Two-way communication may also occur among 
firm personnel. For example, firm personnel performing engagements may 
exchange information directly with firm personnel performing activities 
within the firm's QC system, such as information to facilitate 
compliance with the firm's independence policies and procedures. The 
standard emphasizes the need for two-way communication within the firm 
and the responsibility of all firm personnel to communicate 
information.
    One commenter addressed the quality objectives set out in 
paragraphs .53b.-.53c. of the proposed standard related to the timely 
exchange of information between firm personnel and leadership, 
including those with responsibilities for the firm's QC system. The 
commenter recommended that the final release clarify that the firm's 
policies and procedures assist in promoting communication such that the 
appropriate individuals with responsibilities over the firm's QC system 
become aware of relevant matters in a timely manner, as appropriate for 
the size and the scale of the firm and relative nature of the matter. 
As discussed above, the Board believes timely communication and action 
should be sufficiently prompt to achieve its objective and that 
timeliness is a function of the nature and significance of the issue. 
These requirements were adopted as proposed.
iii. External Parties (QC 1000.53.d-.e)
    There are many circumstances in which firms communicate information 
about themselves and their performance to external parties. Some 
external communications are required by law or regulation, such as the 
transparency reporting that is required in some jurisdictions, and 
others are made by firms voluntarily, for example, in connection with 
marketing or recruitment efforts.
    The standard requires the firm to establish a quality objective 
that addresses communications to external parties in accordance with 
applicable professional and legal requirements. This quality objective 
focuses firms on providing the necessary communications to external 
parties when required. Among other things, this objective (paragraph 
.53d.) covers the completeness, accuracy, and timeliness of a firm's 
existing annual and periodic reporting to the PCAOB (i.e., Forms 2 and 
3, Form AP, and Form QC). It would also cover reporting under the 
Board's proposed revised reporting requirements and metrics 
requirements \267\ if those are ultimately adopted by the Board and 
approved by the SEC.
---------------------------------------------------------------------------

    \267\ See PCAOB Rel. No. 2024-002.
---------------------------------------------------------------------------

    An investor expressed concern with the absence of references to 
investors or the public from the examples of external parties, and 
further commented that the proposal makes no mention of the role of 
quality control with respect to critical audit matters. This provision 
relates to communications to external parties that are required under 
applicable professional and legal requirements. Under current 
requirements, the only required communication from the audit firm to 
investors is the audit report. Audit reporting is part of engagement 
performance, is covered by a separate quality objective relating to 
engagement performance,\268\ and is not addressed by this quality 
objective. To the extent that a communication to a regulator is 
ultimately available to the public (as is the case with, for example, 
various forms filed with the PCAOB), such communications would be 
covered by this quality objective, thus providing

[[Page 49652]]

downstream benefits for investors and the public.
---------------------------------------------------------------------------

    \268\ See paragraph .42a.(3): ``Responsibilities are understood 
and fulfilled . . ., including, as applicable . . . Responsibilities 
for reporting and other communications with respect to the 
engagement.''
---------------------------------------------------------------------------

    A firm recommended that the scope of the requirement be limited to 
information or communications regarding a firm's audit practice and 
engagements performed in accordance with PCAOB standards. As discussed 
in more detail above, the definition of applicable professional and 
legal requirements in the final rule has been more narrowly tailored to 
address engagements, as defined in QC 1000, and the QC system itself. 
The Board believes this change addresses the commenter's concern about 
the possible overbreadth of the quality objective, and the Board 
adopted it as proposed.
    The PCAOB also observed that some firms make public communications 
about firm-level or engagement-level information, such as firm metrics 
and financial data. For example, some firms publish transparency or 
audit quality reports, either voluntarily or in response to the 
requirements of other jurisdictions, that contain data such as:
     Revenue breakdown by service line, by year, or by 
geographic segment;
     Professional staff ratios;
     Staff turnover ratios;
     Average training hours per professional; and
     Partner workload.
    In addition to transparency or audit quality reports, firms may 
communicate these data via web pages or other media, such as 
promotional publications, social media, interviews, or presentations 
via webcast or video. Furthermore, if adopted, the Firm and Engagement 
Metrics proposal will require firms to publicly report certain metrics 
relating to their audits and their audit practices.
    Regardless of the form of communication and the type of information 
presented, the Board believes that firms' QC systems should address the 
integrity of firms' external communications about themselves and the 
performance of their engagements. Such information can influence the 
views of relevant stakeholders, including audit committees determining 
whether to engage or retain an auditor and investors determining 
whether to ratify such an appointment.
    The proposed standard contemplated that the firm would establish a 
specific quality objective that firm-level or engagement-level 
information communicated externally is accurate and not misleading and, 
with respect to any performance metrics, that the communication 
explains in reasonable detail how the metrics were determined and, if 
applicable, how the metrics or the method of determining them changed 
since performance metrics were last communicated. The Board's view is 
that a specific quality objective in this area will prompt firms to 
implement targeted policies and procedures that address, for example, 
the quality and consistency of data and the need for context or 
explanation. This in turn will improve the informativeness, 
reliability, and comparability of such communications and avoid 
misleading the intended audience.
    Several commenters, including firms and related groups, broadly 
supported the quality objectives or agreed that it is important to 
address communications to stakeholders about a firm's or engagement's 
performance, and that such communications should be accurate and not 
misleading. However, many of the commenters on this topic raised 
concerns with regard to the proposed quality objective addressing the 
firm's external communications relating to metrics.
    Several commenters suggested that additional clarification be 
provided on the metrics and communications that are in scope for the 
quality objective. Some commenters recommended that the scope of the 
requirement be limited to metrics related to audit quality that are 
required to be communicated under applicable professional, legal, or 
other regulatory requirements and are communicated publicly. One firm 
recommended that the scope of metrics be limited to those related to 
the effectiveness of the firm's QC system or audit quality, and that 
the scope of the communications be limited to ``formal'' external 
reporting such as audit quality reports, transparency reports, 
communications with audit committees, and other published reports. 
Another firm recommended that the external communications in scope for 
the objective should be limited to communications externally about 
audit quality and should not extend to other external information 
issued by the firm that is not specifically related to audit quality 
such as marketing communications or recruiting information. The firm 
further argued that this limitation on scope to only audit-quality-
related external communications should also apply to the communication 
of how metrics were determined and explanations of year-on-year 
changes. Another firm recommended that the scope be limited to 
information or communications regarding a firm's audit practice and 
engagements performed in accordance with PCAOB standards.
    One firm expressed concern regarding firms' ability to design and 
implement quality responses to address the risk of every type and form 
of information communicated given the broad scope of the requirement. 
The firm recommended that the scope should be limited to information 
resulting from and regarding the evaluation of the firm's QC system, 
which will allow firms to focus efforts on the information that is most 
meaningful to stakeholders, which in turn will enhance the reliability 
of such information.
    One firm commented that in addition to recommending limiting the 
quality objective to engagements performed under PCAOB standards that 
would be subject to the firm's QC system, it may not be practicable to 
communicate in reasonable detail how a metric was determined in all 
situations (e.g., if the metric was provided in a speech). The firm 
asserted that it should be allowed to present the information about how 
a metric was determined and, if necessary, how it changed, in a single, 
publicly available location (e.g., on the firm's website). One firm 
commented that the level of disclosure that would be required may 
create confusion or may not ultimately be necessary, in particular in 
instances when the metric does not relate to audit quality. Further, 
the firm stated that the disclosures may conflict with requirements 
that may apply to registered firms outside of the U.S. Another firm 
recommended that the words ``explains in reasonable detail how the 
metrics were determined and, if applicable, how the metrics or the 
method of determining them changed since performance metrics were last 
communicated'' be removed from the quality objective. The firm asserted 
that this requirement may discourage smaller firms from including many 
quality metrics in their audit quality, transparency, and similar 
reports given limited time and resources available to produce their 
voluntary report. Some commenters, including firms and a related group, 
recommended that considerations related to metrics in QC 1000 be taken 
up as part of the PCAOB's research project on firm and engagement 
performance metrics.
    After consideration of the comments received, the Board continues 
to believe it is appropriate that all firm communications to external 
parties regarding themselves and their audit practice, in whatever 
medium, meet the minimum standard of being accurate and not misleading.
    However, in response to commenters, the Board clarified the quality 
objective in certain respects. It has clarified that the quality 
objective is limited to communications regarding the firm's audit 
practice, firm personnel, or engagements and removed the word

[[Page 49653]]

``performance'' from the phrase ``performance metrics,'' to align with 
the terminology use in the Board's proposed metrics requirements.\269\ 
Additionally, the Board revised the quality objective to provide that 
only metrics communicated in writing require an explanation of how the 
metrics were determined and, if applicable, how the method of 
determining them changed since metrics were last communicated. The 
Board believes this will address commenter concerns about the 
feasibility of providing such explanations for metrics communicated 
orally. In addition, the Board removed the requirement to explain in 
reasonable detail, if applicable, how the metrics themselves have 
changed since they were last communicated. The Board believes that 
requiring an explanation of how the metrics were determined and, if 
applicable, how the method of determining the metric changed since it 
was last communicated will enhance the understandability and 
comparability of the metrics made available to external parties. 
However, the Board does not believe it to be necessary to require 
narrative discussion of numeric changes in the metric period over 
period if there has been no change in the underlying calculation 
method.
---------------------------------------------------------------------------

    \269\ See PCAOB Rel. No. 2024-002.
---------------------------------------------------------------------------

    These disclosures may be incremental to requirements that could 
apply to registered firms outside of the U.S., however, the Board does 
not believe that these requirements will operate in conflict. The Board 
has observed variation and complexities in how metrics are defined and 
calculated by firms, as well as changes in the calculation method over 
time such that it believes this quality objective is necessary to 
improve the informativeness, reliability, and comparability of such 
communications and avoid misleading the intended audience. In addition, 
over 100 unique qualitative disclosures and quantitative audit quality 
metrics have been observed by the Center for Audit Quality (``CAQ'') in 
its analysis of the CAQ's eight Governing Board firms' most recent 
audit quality reports.\270\ The Board believes this indicates both a 
demand for and an ability to supply metrics, which further emphasizes 
the need for consistency and comparability of the metrics.
---------------------------------------------------------------------------

    \270\ See Audit Quality Reports Analysis: A Year in Review, 
available at https://www.thecaq.org/aqr-analysis-yir/.
---------------------------------------------------------------------------

    The Board considered whether it would be appropriate to allow for 
additional disclosures relating to metrics to be presented in a single 
public location such as the firm's website. However, the Board believes 
that by limiting the requirement to written communications, it has 
eliminated the concern about how to present such information with 
respect to an oral communication, and given the importance of the 
information to the intended audience, that this should be presented in 
the same written communication as the disclosed metrics.
    The Board received feedback from a number of commenters, including 
investors and related groups, criticizing the proposal for failing to 
include required metrics or audit quality indicators. The Board has 
proposed a separate standard on firm and engagement metrics \271\ and 
it has addressed these comments in that proposal.
---------------------------------------------------------------------------

    \271\ See PCAOB Rel. No. 2024-002.
---------------------------------------------------------------------------

iv. Networks (QC 1000.53.f)
    If the firm belongs to a network, exchange of information between 
the firm and the network may play an important role in supporting the 
operation of the firm's QC system and the performance of its 
engagements. For example, if the network performs certain monitoring 
activities relating to the firm's QC system, the network's 
communication of information (e.g., results of its monitoring 
activities or any changes to its activities from the prior year) may 
result in the firm adjusting the nature, timing, and extent of its own 
monitoring activities. On the other hand, the firm may need to 
communicate to the network when there are changes to the firm's QC 
system that may affect the network's monitoring activities.
    The Board did not receive comment on the proposed quality objective 
relating to the exchange of information between a firm and a network 
and adopted it as proposed.
v. Other Participants (QC 1000.53.g-.h)
    Many firms have increasingly involved parties outside the firm in 
QC functions, such as independence compliance, and engagement 
functions, such as performing audit procedures and evaluating audit 
evidence. Working with other participants can differ from working with 
individuals within the firm. For example, auditor-engaged specialists 
\272\ may have different professional training and experience and may 
operate under a different type of QC system, or none at all. Firms may 
experience differences in local norms and expectations when working 
with firms based in other jurisdictions. These and other factors give 
rise to risks in the communication between firm personnel and other 
participants, including the potential for misunderstandings regarding 
the audit effort needed to meet the objective of the other 
participant's work.\273\ It is therefore imperative that appropriate 
communications take place between the firm and other participants to 
enable the other participants to understand and carry out their 
responsibilities relating to activities within the firm's QC system and 
the performance of its engagements in accordance with applicable 
professional and legal requirements and the firm's policies and 
procedures.
---------------------------------------------------------------------------

    \272\ AS 1210, establishes requirements regarding the use of a 
specialist engaged by the auditor's firm (``auditor-engaged 
specialist'') to assist the auditor in obtaining or evaluating audit 
evidence with respect to a relevant assertion of a significant 
account or disclosure.
    \273\ See, e.g., PCAOB Rel. No. 2022-002.
---------------------------------------------------------------------------

    The Board broadened the language of the quality objective to 
clarify that it applies to the use of participants in both the firm QC 
system and in engagements.
    For other participants that are firms, the Board proposed that 
information obtained from the other participants should include the 
conclusion of the most recent evaluation of its QC system and a brief 
overview of remedial actions taken and to be taken, as well as a 
footnote clarifying that the most recent evaluation of the other 
participant firm's QC system refers to that firm's evaluation under 
paragraph .77 of QC 1000 as of the most recent evaluation date, if such 
an evaluation was performed, and otherwise to the most recent QC 
evaluation performed by the other participant firm under any 
professional standard.\274\
---------------------------------------------------------------------------

    \274\ See, e.g., ISQM 1 paragraphs .53-.54; and SQMS 1 
paragraphs .54-.55.
---------------------------------------------------------------------------

    One commenter stated that audit firms monitor the quality of member 
firms but have typically been reluctant to share negative information 
about a member firm, and that requiring transparency in such 
information would be beneficial. However, several firms and related 
groups expressed concerns about the impact of having other participant 
firms share the most recent evaluation of their QC system based on the 
confidentiality protections set out in Sarbanes-Oxley or other relevant 
local laws and regulations. Two firms commented that these concerns 
would be alleviated if the definition of QC deficiency was updated to 
align with the definition in ISQM 1 and SQMS 1. One firm commented that 
the proposed quality objective addressing information and communication 
related to other participants is appropriate, however if

[[Page 49654]]

information is to be shared at the deficiency level, the firm is 
concerned that this would violate the confidentiality provision within 
Sarbanes-Oxley. Another firm suggested limiting the extent of 
information shared to only what is necessary for firms to achieve the 
reasonable assurance objective. This firm agreed with obtaining and 
considering the other participant firm's overall conclusion of the most 
recent evaluation of the QC system, however it argued that this should 
not include information regarding deficiencies, if any, and remedial 
actions taken and to be taken. Some commenters argued that firms should 
be able to take a risk-based approach in determining whether it is 
necessary to request specific information regarding an other 
participant firm's QC system.
    One firm-related group argued that certain international 
legislation may be an issue for firms when reporting clients' or 
individuals' personal information. The commenter further expressed 
concerns that those firms applying QC 1000 fully and reporting 
thereunder may be selected in preference to those using other 
standards. Another firm-related group expressed concern that a firm-
level QC inspection finding might result in the best firm for the 
component auditor role being bypassed. The commenter further suggested 
that guidance is needed for when the evaluation and/or overview of 
remedial actions is not forthcoming.
    Some commenters, including firms and a related group, argued 
practical concerns regarding the application of the requirement to 
other participants not registered with the PCAOB. One firm commented 
that, while it is not aware of any legal or regulatory concerns with 
other participants sharing the most recent evaluation of their QC 
system, it suggested that the PCAOB state that firms will not violate 
this requirement if local laws or regulations exist that prevent 
compliance.
    After consideration of the comments received, the Board amended the 
standard to limit the information that should be obtained to only the 
conclusion of the most recent evaluation of the QC system. The Board 
believes that this addresses commenter concerns relating to the risk of 
communicating privileged information. Furthermore, the Board continues 
to believe that obtaining the communication of the conclusion of the 
other participant's most recent evaluation may assist a firm in 
determining the nature and extent of supervision of the work of other 
participants or deciding whether other participants are fit to 
participate in the firm's engagements, including ensuring that the best 
firm for the job is not bypassed. If necessary, the firm may discuss 
the conclusion with the other participant firm to seek to gain a better 
understanding of the basis for such conclusion.
    The Board believes that in practically all cases, the firm would be 
able to obtain the conclusion of the most recent evaluation of the 
other participant's QC system. However, if a firm is unable to obtain 
this (for example, if the other participant has not performed an 
evaluation, or if local laws forbid them from sharing it), then the 
firm should assess what other procedures are necessary to achieve the 
quality objective.\275\
---------------------------------------------------------------------------

    \275\ See PCAOB Rule 3101(a)(2).
---------------------------------------------------------------------------

    One firm commented that paragraph 53f. specifically addressed 
networks, while .53g. addresses other participants, and that it was 
unclear whether paragraph .53g. also applies to networks given their 
inclusion in the definition of ``other participants'' or if the Board 
intends for paragraph .53g. to apply to any other party defined within 
``other participants.'' Paragraph .53g. applies to firms within a 
network to the extent that the firm is an other participant, as defined 
in QC 1000.A7 and discussed in more detail above.
    Another firm expressed concerns that it may not be able to 
practically apply paragraph .53g. to all ``other participants.'' 
Specifically, the firm requested clarification as to the expectation 
regarding the extent to which firms design policies and procedures to 
ensure other participants comply with applicable professional and legal 
requirements, including bifurcation of participants that are part of 
the engagement team as compared to participants in the firm's quality 
control system. Another firm suggested it would be impractical to 
suggest that a firm's QC system can be applied to other participants or 
that they would explicitly comply with the firm's policies and 
procedures as if they were part of the firm. As discussed in more 
detail above, just because a quality objective or other provision of QC 
1000 refers to all types of other participants in the same way, this 
does not mean that the firm should respond by treating all types of 
other participants in the same way. The firm's policies and procedures 
addressing other participants should differentiate based on the types 
and roles of other participants to the extent necessary to be 
responsive to the firm's quality risks (for example, the firm would 
have different policies for the use of engaged specialists versus 
external EQRs).
    The proposed requirement in paragraph .53.h did not draw comment 
and was adopted as proposed.
    The firm may also participate in another firm's engagement as an 
other participant. For the same reasons that apply when the firm is 
issuing the engagement report and using the work of other participants, 
it is important that there is an appropriate exchange of information in 
order to enable the firm serving as an other participant to fulfill its 
role in accordance with applicable professional and legal requirements.
d. Information and Communication Specified Quality Responses (QC 
1000.55-.56)
    One firm commented that the proposed specified quality responses 
for information and communication are appropriate. Other comments that 
are specific to each specified quality response are discussed below.
    The requirement in paragraph .55 carries forward an existing 
requirement from the PCAOB's QC standards and extends it to cover other 
participants, not just firm personnel.\276\ One firm suggested that, as 
it relates to other participants, the quality objective in paragraph 
.53g. was sufficient, and the specified quality response was not 
needed. Another firm commented that it is concerned that expanding the 
requirement to communicate quality control policies and procedures 
beyond firm personnel to include other participants may not be 
operational due to the size, content, and methods of accessing the 
policies and procedures. The firm further asserted that the proposed 
standard may inappropriately blur the lines between a firm's system of 
quality control and engagement-level requirements that are already 
addressed through existing PCAOB standards and rules. The Board 
believes that other participants play an important role in the 
operation of the firm's QC system and the performance of its 
engagements and that it is imperative for these other participants to 
be aware of the firm's policies and procedures to the extent required 
to enable them to carry out their responsibilities. For that reason, 
the Board believes it is necessary to expand the existing requirement 
to include other participants in a specified quality response.
---------------------------------------------------------------------------

    \276\ See QC 20.23.
---------------------------------------------------------------------------

    To address the concern about the volume of material required to be 
shared with other participants, the Board clarified the requirement by 
providing that policies and procedures should be

[[Page 49655]]

communicated ``to the extent'' and in a manner reasonably designed to 
enable firm personnel and other participants to carry out their 
responsibilities; in other words, the requirement is to communicate 
what firm personnel and other participants need to know, not 
necessarily all of the firm's policies and procedures. For example, a 
firm would communicate to an EQR contracted by the firm its policies 
and procedures related to EQR review and independence. In addition, 
although the wording of the requirement is different, the substance of 
the existing requirement \277\ is unchanged. Reference to ``reasonably 
designed and implemented'' captures the existing requirement to 
communicate in ``a manner that provides reasonable assurance that those 
policies and procedures are understood and complied with'' without 
repeating the reasonable assurance already captured by the overarching 
objective of the QC standard.
---------------------------------------------------------------------------

    \277\ See QC 20.18.
---------------------------------------------------------------------------

    Another commenter requested clarification as to whether the 
communication of policies and procedures is required in narrative, 
flowchart, or other form. The Board believes that the policies and 
procedures should be in writing and in a manner that is reasonably 
designed to enable firm personnel and other participants to understand 
and carry out their responsibilities relating to activities within the 
firm's QC system and the performance of its engagements. The format of 
these policies and procedures may vary depending on the specific 
responsibilities being addressed and how the firm wants to communicate 
them.
    Under the existing PCAOB standard, the firm is also required to 
make timely communications to appropriate personnel regarding changes 
to its established quality control policies and procedures. The Board 
does not think it is necessary to address changes to policies and 
procedures separately; the requirement is to communicate policies and 
procedures as in effect, which includes changes to such policies and 
procedures over time. If the firm needs to communicate changes to its 
policies and procedures to enable firm personnel and other participants 
to understand and carry out their responsibilities, then the specified 
quality response will require such communication.
    Given the importance of information generated from the monitoring 
and remediation process, paragraph .56 includes a specified quality 
response that requires the firm to communicate such information to firm 
personnel to enable them to take timely action. In determining specific 
information to be communicated to firm personnel, including the nature 
and extent of such communication, the firm may consider the type of 
information that is relevant to the recipients given their roles and 
responsibilities within the firm. For example, information communicated 
to engagement teams may be focused on a description of identified 
engagement deficiencies and related remedial actions that are likely to 
be relevant to such firm personnel and their engagements. Information 
communicated to all firm personnel may relate to deficiencies 
identified through QC system-level monitoring activities, such as 
compliance issues in connection with the firm's ethics and independence 
policies and procedures.
    One firm asserted that the requirement to communicate identified 
engagement deficiencies and QC deficiencies to firm personnel could 
hold firms to a higher standard than may be prudent, and that a 
perceived requirement to communicate each engagement deficiency seems 
imbalanced to appropriately influence change. The specified quality 
response requires that such communications be made to enable firm 
personnel to take timely action in accordance with their 
responsibilities. Based on the results of the monitoring and 
remediation process, the firm can assess the nature and extent of the 
communications to be made, and this should be commensurate with the 
risk that other similar unidentified engagement deficiencies exist; for 
example, for engagement deficiencies related to the examination of 
broker-dealer compliance reports, the firm may limit the communications 
to firm personnel working on broker-dealer engagements and adjacent 
industry sectors.
    In addition, under paragraph .57 the firm is required to 
communicate the results of the annual evaluation of its QC system to 
certain individuals in firm leadership positions. These individuals may 
use this information in various ways, for example, as a basis for 
further communications to firm personnel about the importance of 
quality or to address concerns about the QC system in a timely manner. 
The requirement reinforces firm leadership's responsibility and 
accountability for the firm's QC system.
2. Current PCAOB Standards
    Existing PCAOB QC standards focus principally on communication of 
certain information, specifically:
     Firm QC policies and procedures; \278\
---------------------------------------------------------------------------

    \278\ See QC 20.23.
---------------------------------------------------------------------------

     Weaknesses identified in the QC system or the level of 
understanding or compliance therewith; \279\
---------------------------------------------------------------------------

    \279\ See QC 30.03.
---------------------------------------------------------------------------

     Internal inspection findings; \280\
---------------------------------------------------------------------------

    \280\ See QC 30.06.
---------------------------------------------------------------------------

     Principles that influence the firm's policies and 
procedures on matters related to the recommendation and approval of 
accounting principles, present and potential client relationships, and 
the types of services provided; \281\
---------------------------------------------------------------------------

    \281\ See SECPS 1000.08(l), 1000.42.
---------------------------------------------------------------------------

     Additions to the Restricted Entity List; \282\ and
---------------------------------------------------------------------------

    \282\ See SECPS 1000.46 (requirement 5).
---------------------------------------------------------------------------

     Notification to the SEC of resignations and dismissals 
from audit engagements for SEC registrants.\283\
---------------------------------------------------------------------------

    \283\ See SECPS 1000.08(m); see also Appendix 5 for a proposed 
new standard, AS 1310, Notification of Termination of the Auditor-
Issuer Relationship, that would retain existing requirements of 
SECPS 1000.08(m) and apply those requirements to all firms.
---------------------------------------------------------------------------

    QC 1000, by contrast, more broadly addresses the firm's 
responsibilities regarding its information system and internal and 
external communications.

Monitoring and Remediation Process

1. QC 1000
a. Overview (QC 1000.58)
    The monitoring and remediation process is an integral part of an 
effective QC system because it creates a feedback loop to inform the 
firm's risk assessment process. The feedback loop will help the firm 
identify and assess new and evolving quality risks and design and 
implement effective quality responses. It drives a firm's focus on 
continuing to improve its QC system, with a view to preventing future 
engagement deficiencies. The monitoring and remediation process applies 
to the design, implementation, and operation of all QC system 
components, including the monitoring and remediation component, and 
provides the basis for a firm's evaluation of whether its QC system is 
effective and for reporting on the QC system.\284\
---------------------------------------------------------------------------

    \284\ For further discussion of the evaluation of a firm's QC 
system, see below.
---------------------------------------------------------------------------

    The Board has observed through its oversight activities that some 
firms have made significant efforts to enhance their monitoring and 
remediation process, which has led to improvements in the firms' QC 
systems and in audit quality. These efforts include increased attention 
to ongoing monitoring activities, internal monitoring of both in-
process and completed engagements,

[[Page 49656]]

root cause analysis of both positive outcomes and QC deficiencies, and 
remedial actions to address QC deficiencies. However, PCAOB inspections 
continue to identify deficiencies for some firms, suggesting that not 
all firms have made meaningful improvements in these areas.
    Under QC 1000, the monitoring and remediation process addresses the 
following:
     General requirements;
     Engagement monitoring activities;
     QC system-level monitoring activities;
     Monitoring activities performed by a network;
     Determining whether engagement deficiencies exist;
     Responding to engagement deficiencies;
     Determining whether QC observations exist;
     Determining whether QC deficiencies exist;
     Responding to QC deficiencies; and
     Monitoring the implementation and operating effectiveness 
of remedial actions.
    Under the standard, a firm performs monitoring activities to 
determine whether its quality responses are properly designed and 
operating as intended, such that the firm's quality risks are 
sufficiently mitigated and its quality objectives are achieved. As 
described later, the results of the firm's monitoring and remediation 
process are to be evaluated annually as part of the evaluation of the 
QC system. Therefore, the monitoring activities conducted need to be 
sufficient to support the conclusions reached during such an 
evaluation.
b. General Requirements (QC 1000.59-.61)
    The standard specifies three goals for the monitoring and 
remediation process:
     Relevant, reliable, and timely information. Monitoring and 
remediation must provide information about the design, implementation, 
and operation of the firm's QC system that is relevant, reliable, and 
timely. The information obtained from monitoring activities informs a 
firm about actions, behaviors, or conditions that contributed to issues 
that need to be addressed and may also provide insights as to factors 
that help prevent deficiencies from occurring. For example, information 
obtained about actions, behaviors, and conditions related to an 
engagement that was subject to internal or external monitoring 
activities where no deficiencies were identified may provide insights 
about good practices to use when addressing issues on similar 
engagements.
     Reasonable basis for timely detection of engagement 
deficiencies and QC deficiencies. The standard uses the concept of 
``reasonable basis,'' which is present throughout PCAOB auditing 
standards, including the standards governing the auditor's report.\285\ 
Therefore, this concept is well understood by the profession. 
``Timely'' as it relates to the detection of engagement deficiencies 
means that the firm's monitoring activities are designed to identify 
deficiencies as promptly as practicable. For example, the Board expects 
that the firm's monitoring activities will generally enable the firm to 
identify deficiencies in calendar year-end engagements in time to 
include them in its evaluation of the QC system as of the following 
September 30.
---------------------------------------------------------------------------

    \285\ See, e.g., AS 3101.09f (noting that one of the elements in 
the Basis for Opinion section of the auditor's report is ``[a] 
statement that the auditor believes that the audit provides a 
reasonable basis for the auditor's opinion'').
---------------------------------------------------------------------------

     Timely remediation. The firm's monitoring and remediation 
process must enable timely remediation of identified engagement 
deficiencies and QC deficiencies. What constitutes ``timely'' depends 
on the deficiency's nature, scope, and impact. For example, where there 
is a high risk of severity or pervasiveness, remedial actions may have 
to be immediate to be timely.
    The first element of monitoring and remediation is designing and 
performing monitoring activities for engagements and the QC system 
itself. The Board believes that the selected frequency and timing of 
the firm's monitoring activities (e.g., a combination of ongoing and 
periodic monitoring activities) are important elements in achieving an 
overall effective monitoring and remediation process. Ongoing 
monitoring activities are generally those activities that are routine 
in nature, built into the firm's processes, and performed on a real-
time basis. Periodic monitoring activities, by contrast, are conducted 
from time to time at set intervals. The use of ongoing and periodic 
monitoring activities would vary by firm and be influenced by the 
nature and circumstances of the firm.
    The other elements of the monitoring and remediation process 
specified in the standard are:
     Determining whether engagement deficiencies exist and 
responding to them.
     Determining whether QC observations exist.
     Determining whether QC deficiencies exist.
     Performing root cause analysis of QC deficiencies.
     Designing and implementing remedial actions to respond to 
QC deficiencies and determining whether such actions are implemented as 
designed and operate effectively.
    These other elements are discussed below, in relation to the 
requirements of paragraphs .61-.76.
BILLING CODE 8011-01-P

[[Page 49657]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.006

BILLING CODE 8011-01-C
    QC 1000 requires that the firm's QC system include both engagement 
monitoring activities and QC system-level monitoring activities. The 
standard differentiates engagement monitoring activities from QC 
system-level monitoring activities. The two types of activities would 
provide different kinds of information and, in the Board's view, a firm 
would need both in order to have a reasonable basis for detecting 
engagement and QC deficiencies and evaluating its QC system. Engagement 
monitoring activities are monitoring procedures performed on 
engagements, including in-process and completed engagements. QC system-
level monitoring activities are monitoring procedures regarding aspects 
of a firm's QC system, including the firm's risk assessment and 
monitoring and remediation processes.
    Notwithstanding the differences between engagement monitoring 
activities and QC system-level monitoring activities, a firm could 
design and perform dual-purpose monitoring activities--i.e., activities 
directed at individual engagements that also address aspects of the 
firm's QC system. For example, a firm could perform engagement 
monitoring activities related to acceptance and continuance of 
engagements that would also address the design, implementation, and 
operation of the acceptance and continuance of engagements component of 
the firm's QC system.
    QC 1000 defines ``engagement'' as any audit, attestation, review, 
or other engagement performed under PCAOB standards (1) led by a firm 
or (2) in which a firm plays a substantial role in the preparation or 
furnishing of an engagement report. Under the standard, substantial 
role engagements that the firm undertakes would be required to be 
included in the population of engagements on which the firm performs 
monitoring activities. In situations where the firm participates in 
another firm's engagement but does not play a substantial role, while 
such work would not be treated as the firm's own ``engagement'' for 
purposes of the standard, any firm that was required to implement and 
operate an effective QC system under the standard is required to extend 
its QC system to all audit, attestation, review, and other work it 
performs under PCAOB standards, including other firms' engagements in 
which the firm plays less than a substantial role.
    In general, for purposes of QC 1000, engagement monitoring 
activities are performed only on ``engagements'' as

[[Page 49658]]

that term is defined in the standard. One firm suggested that audit 
quality should consistently be measured for all engagements, whether 
performed under the PCAOB standards or other auditing standards, and 
therefore a firm's QC system should provide reasonable assurance of 
performing all such engagements in compliance with applicable laws and 
professional requirements. This firm urged the Board to consider 
whether the monitoring-related requirements in QC 1000 that use the 
term ``engagements'' (as defined in QC 1000) may result in a lost 
opportunity to fully capitalize on the expected benefits of a more 
comprehensive monitoring program. Given the limits of the Board's 
statutory authority under Sarbanes-Oxley, the Board does not believe it 
would be appropriate to expand the scope of the term ``engagements'' to 
include work performed under standards of other standard-setters. 
However, nothing prevents firms from developing a single QC system for 
their entire audit practice that satisfies both PCAOB requirements and 
other professional standards to which the firm is subject, which could 
include performing the same types of monitoring activities for both 
PCAOB engagements and other audits.
    The Board also understands that firms that perform only a small 
number of issuer and broker-dealer engagements would be significantly 
affected by a requirement to perform monitoring activities over PCAOB 
``engagements'' every year.\286\ In the extreme case, a firm that 
issues an audit report for only one issuer would have to monitor the 
same engagement every year. The prospect of annual monitoring could 
disincentivize partners from serving as the engagement partner and 
ultimately affect competitive conditions in the market. Accordingly, 
paragraph .61a includes a note that permits firms that issued 
engagement reports for five or fewer issuers, brokers, and dealers in 
the previous year to include audits not performed under PCAOB auditing 
standards in their engagement monitoring activities for purposes of QC 
1000, so long as the audits are selected taking into account the 
factors in determining the nature, timing, and extent of engagement 
monitoring activities set forth in paragraph .64. This accommodation 
takes into consideration the structure of the SEC's partner rotation 
requirements exemption for small firms,\287\ and is limited to audits 
rather than attestation work because audits are performed under more 
rigorous standards. These firms will still have to design, implement, 
and operate a monitoring and remediation process that meets the 
requirements of QC 1000, including the requirements regarding the 
objectives and elements of the monitoring and remediation process set 
forth in paragraphs .59 and .60, which focus on ``engagements'' as 
defined in the standard. The firms will also be subject to the 
requirement under paragraph .62b to inspect at least one completed 
PCAOB engagement for each engagement partner on a cyclical basis, as 
discussed below.
---------------------------------------------------------------------------

    \286\ Firms that issued audit opinions for between one and five 
issuers or broker-dealers represented 38% of all registered firms in 
2022, 39% in 2021, and 43% in 2020.
    \287\ See 17 CFR 210.2-01(c)(6)(ii).
---------------------------------------------------------------------------

    Current PCAOB QC standards provide that, in some circumstances, 
individuals may perform monitoring procedures over the same areas for 
which they are responsible.\288\ Such monitoring procedures are a type 
of self-assessment and under the proposed standard, self-assessments 
would not have been permissible. Individuals would lack the requisite 
objectivity if they reviewed engagements in which they participated 
(or, in the case of audits, for which they performed the engagement 
quality review), or monitoring activities for which they participated 
in the design, implementation, or operation of the activity.
---------------------------------------------------------------------------

    \288\ See QC 30.10, which applies to small firms with a limited 
number of management-level individuals.
---------------------------------------------------------------------------

    Two commenters agreed that self-assessment should not be permitted 
in QC 1000. Other commenters, including firms and a related group, 
raised concerns regarding the proposal's disallowance of self-
assessments as part of a firm's monitoring and remediation process. 
Specific concerns included the impact of this requirement on smaller 
firms and the resource constraint that may be very difficult for firms 
to overcome if individuals who may be involved in an engagement through 
consulting with engagement teams, evaluating engagement team progress, 
or monitoring turnover on the engagement team are ineligible to perform 
monitoring activities.
    While the Board appreciates the concerns around resource 
constraints raised by commenters, allowing individuals to review their 
own work is inconsistent with the quality objective in paragraph .44e 
that individuals assigned to perform activities within the QC system 
have the objectivity needed to perform such activities in accordance 
with applicable professional and legal requirements and the firm's 
policies and procedures. Taking into account commenter feedback, the 
Board added a note to the standard to clarify that the restriction on 
self-assessment is grounded in that quality objective. The note further 
explains the implication, in the context of the monitoring and 
remediation process, that individuals generally cannot perform 
monitoring activities over their own work, for example by performing 
engagement monitoring activities on an area of an engagement in which 
they participated. The impact of this restriction will depend on the 
role that the individual played in the engagement. For example, 
individuals who have consulted on a particular area of an engagement 
would be permitted to perform monitoring activities on other areas of 
an engagement that were unrelated to the consultation. However, 
individuals that served as the engagement quality reviewer on an 
engagement may not perform monitoring activities on that engagement, 
even if they did not review every area of the engagement.
e. Engagement Monitoring Activities (QC 1000.62-.64)
    Engagement monitoring activities provide valuable information to 
firms on whether engagement or QC system-level areas may require 
additional attention. For example, monitoring procedures may highlight 
an area on an audit engagement where insufficient audit evidence was 
obtained to support the auditor's opinion. More broadly, engagement 
monitoring activities may identify pervasive issues where a number of 
engagements have similar problems, possibly highlighting the need to 
revise methodology, provide additional training, or take other actions 
at the QC-system level.
i. Monitoring Completed Engagements (QC 1000.62)
    Similar to the proposal, the final standard requires firms to 
perform engagement monitoring activities on completed engagements. Two 
commenters expressed support for the requirement to monitor completed 
engagements. One commenter suggested that paragraph .62 be amended to 
permit the legacy flexibility of QC 20 for a firm to have pre-issuance 
or post-issuance, or both, monitoring programs, depending on the 
individual firm's risk assessment. This commenter asserted that some 
smaller firms, in particular, have already implemented robust pre-
issuance quality monitoring reviews on substantially all issuer audits.
    The Board continues to believe that the information derived from 
performing inspections of completed

[[Page 49659]]

engagements provides the firm a perspective on its engagements that 
cannot be obtained through other monitoring activities. The Board also 
noted that the standard does not prescribe specific monitoring 
activities, so firms will be able to determine what activities to 
perform when monitoring completed engagements. Based on PCAOB oversight 
activities, the Board has observed that most firms perform engagement 
monitoring activities on their completed engagements as part of their 
existing QC practices. Requiring the inspection of completed 
engagements would therefore not change practice for most firms and, 
accordingly, seems unlikely to impose incremental costs in most 
instances.
    The proposed standard also included a requirement for firms to 
establish a cyclical basis for monitoring completed engagements such 
that each engagement partner would have at least one engagement subject 
to monitoring in each cycle. Some firms and a related group supported 
that requirement in principle. Some commenters suggested that firms 
should be permitted to include all of the engagements within a 
particular engagement partner's portfolio of engagements, not only 
PCAOB engagements, since the firm operates a single QC system. One 
commenter stressed that if firms are not permitted to consider all 
engagements in an engagement partner's portfolio, it may unnecessarily 
drive firms to two separate cyclical inspection programs (that is, 
doubling inspection program activities) based on the applicable set of 
professional standards. This commenter also suggested that the standard 
should allow firms to consider whether engagement partners have been 
subjected to external inspections/reviews when determining if, and 
when, to subject them to an internal inspection.
    Similar to the proposal, the final standard requires firms to 
inspect at least one completed PCAOB engagement for each engagement 
partner over a cyclical period. Although, as discussed above, firms 
with five or fewer issuer and broker-dealer engagements may be 
permitted to include non-PCAOB engagements in their monitoring 
activities, inspections under this paragraph must be of ``engagements'' 
as defined in QC 1000. This will ensure that firms regularly evaluate 
the work of every partner under PCAOB standards to determine whether 
engagement deficiencies or QC deficiencies have occurred and can design 
and implement appropriate remedial actions. The note to the final 
standard clarifies that point.
    The proposed standard also included a note stating that if a firm 
uses a cycle longer than three years, the firm would be required to 
demonstrate how its cycle is adequate to provide the firm with a 
reasonable basis for detecting engagement deficiencies and QC 
deficiencies, taking into account the factors in paragraph .64. Several 
commenters, including an investor-related group, disagreed with this 
aspect of the proposal, suggesting that each firm should be allowed to 
determine the appropriate cycle for engagement partner selection. Some 
of these commenters stated that requiring a set interval for engagement 
partner selection could actually result in a reduced ability by the 
firm to incorporate unpredictability into the selection process. One 
firm further stated that the proposed requirement regarding the 
engagement partner selection cycle could also decrease the frequency of 
other monitoring activities, such as in-process reviews, or curb 
investment and innovation in pre-issuance monitoring programs.
    The Board continues to believe it is appropriate to incorporate an 
expectation that each engagement partner will be subject to inspection 
at least every three years and adopted that aspect as proposed. A 
three-year period appears to be a norm for other standard setters and, 
based on PCAOB oversight activities, is common in practice.\289\ The 
Board appreciates that requiring a set interval could make the timing 
of selection predictable for an engagement partner, so a three-year 
cycle is a baseline expectation, not a requirement. Firms can of course 
adopt a shorter cycle, or can adopt a longer cycle if they are able to 
demonstrate how that cycle is adequate to provide a reasonable basis 
for detecting engagement deficiencies and QC deficiencies. Regardless 
of the cyclical period used by the firm, risks or other circumstances 
related to an engagement or an engagement partner may trigger the need 
for the firm to inspect an engagement partner's completed engagement(s) 
more than once during the cyclical period.
---------------------------------------------------------------------------

    \289\ The application material accompanying the IAASB and AICPA 
QC standards provide an example of a three-year inspection cycle for 
engagement partners performing financial statement audits. See ISQM 
1 paragraph A153, SQMS 1 paragraph A165.
---------------------------------------------------------------------------

    The proposed note to paragraph .62b also included language 
requiring firms to consider incorporating a level of unpredictability 
when determining when, during the cyclical period, an engagement 
partner has an engagement selected for monitoring and which completed 
engagement(s) to select. This was intended to make it less likely that 
engagement partners would be in a position to manage engagements with 
the expectation that they would or would not be inspected. However, 
commenters, including firms and investors and related groups, suggested 
that this language should be strengthened to require that the firm 
``should'' incorporate unpredictability into the selection process. One 
of these commenters went further to suggest that the PCAOB also 
incorporate language requiring unpredictability in the focus areas 
subject to internal inspection monitoring, in addition to the timing of 
such monitoring. The Board agreed with the comments raised with respect 
to requiring firms to incorporate unpredictability into their selection 
process and this change is reflected in the note to paragraph .62b. 
Additionally, in order to allow sufficient flexibility for firms to 
determine how to incorporate unpredictability in the selection process, 
language has been added to the note to clarify that the firm should 
include an element of unpredictability in ``at least one of'' the 
elements listed in the note to paragraph .62b.
    The firm's selection of completed engagements should be responsive 
to information obtained from various sources, including prior 
monitoring activities. The standard, in paragraph .64 (discussed 
further below), includes factors for a firm to take into account when 
selecting engagements for monitoring. These factors will assist a firm 
when determining its cyclical basis and selecting at least one 
engagement to inspect for each engagement partner.
ii. Monitoring In-Process Engagements and Other Work (QC 1000.63)
    Monitoring in-process engagements can help firms detect and prevent 
potential engagement deficiencies before an engagement report is 
issued, resulting in a more proactive, preventive monitoring approach. 
Through its oversight activities, the PCAOB has observed a variety of 
different in-process engagement monitoring activities, including:
     Monitoring activities on a specific area of the audit 
after the engagement team has conducted certain audit procedures or 
used a specific tool or template (e.g., an in-process reviewer 
evaluates an engagement team's testing of management's earnings 
forecast used in an impairment analysis);
     Engagement team coaching by an individual who is not part 
of the engagement team (e.g., a member of the firm's national office 
works with an engagement team to review their audit

[[Page 49660]]

approach, including the nature, timing, and extent of planned audit 
procedures);
     Evaluating an engagement team's progress against certain 
defined milestones or metrics and taking appropriate action when such 
milestones or metrics are not achieved (e.g., if an engagement partner 
did not review an engagement team's planning memo before interim audit 
procedures were to start, adjusting the engagement team's schedule so 
that the document could be reviewed and comments addressed before 
starting interim work; if an engagement team's hours exceed a certain 
weekly threshold, taking action by identifying the issue and adding 
additional resources to the team); and
     Monitoring engagement team turnover during the engagement 
and taking appropriate action when issues arise (e.g., if more 
experienced or senior personnel on the engagement, such as the manager 
or senior manager, leaves the firm during the engagement and prior to 
the completion of procedures, taking actions to ensure the engagement 
team has the necessary resources to complete the engagement).
    The proposed standard contemplated that firms that issue audit 
reports with respect to more than 100 issuers during the prior calendar 
year would be required to monitor in-process engagements. The proposal 
noted the Board's understanding that monitoring in-process engagements 
may be challenging for some firms based on their size and nature, so 
the proposed standard also included a ``should consider'' requirement 
to provide sufficient scalability for firms that issue audit reports 
with respect to 100 or fewer issuers. Under the proposed standard, 
firms that audit 100 or fewer issuers would be expected to reach a 
conclusion about whether to monitor in-process engagements in light of 
identified quality risks and quality responses.
    Firms that commented on this requirement supported the concept of 
monitoring in-process engagements and the flexibility the standard 
provided for firms to design their in-process monitoring based on the 
nature and circumstances of the firm. Two firms stated that the 
purposes of in-process monitoring are clear and appropriate and that 
the proposed standard clearly distinguished between in-process 
engagement monitoring and engagement quality reviews under AS 1220. Two 
firms suggested that the 100-issuer threshold is not necessary, and 
that all firms should only be required to consider whether to monitor 
in-process engagements.
    The Board believes that differentiating a firm's obligation based 
on the number of issuer clients is appropriate because, in its view, 
firms with larger, more complex audit practices generally are subject 
to quality risks for which in-process monitoring is an appropriate 
quality response. The Board based the requirement on the size of a 
firm's issuer audit practice rather than its broker-dealer audit 
practice, as it believes the number of a firm's issuer clients is more 
indicative of the firm's size and the complexity of its practice. And, 
as noted above, firms are familiar with the threshold of more than 100 
issuer audit reports. The majority of firms with 100 or fewer issuers 
do not perform in-process engagement monitoring activities. Requiring 
these firms to perform such monitoring activities could significantly 
change current practice and is not justified by the circumstances of 
every firm. However, due to the benefits of this proactive engagement 
monitoring, the standard requires that firms that do not meet the 100-
issuer threshold should consider monitoring in-process engagements. The 
Board believes that this approach strikes an appropriate balance 
between prescriptiveness and scalability, and adopted the requirement 
as proposed.
    One individual commenter suggested that audit firms would find it 
cost prohibitive to build in ``in process'' controls that would be akin 
to doing an inspection of an audit in process, with the exception of 
certain circumstances, but the PCAOB did not receive any specific 
comments from firms expressing that concern. In addition, firms with 
over 100 issuer clients typically have the resources to implement such 
procedures, and based on PCAOB oversight activities, the majority of 
them already monitor in-process engagements to some extent.\290\
---------------------------------------------------------------------------

    \290\ In 2023, 11 of the 14 annually inspected firms performed 
some in-process engagement monitoring activities.
---------------------------------------------------------------------------

    In situations where the firm participates in another firm's 
engagement but does not play a substantial role, paragraph .63c 
provides that the firm should consider performing monitoring activities 
on such work. Some commenters agreed with the requirement for firms to 
consider performing monitoring activities on their work on other firms' 
engagements. When deciding whether and when to do so, and what 
monitoring activities to perform, firms would take into account the 
factors identified in paragraph .64, such as the firm's monitoring and 
external inspection history and the risks associated with the 
performance of the work. In addition, if a substantial portion of the 
firm's activities that are subject to the QC system relate to work 
performed on other firms' engagements at less than a substantial role, 
the firm would have to make that decision in light of the overall 
objectives of the QC system.\291\
---------------------------------------------------------------------------

    \291\ See QC 1000.05a.(2).
---------------------------------------------------------------------------

    One commenter requested clarification as to whether the in-process 
monitoring activities the Board has observed would be sufficient to 
meet the requirement, or whether the Board expects such activities to 
be expanded or enhanced. The standard does not specify any particular 
monitoring activities, so the firm has discretion to select activities 
based on the nature and circumstances of the firm and its engagements 
and the scope and nature of its other monitoring activities. For 
example, when determining which engagements to select for in-process 
monitoring, a firm would leverage the factors presented in paragraph 
.64 of the standard to identify engagements where there is a greater 
risk of noncompliance with applicable professional or legal 
requirements. Similarly, these factors will also assist a firm in 
determining the riskier areas of such engagements upon which to perform 
in-process engagement monitoring activities.
i. Designing Engagement Monitoring Activities, Including Selecting 
Which Engagements To Monitor (QC 1000.64)
    Similar to the proposal, the final standard requires a firm to take 
into account certain factors when determining the nature, timing, and 
extent of engagement monitoring activities, including which completed 
or in-process engagements to select for monitoring. These factors 
reflect aspects of a firm and its engagements that could create a 
greater risk of noncompliance with applicable professional and legal 
requirements. A firm will need to tailor its monitoring activities to 
address the particular circumstances of the firm and select engagements 
for monitoring based upon their specific risks.
    The factors are:
     Quality risks and the reason for their assessments, and 
quality responses. For example, the complexity of or changes to 
applicable professional and legal requirements and the firm's policies 
and procedures may present a quality risk that the firm may not timely 
communicate the required use of a practice aid for planning audit 
procedures when certain fraud risk factors are present. In response to 
this risk, the firm would design its

[[Page 49661]]

engagement monitoring activities to verify the engagement team's use of 
the practice aid. The earlier these monitoring activities are 
performed, the more proactive the firm could be in planning audit 
procedures that address audit issues as they arise. Regarding the 
proposed factor in paragraph .64b related to the ``design of the 
quality responses,'' the final standard has removed the word ``design'' 
from the factor and made other edits to clarify that the firm should 
also take into account the scope and operation of quality responses, 
for example related to information about how those quality responses 
operated in previous years.
     The nature, timing, extent, and results of previous 
monitoring activities. This includes insights learned from previous 
engagements and QC system-level monitoring activities that are applied 
when determining engagement monitoring activities to perform. For 
example, in selecting engagements for monitoring, the firm would take 
into account deficiencies identified in previous engagements for the 
same client and other engagements where a similar deficiency may exist. 
As another example, engagement deficiencies related to inventory 
obsolescence testing identified by a firm through prior year engagement 
monitoring activities may prompt a firm to monitor the testing of 
inventory obsolescence on more engagements in the current year. One 
commenter recommended a clarifying revision to paragraph .64c to change 
the reference to ``inspections of in-process engagements'' to 
``monitoring of in-process engagements.'' The commenter explained that 
the characterization of in-process engagement monitoring as an 
``inspection'' is not consistent with how in-process engagement 
monitoring was described in the proposal, as the in-process monitoring 
activities observed by the PCAOB do not include inspections of in-
process engagements. The Board agreed and included this revision in the 
final standard.
     Information obtained from oversight activities by 
regulators, other external inspections or reviews, and, if applicable, 
monitoring activities performed by a network. Information obtained from 
network monitoring activities or external reviews provides a firm 
direction as to, for example, the type of procedures to perform or when 
to perform them. The results of network monitoring activities or 
information obtained from external reviews could also identify issues 
that may exist on other similar engagements of the firm, prompting a 
decision to monitor some or all of these other engagements. For 
example, if an engagement was recently inspected through network 
monitoring activities or an external review, a firm may determine that 
selecting the same engagement for internal inspection would be 
unnecessary.
    The proposal included a note that a firm cannot rely solely on 
network monitoring activities or external inspections by regulators of 
individual engagements without performing its own inspections of 
completed engagements. One commenter, a firm, agreed with the proposed 
requirements for firms to perform their own monitoring activities 
rather than solely relying on the monitoring activities performed by 
the network. Another firm disagreed and recommended that the standard 
permit networks to perform monitoring activities on behalf of a member 
firm, including in certain circumstances as the sole source of a firm's 
QC engagement monitoring. This commenter stated that monitoring of 
completed and in-process engagements by the network may provide member 
firms in the network with more objective and experienced monitoring 
resources, and that smaller member firms may not have the resources to 
perform objective monitoring on completed and/or in-process engagements 
without leveraging the network. Similar to what is described below as 
it relates to a firm's QC system and the extent of monitoring 
activities performed by a network, regardless of whether a network 
performs engagement monitoring activities on a firm's engagements, the 
firm is ultimately responsible for its QC system and for evaluating any 
information it obtains from the network about any engagement monitoring 
activities the network performs. The firm would take into account the 
nature and extent of activities performed by a network in designing and 
implementing its own activities but all firms are required to perform 
some level of engagement monitoring. The final standard includes a 
clarifying revision to this note that replaces ``inspections of 
completed engagements'' with ``engagement monitoring activities.''
     Characteristics of a particular engagement. Factors such 
as the industry, the type of engagement (e.g., issuer audit, broker-
dealer audit, attestation), the location(s) or jurisdiction(s) in which 
the client is located or the work is to be performed, whether it is a 
new engagement for the firm, and the experience and competence of the 
engagement team could affect conduct and outcomes of the engagement. 
For example, if the engagement team members are all new to the 
engagement, their lack of historical knowledge may present an 
additional risk for that engagement and provide a basis for its 
selection for monitoring.
     Characteristics of particular engagement partners. Factors 
such as the experience and competence of engagement partners, the 
results of internal and external inspections of their work, and the 
firm's cycle for inspecting their engagements could affect the quality 
risks associated with an engagement, whether positively or negatively. 
For example, an engagement partner's lack of experience in an industry 
the company under audit recently entered may create additional risks to 
complying with applicable professional and legal requirements. 
Therefore, performing engagement monitoring activities on such 
engagements may be appropriate.
     Other information relevant to the quality risks. The 
standard includes a non-exhaustive list of examples. For clarity, this 
factor was rephrased in terms of ``quality risks'' rather than ``risks 
of noncompliance with applicable professional and legal requirements.'' 
The standard also includes a footnote referencing footnote 26, which 
explains that the firm is deemed ``aware'' of information when any 
partner, shareholder, member, or other principal of the firm first 
becomes aware of such information.
    The requirement is both principles-based and risk-centered, rather 
than prescriptive. It provides for scalability by including factors for 
firms to take into account when determining the nature, timing, and 
extent of engagement monitoring activities. In addition to the factors 
included in the standard, a firm may identify other factors that are 
also relevant based on the nature and circumstances of the firm and its 
engagements.
d. QC System-Level Monitoring Activities (QC 1000.65)
    Similar to the proposal, the final standard requires a firm to take 
into account certain factors when determining the nature, timing, and 
extent of QC system-level monitoring activities.
    Due to their nature, some of the factors are consistent with the 
factors a firm is required to take into account when determining the 
nature, timing, and extent of engagement monitoring activities, such as 
the quality responses, including their timing, frequency, scope and 
operation. Regarding the proposed factor in paragraph .65b related to 
the ``design of the quality responses,'' conforming to the change made 
in paragraph .64b, the word ``design'' was

[[Page 49662]]

removed from the factor and made other edits to clarify that the firm 
should also take into account the scope and operation of quality 
responses, for example related to information about how those quality 
responses operated in previous years. The specific features of a firm's 
quality responses are also relevant for a firm to consider when 
designing QC system-level monitoring activities. For example, a firm's 
quality responses related to acceptance and continuance of engagements 
might include a policy that firm personnel complete a checklist and 
assemble information evaluated by the engagement partner before making 
a recommendation to firm leadership on whether to continue with an 
engagement for the upcoming year. Based on this quality response, a 
firm might design QC system-level monitoring activities that include a 
review of the checklist and documentation for a selection of 
engagements.
    Some other factors the standard requires firms to take into account 
when determining the nature, timing, and extent of QC system-level 
monitoring activities include:
     The design of a firm's risk assessment and monitoring and 
remediation processes. The design of these processes is relevant when 
designing monitoring activities to evaluate if such processes are 
implemented and operating effectively. For example, a firm may monitor 
the cyclical basis determined by the firm for inspecting engagement 
partners' completed engagements. A firm's monitoring activities in this 
area could include whether the firm is complying with the established 
period for selecting completed engagements as well as evaluating 
whether changes to the period may be necessary based on the results of 
other monitoring activities. The firm could also develop metrics for 
its QC system and use them in its monitoring and remediation process.
     Changes in the QC system. As a firm's QC system is 
continuously evolving in response to changes in risks, the firm would 
have to consider whether and how such changes necessitate changes to 
the nature, timing, and extent of QC-system level monitoring 
activities. For example, changes to a quality response would be an 
indication that changes to the activities that monitor the design, 
implementation, and operation of such response may be necessary. It 
should be noted that, even in the absence of changes in the QC system, 
for example in cases where the firm determines that there have been no 
changes related to a particular quality response, the firm would still 
need to consider whether previous monitoring activities related to that 
quality response continue to provide the firm with a reasonable basis 
to evaluate the QC system, including the appropriateness of the firm's 
monitoring activities for the current period.
     When applicable, services provided by other participants 
in the firm's QC system. A firm may use other participants in its QC 
system (for example, other participants may assist with engagement 
quality reviews). The firm would take that into account when deciding 
what QC system-level monitoring activities to undertake (for example, 
assessing other participants' compliance with PCAOB standards regarding 
engagement quality reviews).\292\
---------------------------------------------------------------------------

    \292\ See generally, e.g., AS 1220.
---------------------------------------------------------------------------

    A firm's monitoring activities are likely to vary over time as a 
firm takes into account the factors included in the standard (see 
paragraphs .64-.65). Since a firm's QC system is a continuous and 
iterative process, such factors will generally lead a firm to perform 
different monitoring activities or employ different monitoring 
approaches over time.
    Several commenters, including investor-related groups, suggested 
that the standard should require that the monitoring and remediation 
process, or more generally QC 1000, provide for use of quantitative 
metrics. QC 1000 does not require firms to use quantifiable metrics in 
their monitoring activities or suggest the use of any particular 
metrics. The Board has recently proposed a new set of firm reporting 
requirements that includes both firm-level and engagement-level 
metrics, and the comments regarding metrics received in response to the 
QC 1000 proposal are addressed in that proposing release.\293\
---------------------------------------------------------------------------

    \293\ See PCAOB Rel. No. 2024-002 at 12-13.
---------------------------------------------------------------------------

    Other than removing the word ``performance'' from the phrase 
``performance metrics,'' to align with the terminology used in the 
PCAOB's proposed metrics requirements, the Board adopted as proposed 
paragraph .65c, which requires the firm to take into account any 
metrics that the firm may use in its QC system when determining the 
nature, timing, and extent of QC system-level monitoring activities. 
This could include, but is not required to include, any metrics firms 
would be required to report if the metrics proposal is ultimately 
adopted by the Board and approved by the SEC, as well as any additional 
metrics a firm may develop. Depending on their circumstances, firms may 
find that developing metrics to monitor engagements and the QC system 
would enhance their ability to identify deficiencies, measure whether 
quality objectives have been met, and evaluate the effectiveness of 
remediation activities.
e. Monitoring Activities Performed by a Network (QC 1000.66)
    The Board adopted substantially as proposed the requirements that 
apply when networks perform monitoring activities relating to a firm's 
QC system or engagements. Networks employ a variety of different 
approaches to monitoring firm QC systems. Some networks perform 
monitoring activities either directly on the firm's QC system, such as 
monitoring a firm's compliance with QC policies and procedures 
established by the network and adopted by the firm, or on tools or 
other resources developed or purchased by the network and used by the 
firm, such as an independence tracking system. Other networks perform 
no monitoring activities.
    The nature and extent of a network's monitoring activities will 
inform a firm's approach to monitoring. To illustrate, if a firm used a 
network independence tracking system to identify matters that may bear 
on the independence of firm personnel, and if the network monitored the 
design and operation of the tracking system and provided the firm with 
relevant information about those activities, the firm is required to 
evaluate the monitoring activities performed by the network on the 
tracking system. In performing its evaluation, the firm needs to 
understand the scope of the network monitoring activities, such as 
whether the firm's personnel were selected for monitoring procedures, 
and if so, whether the population selected was sufficient to provide a 
reasonable basis for detecting engagement and QC deficiencies. To the 
extent provided, the firm is also required to evaluate the results of 
the testing performed by the network, and if deficiencies were 
identified, the remedial actions, if any, taken or proposed to be taken 
by the network. Under this example, the firm would also determine its 
responsibilities in assisting the network with any monitoring or 
remediation activities related to the tracking system.
    Regardless of any QC monitoring activities that a network may 
perform on behalf of the firm, the firm is ultimately responsible for 
its QC system. Therefore, under the standard, the firm is responsible 
for evaluating any information it obtains from the network

[[Page 49663]]

about any QC monitoring activities the network performs. Some 
commenters, all of which were firms, supported the proposed 
requirements related to monitoring activities performed by a network.
    A firm is required to adjust its monitoring activities as 
necessary, based on the scope of the network's monitoring activities 
and the information the firm receives (or does not receive) from the 
network about those activities. One commenter expressed concern that 
the proposal allows the firm to request certain categories of 
information from a network but does not require that the information 
actually be received. In situations where a firm does not receive 
information requested from the network about the monitoring activities 
the network performed, the firm would not be in a position to take such 
activities into account in planning its own activities. To illustrate, 
a network may provide information to a firm regarding the results of 
member firms' internal engagement monitoring activities, which the firm 
uses to evaluate the competence of other network firm personnel and 
their ability to participate in the firm's engagements. If, due to a 
change in a particular network firm's local privacy laws, the network 
is unable to provide such information regarding that member firm, the 
firm will need to evaluate that member firm's competence and ability 
using a different approach.\294\ To illustrate another case, if a firm 
requests but does not receive any information from the network 
regarding QC monitoring activities related to independence that the 
network performed on behalf of the firm, and the firm does not perform 
any monitoring activities related to its QC system in that area, the 
firm would have no basis for concluding that the quality objectives 
related to independence were achieved.
---------------------------------------------------------------------------

    \294\ Irrespective of how the evaluation is performed, the 
engagement partner's responsibility for the engagement and its 
performance would not change. See AS 1201.03.
---------------------------------------------------------------------------

f. Determining Whether Engagement Deficiencies Exist (QC 1000.67)
    The requirements for determining whether engagement deficiencies 
exist did not draw comment and were adopted with one modification, 
described below.
    As defined by the standard, an engagement deficiency is an instance 
of noncompliance with applicable professional or legal requirements by 
the firm, firm personnel, or other participants with respect to an 
engagement of the firm, or by the firm or firm personnel with respect 
to an engagement of another firm. Engagement deficiencies include:
     Instances of noncompliance in which a firm did not 
adequately support its opinion--because the firm did not perform 
sufficient procedures, obtain sufficient appropriate evidence, or reach 
appropriate conclusions with respect to relevant financial statement 
assertions;
     Instances in which the firm did not fulfill the objective 
of its role in the engagement, such as not performing attestation 
services in accordance with AT No. 2; and
     Other instances of noncompliance with applicable 
professional and legal requirements with respect to a firm's 
engagement, which may include, for example, not satisfying applicable 
independence requirements,\295\ not making required communications to 
the audit committee,\296\ or not filing Form AP.\297\
---------------------------------------------------------------------------

    \295\ See generally, e.g., 17 CFR 210.2-01; PCAOB rules under 
Section 3. Auditing and Related Professional Practice Standards, 
Part 5--Ethics and Independence.
    \296\ See generally AS 1301.
    \297\ See PCAOB Rule 3211, Auditor Reporting of Certain Audit 
Participants.
---------------------------------------------------------------------------

    The standard requires a firm to evaluate a variety of information 
in making its determination about whether an engagement deficiency 
exists, including internally developed information from monitoring 
activities, information from external parties like regulators and peer 
reviewers, and other relevant information of which the firm becomes 
aware. Beyond the sources specified in the standard, a firm is not 
expected to seek out other sources of information that may indicate an 
engagement deficiency exists. However, if the firm becomes aware of 
such information, the firm is expected to evaluate it. For purposes of 
the standard, the firm is deemed ``aware'' of information when any 
partner, shareholder, member, or other principal of the firm first 
becomes aware of such information. The Board made a change to the 
proposed note in paragraph .67e item (4) to clarify that complaints the 
firm becomes aware of, that may indicate the existence of an engagement 
deficiency, could be related to either a company or the firm. The 
language was also broadened to clarify that complaints are not limited 
to those submitted through a formal whistleblower program.
    The standard does not specify how a firm would evaluate information 
to determine whether an engagement deficiency exists. Rather, it 
provides firms the ability to develop an approach for such evaluation. 
A determination that an engagement deficiency exists due to the firm 
not complying with a PCAOB reporting requirement may be relatively 
simple to make. For example, evaluating whether the firm filed a Form 
AP in accordance with PCAOB Rule 3211 would not require a significant 
amount of effort. However, evaluating information indicating the firm 
did not perform the necessary audit procedures for an issuer's revenue 
transactions to determine whether an engagement deficiency exists could 
be more complex, and therefore require a more in-depth analysis.
    A firm's determination that an engagement deficiency exists may 
pertain to an in-process engagement, a completed engagement, or work 
performed on other firms' engagements.
    If a firm obtains information about a potential deficiency in an 
in-process engagement, whether from monitoring activities or other 
sources, the firm is expected to evaluate the information to determine 
whether an engagement deficiency exists before the engagement report is 
issued. In that regard, it should be noted that identifying a problem 
while an engagement is in process may enable the firm to rectify the 
problem before an engagement deficiency could arise. Many professional 
and legal requirements that apply to performing an engagement impose 
ongoing responsibilities that are not completed until the engagement 
itself is completed. In relation to such ongoing responsibilities, if a 
problem is identified in an in-process engagement but resolved before 
the engagement is completed, no engagement deficiency would arise. For 
example, if an engagement team initially failed to obtain sufficient 
appropriate audit evidence in its testing of revenue because it failed 
to perform a necessary procedure, the engagement team could still 
perform the procedure at a later time during the engagement; as long as 
sufficient appropriate audit evidence was obtained prior to the 
issuance of the report, there would be no engagement deficiency. QC 
1000 does not have specific provisions to address remediation of this 
type of problem because the auditor's responsibility is already 
addressed by applicable professional and legal requirements. However, 
even in instances where an engagement deficiency does not arise because 
a problem was identified and corrected prior to issuance of an 
engagement report, a firm would still need to consider whether the 
existence of the problem constitutes a QC observation--an observation 
about the design, implementation, or operation of

[[Page 49664]]

the firm's QC system that may indicate one or more QC deficiencies 
exist--and, ultimately, a QC deficiency.
    By contrast, some applicable professional and legal requirements 
(such as those relating to preliminary engagement activities, including 
engagement acceptance procedures, and certain required communications 
to the audit committee) are required to be complied with prior to or at 
the beginning of the engagement. With respect to those requirements, an 
engagement deficiency would arise if the required time for performance 
had passed and the required activities were not performed 
appropriately, even if the engagement was still in process.
    The standard requires determinations to be made on a timely basis. 
For completed engagements, the timeliness of the determination depends 
on the nature of the information subject to evaluation. For example, if 
the information suggested other engagements may present a similar 
issue, then it would be expected that determination would be made 
sooner so that the risk of engagement deficiencies on other 
engagements--whether in-process or completed--is mitigated.
    The final standard was revised to clarify that the evaluation and 
determination of whether engagement deficiencies exist must both be 
done on a timely basis.
g. Responding to Engagement Deficiencies (QC 1000.68)
    Under the final standard, when a firm determines an engagement 
deficiency exists, the firm is required to take action to address the 
deficiency. The action taken would depend on whether the engagement 
deficiency related to an in-process engagement, a completed engagement, 
or work performed by the firm on other firms' engagements. In some 
instances, a firm may find it beneficial to perform a root cause 
analysis to determine what action to take.
i. Engagement Deficiency Related to an In-Process Engagement
    For an engagement deficiency related to an in-process engagement, 
the proposed standard provided that the firm take action to address the 
deficiency in accordance with applicable professional and legal 
requirements. The nature of the engagement deficiency would determine 
what a firm would need to do to address it and the timing of the 
required action. For engagement deficiencies that could affect the 
auditor's report, under the proposed standard, remedial action would be 
required before the engagement report is issued, such that the 
engagement report issued is appropriate in the circumstances. In other 
instances, action would still be required to address the deficiency, 
but the firm would have more flexibility regarding when such actions 
are performed; action could be performed either before the report is 
issued or afterwards (if afterwards, the provisions of paragraph .68b 
would apply). The Board adopted substantially as proposed the 
requirement for responding to an engagement deficiency on an in-process 
engagement.
ii. Engagement Deficiency Related to a Completed Engagement
    For an engagement deficiency related to a completed engagement, the 
proposed standard included a requirement for firms to take action to 
address the engagement deficiency in accordance with applicable 
professional and legal requirements (discussed in more detail below in 
connection with paragraph .70). However, under the proposed 
requirement, no action would have been required if it was probable that 
the engagement report was not being relied upon.\298\
---------------------------------------------------------------------------

    \298\ The use of ``probable'' in the note to paragraph .68 is 
consistent with how the term is used in FASB ASC, Contingencies 
Topic, paragraph 450-20-25-1, which provides that an event is 
``probable'' when it is likely to occur.
---------------------------------------------------------------------------

    The proposed standard included a note that stated the firm must 
treat an auditor's report as being relied upon if the auditor's report 
is included in the most recent SEC filing on a form that requires its 
inclusion. Because this note also appeared in the proposed amendments 
to AS 2901 in paragraph .01, refer to the detailed discussion below for 
commenter feedback and the Board's responses. The note to paragraph 
.68b. was revised to provide that, in the absence of circumstances 
indicating that reliance is impossible or unreasonable (e.g., cessation 
of a trading market for issuer securities), inclusion of an engagement 
report in the most recent filing on an SEC form that requires inclusion 
of such an engagement report generally evidences that the report is 
being relied upon. The Board believes this is responsive to commenter 
concerns and allows for sufficient flexibility for such circumstances. 
The note was also revised to clarify that an engagement report can be 
included in an SEC filing either directly or through incorporation by 
reference.
iii. Engagement Deficiency Related to Work Performed on Other Firms' 
Engagements
    For an engagement deficiency related to work performed on other 
firms' engagements, the standard requires a firm to communicate to the 
other firm the engagement deficiency. The communication needs to be 
sufficient to enable the other firm to develop a response commensurate 
with the extent of noncompliance. These engagement deficiencies, while 
there may or may not be additional remedial actions for the firm to 
take related to the particular work performed, should be included in 
the population of QC observations to be evaluated to determine whether 
QC deficiencies exist. The Board did not receive comment on this aspect 
of the proposal and adopted it as proposed.
iv. Evaluating Whether Similar Engagement Deficiencies Exist
    The proposed standard also required a firm to evaluate whether 
similar engagement deficiencies exist in other in-process engagements, 
completed engagements (unless it is probable that the engagement report 
is not being relied upon), and work performed on other firms' 
engagements, and if so, to take actions as required by paragraphs 
.68a.-c. for in-process engagements, completed engagements, and any 
other work performed by the firm on other firms' engagements at less 
than a substantial role. Understanding the nature of the engagement 
deficiency will assist the firm in determining the extent of the 
necessary evaluation. To illustrate, if the engagement deficiency was 
caused by an error in the firm's methodology for auditing a company's 
loan valuation allowance, then the firm would evaluate whether similar 
engagement deficiencies exist on engagements that were also using that 
methodology. As another example, if engagement team members did not 
comply with PCAOB standards when auditing accounts receivable because 
they failed to perform certain procedures in the firm's audit program, 
the firm would evaluate whether the person(s) who were responsible for 
performing the procedures and the person(s) supervising the work 
participated in any other audit engagement's accounts receivable 
testing, and if so, whether similar engagement deficiencies exist.
    One commenter requested that the Board provide additional examples 
of engagement deficiencies, as the concept of applicability to other 
in-process engagements could be subject to different interpretations. 
The Board will

[[Page 49665]]

consider whether application guidance in this area would be 
appropriate.
    Another commenter stated that the expectation of what ``evaluate,'' 
as used in this context, may require is not clear and suggested that 
the evaluation be limited to certain engagements based on a risk-based 
assessment, taking into consideration the root cause of the identified 
engagement deficiency. As noted above, understanding the nature of the 
engagement deficiency would assist the firm in determining the extent 
of the actions to take in order to evaluate whether similar engagement 
deficiencies exist on other engagements.
    The Board adopted this aspect of the standard as proposed.
BILLING CODE 8011-01-P
[GRAPHIC] [TIFF OMITTED] TN11JN24.007


[[Page 49666]]


BILLING CODE 8011-01-C
v. Addressing Engagement Deficiencies (QC 1000.69-70)
    Paragraph .69 of the standard requires firms to respond to 
engagement deficiencies by taking into account the nature and severity 
of the engagement deficiency. In other words, the response should be 
targeted based on the nature of the problem and proportionate to the 
severity of the problem.
    Understanding the nature and severity of an engagement deficiency 
could assist firms in:
     Developing an appropriate response to the engagement 
deficiency;
     Determining whether an engagement deficiency could relate 
to other engagements; and
     Assessing whether the engagement deficiency, which 
represents a QC observation, is also a QC deficiency.
    The actions taken by the firm to respond to engagement deficiencies 
may include preventive or corrective actions (or a combination of these 
actions):
     Corrective actions are actions taken to rectify an 
identified deficiency in a current or completed engagement (for 
example, performing a procedure that had been omitted, designing and 
performing additional or alternative procedures if audit evidence is 
insufficient, or filing a required report).
     Preventive actions are actions taken to prevent the 
occurrence of a deficiency in future engagements (for example, 
training, developing audit tools, or enhancing audit methodology).
    The proposed note to this requirement also appeared in the proposed 
amendments to AS 2901.04 and a detailed discussion of commenter 
feedback and the Board's views appears below. As adopted, the note in 
paragraph .69 includes clarifying changes. The requirement was 
otherwise adopted as proposed.
    The proposed requirement in paragraph .70 did not draw comment and 
the Board adopted it as proposed. Firms should comply, as applicable, 
with other standards related to engagement deficiencies on completed 
engagements.
     AS 2901 addresses auditor responsibilities with respect to 
engagement deficiencies on completed audit engagements. AS 2201.99 
directs the auditor to comply with AS 2901 as it relates to audits of 
internal control over financial reporting.
     AS 2905 deals with auditor responsibilities when, 
subsequent to the date of a report on audited financial statements, the 
auditor becomes aware of facts that might have affected the report had 
he or she then been aware of such facts before issuing the report. AS 
2201.98 is a similar provision relating to auditor's reports on 
internal control over financial reporting.
     AT No. 1 and AT No. 2 incorporate responsibilities similar 
to those required under AS 2901 for attestation engagements relating to 
certain broker-dealer reports.
    The amendments to AS 2901 are discussed below.
h. Determining Whether QC Observations Exist (QC 1000.71)
    The proposed standard would have required firms to determine the 
existence of ``QC findings,'' defined as ``[a] finding about the 
design, implementation, or operation of the firm's QC system that may 
indicate one or more QC deficiencies exist. Engagement deficiencies are 
QC findings.''
    Commenter feedback on this defined term was in most instances 
directly related to the last sentence in the defined term, urging that 
engagement deficiencies should not automatically be considered QC 
findings. The Board was concerned that commenters may have 
misinterpreted ``QC findings'' as akin to ``QC deficiencies,'' whereas 
the intention is only to designate matters that have to be evaluated as 
potential QC deficiencies. To alleviate the potential confusion, the 
defined term was changed to ``QC observation'' and the definition 
reworded. The definition of a QC observation in the final standard is 
``(1) An engagement deficiency; or (2) Any other observation about the 
design, implementation, or operation of the firm's QC system that may 
indicate one or more QC deficiencies exist.'' \299\
---------------------------------------------------------------------------

    \299\ QC deficiencies are defined and discussed in the next 
subsection. See below.
---------------------------------------------------------------------------

    Under the definition, any information that may indicate a problem 
with the design, implementation, or operation of the firm's QC system 
would be a QC observation. Because a QC system provides reasonable 
assurance that engagements are conducted in accordance with applicable 
professional and legal requirements, all engagement deficiencies would 
be QC observations. Examples of other QC observations include an error 
in the design or operation of a technology tool or methodology, or 
information suggesting that a firm may not have achieved a quality 
objective.
    The determination of QC observations involves collecting 
observations and related evidence that may indicate a QC deficiency 
exists, including information from monitoring activities, information 
from external parties like regulators and peer reviewers, and other 
relevant information of which the firm becomes aware.
    Under the standard, the results of all monitoring activities 
performed by the firm, and if applicable, those performed by a network 
relating to the firm's QC system or its engagements, are required to be 
analyzed by the firm to determine if there are QC observations. It is 
possible that a firm's engagement monitoring activities could identify 
not only engagement deficiencies, but also QC observations that are not 
engagement deficiencies. For example, if, as part of the firm's quality 
response related to technological resources, the firm's technology 
leader must review and approve all software audit tools used on 
engagements, and if a firm's engagement monitoring activities reveal 
that an engagement team did not receive the appropriate authorization 
to use a specific tool, that observation would be a QC observation, 
regardless of whether the use of the tool also gave rise to an 
engagement deficiency.
    Oversight activities by regulators and external inspections or 
reviews include activities of the PCAOB and other regulators. As a firm 
typically has one QC system for its entire audit practice, the results 
of the inspections, reviews, and other oversight activities performed 
by these external parties would likely be relevant to a firm's 
determination of whether QC observations exist.
    Other relevant information of which the firm becomes aware would 
comprise information obtained from within and outside the firm. A firm 
would not be expected to seek out such other sources of information; 
however, if other relevant information came to the firm's attention, a 
firm is expected to determine whether it is a QC observation. For 
example, the firm may become aware of an issue with a formula in a 
practice aid used to assist engagement teams in auditing stock-based 
compensation if a member of an engagement team communicates that issue 
to firm personnel supporting the firm's QC system.
    The final standard has been revised to clarify that the evaluation 
and determination must both be done on a timely basis.
i. Determining Whether QC Deficiencies Exist (QC 1000.72)
    The standard requires firms to determine whether QC deficiencies 
exist, and (except for the change in terminology to ``QC observation'') 
was adopted as proposed.

[[Page 49667]]

i. Definition of QC Deficiency
    In response to commenter input, the Board made changes to the 
definition of the term ``QC deficiency.'' As proposed, the definition 
provided in part that a QC deficiency was a QC finding that results in 
``a reduced likelihood of the firm achieving the reasonable assurance 
objective or one or more quality objectives,'' and included a note 
providing examples of circumstances where that likelihood could be 
reduced. Two commenters questioned the operability of that aspect of 
the proposed definition of QC deficiency, in particular its linkage to 
the definition of an internal control deficiency under COSO in its 
integrated framework through the phrase ``reduced likelihood.'' Two 
commenters suggested that the definition of QC deficiency should 
incorporate the concept of ``a significantly reduced likelihood.'' 
Another commenter requested guidance relative to the application of the 
``reduced likelihood'' model. Other commenters suggested that the 
definition should be more closely aligned with that of other standard 
setters, for example ISQM 1, by incorporating the concept of an 
``acceptably low level.''
    Taking into account commenter feedback, the standard defines a QC 
deficiency as a QC observation that, based on the evaluation under 
paragraph .72, individually, or in combination with one or more other 
QC observations, evidences:
     That the likelihood of the firm not achieving the 
reasonable assurance objective or one or more quality objectives has 
not been reduced to an acceptably low level;
    Note: The likelihood of not achieving the reasonable assurance 
objective or one or more quality objectives would be above an 
acceptably low level if, for example, a quality objective is not 
established, a quality risk is not properly identified or assessed, or 
a quality response is not properly designed or implemented or is not 
operating effectively.
     Noncompliance with requirements of this standard, other 
than those under ``Documentation''; or
     Noncompliance with requirements of this standard under 
``Documentation'' that adversely affects the firm's ability to comply 
with any of the other requirements of this standard.
    The first subparagraph of the definition of QC deficiency 
incorporates an existing concept of ``acceptably low level'' that is 
currently used in PCAOB auditing standards \300\ so this concept should 
be familiar to firms. In addition, it aligns more closely with similar 
definitions of other standard setters, for example the definition of 
``deficiency'' in ISQM 1. The Board made conforming changes to the note 
that follows subparagraph (1) of the definition.
---------------------------------------------------------------------------

    \300\ See, e.g., AS 2315, Audit Sampling.
---------------------------------------------------------------------------

    Similar to the proposal, the definition of QC deficiency in the 
final standard also includes noncompliance with the requirements of the 
proposed standard other than documentation requirements, such as the 
requirements related to roles and responsibilities, the firm's risk 
assessment process, the monitoring and remediation process, and the 
evaluation of the QC system. Two commenters expressed concern with this 
requirement, stating that there may be instances where the firm may not 
comply with a requirement in the standard but the quality objectives 
and specified quality responses were met, and a firm should be able to 
apply judgment to determine whether a QC deficiency exists under those 
circumstances. The Board continues to believe that compliance with the 
requirements of QC 1000 is a baseline element of any firm's QC system, 
such that failure to comply is always a QC deficiency, and adopted this 
aspect of the QC definition as proposed.
    The definition also includes noncompliance with the documentation 
requirements of QC 1000, to the extent that such noncompliance 
adversely affects the firm's ability to comply with any of the other 
requirements of the proposed standard, while excluding other 
documentation issues. For example, a firm's failure to document some 
details of its monitoring activities, in a context where the firm 
otherwise sufficiently documents the evaluation of the results from its 
monitoring activities, would not meet the definition of a QC 
deficiency. The Board received no comment on this aspect of the 
definition of QC deficiency and adopted it as proposed.
    Under the final standard, the determination of whether something 
identified as a QC observation meets the definition of a QC deficiency 
would be based on the nature, severity, and pervasiveness of the 
underlying matter; the likelihood that it could affect other 
component(s) of the QC system or other engagements; and the severity of 
such an effect if it were to occur. In the case of engagement 
deficiencies, this evaluation would take account of the basis for the 
firm's determination of the actions required under paragraph .68 of QC 
1000, including any root cause analysis performed. These considerations 
are discussed, in turn, in the following subsections.
    The final standard has been revised to clarify that the evaluation 
and determination must both be done on a timely basis.
ii. Nature, Severity, and Pervasiveness of the Matter That Gave Rise to 
the QC Observation
    The nature, severity, and pervasiveness of the matter that gave 
rise to the QC observation should be taken into account when 
determining whether a QC deficiency exists. For a QC observation that 
is also an engagement deficiency, the results of the firm's evaluation 
of whether a similar engagement deficiency exists on other in-process 
and completed engagements would provide useful information to the firm 
when determining whether a QC deficiency exists.
    The standard explains that the nature, severity, and pervasiveness 
of the matter that gave rise to the QC observation includes:
     The component(s) of the QC system, quality objective(s), 
or quality risk(s) to which the QC observation relates. Depending on 
the quality risks that a firm identifies, some components may play a 
greater role in its QC system than others. For example, for a small 
firm that audits one issuer and has no intention to expand its issuer 
audit practice, the engagement performance component would have a 
greater role than acceptance and continuance of engagements because the 
quality risks associated with the new engagement would be mitigated by 
the firm's policy of not taking on new issuer audit engagements. Based 
on the firm's risk assessment, certain quality risks may pose a greater 
threat to the firm's QC system than others. In addition, some QC 
observations may relate to a single component of the QC system or a 
single quality objective, while others may relate to multiple 
components of the QC system or multiple quality objectives. For 
example, an engagement deficiency may relate to the resource component 
(e.g., competence and training of firm personnel, firm methodology), 
the information and communication component (e.g., failure to 
communicate changes to the methodology), or the engagement performance 
component (e.g., failure to consult when required), or all three of 
those components.
     Whether the QC observation is in the design, 
implementation, or operation of the QC system. For example, a matter 
that gave rise to a QC observation in the design of a process has a 
greater likelihood of being pervasive to a firm's practice than a

[[Page 49668]]

process that did not operate as designed on one occasion.
     The frequency with which the QC observation occurred. 
Frequency relates to the number of times the matter that gave rise to 
the QC observation occurred--for example, on engagements within a 
particular industry sector or practice group, a particular office, or 
firmwide. It might also relate to the number of times the observation 
was identified, the number of firm personnel involved, or the number of 
quality objectives affected. When related to the execution of a firm's 
quality response, it would also include relative frequency of QC 
observations compared to the number of times the procedure was executed 
properly.
    The duration of time that the QC observation existed. Duration 
addresses how long the matter that gave rise to the QC observation 
existed. In order to understand duration, a firm would need to 
understand whether there were other instances prior to those initially 
identified by the firm as QC observations.
iii. Likelihood That the Matter That Gave Rise to the QC Observation 
Could Affect Other Component(s) of the QC System or Other Engagements, 
and the Severity of Such an Effect
    Whether a QC observation is a QC deficiency would also depend on 
the likelihood that the matter that gave rise to the QC observation 
could affect other QC system components or other engagements.
    Other engagements include in-process engagements, completed 
engagements, engagements to be performed in the future, as well as work 
performed on other firms' engagements. A firm may design and implement 
mitigating actions to address an engagement deficiency when such a 
deficiency comes to the firm's attention. When considering the 
likelihood that future engagements could be affected (for purposes of 
determining whether a QC deficiency exists), a firm would not take into 
account any mitigating actions, even if they have been implemented. 
This is because the determination of whether a QC deficiency exists 
must be made based on the nature, severity, and pervasiveness of the 
matter that gave rise to the QC observation, viewed on its own. That 
shows the extent to which the QC system failed in allowing the 
underlying matter to occur. Whether the firm was subsequently able to 
partially or fully remediate the QC deficiency does not eliminate the 
fact that the failure occurred.
    In addition to the likelihood of a matter's recurrence, the 
standard also requires a firm to evaluate the matter's severity if it 
were to affect other component(s) or engagements.
    One commenter suggested that the standard address the concept of 
compensating responses as a factor when considering QC findings in 
proposed paragraph .72. In considering whether a QC observation is a QC 
deficiency (on the basis that the likelihood of the firm not achieving 
the reasonable assurance objective or one or more quality objectives 
has not been reduced to an acceptably low level) the firm could 
consider compensating responses that address the same quality risk. 
Additional discussion in response to this commenter's feedback appears 
below in the context of discussion of remedial actions.
BILLING CODE 8011-01-P

[[Page 49669]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.008

BILLING CODE 8011-01-C
j. Responding to QC Deficiencies
i. Root Cause Analysis (QC 1000.73-.74)
    The requirement to perform root cause analysis on all identified QC 
deficiencies did not draw comment and was adopted as proposed.
    Root cause analysis is a widely used concept in QC frameworks.\301\ 
Identifying and understanding the underlying causes of a problem 
supports developing solutions that address those causes, rather than 
just the symptoms. Proper determination of the causal factors that led 
to QC deficiencies is essential to developing effective remedial 
actions. For example, a policy or procedure could be inappropriately 
designed or implemented or a person may not have complied with a policy 
or executed a procedure as it was intended. As another example, an 
audit tool may not have operated as intended. Root cause analysis looks 
for different types of causes through investigating the patterns of 
negative effects, finding hidden flaws in the QC system, and 
discovering specific actions that contributed to the problem. 
Improvements in audit quality have generally been observed through 
PCAOB oversight activities where a firm has established an effective 
root cause analysis program.\302\ Many different types of causes may 
contribute to a problem.
---------------------------------------------------------------------------

    \301\ See Spotlight: Root Cause Analysis--An Effective Practice 
to Drive Audit Quality (April 2024) available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/root-casue-spotlight.pdf?sfvrsn=55f82206 2.
    \302\ See 2018 Inspection Observations Preview.

---------------------------------------------------------------------------

[[Page 49670]]

    A firm might find it helpful when performing root cause analysis to 
leverage information obtained from its evaluation of whether a QC 
deficiency exists. That is, information about the nature, severity, or 
pervasiveness of the matter that gave rise to the QC observation and 
the likelihood that the matter that gave rise to the QC observation 
could affect other components of the QC system or other engagements may 
provide evidence of what caused the problem to occur.
    Root cause analysis procedures could take different forms depending 
on the circumstances, which allows for scalability. Some key elements 
that the PCAOB has observed that may lead to more robust and 
comprehensive root cause analysis include: \303\
---------------------------------------------------------------------------

    \303\ See June 2014 SAG Briefing Paper at 2.
---------------------------------------------------------------------------

     Monitoring audit deficiencies identified and performing 
root cause analysis on a continual basis. This allows firms to obtain 
information that allows them to react more timely and implement 
remedial actions to reduce recurring deficiencies in other audits.\304\
---------------------------------------------------------------------------

    \304\ See Staff Inspection Brief, Vol. 2017/4: Preview of 
Observations from 2016 Inspections of Auditors of Issuers (Nov. 
2017), at 16, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/inspections/documents/inspection-brief-2017-4-issuer-results.pdf?sfvrsn=c216d8a7_0.
---------------------------------------------------------------------------

     Process mapping at the engagement level and the firm level 
of the underlying work flows of how a firm conducts its practice. A 
well-defined process makes it easier to analyze negative events to 
determine what went wrong.
     Consideration of both positive and negative quality events 
(i.e., actions, behaviors, or conditions that resulted in positive or 
negative outcomes) to identify whether such actions, behaviors, or 
conditions were present on engagements where QC deficiencies were 
identified.
     Measuring, in real time, the effectiveness of remedial 
actions and audit quality improvement plans or initiatives to identify 
whether remedial efforts are effective.
    The standard does not require firms to perform root cause analysis 
on QC observations that are not QC deficiencies.
    Paragraph .74 of the standard requires that the nature, timing, and 
extent of the root cause analysis be commensurate with the nature, 
severity, and pervasiveness of the QC deficiency. This provision did 
not draw comment and was adopted as proposed.
    A QC deficiency that could affect multiple engagements may require 
more urgent root cause analysis, depending on the circumstances. To 
illustrate, a QC deficiency related to a firm's approach to testing 
business combinations would be more urgent if a firm's clients 
regularly enter into such transactions. Taking into account the nature, 
severity, and pervasiveness of the QC deficiency, root cause analysis 
may be performed at different points in time or, depending on the size 
and nature of the firm, operate as more of a continual process. At 
times, it might be effective to combine similar QC deficiencies and 
perform root cause analysis on them collectively rather than on an 
individual basis.
    In some instances, the causal factors may be relatively apparent 
and therefore require less analysis than in a situation where the cause 
of the deficiency is complex and requires significant investigation and 
analysis. As previously mentioned, there may be multiple causes 
contributing to a QC deficiency. Generally, the more thorough the 
analysis, the more likely the causal factors will be identified and the 
greater the likelihood that a firm could design and implement 
remediation efforts that will be effective in preventing similar QC 
deficiencies from occurring again.
    It is important for firms to have well-defined processes in order 
to perform sufficient root cause analysis. The better delineated the 
underlying processes, the less work that may be necessary to determine 
why the QC deficiency occurred.
ii. Remedial Actions (QC 1000.75)
    The requirement to design and implement timely remedial action for 
QC deficiencies did not attract comment and was adopted as proposed.
    The timing of a firm's efforts to design and implement remedial 
actions depends on the results of the firm's root cause analysis and 
the nature, severity, and pervasiveness of the QC deficiency. The Board 
expects a firm to respond in a manner that would mitigate the 
occurrence of additional QC deficiencies related to similar underlying 
causes.
    In some circumstances, due to the extent of remedial actions 
necessary to address the QC deficiency, a firm might design and 
implement temporary remedial actions until permanent actions can be 
designed and implemented. For example, a firm could design and 
implement supplemental audit practice aids to address QC deficiencies 
until the firm is able to revise its comprehensive audit methodology. 
In some situations, a complex QC deficiency may result in the firm 
developing a multi-step plan with milestones necessary to be achieved 
as the firm designs and implements its remedial actions.
    In other situations, the extent of remedial actions the firm needs 
to take to address a particular QC deficiency may be reduced by other 
compensating responses that the firm has in place. If the remedial 
actions, including any relevant compensating responses, have been 
tested and found effective in addressing the issue, the firm might 
determine, based on the facts and circumstances, that no further 
remedial action is necessary.
    The process of identifying QC observations, determining QC 
deficiencies, performing root cause analysis, and designing and 
implementing remedial actions is iterative. For example, a firm may 
learn information from performing root cause analysis that may identify 
issues that would have been relevant when evaluating a different QC 
observation had such information been known at the time. If this were 
to occur, a firm would further evaluate the other QC observation to 
determine if a QC deficiency exists based on this new information. As 
another example, the work entailed in a root cause analysis could 
potentially help a firm identify other quality objectives that are not 
being met. To illustrate, the firm's root cause analysis may show that 
a lack of training caused deficiencies in a complex audit or accounting 
area that is common to the firm's engagements, and may also lead to the 
identification of other problems in the same area, such as inadequate 
audit methodology or a missed consultation due to the lack of a well-
understood, robust consultation process.
    PCAOB oversight activities have identified that some firms evaluate 
positive quality events associated with engagements where no engagement 
deficiencies were identified. For example, certain procedures, 
techniques, or voluntary practice aids may have contributed to an 
engagement performed in accordance with applicable professional and 
legal requirements. These firms use the information obtained from such 
evaluations to assess the actions of individuals on engagements with 
deficiencies, ultimately highlighting potential actions to prevent 
future engagement deficiencies. The Board believes that evaluating 
positive outcomes could contribute to the success of the firm's root 
cause analysis and remediation efforts. Therefore, the standard 
includes a note highlighting that it may be beneficial for firms to 
consider actions, behaviors, or conditions that resulted in positive

[[Page 49671]]

outcomes, such as where aspects of the firm's QC system operated 
effectively or where no engagement deficiencies were identified for 
individual engagements.
    In some circumstances, a firm may determine the root cause of a QC 
deficiency is related to the use of a resource or service provided by a 
third-party provider. If this were to occur, under the standard, the 
firm is responsible for addressing the effect of the deficiency on its 
QC system. This could include, among other things, working with the 
third-party provider to design and implement remedial actions or 
deciding to end the relationship with the third-party provider and, as 
part of the firm's remedial actions, revising its policies and 
procedures in the area affected. Irrespective of the approach taken and 
the extent of participation by third parties, the firm remains 
responsible for its QC system.
    If a firm belongs to a network and uses network resources or 
services to enable the operation of the firm's QC system or the 
performance of its engagements, a root cause of a QC deficiency could 
be related to the network resource or service. Similar to a firm's use 
of resources or services provided by a third-party provider, a firm is 
responsible for addressing the effect of the deficiency on its QC 
system regardless of whether the remedial actions taken by the firm are 
coordinated with the network or designed and implemented exclusively by 
the firm. Further, the firm remains responsible for determining whether 
the actions taken by the network sufficiently remediate the QC 
deficiency.
    Under the standard, firms are able to design their approach to 
conducting root cause analysis and developing remedial actions. Firms' 
approaches will vary based on the nature and circumstances of the firm 
and its engagements. In addition, approaches will likely change as new 
technologies become available and other techniques develop.
k. Monitoring the Implementation and Operating Effectiveness of 
Remedial Actions (QC 1000.76)
    The requirement to monitor the implementation and operating 
effectiveness of remedial action for QC deficiencies did not attract 
comment and was adopted as proposed.
    Under the final standard, a firm monitors the effectiveness of its 
remedial actions through engagement monitoring activities and/or QC 
system-level monitoring activities, depending on the nature of the QC 
deficiency. If a firm determines the remedial actions were not properly 
implemented or operating effectively, the firm would be required to 
take timely actions until the monitoring activities indicate the QC 
deficiency was remediated. Timely actions could include, among others, 
one or more of the following:
     Adjusting the implemented remedial actions;
     Designing and implementing additional remedial actions; or
     Performing additional root cause analysis to determine if 
other causes exist and, if so, designing and implementing remedial 
actions to address such causes.
    Once additional actions are taken, a firm is required to perform 
monitoring activities on such changes to determine whether the QC 
deficiency was remediated.
BILLING CODE 8011-01-P

[[Page 49672]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.009

BILLING CODE 8011-01-C
2. Current PCAOB Standards
    Current PCAOB QC standards require firms to establish policies and 
procedures to provide the firm with reasonable assurance that the 
policies and procedures relating to each of the other QC elements are 
suitably designed and are being effectively applied.\305\ The standards 
also address how a firm implements the monitoring element of a QC 
system in its accounting and auditing practice.\306\ The standards 
discuss various monitoring procedures that a firm may perform, such as 
reviewing engagements before or after the engagement reports are 
issued, reviewing selected administrative and personnel records 
pertaining to the QC elements, considering systemic causes of findings 
that indicate improvements are needed, determining corrective actions, 
and following up to ensure that any necessary modifications are made to 
the firm's QC policies and procedures on a timely basis.\307\ Although 
current PCAOB QC standards provide that monitoring procedures taken as 
a whole should enable firms to obtain reasonable assurance that their 
QC systems are effective,\308\ there are no express obligations for 
firms to perform any specific types of monitoring.
---------------------------------------------------------------------------

    \305\ See QC 20.20.
    \306\ See generally QC 30.
    \307\ See QC 30.03; QC 30.06.
    \308\ See QC 30.03.
---------------------------------------------------------------------------

Evaluation of and Reporting on the QC System

1. QC 1000
a. Annual Evaluation of the Effectiveness of the QC System (QC 1000.77)
    A firm's evaluation of the results of its monitoring and 
remediation process helps the firm identify the areas within the QC 
system that are designed, implemented, and operating effectively, as 
well as areas that require attention. This perspective will assist firm 
leadership in allocating resources to address QC deficiencies and 
provide them with a basis for communicating to others--within or 
outside the firm--the status of the firm's QC system.
    Current PCAOB QC standards do not require such an evaluation. The 
Board

[[Page 49673]]

understands that some firms already evaluate their QC systems, either 
voluntarily or in response to other requirements.\309\ However, not all 
firms evaluate their QC systems, and those that do may not apply the 
same degree of rigor.
---------------------------------------------------------------------------

    \309\ See, e.g., NYSE Listed Company Manual, Section 
303A.07(b)(iii)(A); Section 2(d) of Article 13, Regulation (EU) 537/
2014.
---------------------------------------------------------------------------

i. Evaluation Requirement
    The proposed standard included a requirement for the firm to 
evaluate annually whether its QC system is effective, is effective 
except for one or more unremediated QC deficiencies that are not major 
QC deficiencies, or is not effective (i.e., one or more major QC 
deficiencies exists). Pursuant to proposed paragraph .07c, firms that 
were not required to implement and operate a QC system at any time 
within the previous 12 months would not be subject to the requirement 
to evaluate and report on their QC system.
    Some commenters expressed support for the proposed annual 
evaluation requirement. However, several commenters suggested that the 
Board conform the terminology to ISQM 1, such that the conclusions 
reached in evaluating the QC system would be the same under both 
standards. Some commenters expressed concern about the potential for 
stakeholder confusion because the criteria and terminology used in QC 
1000 differ from ISQM 1. One commenter expressed concern that the more 
stringent criteria of QC 1000 would create a competitive disadvantage.
    One commenter recommended that the Board eliminate the middle 
category (effective except for one or more unremediated QC deficiencies 
that are not major QC deficiencies), so that a firm's QC system would 
be evaluated as either effective or not effective based on whether any 
unremediated major QC deficiencies exist as of the evaluation date, 
such that the reasonable assurance objective has not been achieved. The 
commenter analogized to ICFR reporting, where management is only 
required to report material weaknesses.
    The Board adopted the evaluation requirements as proposed. The 
Board does not believe there is any likelihood of confusion among 
external stakeholders arising from differences in evaluation criteria 
between QC 1000 and ISQM 1 because, under the final PCAOB standard, the 
conclusion reached about the effectiveness of a firm's QC system is not 
required to be made public. The same is true under ISQM 1. Therefore, 
if a firm were to evaluate its QC system under both standards and reach 
different conclusions, market participants would be unaware of that 
fact unless the firm chose to make the results of its evaluation public 
(in which case, it could also choose to provide an explanation of the 
difference). Additionally, while ISQM 1 requires communication to those 
charged with governance about how the system of quality management 
supports the consistent performance of quality audit engagements, QC 
1000 does not require any such communication to the audit 
committee.\310\ Firms would of course be free to discuss the evaluation 
of their QC system with the audit committee, potentially as part of the 
report required under listing standards that may apply to the 
issuer.\311\ The Board believes most audit committee members are 
already well acquainted with reviewing information prepared under 
different frameworks, e.g., financial statements prepared under U.S. 
GAAP and under IFRS, and could readily understand that the more 
stringent criteria under QC 1000 could lead to a different conclusion 
about the effectiveness of the QC system.
---------------------------------------------------------------------------

    \310\ See Reporting to the audit committee, discussed below.
    \311\ See NYSE Listed Company Manual, Section 
303A.07(b)(iii)(A).
---------------------------------------------------------------------------

    Similarly, the Board believes that firms that are required to 
perform multiple QC system evaluations will be able to train their 
personnel and acquire other resources as necessary to avoid confusion 
among internal stakeholders and perform the evaluation under QC 1000 
appropriately. A firm will be subject to both QC 1000 and other QC 
standards only if it is performing audits under multiple sets of 
auditing standards. Just as such firms manage the differences in audit 
requirements and methodology associated with different auditing 
standards, the Board believes they will be capable of managing 
differences in the QC system requirements under QC 1000 and other QC 
standards, including differences in the criteria and terminology used 
in evaluating the QC system.
    The Board also believes that requiring three categories for the QC 
system evaluation, as proposed--effective, effective except for one or 
more unremediated QC deficiencies that are not major QC deficiencies, 
and ineffective--will result in a more rigorous QC system evaluation, a 
greater incentive for firms to address QC deficiencies promptly, and 
more detailed and informative reporting to the PCAOB. Given that 
reporting is only to the PCAOB, the Board does not believe an analogy 
to management's public reporting regarding ICFR, where only material 
weaknesses are required to be reported, is appropriate.
    Firms will be required to perform an evaluation of their QC system 
annually. The firm's evaluation is based on data and evidence provided 
by the firm's monitoring and remediation activities. An annual 
evaluation will provide leadership with timely information to 
facilitate an effective feedback loop.\312\ This approach highlights 
the importance of the QC system in driving continuous improvement in 
firms' ability to perform compliant engagements on a consistent basis. 
The evaluation requirement will drive firms to collect and analyze the 
results of their monitoring and remediation processes in order to 
identify deficiencies and will provide an additional incentive for 
firms to focus on areas requiring the most immediate attention and 
improvement.
---------------------------------------------------------------------------

    \312\ Firms could decide to evaluate the QC system more 
frequently than required under the standard. For example, a firm 
with one or more major QC deficiencies may decide to perform a mid-
year evaluation to gauge the effectiveness of its remedial actions.
---------------------------------------------------------------------------

    The evaluation requirement also reinforces the responsibility and 
accountability of leadership for the firm's QC system.\313\ As 
discussed above, the individual charged with ultimate responsibility 
and accountability for the QC system as a whole will be accountable for 
the annual evaluation, and both that individual and the individual 
charged with operational responsibility and accountability for the QC 
system as a whole will be required to certify the firm's annual report 
regarding the evaluation of its QC system.\314\ The Board believes this 
will send a clear message about the importance of the evaluation and 
incentivize firm leadership to take ownership of both the annual 
evaluation of the QC system and the results.
---------------------------------------------------------------------------

    \313\ See QC 1000.13-.17.
    \314\ See QC 1000.14c.-d. and .15b.
---------------------------------------------------------------------------

    While the Board adopted as proposed a requirement for annual 
evaluation of the QC system, it made some changes in response to 
commenter input, as described below.
ii. Evaluation Frequency and Date
    The proposed standard would have required the firm to evaluate its 
QC system annually as of November 30 and conclude on whether any 
unremediated QC deficiencies (including major QC deficiencies) exist as 
of that date.

[[Page 49674]]

    One commenter, an investor-related group, supported the proposed 
November 30 evaluation date and opposed allowing firms to set their own 
reporting date.
    Many commenters, generally firms and firm-related groups, suggested 
that firms should be permitted to choose their own evaluation date, 
primarily because it would enable them to choose a date based on their 
own operating and business cycle or inspection cycle. These commenters 
also noted other considerations, such as alignment with the firm's 
fiscal year end or the date already chosen for the evaluation required 
under ISQM 1. Several commenters suggested that firms should be able to 
choose a date that would allow them sufficient time to perform root 
cause analysis, remediate identified issues, and test the effectiveness 
of their remediation efforts. One commenter noted that firms could 
choose a date with a view to enabling real-time conversations with 
audit committees. Another commenter suggested that additional 
flexibility on the evaluation date would enhance the scalability of the 
standard. Some commenters stated that requiring a specific evaluation 
date could lead firms to perform assessments twice a year. Several 
commenters also raised a concern about potential resource limitations 
in performing the evaluation on the timetable the Board proposed.
    Other commenters suggested various options for potential 
alternative evaluation dates:
     March 31, on the basis that it is better aligned with a 
natural business cycle for many firms or aligns with the Form 2 
reporting date. (These commenters generally preferred allowing firms to 
choose their own evaluation date over a mandated date applicable to all 
firms and suggested March 31 as a second-best approach.)
     September 30, which would allow firms to report to the 
PCAOB by November 15 and, in turn, report to audit committees before 
the end of the calendar year.
     September 30 or October 31, if the proposed January 15th 
reporting date is implemented, to allow additional time to complete 
reporting.
     February 28, to allow reporting by April 1, in advance of 
the April/May proxy season.
     A window, for example, November to March, within which 
firms could choose a date.
    Taking into account commenter feedback on the proposed evaluation 
date of November 30, the evaluation date was revised to September 30 
for all firms. The Board believes this earlier date addresses commenter 
concerns that the November 30 date would have caused potential resource 
limitations during the traditional busy period for many firms. Further, 
the Board believes an evaluation date of September 30 would provide the 
firm with enough time to identify and potentially remediate any QC 
deficiencies identified from the most recent calendar year-end 
engagements, which might not be possible if an earlier date were 
selected.
    As summarized above, some firms expressed concern that a firm that 
has already chosen its evaluation date under ISQM 1 would be required 
to perform two QC system evaluations per year since the PCAOB's 
evaluation date differs from ISQM 1's. The Board believes firms can 
build on work already done for the purpose of complying with the 
requirements of one QC standard in performing the other, to the extent 
applicable. However, since the nature of the two evaluations is 
inherently different (e.g., the determination of major QC deficiencies, 
the differing definitions of QC deficiency under QC 1000 vs. deficiency 
under ISQM 1), the Board believes that there would always be some 
differences between the evaluation required under QC 1000 and the 
evaluation required under ISQM 1. While there could be additional costs 
associated with multiple evaluations if a firm chose to have separate 
evaluation dates for purposes of QC 1000 and other QC standards to 
which it is subject, firms would be free to change their evaluation 
date under other QC standards so that the evaluation dates coincide.
    The proposed standard also included a note clarifying what 
unremediated means in the context of this requirement: remedial actions 
that completely address the QC deficiency have not been fully 
implemented, tested, and found effective. While this note did not draw 
specific comment, one commenter suggested that the framework afforded 
by section 104(g)(2) of Sarbanes-Oxley, which the commenter said 
focuses on substantial good faith progress instead of complete 
remediation, is necessary and should be retained. The Board disagrees 
as, in its view, the two provisions serve fundamentally different 
purposes and a different approach is appropriate for firm evaluation 
and reporting under QC 1000.
    Sarbanes-Oxley section 104(g)(2) governs the circumstances under 
which the PCAOB is permitted to make portions of an inspection report 
dealing with quality control criticisms and potential defects public. 
It forbids publication if the criticisms or defects ``are addressed by 
the firm, to the satisfaction of the Board,'' not later than 12 months 
after the date of the report. In describing its process for determining 
whether a matter has been addressed to its satisfaction, the Board 
indicated that a ``favorable Board determination reflects the Board's 
assessment that the firm has demonstrated substantial, good faith 
progress toward achieving the relevant quality control objectives, 
sufficient to merit the result that the criticisms remain nonpublic. A 
favorable determination does not necessarily mean that the firm 
completely and permanently cured any particular quality control 
defect.'' \315\
---------------------------------------------------------------------------

    \315\ PCAOB Rel. No. 104-2006-077 at 6.
---------------------------------------------------------------------------

    By contrast, reporting on Form QC is simply factual: as of the 
evaluation date, has each identified QC deficiency been fully 
remediated or not? Under QC 1000, firms will perform a self-evaluation, 
based on the process and criteria set forth in the standard. This is 
very different from the process by which the Board determines whether a 
matter has been remediated to its satisfaction for purposes of section 
104(g)(2),\316\ not least because it involves the firm's self-
assessment rather than the Board's judgment. Moreover, the Board does 
not believe the consequences of a firm reporting an unremediated QC 
deficiency to the PCAOB would be the same as the consequences of the 
PCAOB publishing QC criticisms in an inspection report; in particular, 
the Board does not believe that the legislative policy choice reflected 
in section 104(g)(2), which, as the Board has said, favors ``the 
correction of quality control problems over the exposure of them,'' 
\317\ applies in this context, given the nonpublic nature of the Form 
QC reporting. Accordingly, the Board adopted the note to paragraph .77 
as proposed.
---------------------------------------------------------------------------

    \316\ See PCAOB Rule 4009, Firm Response to Quality Control 
Defects.
    \317\ PCAOB Rel. No. 104-2006-007 at 2.
---------------------------------------------------------------------------

b. Determining Whether Major QC Deficiencies Exist (QC 1000.78)
    The standard requires firms to evaluate unremediated QC 
deficiencies as of the evaluation date to determine whether major QC 
deficiencies exist. While the identification of QC deficiencies will be 
an ongoing process throughout the year, the determination of whether 
any of those QC deficiencies, alone or in combination, constitute major 
QC deficiencies will be required only as part of a firm's annual 
evaluation of its QC system.

[[Page 49675]]

i. Definition of a Major QC Deficiency
    The proposed standard provided that a major QC deficiency was ``an 
unremediated QC deficiency or combination of unremediated QC 
deficiencies, based on the evaluation under paragraph .78, that 
severely reduces the likelihood of the firm achieving the reasonable 
assurance objective or one or more quality objectives.'' One commenter 
supported the concept of major QC deficiency. However, a number of 
commenters expressed concern with that proposed definition:
     Several commenters expressed concern that the definition 
could cause a firm to come to a different conclusion about its QC 
system during the annual evaluation process under QC 1000 than the 
conclusion a firm may reach under ISQM 1 and suggested that the 
definition be revised to include the concepts of severe and pervasive, 
similar to the concepts that appear in relation to the evaluation of QC 
deficiencies under ISQM 1.
     One commenter stated that it was unclear why a new term, 
``major QC deficiency,'' would be necessary and questioned the need for 
a reference to a threshold other than ``achieving reasonable 
assurance.''
     Another commenter was concerned that the concept of major 
QC deficiency, which other QC standards do not use, will redirect time 
and resources to analyzing the level of a deficiency instead of the 
important elements to remediate the deficiency such as root cause 
analysis and implementing timely changes to a firm's system.
     Another commenter stated that the phrase ``severely 
reduces the likelihood'' in the definition of major QC deficiency is 
vague and not sufficiently defined in the proposed QC standards and 
suggested that the phrase be replaced with the phrase ``prevents the 
firm from concluding.''
    The Board considered the commenter feedback and determined to adopt 
this language as proposed. The Board agrees it is possible that firms 
could reach different conclusions as to the effectiveness of their QC 
system under QC 1000 and ISQM 1 or SQMS 1. However, the concept of 
severe and pervasive, which commenters suggested be incorporated in the 
definition, appears in the factors for firms to consider when 
determining the existence of a major QC deficiency (see paragraph .78b. 
below). The Board believes that including this concept in the factors 
clarifies the process firms will need to go through in making their 
determination of whether a major QC deficiency exists.
    The defined term ``major QC deficiency'' is unique to QC 1000, but 
the concept it embodies--that the QC system does not provide the firm 
with reasonable assurance that the objectives of the QC system have 
been met--is not, and appears in both ISQM 1 and SQMS 1. Accordingly, 
the Board does not believe that phrasing the requirements as it has, 
including the use of a defined term, will require a different 
evaluation process than if it had simply required a determination that 
the QC system was ineffective. The standard does not require the 
determination of major QC deficiencies to be performed at any time 
other than the evaluation date. However, firms may choose to perform 
such an analysis ahead of the annual evaluation date to enable 
sufficient time to design, implement, and test remedial actions related 
to the QC deficiencies that have the greatest potential impact on the 
QC system.
    As with the defined term ``QC deficiency,'' the defined term 
``major QC deficiency'' is analogous to a term in COSO's integrated 
framework, major deficiency, which includes the concept of ``severely 
reduces the likelihood.'' The Board believes that this concept is 
already well-understood by firms.
    Another commenter expressed concern that a major QC deficiency 
would exist if there was a severely reduced likelihood that the firm 
did not achieve a single quality objective, even when the firm had in 
fact achieved the reasonable assurance objective. In the Board's view, 
this concern is more theoretical than real. The quality objectives in 
QC 1000 relate to compliance with applicable professional and legal 
requirements in each component of the QC system and in the aspects of 
the firm's practice that are addressed by each component. Failing to 
achieve such a quality objective implies that the reasonable assurance 
objective has not been achieved. Some quality objectives, particularly 
in the resources component, also relate to compliance with the firm's 
policies and procedures. These quality objectives are directed to the 
QC system itself: compliance with policies and procedures is necessary 
for the QC system to operate as designed. While failure to comply with 
firm policies and procedures does not necessarily imply failure to 
comply with applicable professional and legal requirements, it does 
mean that the QC system is not operating as designed, which may raise 
questions about the level of assurance it provides.
    In response to commenter feedback regarding the proposed concept of 
presumed major QC deficiencies (discussed in the next section), the 
lead-in language of paragraph .78 was revised to clarify that the 
factors in paragraph .78b are to be applied by the firm both (i) when a 
presumption arises that a major QC deficiency exists and the firm 
attempts to rebut the presumption, and (ii) in instances where no 
presumption arises.
ii. Presumed Major QC Deficiency (QC 1000.78.a)
    The proposed definition of a major QC deficiency provided for two 
circumstances that would be presumed to evidence a major QC deficiency. 
These circumstances included an unremediated QC deficiency or 
combination of unremediated QC deficiencies that:
     Relates to the firm's governance and leadership that 
affect the overall environment supporting the operation of the QC 
system. Firm governance and leadership establish the environment that 
determines how firm personnel carry out responsibilities for the 
operation of a firm's QC system and the performance of its engagements. 
Because of the pervasive impact of leadership and the ``tone at the 
top,'' one or more unremediated QC deficiencies related to firm 
governance and leadership that affect the overall environment 
supporting the operation of the QC system would almost always severely 
reduce the likelihood of the firm achieving the reasonable assurance 
objective or one or more quality objectives.
     Results in or is likely to result in one or more 
significant engagement deficiencies in engagements that, taken 
together, are significant in relation to the firm's total portfolio of 
engagements conducted under PCAOB standards. A significant engagement 
deficiency exists when (1) the engagement team failed to obtain 
sufficient appropriate evidence in accordance with the standards of the 
PCAOB or failed to perform interim review or attestation procedures 
necessary in the circumstances, (2) the engagement team reached an 
inappropriate overall conclusion on the subject matter of the 
engagement, (3) the engagement report is not appropriate in the 
circumstances, or (4) the firm is not independent of its client.\318\ 
An unremediated QC deficiency that would likely result in one or more 
of these deficiencies in engagements that, taken together, are 
significant in relation to the firm's total portfolio of engagements

[[Page 49676]]

conducted under PCAOB standards would give rise to a presumption that a 
major QC deficiency exists. The definition included examples of 
quantitative and qualitative criteria that may signal such 
significance.
---------------------------------------------------------------------------

    \318\ See Notes to AS 1220.12, .17, .18B.
---------------------------------------------------------------------------

    One commenter argued that the proposed presumption regarding 
deficiencies in the governance and leadership component was 
unnecessary, on the basis that not every deficiency in governance and 
leadership was necessarily a major QC deficiency. Other commenters 
expressed concern that the circumstances presumed to evidence a major 
QC deficiency remove the auditor's ability to apply professional 
judgment. Another commenter suggested that the presumptions could be 
replaced with indicators of a major QC deficiency, similar to how AS 
2201 treats material weaknesses. Another commenter stated that it is 
not appropriate to include in the proposed definition circumstances 
when a major QC deficiency is presumed to exist because the factors 
provided in paragraph .78 are sufficient to make the evaluation of 
whether a QC deficiency is a major QC deficiency. Another commenter 
suggested that these presumed major QC deficiencies could be relocated 
from the definition and into paragraph .78 and achieve the same 
objective.
    The Board considered the commenter feedback. However, as described 
above, the Board continues to believe that because of the pervasive 
impact of leadership and the ``tone at the top,'' one or more 
unremediated QC deficiencies related to firm governance and leadership 
that affect the overall environment supporting the operation of the QC 
system would almost always severely reduce the likelihood of the firm 
achieving the reasonable assurance objective or one or more quality 
objectives--that is, would almost always result in a major QC 
deficiency.
    The Board also noted that, consistent with the proposal, the 
presumptions are not conclusive and can be rebutted by the firm in 
appropriate circumstances. The note to paragraph .78a clarifies that in 
order to rebut a presumption that a major QC deficiency exists, a firm 
must demonstrate, by taking into account both of the factors in 
paragraph .78b. (including all of the listed examples in paragraph 
.78b.(1)), that a major QC deficiency does not exist.\319\ The standard 
thus allows for circumstances in which a deficiency related to one of 
the presumptions does not amount to a major QC deficiency, and creates 
an opportunity for firms to exercise professional judgment in deciding 
whether to attempt to rebut the presumption and, if so, how to apply 
the paragraph .78b factors. However--appropriately, in the Board's 
view--the presumptions shift the burden of proof to the firm, which 
will have to demonstrate that circumstances generally reflecting a 
major QC deficiency do not constitute a major QC deficiency in its 
case. The Board believes the term ``presumption'' achieves this burden 
shifting more clearly than ``indicators'' or other terms would do.
---------------------------------------------------------------------------

    \319\ When circumstances exist that are presumed to evidence a 
major QC deficiency, but the firm demonstrates that it does not have 
a major QC deficiency, the firm will be required to disclose the 
basis for its determination in its report to the PCAOB on Form QC, 
as discussed further below. See Form QC, Report on the Evaluation of 
the Firm's System of Quality Control, Item 2.5.
---------------------------------------------------------------------------

    The Board agrees with the commenter that suggested that the 
presumed major QC deficiencies should not be included in the definition 
of major QC deficiency and have taken another commenter's suggestion to 
relocate the presumption to paragraph .78. Accordingly, the Board made 
the following revisions to paragraph .78:
     Relocated the circumstances presumed to evidence a major 
QC deficiency from the definition into paragraph .78a, so they are 
explicitly part of the process of determining whether a major QC 
deficiency exists.
     Included a note to clarify what the firm has to 
demonstrate in order to rebut the presumption that a major QC 
deficiency exists.
    Importantly, the circumstances where a major QC deficiency is 
presumed to exist are not an exhaustive list of possible major QC 
deficiencies. For example, any deficiency that requires significant 
effort and resources to remediate may be a major QC deficiency.
    One firm requested clarification of the relationship between the 
definitions of ``engagement deficiencies'' and ``significant engagement 
deficiencies.'' As is evident from their respective definitions, 
significant engagement deficiencies are a subset of engagement 
deficiencies. QC 1000 defines an engagement deficiency as ``an instance 
of noncompliance with applicable professional and legal requirements by 
the firm, firm personnel, or other participants with respect to an 
engagement of the firm, or by the firm or firm personnel with respect 
to an engagement of another firm.'' As the footnote to paragraph .78 of 
the standard provides, ``A significant engagement deficiency exists 
when (1) the engagement team failed to obtain sufficient appropriate 
evidence in accordance with the standards of the PCAOB or failed to 
perform interim review or attestation procedures necessary in the 
circumstances, (2) the engagement team reached an inappropriate overall 
conclusion on the subject matter of the engagement, (3) the engagement 
report is not appropriate in the circumstances, or (4) the firm is not 
independent of its client. See, e.g., Notes to AS 1220.12, .17, .18B.''
iii. Factors for Consideration
    To help firms make the determination of whether a major QC 
deficiency exists, the standard provides factors on which to base the 
determination, which assist firms in applying the definition. Several 
commenters expressed general support for the proposed factors, and the 
Board adopted them as proposed.
    The Board did not receive comments on the examples that illustrated 
the proposed factors, and adopted this aspect of the proposal 
substantially as proposed, with one addition, in a renumbered paragraph 
.78b.(1)(d). The added example relates to the persistence of an 
unremediated QC deficiency or combination of unremediated QC 
deficiencies over time. Through its oversight activities the PCAOB has 
observed repeat or persistent criticisms--appearing in consecutive 
inspections, or occurring consistently over multiple years, even if not 
every year--which the Board believes may be indicative of a problem so 
pervasive and/or so severe that the firm has been unable to effectively 
remediate it, or of significant failures in the firm's remediation 
process. Firms will need to consider whether and how the existence of a 
persistent unremediated QC deficiency or combination of unremediated QC 
deficiencies year over year might indicate the existence of a major QC 
deficiency.
    Under the standard, the factors for determining whether a major QC 
deficiency exists are:
     The severity and pervasiveness of the unremediated QC 
deficiency or combination of unremediated QC deficiencies. A firm 
assesses an unremediated QC deficiency, considering both quantitative 
and qualitative implications. For example, a firm will assess how many 
of the components of its QC system, quality objectives, and quality 
responses are affected by the deficiency, the number of root causes, 
and the number of affected engagements or engagements likely to be 
affected in the future, as well as the impact on those engagements, 
including engagements

[[Page 49677]]

where the opinion was not appropriately supported or the financial 
statements or management's internal control assessment had to be 
revised or restated. The firm would also consider the implications of 
the deficiency for the QC system overall, based on ways in which the 
design or operation of other aspects of the QC system may be affected, 
the pervasiveness of the root causes, and the risk of the firm issuing 
inappropriate engagement reports or otherwise performing deficient 
engagements in the future. Viewed this way, for example, an 
unremediated QC deficiency that affects engagements only in a single 
industry, where the firm has few clients and no intention to acquire 
more and the engagements represent an insignificant portion of the 
firm's total portfolio of engagements under PCAOB standards, is less 
likely to be severe or pervasive. The Board views the concepts of 
severity and pervasiveness as overlapping and the factors in paragraph 
.78b.(1) that indicate the severity and pervasiveness of an 
unremediated QC deficiency, or combination of unremediated QC 
deficiencies, represent both aspects. The standard does not require the 
firm to determine that an unremediated QC deficiency is both severe and 
pervasive in order for it to constitute a major QC deficiency, nor is 
the list of examples exhaustive.
     The extent to which remedial actions have been 
implemented, tested, and found to be effective. Before the annual 
evaluation date, a firm may implement remedial actions that reduce the 
severity or pervasiveness of an unremediated QC deficiency. To 
illustrate, if a firm identifies an issue with its audit software, it 
could develop a temporary ``work around'' to mitigate the unremediated 
QC deficiency until a permanent solution is employed. For this factor 
to be relevant for a firm when determining whether a major QC 
deficiency exists as of the annual evaluation date, the remedial 
actions have to be tested and the results have to show that such 
remedial actions are operating effectively.
BILLING CODE 8011-01-P

[[Page 49678]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.010


[[Page 49679]]


[GRAPHIC] [TIFF OMITTED] TN11JN24.011


[[Page 49680]]


[GRAPHIC] [TIFF OMITTED] TN11JN24.012

BILLING CODE 8011-01-C
c. Firm Reporting on QC System Evaluation (QC 1000.79-.80)
i. Reporting to the PCAOB
(1) Annual Reporting
    Under the proposal, firms were to report to the Board annually the 
outcome of the evaluation of the firm's QC system with respect to any 
period during which the firm was required to implement and operate the 
QC system. Many commenters supported the proposed annual reporting 
requirement. However, one commenter stated that this annual firm 
reporting would be of no meaningful incremental benefit to the PCAOB 
and has the potential to create an adversarial dynamic that would not 
promote audit quality or well serve investor protection goals. Another 
commenter suggested that if the required reporting on Form QC to the 
PCAOB would lead to follow-on requests from the PCAOB to furnish more 
detailed information as to specific findings, then confidentiality 
legislation may be an issue for firms. Other commenters argued that, 
because the PCAOB could obtain the same information through the 
inspections process, reporting to the PCAOB would be unnecessarily 
duplicative. Another commenter argued that all unremediated QC 
deficiencies should not have to be reported on Form QC, specifically 
commenting that the PCAOB already has the ability to access QC 
documentation for all registered firms to view this information. 
Another commenter suggested that the value of the report when not 
accompanied by independent attestation is likely to be limited.
    The Board acknowledges that it has the ability to request from 
firms information relating to their QC systems. However, the Board 
continues to believe that annual reporting to the Board will provide 
the PCAOB with important information about firm QC systems in a timely 
and structured way and will provide an effective and efficient means of 
gathering information about firm QC systems. Currently, only 14 of the 
approximately 1,600 registered firms are subject to annual inspection. 
Approximately 640 registered firms are required to be inspected on a 
triennial basis, of which approximately one third are inspected in any 
given year.\320\ Therefore, the Board does not believe that collecting 
firms' QC information during an inspection would provide timely 
information regarding the majority of registered firms' QC systems. 
Data collected by the PCAOB will inform its inspections process, 
including decisions about the selection of firms and engagements as 
well as focus areas to inspect and the nature and extent of its 
inspection procedures (both for QC processes and individual 
engagements), and will enable the PCAOB not only to make more refined 
data requests from the firms, but also to focus its inspection 
resources on those firms and engagements with the greatest risk. The 
Board believes that this will help better advance its investor 
protection mandate. Additionally, the Board believes that a formal 
reporting process will result in enhanced accountability of firm 
leadership for QC and an additional incentive for prompt remediation of 
identified QC deficiencies. While the standard does not require 
attestation over the firm's evaluation process, the Board believes that 
the requirements regarding the form, including required certifications, 
will provide sufficient incentive for firms to report accurately and 
completely (and enforcement remedies will be available if they do not). 
The incremental effort for a firm to report its evaluation to the PCAOB 
will not be substantial, as the firm is simply communicating the 
results of its evaluation process and any related remediation 
activities, which it is required to conduct and document under QC 1000 
in any case.
---------------------------------------------------------------------------

    \320\ The data were obtained from Audit Analytics and publicly 
available data from the PCAOB's Registration, Annual and Special 
Reporting (RASR) available at https://rasr.pcaobus.org.
---------------------------------------------------------------------------

    One firm suggested that the Board only require reporting to the 
PCAOB if a firm performed engagements in accordance with PCAOB 
standards during the one-year period ending on the evaluation date. The 
Board considered whether this change would be of significant benefit to 
firms and would further enhance the scalability of the standard. 
However, firms that are not currently performing engagements may have 
responsibilities with respect to past engagements.\321\ Moreover, 
regardless of whether they are required to report the results of the 
annual evaluation, firms will still be required to perform an 
evaluation pursuant to QC 1000 in such a circumstance. On that basis, 
the Board believes that reporting would be valuable even for firms that 
did not perform an engagement during the year preceding the evaluation 
date, and that reporting should not constitute an undue burden.
---------------------------------------------------------------------------

    \321\ See, e.g., AS 2901; AS 2905.
---------------------------------------------------------------------------

(2) Reporting Mechanism: Form QC
    As proposed and under the final rules, firms are required to report 
their annual QC evaluation on a new form, Form QC. Several commenters 
supported the use of a separate Form QC, with some of these commenters 
asserting that because firms should be allowed to select their own 
evaluation date, this would necessitate the use of Form QC, rather than 
an existing form such as Form 2. Another commenter supported the view 
that expanding Form 2 to incorporate QC information

[[Page 49681]]

was not favorable as this would make the form longer and more complex. 
The Board continues to believe that separate reporting on new Form QC 
remains appropriate. The contents of Form QC are the result of a 
separate evaluation process by a firm and the Board believes that it is 
simpler for the results of the annual evaluation to be reported on a 
separate form. In addition, as discussed in more detail above, QC 1000 
requires firms to conduct an annual evaluation of their QC system as of 
September 30. The use of a separate Form QC for reporting the results 
of the annual evaluation will facilitate closer alignment of the timing 
of the reporting and the annual evaluation date. For example, the 
submission deadline for Form 2 is June 30, which is nine months after 
the annual evaluation date of September 30. Furthermore, Form 2 
reporting is public and, as discussed in more detail below, Form QC 
will not be publicly available.
    The proposal asked whether Form QC should be permitted to be filed 
in XML or another machine-readable format. In response, one commenter 
supported the PCAOB permitting widely accepted formats that support 
usability. Another commenter supported that the web-based system for 
submitting the information be navigable and easy to use. Reporting to 
the PCAOB will be done using the same platform as its other reporting 
forms (currently, its web-based RASR system and, in the future, 
potentially new means of information exchanges as the PCAOB continues 
to modernize its reporting technology aimed at simplifying and 
automating data collection, processing, and interoperability).
(3) Contents of Form QC
    The contents of Form QC will address the matters listed in 
paragraphs .79-.80. In addition, Form QC will elicit certain 
information about the firm and the individuals responsible for the QC 
system, aggregated information about the items required to be reported 
in paragraph .80, the areas of QC to which any unremediated QC 
deficiencies relate, and a certification of the evaluation of the QC 
system by certain designated individuals (discussed below).
    One firm asserted that the requirement to report unremediated 
deficiencies is at too granular a level to be meaningful. The Board 
considered several alternatives, including requiring firms to report to 
the Board on the outcome of the annual evaluation of the firm's QC 
system only when the firm identifies a major QC deficiency. While this 
approach could reduce some of the costs associated with preparing the 
annual evaluation to the PCAOB, it would also significantly reduce the 
value of the reporting of the firm's annual evaluation to the PCAOB, as 
well as potentially affecting the rigor of the firm's evaluation 
process. As noted above, reporting on all unremediated QC deficiencies 
will inform various aspects of the Board's oversight activities. In 
addition, to the extent that reporting may increase firm leadership's 
focus on their responsibility and accountability for quality, reduced 
reporting would be less beneficial. Therefore, the Board decided that 
annual reporting to the PCAOB of the results of firms' annual 
evaluation of the QC system, including unremediated QC deficiencies, is 
the appropriate approach.
    One commenter supported the inclusion of Item 4.1 of Form QC on 
whether the Board should inform a party of a subpoena for information 
on Form QC, but another commenter argued that it was unnecessary, may 
interfere with investigations, may create a potential ground for firms 
to sue the Board in the event notification did not occur, or 
potentially involve the PCAOB in private litigation. Because Form QC 
will be nonpublic, the Board believes that firms should be given the 
opportunity to request such notification, consistent with the PCAOB's 
treatment of the other nonpublic form filed with the PCAOB.\322\
---------------------------------------------------------------------------

    \322\ See General Instructions 5 to PCAOB Form 1-WD, Request for 
Leave to Withdraw from Registration.
---------------------------------------------------------------------------

    An investor suggested firms should also affirm to the PCAOB on Form 
QC that any information that the firm voluntarily released (e.g., in 
transparency reports, audit quality reports, and CEO speeches) over the 
time period covered by Form QC was consistent with the state of their 
quality control system, as of the time of the voluntary disclosure. 
This commenter also suggested that the affirmation should be publicly 
available. An investor-related group suggested that firms should report 
publicly on Form QC how an independent QC board committee (established 
under paragraph .28 of QC 1000) carries out its responsibilities. As 
discussed in more detail below, Form QC will not be publicly available, 
so there would be no benefit to the public in adding this information 
to Form QC. However, the Board remains committed to finding additional 
ways of providing public disclosure to better inform investors about 
firms, and to that end, has separately proposed to amend Form 2 to 
identify whether the firm has an external oversight function for the 
audit practice (established under paragraph .28 of QC 1000) and, if so, 
the identity of the person or persons and an explanation for the basis 
of the firm's determination that each such person is independent 
(including the criteria used for such determination) and the nature and 
scope of each such person's responsibilities.\323\
---------------------------------------------------------------------------

    \323\ See PCAOB Rel. No. 2024-003 at 29.
---------------------------------------------------------------------------

    Some commenters indicated that there might be circumstances in 
which information required by Form QC may be restricted from disclosure 
by the operation of legal requirements (such as data protection laws). 
Two of these commenters suggested that the instructions to Form QC 
should include a provision found in other PCAOB forms allowing firms to 
decline to provide information if the firm believes that providing such 
information would violate non-U.S. law. Another commenter, while 
acknowledging that it was not aware of non-U.S. laws that would 
prohibit reporting the information required on Form QC, suggested that 
the Board state that firms would not violate the requirement to file 
Form QC if laws or regulations exist in the jurisdiction(s) of the firm 
that prevent compliance with this requirement.
    The Board acknowledges that certain PCAOB forms include a general 
instruction for assertions of conflicts with non-U.S. law. In these 
circumstances, the instructions identify the specific parts and items 
within the form for which the firm may withhold responsive information 
on the basis that the firm could not provide such information without 
violating non-U.S. law. Form QC, however, calls for certain discrete 
information that the Board does not believe, and that no commenter has 
suggested, would be restricted from disclosure under non-U.S. law 
(e.g., the firm's name, the evaluation date, the overall conclusion of 
the firm's evaluation, the number of unremediated QC deficiencies, and 
for each unremediated QC deficiency, whether it is or is not major and 
the areas of the QC system to which it relates). Beyond that, Form QC 
requires firms to provide narrative information, including a 
description of each unremediated QC deficiency, the basis for the 
firm's QC deficiency determination, a summary of remedial actions, and 
the firm's major QC deficiency presumption analysis (if applicable). 
The Board believes that the narrative information required to be 
reported in Form QC can be provided at a sufficiently summarized level 
such that the reporting of such information

[[Page 49682]]

by the firm would not require disclosure of information that could be 
restricted by legal requirements such as data protection laws. For 
example, if a firm reports an unremediated QC deficiency on Form QC, 
the Board believes that the firm could provide a description of the 
deficiency and a summary of the remedial actions taken and planned to 
be taken without violating non-U.S. law.
    Some commenters suggested that the standard should clarify that 
firms submit Form QC in connection with an inspection under section 104 
of the Sarbanes-Oxley Act and that Form QC should receive the same 
confidentiality protections of section 105(b)(5)(A) of the Act that 
other inspections-based documents and information receive. One of these 
commenters further suggested that the Board should make clear that all 
of Form QC and its contents benefit from the privilege established by 
section 105(b)(5)(A), regardless of how a deficiency has come to light. 
Another commenter suggested that the Board consider requesting firms to 
provide the information proposed to be in Form QC through the 
inspection process, and that such requests could be made at any time to 
facilitate the PCAOB's inspections. The commenter explained that under 
this suggested alternative approach, Part II and the related exhibits 
of Form QC could be removed and instead, the PCAOB could request this 
as part of the inspection process, to allow the information to be 
privileged under section 105(b)(5), while retaining the certification.
    The Board does not believe that it is appropriate to specify that 
Form QC is provided in connection with an inspection. The obligation to 
furnish Form QC to the PCAOB does not derive from a request from PCAOB 
inspection staff; instead, that obligation arises expressly from 
paragraph .79 of QC 1000. And while Form QC, like other forms filed 
with the PCAOB (such as annual reports on Form 2), may be used to 
inform the PCAOB inspection process, that is not the only purpose of 
the form; it may be used, for example, in connection with PCAOB 
standard-setting processes, its economic and risk analysis, and its 
registration program, to name a few examples. Furthermore, Form QC 
submissions may not directly relate to an inspection. For example, 
triennially inspected firms are required to report on Form QC annually, 
including in years in which they are not subject to inspection. Firms 
that are no longer performing engagements making them subject to PCAOB 
inspection may still be required to report on Form QC in light of their 
post-issuance QC responsibilities, such as their audit documentation 
retention obligations under AS 1215. Accordingly, the Board does not 
believe that Form QC is received by the Board in connection with an 
inspection for purposes of section 105(b)(5)(A) of the Act, though it 
notes, as discussed further below, that certain information contained 
within a Form QC may be subject to the protections of section 
105(b)(5)(A).
(4) Reporting Date
    The proposal contemplated that firms would have until January 15 of 
the year following the November 30 evaluation date to file Form QC. 
This provided firms 46 days from the evaluation date to the reporting 
date. As adopted, the standard provides that firms have until November 
30 to report on Form QC to the PCAOB. This provides firms with 61 days 
after the evaluation date of September 30 to file Form QC. A general 
instruction was added to Form QC to clarify the reporting period 
covered by the firm's evaluation. The reporting period is the period 
beginning on October 1 of the year preceding the year in which Form QC 
is required to be filed (or, if a firm's obligation to implement and 
operate a QC system arises under paragraph .07a after October 1 of that 
year, the date on which that obligation arises)) and ending September 
30 of the year Form QC is required to be filed. Under this provision, 
the reporting period will generally be 12 months long, but will be 
shorter if the obligation to implement and operate the QC system arises 
mid-period (whether by virtue of the effective date of QC 1000 or the 
firm's otherwise becoming subject to the requirement to implement and 
operate the QC system).
    Several commenters suggested a 90-day period from the evaluation 
date to the reporting date would be appropriate because this would 
allow for testing of controls that operate at the evaluation date, and 
allow firms to perform thorough and detailed evaluations. Several 
commenters suggested that additional time is required for Form QC 
preparation beyond 45 days to be able to compile relevant information, 
including information on remedial actions, with some commenters 
supporting a 60-day period that would align with the shortest due date 
applicable to issuers to report on their conclusion on internal control 
over financial reporting. Another commenter suggested that reporting 
should be in advance of the April/May proxy season, suggesting a 
reporting date of April 1 using an evaluation date of February 28. One 
commenter did not support a January 15 reporting deadline, suggesting 
that this would be close to the conclusion of the audit and, if there 
are matters to be reported to the audit committee, would leave the 
audit committee with little time to consider and respond to the 
information before the due date of the issuer's Form 10-K. The 
commenter also suggested that for firms subject to both ISQM 1 and QC 
1000, having different reporting dates would create unnecessary 
complexities for audit committees receiving reports under different 
standards and different points in time. Several commenters suggested 
that a January 15 reporting deadline would be challenging for many 
firms given the proximity to year-end holidays. One commenter suggested 
that coinciding the reporting date of January 15 with the PCAOB's 
inspection process should not be a key consideration for firms in 
determining the most appropriate date for their annual assessment.
    The Board believes that extending the number of days from the 
evaluation date to the reporting date to 61 days will provide firms 
sufficient time to complete their evaluation and report to the PCAOB. 
In addition, the reporting date of November 30 as adopted is prior to 
the calendar year end and the traditional busy period for many firms, 
which the Board believes will further benefit firms in performing their 
evaluations.
ii. Form QC: Not Publicly Available
    The proposed standard contemplated that Form QC would be nonpublic. 
Many commenters, including firms, supported requiring the contents of 
Form QC to be nonpublic. One firm commented that to require public 
reporting would be inconsistent with the balance that Congress struck 
in sections 104(g)(2) and 105(b)(5) of Sarbanes-Oxley. One commenter 
asserted that the PCAOB should not use rulemaking to cause firms to 
disclose quality control matters that the PCAOB is prohibited by 
Sarbanes-Oxley from disclosing or cause firms to otherwise disclose 
information that would be confidential under statute. Another commenter 
suggested that public disclosure of unremediated QC criticisms could 
allow companies that have a lower demand for audit quality to select a 
lower quality auditor.
    Other commenters, generally investors and investor-related groups, 
objected to the lack of public disclosure. Two investors commented that 
the proposed disclosure to audit committees but not to the public 
leaves investors in the dark, and that disclosure requirements provide 
an effective incentive for remediation of identified quality control 
issues. Another

[[Page 49683]]

commenter asserted that if the PCAOB is permitted to compel firms to 
disclose quality control information to audit committees, then they 
expect that the PCAOB could also compel disclosure of such information 
to the public. The commenter suggested that QC disclosures only to 
audit committees may have unintended consequences for the public 
markets as companies will have more information regarding the quality 
of their auditors than individual investors. Some investors and 
investor-related groups commented that the proposal provides little 
public accountability with no mandated or meaningful disclosures about 
the operation of the QC system. Two investors and an investor-related 
group commented that firms furnish a statement of the quality control 
policies of the firm when registering with the PCAOB, however this 
information is not required to be updated and can quickly become out of 
date. Therefore, providing the public with additional disclosure about 
a firm's quality control system will act as an updating function.
    One firm suggested that it would be difficult for the public to 
synthesize in a useful manner the information in Form QC without the 
right level of context. However, three investor-related groups did not 
support the view that partial disclosure of Form QC would result in 
potentially incomplete or misleading picture of a firm's QC system, and 
favored disclosing elements of Form QC and leaving to investors the 
assessment of the relative importance of the information. One of the 
investors further suggested a restructuring of Form QC that would allow 
confidential information to remain confidential while sharing decision-
useful information with investors. Another investor suggested that 
investors would directly benefit from the disclosure of firm-identified 
deficiencies that omits PCAOB-identified deficiencies, further 
commenting that to the extent firms do not disclose any deficiencies to 
the public, investors may have concern that the system of quality 
control was not sufficient to proactively identify deficiencies.
    The Board continues to recognize the desire of investors and other 
stakeholders for information related to audit quality and the 
effectiveness of firms' QC systems. But its ability to require firms to 
publicly disclose their QC deficiencies is subject to certain legal 
constraints imposed by Sarbanes-Oxley.
    As a threshold matter, some or all of the unremediated QC 
deficiencies identified during a firm's annual evaluation may have been 
identified as QC criticisms or potential defects during a PCAOB 
inspection.\324\ Furthermore, the Board believes that the QC 
deficiencies identified during PCAOB inspections are likely to be 
important information from the perspective of investors and other 
stakeholders, especially because PCAOB inspection teams customize their 
QC-related procedures based on, among other things, the firm's 
structure, procedures performed in prior inspections, past and current 
inspection observations, the size of the firm, and an assessment of 
risk related to each focus area. Notably, however, section 104(g)(2) of 
Sarbanes-Oxley provides that if a quality control criticism or 
potential defect identified during a PCAOB inspection is addressed by 
the firm to the Board's satisfaction within 12 months of the date of 
the Board's inspection report, no portions of the inspection report 
that deal with that criticism or potential defect will be made 
public.\325\ Making or requiring public disclosure through a publicly 
available form of QC deficiencies that have been identified during a 
PCAOB inspection would be inconsistent with this provision of Sarbanes-
Oxley, if disclosure were required before the Board has determined 
whether it is satisfied with the firm's remediation efforts or after 
the Board has determined that the firm has satisfactorily addressed the 
deficiencies.
---------------------------------------------------------------------------

    \324\ See QC 1000.71b.
    \325\ See section 104(g)(2) of Sarbanes-Oxley, 15 U.S.C. 
7214(g)(2); see also PCAOB Rule 4009.
---------------------------------------------------------------------------

    The limitation imposed by section 104(g)(2) is a significant one. 
In light of section 104(g)(2), it appears that even if the PCAOB were 
to require Form QC to be publicly available, the PCAOB could not 
require the disclosure of information regarding the existence or nature 
of QC deficiencies that are still subject to the Board's remediation 
determination. However, if information reported by a firm on Form QC 
informs a QC criticism contained within an inspection report, and if 
that QC criticism is not addressed to the Board's satisfaction within 
12 months of the date of that report, then the QC criticism would be 
made public in accordance with section 104(g)(2).
    The Board believes that the omission of deficiencies that are still 
subject to the Board's remediation determination (or as to which the 
Board has made a favorable remediation determination) would result in a 
publicly available Form QC that supplies an incomplete and potentially 
misleading picture of the effectiveness of the firm's QC system. This 
view is guided by the familiar principle that omitting material facts 
from a disclosure can cause the statements that are made to be 
misleading.\326\ The Board's decision not to mandate public disclosure 
of Form QC, in a context where material information (namely, the 
existence and nature of QC deficiencies that are still subject to the 
Board's remediation determination) may often be omitted, is motivated 
in part by that concern, not by any lack of confidence in investors' 
ability to interpret the information provided to them. For example, a 
firm may have self-identified a number of relatively minor QC 
deficiencies in its own evaluation, while QC deficiencies identified by 
the PCAOB are more severe or could be of greater public interest. In a 
partial disclosure scenario, the firm would disclose the minor matters, 
but not the more significant ones that are still subject to the Board's 
remediation determination, creating a misleading picture of the state 
of its QC system.
---------------------------------------------------------------------------

    \326\ See, e.g., 17 CFR 240.10b-5(b).
---------------------------------------------------------------------------

    The Board was also concerned that, in certain circumstances, even 
such partial disclosure would conflict with section 104(g)(2) of 
Sarbanes-Oxley. For example, assume firms were required to disclose the 
conclusion of their most recent evaluation and any QC deficiencies that 
were self-identified, but not any PCAOB-identified QC deficiencies that 
remain subject to the Board's remediation determination. Under such an 
approach, if a firm had PCAOB-identified QC deficiencies but no 
additional self-identified QC deficiencies, then the firm would not 
disclose any specific QC deficiencies but would disclose an overall 
conclusion (either ``effective except for one or more QC deficiencies 
that are not major QC deficiencies'' or ``ineffective,'' depending on 
the nature of the PCAOB-identified deficiencies) that nonetheless 
reveals that the firm has unremediated QC deficiencies, without 
specifically identifying them. In such a scenario, the Board would be 
indirectly requiring firms to disclose the existence of PCAOB-
identified QC deficiencies that are still subject to the Board's 
remediation determination, notwithstanding section 104(g)(2) of 
Sarbanes-Oxley.
    Moreover, public disclosure of portions of Form QC may in some 
cases be subject to other legal constraints imposed by Sarbanes-Oxley. 
Depending on how a QC deficiency has come to light, certain information 
contained within a Form QC might be confidential pursuant to section 
105(b)(5)(A) of Sarbanes-Oxley, which addresses documents and 
information prepared or received by or specifically for the Board

[[Page 49684]]

in connection with an inspection or investigation.\327\ Additionally, 
Form QC requires firms to report on remedial actions that in certain 
(though likely rare) circumstances may be subject to laws relating to 
the confidentiality of proprietary, personal, or other information, or 
might reasonably be identified by a firm as proprietary. In such a 
scenario, the Board, in accordance with section 102(e) of Sarbanes-
Oxley, would need to honor a firm's properly substantiated request for 
confidential treatment of such information.\328\
---------------------------------------------------------------------------

    \327\ See section 105(b)(5)(A) of Sarbanes-Oxley, 15 U.S.C. 
7215(b)(5)(A).
    \328\ See section 102(e) of Sarbanes-Oxley, 15 U.S.C. 7212(e); 
PCAOB Rule 2300(b).
---------------------------------------------------------------------------

    The Board also believes that firms may be in a better position to 
report fully and candidly to the PCAOB about their annual evaluation--
more effectively supporting both their own remediation efforts and 
PCAOB oversight activities--if they are confident that the information 
would be understood and used in the context of a broader understanding 
of their overall audit practice and an ongoing dialogue between the 
firm and the PCAOB.
    Accordingly, the Board adopted Form QC as a nonpublic form, as 
proposed.
    To that end, the Board adopted new PCAOB Rule 2203A, which 
establishes the Form QC reporting requirement and specifies that the 
Board will not make a filed Form QC or the contents thereof (including 
any amendment thereto) public.\329\ The rule does not, however, 
prohibit a firm from voluntarily disclosing its Form QC or the contents 
thereof to the public or to particular stakeholders. Nor does the rule 
prohibit the PCAOB from sharing Form QCs or their contents and related 
documentation with the SEC or other entities, consistent with Sarbanes-
Oxley.\330\ The rule expressly provides that Form QCs and their 
contents may be publicly disclosed in enforcement proceedings.\331\
---------------------------------------------------------------------------

    \329\ Sections 102(b)(2) and (d) of Sarbanes-Oxley authorize the 
Board to adopt rules requiring firms to periodically update the 
information contained in their registration applications or provide 
to the Board information as necessary or appropriate in the public 
interest or for the protection of investors. See section 
102(b)(2)(D), (b)(2)(H), and (d) of Sarbanes-Oxley, 15 U.S.C. 
7212(b)(2)(D), (b)(2)(H), and (d). section 102(e) of Sarbanes-Oxley, 
in turn, permits the Board to designate in its rules the portions of 
registration applications and annual reports that will be made 
available for public inspection (subject to applicable laws relating 
to the confidentiality of proprietary, personal, or other 
information, and provided that the Board shall protect from public 
disclosure information reasonably identified by the firm as 
proprietary information). See section 102(e) of Sarbanes-Oxley, 15 
U.S.C. 7212(e); see also PCAOB Rule 2300(a)(2) (providing that forms 
filed pursuant to Part 1 or Part 2 of Section 2 of the Board's rules 
will be publicly available ``except to the extent otherwise 
specified in the Board's rules or the instructions to the form'').
    \330\ See, e.g., section 105(b)(5)(B) of Sarbanes-Oxley, 15 
U.S.C. 7215(b)(5)(B).
    \331\ On Form QC, firms may elect to request notification from 
the Board if the Board is requested by legal subpoena or other legal 
process to disclose information contained in Form QC. The Board will 
make reasonable efforts to honor such a request. This notification 
process does not apply to the PCAOB's or the SEC's use of Form QC or 
its contents in an enforcement proceeding, because those scenarios 
do not involve Board disclosure of Form QC information in response 
to a legal subpoena or other legal process.
---------------------------------------------------------------------------

    One commenter noted that Form QC or its contents may not be 
relevant to all enforcement proceedings and suggested that the Board 
explicitly clarify in the final standard that the Form QC may become 
public as part of an enforcement proceeding where Form QC or its 
content is relevant to the respective enforcement proceeding. The Board 
does not believe that such a clarification is necessary. When a Form QC 
or its content is relevant to an enforcement proceeding, it would be 
admissible, and when it is not relevant to an enforcement proceeding, 
PCAOB adjudication rules already specify that it shall be 
excluded.\332\
---------------------------------------------------------------------------

    \332\ See PCAOB Rule 5441, Evidence: Admissibility.
---------------------------------------------------------------------------

    The rule also provides that the Board may publish Form QC 
information in summaries, compilations, or other general reports, 
provided that the firm or firms to which particular Form QC information 
relates are not identified (unless the information has previously been 
made public by the firm or firms involved or by other lawful means). 
Two commenters suggested that the Board could publish Form QC 
information in summaries, compilations, or other general reports, 
provided that the firms are not identified. However, another commenter 
did not support aggregated anonymized information and suggested that 
this would depart from the spirit and letter of the confidentiality 
provisions of Sarbanes-Oxley. The Board believes that summaries, 
compilations, or general reports that present relevant QC-related 
information on an aggregated and anonymized basis may provide useful 
insight to investors, audit committees, firms, and other stakeholders 
about firm QC systems, the implementation of QC 1000, and related 
matters. The Board also continues to believe that presenting such data 
on an aggregated and anonymized basis would not run afoul of any 
limitations of Sarbanes-Oxley.\333\
---------------------------------------------------------------------------

    \333\ For comparison, see PCAOB Rule 4010, Board Public Reports, 
which provides, in pertinent part, that the Board may publish 
summaries, compilations, or other general reports concerning the 
findings and results of its inspections, including discussion of QC 
criticisms or potential QC defects, provided that no such published 
report shall identify the firm or firms to which such criticisms 
relate, or at which such defects were found, unless that information 
has previously been made public in accordance with PCAOB Rule 4009, 
by the firm or firms involved, or by other lawful means.
---------------------------------------------------------------------------

    While firm reporting on Form QC will be nonpublic due to the 
aforementioned legal constraints and policy considerations, the Board 
notes that other aspects of QC 1000 and related requirements promote 
transparency about firm QC systems within the confines of those 
constraints. For example, the PCAOB has observed the emerging practice 
of firm transparency reporting, including that the nature and content 
of these reports continues to evolve and expand in response to market 
demand. Advances in thinking about firm and engagement metrics could 
also affect what financial statement users demand and what firms could 
usefully provide. QC 1000 requires that the QC system operate over any 
public reporting that firms do provide, including any public reporting 
of metrics. Firms have to establish a specific quality objective with 
regard to their public reporting, including that any firm-level or 
engagement-level information with respect to the firm's audit practice, 
firm personnel, or engagements communicated to external parties be 
accurate and not misleading, and--as with any quality objective--they 
have to monitor their performance in relation to that objective and 
remediate identified deficiencies.
    As part of their annual reporting on Form 2, all registered firms 
will also be required to provide an annual confirmation with regard to 
the design of their QC system under QC 1000 and whether they were 
required to implement and operate the QC system. The Board believes an 
annual confirmation will be a useful reminder to all firms of their 
responsibilities regarding the design, implementation, and operation of 
an effective QC system. The Board also believes that the public will 
benefit from being able to determine whether a particular firm has been 
required to implement and operate its QC system from year to year. Such 
information on Form 2 will be publicly available on the PCAOB website 
and will be accessible to investors and other financial statement 
users, audit committees, and other stakeholders. It will also inform 
PCAOB oversight efforts.
    To accompany the changes to Form 2, a similar confirmation has been 
added to the application for PCAOB

[[Page 49685]]

registration, Form 1. The Board believes such a confirmation will 
appropriately put applicants on notice of their obligations with 
respect to their QC systems, which would apply from and after the time 
that their registration is approved.
iii. Certification of the Evaluation of the Firm's QC System by Firm 
Leadership
    As proposed, the Board required that both the individual assigned 
ultimate responsibility and accountability for the QC system as a whole 
and the individual assigned operational responsibility and 
accountability for the firm's QC system as a whole (the ``QC 
certifiers'') certify the firm's report to the PCAOB on the evaluation 
of its QC system.\334\ Several commenters were supportive of the 
certification requirement, including a commenter that stated that 
individual certifications are likely to focus the mind and it seems 
likely that improvements will be seen as a result of such a 
requirement.
---------------------------------------------------------------------------

    \334\ See QC 1000.14d and .15b.
---------------------------------------------------------------------------

    Some commenters opposed the certification requirement, saying it 
adds little value to the evaluation of the QC system, may not provide a 
full view of the subject matter it purports to be certifying to and may 
create an unjust reliance by a third party on the certification, or is 
an ineffective incentive for making quality control a higher priority 
within a firm. Another suggested that while certification may sharpen 
an individual's sense of accountability, this may not necessarily lead 
to and cannot guarantee enhanced engagement quality. Another commenter 
suggested that certification requirements could act as a barrier to 
registration for firms operating in environments in which there are no 
Sarbanes-Oxley style reporting requirements,\335\ and that it could 
have a disproportionate impact on smaller firms.
---------------------------------------------------------------------------

    \335\ Under SEC rules adopted pursuant to section 302 of 
Sarbanes-Oxley, CEOs and CFOs of issuers are required to certify, 
for each quarterly or annual report of the issuer, among other 
things, that (1) they have reviewed the report; (2) based on the 
officer's knowledge, the report does not contain any untrue 
statement of a material fact or omit to state a material fact 
necessary to make the statements made not misleading; (3) based on 
the officer's knowledge, the financial statements and other 
financial information included in the report fairly present in all 
material respects the financial condition and results of operations 
of the issuer; (4) they (a) are responsible for establishing and 
maintaining internal control over financial reporting, (b) have 
designed ICFR to ensure that material information is made known to 
them, (c) have evaluated the effectiveness of ICFR, and (d) have 
presented their conclusions about the effectiveness of ICFR in the 
report; and (5) they have disclosed to the issuer's auditors and 
audit committee any significant deficiencies in ICFR and any fraud 
involving management or others involved with ICFR. See 17 CFR 
240.13a-14(a), 240.15d14(a).
---------------------------------------------------------------------------

    The Board continues to believe that, analogous to the CEO and CFO 
certifications required under Sarbanes-Oxley, certification of Form QC 
will lead to increased discipline in the evaluation process and will 
reinforce the accountability of the certifying individuals, which in 
turn should improve the quality of the firm's evaluation. The text of 
the certification, which is unchanged from the proposal, appears in 
Item 3.2 of Form QC. That item requires certification of certain 
information regarding the design and evaluation of a firm's QC system, 
including that each QC certifier reviewed the Form QC and that the 
disclosures made in the Form QC are complete and accurate in all 
material respects to the individual's knowledge.\336\
---------------------------------------------------------------------------

    \336\ See e.g., Daniel A. Cohen, Aiyesha Dey, and Thomas Z. Lys, 
Corporate Governance Reform and Executive Incentive: Implications 
for Investments and Risk Taking, 30 Contemporary Accounting Research 
1298 (2013) (finding that their sample of firms significantly 
reduced investments in risky projects in the period following SOX); 
Hsihui Chang, Jengfang Chen, Woody M. Liao, and Birendra K. Mishra, 
CEOs'/CFOs' Swearing by the Numbers: Does it Impact Share Price of 
the Firm?, 81 The Accounting Review 22 (2006) (concluding that the 
SEC order requiring filing of sworn statements by CEOs and CFOs had 
a positive effect on the market value of certifying firms); Gerald 
J. Lobo and Jian Zhou, Did Conservatism in Financial Reporting 
Increase after the Sarbanes-Oxley Act? Initial Evidence, 20 
Accounting Horizons 57 (2006).
---------------------------------------------------------------------------

    As proposed, the final rules require certification from both the 
individual assigned ultimate responsibility and accountability for the 
QC system (i.e., the firm's principal executive officer(s)) and the 
individual assigned operational responsibility and accountability for 
the QC system. One commenter suggested that certification be required 
only from the individual with ultimate responsibility and 
accountability for the firm's QC system on the basis that, in the event 
of differences of opinion between the two certifiers, the individual 
responsible for the operational responsibility and accountability for 
the QC system could be subject to excessive pressure from the firm's 
principal executive officer. However, under EI 1000, certifiers will be 
subject to a duty to act with integrity, which includes not 
subordinating their professional judgment, and the individual with 
ultimate responsibility and accountability for the firm's QC system 
will have a number of obligations (for example, under QC 1000.14a.) 
that are inconsistent with the exercise of undue influence over a 
subordinate.
    The Board does not require similar certifications from other 
personnel in the QC system, but firms may choose to institute policies 
that require levels of certification internal to the firm to assist 
those certifying Form QC.
    Some commenters raised concerns about the potential liability of 
the QC certifiers. Several requested clarification on whether the QC 
certifiers could be held personally liable for an inaccurate statement 
only if they made the statement knowing it was false or recklessly not 
knowing it was false. One of these commenters further stated it had 
concerns about the potential for unnecessary and excessive liability 
that the certification could impose upon the QC certifiers, and the 
effect that this could have on firms' ability to recruit qualified 
professionals to serve. The commenter further suggested that the final 
adopting release expressly state that while the QC certifiers are 
responsible for exercising professional competence in connection with 
the design and operation of the firm's QC system (and may face 
consequences for failure to do so), the QC certifiers shall not be held 
responsible for inevitable system errors or the wrongful acts of others 
which may, in limited circumstances, overcome the best of those 
efforts.
    If a QC certifier fails to certify the firm's Form QC, such conduct 
would constitute a violation of the individual's obligation under 
either paragraph .14d or .15b of QC 1000, as applicable to the 
particular individual. The Board believes this requirement is important 
for creating accountability within the firm to achieve the reasonable 
assurance objective.
    Beyond that, QC certifiers' potential liability for statements 
contained within the Form QC certification is informed by the 
particular language of those statements. Certain statements in the 
certification reflect objective facts that the Board believes are 
readily knowable by the individual. Paragraph 1 of the certification, 
for instance, recites that the individual reviewed the firm's report on 
Form QC. Paragraph 3(a) of the certification contains an 
acknowledgement that the individual is responsible and accountable for 
the firm's QC system as a whole and has designed, or caused to be 
designed, the QC system to ensure that it meets QC 1000's reasonable 
assurance objective. Notably, this paragraph is not tantamount to a 
certification that the firm's QC system in fact meets QC 1000's 
reasonable assurance objective; on the contrary, Form QC contemplates 
that a firm might conclude, and report on its certified Form QC, that 
its QC

[[Page 49686]]

system is not effective. Rather, in paragraph 3(a), the QC certifiers 
acknowledge their role in designing (or causing to be designed) the 
firm's QC system. Paragraph 3(b) of the certification states that the 
individual evaluated the effectiveness of the firm's QC system and has 
presented in Form QC the conclusions reached. With respect to each of 
these statements in the Form QC certification, the Board believes that 
the QC certifiers can and should reach a conclusion about their 
accuracy through the exercise of due professional care. In light of the 
nature of these statements, the Board does not agree with the 
commenters that a showing of recklessness or knowing misconduct is 
necessary to establish a violation with respect to these aspects of the 
Form QC certification.
    The other statements in the Form QC certification are subject to 
knowledge qualifiers. In paragraph 2, the QC certifier states that the 
disclosures made in Part II of Form QC regarding the evaluation of the 
effectiveness of the firm's system of quality control are complete and 
accurate in all material respects ``[b]ased on my knowledge.'' 
Similarly, paragraph 3(c) states that the QC certifier has disclosed, 
based on the evaluation of the QC system, all unremediated QC 
deficiencies ``of which I am aware.'' These statements would be 
inaccurate, and the QC certifier's certification would therefore 
constitute violative conduct, only if they were knowingly false (if the 
QC certifier knew that Part II was not complete and accurate in all 
material respects, or if the QC certifier was aware of undisclosed 
unremediated QC deficiencies), or if they were made recklessly not 
knowing they were false.
    One commenter suggested that the certification say ``to the best of 
my knowledge'' rather than ``based on my knowledge,'' and another 
commenter suggested that the wording of the certification be updated to 
``in my capacity as the individual assigned [ultimate/operational] 
responsibility'' rather than ``who have been assigned [ultimate/
operational] responsibility.'' After consideration of these comments, 
the Board believes that the proposed language is clear, appropriate, 
and likely to be easily understood, and does not believe that the 
proposed certification text requires amending.
    One commenter did not support the clause in the proposed 
certification that states that the firm has disclosed all unremediated 
quality control deficiencies. The commenter, while acknowledging that 
this statement is subject to a knowledge qualifier, suggested that this 
certification could lead to unnecessary disputes over what the QC 
certifiers should have known in a particular circumstance and suggested 
that obtaining a certification from the firm (not the individual) may 
sufficiently address this item without discounting the standards to 
which auditors are held. As discussed above, the inclusion of ``of 
which I am aware'' in paragraph 3(c) of certification means that 
liability would arise with respect to that paragraph only if the QC 
certifier made the statement knowing it was false or recklessly not 
knowing it was false.
    Another commenter also suggested that the standards clarify that 
such certification relates to the ``firm's evaluation'' of its QC 
system, and not a specific individual's evaluation of the quality 
management system. As reflected in paragraph .77 of QC 1000, the annual 
evaluation is conducted by the firm, but the firm, as a legal entity, 
acts through individuals, and the QC certifiers are the individuals 
who, under the standard, are responsible and accountable for the QC 
system as a whole and are required to certify the firm's report to the 
PCAOB on its annual evaluation.
    Another commenter asserted that the text of the certification 
suggests that a certifying individual should be considered to have 
violated QC 1000 only to the extent that the inaccuracy in a submitted 
certification is material to an investor's or reasonable auditor's 
understanding of the QC system as a whole, and asked that the Board 
confirm that is the case. The Board does not agree with this 
characterization of Form QC. Some statements in Form QC, such as the 
one in paragraph 2, are expressly conditioned on materiality, while 
other statements, such as that in paragraph 3(b), are not.
    One commenter suggested that creating a potential Sarbanes-Oxley 
type certification for privately held accounting firms and making this 
available to the public could create market confusion as to what 
exactly is being certified and the level of reliance users should place 
on such a certification. The certification does not contain the outcome 
of the firm's annual evaluation of its QC system or identify any 
unremediated QC deficiencies, but rather certifies the completeness and 
accuracy of the information being reported to the PCAOB on Form QC. 
That information is set forth elsewhere in Form QC and, as explained 
above, that information is treated as nonpublic. Because the certified 
information is treated as nonpublic, the Item 3.2 certifications are 
likewise treated as nonpublic; in the Board's view, the certifications 
do not present a full or useful picture of a firm's QC system without 
the underlying information.
iv. Requirement for Form QC Amendments
    The proposed general instructions for Form QC included provisions 
detailing when amendments of Form QC should be filed. Those 
instructions indicate that Form QC should be amended only to correct 
information that was incorrect at the time that the form was filed or 
to provide information that was omitted from the form and was required 
to be provided at the time the form was filed. The Board considered 
commenters' feedback, and retained the language regarding amendments in 
the proposed general instructions for Form QC, which mirrors the 
standard for amending certain other PCAOB forms.
    Two commenters requested clarification on how firms should consider 
information that comes to their attention after the evaluation date or 
the reporting date that is relevant to the firm's conclusion on Form 
QC, including how this interacts with relevant provisions in proposed 
EI 1000. Other commenters suggested that revisions to Form QC not be 
required for inconsequential matters. Other commenters requested 
guidance on when an amendment to Form QC would be required, and some 
suggested that a threshold be developed for potential amendments.
    QC 1000 requires firms to conduct the annual evaluation of their QC 
system's effectiveness as of September 30 and to file their report on 
Form QC regarding that evaluation by November 30. Consequently, annual 
evaluations under QC 1000 should conclude sometime between October 1 
and November 30 of each year. Information that relates to the firm's QC 
system as of the evaluation date (September 30), and that comes to the 
firm's attention after the evaluation date but before the firm has 
filed Form QC, should be factored into the firm's evaluation and 
reflected, if and as appropriate, in Form QC. In contrast, any 
information that relates to the firm's QC system as of the evaluation 
date, but that comes to the firm's attention after the firm has filed 
its Form QC, would not need to be reflected on Form QC or on an 
amendment to Form QC (although it may constitute a QC observation to be 
considered in the next annual evaluation of the QC system).
    In other words, Form QC captures, and conveys to the Board, the 
conclusions reached by the firm as a result of its completed annual 
evaluation, and that evaluation cannot disregard information that comes 
to light before Form QC has been filed.

[[Page 49687]]

Therefore, when Form QC is filed, it should be complete and accurate as 
of the date of its filing. Similar to PCAOB staff guidance on Form 2 
reporting,\337\ if a firm discovers that it provided incorrect 
information in a filed Form QC or omitted information that should have 
been included based on information that the firm was aware of at the 
time of filing, then the firm should file an amended Form QC. That 
amendment obligation is not subject to any materiality or other 
thresholds, because the Board believes it is entitled to receive Form 
QCs that contain information that is correct and that do not omit 
information that was required to be provided. The Board does not 
believe that any of the information on Form QC is inconsequential.
---------------------------------------------------------------------------

    \337\ See Staff Questions and Answers Annual Reporting on Form 
2, at Q34, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/registration/rasr/documents/staff_qa-annual_reporting.pdf?sfvrsn=5e7259ff_0.
---------------------------------------------------------------------------

v. Reporting to the Audit Committee
    In connection with the proposal of QC 1000, the Board also proposed 
amendments to AS 1301, Communications with Audit Committees, which 
contemplated communication to the audit committee of certain 
information about the firm's most recent evaluation of its QC system. 
Several commenters supported the amendments as proposed. Other 
commenters supported limiting the communications to the conclusion of 
the annual evaluation or limiting communication of deficiencies to only 
major QC deficiencies. One commenter expressed concern with reporting 
to audit committees about all unremediated QC deficiencies that exist 
as of the evaluation date, in part because of the interaction of such 
communications with the confidentiality restrictions under section 
105(b)(5)(A) of Sarbanes-Oxley. The commenter further suggested that 
requiring all QC deficiencies to be communicated would create more 
extensive communication requirements for firms related to QC 
deficiencies than what auditors are required to communicate to audit 
committees in an audit of ICFR, and in addition, this approach would 
differ from management's external reporting on its ICFR to its 
stakeholders, which solely discloses deficiencies that are material 
weaknesses.
    One commenter asserted that audit committees are likely to find 
more value in understanding quality matters specific to the engagement 
and having a broader dialogue about the firm's approach to quality 
control. Two commenters argued that a firmwide report on audit quality 
would have little utility to each individual audit committee. One of 
these commenters suggested instead that audit committees would be more 
influenced by an independent verification of the QC system such as the 
PCAOB inspection report on their auditor, and information relating to 
the auditor's performance on their engagement, including audit quality 
indicators. The other commenter recommended that firms report relevant 
human resource metrics to the audit committee and explain what was done 
to assure audit quality was not compromised. One commenter asserted it 
could be extremely challenging for audit committees to understand and 
reconcile the information that would be communicated to them under the 
proposed changes to AS 1301, especially given the considerable time 
period between the issuance of public portions of firm inspection 
reports and the potential release of nonpublic inspection findings. One 
commenter did not support the requirement to disclose a firm's QC 
deficiencies to audit committees, and stated that QC deficiencies may 
have little to no impact on a given reporting issuer's audit or that 
area of the firm's practice. Another commenter questioned whether or 
not the audit committee would be inclined to seek a new auditor based 
only on a firm-wide evaluation of quality control furnished to the 
audit committee by the auditor. One commenter was generally supportive 
of the requirements but expressed concern with the timing of the 
required communication due to existing important year-end 
communications. The commenter expressed concern that not communicating 
QC deficiencies known at a January 15 reporting date could potentially 
introduce legal considerations that could place tension on the 
engagement team and the firm's obligation to comply with other existing 
required communications under AS 1301. One commenter recommended 
specifying that this communication is not required to be in writing due 
to confidentiality concerns, and two commenters did not support any 
required communication of the annual evaluation of the QC system to the 
audit committee.
    One commenter asserted that requiring firms to communicate to audit 
committees about their most recent annual QC evaluations is 
inconsistent with the Congressional balance struck in Sarbanes-Oxley 
section 104(g)(2). In addition, the commenter suggested that the 
requirement indirectly regulates the actions of audit committees and 
imposes a fiduciary duty of care on audit committees, regardless of 
whether quality control issues relate to the performance of the 
engagement, which is beyond the scope of the PCAOB's jurisdiction. 
Another commenter asserted that the proposed communication could also 
be construed as contradictory to the PCAOB's conclusion that Form QC 
would be treated as nonpublic.
    Several commenters were concerned about the proposed requirement to 
discuss remedial actions taken and to be taken, and suggested that some 
of this information may be protected by section 104(g)(2) or section 
105(b)(5)(A) of Sarbanes-Oxley. One commenter suggested that the 
communication of a brief overview of remedial actions taken or to be 
taken should only be required upon the determination that substantial 
good faith progress has not been made on the remedial actions.
    After consideration of the comments received, the Board determined 
not to adopt the proposed amendments to AS 1301. Although the Board 
continues to believe that firms could communicate the overall 
conclusion of their annual evaluation and their planned remedial 
actions to audit committees without expressly disclosing information 
subject to section 104(g)(2) or section 105(b)(5)(A) of Sarbanes-Oxley, 
the Board recognizes that such a disclosure obligation could present 
implementation challenges. Specifically, and as discussed in more 
detail above, there may be challenges associated with compelling firms 
to publicly disclose certain information about their QC systems while 
simultaneously preserving their ability not to disclose other related 
information that may be subject to confidentiality protections, 
privileges, or prescribed disclosure procedures under Sarbanes-Oxley. 
The Board believes that the same challenges could arise if firms were 
compelled to make disclosures to audit committees.
    The Board also recognizes that firms and audit committees have 
direct interaction, so while PCAOB standards do not require firms to 
make disclosures to audit committees, an audit committee may ask a firm 
to voluntarily disclose information about its QC system. As the Board 
has previously noted, such inquiries could include requesting the firm 
to keep the audit committee apprised of the status of the quality 
control remediation process (including whether the firm made a 
submission to the Board responding to inspection report quality control 
criticisms by the 12-month deadline) and whether the

[[Page 49688]]

Board has made a final remediation determination (including a negative 
determination that has not yet become public).\338\
---------------------------------------------------------------------------

    \338\ See Information for Audit Committees about the PCAOB 
Inspection Process, PCAOB Rel. No. 2012-003, at 11 (Aug. 1, 2012), 
available at https://pcaobus.org/Inspections/Documents/Inspection_Information_for_Audit_Committees.pdf.
---------------------------------------------------------------------------

2. Current PCAOB Sstandards
    Current PCAOB QC standards do not require firms to evaluate their 
QC systems or to report on any such evaluations. As previously noted, 
some firms conduct evaluations and share their results in published 
reports, either voluntarily or under other regulatory requirements.

Documentation

    Documentation supports a firm's QC system in a number of ways. It 
helps provide clarity around roles and responsibilities and the firm's 
policies and procedures, which promotes consistent compliance by firm 
personnel and other participants. Documentation enables proper 
monitoring and supports the evaluation and continuous improvement of a 
firm's QC system. It makes it easier to train firm personnel and other 
participants and facilitates the retention of organizational knowledge, 
providing a history of the basis for decisions made by the firm about 
its QC system. Further, documentation assists others conducting reviews 
of the firm's QC system by providing evidence of the system's design, 
implementation, and operation. Current PCAOB standards provide only 
general direction on the nature and extent of QC documentation and 
specific requirements for documentation of certain items.\339\
---------------------------------------------------------------------------

    \339\ See, e.g., QC 20.21, .24-.25.
---------------------------------------------------------------------------

    Through its oversight activities, the PCAOB has observed that the 
nature and extent of firms' documentation of their QC systems vary 
greatly. Some firms have detailed documentation for all areas of their 
QC systems. Other firms have significantly less documentation. For 
example, some firms have documentation only in areas that have been 
subject to PCAOB inspections, such as remediation, root cause analysis, 
or internal inspections. QC 1000 establishes more comprehensive 
requirements for firms to document their QC systems.
1. QC 1000
    The proposal included an overarching documentation requirement that 
captured the design, implementation, and operation of the firm's QC 
system and the annual evaluation of the QC system. The scope of that 
requirement was then specified in proposed paragraphs .82 and .83.
    The documentation of the design and implementation of the QC system 
captures decisions made regarding ``the who, what, when, where, why, 
and how'' of the QC system. This aspect of documentation will help firm 
personnel and others understand what is expected of them in fulfilling 
their responsibilities and support consistent implementation and 
operation of the firm's QC system. For example, documentation of the 
design of policies and procedures regarding general and specific 
independence matters would enable a consistent understanding by firm 
personnel and others about who is responsible for what, when the 
responsibilities are triggered, and why certain actions are 
necessary.\340\ Such documentation will allow for consistent actions by 
firm personnel and others in implementing the design of those policies.
---------------------------------------------------------------------------

    \340\ See, e.g., QC 1000.33-.34.
---------------------------------------------------------------------------

    The documentation of the operation of the firm's QC system enables 
the firm to determine if the policies and procedures were operated in 
the manner that the firm intended.\341\ It would also provide evidence 
of compliance with the specified quality responses and other 
requirements of QC 1000. For example, it would provide evidence of how 
the firm complied with specific communication requirements related to 
the operation of the firm's QC system and the performance of its 
engagements \342\ and whether the quality responses implemented by the 
firm operated as designed.
---------------------------------------------------------------------------

    \341\ Firms that are not required to implement and operate their 
QC system would not be expected to have anything to document with 
respect to the operation of the QC system.
    \342\ See, e.g., QC 1000.55-.57.
---------------------------------------------------------------------------

    The Board received no comments on the general obligation to prepare 
and retain documentation regarding the QC system and paragraph .81 was 
adopted as proposed. The comments received regarding the scope of the 
proposed documentation requirement are addressed below, in connection 
with the discussion of paragraphs .82 and .83.
    The proposal included a list of specific matters that firms would 
be required to document. Documentation of the lines of responsibilities 
and supervision within the QC system should reduce operational 
ambiguity and provide clarity about who within the firm is accountable 
for various firm supervisory responsibilities within the firm's QC 
system. One firm suggested that the phrase ``successive senior levels'' 
may not be clear. As discussed in more detail above, under QC 1000.27, 
the firm should establish and maintain clear lines of responsibility 
and supervision--including defining authorities, responsibilities, 
accountabilities, and supervisory and reporting lines for roles within 
the firm, up to and including the principal executive officer(s)--
within the QC environment. A description of these successive lines of 
responsibility and supervision must be included in the documentation of 
the QC system, and a reference to paragraph .27 was added to clarify 
that point.
    The requirement for the firm to document aspects of its risk 
assessment process ensures that the firm will have adequate evidence to 
support its annual risk assessment. Specifically, the firm is required 
to document identified quality risks, reasons these risks were 
identified, and policies and procedures the firm had put in place in 
response. This documentation is valuable in subsequent risk assessments 
and could help to support decisions about, for example, whether to 
establish additional quality objectives, identify new or modified 
quality risks, or design and implement new quality responses.
    The requirements for the firm to document aspects of its monitoring 
and remediation process will also support its monitoring and 
remediation activities. For example, a firm's documentation of 
engagement and QC system-level monitoring activities performed, its 
evaluation of the results of those monitoring activities, actions taken 
to address engagement deficiencies, and identified QC deficiencies 
would demonstrate the firm's approach to complying with certain 
requirements of the standard for the monitoring and remediation process 
component. This documentation will also assist the firm in monitoring 
its monitoring and remediation process and in making its annual 
evaluation of the effectiveness of the QC system pursuant to paragraph 
.77.
    The standard also requires the firm to document the basis for the 
conclusion it reached in evaluating the effectiveness of its QC system 
pursuant to paragraph .77. This documentation provides evidence of the 
decisions made in reaching the conclusion about the effectiveness of 
the firm's QC system, which may be valuable in future evaluations and 
in establishing compliance with the firm's reporting obligations to the 
PCAOB.
    The standard requires the firm to document certain matters if the 
firm uses resources or services provided by a network or a third-party 
provider in the firm's QC system or the performance

[[Page 49689]]

of the firm's engagements. When a firm uses resources or services 
provided by a network or a third-party provider, the standard requires 
the firm to document how the resources or services are developed and 
maintained and, if such services or resources were supplemented or 
adapted, how and why they were supplemented or adapted. Firms will also 
have to document how the resources or services were implemented and 
operated. Documentation of such matters will serve as evidence of 
decisions made regarding resources or services used by the firm.
    Some networks or third-party providers may provide documentation 
about their services or resources to the firm. For example, the firm 
may obtain an understanding of how the resources were developed and 
maintained by the network through documentation provided by the 
network. This documentation may need to be supplemented by the firm 
depending on various factors, including the extent of the documentation 
provided and whether the firm supplements or adapts the resource or 
service.
    As discussed above, a reference to paragraph .27 was added to 
paragraph .82a. to clarify that a description of the successive lines 
of responsibility and supervision must be included in the documentation 
of the QC system. Paragraph .82 was otherwise adopted as proposed.
    Requiring documentation to be in sufficient detail to support a 
consistent understanding of the QC system by firm personnel, including 
an understanding of their roles and responsibilities with respect to 
the firm's QC system, will help to clarify the firm's expectations of 
its personnel and promote consistent compliance with the firm's QC 
policies and procedures.
    One firm expressed concern that this ``consistent understanding'' 
threshold may not be easily understood. The Board believes that firms 
will be able to determine the nature and extent of the documentation 
needed to facilitate a consistent understanding by firm personnel based 
on the functioning of their QC system. Based on the requirements in 
paragraph .83a, firms would initially determine the appropriate level 
of detail of documentation based on the experience they already have in 
implementing and operating a QC system under current standards and 
whether their personnel understand their roles and responsibilities, 
and modify documentation as needed over time based on their monitoring 
and remediation activities and the results of their QC system 
evaluations.
    As described previously, documentation supports a firm's QC system 
in a number of ways. For example, it provides clarity around the firm's 
policies and procedures, enables proper monitoring, and supports the 
evaluation and continuous improvement of a firm's QC system. 
Documentation also facilitates the retention of organizational 
knowledge, providing a history of the basis for decisions made by the 
firm about its QC system. Further, it assists others conducting reviews 
of the firm's QC system by providing evidence of the system's design, 
implementation, and operation.
    In particular, the Board believes that appropriate documentation of 
the QC system is necessary for the PCAOB to fulfill its statutory 
mandate to protect investors and the public interest. Sarbanes-Oxley 
requires that, in conducting an inspection of a registered public 
accounting firm, the PCAOB evaluates the sufficiency of the quality 
control system of the firm and the manner of the documentation and 
communication of that system by the firm.\343\ Sarbanes-Oxley further 
authorizes the PCAOB to perform such other testing of quality control 
procedures as are necessary or appropriate in light of the purpose of 
the inspection and the responsibilities of the Board.\344\ In addition, 
the Board's rules provide that a regular inspection will include, but 
is not limited to, the steps and procedures as specified in sections 
104(d)(1) and (2) of Sarbanes-Oxley and any other tests of the audit, 
supervisory, and quality control procedures of the firm as the Director 
of the Division of Registration and Inspections or the Board determines 
appropriate.\345\ As part of the Board's inspection procedures, firms 
will be expected to provide the PCAOB with evidence relating to the 
effectiveness of the QC system.
---------------------------------------------------------------------------

    \343\ See section 104(d)(2) of Sarbanes-Oxley, 15 U.S.C 
7214(d)(2).
    \344\ See section 104(d)(3) of Sarbanes-Oxley, 15 U.S.C 
7214(d)(3); see also Rule 4001, Regular Inspections.
    \345\ See Rule 4001, Regular Inspections.
---------------------------------------------------------------------------

    Given that mandate, the level of documentation that would be 
sufficient to enable PCAOB inspectors to evaluate the effectiveness of 
a firm's QC system through an inspection may be different from the 
level of documentation that would be sufficient for the firm to support 
its annual evaluation. Under QC 1000, a firm must evaluate the 
effectiveness of its QC system based on the results of its monitoring 
and remediation activities,\346\ and firms can determine the nature, 
timing, and extent of QC system-level monitoring activities taking into 
account a number of factors.\347\ There could be certain quality 
responses, or certain instances of the operation of quality responses, 
that are not monitored by the firm within a given year and not 
considered in connection with the firm's annual evaluation. If the firm 
were required to prepare and retain documentation only to the extent 
related to its own annual evaluation, the firm might not prepare and 
retain documentation to evidence that these quality responses operated 
effectively. However, in light of the scope of the PCAOB's statutory 
mandate, its inspection procedures cannot be limited to quality 
responses (and, to the extent applicable, samples of the operation of 
quality responses) that the firm chose to monitor in the period. On the 
contrary, firms will be expected to provide evidence of the operating 
effectiveness of any quality responses selected for inspection in 
connection with the PCAOB's evaluation of the effectiveness of the 
firm's QC system.
---------------------------------------------------------------------------

    \346\ See QC 1000.77.
    \347\ See QC 1000.65.
---------------------------------------------------------------------------

    Therefore, the proposed standard contemplated that, in order to 
effectively support the firm's QC system, the documentation of the QC 
system needs to be at the level of detail to enable an experienced 
auditor that understands QC systems but has no experience with the 
design, implementation, and operation of the firm's QC system to 
understand the design, implementation, and operation of the QC system, 
including the quality objectives, quality risks, quality responses, 
monitoring activities, remedial actions, and basis for the firm's 
conclusions reached in the evaluation of the QC system (``experienced 
auditor threshold''). Incorporating the experienced auditor threshold 
when describing the extent of detail firms are required to document and 
maintain regarding their QC system is appropriate because that level of 
detail will facilitate the firm's monitoring activities and external 
monitoring, including PCAOB inspections conducted in accordance with 
Sarbanes-Oxley. Two firms agreed that the experienced auditor threshold 
was appropriate.
    Several commenters, including firms and a related group, argued 
that the proposed documentation requirements were too broad, and 
suggested a variety of different limitations to narrow their scope. 
Some firms suggested that the standard differentiate data relating to

[[Page 49690]]

the operation of the QC system from data relating to the design, 
implementation, and annual evaluation of the QC system, with a shorter 
retention period for the former. Other commenters, including firms and 
a related group, recommended that the documentation requirements be 
comparable to the documentation requirements that Sarbanes-Oxley 
imposes on issuers with regard to management's assessment of the 
effectiveness of the issuer's internal control over financial 
reporting.\348\ Another firm suggested that the documentation 
requirements be comparable and analogous to the documentation retention 
requirements set out in the SEC's rules for issuer audits and related 
interpretive guidance.\349\ One firm and a related group suggested that 
the documentation requirements be limited to the evidence to support 
the annual evaluation of the QC system and related monitoring. Two 
firms suggested that additional guidance or clarity would be necessary 
in order for firms to appropriately adopt documentation retention 
policies related to the operation of controls that meet the 
expectations of the proposed standard.
---------------------------------------------------------------------------

    \348\ See 17 CFR 229.308 (requiring issuers to maintain 
evidential matter, including documentation, to provide reasonable 
support for management's assessment of the effectiveness of ICFR).
    \349\ See 17 CFR 210.2-06(a) (requiring, for audits or reviews 
of an issuer's financial statements, retention of records relevant 
to the audit or review, including workpapers and other documents 
that form the basis of the audit or review, and memoranda, 
correspondence, communications, other documents, and records 
(including electronic records), which: (1) Are created, sent or 
received in connection with the audit or review, and (2) Contain 
conclusions, opinions, analyses, or financial data related to the 
audit or review).
---------------------------------------------------------------------------

    The Board does not believe that any of the more narrowly scoped 
documentation requirements suggested by commenters would be 
appropriate. QC 1000's documentation requirements need to be aligned 
with the PCAOB's mandate, provided by Congress, to ``evaluate the 
sufficiency of the quality control system of a firm'' through its 
inspection procedures.\350\ Therefore, the Board believes that it is 
imperative that documentation that enables the experienced auditor to 
evaluate the operation of the quality responses should be included in 
the documentation that is prepared and retained by the firm.
---------------------------------------------------------------------------

    \350\ See section 104(d)(2) of Sarbanes-Oxley, 15 U.S.C. 
7214(d)(2).
---------------------------------------------------------------------------

    To clarify the level of detail of the documentation relating to the 
operation of the QC system that is to be prepared and retained under QC 
1000, paragraph .83 was revised to include a note to .83b. stating that 
with respect to the operation of the QC system, the documentation must 
include documentation that enables the experienced auditor to evaluate 
the operation of the quality responses. As discussed in connection with 
paragraph .86 below, the Board continues to believe that all of the 
documentation required under the standard should be retained for seven 
years.
    Commenters also expressed concern that firms would be required to 
retain large volumes of documentation. Several commenters suggested 
that the costs associated with retaining documentation of the operation 
of the QC system would be burdensome, and some further commented that 
the data relating to the operation of the QC system could include 
sensitive data, and a requirement to prepare and retain all such data 
could also introduce heightened data security risks. One firm suggested 
the Board consider adding language that appears in SQMS 1 clarifying 
which matters require documentation, specifically referencing SQMS 1 
paragraphs A224 and A227.\351\
---------------------------------------------------------------------------

    \351\ Paragraph A224 of SQMS 1 states that it is neither 
necessary nor practicable for the firm to document every matter 
considered, or judgment made, about its system of quality 
management. Furthermore, compliance with this SQMS may be evidenced 
by the firm through its information and communication component, 
documents or other written materials, or IT applications that are 
integral to the components of the system of quality management. 
Paragraph A227 of SQMS 1 states that the firm is not required to 
document the consideration of every condition, event, circumstance, 
action, or inaction for each quality objective or each risk that may 
give rise to a quality risk. However, in documenting the quality 
risks and how the firm's responses address the quality risks, the 
firm may document the reasons for the assessment given to the 
quality risks (that is, the considered occurrence and effect on the 
achievement of one or more quality objectives) to support the 
consistent implementation and operation of the responses.
---------------------------------------------------------------------------

    In considering commenters' concerns that the documentation to 
support that the quality responses operated effectively in every 
instance would result in a substantial volume of documentation, the 
Board believes that the ability to effectively monitor whether the 
firm's quality responses are properly designed and operating 
effectively should not be restricted by the documentation requirements 
of the standard. Furthermore, the Board believes that the new note to 
paragraph .83b clarifies that the firm need not prepare and retain 
excessively voluminous documentation of the day-to-day operation of 
every action of its QC system, provided the information is not required 
to satisfy the requirements of paragraphs .82-.83.
    The Board believes that the extent of documentation sufficient to 
evidence whether the quality responses operated effectively would scale 
with the size of the firm's PCAOB practice and the risks and 
complexities of their engagements and, in turn, the assessed quality 
risks and the quality responses established to address them. Therefore, 
the documentation requirements of the standard should be less costly 
and burdensome for firms with smaller PCAOB audit practices, which the 
Board believes is appropriate.
    In addition, firms are able to evaluate the nature and extent of 
the documentation that is necessary to evidence the operation of the 
quality responses. In determining the sufficiency of the detail and 
extent of the QC documentation, the firm may identify quality responses 
for which the evidence required to be able to demonstrate that the 
quality response operated effectively may not entail retention of all 
the information produced in the day-to-day operation of the QC system. 
For example, in the event that a large volume of automated emails sent 
by the firm to its employees are evidence supporting that a quality 
response operated, the firm could evaluate whether alternative evidence 
(such as email delivery reports or other aggregated data) would provide 
sufficient support regarding the operation of the quality response--
without having to prepare and retain all of the individual emails 
within the QC documentation. In addition, to the extent that the 
operation of the firm's QC system includes sensitive data, the firm has 
flexibility to not include the sensitive data fields in the 
documentation that is prepared and retained to the extent that they are 
not necessary to evidence that the quality response operated 
effectively. Furthermore, informed by its oversight activities, the 
PCAOB has observed that firms currently archive and retain 
documentation for extended periods of time and are able to implement 
processes to appropriately safeguard the information. The PCAOB has 
also observed instances where firms have migrated systems and still 
maintained the appropriate documentation through archives or through 
migration of the information onto the new systems.
    As the note to paragraph .83b makes clear, documentation of every 
aspect of the operation of the firm's QC system may not be required to 
evidence that each quality response operated effectively. For example, 
there may be certain documentation, such as emails or meeting 
invitations that are sent as part of the day-to-day operation of the

[[Page 49691]]

QC system, that may not be necessary to enable an experienced auditor 
to evaluate the effective operation of the quality responses. In these 
circumstances, the firm may determine it is not required to prepare and 
retain this information within the documentation of its QC system. 
However, the Board also believes that there may be circumstances in 
which an email or meeting invitation needs to be retained because it 
evidences how a quality response operated to address a quality risk and 
is necessary to enable an experienced auditor to evaluate the operation 
of the quality response.
    Although some commenters suggested the documentation requirements 
be analogous to the SEC's ICFR documentation retention guidance, the 
Board does not believe that is an appropriate threshold. The SEC's 
guidance indicates that management's documentation needs to provide 
``reasonable support'' for its ICFR assessment and that management's 
documentation need not include all controls that exist within a process 
that impacts financial reporting, but should be focused on those 
controls that management concludes are adequate to address the 
financial reporting risks.\352\ QC 1000 is not a ``reasonable support'' 
standard and instead requires documentation to understand how the 
firm's quality responses are designed to address the quality risks and 
evidence the operation of the QC system.
---------------------------------------------------------------------------

    \352\ See Commission Guidance Regarding Management's Report on 
Internal Control Over Financial Reporting Under section 13(a) or 
15(d) of the Securities Exchange Act of 1934, SEC Rel. No. 33-8810 
(June 27, 2007), available at https://www.sec.gov/files/rules/interp/2007/33-8810.pdf.
---------------------------------------------------------------------------

    The standard's approach to documentation requirements is 
principles-based and provides for scalability. When determining the 
form, content, and extent of documentation, the firm will consider, 
among other things, the nature and circumstances of the firm and the 
nature and complexity of the matter being documented. For example, for 
a large multi-office firm that performs many audits under PCAOB 
standards, the extent of documentation would be greater than for a 
small, single-office firm with a few firm personnel that audits one 
issuer or broker-dealer. The firm's documentation may take the form of 
formal written manuals and checklists or may be informally documented 
(e.g., in email communications), subject to the requirement of 
paragraph .83 that the documentation be in sufficient detail to support 
a consistent understanding of the QC system by firm personnel and for 
an experienced auditor to understand the design, implementation, and 
operation of the QC system. The firm may determine that a detailed memo 
is a more appropriate form of documentation for more complex matters, 
whereas, for less complex matters, briefer communications, such as 
email, may suffice. The nature and circumstances of the firm and the 
nature and complexity of the matter being documented are not the only 
factors that could drive the form, content, and extent of 
documentation. There may be other factors, such as the nature of the 
firm's engagements or the frequency and extent of changes in the firm's 
QC systems. The Board believes this principles-based approach provides 
for scalability and that providing specific guidelines and detailed 
examples of various types of documentation would potentially limit 
firms' flexibility unnecessarily.
    The proposal contemplated that firms would have to concurrently 
file their Form QC and assemble their documentation for retention by 
the same date. As adopted, the standard provides that firms have an 
additional 14 days after the date that the firm is required to file 
Form QC to assemble their documentation. Several commenters expressed 
concern with having the QC documentation completion date be concurrent 
with the date that the firm must report annually to the PCAOB on Form 
QC pursuant to paragraph .79. Many of these commenters recommended a 
document completion date 45 days after the reporting date, with some of 
these commenters suggesting that 45 days would ensure consistency with 
the requirements of AS 1215. One firm suggested that a full 45 days to 
assemble a complete and final set of documentation was not necessary, 
but the time period needed to assemble documentation should be built 
into an evaluation of the length of the reporting period if the final 
standard retained a document completion date concurrent to the 
reporting date.
    After consideration of the comments received, the Board revised 
paragraph .84 to provide firms up until December 14 (a total of 75 days 
after the evaluation date) to complete a final set of QC documentation. 
This includes an additional 14 days after the date that the firm is 
required to report to the PCAOB on Form QC. The 14-day period aligns 
with the changes to PCAOB requirements for engagement 
documentation.\353\ The Board believes that larger PCAOB audit 
practices with more complex and scaled up QC systems will employ the 
use of electronic tools in the assembly of the documentation of the QC 
system, and therefore a 14-day period to the QC documentation 
completion date is feasible. In addition, for smaller PCAOB audit 
practices with scaled down QC systems, the Board expects that the 
volume of documentation to be assembled will be smaller such that a 14-
day period is also feasible for those firms. Furthermore, the Board 
notes that, because the final rule includes a longer period from 
evaluation date to reporting date than proposed, under the final 
standard firms will have 75 days after the evaluation date to assemble 
their documentation, rather than 45 days as proposed.
---------------------------------------------------------------------------

    \353\ Amendments to the engagement documentation requirements in 
AS 1215 are addressed in a separate release. See Auditor 
Responsibilities Release.
---------------------------------------------------------------------------

    The standard permits additional documentation supporting a firm's 
QC system to be added after the QC documentation completion date in a 
manner similar to the addition of audit evidence to audit documentation 
under AS 1215.16. When this occurs, the standard requires a firm to 
indicate the date the information was added, the name of the person who 
prepared the additional documentation, and the reason for adding it. 
The standard also requires all previously retained documentation 
supporting the firm's evaluation of its QC system to remain intact and 
not be discarded.
    The proposed standard contemplated that the firm would retain QC 
documentation for seven years from the QC documentation completion 
date, unless a longer period is required by law.
    Two firms commented that they believed the seven-year retention 
period to be cost-prohibitive. One of these firms commented that if the 
firm changed its systems, for example, it will have to maintain 
additional licenses for old systems to access and use the data and pay 
for up to seven years' worth of storage, and it believes that 
maintaining that much data would introduce unnecessary cost as well as 
increased cybersecurity risk. The firm also commented that the seven-
year retention period goes beyond the retention requirements of the 
quality management standards set forth by the

[[Page 49692]]

AICPA \354\ and IAASB,\355\ and that this difference could cause 
operational challenges. The firm recommended aligning the documentation 
requirements with the firm's inspection and remediation cycle or 
allowing the firm to use a risk-based approach based on its judgment. 
Two firms opposed the seven-year period and suggested that it be based 
on the most recent inspection (for example, one year from the most 
recent inspection period), or until the inspection for a particular 
period has been completed.
---------------------------------------------------------------------------

    \354\ SQMS 1 requires the firm to establish a period of time for 
the retention of documentation for the system of quality management 
that is sufficient to enable the firm and its peer reviewer to 
monitor the design, implementation, and operation of the firm's 
system of quality management or for a longer period if required by 
law or regulation. See paragraph 61. Of SQMS 1.
    \355\ ISQM 1 requires the firm to establish a period of time for 
the retention of documentation for the system of quality management 
that is sufficient to enable the firm to monitor the design, 
implementation and operation of the firm's system of quality 
management, or for a longer period if required by law or regulation. 
See paragraph 60. of ISQM 1.
---------------------------------------------------------------------------

    As discussed in the proposal, the Board was concerned that 
requiring the retention period to be aligned with the PCAOB inspection 
cycle would be too short. A firm's remediation activities may span 
multiple years and the actions taken by the firm in certain areas may 
be informed by prior actions. Further, the objective of the 
documentation requirement is much broader than providing evidence for 
inspection purposes or enabling proper remediation. As described in the 
proposal, the Board believes that the documentation may also be useful 
for training purposes, ensuring the retention of organizational 
knowledge, and providing a history of the basis for decisions made by 
the firm about its QC system. One firm commented on these purposes and 
suggested that firms should determine what documentation has continuing 
relevance based on the circumstances. Another firm suggested that this 
could be reasonably handled by firms on a case-by-case basis, and any 
necessary documentation that could impact or inform future periods 
could be specifically retained. The firm further commented that some 
information would become stale over time and that it does not 
anticipate information retained early on being used for training or the 
retention of organizational knowledge in later years. A firm and a 
related group commented that a seven-year retention requirement is 
appropriate as it pertains to documentation that supports a firm's 
evaluation of its system of quality control and the related testing.
    After consideration of the comments received, together with the 
amendment made to paragraph .83. of the standard, the Board adopted the 
requirement to retain documentation for seven years from the QC 
documentation completion date, unless a longer period of time is 
required by law, as proposed. Paragraph .86 was amended to clarify that 
the documentation to be retained for this period is the documentation 
of its QC system required under paragraphs .81-.83 and paragraph .85. 
This requirement aligns the QC document retention requirement with 
other requirements in PCAOB standards and SEC rules (such as 17 CFR 
210.2-06). Furthermore, the documentation relating to the firm's 
engagements must be retained for seven years,\356\ and the Board 
believes that it is appropriate for the firm to also retain 
documentation of the QC system that operated over those engagements for 
the same time period. For consistency and practical application, the 
retention period is the same for all firms and applies to all 
documentation the firm is required to accumulate to meet the 
documentation requirements of the standard.
---------------------------------------------------------------------------

    \356\ See AS 1215.14.
---------------------------------------------------------------------------

2. Current PCAOB Standards
    Existing QC 20 provides that:
     Appropriate consideration should be given to the extent to 
which QC policies and procedures, and compliance with them, should be 
documented.\357\
---------------------------------------------------------------------------

    \357\ See QC 20.21.
---------------------------------------------------------------------------

     The form, content, and extent of documentation depends on 
relevant factors, including the size, structure, and nature of the 
firm's practice.\358\
---------------------------------------------------------------------------

    \358\ See QC 20.24-.25.
---------------------------------------------------------------------------

     A firm should prepare appropriate documentation to 
demonstrate compliance with its policies and procedures for the QC 
system.\359\
---------------------------------------------------------------------------

    \359\ See QC 20.25.
---------------------------------------------------------------------------

     Documentation should be retained for a period sufficient 
to enable those performing monitoring procedures and a peer review to 
evaluate the extent of the firm's compliance with its QC policies and 
procedures.\360\
---------------------------------------------------------------------------

    \360\ See QC 20.25.
---------------------------------------------------------------------------

    QC 30 and the SECPS membership requirements include documentation 
requirements for certain items such as findings from certain monitoring 
activities, CPE, notification of cessation of client relationships, 
filing reviews under Appendix K, and corrective actions to address 
apparent independence violations.\361\
---------------------------------------------------------------------------

    \361\ See, e.g., QC 30.08; SECPS 1000.08(m), 1000.45, 1000.46, 
8000.
---------------------------------------------------------------------------

Additional Amendments

    QC 1000 supersedes the existing PCAOB interim QC standards in their 
entirety. Currently, Rule 3400T requires registered firms and their 
associated persons to comply with the AICPA's quality control standards 
as in existence on April 16, 2003, to the extent not superseded or 
amended by the Board. Rule 3400T identifies the AICPA's Statements on 
QC Standards (QC 20, QC 30, QC 40) and certain of the AICPA's SECPS 
membership requirements, which are applicable only to firms that were 
members of the AICPA SEC Practice Section on April 16, 2003. The Board 
rescinded Rule 3400T. In consequence, the interim quality control 
standards referenced in Rule 3400T are no longer part of PCAOB 
standards. Rule 3400T is replaced with Rule 3400, which describes the 
auditor's responsibilities for complying with quality control standards 
adopted by the Board and approved by the SEC.
    Other amendments to PCAOB standards, rules, and forms are described 
below.

Amendments to AS 2901, Consideration of Omitted Procedures After the 
Report Date, and Related Amendments

1. Background
    Currently, AS 2901 applies when the auditor concludes, after 
issuing its report on the financial statements, that procedures 
``considered necessary at the time of the audit in the circumstances 
then existing'' were omitted from an audit of the financial statements, 
but there is no indication that the financial statements are not fairly 
presented.\362\ Existing AS 2901 requires remedial action if (i) the 
auditor concludes that the omitted procedures impair its ability to 
support the previously issued opinion, and (ii) people are likely to 
rely on the report. If remedial action is required but the auditor is 
not able to perform the omitted procedures or alternative procedures 
that support the opinion, the standard directs the auditor to consult 
with counsel. Existing AS 2901 does not apply to ICFR audits or to 
attestation engagements.
---------------------------------------------------------------------------

    \362\ AS 2905, rather than AS 2901, applies if the auditor 
subsequently learns of facts regarding the financial statements 
existing at the date of its report that might have affected its 
opinion. Paragraph .98 of AS 2201 is an analogous provision in the 
context of ICFR audits.
---------------------------------------------------------------------------

2. Amendments to AS 2901
    The Board believes that amendments to AS 2901 are appropriate to 
modernize the standard, incorporate the concepts and terminology 
introduced in QC 1000, and bring the standard into alignment

[[Page 49693]]

with the auditor's existing responsibility to obtain sufficient 
appropriate audit evidence to support the opinion.
    QC 1000 introduces a new term, ``engagement deficiency,'' defined 
as an instance of noncompliance with applicable professional or legal 
requirements by the firm, firm personnel, or other participants with 
respect to an engagement of the firm, or by the firm or firm personnel 
with respect to an engagement of another firm. For an engagement 
deficiency related to a completed engagement, QC 1000 requires firms to 
take action to address the engagement deficiency ``in accordance with 
applicable professional and legal requirements'' (e.g., AS 2901, AS 
2905, AS 2201.98-.99).
    The Board broadened the scope of AS 2901 to incorporate this new 
terminology, so that remedial action is required for engagement 
deficiencies for both financial statement audits and ICFR audits unless 
it was probable that the engagement report is not being relied 
upon.\363\ Reflecting this broader scope, the name of the standard was 
also changed to ``Responding to Engagement Deficiencies After Issuance 
of the Auditor's Report.''
---------------------------------------------------------------------------

    \363\ See QC 1000.68b.
---------------------------------------------------------------------------

a. Scope and Applicability (AS 2901.01-.02)
    Note that, under PCAOB Rule 1001(a)(xii), ``auditor'' as used in AS 
2901 means both firms and their associated persons.
i. Engagements Covered
    Existing AS 2901 predates ICFR audit requirements and applies only 
to financial statement audits. The Board proposed to extend the scope 
of AS 2901 to cover engagement deficiencies in ICFR audits as well. 
Several commenters, generally firms, agreed with the proposal to extend 
the scope of AS 2901 to include engagement deficiencies in ICFR audits, 
and the Board adopted that change in scope.
    Similar to the concept in existing AS 2901, the Board proposed that 
the revised standard would not apply to engagements where it is 
probable that the audit report is not being relied upon.\364\ The 
proposed standard included a note providing that the firm must treat an 
engagement report as being relied upon if the engagement report is 
included in the most recent SEC filing on a form that requires its 
inclusion. One commenter pointed out that the use of the term ``must'' 
in the proposed note did not allow for the auditor to take into account 
situations that may indicate an auditor's report is not being relied 
upon even when the auditor's report is included in the most recent 
filing on an SEC form. Two commenters suggested that the standard 
should also exclude engagements where the issuance of the subsequent 
year's auditor's report is imminent.
---------------------------------------------------------------------------

    \364\ Under current AS 2901, the test is whether the auditor 
believes there are persons currently relying, or likely to rely, on 
the audit report. Under the final standard, the test would be 
whether it is probable that no one is relying, without reference to 
the auditor's belief. The term ``probable'' has the same meaning as 
described in the FASB ASC paragraph 450-20-25-1.
---------------------------------------------------------------------------

    The Board agrees that the standard should allow for circumstances 
where the auditor's report is included in the most recent filing on an 
SEC report, but the auditor may nonetheless conclude that the auditor's 
report is no longer being relied upon. However, in the Board's view, 
the fact that the issuance of the subsequent year's auditor's report is 
imminent is not determinative of whether the report continues to be 
relied upon.
    The Board revised the note to paragraph .01 to provide that, in the 
absence of circumstances indicating that reliance is impossible or 
unreasonable (e.g., cessation of a trading market for issuer 
securities), inclusion of an auditor's report in the most recent filing 
on an SEC form that requires inclusion of such an auditor's report 
evidences that the report is being relied upon. The Board believes this 
is responsive to commenter concerns and allows for sufficient 
flexibility. The note has also been revised to clarify that an 
auditor's report can be included in an SEC filing either directly or 
through incorporation by reference.
    The determination that an auditor's report is not being relied upon 
would primarily be influenced by whether the auditor's report and 
related financial statements are readily available and whether a 
trading market exists for the company's securities. Circumstances that 
may suggest the engagement report is no longer being relied upon could 
include:
     So much time has elapsed that the financial statements 
covered by the auditor's report are no longer required to be included 
in SEC periodic reports.
     The issuer's or broker-dealer's business has been 
dissolved or gone into liquidation.
ii. Compliance With AS 2905/AS 2201.98
    Under the amendments, AS 2901 points the auditor to AS 2905 or AS 
2201.98 to the extent they apply. This preserves the difference in 
treatment that exists under current auditing standards between 
situations where financial statements and potentially the audit opinion 
may be in doubt (AS 2905 or AS 2201), and other circumstances where 
remedial action is required but there is no initial indication that the 
financial statements might be misstated (AS 2901).
iii. Deficiencies Covered
    Existing AS 2901 applies when the auditor concludes that procedures 
considered necessary at the time of the audit in the circumstances then 
existing were omitted. As proposed, AS 2901 was extended to cover all 
engagement deficiencies identified. The Board believes it is more 
consistent with the basic philosophy of QC 1000 and better supports the 
ultimate goal of improving audit quality to require remedial action for 
all engagement deficiencies, regardless of whether the audit opinion is 
unsupported.
b. Activities To Address Engagement Deficiencies
    AS 2901 currently requires remedial action when, due to omitted 
procedures that were considered necessary at the time of the audit, the 
auditor's opinion is not sufficiently supported. The required action is 
to perform the omitted procedures or alternative procedures that would 
support the opinion. If that is not possible, the auditor is directed 
to consult an attorney to determine an appropriate course of action.
    Under the proposal, remedial action would be required for all 
engagement deficiencies--both those engagement deficiencies that affect 
the auditor's opinion and those that do not. Many commenters expressed 
concern with the proposal to require remedial actions for all 
engagement deficiencies, with one commenter suggesting that remedial 
actions should only be required for major deficiencies, and another 
commenter suggesting that the need for remedial actions should be 
assessed on a case-by-case basis, taking into account the severity of 
the engagement deficiency. Several commenters suggested that firms 
should be able to exercise judgment about whether remediation is 
necessary and observed that in practice most identified engagement 
deficiencies are remediated. Other commenters considered the proposed 
requirement overly prescriptive and one commenter suggested that the 
requirement was unnecessarily burdensome for instances where the 
auditor's report is adequately supported despite an identified 
engagement deficiency. On the other hand, two commenters expressed 
support for the Board's approach to the

[[Page 49694]]

obligation to remediate engagement deficiencies, with one commenter 
stating that requiring remedial action for all identified engagement 
deficiencies, not just in situations where the auditor's opinion may be 
unsupported, would contribute to improving audit quality.
    The Board continues to believe that requiring firms to take action 
to address all engagement deficiencies, whether related to an 
unsupported auditor's opinion or not, is appropriate and reinforces a 
firm's obligation to comply with all applicable professional and legal 
requirements, and adopted this requirement as proposed. As discussed 
below, when the opinion is appropriately supported, the firm may 
determine which actions to take in response to an engagement 
deficiency.
i. Addressing Engagement Deficiencies Related to an Unsupported 
Auditor's Opinion (AS 2901.03)
    Under the proposal, in cases where the auditor did not obtain 
sufficient appropriate audit evidence to support the opinion, the 
auditor would have been required to either obtain additional evidence 
such that the opinion is adequately supported or take action to prevent 
future reliance on the report. One firm suggested that further guidance 
regarding these requirements would assist a firm in distinguishing 
between the engagement deficiencies that are subject to this provision 
rather than paragraph .04 (discussed below), or in the alternative, 
explicit alignment to the PCAOB's definition of a Part I.A or Part I.B 
deficiency.\365\ The Board is reluctant to incorporate terminology into 
its standards that does not have a fixed meaning under PCAOB rules and 
is subject to change.\366\ The Board also does not want to suggest that 
the requirements apply only to deficiencies identified by the PCAOB. 
However, in order to address this concern, paragraphs .03a and .03b 
were revised to make it explicit that the auditor's actions in 
paragraph .03b relate specifically to instances where the auditor is 
not able to obtain sufficient appropriate audit evidence to support the 
auditor's opinion.
---------------------------------------------------------------------------

    \365\ Subsequent to the date of the comment letter, the PCAOB 
created an additional category, Part I.C deficiencies. Definitions 
of Part I.A, Part I.B, and Part I.C deficiencies are available on 
the PCAOB website at https://pcaobus.org/oversight/inspections/inspection-procedures.
    \366\ As an example of how the Board's inspection reporting 
framework can change over time, in May 2023, the Board introduced 
several transparency enhancements to its inspection reports, 
including a new section of the inspection report focused on 
independence violations (Part I.C).
---------------------------------------------------------------------------

    The type of procedures that the auditor performs in response should 
be guided by the type and amount of evidence needed to support the 
auditor's opinion. If the auditor is not able to obtain sufficient 
appropriate evidence to support the opinion, the auditor is required to 
take appropriate action to prevent future reliance on the audit report. 
The Board also amended AS 2201 as part of this rulemaking to include a 
reference to AS 2901 as a reminder of auditor responsibilities under 
that section with respect to audits of internal control over financial 
reporting.\367\
---------------------------------------------------------------------------

    \367\ See Appendix 5, Other Amendments.
---------------------------------------------------------------------------

ii. Addressing All Other Engagement Deficiencies
    Under the proposed standard, for all other deficiencies on audit 
engagements, the auditor would have been required to perform remedial 
actions, similar to those described in QC 1000.69, based on the 
auditor's determination of what action (corrective, preventive, or 
both) is appropriate based upon the specific facts and circumstances. 
The proposal described the following potential responses to engagement 
deficiencies:
     Take corrective action to completely remediate the 
deficiency, where appropriate.
     For deficiencies that cannot be completely remediated, 
remediate to the extent possible and implement measures to prevent 
recurrence. For example, if a Form AP was filed late, the auditor would 
not be able to remediate the lateness but could improve the controls 
over the filing process.
     Determine, based on the facts and circumstances, that no 
further remedial action is necessary, e.g., because of remedial actions 
already taken to respond to other deficiencies.
    One commenter suggested including language in the lead-in to the 
note to paragraph .04 to further clarify that the actions a firm may 
take to remediate an engagement deficiency could be either corrective 
or preventive, or could be a combination of the two. The note in the 
final standard reflects this clarification.
    Additionally, the term ``remedial'' was removed from the final 
standard in the lead-in to the note to paragraph .04 in order to 
encompass all actions required under applicable professional and legal 
requirements, some of which (e.g., notification to the board of 
directors or regulatory agencies) may not be remedial in nature.
c. Documentation
    The proposed documentation requirement did not draw comment and was 
adopted as proposed.
    When the auditor's response to engagement deficiencies involves 
adding additional information to the auditor's working papers, the 
requirements of AS 1215.16 will apply.
    Under AS 2901, the auditor should document the actions taken 
pursuant to paragraphs .03 and .04 to address engagement deficiencies 
in an audit engagement where the audit report has previously been 
issued. This documentation requirement is consistent with the 
documentation requirements in proposed QC 1000.82c for all engagement 
deficiencies.
3. Related Amendments
    The Board proposed to add provisions similar to AS 2901 to the 
standards for broker-dealer attestation engagements, AT No. 1 and AT 
No. 2, to prompt auditors of brokers and dealers to take appropriate 
action if they discover that the opinion or conclusion in a previously 
issued attestation report was not supported. Currently, those standards 
are silent as to the responsibilities that apply when a deficiency is 
identified after the engagement report is issued.
    One commenter, who recommended changes to proposed AS 2901 
(including that remediation should be required only when the auditor's 
opinion may not be supported), suggested that the same changes be 
incorporated into AT No. 1 and AT No. 2. For the reasons discussed 
above in the context of AS 2901, the Board does not believe such a 
limitation is appropriate. However, the Board made a conforming change, 
similar to a change made to AS 2901, to the note to clarify that the 
auditor must treat reports as being relied upon when the examination 
report (in the case of AT No. 1) or review report (in the case of AT 
No. 2) is included (either directly or through incorporation by 
reference) in an SEC filing on an SEC form that requires inclusion of 
such an examination report or review report. The Board also made 
revisions to the proposed requirements in AT No. 1 and AT No. 2 by 
removing the word ``remedial'' from the lead-in language to the notes 
in each of the respective standards in order to encompass all actions 
required under applicable professional and legal requirements, some of 
which (e.g., notification to the board of directors or regulatory 
agencies) may not be remedial in nature. With these modifications, the 
Board adopted the proposed amendments to AT No. 1 and AT No. 2.
    The Board also amended AS 2201 as part of this rulemaking to 
include a reference to AS 2901 as a reminder of auditor 
responsibilities under that

[[Page 49695]]

section with respect to audits of internal control over financial 
reporting.\368\
---------------------------------------------------------------------------

    \368\ See Appendix 5, Other Amendments.
---------------------------------------------------------------------------

    The Board did not propose to amend its interim attestation 
standards to include provisions similar to AS 2901. One commenter 
encouraged the Board to consider creating a separate attestation 
standard like AS 2901 to minimize repetition within each attestation 
standard, especially if the Board plans to adopt new standards beyond 
AT No. 1 and AT No. 2 in the future. At this time, the Board did not 
amend its interim attestation standards to include provisions similar 
to AS 2901, though it may consider doing so in the future.

Rescission of ET Section 102; Adoption of EI 1000; Related Amendments

1. Rescission of ET Section 102 and Adoption of EI 1000, Integrity and 
Objectivity
    The Board rescinded an interim ethics and independence standard, ET 
102, Integrity and Objectivity, replacing it with a new standard, EI 
1000, Integrity and Objectivity. EI 1000 is based on existing ET 102, 
including its related interpretations codified as ET 102.02, .03, and 
.05, but reflects revisions that align PCAOB ethics requirements with 
the scope, approach, and terminology of QC 1000. To take one example, 
the new EI 1000 applies to registered public accounting firms and their 
associated persons rather than current AICPA ``members'' as referenced 
in ET 102.
    Integrity and objectivity are foundational to the audit and 
critical to the performance of engagements under PCAOB standards. They 
lend credibility and engender trust in financial reporting. As the U.S. 
Supreme Court pointed out in United States v. Arthur Young:

    By certifying the public reports that collectively depict a 
corporation's financial status, the independent auditor assumes a 
public responsibility transcending any employment relationship with 
the client. The independent public accountant performing this 
special function owes ultimate allegiance to the corporation's 
creditors and stockholders, as well as to the investing public. This 
``public watchdog'' function demands that the accountant maintain 
total independence from the client at all times, and requires 
complete fidelity to the public trust.\369\
---------------------------------------------------------------------------

    \369\ United States v. Arthur Young, 465 U.S. 805, 817-818 
(1984).

    The responsibility to maintain integrity and objectivity is an 
important counterbalance to the risk that the auditor may be unduly 
influenced by company management or may be subject to cognitive or 
other biases in performing the audit.\370\ In turn, an auditor's 
integrity and objectivity can help to increase investor trust in 
financial reporting and strengthen capital markets.
---------------------------------------------------------------------------

    \370\ See, e.g., Auditing Accounting Estimates, Including Fair 
Value Measurements and Amendments to PCAOB Auditing Standards, PCAOB 
Rel. No. 2018-005 (Dec. 20, 2018), at 30-35 (discussing auditor 
incentives and potential cognitive biases).
---------------------------------------------------------------------------

    Currently, paragraph .01 of ET 102 sets out three requirements that 
apply in the performance of a professional service: (i) maintaining 
integrity and objectivity, (ii) being free of conflicts of interest, 
and (iii) not knowingly misrepresenting facts or subordinating 
judgment. The remaining paragraphs of the rule and the relevant 
portions of ET 191 provide more detailed direction in specific 
contexts.
    The Board proposed creating two overarching requirements in EI 
1000: (i) maintaining integrity, which would include being honest and 
candid, not knowingly or recklessly misrepresenting facts, and not 
subordinating judgment; and (ii) maintaining objectivity, which would 
include being impartial, intellectually honest, and free of conflicts 
of interest. The proposal incorporated descriptions of integrity and 
objectivity that were substantially based on existing requirements in 
QC 20.10.\371\
---------------------------------------------------------------------------

    \371\ QC 20.10 states: ``Integrity requires personnel to be 
honest and candid within the constraints of client confidentiality. 
. . . The principle of objectivity imposes the obligation to be 
impartial, intellectually honest, and free of conflicts of 
interest.''
---------------------------------------------------------------------------

    In addition to substantially recodifying existing requirements, the 
Board also proposed to clarify the scope of the rule and more closely 
align it with the scope, approach, and terminology of QC 1000.
    With two clarifications discussed below, the Board adopted EI 1000 
as proposed and rescinded ET 102.
a. General
    As proposed, the Board modernized the standard and aligned it with 
other PCAOB standards and rules by renumbering it in accordance with 
the PCAOB's reorganized standards framework, incorporating PCAOB 
terminology, and eliminating outdated provisions.
    The final rule clarifies that the requirements of EI 1000 apply in 
connection with all responsibilities under ``applicable professional 
and legal requirements'' (as defined in QC 1000) and the firm's related 
policies and procedures, whether in relation to the firm's engagements, 
work the firm does on other firms' engagements, training, independence 
monitoring, or other activities that are part of or subject to the 
firm's QC system. In addition, EI 1000 applies to registered firms and 
their associated persons, rather than to ``members'' as ET 102 
currently provides.
    The final rule also corrects a reference in EI 1000.02.b(2) from 
``materially false and misleading'' to ``materially false or 
misleading.''
    One commenter supported the replacement of ET 102 with EI 1000, but 
recommended labeling it ``OI'' for Objectivity and Integrity. As 
described in the proposal, the Board created a designation not only for 
its standard on objectivity and integrity, but for future standards as 
well. The Board intends to use ``EI'' for all ethics and independence 
standards, just as it uses ``AS'' to designate auditing standards.
    While one commenter confirmed that the terms used in EI 1000 are 
generally clear, another commenter recommended clarifying the 
expectations for the terms ``being honest and candid'' in EI 1000.02 
and ``being intellectually honest'' in EI 1000.03. This language is 
drawn from existing QC 20.10, has a clear plain English meaning, and 
the Board believes should be well understood.
b. Integrity
    EI 1000.02 notes that, as part of maintaining integrity, a firm and 
its associated persons must be ``honest and candid.'' This requirement 
is drawn from existing QC 20.10. The Board omitted the reference to 
``within the constraints of client confidentiality'' in order to avoid 
suggesting that ``client confidentiality'' could limit a firm's or its 
associated persons' obligations to comply with the requirements of 
PCAOB rules or standards. This is consistent with the Board's 
interpretation of QC 20.10, under which a firm or its associated 
persons must be honest and candid in complying with PCAOB rules and 
standards, including during PCAOB inspections. It also confirms, among 
other things, that associated persons have the ability to report 
wrongdoing within the firm and to the appropriate regulatory 
authorities without constraints of confidentiality, consistent with 
PCAOB rules and standards. Similar to current QC 20.10, EI 1000.02 does 
not address the requirements of client confidentiality beyond the 
requirements set forth in PCAOB rules and standards and applicable 
requirements of the Federal

[[Page 49696]]

securities laws, including the Sarbanes-Oxley Act.\372\
---------------------------------------------------------------------------

    \372\ As a general matter, the Uniform Accountancy Act excludes 
from the prohibition against voluntary disclosure, in part, 
``information required to be disclosed by the standards of the 
public accounting profession in reporting on the examination of 
financial statements or as prohibiting compliance with applicable 
laws, government regulations or PCAOB requirements.'' AICPA, Uniform 
Accountancy Act (January 2018). available at https://us.aicpa.org/content/dam/aicpa/advocacy/state/downloadabledocuments/uaa-eighth-edition-january-2018.pdf.
---------------------------------------------------------------------------

    One commenter suggested that, rather than removing the reference to 
confidentiality, the Board should instead refer to IESBA Code Section 
260 related to noncompliance with laws or regulations. In general, the 
Board does not incorporate by reference the concepts and terminology 
used by other standard setters. In relation to noncompliance with laws 
and regulations in particular, the Board has proposed its own new 
standard.\373\ If a new PCAOB standard in that area is ultimately 
adopted by the Board and approved by the SEC and makes it appropriate 
for the Board to amend EI 1000, the Board would of course intend for EI 
1000 to align with its new standard rather than the IESBA code.
---------------------------------------------------------------------------

    \373\ See Proposing Release: Amendments to PCAOB Auditing 
Standards related to a Company's Noncompliance with Laws and 
Regulations And Other Related Amendments, PCAOB Rel. No. 2023-003 
(June 6, 2023).
---------------------------------------------------------------------------

    The proposal clarified that the responsibility to avoid factual 
misrepresentations covers not only knowing, but also reckless behavior, 
and that this responsibility applies to any knowing or reckless 
misrepresentation of fact, including situations where documents--such 
as work papers and communications with the PCAOB and the SEC--
containing materially false or misleading information are knowingly or 
recklessly signed, permitted or directed to be signed, or left 
uncorrected by those with authority to correct them.
    One commenter suggested that the concept of failing to correct a 
document that is materially false and misleading when having the 
authority to do so should be limited to circumstances in which the 
document was materially false and misleading ``when made.'' The Board 
agrees that the duty to correct is not unbounded, and generally applies 
at the time that a document is made (including when filed with or 
submitted to a regulatory authority). The Board notes, however, that 
while EI 1000 does not independently impose a duty to correct a 
document that was not materially false or misleading when made, such a 
duty may arise under other statutes, laws, or regulations, and the 
Board believes that in such a circumstance, the failure to discharge 
that duty should also constitute a violation of EI 1000. The Board 
added language to EI 1000.02b to clarify the circumstances under which 
failure to correct a document would constitute a knowing or reckless 
misrepresentation of facts.
    The Board proposed to broaden the responsibility to avoid 
subordination of judgment so it would apply to any dispute or 
disagreement over applicable professional and legal requirements or how 
to apply them. One commenter suggested that, as part of the provision 
on subordination of judgment, the Board should address the risk of 
supervisors exercising undue influence over subordinates in the same 
manner as under the AICPA Code of Professional Conduct.\374\ The 
relevant interpretive provision of the AICPA Code, 1.130.020, 
Subordination of Judgment, identifies undue influence by a supervisor 
as a potential threat to compliance with the AICPA's Integrity and 
Objectivity Rule \375\ and provides safeguards to be applied when the 
threat is not at an acceptable level. The safeguards to be applied are 
essentially the same as the process required under EI 1000.02c, 
including research and consultation to determine whether the 
supervisor's position is supportable, consultation with higher levels 
of management, and, if appropriate action is not taken, consideration 
of potential duties to notify third parties and consideration of the 
appropriateness of continuing a relationship with the firm. In addition 
to the provision in EI 1000, QC 1000 also addresses the risk of undue 
influence through a quality objective in the engagement performance 
component related to the appropriate resolution of differences in 
professional judgment,\376\ as well as general provisions that would 
apply to undue influence by a supervisor, including in the governance 
and leadership component,\377\ the ethics and independence 
component,\378\ and the resources component.\379\ The Board believes 
these provisions address the concerns raised by this commenter and have 
adopted the subordination of judgment provision of EI 1000 as proposed.
---------------------------------------------------------------------------

    \374\ AICPA Code of Professional Conduct 1.130.020, 
Subordination of Judgment.
    \375\ Id. at 1.100.001.
    \376\ QC 1000.42.c.
    \377\ QC 1000.25.
    \378\ QC 1000.33b, c., and f.
    \379\ QC 1000.46a.
---------------------------------------------------------------------------

c. Objectivity
    One commenter suggested that the Board could clarify the standard 
by including references to the AICPA or IESBA concepts of conflict of 
interest. As noted above, it is not generally Board policy to 
incorporate by reference the concepts and terminology used by other 
standard setters. The Board also believes that a cross reference is not 
appropriate because EI 1000 addresses essentially the same conduct as 
the AICPA and IESBA provisions.
d. Rescission of Certain AICPA Interpretations
    Additionally, the Board rescinded the former AICPA interpretations 
currently codified as ET 102.04, .06, and .07, which address members' 
obligations to their employer's external accountant, performance of 
educational services, and professional services involving client 
advocacy, respectively. These are generally not relevant to engagements 
performed under PCAOB standards. In addition, the matters addressed in 
paragraph .07 are either effectively superseded by 17 CFR 210.2-01 or 
more effectively addressed elsewhere in PCAOB standards (e.g., AS 2610, 
Initial Audits--Communications Between Predecessor and Successor 
Auditors).
2. Amendments to ET Section 191
    In connection with EI 1000, the Board also proposed amending ET 191 
by making a conforming amendment to paragraph .062 and rescinding 
paragraphs .130, .131, .170, .171, .186, .187, .198, .199, .202, and 
.203. The only commenter on this topic supported these amendments. The 
Board adopted the amendments as proposed. The interpretations the Board 
rescinded (addressing, respectively, use of the CPA designation by 
accountants not in public practice, service as a director of a bank, 
service on the board of directors of United Way or a similar federated 
fund-raising organization, providing services for company executives, 
and providing client advocacy services) are generally not relevant to 
engagements performed under PCAOB standards or are addressed elsewhere 
in PCAOB and SEC rules. The Board did not amend the portions of ET 191 
that pertain to ET 101, which is not being substantively amended in 
this rulemaking.
3. Amendments to Rule 3500T, Interim Ethics and Independence Standards, 
and ET Section 101, Independence
    The Board proposed amending paragraph (a) of Rule 3500T to 
eliminate the introductory phrase ``In connection with the preparation 
or issuance of any audit report,'' which it believes may cause the rule 
to be read unduly narrowly. The Board also proposed eliminating 
references to ET 102, Integrity and Objectivity, and

[[Page 49697]]

substituting a reference to EI 1000, Integrity and Objectivity. These 
proposed amendments did not receive any comment and were adopted as 
proposed.
    Lastly, the Board amended paragraphs .04, .13, and .16 of ET 101, 
Independence, to conform the references to ET 102, which will be 
rescinded, to EI 1000.

Other Amendments

    In connection with the adoption of QC 1000, the Board also adopted 
amendments to other professional standards, PCAOB rules, and PCAOB 
forms. As discussed in more detail below, these amendments:
     Align terminology, concepts, and cross-references with QC 
1000;
     Rescind standards that are unnecessary in light of the 
adoption of QC 1000;
     Recodify certain provisions of requirements that are 
rescinded into other PCAOB standards and rules; and
     Make other technical and clarifying amendments.
    The one commenter that addressed this topic generally supported the 
amendments and also recommended an amendment to PCAOB Rule 1001(p)(vi) 
to use the term ``quality control standards'' instead of ``quality 
control policies and procedures.'' The language used in PCAOB Rule 
1001(p)(vi) is drawn from section 110(5) of Sarbanes-Oxley and the 
Board believes its rule should continue to align with that statutory 
provision.
    These amendments are discussed further below.
1. Rescission of Rule 3400T, Interim Quality Control Standards; 
Adoption of Rule 3400, Quality Control Standards
    These rule changes did not receive any comment and were adopted as 
proposed.
    PCAOB Rule 3400T, Interim Quality Control Standards, requires 
registered public accounting firms and their associated persons to 
comply with the Board's interim quality control standards. The Board 
rescinded Rule 3400T, including all current QC standards identified in 
the rule, which the Board adopted on an interim, transitional 
basis.\380\ The Board adopted in its place a new rule, Rule 3400, to 
codify the auditor's responsibilities for complying with the Board's 
quality control standards.
---------------------------------------------------------------------------

    \380\ Under PCAOB Rule 3400T(a), all firms are required to 
comply with QC standards as described in ``the AICPA's Auditing 
Standards Board's Statements on Quality Control Standards, as in 
existence on April 16, 2003 (AICPA Professional Standards, QC 
Sec. Sec.  20-40 (AICPA 2002)), to the extent not superseded or 
amended by the Board.''. PCAOB Rule 3400T(b) requires certain firms 
to comply with QC standards as described in ``the AICPA SEC Practice 
Section's Requirements of Membership (d), (l), (m), (n)(1), and (o), 
as in existence on April 16, 2003 (AICPA SEC Practice Section Manual 
1000.08(d), (j), (m), (n)(1), and (o)), to the extent not superseded 
or amended by the Board.'' PCAOB Rule 3400T(b). The note to Rule 
3400T provides that those requirements ``only apply to those 
registered public accounting firms that were members of the AICPA 
SEC Practice Section on April 16, 2003.''
---------------------------------------------------------------------------

2. Rescission of AS 1110, Relationship of Auditing Standards to Quality 
Control Standards
    The Board received no comment on the proposed rescission of AS 1110 
and rescinded it, as proposed.
    At the time AS 1110 was issued, it served to describe the 
relationship between the then already-existing auditing standards and 
the new set of standards that governed a firm's system of quality 
control. This relationship is now well understood by firms and 
clarified within QC 1000. In addition, the first two paragraphs of AS 
1110 merely repeat the requirements to comply with the auditing and QC 
standards that are addressed by other PCAOB standards and rules. 
Accordingly, the Board rescinded AS 1110.
3. Adoption of AS 1310, Notification of Termination of the Auditor-
Issuer Relationship
    The Board adopted a new standard, AS 1310, which recodifies 
existing requirements of SECPS 1000.08(m), Notification of the 
Commission of Resignations and Dismissals from Audit Engagements for 
Commission Registrants, and applies those requirements to all firms and 
all issuer engagements. As noted above, the Board rescinded the QC 
standards that pertain only to firms that were SECPS members at the 
time the PCAOB was created. In lieu of the SECPS requirement, the Board 
adopted a new standard that requires the auditor to notify the SEC upon 
resignation or dismissal from an audit engagement of an issuer if the 
issuer does not report such change in a current report on Form 8-K.
    The only commenter to address this proposed standard agreed that it 
could provide valuable and timely information to investors to alert 
them when audit committees have failed to fulfill their reporting 
responsibilities. The Board notes, however, that notifications provided 
under the current SECPS requirement might not be made publicly 
available. Nevertheless, the Board believes that notices provided to 
the SEC under the standard could provide valuable information to the 
SEC. Therefore, the Board adopted the standard substantially as 
proposed, with a revision to conform to the precise language on Form 8-
K. This requirement applies to all issuer engagements, regardless of 
whether the firm was a member of the SECPS and regardless of whether 
the issuer is required to report on Form 8-K.
4. Amendments to AT Section 101, Attest Engagements
    These amendments did not receive any comment and were adopted as 
proposed.
    The amendments to AT Section 101 align with the rescission of AS 
1110 discussed above, by deleting the paragraphs that address the 
relationship of attestation standards to QC standards. Additionally, 
the deletion of footnote 23 removes language related to monitoring 
compliance with quality control policies and procedures, which is 
unnecessary in light of the adoption of QC 1000.
5. Amendments to Form 1, Application for Registration
    The Board proposed to amend Form 1 to (i) refer to QC 1000 in the 
instructions in order to prompt firms to consider their obligations 
with respect to QC in connection with their application for 
registration, and (ii) add a new item whereby firms confirm whether 
they have designed a QC system in accordance with PCAOB standards. The 
only commenter to address this amendment agreed that the amendments 
would be appropriate. The Board adopted these amendments as proposed.
6. Amendments to Form 2, Annual Report Form
    The Board proposed to amend Form 2 to add a new item whereby firms 
would confirm (i) that they have designed a QC system in accordance 
with PCAOB standards; and (ii) whether they were required to implement 
and operate a QC system in accordance with PCAOB standards at any time 
during the period of time covered by Form 2. The only commenter to 
address this amendment agreed that the amendments would be appropriate. 
The Board adopted these amendments as proposed.
7. Technical and Conforming Amendments
    These amendments did not receive any comment and were adopted as 
proposed.
    The Board implemented a number of technical and conforming 
amendments to align terminology and concepts in

[[Page 49698]]

existing standards and one PCAOB form with QC 1000.
    The Board also implemented a technical amendment to the 
instructions to Form AP to clarify an exclusion from disclosing the 
identity of, and hours incurred by, accounting firms in certain 
circumstances. The Board, when it adopted Form AP, stated that it 
intended to exclude the reporting of ``hours incurred in the audit of 
entities in which the issuer has . . . an investment'' using the equity 
method of accounting.\381\ Form AP currently excludes hours ``of an 
accounting firm performing the audit of entities in which the issuer 
has an investment that is accounted for using the equity method,'' but 
the Board is concerned that such language might be read to exclude all 
of the audit work performed by such an accounting firm on an audit, 
rather than only those hours spent performing the audit of entities in 
which the issuer has an investment accounted for using the equity 
method. The Board revised the instruction in Part IV of the form to 
exclude from its disclosure requirements the identity of, and hours 
incurred by, accounting firms ``in performing'' the audit of entities 
in which the issuer has an investment that is accounted for using the 
equity method, which clarifies that the identity of, and hours incurred 
by, such firms with respect to other work on the audit must be 
disclosed on Form AP, unless they are subject to other Form AP 
exclusions.
---------------------------------------------------------------------------

    \381\ See Improving the Transparency of Audits: Rules to Require 
Disclosure of Certain Audit Participants on a New PCAOB Form and 
Related Amendments to Auditing Standards, PCAOB Rel. No. 2015-008 
(Dec. 15, 2015), at 26.
---------------------------------------------------------------------------

Effective Date

    In the proposing release, the Board sought comment on the amount of 
time auditors would need before the proposed new quality control 
standard and the other proposed amendments to PCAOB standards, rules, 
and forms, if adopted by the Board and approved by the SEC, become 
effective. We proposed an effective date of December 15 of the year 
after approval by the SEC.
    One commenter agreed that the proposed effective date should be 
reasonable in practical terms. Another commenter asserted that the 
standard is not clear on the effective date as it relates to design and 
implementation and operating effectiveness, and recommended that the 
Board allow firms significant time between the release of the final 
standard and its effective date. One commenter suggested that an 11-
month period from the effective date to the first evaluation date would 
not be practicable, and firms would need time to consider whether and 
how to transition from their evaluation date previously established 
under ISQM 1.
    Several commenters suggested that if the standard is approved in 
2023, and becomes effective on December 15, 2024, this would provide 
challenges to auditors. Some of these commenters further suggested that 
the proposed effective date would be particularly challenging for 
smaller firms that might not have already implemented ISQM 1 and do not 
have to implement SQMS 1 until December 15, 2025. Commenters suggested 
alternative effective dates such as December 15, 2025; 18 months after 
approval by the SEC and no sooner than December 15, 2025; the later of 
12 months after approval by the SEC or December 15, 2025; or two years 
after SEC approval. One commenter suggested a phased approach such that 
the effective date would be different for firms that are annually 
inspected than for other firms, while other commenters suggested that 
firms that are required to implement incremental requirements based on 
the size of the firm should be provided additional time to implement 
the incremental requirements. One commenter suggested that an overly 
speedy adoption timeline could create unintended consequences such as 
disruption to QC systems and increased difficulty of getting buy-in on 
the proposed QC changes from stakeholders. Another commenter suggested 
that an additional one to two years may be needed for firms with less 
than 100 issuers, or that have not adopted ISQM 1, to develop and 
implement the additional monitoring, evaluation and remediation 
requirements. The commenter further suggested that a proposed initial 
evaluation date that is eleven and a half months after the effective 
date may not allow enough time for remediation and that the PCAOB 
should consider a longer onboarding process.
    After considering the comments received subject to approval by the 
SEC, the final standard and related amendments to auditing standards, 
rules, and forms will take effect on December 15, 2025.
    The Board believes that an effective date of December 15, 2025 
strikes an appropriate balance between the benefits to investors of 
having QC 1000 take effect as promptly as practicable, while allowing 
sufficient time for firms to design and implement robust, QC 1000-
compliant QC systems.
    One commenter suggested the Board consider how mergers and 
acquisitions of firms would impact the effective date for the standard, 
and suggested the Board consider similar guidance to the SEC that 
provides that issuers may exclude an acquired business's internal 
control over financial reporting from its assessment of internal 
control for up to one year or for one assessment. After consideration 
of the comment received, the Board appreciates that it could take time 
to fully integrate a newly acquired firm's QC system and perform an 
evaluation of its effectiveness. However, the Board does not believe 
that it is appropriate or consistent with its investor protection 
mandate to allow for a portion of a firm's QC system to be excluded 
from the annual evaluation. The Board believes that specific quality 
risks could arise as the result of a merger or acquisition, and that 
firms should be designing, implementing, and operating quality 
responses to address these as part of merger planning and execution. 
Furthermore, if, as a result of a merger or acquisition between 
registered public accounting firms, the resultant firm is unable to 
conclude that the QC system is effective as of the evaluation date, 
then the Board believes that it is essential that the firm has 
identified and is remediating the QC deficiencies that exist as a 
result of the merger or acquisition and is monitoring any impact on the 
firm's engagements.
    Unlike ISQM 1 and SQMS 1, under QC 1000, the requirements for QC 
system evaluation are not being implemented on a delayed basis. When QC 
1000 takes effect, all provisions of QC 1000 will take effect. Because 
the evaluation date of September 30 builds in over a nine-month delay 
between the effective date of the standard and the first evaluation 
date, the Board does not believe further delaying the effective date of 
the evaluation requirements would be necessary or appropriate. However, 
the first evaluation period will be of the period beginning on the 
effective date of the standard (i.e., December 15, 2025) and ending on 
the next September 30, rather than the 12-month period ending on that 
September 30.

D. Economic Considerations and Application to Audits of Emerging Growth 
Companies

    Economic analysis is an important aspect of the rulemaking process. 
This economic analysis describes the baseline for evaluating the 
economic impacts of the rulemaking, the need for rulemaking, its 
expected economic impacts (including benefits, costs, and potential 
unintended consequences), and reasonable alternatives considered. Due 
to data limitations, much of the economic analysis is qualitative in

[[Page 49699]]

nature; however, where reasonable and feasible, the analysis 
incorporates quantitative information, including information from PCAOB 
inspections of registered firms.
    The Board has sought information relevant to the economic analysis 
over the course of this rulemaking.\382\ To the extent that commenters 
expressed views related to the economic analysis, many commenters 
generally agreed with the need for QC 1000, but some commenters raised 
concerns with certain impacts of the proposed standard. Several 
commenters expressed concerns about costs associated with certain key 
requirements, such as documentation. Some commenters suggested that the 
economic analysis should more explicitly consider costs that could 
disproportionately impact smaller and mid-size firms. Some commenters 
asserted potential unintended consequences with the proposed standard, 
including demand on staff resources and potential competitive effects, 
while other commenters suggested alternatives to help manage costs 
associated with certain proposed requirements, such as the 100-issuer 
threshold and evaluation and reporting dates. Some commenters offered a 
quantitative perspective regarding impacts. Several commenters 
referenced additional academic research for the Board's consideration. 
The Board considered all the comments received, including the 
quantitative perspectives and academic research the comments 
referenced, and has developed the following economic analysis that 
evaluates the expected benefits and costs of the final requirements, 
discusses potential unintended consequences, and facilitates comparison 
to alternative actions considered.
---------------------------------------------------------------------------

    \382\ See PCAOB Rel. No. 2022-006; PCAOB Rel. No. 2019-003.
---------------------------------------------------------------------------

Baseline

    The discussion above provides an overview of current PCAOB QC 
standards; summarizes observations from PCAOB oversight activities; and 
describes developments in the auditing environment since the adoption 
of current PCAOB QC standards, including the actions of other standard 
setters. This section expands on that discussion by describing 
additional aspects of the economic baseline against which the economic 
impacts of the requirements can be considered and presenting other 
relevant information on the audit services market for issuers and 
broker-dealers. Specifically, this expanded discussion includes:
     Three complementary proxies for the level of compliance 
with professional standards applicable to the performance of 
engagements, derived from PCAOB inspections data. Analysis of these 
proxies informs the baseline for considering the expected benefits of 
the requirements (e.g., improved compliance with professional 
standards).\383\
---------------------------------------------------------------------------

    \383\ See below for further discussion.
---------------------------------------------------------------------------

     Information on resources that U.S. global network firms 
(``GNFs'') invest in their QC systems. As the requirements are expected 
to result in changes to some firms' QC systems, this information 
informs the baseline for considering the expected costs of the 
requirements.
     Changes firms have made to their QC systems to remediate 
QC deficiencies identified by PCAOB inspections staff and presents QC 
deficiencies related to firms' management of their audit practices. 
This discussion provides information on the evolution of QC systems and 
informs the evaluation of the need for and the economic impacts of the 
requirements.
     A concise survey of academic literature on quality-
threatening behaviors that suggest certain weaknesses in some QC 
systems in practice.
     Key assumptions regarding how QC systems are likely to 
evolve absent the requirements.
    In describing the baseline,\384\ the analysis presents anonymized 
and aggregated summary statistics regarding deficiencies included in 
past PCAOB inspection reports. Since PCAOB inspection reports do not 
consider broker-dealer engagements, the analysis also presents 
anonymized and aggregated summary statistics regarding audit and 
attestation engagement deficiencies included in annual reports on the 
PCAOB's interim inspection program related to audits of brokers and 
dealers. The following background information associated with this 
quantitative inspection information bears emphasizing:
---------------------------------------------------------------------------

    \384\ The scope of the information on inspections and 
remediation efforts presented in the baseline section is limited to 
those firms that are subject to inspection under Sarbanes-Oxley; 
specifically, firms that provide one or more audit reports for an 
issuer, broker, or dealer and firms that play a substantial role in 
the preparation or furnishing of such audit reports. See section 
104(a)(1), (2), and (b)(1) of Sarbanes-Oxley, 15 U.S.C. 7214(a)(1), 
(2), and (b)(1). In particular, PCAOB's analysis of deficiencies 
included in past PCAOB inspection reports does not include 
registered firms that would be subject only to design requirements 
on the basis that they do not perform ``engagements'' as defined in 
QC 1000. Based on Form 2 reporting as of June 30, 2023, 
approximately 60% of registered firms reported that they had not 
issued an audit report for an audit of an issuer or broker-dealer or 
played a substantial role in such an engagement during the preceding 
12 months.
---------------------------------------------------------------------------

     QC deficiencies presented in Part II of a PCAOB inspection 
report \385\ may relate to: (1) a firm's management of its audit 
practice or (2) a firm's performance of audit procedures.\386\ QC 
deficiencies of the first type refer to the operation of QC policies 
and procedures. For example, a QC deficiency related to a firm's 
management of its audit practice may be identified through inspection 
staff's review of how the firm considers and addresses risks in 
connection with engagement acceptance and continuance decisions. QC 
deficiencies of the second type are inferred through analysis of 
deficiencies identified during inspections of individual issuer audit 
engagements. For example, a QC deficiency related to a firm's 
performance of audit procedures may be identified through inspection 
staff review of the performance of audit procedures related to 
management's accounting estimates.\387\
---------------------------------------------------------------------------

    \385\ Part II of a firm's inspection report includes any 
criticisms of, and potential defects in, the firm's QC system, that 
were communicated to the firm as part of a PCAOB inspection. As 
required under Sarbanes-Oxley, any QC deficiencies observed during a 
PCAOB inspection are not included in the public portion of the 
relevant inspection report when first issued. If a firm does not 
address to the Board's satisfaction criticisms of, and potential 
defects in, the firm's QC system within 12 months after the issuance 
of the PCAOB inspection report, Part II of the report will be issued 
publicly to include such deficiencies. Additional information is 
available on the PCAOB website at https://pcaobus.org/oversight/inspections/remediation.
    \386\ See PCAOB Rel. No. 2012-003, at 8-9.
    \387\ See PCAOB Rel. No. 2012-003, at 8.
---------------------------------------------------------------------------

     Deficiencies presented in Part I.A of an inspection report 
represent deficiencies in issuer audits selected for inspection that 
were of such significance that the Board believes that the firm, at the 
time it issued its audit report, had not obtained sufficient 
appropriate audit evidence to support its opinion on the issuer's 
financial statements and/or internal control over financial reporting. 
As part of the PCAOB's process for reviewing firms' QC systems, PCAOB 
inspection teams evaluate whether identified deficiencies in individual 
audits indicate a defect or potential defect in a firm's QC system. 
However, a Part I.A deficiency does not, on its own, necessarily imply 
significant defects or potential defects in a firm's QC system. The 
PCAOB inspection team will consider the nature, significance, and 
frequency of deficiencies and related firm methodology, guidance, 
practices, and possible root causes when assessing whether Part I.A 
deficiencies in individual audits indicate significant

[[Page 49700]]

defects or potential defects in a firm's QC system that should appear 
in Part II of the firm's inspection report.\388\
---------------------------------------------------------------------------

    \388\ Additional information on PCAOB inspection procedures is 
available on the PCAOB website at https://pcaobus.org/oversight/inspections/inspection-procedures.
---------------------------------------------------------------------------

     The Dodd-Frank Wall Street Reform and Consumer Protection 
Act gave the PCAOB oversight of auditors of broker-dealers registered 
with the SEC. In June 2011, the PCAOB established an interim program to 
inspect these auditors and identify and address with them any 
significant issues observed in their audits and related attestation 
engagements. This interim inspection program remains in place today. 
The inspection processes for audits of issuers and broker-dealers are 
different in many respects, including the applicable laws, rules, and 
professional standards; the inspection selection process; inspection 
focus areas; and reporting of inspection results. In particular, unlike 
PCAOB inspections of issuer audits, which lead to an inspection report 
for each inspected firm, the PCAOB issues a single annual report on the 
interim inspection program related to audits of brokers-dealers, which 
summarizes the results of the PCAOB's inspections of broker-dealer 
engagements performed during the previous year.\389\
---------------------------------------------------------------------------

    \389\ See Annual Report on the Interim Inspection Program 
Related to Audits of Brokers and Dealers, PCAOB Rel. No. 2023-005 
(Aug. 10, 2023). Additional information on the interim inspection 
program is available on the PCAOB website at https://pcaobus.org/resources/information-for-audit-firms/information-for-auditors-of-broker-dealer.
---------------------------------------------------------------------------

     The analysis of QC and issuer audit deficiencies below is 
presented over a twelve-year period for three separate categories of 
firms: (1) U.S. GNFs, (2) other firms having more than five inspected 
issuer engagements, and (3) other firms having five or fewer inspected 
issuer engagements.\390\ Categorizing inspections information among 
firms of different sizes helps account for the significantly skewed 
variation in audit firm size present in the audit market.\391\ The 2011 
through 2022 period is used because information from earlier inspection 
years is less comparable and information from later inspection years 
was not completely available as of the date of this analysis. 
Information was preliminary for the 2022 inspection year as of the date 
of the PCAOB staff analysis.
---------------------------------------------------------------------------

    \390\ Time trends can help to identify associative relationships 
and may suggest how the audit market could evolve absent the 
requirements. However, time trends in PCAOB inspection deficiencies 
depend on, among other things, changes in the set of firms and 
engagements selected for inspection. Firms that issue 100 or fewer 
audit reports for issuers are, in general, inspected at least once 
every three years. Firms that issue audit reports for more than 100 
issuers are inspected annually. Therefore, the set of inspected 
firms and engagements is not fixed year over year.
    \391\ Current PCAOB QC standards recognize that the nature, 
extent, and formality of a firm's QC policies and procedures should 
take into account various factors, including the size of the firm. 
Because PCAOB QC assessments also take into account these factors, 
the number of QC deficiencies across each of the three categories of 
firms are not directly comparable. See PCAOB Rel. No. 104-2006-077, 
at 9-10.
---------------------------------------------------------------------------

     The analysis of audit and attestation engagement 
deficiencies included in annual reports on the PCAOB's interim 
inspection program related to audits of brokers and dealers below is 
presented over a 12-year period. The 2011 through 2022 period is used 
because 2011 was the first year of the interim inspection program and 
2022 is the most recent year that data are available as of the date of 
this analysis. Information on deficiencies associated with attestation 
examinations or reviews is not available prior to 2015 because 2015 was 
the first full year during which the PCAOB was able to review 
attestation engagements of brokers and dealers.
1. Proxies Related to Compliance With Professional Standards
    This subsection presents analyses of three quantitative proxies for 
the level of compliance with professional standards and thus provides 
information on the baseline for considering the key expected benefit of 
the requirements: improved compliance with professional standards. 
Specifically, it presents information on Part I.A deficiencies, QC 
deficiencies related to audit performance, and broker-dealer engagement 
deficiencies, from the audits or engagements PCAOB inspected. Overall, 
the analyses suggest that some firms' QC systems may not be providing 
the required reasonable assurance. Broker-dealer engagements and issuer 
audits performed by firms other than U.S. GNFs appear to have more room 
for improvement on average based on the period examined.
a. Part I.A Deficiencies
    Figure 1 presents for categories of PCAOB-inspected audits the 
percentage of inspected issuer audits having at least one Part I.A 
deficiency. PCAOB staff calculated the Part I.A deficiency rates by 
dividing the number of inspected issuer audits that had at least one 
Part I.A deficiency by the number of inspected issuer audits for each 
given year. The Part I.A deficiency rate should not be equated with the 
rate of audit deficiencies across the whole issuer population. It may 
understate the true rate of issuer audit deficiencies because some 
deficiencies may not rise to the level of a Part I.A deficiency and 
because PCAOB inspectors do not inspect all aspects of inspected 
audits. However, it may also overstate the true rate of issuer audit 
deficiencies because PCAOB inspectors generally focus their attention 
on, among other things, audits and audit areas with a heightened risk 
of material misstatement.
    Despite these potential biases in the Part I.A deficiency rate, the 
Board believes that the Part I.A deficiency rates presented in Figure 1 
are indicative of underlying issuer audit deficiencies. However, there 
are two caveats that may impact the interpretation of Figure 1. First, 
because the audits with deficiencies are not drawn from a random 
sample, the deficiencies could be driven in part by changes over time 
in the proportion of reviewed audits that were selected based on 
characteristics associated with high-risk audits. Second, PCAOB 
inspections staff review more focus areas during reviews of U.S. GNF 
issuer audits than they do during reviews of other firms' issuer 
audits, increasing the opportunity for a reviewed U.S. GNF issuer audit 
to have at least one Part I.A deficiency.
    For U.S. GNFs, Figure 1 shows that the percentage of inspected 
issuer audits having at least one Part I.A deficiency was 37% in 2011 
and 30% in 2022 For other firms, the percentage has remained in the 31% 
to 53% range.

[[Page 49701]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.013

    Figure 2 provides additional insight on how the percentage of 
inspected issuer audits having at least one Part I.A deficiency varies 
by firm. Each bar indicates the percentage of 2020, 2021, and 2022 firm 
inspections with a Part I.A deficiency rate within a given range. For 
example, Figure 2 indicates that 22% of all 2020, 2021, and 2022 U.S. 
GNF inspections and 11% of all 2020, 2021, and 2022 inspections of 
other firms with more than five inspected engagements had a Part I.A 
deficiency rate below 10%. Figure 2 excludes firm inspections with five 
or fewer inspected engagements because the Part I.A deficiency rate is 
a less informative proxy in these cases due to the small number of 
inspected engagements.

[[Page 49702]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.014


    Note:  During the 2020, 2021, and 2022 inspection years, there 
were in total 18 inspections of U.S. GNFs and 35 inspections of 
other firms having more than five engagements reviewed.

b. QC Deficiencies Related to Audit Performance
    Figure 3 presents the average number of QC deficiencies related to 
audit performance per inspected firm. QC deficiencies related to audit 
performance are inferred through analysis of inspections of individual 
audits and thus represent another proxy for the level of compliance 
with professional standards. To prepare Figure 3, PCAOB staff counted 
the number of distinct QC deficiencies related to audit performance in 
Part II of PCAOB inspection reports. Staff assigned a zero to firm 
inspections that resulted in no QC deficiencies related to audit 
performance. Staff then calculated averages per inspected firm by year 
and firm group, assigning equal weight to each QC deficiency regardless 
of its nature or whether it was a repeat deficiency. While the total 
number of QC deficiencies is not readily comparable across each of the 
three categories of firms because of differences in inspection 
approach, the averages have ranged between 3.3 and 15.8 for U.S. GNFs, 
between 2.9 and 8.0 for other firms having more than five engagements 
reviewed, and between 0.9 and 2.7 for other firms having five or fewer 
engagements reviewed. Two caveats may impact the interpretation of 
Figure 3. First, starting in 2019, the PCAOB revised its approach to 
identifying QC deficiencies related to audit performance. The Board 
believes this policy change reduced the number of QC deficiencies 
related to audit performance for some of the inspections of non-
affiliated firms (``NAFs'') but not for the U.S. GNFs. Second, the 
variability in the deficiency rate in the second panel may be due in 
part to year-over-year changes in the set of firms having more than 
five engagements reviewed, which may include triennial firms.\392\
---------------------------------------------------------------------------

    \392\ Firms that issued audit reports with respect to 100 or 
fewer issuers during the prior calendar year (``triennial firms'') 
must be inspected at least once every three years.

---------------------------------------------------------------------------

[[Page 49703]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.015

c. Broker-Dealer Engagement Deficiencies
    Figure 4 presents the percentage of broker-dealer audits with 
deficiencies and the percentage of attestation engagements and reviews 
with deficiencies, among the selected sample of PCAOB engagements. The 
percentages are reproduced from the PCAOB's annual reports on the 
interim inspection program related to the audits of broker-dealers. The 
percentages are equal to the number of inspected engagements for which 
there were deficiencies divided by the number of inspected engagements. 
The percentages of audits and attestation examinations with 
deficiencies have remained greater than 45%. The percentage of 
attestation reviews with deficiencies has remained in the 23% to 54% 
range.
[GRAPHIC] [TIFF OMITTED] TN11JN24.016


[[Page 49704]]


2. Resources Associated With QC systems
    Firms implement their QC systems through a set of policies and 
procedures. These policies and procedures vary across firms, reflecting 
both the principles-based nature of current QC standards and the 
variation in firms' particular circumstances. To inform the baseline 
for considering the expected costs of the requirements, PCAOB staff: 
(1) held initial discussions with U.S. GNFs to obtain qualitative 
information regarding the resources associated with their QC systems 
and (2) conducted a voluntary survey of U.S. GNFs on the resources they 
employ to design, implement, and operate QC policies and procedures. 
Overall, the information indicates the resources that U.S. GNFs are 
already devoting to the design, implementation, and operation of QC 
policies and procedures related to the ISQM 1 requirements.
    The U.S. GNF survey requested both qualitative and quantitative 
information for each of the eight QC system components specified by 
ISQM 1: risk assessment, governance and leadership, independence and 
ethics, acceptance and continuance, engagement performance, resources 
(human, intellectual, and technological), information and 
communication, and monitoring and remediation.\393\ In addition, the 
survey requested qualitative and quantitative information related to 
network requirements or network services, evaluation of the QC system, 
and documentation.\394\ The request referred to ISQM 1 explicitly in 
order to facilitate comparability of the information gathered across 
firms and to the proposed QC standard.
---------------------------------------------------------------------------

    \393\ See paragraphs 23-33 and 35-47 of ISQM 1.
    \394\ See paragraphs 48-60 of ISQM 1.
---------------------------------------------------------------------------

    All six U.S. GNFs provided qualitative information and five 
provided quantitative information. Staff received completed surveys 
between June 23 and July 6, 2021. The respondents provided the 
information as of their most recently completed fiscal year-end or QC 
system assessment date.
    The qualitative information that PCAOB staff received indicates 
that U.S. GNFs' QC policies and procedures are extensive and highly 
integrated with the audit process. Multiple groups, teams, functions, 
and individuals participate in the design, implementation, and 
operation of QC policies and procedures. Engagement teams play a key 
role in the operation of many QC policies and procedures. Among other 
QC-related responsibilities, engagement teams often assist in 
acceptance and continuance decisions; initiate consultations; help 
maintain accurate and complete information within independence systems; 
attend training; and initiate and complete individual performance 
evaluations.
    The U.S. GNFs' QC systems involve multiple IT systems that support 
QC activities and may also serve other operational functions. These QC 
systems may also rely upon work or services provided by the firm's 
global network and/or third-party vendors. Global network services may 
relate to development and maintenance of technological and intellectual 
resources (e.g., global audit methodology, global independence and 
assurance policies and procedures, etc.) or monitoring the quality of 
audit services performed by network affiliates. The firms report making 
ongoing investments in their QC systems, including implementation of 
new technology that supports QC activities.
    The quantitative portion of the survey asked the U.S. GNFs to 
estimate: (1) the number of firm personnel involved in designing, 
implementing, or operating QC policies and procedures on an annual 
basis (by partner vs. non-partner); (2) the percentage of their time 
committed; and (3) the expected percentage change in QC resource 
requirements as of December 15, 2022, when ISQM 1 became 
effective.\395\ PCAOB staff asked the firms to include in their 
estimates only those resources directly related to the design, 
implementation, and operation of QC policies and procedures over audits 
of U.S. issuers and broker-dealers. In cases where removing time spent 
on QC policies and procedures related to audits of private companies 
was prohibitively difficult or impossible, staff asked firms to include 
this time in their estimates and describe the inseparable portion. 
Firms reported that their QC policies and procedures generally apply 
across their entire audit practice and thus their estimates typically 
included resources dedicated to QC systems over engagements performed 
under PCAOB standards as well as audits performed under other 
standards.
---------------------------------------------------------------------------

    \395\ More specifically, staff asked U.S. GNFs to estimate the 
number of firm personnel who are directly involved in the design, 
implementation, or operation of each QC system component by 
commitment level (i.e., <10%, 10-40%, 40-60%, 60-90%, or >90% of the 
individual's time). If an individual committed time to multiple QC 
system components, staff asked firms to count the individual once 
for each QC component and to indicate the time committed to each 
component. For example, if an individual committed 100% of the 
individual's time to the firm's QC system, 50% to acceptance and 
continuance and 50% to monitoring and remediation, firms were asked 
to count the individual under the 40-60% commitment level for both 
components.
---------------------------------------------------------------------------

    In initial discussions with the U.S. GNFs, firms reported that 
identifying all firm personnel hours related to their QC systems would 
be an enormous challenge. To make the data request feasible, PCAOB 
staff directed firms to exclude from their quantitative estimates time 
spent by engagement teams operating QC policies and procedures (e.g., 
performing independence procedures, planning for or engaging in 
consultations, executing the firm's methodology) and facilitating 
internal inspections. Staff also asked firms to exclude: (1) time spent 
by firm personnel attending training; (2) time spent by individuals on 
compliance with personal independence policies and procedures; (3) time 
spent performing engagement quality reviews of individual engagements; 
and (4) any resources invested at the global network level to design, 
implement, or operate QC policies or procedures. The qualitative 
information received from the firms suggests that these aspects of 
their QC systems are likely resource-intensive.
    Table 1 summarizes the quantitative information received in 
aggregate form. It presents the means and standard deviations of 
partner, non-partner, and total full-time equivalents (FTEs) by QC 
system component.\396\ The means provide a sense of average scale while 
the standard deviations provide a sense of average variability across 
the firms. Overall, the means presented in Table 1 indicate that U.S. 
GNFs commit a mean of 647.9 total FTEs to designing, implementing, and 
operating their QC policies and procedures. QC policies and procedures 
related to: (1) independence and ethics utilize a mean of 189.9 total 
FTEs and (2) human,

[[Page 49705]]

intellectual, and technological resources utilize a mean of 252.6 total 
FTEs. Non-partner FTEs are roughly 3.5 times partner FTEs, but partners 
play a relatively larger role in the governance and leadership, 
engagement performance, and monitoring and remediation components of QC 
systems. The standard deviations presented in Table 1 indicate that the 
average variability across firms is 499.9 total FTEs. The average 
variability for the independence and ethics component is 173.9 total 
FTEs and for the resources component is 295.2 total FTEs.
---------------------------------------------------------------------------

    \396\ To calculate the means presented in Table 1, staff summed 
the number of individuals directly involved in the design, 
implementation, or operation of each QC system component, weighting 
individuals by the mid-point of their respective commitment level 
and divided by the number of firms that were able to provide data 
for the respective QC system component. The ``Total'' row mean is 
equal to the number of individuals directly involved in the design, 
implementation, or operation of any QC system component, weighting 
individuals by the mid-point of their respective commitment level 
divided by five (i.e., the number of firms that provided 
quantitative information). Therefore, the ``Total'' row mean does 
not equal the sum of the QC component-level means. The standard 
deviations presented in Table 1 were calculated without Bessel 
corrections. The standard deviation for the ``Other'' component is 
equal to the geometric mean of the standard deviations of the 
network requirements or network services, evaluation of the system 
of quality management, and documentation components. The Board's 
data are insufficient to account for potential covariances between 
these components.
---------------------------------------------------------------------------

    The mean ``Total'' row values presented in Table 1 may include some 
underestimation error for several reasons. First, some firms were 
unable to reasonably estimate all of the resources for certain 
components, most notably for the governance and leadership component. 
Second, firms were generally unable to reliably estimate the cost of IT 
infrastructure that supports the QC system. Third, firms were generally 
unable to reliably estimate the portion of common-pool resources 
attributable to the QC system that support broader operational or 
financial objectives of the firm. Fourth, due to estimation challenges 
as described above, firms were directed to exclude certain resources 
from their estimates, including time spent by engagement teams 
executing QC policies and procedures and time spent by firm personnel 
attending training.
    By contrast the mean ``Total'' row values may also include some 
overestimation error. For example, firms broadly reported that their QC 
policies and procedures apply to both issuer and non-issuer audits and 
it would generally be infeasible to identify firm personnel hours 
related to quality control over issuer audits only. In these cases, 
PCAOB staff asked firms to include both issuer and non-issuer QC hours 
in their estimates.
    Some firms were unable to separately break out the level of 
resources committed to designing, implementing, and operating QC 
policies and procedures for risk assessment, information and 
communication, network requirements or network services, evaluation of 
the system of quality management, and documentation. These firms 
distributed these resources across the remaining components. While this 
leads to some overestimation error to the remaining components, the 
information provided by the firms that were able to separately break 
out these components indicates that these components are relatively 
less resource-intensive and, therefore, the overestimation error is 
likely small. This overestimation error does not apply to the mean 
``Total'' row values because any errors in how the firms allocated 
across components nets out when summing.

                    Table 1--Resources Associated With U.S. GNFs' QC Policies and Procedures
----------------------------------------------------------------------------------------------------------------
                                                                                 Total (FTEs)
                                    Partner     Non-partner ----------------------------------------------------
                                  (FTEs) mean     (FTEs)                                  Mean per
                                                               Per firm      St. dev        firm       St. dev
----------------------------------------------------------------------------------------------------------------
Risk Assessment.................          2.1          1.4           4.6          2.3           6.7          2.4
Governance and Leadership.......         10.0          5.8           9.2          9.3          19.2         14.7
Independence and Ethics.........         17.7         15.7         172.2        164.2         189.9        173.9
Acceptance and Continuance......         11.5          6.1          13.7         13.8          25.2         14.2
Engagement Performance..........         38.9         23.1          52.8         29.0          91.7         49.0
Resources.......................         42.4         36.6         210.2        267.0         252.6        295.2
Information and Communication...          2.6          2.6           8.6          3.3          11.2          4.9
Monitoring and Remediation......         22.1          7.1          34.9         15.1          56.9         21.1
Other *.........................          4.1          0.6          11.6          2.5          15.6          2.8
                                 -------------------------------------------------------------------------------
    Total.......................        143.6         85.3         504.3        428.9         647.9        499.9
----------------------------------------------------------------------------------------------------------------
* The ``Other'' category includes network requirements or network services, evaluation of the system of quality
  management, and documentation.

    Most U.S. GNFs were unable to provide precise estimates regarding 
expected future changes in QC system resource requirements as of 
December 15, 2022, when ISQM 1 became effective. The qualitative 
information provided by the firms indicates that: (1) additional 
resources likely were required; (2) some of the U.S. GNFs had assigned 
teams to manage ISQM 1 implementation; and (3) the risk assessment 
component and the evaluation of the system of quality management 
component were expected to require the most additional resources.
    The Board also received information regarding non-GNFs through the 
proposal comment process that indicates that non-GNFs have devoted 
resources to the design, implementation, and operation of QC policies 
and procedures related to ISQM 1 and/or SQMS 1 requirements. One 
commenter noted that national firms with fewer than 500 issuers have 
significantly fewer resources associated with QC policies and 
procedures.\397\ One commenter noted that firms have invested 
significant time and resources to comply with the existing quality 
management standards from other standard setters, and another commenter 
noted that, at least with respect to QC roles and responsibilities, 
smaller firms have already designed their processes to accord with ISQM 
1 and SQMS 1. One firm explained that its implementation efforts of 
ISQM 1 required a great deal of evaluation of risks and related 
responses, and another firm explained that its implementation effort 
was a significant undertaking that involved a number of people across 
the firm. Another commenter suggested that non-U.S. firms may be 
incorporating quality management frameworks adopted by their local 
regulator, such as CPAB's Quality Management System framework. Several 
commenters representing non-GNF perspectives focused more generally on 
the provisions of QC 1000 that diverge from ISQM 1 and SQMS 1, which 
the Board understands as implying that these firms had expended 
resources to construct and operate quality control systems in 
compliance with those standards. However, at least one

[[Page 49706]]

commenter noted that for small firms that do not need to comply with 
ISQM 1, efforts may be ongoing to implement SQMS 1, indicating that 
some of these firms may be focused on resources for design and may not 
yet be spending resources to operate QC policies in line with SQMS 1.
---------------------------------------------------------------------------

    \397\ The commenter asserted that the mean total FTEs reported 
in Table 1 for GNFs represent approximately 10% of partners and 
employees for firms of similar size and composition to the 
commenter. However, the commenter also reported having approximately 
90% fewer partners and employees than some U.S. GNFs and 
approximately 99% fewer than other U.S. GNFs, so the resources 
reported in Table 1 would likely be scaled down accordingly for the 
commenter and similar sized firms.
---------------------------------------------------------------------------

    One commenter noted research that appears to be too tangential or 
unrelated to actual resources employed by firms to be useful for 
advancing the Board's understanding of resources associated with the 
design, implementation, and operations of their QC systems. The 
commenter noted that most academic studies related to resources 
employed by NAFs or foreign affiliates of GNFs in the design, 
implementation, and operations of their QC systems focus on either: (1) 
the contributions of internal quality reviews to audit firm quality 
\398\ or (2) the association of audit firm network arrangements, as 
proxies for resources, with audit quality.\399\ For example, one study 
suggests that when firms have formal connections via networks or large 
alliance arrangements, audits within those arrangements have similar 
levels of quality,\400\ which the commenter noted may imply that formal 
connections are a vehicle to share and enforce QC practices.
---------------------------------------------------------------------------

    \398\ See, e.g., Richard W. Houston and Chad M. Stefaniak, Audit 
Partner Perceptions of Post-Audit Review Mechanisms: An Examination 
of Internal Quality Reviews and PCAOB Inspections, 27 Accounting 
Horizons 23 (2013); Denise Hanes Downey and Kimberly D. Westermann, 
Challenging Global Group Audits: The Perspective of US Group Audit 
Leads, 38 Contemporary Accounting Research 1395 (2021); Olof Bik and 
Reggy Hooghiemstra, Cultural Differences in Auditors' Compliance 
with Audit Firm Policy on Fraud Risk Assessment Procedures, 37 
Auditing: A Journal of Practice & Theory 25 (2018).
    \399\ See, e.g., Renee Flasher and Kristy Schenck, Exploring 
PCAOB Inspection Results for Audit Firms Headquartered Outside of 
the US, 37 Journal of International Accounting, Auditing and 
Taxation 1 (2019); Philip Keejae Hong, David S. Kerr, and Casper E. 
Wiggins, PCAOB International Inspections: Updates and Extensions, 26 
International Journal of Auditing 279 (2022); Matthew S. Ege, Young 
Hoon Kim, and Dechun Wang, Do Global Audit Firm Networks Apply 
Consistent Audit Methodologies across Jurisdictions? Evidence from 
Financial Reporting Comparability, 95 The Accounting Review 151 
(2020).
    \400\ See Flasher and Schenck, Exploring PCAOB Inspection 
Results 1.
---------------------------------------------------------------------------

3. Developments in Firms' QC Policies and Procedures
    This subsection provides information on the evolution of firms' QC 
policies and procedures. First, it describes changes firms have made to 
their QC policies and procedures to remediate QC deficiencies 
identified in inspection reports. Second, it presents analyses of QC 
deficiencies related to firms' management of their audit practices. QC 
deficiencies related to firms' management of their audit practice 
relate to the operation of QC policies and procedures. Overall, the 
information suggests that QC policies and procedures are advancing.
    Many firms have implemented a number of changes to their QC systems 
to remediate their QC deficiencies.\401\ Changes brought about through 
remediation are wide-ranging and can touch upon all major elements of 
the current QC standards. The nature, extent, and formality of changes 
made by a firm vary based on the size of the firm and the nature and 
complexity of its practice. Examples of changes made by various types 
of firms include: \402\
---------------------------------------------------------------------------

    \401\ Additional information about the PCAOB remediation process 
is available on the PCAOB website at https://pcaobus.org/oversight/inspections/remediation/remediation_process.
    \402\ Examples are drawn from firms' Rule 4009 submissions. A 
Rule 4009 submission is a submission prepared by a firm, pursuant to 
PCAOB Rule 4009, concerning the ways in which a firm has addressed a 
QC criticism. For additional background, see PCAOB Rel. No. 104-
2006-077.
---------------------------------------------------------------------------

     Adding in-process review and coaching programs to assist 
engagement teams in certain challenging areas, including ICFR and 
accounting estimates;
     Creating a committee to evaluate partner performance in 
relation to audit quality and issuing an accountability framework with 
penalties for negative audit quality events;
     Implementing a new template that includes guidance to 
facilitate the assessment and documentation of partner performance, 
including guidance related to various performance metrics (such as 
technical knowledge; leadership and training skills; and compliance 
with firm quality control policies and procedures);
     Requiring audit partners to articulate specific actions 
they will take to achieve performance goals related to audit quality 
and providing additional guidance and information around partner 
workload management;
     Implementing new policies and procedures for engagement 
teams to focus on obtaining a thorough understanding of how issuers 
initiate, record, process, and report significant classes of 
transactions and how that information is recorded in the financial 
statements;
     Hiring external consultants to work with the firm to 
develop a new ICFR audit approach;
     Adding new leadership positions to the internal inspection 
program, developing new analysis and reporting of internal inspection 
findings, and beginning to disseminate findings more broadly;
     Creating a committee to provide oversight on the firm's 
audit quality initiatives and a new leadership position to drive 
consistency across regions; and
     Implementing new templates that provide guidance related 
to performing a root cause analysis, including identifying areas of a 
firm's quality control process to perform causal analysis, collecting 
relevant data, and documenting the results.
    The Board took these observations into account in developing QC 
1000.
    One commenter, an academic, referred to a recent unpublished study 
examining how firms change and manage their QC systems, which involved 
surveying QC leaders from eight U.S. accounting firms. The commenter 
reported that the three most common changes currently underway in the 
firms relate to: (1) engagement monitoring and use of data analytics; 
(2) organizational structure (e.g., a dedicated ISQM team, independent 
advisors); and (3) a more proactive approach to identifying QC 
issues.\403\
---------------------------------------------------------------------------

    \403\ The commenter also reported that the three most commonly 
described ideal changes relate to: (1) engagement monitoring and use 
of data analytics; (2) human talent-related initiatives such as 
changes to hiring and promotion practices; and (3) client risk 
assessment processes. Ideal changes are described as changes the QC 
leaders would make if the firms did not face resource constraints.
---------------------------------------------------------------------------

    Figure 5 presents the average number of QC deficiencies related to 
firms' management of their audit practice per inspected firm. To 
prepare Figure 5, PCAOB staff counted the number of distinct QC 
deficiencies related to firms' management of their audit practice in 
Part II of PCAOB inspection reports. Staff assigned a zero to firm 
inspections that resulted in no QC deficiencies related to the firm's 
management of its audit practice. Staff then calculated averages per 
inspected firm by year and firm group, assigning equal weight to each 
QC deficiency regardless of its nature or whether it was a repeat 
deficiency. While the total number of QC deficiencies are not readily 
comparable across each of the three categories of firms, the averages 
have ranged between 0.8 and 10.2 for U.S. GNFs, between 0.3 and 1.5 for 
other firms having more than five engagements reviewed, and between 0.3 
and 0.6 for other firms having five or fewer engagements reviewed.

[[Page 49707]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.017

4. Academic Literature on Quality-Threatening Behaviors and Quality 
Control
    This subsection discusses academic research on behaviors that 
suggest certain weaknesses in QC systems in practice. Over time, 
researchers have documented a variety of quality-threatening behaviors, 
including ``premature sign-off of audit procedures, failure to perform 
required procedures, inappropriate reductions in substantive testing or 
other forms of under-auditing, underreporting of time, inadequate 
adjustments of audit procedures in response to changing risk 
conditions, and over-reliance on management explanations of unusual 
deviations in analytical procedures.'' \404\
---------------------------------------------------------------------------

    \404\ Monika Causholli and W. Robert Knechel, An Examination of 
the Credence Attributes of an Audit, 26 Accounting Horizons 631, 647 
(2012).
---------------------------------------------------------------------------

    Some commenters provided additional specific examples of quality-
threatening behaviors. For example, one commenter reported that some 
academic research finds auditors may not always be objective when 
deciding on the acceptability of management's accounting choices or 
when recommending audit adjustments that would reduce reported income 
or assets.\405\ Citing a settlement between a U.S. GNF and the Federal 
Deposit Insurance Corporation, another commenter asserted that one 
firm's QC system failed when one of the firm's engagement teams 
inappropriately assigned a responsibility to an intern.
---------------------------------------------------------------------------

    \405\ See, e.g., Kathryn Kadous, Jane S. Kennedy, and Mark E. 
Peecher, The Effect of Quality Assessment and Directional Goal 
Commitment on Auditors' Acceptance of Client-Preferred Accounting 
Methods, 78 Accounting Review 759 (2003); Christopher Koch and 
Steven E. Salterio, The Effects of Auditor Affinity for Client and 
Perceived Client Pressure on Auditor Proposed Adjustments, 92 
Accounting Review 117 (2017); Lori Shefchik Bhaskar, Patrick E. 
Hopkins, and Joseph H. Schroeder, An Investigation of Auditors' 
Judgments When Companies Release Earnings before Audit Completion, 
57 Journal of Accounting Research 355 (2019).
---------------------------------------------------------------------------

    Research suggests that quality-threatening behaviors imply a 
failure of QC systems to provide reasonable assurance of 
compliance.\406\ Moreover, some research suggests that, while not 
solely responsible, certain features of firms' management of their 
audit practice may encourage quality-threatening behaviors.\407\ For 
example, experimental research suggests that certain cognitive biases 
in auditor evaluation and reward systems may inadvertently deter 
appropriate professional skepticism \408\ and other studies suggest 
that partner reward systems at some firms may weight revenue generation 
more heavily than professional competencies.\409\ Some research finds 
that reward systems oriented toward revenue generation are associated 
with lower proxies for audit quality.\410\ Synthesizing several recent 
academic studies, one commenter reported that an excessive focus on 
commercialism, rather than professionalism, continues to be a dominant 
focus within firms' cultures and may negatively impact audit 
quality.\411\ The commenter also reported that academic research 
indicates quality-threatening behaviors may be negatively associated 
with audit team leadership characteristics.\412\ For

[[Page 49708]]

example, skeptical auditors may be penalized if they do not find a 
material misstatement,\413\ audit managers sometimes reward senior 
associates for performing the unethical act of under-reporting time 
when the client is more desirable,\414\ or while internal inspections 
lead to increased auditor effort in the inspection year, positive 
internal inspection results may lead auditors to decrease effort in the 
future.\415\
---------------------------------------------------------------------------

    \406\ See, e.g., Jean C. Bedard, Donald R. Deis, Mary B. Curtis, 
and J. Gregory Jenkins, Risk Monitoring and Control in Audit Firms: 
A Research Synthesis, 27 Auditing: A Journal of Practice & Theory 
187 (2008).
    \407\ See, e.g., David P. Donnelly, Jeffrey J. Quirin, and David 
O'Bryan, Attitudes Toward Dysfunctional Audit Behavior: The Effects 
of Locus of Control, Organizational Commitment, and Position, 19 
Journal of Applied Business Research 95 (2003).
    \408\ See, e.g., Joseph F. Brazel, Scott B. Jackson, Tammie J. 
Schaefer, and Bryan W. Stewart, The Outcome Effect and Professional 
Skepticism, 91 The Accounting Review 1577 (2016).
    \409\ See, e.g., Marie-Laure Vandenhaute, Kris Hardies, and 
Diane Breesch, Professional and Commercial Incentives in Audit 
Firms: Evidence on Partner Compensation, 29 European Accounting 
Review 521 (2020).
    \410\ See, e.g., J[uuml]rgen Ernstberger, Christopher Koch, Eva 
Maria Schreiber, and Greg Trompeter, Are Audit Firms' Compensation 
Policies Associated With Audit Quality? 37 Contemporary Accounting 
Research 218 (2020); Thomas Riise Johansen and Jeppe Christoffersen, 
Performance Evaluations in Audit Firms: Evaluation Foci and 
Dysfunctional Behavior, 21 International Journal of Auditing 24 
(2017).
    \411\ See, e.g., Christina Thomas Alberti, Jean C. Bedard, Olof 
Bik, and Ann Vanstraelen, Audit Firm Culture: Recent Developments 
and Trends in the Literature, 31 European Accounting Review 59 
(2022); Chris Carter and Crawford Spence, Being a Successful 
Professional: An Exploration of Who Makes Partner in the Big 4, 31 
Contemporary Accounting Research 949 (2014); Ken H. Guo, The 
Institutionalization of Commercialism in the Accounting Profession: 
An Identity-Experimentation Perspective, 35 Auditing: A Journal of 
Practice and Theory 99 (2016); Claire-France Picard, Sylvain 
Durocher, Yves Gendron, The Colonization of Public Accounting Firms 
by Marketing Expertise: Processes and Consequences, 37 Auditing: A 
Journal of Practice & Theory 191 (2018); Jonathan S. Pyzoha, Mark H. 
Taylor, and Yi-Jing Wu, Can Auditors Pursue Firm-Level Goals 
Nonconsciously on Audits of Complex Estimates? An Examination of the 
Joint Effects of Tone at the Top and Management's Specialist, 95 The 
Accounting Review 367 (2020).
    \412\ See, e.g., Noel Harding and Ken T. Trotman, The Effect of 
Partner Communications of Fraud Likelihood and Skeptical Orientation 
on Auditors' Professional Skepticism, 36 Auditing: A Journal of 
Practice & Theory 111 (2017); Sean A. Dennis and Karla M. Johnstone, 
A Field Survey of Contemporary Brainstorming Practices, 30 
Accounting Horizons 449 (2016); Jodi L. Gissel and Karla M. 
Johnstone, Information Sharing During Auditors' Fraud Brainstorming: 
Effects of Psychological Safety and Auditor Knowledge, 12 Current 
Issues in Auditing P1 (2018).
    \413\ See, e.g., Brazel, et al., The Outcome Effect.
    \414\ See, e.g., Christopher P. Agoglia, Richard C. Hatfield, 
Tamara A. Lambert, Audit Team Time Reporting: An Agency Theory 
Perspective, 44 Accounting, Organizations & Society 1 (2015). 
Desirability in this case is determined by various situational and 
contextual factors that are inherent to the client, such as a client 
that is convenient for the audit manager's work schedule, a client 
that is easy to get to, client management that the audit manager 
gets along particularly well with personally, a client that is 
within the audit manager's industry of interest, or an engagement 
that involves an influential partner at the audit manager's office.
    \415\ See, e.g., Daniel Aobdia and Reining C. Petacchi, The 
Effect of Audit Firm Internal Inspections on Auditor Effort and 
Financial Reporting Quality, 98 The Accounting Review 1 (2023).
---------------------------------------------------------------------------

    An excessive focus on commercial objectives may also lead to undue 
focus on cost-control in the execution of audits. For example, in one 
study, audit staff report working, on average, five hours per week, and 
sometimes 20 hours per week, past the threshold where they feel audit 
quality begins to deteriorate.\416\ In another study, audit staff 
report working on average 72 hours per week during busy season.\417\ 
Other research finds that a heavier workload in the fieldwork phase of 
the audit is negatively associated with proxies for audit quality \418\ 
and that high levels of time pressure are positively associated with 
audit quality-threatening behaviors.\419\ Referring to academic 
research, one commenter reported that engagement-level pressures, 
including meeting budgets, can affect audit quality.\420\ The commenter 
also reported that academic research finds that audit partner workload 
compression is negatively associated with audit quality.\421\
---------------------------------------------------------------------------

    \416\ See Julie S. Persellin, Jaime J. Schmidt, Scott D. 
Vandervelde, and Michael S. Wilkins, Auditor Perceptions of Audit 
Workloads, Audit Quality, and Job Satisfaction, 33 Accounting 
Horizons 95 (2019).
    \417\ See Dana R. Hermanson, Richard W. Houston, Chad M. 
Stefaniak, and Anne M. Wilkins, The Work Environment in Large Audit 
Firms: Current Perceptions and Possible Improvements, 10 Current 
Issues in Auditing A38 (2016).
    \418\ See, e.g., Brant E. Christensen, Nathan J. Newton, and 
Michael S. Wilkins, How Do Team Workloads and Team Staffing Affect 
the Audit? Archival Evidence from US Audits, 92 Accounting, 
Organizations and Society 1 (2021).
    \419\ See, e.g., Tobias Svanstr[ouml]m, Time Pressure, Training 
Activities and Dysfunctional Auditor Behaviour: Evidence from Small 
Audit Firms, 20 International Journal of Auditing 42 (2016).
    \420\ See, e.g., Mark E. Peecher, M. David Piercey, Jay S. Rich, 
and Richard M. Tubbs, The Effects of a Supervisor's Active 
Intervention in Subordinate's Judgments, Directional Goals, and 
Perceived Technical Knowledge Advantage on Audit Team Judgments, 85 
Accounting Review 1763 (2010); Koch and Salterio, The Effects 117; 
and William F. Messier and Martin Schmidt, Offsetting Misstatements: 
The Effect of Misstatement Distribution, Quantitative Materiality, 
and Client Pressure on Auditors' Judgments, 93 Accounting Review 335 
(2018).
    \421\ See, e.g., Jun Chen, Wang Dong, Hongling Han, and Nan 
Zhou, Does Audit Partner Workload Compression Affect Audit Quality? 
29 European Accounting Review 1021 (2020).
---------------------------------------------------------------------------

    One commenter noted academic papers that study various factors that 
may impact audit quality but appear to be too tangential or unrelated 
to quality-threatening behaviors that suggest certain weaknesses in QC 
systems. The commenter included academic research that studies the 
relationship between audit teams' use of the work of other participants 
and audit quality.\422\ The commenter also cited research from other 
countries that finds evidence that partner-related characteristics 
influence audit quality.\423\ In addition, the commenter noted academic 
papers that find evidence that non-audit services can negatively affect 
audit quality through mechanisms other than independence 
impairment.\424\ Moreover, the commenter included research that has 
examined the association between PCAOB inspections of audit firms and 
audit quality but does not appear to relate specifically to weaknesses 
in QC systems.\425\
---------------------------------------------------------------------------

    \422\ See, e.g., Candice T. Hux, Use of Specialists on Audit 
Engagements: A Research Synthesis and Directions for Future 
Research, 39 Journal of Accounting Literature 23 (2017); Joseph F. 
Brazel, Tina D. Carpenter, and J. Gregory Jenkins, Auditors' Use of 
Brainstorming in the Consideration of Fraud: Reports from the Field, 
85 The Accounting Review 1273 (2010); J. Gregory Jenkins, Eric M. 
Negangard, and Mitchell J. Oler, Getting Comfortable on Audits: 
Understanding Firms' Usage of Forensic Specialists, 35 Contemporary 
Accounting Research 1766 (2018); Emily E. Griffith, Jacqueline S. 
Hammersley, and Kathryn Kadous, Audits of Complex Estimates as 
Verification of Management Numbers: How Institutional Pressures 
Shape Practice, 32 Contemporary Accounting Research 833 (2015); 
Nathan H. Cannon and Jean C. Bedard, Auditing Challenging Fair Value 
Measurements: Evidence from the Field, 92 The Accounting Review 81 
(2017); Steven M. Glover, Mark H. Taylor, and Yi-Jing Wu, Current 
Practices and Challenges in Auditing Fair Value Measurements and 
Complex Estimates: Implications for Auditing Standards and the 
Academy, 36 Auditing: A Journal of Practice & Theory 63 (2017); J. 
Efrim Boritz, Natalia Kochetova-Kozloski, and Linda Robinson, Are 
Fraud Specialists Relatively More Effective than Auditors at 
Modifying Audit Programs in the Presence of Fraud Risk, 90 The 
Accounting Review 881 (2015); Aleksandra ``Ally'' B. Zimmerman, 
Dereck Barr-Pulliam, Joon-Suk Lee, and Miguel Minutti-Meza, 61 
Journal of Accounting Research 1363 (2023).
    \423\ See, e.g., W. Robert Knechel, Ann Vanstraelen, and Mikko 
Zerni, Does the Identity of Engagement Partners Matter? An Analysis 
of Audit Partner Reporting Decisions, 32 Contemporary Accounting 
Research 1443 (2015); Yanyan Wang, Lisheng Yu, Yuping Zhao, The 
Association between Audit-Partner Quality and Engagement Quality: 
Evidence from Financial Report Misstatements, 34 Auditing: A Journal 
of Practice & Theory 81 (2015); W. Robert Knechel, Lasse Niemi, and 
Mikko Zerni, Empirical Evidence on the Implicit Determinants of 
Compensation in Big 4 Audit Partnerships, 51 Journal of Accounting 
Research 349 (2013); Simon Dekeyser, Ann Gaeremynck, W. Robert 
Knechel, and Marleen Willekens, The Impact of Partners' Economic 
Incentives on Audit Quality in Big 4 Partnerships, 96 The Accounting 
Review 129 (2021); Herman Van Brenk, Barbara Majoor, and Arnold M. 
Wright, The Effects of Profit-Sharing Plans, Client Importance, and 
Reinforcement Sensitivity on Audit Quality, 40 Auditing: A Journal 
of Practice & Theory 107 (2021).
    \424\ See, e.g., Erik L. Beardsley, Andrew J. Imdieke, and 
Thomas C. Omer, The Distraction Effect of Non-audit Services on 
Audit Quality, 71 Journal of Accounting and Economics 1 (2021); Dain 
C. Donelson, Matthew Ege, Andrew J. Imdieke, and Eldar Maksymov, The 
Revival of Large Consulting Practices at the Big 4 and Audit 
Quality, 87 Accounting, Organizations and Society 1 (2020).
    \425\ See, e.g., Daniel Aobdia, The Impact of the PCAOB 
Individual Engagement Inspection Process--Preliminary Evidence, 93 
The Accounting Review 53 (2018); Inder K. Khurana, Nathan G. 
Lundstrom, and K.K. Raman, PCAOB Inspections and the Differential 
Audit Quality Effect for Big 4 and Non-Big 4 US Auditors, 38 
Contemporary Accounting Research 376 (2021); Lindsay M. Johnson, 
Marsha B. Keune, and Jennifer Winchel, U.S. Auditors' Perceptions of 
the PCAOB Inspection Process: A Behavioral Examination, 36 
Contemporary Accounting Research 1540 (2019); Kimberly D. 
Westermann, Jeffrey Cohen, and Greg Trompeter, PCAOB Inspections: 
Public Accounting Firms on ``Trial'', 36 Contemporary Accounting 
Research 694 (2019); Bradley E. Hendricks, Wayne R. Landsman, and F. 
Pe[ntilde]a-Romera, The Revolving Door between Large Audit Firms and 
the PCAOB: Implications for Future Inspection Reports and Audit 
Quality, 97 The Accounting Review 261 (2022).
---------------------------------------------------------------------------

5. Assumptions Regarding the Baseline
    Absent the requirements, the Board believes that many firms would 
continue to design and implement new QC policies and procedures or 
modify existing QC policies and procedures in response to evolving 
audit market conditions, technological advances, PCAOB oversight 
activities, internal monitoring, and actions of other standard 
setters.\426\ The Board believes that most firms have either 
implemented ISQM 1 or will implement SQMS 1 when it goes into effect. 
PCAOB-registered firms with an international presence or that are part 
of a global network will likely find it efficient to design and 
implement a QC system that complies with both PCAOB standards and ISQM 
1 and have that

[[Page 49709]]

system operate over their entire assurance practice. For similar 
reasons, PCAOB-registered firms with a private company audit practice 
will likely find it efficient to design and implement a QC system that 
complies with both PCAOB standards and SQMS 1 and have that system 
operate over their entire assurance practice.
---------------------------------------------------------------------------

    \426\ See above for additional background on the actions of 
other standard setters.
---------------------------------------------------------------------------

    Supporting that view, comment letters on the proposing release 
suggest that some firms have already designed and implemented, or are 
in the process of designing and implementing, QC policies and 
procedures consistent with the requirements of other QC standards. For 
example, one commenter said that nearly all firms are subject to 
multiple QC standards, including ISQM 1. Another commenter said that 
firms in Europe have invested heavily to implement ISQM 1. Another 
commenter said that nearly all firms that will need to adopt QC 1000 
are also subject to other QC standards, including ISQM 1 and SQMS 1, 
and that firms have already invested significant time and resources to 
comply with them. Another commenter presented its recent survey 
research that finds firms have started to prepare for ISQM 1 and SQMS 1 
implementation but that there is variation in their level of 
preparedness.\427\ Overall, the comments indicate that firms have made 
progress implementing the quality control standards of other standard 
setters.
---------------------------------------------------------------------------

    \427\ See Christie Hayne, Market E. Peecher, Jeff Pickerd, and 
Yuepin (Daniel) Zhou, Managing Quality Control Systems: How Audit 
Firms Experience and Navigate Conflicting Institutional Demands, 
available at https://ssrn.com/abstract=4339512.
---------------------------------------------------------------------------

    The Board's view is also informed by several public information 
sources. First, the AICPA website indicates that most registered firms 
that are headquartered in the U.S. were reviewed as part of the AICPA's 
Peer Review program since 2019, and therefore were required to comply 
with AICPA QC standards at that time.\428\ Second, among the U.S.-
headquartered firms that signed an issuer or broker-dealer audit 
opinion in 2021 but were not peer reviewed since 2019, most indicate on 
their web page that they perform audits or tax services that require 
them to comply with AICPA QC standards. Third, most foreign 
jurisdictions require companies to have a statutory audit performed, 
which the Board believes suggests that most registered firms 
headquartered in foreign jurisdictions likely perform audits under 
IAASB QC standards. Finally, firms' annual reports filed with the PCAOB 
on Form 2 for the April 1, 2022, through March 31, 2023, reporting 
period indicate that most firms collected fees for services aside from 
the performance of issuer audits and therefore may have performed 
services subject to AICPA or IAASB QC standards during that time. 
Overall, the Board believes these public information sources support 
its view that most firms will be complying with either ISQM 1 or SQMS 
1. Furthermore, most firms that will not be complying with ISQM 1 or 
SQMS 1 will likely be scaled-applicability firms and therefore less 
impacted by the requirements.
---------------------------------------------------------------------------

    \428\ See AICPA Peer Review web page, available at https://us.aicpa.org/interestareas/peerreview.
---------------------------------------------------------------------------

Need

1. Introduction and summary
    This section discusses the problem that the requirements are 
intended to address and explains how the requirements address it. 
Overall, three observations suggest that there is a problem that the 
requirements will help to address:
     Under current PCAOB QC standards, a firm's QC system is 
required to provide reasonable assurance that the firm's personnel 
comply with applicable professional standards, regulatory requirements, 
and the firm's standards of quality.\429\ However, the audit market 
does not currently provide sufficient incentives for all firms to 
design, implement, and operate QC systems that achieve this requirement 
on a consistent basis.
---------------------------------------------------------------------------

    \429\ See above for more discussion of current QC requirements.
---------------------------------------------------------------------------

     Current PCAOB QC standards contain higher-level principles 
and do not directly address recent developments in QC. As a result, the 
current regulatory baseline is not rigorous enough to sufficiently 
support PCAOB oversight, further undermining firms' and individuals' 
incentives to provide the required reasonable assurance.
     The lack of incentives to provide the required reasonable 
assurance is evidenced by the prevalence of audit performance 
deficiencies--i.e., Part I.A deficiencies and QC deficiencies related 
to audit performance discussed above--which, as noted in the first two 
observations above, suggest that some firms' QC systems are not 
providing the required reasonable assurance.
    The requirements of QC 1000 will help address the problem by 
establishing three overarching features, which are discussed further 
below:
     The requirements mandate firms' QC systems to more 
proactively assess risks and monitor and remediate deficiencies.
     The requirements improve accountability within firms with 
respect to the reasonable assurance objective.
     The requirements use more precise language and include 
more prescriptive requirements in key areas to reflect best practices.
2. The Audit Market Does Not Provide Sufficient Incentives for All 
Firms To Design, Implement, and Operate QC Systems That Provide 
Reasonable Assurance
    A diverse set of investors and other financial statement users need 
and request high quality audits. However, due to the presence of 
asymmetric information \430\ and positive externalities \431\ in the 
audit market, there are not sufficient incentives for all firms to 
design, implement, and operate QC systems that provide reasonable 
assurance that a firm's personnel comply with applicable professional 
standards, regulatory requirements, and the firm's standards of 
quality. This lack of incentives can lead to an inefficient allocation 
of audit services as described in the following paragraphs.
---------------------------------------------------------------------------

    \430\ See N. Gregory Mankiw, Principles of Economics 468 (6th 
ed. 2008) (``A difference in access to relevant knowledge is called 
an information asymmetry.'').
    \431\ See Mankiw, Principles of Economics 196 (``An externality 
arises when a person engages in an activity that influences the 
well-being of a bystander but neither pays nor receives any 
compensation for that effect. . . If it is beneficial, it is called 
a positive externality.'').
---------------------------------------------------------------------------

    Investors and other financial statement users cannot easily observe 
the services performed by an auditor. This information asymmetry 
creates a risk that, unbeknownst to investors and other financial 
statement users, auditors may under-audit and gather insufficient audit 
evidence to support their opinion or may otherwise depart from 
applicable requirements. Economic theory refers to this effect as moral 
hazard.\432\ While this may enable the auditor to do less work and 
reduce potential conflicts with company management and may therefore 
lead to short-run benefits for the auditor, it may also lead to a net 
welfare loss in the audit market as a whole.\433\
---------------------------------------------------------------------------

    \432\ See, e.g., Mankiw, Principles of Economics 468 (``Moral 
hazard is a problem that arises when one person, called an agent, is 
performing some task on behalf of another person, called the 
principal. If the principal cannot perfectly monitor the agent's 
behavior, the agent tends to undertake less effort than the 
principal considers desirable.'').
    \433\ See, e.g., Mankiw, Principles of Economics 145 (``Consumer 
surplus and producer surplus are the basic tools that economists use 
to study the welfare of buyers and sellers in a market. Consumer 
surplus is the benefit that buyers receive from participating in a 
market, and producer surplus is the benefit that sellers receive. It 
is therefore natural to use total surplus as a measure of society's 
economic well-being. . .Total surplus in a market is the total value 
to buyers of the goods, as measured by their willingness to pay, 
minus the total cost to sellers of providing those goods.'').

---------------------------------------------------------------------------

[[Page 49710]]

    A positive externality inherent to the current audit market may 
exacerbate this risk. The services of an auditor provide benefits to a 
variety of investors and financial statement users, including current 
shareholders, potential shareholders, investors in other companies, 
creditors, and regulators, among others. However, auditors do not 
bargain with all of these parties. Rather, Sarbanes-Oxley requires that 
the audit committee be responsible for the appointment, compensation, 
and retention of the auditor.\434\ In practice, company management may 
also play a role through its influence over the audit committee.\435\ 
This creates a de facto principal-agent relationship between the 
company and the auditor. Moreover, some beneficiaries of the auditor's 
work (e.g., investors generally, who benefit from overall confidence in 
the quality of financial information provided to the market) may have 
no influence on the auditor at all. Economic theory suggests that, in 
the presence of positive externalities such as these, markets may 
undersupply goods or services.\436\ As a result, the positive 
externality in the audit market may create an additional risk that 
auditors may gather insufficient audit evidence to support their 
opinion or otherwise depart from applicable requirements.
---------------------------------------------------------------------------

    \434\ See section 301 of Sarbanes-Oxley, 15 U.S.C 78j-1.
    \435\ See, e.g., Liesbeth Bruynseels and Eddy Cardinaels, The 
Audit Committee: Management Watchdog or Personal Friend of the CEO?, 
89 The Accounting Review 113 (2014) (finding that social ties 
between management and the audit committee are present in 39% of the 
companies in their sample and ``may reduce the quality of the audit 
committee's oversight'').
    \436\ See, e.g., Mankiw, Principles of Economics 200, 201 (``In 
the presence of a positive externality, the social value of the good 
exceeds the private value. The optimal quantity is therefore larger 
than the equilibrium quantity . . . Positive externalities lead 
markets to produce a smaller quantity than is socially 
desirable.'').
---------------------------------------------------------------------------

    A firm also faces its own management challenges in implementing its 
desired service, economic, and regulatory compliance objectives. 
Individual offices or personnel may have incentives that diverge from 
the firm's collective best interest. For example, some research 
suggests that certain partners or offices may be commercially dependent 
on particular clients and may be willing to take risks to retain those 
clients that the firm as a whole would not--a form of free riding on 
the firm's reputation and capacity to absorb potential litigation 
costs.\437\ In addition, research suggests that an audit firm's QC 
system is essential to increase audit effort and audit quality because 
it aligns incentives of individual partners with those of the 
firm.\438\ Even if QC systems were able to align the incentives of 
individual offices and personnel to the firm's collective best 
interest, some research suggests that behavioral biases (e.g., 
confirmation bias, over-optimism, and anchoring bias) may lead offices 
or personnel to act in ways contrary to both their own self-interest 
and the firm's collective best interest.\439\ One commenter presented 
its recent unpublished survey research regarding challenges firms face 
when implementing changes to their QC systems. The commenter reported 
that challenges include obtaining buy-in and acceptance from staff as 
well as managing different perspectives from various offices.\440\
---------------------------------------------------------------------------

    \437\ See, e.g., Robert A. Prentice, The Case of the Irrational 
Auditor: A Behavioral Insight into Securities Fraud Litigation, 95 
Northwestern University Law Review 133 (2000).
    \438\ See, e.g., Daniel Aobdia, The Economic Consequences of 
Audit Firms' Quality Control System Deficiencies, 66 Management 
Science 2883 (2019).
    \439\ See, e.g., Prentice, The Case of the Irrational Auditor 
133, 162.
    \440\ See Hayne, et al., Managing Quality Control Systems.
---------------------------------------------------------------------------

    Some firms may manage these challenges by adopting centralized 
control practices that may have ambiguous impacts on their QC systems. 
For example, academic research suggests that firms carefully screen new 
partners to act in the best interest of the firm\441\ and emphasize 
meeting engagement budgets--an easily monitored metric that ties 
directly to profitability.\442\ One commenter asserted that audit 
firms' financial incentives to operate too lean undermine audit 
quality. Investors and other financial statement users may have trouble 
monitoring how firms incentivize, implement, and monitor compliance 
with applicable professional requirements. These monitoring challenges, 
as well as the lack of specificity in current PCAOB QC standards, give 
firms the flexibility to design, implement, and operate QC systems that 
may not fully meet the needs of investors and other financial statement 
users.
---------------------------------------------------------------------------

    \441\ See, e.g., C. J. McNair, Proper Compromises: The 
Management Control Dilemma in Public Accounting and its Impact on 
Auditor Behavior, 16 Accounting, Organizations and Society 635 
(1991).
    \442\ See, e.g., Bernard Pierce and Breda Sweeney, Cost-Quality 
Conflict in Audit Firms: An Empirical Investigation, 13 European 
Accounting Review 415 (2004).
---------------------------------------------------------------------------

    In the absence of sufficient market incentives to achieve an 
efficient allocation of audit services,\443\ regulatory intervention 
can introduce incentives that generate changes in behavior and impact 
audit quality.\444\ For example, economic research suggests that 
auditing standards play a role in determining the amount of effort an 
auditor exerts, which ultimately impacts audit quality.\445\ In 
addition, auditing standards can introduce incentives by providing a 
baseline against which an auditor manages legal liability.\446\ 
Auditing standards also provide a benchmark for regulatory inspections 
and enforcement actions that introduce incentives for firms to initiate 
changes that impact audit

[[Page 49711]]

quality.\447\ Moreover, research suggests that PCAOB Part II inspection 
findings introduce strong incentives for firms to make changes 
necessary to remediate QC deficiencies in order to avoid public 
disclosure of the deficiencies.\448\
---------------------------------------------------------------------------

    \443\ An efficient allocation of resources occurs when total 
surplus is maximized. Total surplus is maximized when the good or 
service in question is supplied until the marginal benefit is equal 
to the marginal cost. See Mankiw, Principles of Economics 146-148.
    \444\ See, e.g., W. Robert Knechel, Do Auditing Standards 
Matter?, 7 Current Issues in Auditing A1 (2013) (explaining that 
auditing standards send a message to auditors that it is 
inappropriate to intentionally under-audit, regardless of 
incentives). Note that QC standards are not auditing standards but 
that auditing standards are a closely related form of regulatory 
intervention. Also, academic research suggests that a positive 
association among standard setting, auditor effort, and audit 
quality depends on a number of factors. See, e.g., Pingyang Gao and 
Gaoqing Zhang, Auditing Standards, Professional Judgment, and Audit 
Quality, 94 The Accounting Review 201 (2019) (showing that auditing 
standards can help align auditor incentives with investor interests 
by compelling the auditor to exert more effort, which improves audit 
quality, but that auditing standards can weaken the auditor's 
incentive to acquire expertise, which reduces audit quality); Mark 
DeFond and Jieying Zhang, A Review of Archival Auditing Research, 58 
Journal of Accounting and Economics 275 (2014) (concluding that the 
effectiveness of auditing standard setting is difficult to gauge 
since it involves broader consideration of the social welfare of all 
stakeholders).
    \445\ See, e.g., Marleen Willekens and Dan A. Simunic, Precision 
in Auditing Standards: Effects on Auditor and Director Liability and 
the Supply and Demand for Audit Services, 37 Accounting and Business 
Research 217 (2007) (showing that decreasing the precision of 
auditing standards initially incentivizes auditors to produce higher 
audit quality by exerting more effort but that decreasing precision 
beyond a certain point leads auditors to decrease effort).
    \446\ See, e.g., Ronald A. Dye, Auditing Standards, Legal 
Liability, and Auditor Wealth, 101 Journal of Political Economy 887 
(1993) (showing that an auditor who intends to comply with standards 
typically prefers higher standards when the auditor's personal 
wealth is observable by potential litigants but prefers lower 
standards when the auditor's wealth is unobservable); Causholli and 
Knechel, An Examination of the Credence 631 (explaining that 
regulation and litigation play an important role in shaping the 
audit process and an auditor's behavior); Knechel, Do Auditing 
Standards A1 (explaining that auditing standards can influence the 
likelihood and extent of under-auditing by providing a basis for 
auditor liability that is an increasing function of the extent to 
which auditor effort falls short of the standard-compliant level).
    \447\ See, e.g., Aobdia, The Impact of the PCAOB Individual 53 
(finding that firms take corrective action on engagements with PCAOB 
Part I inspection findings and the effects spillover to non-
inspected engagements); Phillip T. Lamoreaux, Michael Mowchan, and 
Wei Zhang, Does Public Company Accounting Oversight Board Regulatory 
Enforcement Deter Low-Quality Audits?, 98 The Accounting Review 335 
(2023) (finding that large audit firm offices improve audit quality 
following enforcement naming another office within their firm while 
small firm offices improve following enforcement of local small firm 
competitors).
    \448\ See, e.g., Aobdia, The Economic Consequences 2883.
---------------------------------------------------------------------------

3. Current PCAOB QC Standards Do Not Directly Address Recent QC 
Developments
    Developments in the auditing environment since the development of 
the current PCAOB QC standards by the AICPA and subsequent adoption of 
these standards on an interim basis by the Board are discussed above. 
In brief and as discussed above, the audit market has changed 
significantly since the AICPA developed the current PCAOB QC standards 
in 1997. At that time, the audit market was largely self-regulated by 
firms and QC inspections were performed through a peer review program. 
Since then, PCAOB oversight has led firms to address deficiencies 
identified during inspections, including making changes to their QC 
systems to remediate QC deficiencies.\449\ There have also been 
significant developments in the use of technology by firms in relation 
to QC activities and performing engagements. Some firm management and 
organizational structures have also evolved to include more focus on 
centralization and a globally consistent methodology. Some firms have 
strengthened their approaches to firm governance and leadership, 
incentive systems, and accountability. In addition, thought leadership 
in quality management has advanced,\450\ as have the QC standards 
adopted by other standard setters.
---------------------------------------------------------------------------

    \449\ See discussion on the developments in firms' QC policies 
and procedures within the baseline discussion above.
    \450\ See, e.g., COSO, ISO 9000, and the audit firm governance 
codes of the UK Financial Reporting Council and Japan Financial 
Services Agency.
---------------------------------------------------------------------------

    The current PCAOB QC standards are based on the higher-level 
principles described above and do not directly address the developments 
described in the previous paragraph. While research suggests that PCAOB 
oversight is associated with higher audit quality,\451\ the current 
PCAOB QC standards were not written with a view to inspection and 
enforcement by a regulator. As a result, the current PCAOB QC standards 
yield a regulatory baseline that is not rigorous enough to sufficiently 
support the Board's ability to address audit performance deficiencies 
through PCAOB inspection and enforcement activities related to firms' 
QC systems. For example, some firms have added external parties to 
oversight roles as described above, but current PCAOB QC standards 
contain limited references to firm governance and leadership. At the 
same time, the current PCAOB QC standards do not provide sufficiently 
specific requirements to directly incentivize firms and individuals to 
establish and implement QC policies and procedures that achieve the 
reasonable assurance objective as evidenced by the prevalence of audit 
performance deficiencies.
---------------------------------------------------------------------------

    \451\ See, e.g., Albert L. Nagy, PCAOB Quality Control 
Inspection Reports and Auditor Reputation, 33 Auditing: A Journal of 
Practice & Theory 87 (2014) (concluding that audit firms lose market 
share following public disclosure of PCAOB Part II inspection 
findings, suggesting that disclosure provides a credible signal of 
auditor quality). The results from this study that suggests a 
positive association between PCAOB oversight and audit quality does 
not necessarily mean that PCAOB oversight causes higher audit 
quality.
---------------------------------------------------------------------------

4. Prevalence of Audit Performance Deficiencies
    The three proxies for the level of compliance with applicable 
professional standards discussed above--i.e., Part I.A deficiencies, QC 
deficiencies related to audit performance, and deficiencies arising 
during inspections of broker-dealer engagements--as well as the recent 
PCAOB enforcement actions discussed above suggest that some firms' QC 
systems are not providing reasonable assurance as required under 
current PCAOB QC standards.\452\ To be sure, this analysis of PCAOB 
inspection activities does suggest that some improvements in audit 
performance have followed from remedial changes firms have made to 
their QC systems \453\ and that some firms have already reduced the 
number of QC deficiencies related to management of their audit 
practice.\454\ However, the Board continues to observe high rates of 
audit performance deficiencies \455\ and believes that a new QC 
standard will address these audit performance deficiencies because the 
new standard will incentivize firms to design, implement, and operate 
effective QC systems.
---------------------------------------------------------------------------

    \452\ See Background discussion above for more discussion of 
current regulatory requirements.
    \453\ This point is discussed more fully in below.
    \454\ See Figure 5 above.
    \455\ See Figures 1 and 3 above.
---------------------------------------------------------------------------

5. How the Requirements Address the Need
    The requirements provide substantial additional direction to firms 
regarding the design, implementation, and operation of their QC systems 
that the Board believes address the need for standard-setting. Three 
overarching features of the requirements help address the problem. The 
first feature pertains to the mandate for a more integrated, proactive, 
and risk-based QC system. The second pertains to the enhancements to 
accountability within the firm to achieve the reasonable assurance 
objective. The third pertains to more precise language and more 
prescriptive requirements in several key areas.
    Regarding the first feature, the new risk assessment process, 
coupled with a detailed monitoring and remediation process, form a 
feedback loop designed to foster a proactive approach to QC that drives 
continuous improvement. For example, the risk assessment process 
requires the firm to obtain an understanding of the conditions, events, 
and activities that may adversely affect the achievement of its quality 
objectives; identify and assess quality risks; and then design and 
implement quality responses. The monitoring and remediation process 
will help the firm evaluate whether the QC system is working 
effectively in practice. This more proactive approach to QC should help 
address the positive externality problem in the audit market by leading 
firms to implement QC systems that more consistently satisfy the 
interests of all beneficiaries of the audit. Additionally, as discussed 
above, information asymmetry may cause investors and other financial 
statement users not to have sufficient information to understand 
whether their issuer's audit firm has an effective QC system that 
consistently produces high-quality audits, and investors and other 
financial statement users may not have a sufficient voice in the 
financial reporting ecosystem to be able to demand or incentivize audit 
firms to implement one. Requiring the auditor to implement a robust QC 
system substitutes a compliance incentive for the insufficient market 
incentive.
    Regarding the second feature, the Board believes QC 1000 will 
improve accountability within the firm to achieve the reasonable 
assurance objective. Several of the requirements that improve 
accountability within the firm address the positive externality

[[Page 49712]]

problem directly by leading firms to implement QC systems that more 
consistently satisfy the interests of all beneficiaries of the audit. 
For example, QC 1000 requires the firm to document and assign roles and 
responsibilities; communicate information related to the monitoring and 
remediation process to firm personnel to enable them to take timely 
action in accordance with their responsibilities; and establish a 
quality objective to incentivize individuals to fulfill their assigned 
responsibilities, through means such as performance evaluations and 
compensation. Leadership will also be accountable for the design, 
implementation, and operation of the firm's QC system, including 
through means such as their performance evaluation and compensation, 
and the firm will be required to establish a quality objective that 
leadership communicate and promote the firm's role in protecting the 
interests of investors and the public interest. The requirements that 
improve accountability within the firm will help address the 
information asymmetry problem by requiring the firm's QC system to 
operate over any public reporting regarding firm or engagement metrics 
that the firm provides.\456\ Overall, this second feature reinforces 
the first through an additional incentive that is personal to 
responsible individuals within the firm and reinforces the general 
incentives for the firm to comply with the standard.
---------------------------------------------------------------------------

    \456\ See PCAOB Rel. No. 2024-002 and PCAOB Rel. No. 2024-003.
---------------------------------------------------------------------------

    Regarding the third feature, while the requirements provide 
substantial additional guidance to firms regarding the design, 
implementation, and operation of their QC systems, QC 1000 also 
provides more precise and prescriptive requirements that will enhance 
the Board's ability to inspect and enforce and incentivize firms to 
design, implement, and operate effective QC systems. For example, QC 
1000 includes more unconditional responsibilities than current PCAOB QC 
standards and specifies precise conditions under which a firm must 
design, implement, and operate an effective QC system. Together with 
the features described above--i.e., a more integrated, proactive, and 
risk-based QC system and enhanced accountability within the firm to 
achieve the reasonable assurance objective--these features establish a 
regulatory baseline that more directly incentivizes firms and 
individuals to comply in order to avoid enforcement.

Economic Impacts

    This section discusses the expected benefits and costs, and the 
potential unintended consequences, that may result from the 
requirements. The expected impacts of several key provisions are 
highlighted. These provisions relate to:
     Scaled applicability;
     In-process monitoring activities;
     Firm governance structure;
     The automated independence process;
     Complaints and allegations policies and procedures;
     Reporting the annual QC system evaluation;
     Certification of the annual QC system evaluation;
     Responding to engagement deficiencies identified after 
issuance of the audit report; and
     SECPS requirements.
    While the analysis of economic impacts is largely qualitative in 
nature due to data limitations, the analysis does, in part, use PCAOB 
inspections data to help evaluate the expected benefits. Technical 
details regarding the quantitative analysis of the expected benefits 
are included in a separate staff white paper.\457\
---------------------------------------------------------------------------

    \457\ See PCAOB, Staff White Paper, The Impact of Quality 
Control System Remediation on Audit Performance and Financial 
Reporting Quality (Nov. 18, 2022), (``QC White Paper''), available 
at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/qc-staff-white-paper-november-2022.pdf?sfvrsn=ddb22504_4.
---------------------------------------------------------------------------

    The economic impacts of the requirements will arise out of changes 
firms will make to their QC systems that they would not otherwise make 
but for the requirements. As discussed above, the Board expects that, 
absent the requirements, many firms would continue to make changes to 
their QC systems in response to evolving audit market conditions, 
advances in technology, PCAOB oversight activity, internal monitoring, 
and the actions of other standard setters. This attenuates both the 
benefits and the costs attributable to the requirements.
1. Benefits
    The expected benefits of the requirements are described using four 
complementary views: (1) the benefits of quality management frameworks 
generally; (2) the direct benefits of the requirements in the form of 
improved compliance with applicable professional and legal 
requirements; (3) the indirect benefits of the requirements in the form 
of improved financial reporting quality and capital market efficiency; 
and (4) the benefits of key provisions.
a. Benefits of Related Frameworks
    QC 1000 bears resemblance to existing quality management and 
enterprise risk management frameworks (e.g., ISO 9000 and COSO). These 
frameworks share several features in common with QC 1000, including 
embedding risk in decision making, proactive involvement of leadership, 
clearly defined objectives, objective-oriented processes, monitoring, 
and remediation. Using a variety of proxies (e.g., market reaction), 
academic research has found that these frameworks improve company 
performance.\458\ In particular, researchers have found that the COSO 
framework--the closest antecedent to QC 1000--effectively improves 
financial reporting.\459\ Similarly, research finds that markets 
penalize public companies with weaker internal control systems and 
reward the remediation of those weaknesses.\460\ While differences 
between QC 1000 and existing frameworks as well as differences between 
audit firms and other companies may limit the relevance of this 
research to some extent, this research suggests that QC 1000 may help 
firms design, implement, and operate more effective QC systems.
---------------------------------------------------------------------------

    \458\ See, e.g., I[ntilde]aki Heras[hyphen]Saizarbitoria and 
Olivier Boiral, ISO 9001 and ISO 14001: Towards a Research Agenda on 
Management System Standards, 15 International Journal of Management 
Reviews 47 (2013); Robert E. Hoyt and Andre P. Liebenberg, The Value 
of Enterprise Risk Management, 78 Journal of Risk and Insurance 795 
(2011).
    \459\ See, e.g., Hanwen Chen, Wang Dong, Hongling Han, and Nan 
Zhou, A Comprehensive and Quantitative Internal Control Index: 
Construction, Validation, and Impact, 49 Review of Quantitative 
Finance and Accounting 337 (2017); Ifeoma Udeh, Observed 
Effectiveness of the COSO 2013 Framework, 16 Journal of Accounting & 
Organizational Change 31 (2020).
    \460\ See, e.g., Hollis Ashbaugh[hyphen]Skaife, Daniel W. 
Collins, William R. Kinney, Jr., and Ryan Lafond, The Effect of SOX 
Internal Control Deficiencies on Firm Risk and Cost of Equity, 47 
Journal of Accounting Research 1 (2009).
---------------------------------------------------------------------------

b. Improved Compliance With Applicable Professional and Legal 
Requirements
    The Board expects the requirements will benefit investors and other 
financial statement users by improving compliance with applicable 
professional and legal requirements via a more detailed QC standard. As 
described above, the requirements are expected to achieve this through 
three principal mechanisms. First, they explicitly connect the 
components of the QC system into an integrated cycle of risk 
assessment, performance monitoring, and remediation. Second, several of 
the new requirements will support the effectiveness of QC systems by

[[Page 49713]]

emphasizing accountability to the reasonable assurance objective. 
Third, more precise and prescriptive requirements will enhance the 
Board's ability to inspect and enforce. Broker-dealer engagements and 
issuer audits performed by firms other than U.S. GNFs may see more 
improvement because they appear to have more room for improvement on 
average. However, the recent uptick in deficiencies for U.S. GNFs 
suggests that QC 1000 will also be a valuable resource for these firms 
to address those deficiencies and, thus, further protect investors.
    Some commenters described how a risk-based QC standard would 
improve audit quality. However, one commenter argued that the 
requirements are too risk-based (e.g., they could result in too little 
change at the larger firms) and suggested an even stronger prescriptive 
approach to certain aspects of the standard (e.g., training and 
supervision). The Board believes the standard reflects a balanced 
approach that includes prescriptive requirements where appropriate.
    PCAOB staff analysis of PCAOB inspections data supports the view 
that more effective QC policies and procedures will lead to improved 
compliance with applicable professional and legal requirements. Staff 
examined the historical association between satisfactory remediation of 
QC deficiencies and subsequent Part I.A deficiencies for triennial 
firms. Satisfactory remediation of a QC deficiency reflects substantial 
good-faith progress toward achieving a quality control objective.\461\ 
As such, an association between historical satisfactory remediation 
efforts and a subsequent decrease in Part I.A deficiencies would 
suggest that more effective QC policies and procedures lead to improved 
compliance with applicable professional and legal requirements. After 
controlling for auditor and issuer characteristics that may also drive 
Part I.A deficiencies using standard statistical techniques, the staff 
analysis indicates that, on average, satisfactory remediation is 
associated with reduced likelihood of subsequent Part I.A deficiencies. 
This suggests that more effective QC policies and procedures may lead 
to improved compliance with applicable professional and legal 
requirements.\462\ One commenter reported observing that satisfactory 
remediation of QC deficiencies results in fewer audit failures and 
asserted that this was in line with certain key findings of the staff 
analysis.
---------------------------------------------------------------------------

    \461\ See Staff Guidance Concerning the Remediation Process 
(Nov. 18, 2013), available at https://pcaobus.org/Inspections/Pages/Remediation_Process.aspx.
    \462\ For additional details, including definitions of all 
control variables, see QC White Paper.
---------------------------------------------------------------------------

    The staff analysis is subject to several important caveats. First, 
remedial actions typically target specific aspects of a firm's QC 
system. By contrast, implementation of QC 1000 may require a broader 
set of changes. Second, due to the transformational nature of QC 1000, 
the changes firms will make to their QC systems could be substantially 
different from firms' historical satisfactory remedial actions. Third, 
U.S. GNFs were intentionally excluded from the analysis, potentially 
limiting its applicability to the U.S. GNFs. However, though 
association does not imply causation, the historical association 
between the number of QC deficiencies related to U.S. GNFs' management 
of their audit practice \463\ and U.S. GNFs' compliance with applicable 
professional standards \464\ suggests that, even among the U.S. GNFs, 
more effective QC systems could lead to improved compliance with 
applicable professional and legal requirements.\465\ Overall, the Board 
expects the association between satisfactory remediation and subsequent 
Part I.A deficiencies among triennial firms more likely understates the 
impact of QC 1000 due to its transformational nature.
---------------------------------------------------------------------------

    \463\ See Figure 5 above.
    \464\ See Figures 1 and 3 above.
    \465\ Several nuances of smaller firms' QC systems and the PCAOB 
inspections process may explain the absence of such an association 
for these firms. First, although there is a downward trend in QC 
deficiencies related to management of the audit practice (Figure 5 
above), smaller firms' QC systems may be deficient in certain 
important respects that render them less effective overall. Second, 
the roughly increasing trend in QC deficiencies related to audit 
performance for the smallest firms (Figure 3 above) may be driven in 
part by deficiencies in the application of new auditing requirements 
by these firms. Third, the inspection approach to QC assessments for 
the smaller firms is simplified and does not lend itself to such a 
correlation analysis.
---------------------------------------------------------------------------

    Observations from PCAOB inspections and academic research also 
suggest that the requirements may improve compliance with applicable 
professional and legal requirements. PCAOB inspectors have observed 
that root cause analyses, effective design and implementation of 
remedial actions, and appropriate governance practices related to 
leadership's tone can drive audit quality,\466\ and one academic study 
reports that, as perceptions of the strength of the QC system increase, 
the likelihood of ``reduced audit quality behaviors'' decreases.\467\ 
These findings likewise support the view that the requirements, which 
place greater emphasis on root cause analysis, remediation, and 
governance practices, if successfully implemented, will lead to 
improved compliance with applicable professional and legal 
requirements.
---------------------------------------------------------------------------

    \466\ See, e.g., 2018 Inspection Observations Preview
    \467\ See, e.g., Charles F. Malone and Robin W. Roberts, Factors 
Associated with the Incidence of Reduced Audit Quality Behaviors, 15 
Auditing: A Journal of Practice & Theory 49 (1996).
---------------------------------------------------------------------------

c. Improved Financial Reporting Quality and Capital Market efficiency
    Academic research provides evidence that compliance with auditing 
standards is positively associated with proxies for financial reporting 
quality.\468\ Research also finds a positive association between firms' 
successful remediation of QC deficiencies--a proxy for adopting 
effective QC system practices--and the financial reporting quality of 
their issuer clients.\469\ PCAOB staff analysis also provides some 
evidence that successful remediation may be associated with improved 
financial reporting quality.\470\ The fact that the results from each 
of these studies that suggest a positive association with financial 
reporting quality does not necessarily mean that auditing standards or 
remediation of deficiencies cause better financial reporting quality.
---------------------------------------------------------------------------

    \468\ See, e.g., Daniel Aobdia, Do Practitioner Assessments 
Agree with Academic Proxies for Audit Quality? Evidence from PCAOB 
and Internal Inspections, 67 Journal of Accounting and Economics 144 
(2019); Katherine A. Gunny and Tracey Chunqi Zhang, PCAOB Inspection 
Reports and Audit Quality, 32 Journal of Accounting and Public 
Policy 136 (2013).
    \469\ See, e.g., Aobdia, The Economic Consequences 2883.
    \470\ See QC White Paper.
---------------------------------------------------------------------------

    Investors and other financial statement users may benefit from 
improved issuer financial reporting quality because it helps solve 
information asymmetries and agency problems inherent to capital 
markets. Economic theory suggests that investors face a separation-of-
ownership-and-control problem whereby issuer management may 
misappropriate investors' capital.\471\ Relevant and accurate financial 
reporting can alleviate these problems by providing investors and other 
financial statement users with more accurate information regarding the 
financial position and operating results of companies. Investors may 
use this information to improve the efficiency of their capital

[[Page 49714]]

allocation decisions (e.g., investors may more accurately identify 
companies with the strongest prospects for generating future risk-
adjusted returns and allocate their capital accordingly). Investors may 
also perceive less risk in capital markets generally, leading to an 
increase in the supply of capital. An increase in the supply of capital 
could increase capital formation while also reducing the cost of 
capital to companies.\472\ While some uncertainty remains regarding the 
economic impacts of financial reporting,\473\ empirical academic 
research has affirmed this basic premise under certain conditions.\474\ 
Moreover, some studies have identified a direct association between 
auditors' compliance with PCAOB standards and capital market 
efficiency.\475\
---------------------------------------------------------------------------

    \471\ See, e.g., Michael C. Jensen and William H. Meckling, 
Theory of the Firm: Managerial Behavior, Agency Costs and Ownership 
Structure, 3 Journal of Financial Economics 305 (1976); Adolf 
Augustus Berle and Gardiner Coit Means, The Modern Corporation and 
Private Property (1991).
    \472\ See, e.g., Richard Lambert, Christian Leuz, and Robert E. 
Verrecchia, Accounting Information, Disclosure, and the Cost of 
Capital, 45 Journal of Accounting Research 385, 387 (2007) 
(discussing how increasing the quality of mandated disclosures 
should in general move the cost of capital to the risk-free rate for 
all firms in the economy); William Robert Scott and Patricia C. 
O'Brien, Financial Accounting Theory (2003), 412 (explaining that 
regulation is intended to improve the operation of capital markets 
by enhancing public confidence in their fairness).
    \473\ See, e.g., Christian Leuz and Peter D. Wysocki, The 
Economics of Disclosure and Financial Reporting Regulation: Evidence 
and Suggestions for Future Research, 54 Journal of Accounting 
Research 525 (2016) (explaining the relative rarity of evidence on 
causal effects of disclosure and reporting regulation); Matthias 
Breuer, Christian Leuz, and Steven Vanhaverbeke, Mandated Financial 
Reporting and Corporate Innovation, No. w26291. National Bureau of 
Economic Research (2020), at 41 (reporting evidence consistent with 
the notion that mandatory reporting deters firms' incentives to 
innovate and generate proprietary know-how because of concerns about 
the loss of proprietary information).
    \474\ See, e.g., Christian Leuz and Robert E. Verrecchia, The 
Economic Consequences of Increased Disclosure, 38 Journal of 
Accounting Research 91 (2000) (finding that German companies that 
elect to commit to International Accounting Standards or U.S. GAAP 
exhibit lower percentage bid-ask spreads and higher share turnover 
than firms using German GAAP); Utpal Bhattacharya, Hazem Daouk, and 
Michael Welker, The World Price of Earnings Opacity, 78 The 
Accounting Review 641 (2003) (finding that an increase in overall 
earnings opacity in a country is linked to an economically 
significant increase in the cost of equity and an economically 
significant decrease in trading in the stock market of that country 
based on financial statements from 34 countries for the period 1984-
1998). Because U.S. institutions differ from other countries and the 
studies pre-date Sarbanes-Oxley, the results may not be directly 
relevant to all PCAOB-registered firms.
    \475\ See, e.g., Nemit Shroff, Real Effects of PCAOB 
International Inspections, 95 The Accounting Review 399 (2020).
---------------------------------------------------------------------------

    The requirements may also lead to improved compliance with 
applicable professional and legal requirements on broker-dealer audit 
engagements and, in turn, improved financial reporting quality and 
investor protection. An auditor's work on these engagements, if 
appropriately performed, should make it more likely that a broker-
dealer will maintain appropriate controls over compliance and less 
likely that there will be material reporting errors. The auditor's work 
also has the potential to make it more difficult for broker-dealers to 
engage in fraud and other misconduct. Improved broker-dealer financial 
reporting quality also gives industry overseers, such as the SEC and 
FINRA, as well as other users of broker-dealer financial information, 
such as the Securities Investor Protection Corporation, more accurate 
information relevant to a broker-dealer's financial condition, its 
ability to continue as a going concern, and its handling of customer 
securities and cash. This, in turn, enhances the ability of these 
organizations to carry out their responsibilities in ways that protect 
investors. Compliance with applicable professional and legal 
requirements may also contribute to the early identification or 
prevention of broker-dealer failures. Failures of large broker-dealers 
can have a negative impact on the stability and liquidity of financial 
markets, and failures caused by misconduct may damage investor 
confidence. A reduction in such failures could help improve the 
strength and safety of the financial system.
d. Benefits of Key Provisions
i. Scaled Applicability
    QC 1000 will require that a firm implement and operate an effective 
QC system at all times when the firm is required to comply with 
applicable professional and legal requirements with respect to any of 
the firm's engagements, and thereafter through the next September 
30.\476\ The discussion above provides further information on this 
provision. As of June 30, 2023, up to 60% of firms may not meet this 
criterion but will be required to design a QC system in compliance with 
QC 1000.\477\ Because registering with the PCAOB enables a firm to 
issue audit reports or play a substantial role on audits performed 
under PCAOB standards for issuers and broker-dealers, and because 
investors and companies considering engaging the firm could reasonably 
expect that any firm that could pursue such an engagement would already 
have a PCAOB-compliant QC system designed and ready for implementation 
and operation, the Board believes that imposing a design requirement on 
all registered firms promotes its mission of protecting investors and 
promoting the public interest. The Board also believes that designing 
the QC system will better position these firms to accept and perform 
engagements in compliance with applicable professional and legal 
requirements to the extent that the firm will have a PCAOB-compliant QC 
system ready for implementation and operation.
---------------------------------------------------------------------------

    \476\ See QC 1000.07.
    \477\ The 60% reported here is based on Form 2 reporting as of 
June 30, 2023, and reflects registered firms that reported they had 
not issued an audit report for an audit of an issuer or broker-
dealer or played a substantial role in such an engagement during the 
preceding 12 months. As noted above, approximately 51% of firms have 
not performed an engagement under PCAOB standards for an issuer or 
broker-dealer in the past five years. The PCAOB does not collect 
information about whether registered firms perform engagements under 
PCAOB standards other than for issuers and broker-dealers. Firms may 
be engaged, for example, in connection with the audit of a reporting 
company that does not meet the Sarbanes-Oxley definition of 
``issuer'' described in footnote 2 above, in connection with certain 
offerings of securities that are exempt from registration under the 
Securities Act (e.g., offerings under Regulation A, Regulation D, or 
Regulation Crowdfunding), pursuant to a contractual obligation such 
as a loan covenant, or on an entirely voluntary basis.
---------------------------------------------------------------------------

ii. In-Process Monitoring Activities
    QC 1000 will require firms that issued audit reports with respect 
to more than 100 issuers during the prior calendar year to monitor in-
process engagements and will require all other firms to consider 
monitoring in-process engagements.\478\ The discussion above provides 
further information on this provision. Monitoring in-process 
engagements can help firms detect and prevent engagement deficiencies 
before the engagement report is issued, resulting in a more proactive 
and preventive monitoring approach that has the potential to benefit 
investors through improved audit quality. The benefits will depend on 
the extent to which firms already have in-process monitoring activities 
in place. Information gathered through PCAOB inspection activities 
indicates that 11 out of 14 annually inspected firms perform some in-
process engagement monitoring activities.
---------------------------------------------------------------------------

    \478\ See QC 1000.63.
---------------------------------------------------------------------------

iii. Firm Governance Structure
    QC 1000 will require firms that issued audit reports with respect 
to more than 100 issuers during the prior calendar year to incorporate 
into their governance structure an external oversight function for the 
QC system composed of one or more persons who are not principals or 
employees of the firm and do not otherwise have a commercial, familial, 
or other relationship with the firm that would interfere with the 
exercise of

[[Page 49715]]

independent judgment with regard to matters related to the QC system 
(i.e., EQCF).\479\ The final standard specifies a baseline requirement 
that the EQCF's responsibilities should include, at a minimum, 
evaluating the significant judgments made and the related conclusions 
reached by the firm when evaluating and reporting on the effectiveness 
of its QC system. The discussion above provides further information on 
this provision. Such an oversight function could reduce negative 
impacts of commercial considerations on decision making by firms about 
their QC system and thereby improve incentives to implement QC systems 
that more fully meet the interests of investors and other financial 
statement users. Some academic research finds that the level of board 
of directors independence is associated with certain benefits, such as 
improved operating performance and company value, which implies 
independent oversight in a firm`s governance structure could 
potentially improve the quality of audit services provided by the 
firm.\480\
---------------------------------------------------------------------------

    \479\ See QC 1000.28.
    \480\ See, e.g., Anzhela Knyazeva, Diana Knyazeva, and Ronald W. 
Masulis, The Supply of Corporate Directors and Board Independence, 
26 The Review of Financial Studies 1561 (2013). Other academic 
research indicates that a tradeoff of more independent board of 
directors may be less efficient monitoring by directors. See, e.g., 
Praveen Kumar and K. Sivaramakrishnan, Who Monitors the Monitor? The 
Effect of Board Independence on Executive Compensation and Firm 
Value, 21 The Review of Financial Studies 1371 (2008).
---------------------------------------------------------------------------

iv. The Automated Independence Process
    QC 1000 will require firms that issued audit reports with respect 
to more than 100 issuers during the prior calendar year to automate the 
process to identify investments in securities that might impair the 
independence of the firm or firm personnel that are managerial 
employees or partners, shareholders, members, or other principals.\481\ 
The discussion above provides further information on this provision. 
Automating this process should help firms more effectively and 
efficiently identify such investments. The automated process could also 
indirectly improve compliance with other relevant independence 
requirements. For example, automating this process may lead firms to 
maintain and make available the list of restricted entities more 
efficiently and effectively.
---------------------------------------------------------------------------

    \481\ See QC 1000.34a.
---------------------------------------------------------------------------

v. Complaints and Allegations Policies and Procedures
    QC 1000 will require firms to design, implement, and maintain 
policies and procedures that address processes and responsibilities for 
receiving, investigating, and addressing complaints and allegations and 
include protecting persons making complaints and allegations from 
retaliation.\482\ Firms that issued audit reports with respect to more 
than 100 issuers during the prior calendar year will be required to 
include confidentiality protections in their policies and procedures. 
The discussion above provides further information on this provision. 
Overall, the Board expects the policies and procedure regarding 
complaints and allegations will help reduce information asymmetry 
within the firm by alerting responsible individuals to instances of 
non-compliance of which they may otherwise be unaware. Some academic 
research suggests that the complaints and allegations provisions will 
increase the likelihood that individuals will submit complaints and 
allegations related to potential non-compliance. For example, one 
survey of public company auditors finds that (1) greater protection of 
individual identity and (2) trust that the firm would investigate and 
act on a report are both positively associated with intention to report 
non-compliance with auditing standards.\483\ A survey of accounting 
students finds that a weaker threat of retaliation is positively 
associated with the propensity to submit a complaint.\484\ The Board 
acknowledges that some experimental research finds that explicit 
protections may unintentionally deter internal complaints and 
allegations because the protections signal to potential persons making 
complaints that retaliation is a risk.\485\ However, overall, the Board 
expects the complaints and allegations provisions will benefit 
investors by reducing non-compliance with auditing standards and, thus, 
improving audit quality.
---------------------------------------------------------------------------

    \482\ See QC 1000.29.
    \483\ See Mary B. Curtis and Eileen Z. Taylor, Whistleblowing in 
Public Accounting: Influence of Identity Disclosure, Situational 
Context, and Personal Characteristics, 9 Accounting and the Public 
Interest 191 (2009).
    \484\ See Gregory Liyanarachchi and Chris Newdick, The Impact of 
Moral Reasoning and Retaliation on Whistle-Blowing, 89 Journal of 
Business Ethics 37 (2009).
    \485\ See James Wainberg and Stephen Perreault, Whistleblowing 
in Audit Firms: Do Explicit Protections from Retaliation Activate 
Implicit Threats of Reprisal?, 28 Behavioral Research in Accounting 
83 (2016).
---------------------------------------------------------------------------

vi. Reporting the Annual QC System Evaluation
    QC 1000 will require firms to report to the PCAOB about the annual 
evaluation of their QC system.\486\ The discussion above provides 
further information on this provision. This requirement will help the 
Board obtain more timely, structured, and consistent information 
regarding the effectiveness of firms' QC systems relative to what could 
be gathered through the inspections process, especially for the 
triennial firms. The Board will use this information to support its 
oversight activities (e.g., to select firms, audits, or focus areas for 
review). Reporting to the PCAOB will also improve incentives within a 
firm to design, implement, and operate an effective QC system.
---------------------------------------------------------------------------

    \486\ See QC 1000.79.
---------------------------------------------------------------------------

vii. Certification of the Annual QC System Evaluation
    QC 1000 will require certain individuals in firms' leadership to 
certify the annual evaluation of their firm's QC system.\487\ The 
discussion above provides further information on this provision. This 
requirement will help address the positive externality problem in the 
audit market by creating greater accountability within firm leadership 
to implement an effective QC system. As noted in the proposal, PCAOB 
staff reviewed academic literature on the impacts of CEO and CFO 
certification requirements in the U.S. and engagement partner signature 
requirements in the United Kingdom and found both supportive and 
unsupportive findings.\488\ One commenter noted academic research that 
has found there is little, if any, effect of CEO and CFO certifications

[[Page 49716]]

required under Sarbanes-Oxley.\489\ Citing academic literature on 
accountability frameworks, the same commenter noted that imposition of 
accountability is largely positive \490\ but that the increased 
accountability that would result from the certification requirement 
could have negative consequences.\491\ As discussed below, the Board 
acknowledges that increased accountability could lead to potential 
unintended consequences. However, the Board continues to believe that 
the certification requirement will benefit investors by increasing 
discipline in the evaluation process and reinforcing the accountability 
of the certifying individuals.
---------------------------------------------------------------------------

    \487\ See QC 1000.14d. and .15b.
    \488\ See, e.g., Daniel A. Cohen, Aiyesha Dey, and Thomas Z. 
Lys, Corporate Governance Reform and Executive Incentive: 
Implications for Investments and Risk Taking, 30 Contemporary 
Accounting Research 1298 (2013) (finding that their sample of firms 
significantly reduced investments in risky projects in the period 
following SOX); Hsihui Chang, Jengfang Chen, Woody M. Liao, and 
Birendra K. Mishra, CEOs'/CFOs' Swearing by the Numbers: Does it 
Impact Share Price of the Firm?, 81 The Accounting Review 1, 22 
(2006) (concluding that the SEC order requiring filing of sworn 
statements by CEOs and CFOs had a positive effect on the market 
value of certifying firms); Jeffrey R. Cohen, Colleen Hayes, Ganesh 
Krishnamoorthy, Gary S. Monroe, and Arnold M. Wright, The 
Effectiveness of SOX Regulation: An Interview Study of Corporate 
Directors, 25 Behavioral Research in Accounting 61 (2013) 
(discussing that CEO certification was viewed as having led to 
heightened ownership and diligence on the part of decision agents 
throughout the financial reporting decision hierarchy but was also 
identified as a source of the costly resource-intensive reaction to 
Sarbanes-Oxley).
    \489\ See, e.g., Paul A. Griffin and David H. Lont, Taking the 
Oath: Investor Response to SEC Certification Under Sarbanes-Oxley, 1 
Journal of Contemporary Accounting & Economics 27 (2005); Gerald J. 
Lobo and Jian Zhou, Did Conservatism in Financial Reporting Increase 
after the Sarbanes-Oxley Act? Initial Evidence, 20 Accounting 
Horizons 57 (2006); Utpal Bhattacharya, Peter Groznik, and Bruce 
Haslem, Is CEO Certification of Earnings Numbers Value-Relevant?, 14 
Journal of Empirical Finance 611 (2007).
    \490\ See, e.g., Andrew Quinn and Barry R. Schlenker, Can 
Accountability Produce Independence? Goals as Determinants of the 
Impact of Accountability on Conformity, 28 Personality and Social 
Psychology Bulletin 472 (2002); Virginia R. Stewart, Deirdre G. 
Snyder, and Chia-Yu Kou, We Hold Ourselves Accountable: A Relational 
View of Team Accountability, 183 Journal of Business Ethics 691 
(2023); Angela T. Hall, Michael G. Bowen, Gerald R. Ferris, M. Todd 
Royle, Dale E. Fitzgibbons, The Accountability Lens: A New Way to 
View Management Issues, 50 Business Horizons 405 (2007); Marko 
Pitesa and Stefan Thau, Masters of the Universe: How Power and 
Accountability Influence Self-Serving Decisions under Moral Hazard, 
98 Journal of Applied Psychology 550 (2013); Constantine Sedikides, 
Deletha Hardin, Kenneth Herbst, and Gregory Dardis, Accountability 
as a Deterrent to Self-Enhancement: The Search for Mechanisms, 83 
Journal of Personality & Social Psychology 592 (2002).
    \491\ See, e.g., Jennifer J. Dose and Richard J. Klimoski, Doing 
the Right Thing in the Workplace: Responsibility in the Face of 
Accountability, 8 Employee Responsibilities & Rights Journal 35 
(1995); Jennifer S. Lerner and Philip E. Tetlock, Accounting for the 
Effects of Accountability, 125 Psychological Bulletin 255 (1999); 
Randall A. Gordon, Richard M. Rozelle, and James C. Baxter, The 
Effect of Applicant Age, Job Level, and Accountability on 
Perceptions of Female Job Applicants, 123 Journal of Psychology 59 
(1989); Philip E. Tetlock, The Impact of Accountability on Judgment 
and Choice: Toward a Social Contingency Model, 25 Advances in 
Experimental Social Psychology 331 (1992); Angela T. Hall, Dwight D. 
Frink, and M. Ronald Buckley, An Accountability Account: A Review 
and Synthesis of the Theoretical and Empirical Research on Felt 
Accountability, 38 Journal of Organizational Behavior 204 (2017); 
Sheldon Adelberg and Daniel C. Batson, Accountability and Helping: 
When Needs Exceed Resources, 36 Journal of Personality and Social 
Psychology 343 (1978); Mark E. Peecher, Ira Solomon, and Ken T. 
Trotman, An Accountability Framework for Financial Statement 
Auditors and Related Research Questions, 38 Accounting, 
Organizations and Society 596 (2013); Angela T. Hall, M. Todd Royle, 
Robert A. Brymer, Pamela L. Perrew[eacute], Gerald R. Ferris and 
Wayne A. Hochwarter, Relationships Between Felt Accountability as a 
Stresser and Strain Reaction: The Neutralizing Role of Autonomy 
Across Two Studies, 11 Journal of Occupational Health Psychology 87 
(2006).
---------------------------------------------------------------------------

viii. Responding to Engagement Deficiencies Identified After Issuance 
of the Audit Report
    The amendments to AS 2901, Consideration of Omitted Procedures 
After the Report Date, include: (1) addressing engagement deficiencies 
in addition to omitted procedures and (2) including the ICFR audit 
within its scope. Relatedly, the amendments to AT No. 1 and AT No. 2 
mirror the amendments to AS 2901. The discussion above provides further 
information on this provision. The Board expects these amendments will 
lead auditors to perform additional procedures to obtain sufficient 
appropriate evidence or take additional action to prevent future 
reliance on insufficiently supported audit opinions (or review reports 
in the case of review engagements) that are being relied on. In such 
cases, PCAOB standards will require firms to advise their client to 
make appropriate disclosure of the newly discovered facts and their 
impact on the financial statements (or examination or review reports in 
the case of attestation engagements) to persons who are known to be 
currently relying or who are likely to rely on the financial statements 
and the related auditor's report (or review report in the case of a 
review engagement). Academic research on ICFR suggests that such 
disclosures will be valuable to capital market participants with 
improvements in company performance and financial reporting.\492\
---------------------------------------------------------------------------

    \492\ See discussion on economic impacts above and the research 
cited therein.
---------------------------------------------------------------------------

ix. SECPS Requirements
    The requirements will refine, integrate into QC 1000, and extend to 
all firms the SECPS member requirements currently required under PCAOB 
Rule 3400T. Based on current registration data, approximately 13% of 
PCAOB-registered firms are already subject to these requirements under 
PCAOB Rule 3400T. The discussion above provides an overview of these 
requirements. The Board expects that this feature of the rulemaking 
will benefit investors by enhancing audit quality through improved 
compliance with SEC and PCAOB independence rules on engagements 
performed by firms not already subject to these requirements under 
PCAOB Rule 3400T.
2. Costs
    The Board expects the requirements will result in additional direct 
and indirect costs to auditors and, potentially, indirect costs to the 
companies that they audit. The extent of these costs will depend on the 
degree to which firms otherwise have QC systems in place designed to 
comply with other QC standards and the specific policies and procedures 
adopted by the firm. The information presented above suggests that U.S. 
GNFs commit hundreds of partner and non-partner FTEs to their QC 
systems, including, individually, each of the major QC system 
components specified in ISQM 1. Resources are particularly utilized in 
the areas of independence, ethics, and resources. As discussed above, 
the Board believes most firms are subject to other QC standards. In 
designing, implementing, and operating their QC systems, firms that are 
subject to both PCAOB standards and other QC standards can leverage the 
investments they make to comply with the requirements of the other 
standards. Therefore, the Board expects that a portion of the overall 
costs of designing, implementing, and operating policies and procedures 
to comply with QC 1000 have been or will be incurred by most firms 
regardless of whether QC 1000 is adopted. As a consequence, for most 
firms, the Board expects the costs discussed below will derive 
primarily from the provisions in QC 1000 that go beyond the 
requirements of other QC standards.
    Several commenters noted there will be costs and challenges to 
implement and operate features of QC 1000 that are incremental to the 
systems firms have established to comply with other QC standards. One 
commenter said that the need to accommodate nuances among different 
standards results in firms maintaining different methodologies, 
practices, and procedures that puts pressure on limited firm resources. 
Several commenters asserted that firms that audit between 100 and 500 
issuers will be significantly impacted by costs associated with some or 
all of QC 1000's incremental requirements for firms that issue audit 
reports for more than 100 issuers, and some of the commenters noted 
resource differences between GNFs and annually inspected NAFs. Since QC 
systems are resource-intensive, the efforts required to respond to the 
additional provisions in QC 1000 or to otherwise adapt the QC system to 
the auditing environment for issuers and SEC-registered broker-dealers 
could be significant.

[[Page 49717]]

    While the PCAOB lacks data to quantify the costs that could result 
from QC 1000, some studies have estimated costs associated with ICFR 
under Sarbanes-Oxley section 404.\493\ The Board acknowledges 
differences between section 404 and QC 1000, but section 404 is similar 
to QC 1000 in that section 404 was a policy shock that led large public 
companies to improve their internal control practices. In addition, 
while QC 1000 is not an internal control framework per se, it does 
reflect similar principles as COSO, the industry standard control 
framework that was widely relied upon to implement section 404. One 
commenter observed that the requirements under QC 1000 are similar in 
certain ways to the requirements related to ICFR under Sarbanes-Oxley 
for companies and suggested that the impacts of QC 1000 on auditors 
will be similar to the impact Sarbanes-Oxley had on companies 
notwithstanding key differences between a company's ICFR and an audit 
firm's QC system.
---------------------------------------------------------------------------

    \493\ Based on a sample of companies that voluntarily disclosed 
Section 404 cost information in their SEC filings during the period 
Jan. 2003 to Sept. 2005, one study found that the mean total 
compliance costs for Section 404 was $2.2 million ($3.7 million 
adjusted for inflation), and the median was $1.2 million ($2.0 
million adjusted for inflation). See Jagan Krishnan, Dasaratha Rama, 
and Yinghong Zhang, Costs to Comply with SOX Section 404, 27 
Auditing: A Journal of Practice & Theory 169 (2008). Using a sample 
of Fortune 1000 companies, another study estimated the companies 
spent an average of $5.9 million ($9.6 million adjusted for 
inflation) to comply with Section 404 in the first year of 
implementation. See Charles River Associates, Sarbanes-Oxley 404 
Costs and Remediation of Deficiencies: Estimates from a Sample of 
Fortune 1000 Companies (2005). Another study found that direct costs 
of Section 404 fell by as much as 40% by the second year after 
implementation and varied significantly by company size. See John C. 
Coates IV, The Goals and Promise of the Sarbanes-Oxley Act, 21 
Journal of Economic Perspectives 91 (2007). Another study reported 
an SEC survey sample that showed an overall average Section 404 
compliance expense of $1.2 million ($1.7 million adjusted for 
inflation) in the latest fiscal year before the survey (Dec. 2008 to 
Jan. 2009) and respondents reported a decline over time in such 
costs. See Cindy R. Alexander, Scott W. Bauguess, Gennaro Bernile, 
Yoon-Ho Alex Lee, and Jennifer Marietta-Westberg, Economic Effects 
of SOX Section 404 Compliance: A Corporate Insider Perspective, 56 
Journal of Accounting and Economics 273 (2013). To adjust results 
from the studies for inflation, PCAOB staff used an inflationary 
factor as of the third quarter 2023 from the current dollar index 
number of the Employment Cost Index for private workers employed in 
the professional, scientific, and technical services industry 
published by the U.S. Bureau of Labor Statistics (available at 
https://www.bls.gov/eci/data.htm). This inflationary adjustment does 
not account for any potential differences between QC 1000 costs and 
Section 404 costs or any potential structural changes over time.
---------------------------------------------------------------------------

a. Direct and Indirect Costs of the Proposed Requirements
    The Board expects the requirements will lead to several direct and 
indirect costs. There will be a direct cost to audit firms to design a 
QC system that complies with QC 1000. For example, firms will likely 
spend time reviewing QC 1000; assigning roles and responsibilities; 
identifying staffing and training needs; and developing a set of 
quality objectives, quality risks, and quality responses. Once a QC 
system is designed, firms will incur costs to monitor, identify, and 
assess changes to conditions, events, and activities that indicate 
modifications to the firm's quality objectives, quality risks, or 
quality responses may be needed. Some firms may outsource certain 
aspects of QC system design. The Board also expects that customization 
will be necessary to ensure that each QC system design appropriately 
addresses each firm's circumstances. The extent of the design costs 
will likely depend on facts and circumstances unique to each firm. 
Among firms that will be subject to other QC standards, which the Board 
believes represents most firms, the design costs will likely be reduced 
and limited to incremental requirements around ethics, independence, 
monitoring, and remediation.
    For full applicability firms--those that will be required to 
implement and operate an effective QC system--there will likely be 
additional costs. Firms may need to implement fixed resources (e.g., 
people, financial, technological, or intellectual) prior to operating 
their QC system. For example, a firm may need to invest in an IT system 
or train individuals having QC roles or responsibilities. Several 
commenters identified significant implementation costs and called for 
an extended implementation period due to these costs. Describing the 
results of its recent survey of assurance service QC leaders, one 
commenter reported that obtaining ``buy in'' and acceptance from 
organizational members is the most common challenge firms face when 
implementing changes to their QC systems.\494\ As discussed, the Board 
agrees there will be implementation costs; however, these 
implementation costs will be reduced to the extent that firms already 
implement the requirements to comply with the actions of other standard 
setters or due to other developments. Furthermore, the Board expects 
the design and implementation costs will be largely fixed in nature and 
will decline over time.
---------------------------------------------------------------------------

    \494\ See Hayne, et al., Managing Quality Control Systems.
---------------------------------------------------------------------------

    Firms may also incur new operating costs, at the firm level and the 
engagement level. At the firm level, firms may require additional 
resources to administer new or revised quality responses after they are 
implemented, execute the annual risk assessment, perform the annual 
evaluation of the QC system, report the results of the evaluation to 
the PCAOB using the same PCAOB platform as the other reporting forms, 
and prepare and retain the required documentation. Several commenters 
identified significant operating costs. For example, one commenter 
argued that the proposed independent oversight function could entail 
insurance costs. At the engagement level, engagement team time may be 
required to execute new or revised quality responses. For example, an 
engagement team may carry out procedures regarding continuance of the 
firm's relationship with the client served by that engagement team. 
These operating costs will be reduced for firms that would be subject 
to other standard setters or other developments.
    Several commenters asserted that the documentation costs, as 
originally proposed, could be particularly onerous. For example, 
several commenters asserted that firms would be required to retain 
large volumes of documentation to support the operation of the firm's 
quality responses for each instance related to all years for which 
firms are required to maintain such documentation. One commenter noted 
that information evidencing the operation of a firm's QC system can 
vary in size, type, and storage requirements and that the costs of 
modifying the firm's existing IT systems to comply with the 
documentation requirement could be significant. Some commenters noted 
that the amount of documentation to be retained is expected to require 
considerably more storage space for each evaluation period, which the 
commenters suggested translates to a need for new servers and extended 
licensing agreements. One commenter said that firms that change their 
systems will have to maintain licenses for old systems for up to seven 
years. The same commenter said the seven-year retention period goes 
well beyond the retention requirements of ISQM 1 and SQMS 1 and 
asserted that firms with a significant private company client base 
would be challenged to have different documentation retention policies 
since many aspects of quality control relate to the firm as a whole. 
Some commenters suggested that retaining sensitive information 
introduces heightened

[[Page 49718]]

cybersecurity risks for firms, firm personnel, clients, and other 
stakeholders. The Board acknowledges that the documentation requirement 
could create costs for firms, including costs related to retention and 
cybersecurity infrastructure. To clarify the expected cost burden, the 
discussion above notes that documentation of every aspect of the 
operation of the firm's QC system may not be required to evidence that 
each quality response operated effectively.
    Several commenters asserted that smaller firms may be especially 
affected by the new QC requirements, including requirements incremental 
or alternative to ISQM 1 and SQMS 1. One commenter said that smaller 
firms will need to hire consultants or additional staff for the 
monitoring, remediation, and evaluation functions, notwithstanding the 
scalability of QC 1000. Another commenter asserted that QC 1000 will 
impose disproportionate costs on smaller firms but noted that the 
commenter did not analyze in detail the cost of each incremental 
requirement and therefore did not have an estimate of the 
disproportionate costs. Relatedly, research finds that implementation 
and operating costs of internal control frameworks precipitated by 
Sarbanes-Oxley are proportionally greater for smaller companies.\495\
---------------------------------------------------------------------------

    \495\ See, e.g., John C. Coates and Suraj Srinivasan, SOX after 
Ten Years: A Multidisciplinary Review, 28 Accounting Horizons 627 
(2014).
---------------------------------------------------------------------------

    The Board acknowledges that the direct costs will likely vary 
depending on the size of the firm and the nature of its audit practice. 
Larger PCAOB audit practices that already have extensive QC systems in 
place may benefit from economies of scale or scope when incorporating 
the new requirements into their existing systems, which would decrease 
the cost of QC 1000 per engagement. Larger PCAOB audit practices will 
be able to distribute fixed implementation costs over a larger number 
of engagements, while smaller practices will distribute fixed 
implementation costs over a smaller number of engagements. On the other 
hand, it may also be difficult for firms with more complex clients and 
diverse client portfolios--characteristics of larger PCAOB audit 
practices--to implement effective QC systems. To the extent that 
smaller firms may be disproportionately impacted as commenters have 
suggested, the Board continues to believe that the principles-based 
features and scalable nature of QC 1000, described in greater detail 
above, as well as the 100-issuer threshold for some provisions, help to 
mitigate their costs because smaller firms will rely on proportionally 
fewer resources for design, implementation, and operation of their QC 
systems.
    In addition to the direct costs to auditors to comply with the 
requirements, indirect costs may arise. To the extent that compliance 
with the requirements will improve compliance with applicable 
professional and legal requirements at the engagement level, costs may 
increase for the affected engagements. For example, in bringing their 
work into compliance with PCAOB auditing standards, some engagement 
teams may gather additional or more persuasive audit evidence and 
prepare more documentation than they previously did. However, firms 
should be incurring these costs already.
    Audited companies may also incur indirect costs related to the 
requirements. For example, some commenters asserted that the 100-issuer 
threshold could deter triennially inspected firms from accepting new 
public company audit engagements or encourage firms to resign from 
existing audit engagements to avoid crossing the 100-issuer threshold. 
Although the Board recognizes this possibility, for context regarding 
the number of firms currently around the 100-issuer threshold, PCAOB 
staff analysis of audit reports included in SEC filings indicates that, 
during the 2022 calendar year, two NAFs audited between 80 and 100 
issuers and two NAFs audited between 100 and 120 issuers. Firms may 
pass on part of any increased costs they incur at the firm or 
engagement level by raising the fees they charge their clients. In 
addition, to the extent that the requirements improve compliance with 
applicable professional and legal requirements, some audited companies 
could face additional costs to respond to their auditors' requests for 
additional or more extensive audit evidence. Audited companies may 
incur other costs due to changes in audit firm QC policies and 
procedures. For example, if QC 1000 results in changes to firms' client 
acceptance and continuance practices, firms may require greater fees or 
refuse to accept or retain high-risk clients. While this outcome would 
represent a cost to audited companies, the result could be a more 
efficient audit market if riskier companies pay more. These indirect 
costs will be reduced to the extent that firms will have already 
implemented the requirements in response to similar actions of other 
standard setters or due to other developments.
b. Costs of Key Provisions
i. Scaled Applicability
    Scaled-applicability firms will incur the design costs discussed 
above. Should a scaled-applicability firm ever become subject to the 
implementation and operation requirements, the firm will then incur the 
implementation and operation costs discussed above. As with other 
registered firms, the costs to scaled-applicability firms will be less 
to the extent they will already be complying with ISQM 1 or SQMS 1. 
Firms and a related group suggested allowing firms that do not perform 
engagements the flexibility to design their QC system in accordance 
with another QC standard, such as ISQM 1 or SQMS 1, to help manage 
costs. However, the Board expects the design costs for those firms to 
be limited to incremental requirements around ethics, independence, 
monitoring, and remediation. Furthermore, scaled-applicability firms 
may choose to avoid the design costs by withdrawing from PCAOB 
registration given that they are not required to be registered.
ii. In-Process Monitoring Activities
    The Board believes the in-process monitoring requirement may 
contribute to the direct and indirect costs discussed above such as: 
(1) developing documentation, (2) providing training, (3) gathering 
additional audit evidence, and (4) other potential indirect costs such 
as the time required of issuers to provide their auditor with 
additional or more extensive audit evidence. The costs will depend on 
the extent to which firms already have in-process monitoring activities 
in place. In addition, in-process monitoring may result in increased 
audit fees. Information gathered through PCAOB inspection activities 
indicates that 11 out of 14 annually inspected firms perform some in-
process engagement monitoring activities.
iii. Firm Governance Structure
    The Board believes there could be costs to design, implement, and 
operate the oversight function (i.e., EQCF). For example, firms that 
are required to incorporate the oversight function into their 
governance structure for the first time may incur costs when retaining 
appropriate individuals from outside of the firm.\496\ Firms with an 
existing

[[Page 49719]]

oversight function may incur costs to find different individuals to 
fill the role. In addition, firms with an existing oversight function 
may incur incremental costs to incorporate the baseline requirement to 
evaluate, at a minimum, significant judgments made and the related 
conclusions reached by the firm when evaluating and reporting on the 
effectiveness of its QC system.
---------------------------------------------------------------------------

    \496\ According to Spencer Stuart, the average compensation per 
non-employee director was $327,764 in 2023. See 2023 U.S. Spencer 
Stuart Board Index (2023), available at https://www.spencerstuart.com/-/media/2021/october/ssbi2021/us-spencer-stuart-board-index-2021.pdf (analyzing 489 DEF-14A proxy statements 
filed by S&P 500 companies with the SEC between May 1, 2022, and 
Apr. 30, 2023). PCAOB staff notes that variation between the 
responsibilities of an oversight function and a non-employee 
director function may limit the relevance of this cost reference to 
some extent.
---------------------------------------------------------------------------

    Several commenters expressed concern that the oversight function 
would be costly or difficult to fulfill, especially for firms that 
audit between 100 and 500 issuers. One commenter suggested the 
oversight function could add costs that ultimately have to be passed on 
through higher audit fees, which investors in smaller issuers are 
unlikely to support, particularly when the costs are spread over a 
small amount of invested public capital in a firm's issuer audits 
clients. Conversely, one commenter said that the costs of the oversight 
function could be reduced by engaging an independent accounting firm to 
provide weekly advisory services.
    To help address these cost concerns, the requirement will allow 
firms to implement an oversight function into their QC system suitable 
for their circumstances. Costs, as well as the associated benefits, 
could be attenuated for U.S. GNFs by the fact that all of the U.S. GNFs 
indicate, as of the 2020 inspection cycle, that they already have a 
governance structure that includes a non-employee.
iv. The Automated Independence Process
    The Board believes there could be costs to design, implement, and 
operate the required automated process to identify investments in 
securities that might impair independence. The costs will depend on the 
extent to which firms already have such an automated process in place. 
Information gathered through PCAOB inspection activities indicates that 
nine out of 14 annually inspected firms already have one in place. The 
remaining five have processes in place that are not fully automated. 
Firms will be able to automate the process in a way that is suitable to 
their unique facts and circumstances. Most firms will likely need to: 
(1) convert their restricted entity list into a searchable electronic 
form; (2) maintain the electronic restricted entity list; and (3) 
develop queries that can compare a manager's or partner's relevant 
investments in securities to the electronic restricted entity list. 
Some firms may choose to integrate the automated process with existing 
systems related to client acceptance or time and expense. Firms with 
simple restricted entity lists (e.g., fewer clients, fewer 
subsidiaries) or simpler QC policies and procedures for restricted 
entities (e.g., any investment in any security of a restricted entity 
is restricted) may require less investment in software and expertise 
than other firms.
    Several commenters said that the proposed automated process will 
entail significant costs. One commenter emphasized that there will be 
upfront and ongoing investments in technology and other overhead to 
operate such a process. Another commenter noted that implementing and 
maintaining an automated independence monitoring system is costly for 
smaller firms, which audit predominantly privately held companies and 
have not previously been subject to the automated independence system 
requirement under SEC rules. One commenter said it was unaware of any 
truly off-the-shelf system responsive to the proposed requirement. One 
commenter emphasized that for firms that audit between 100 and 500 
issuers, the main potential downside of an automated process is the 
associated time and incremental cost to develop an efficient and 
effective system. The commenter noted that, in addition to software 
costs, there will be costs to oversee the system to ensure the data 
entered are correct and firm personnel are trained to use the system. 
Another commenter noted that the six largest firms represent 60% of 
issuers and approximately 98.7% of the capital markets and asserted 
that the automated independence process will nearly triple the number 
of firms required to implement automated investment tracking systems 
but pick up less than 15% of issuers, which represent less than 1% of 
the capital markets. The same commenter also asserted that the 
differences in size, scope, nature, and complexity between the six 
largest annually inspected firms and other annually inspected firms can 
be immense and that more than 80% of the commenter's issuer client 
count consists of either Form 11-K audits or audits of smaller 
companies, which have less impact on capital markets. While the 
commenter provided these figures in response to costs of the automated 
independence process, the same figures could apply to the costs and 
benefits of each of the key policy provisions that invoke the 100-
issuer threshold.
    To help address these views, the final standard clarifies that the 
required automated process: (1) will apply only to the identification 
of relevant investments in securities and (2) will permit firms to rely 
on firm professionals accurately self-reporting and entering their 
investments into the system (e.g., direct brokerage feeds will not be 
expressly mandated). In addition, the Board believes that existing 
software products likely could be adapted to respond to the 
requirements. Furthermore, off-the-shelf systems more tailored to the 
requirements may enter the market in the future. Notwithstanding the 
commenters' views, the Board retained the automated independence 
process requirement, and acknowledges there will be costs to design, 
implement, and operate it.
v. Complaints and Allegations Policies and Procedures
    The Board expects the policies and procedures regarding complaints 
and allegations will entail direct costs to firms to design, implement, 
and maintain. Most notably, firms will incur additional variable costs 
to receive, investigate, and address complaints and allegations. Firms 
that issued audit reports with respect to more than 100 issuers during 
the prior calendar year will incur costs to implement confidentiality 
protections. The costs will depend on the extent to which firms already 
have policies and procedures regarding complaints and allegations in 
place. Information gathered through PCAOB inspection activities 
indicates that 10 out of 14 annually inspected firms already have 
hotlines in place that may satisfy certain of the complaints and 
allegations requirements.\497\
---------------------------------------------------------------------------

    \497\ According to one hotline vendor that posted their service 
prices online, the annual fee for a hotline that covers up to 75 
employees starts at $1,200 and the annual fee for a hotline that 
covers more than 5,000 employees starts at $7,000 (see https://www.allvoices.co/basic-purchase). The Board notes that the 
complaints and allegations provisions include more than having a 
hotline.
---------------------------------------------------------------------------

vi. Reporting the Annual QC System Evaluation
    The Board expects the requirement to report the annual QC system 
evaluation to the PCAOB will entail an additional annual cost to firms 
to prepare Form QC. However, since firms will already be required to 
perform and document the evaluation, any additional costs associated 
with preparing Form QC should be minimal. The requirement may also 
result in some increased

[[Page 49720]]

litigation risk to the extent that information reported to the PCAOB is 
not subject to privilege under section 105(b)(5) of Sarbanes-Oxley, and 
to the extent that reporting of this information to a third party may 
vitiate other privileges that otherwise could have been used to protect 
the information from compelled disclosure in third-party actions. Non-
protected material may become subject to compulsory production, which 
could impose indirect costs on firms to the extent that legal or other 
consequences may flow from that production.
vii. Certification of the Annual QC System Evaluation
    The certification requirement itself may not impose much direct 
cost on firms because the evaluation activities precede certification. 
However, to the extent that firms choose to implement a more robust 
internal compliance infrastructure (e.g., by requiring sub-
certifications from personnel with direct responsibility for certain 
functions), those costs could also be attributable to the certification 
requirement. Moreover, firms may be exposed to litigation costs because 
the certifications in Form QC are not subject to privilege under 
section 105(b)(5) of Sarbanes-Oxley, meaning that third parties may be 
able to compel production of the certifications, and the certifications 
may have an impact in third-party litigation. For example, the threat 
of liability for negligent conduct could lead to costs if individuals 
demand additional remuneration or take additional steps to act 
reasonably and demonstrate that they have acted reasonably (e.g., 
assuring themselves that the QC system is appropriately designed) or to 
defend against enforcement allegations. The Board believes, however, 
that the internal compliance exercise, and even potentially the threat 
of third-party litigation, can reinforce the importance of the firm's 
QC system within the firm, which in turn can help produce the benefits 
the Board expects this provision will generate.
viii. Responding to Engagement Deficiencies Identified After Issuance 
of the Audit Report
    The amendments to AS 2901, Consideration of Omitted Procedures 
After the Report Date, and related amendments to AT No. 1 and AT No. 2 
will contribute to the engagement-level costs discussed above to the 
extent auditors will perform additional procedures to obtain sufficient 
appropriate evidence or take additional action to prevent future 
reliance on insufficiently supported audit opinions (or review reports 
in the case of review engagements) that are being relied on. The Board 
expects the requirement to extend the scope of AS 2901 to include the 
ICFR audit within its scope will be particularly impactful because the 
audit of internal control over financial reporting is both resource-
intensive \498\ and a common and recurring area of deficiency.\499\
---------------------------------------------------------------------------

    \498\ See, e.g., U.S. Securities and Exchange Commission Office 
of Economic Analysis, Study of the Sarbanes-Oxley Act of 2002 
Section 404 Internal Control over Financial Reporting Requirements 
(Sept. 2009), at Table 8 (reporting that roughly one-third of total 
audit fees may be attributable to the ICFR audit).
    \499\ See, e.g., 2020 Inspection Observations Preview.
---------------------------------------------------------------------------

vii. SECPS Requirements
    The requirements will refine, integrate into QC 1000, and extend to 
all firms the SECPS member requirements currently required under PCAOB 
Rule 3400T. The Board expects this will increase development, 
implementation, and operating costs for firms not already subject to 
these requirements. However, the Board believes the costs should be 
minimal because, based on its oversight activities, the Board believes 
these firms already have in place policies and procedures related to 
compliance with SEC and PCAOB independence rules.
3. Unintended Consequences
    The requirements could give rise to unintended consequences. 
Overall, however, the Board expects any potential unintended 
consequences will be mitigated by other factors.
a. Human Capital
    Some firms may require additional staff resources to implement the 
requirements. To meet this demand, firms may transfer personnel from 
engagement-level roles to QC roles. This could create a risk that 
engagements are insufficiently staffed. Alternatively, some firms may 
assign more junior staff to QC roles or to new openings on engagements. 
This could create a risk that QC system or engagement personnel lack 
sufficient training or experience. One commenter reported the 
commenter's own analysis to demonstrate that audits are largely 
conducted by non-CPAs with limited experience in the field of auditing. 
QC 1000 includes quality objectives that mitigate these risks. For 
example, firms will be required to establish quality objectives that 
individuals who are assigned to engagements or perform QC system 
activities have the competence, objectivity, authority (in the case of 
activities within the QC system), and time to perform their 
responsibilities in accordance with applicable professional and legal 
requirements and the firm's policies and procedures.\500\
---------------------------------------------------------------------------

    \500\ See QC 1000.44c. and e.
---------------------------------------------------------------------------

    Some commenters argued that the costs of QC 1000 would be 
especially significant due to labor shortages. One commenter asserted 
that an aggressive enforcement atmosphere may create disincentives for 
individuals to join the profession, harming the talent pipeline that is 
necessary for the production of high-quality audits. Another commenter 
raised concerns that recruiting and retaining partners and employees 
for a firm's QC system will be a tremendous challenge for firms willing 
and able to absorb additional costs to properly implement the 
requirements of QC 1000 given the tight labor market. One commenter 
reported that some market research indicates significant declines in 
the number of new CPA candidates and annual accounting degree 
completions.\501\ The commenter also reported commentary from a survey 
that reveals the largest accounting firms regularly score low along 
dimensions that are most indicative of their desirability as places to 
work.\502\ Another commenter cited news articles \503\ and academic 
research \504\ that suggest attracting and retaining talent is a 
serious concern for accounting firms and university accounting 
programs. However, based on its preliminary survey research, another 
commenter reported that some QC leaders do not feel resource 
constrained.\505\
---------------------------------------------------------------------------

    \501\ See AICPA Trends Report.
    \502\ See Mark Kolakowski, Best Accounting Firms (Vault Top 50 
Accounting Firms) (Jan. 14, 2020).
    \503\ See, e.g., Lindsay Ellis, Why so Many Accountants are 
Quitting, Wall St. J. (Dec. 28, 2022); Stephen Foley, Accountants 
Work to Shed ``Boring'' Tag Amid Hiring Crisis, Financial Times 
(Oct. 3, 2022).
    \504\ See, e.g., Hermanson, et al., The Work Environment in 
Large Audit Firms A38; Dana R. Hermanson, Heather M. Hermanson, 
Susan D. Hermanson, Where is Public Company Auditing Headed?, 90 CPA 
Journal 54 (2020); Westermann, et al., PCAOB Inspections 694.
    \505\ See Hayne, et al., Managing Quality Control.
---------------------------------------------------------------------------

    The Board acknowledges the commenters' concerns about the potential 
impact on staff resources. However, the potential impact on staff 
resources is likely the result of the interplay among numerous factors 
in the labor market, such as the rigor of qualifying for and completing 
the requirements for CPA licensure and the relatively low starting 
salaries being cited by college students as one of the main hurdles to 
choosing accounting as a major. To meet increased demand for staff 
resources, some firms may choose to hire additional experienced staff. 
It is

[[Page 49721]]

possible that the labor demand shock could result in increased wages 
and potentially higher audit fees, which could be exacerbated by the 
concentration of large firms in the audit market. Higher wages could in 
turn help firms attract and retain a skilled workforce or encourage 
qualified individuals to take essential roles at firms.\506\ The 
principles-based features and scalable nature of QC 1000 described 
above, as well as the 100-issuer threshold for some provisions, help 
mitigate this risk because fewer resources will be required for firms 
based on those features.
---------------------------------------------------------------------------

    \506\ There are some indications that retention and recruitment 
of staff is currently a challenge for audit firms. See, e.g., 
Persellin, et al., Auditor Perceptions 95; AICPA Private Companies 
Practice Section, 2021 PCPS CPA Top Issues Survey; AICPA, 2021 
Trends: A Report on Accounting Education, the CPA Exam and Public 
Accounting Firms' Hiring of Recent Graduates (``AICPA Trends 
Report'') (Apr. 2022).
---------------------------------------------------------------------------

b. Competition
    The requirements could also cause firms to exit the public company 
audit market or deter other firms from future entry. Entry deterrence 
could be exacerbated by the fact that being registered with the PCAOB 
will subject firms to certain QC requirements even if they do not 
perform engagements. Several commenters agreed that the proposed 
requirements, if adopted, could impact competition. One commenter 
expressed concern that the incremental requirements of QC 1000 relative 
to other QC standards could lead smaller high-quality firms to exit the 
market. One commenter asserted that the certification requirement would 
be an especially significant driver of exit, particularly for smaller 
firms. Some commenters suggested that the design requirement for 
scaled-applicability firms could lead some scaled-applicability firms 
to deregister with the PCAOB or create a barrier to entry. One 
commenter added that the design requirement for scaled-applicability 
firms could impact audit markets beyond the U.S. by creating a 
disincentive for foreign firms to serve specific audit markets. Another 
commenter suggested that further enhancing the scalability of QC 1000 
may be helpful for smaller firms to stay competitive. One commenter 
noted that QC 1000 requirements may serve as an impediment to audit 
firm mergers and acquisitions and otherwise perturb market activity. 
Correspondingly, less consolidation could mitigate concentration or 
help preserve a competitive dynamic amongst firms. Nevertheless, the 
presence of fewer firms could reduce competition in the public company 
audit market even in light of additional scalability or fewer mergers 
and acquisitions. Some commenters said that some firms may resign 
existing issuer clients or decline new ones to avoid incremental QC 
1000 requirements for firms that issue more than 100 audit reports. 
This could lead to a further reduction in competition for engagements 
that these firms would otherwise compete. This reduction in competition 
would likely only apply to actual or potential issuer clients of firms 
that are close to the 100-issuer threshold. As noted above, PCAOB staff 
analysis of audit reports included in SEC filings indicates that, 
during the 2022 calendar year, the number of firms currently around the 
100-issuer threshold includes two NAFs that audited between 80 and 100 
issuers and two NAFs that audited between 100 and 120 issuers.
    Confirming the widely held view that audit firms compete on price, 
some research suggests that reduced competition is indeed associated 
with higher audit fees.\507\ However, any exit would likely be limited 
primarily to firms with small market shares and to the smaller issuer 
or broker-dealer audit markets, which research suggests tend to be 
competitive.\508\ For example, firms that would manage their client 
portfolio to avoid incremental QC 1000 requirements would likely prefer 
to resign (or decline to accept) smaller issuer clients than larger 
issuer clients. Moreover, some research suggests that reduced 
competition may have a positive impact on audit quality because it 
curtails issuers' opportunity to opinion shop.\509\ Compounding this 
effect, the requirements may further deter opinion shopping as a basis 
for competition to the extent they would improve auditors' compliance 
with professional standards. One commenter argued that opinion shopping 
is not prevalent and any reduction in opinion shopping would be 
minimal.
---------------------------------------------------------------------------

    \507\ See, e.g., Joshua L. Gunn, Brett S. Kawada, and Paul N. 
Michas, Audit Market Concentration, Audit Fees, and Audit Quality: A 
Cross-Country Analysis of Complex Audit Clients, 38 Journal of 
Accounting and Public Policy 1 (2019).
    \508\ While research generally has focused on competition for 
the largest public company audits and the corresponding 
concentration amongst the largest audit firms, less is known about 
market forces within the smaller audit firm market. However, some 
research has studied competitive aspects of the smaller firm market. 
See, e.g., Tracy Ti Gu, Dan A. Simunic, Michael T. Stein, Minlei Ye, 
and Ping Zhang, The Market for Audit Services: The Role of Market 
Power, 19 Journal of International Accounting Research 3 (2020) 
(concluding that small public companies can potentially purchase 
audit services from any audit firm and that the number of suppliers 
to small public companies is relatively higher than the number of 
suppliers to large public companies); Kenneth L. Bills and Nathaniel 
M. Stephens, Spatial Competition at the Intersection of the Large 
and Small Audit Firm Markets, 35 Auditing: A Journal of Practice and 
Theory 23 (2016) (concluding that smaller and larger firms compete 
locally in some cases); Andrew Kitto, Phillip T. Lamoreaux, and 
Devin Williams, Do Entry Barriers Allow Low Quality Audit Firms to 
Enter the Public Company Audit Market?, available on SSRN: https://ssrn.com/abstract=3572688(2023) (concluding that current barriers to 
entry likely deter some audit firms from entering the audit market 
but that current barriers fail to prevent entry by firms that are 
significantly lower quality compared to incumbent firms); Brant 
Christensen, Kecia Williams Smith, Dechun Wang, and Devin Williams, 
The Audit Quality Effects of Small Audit Firm Mergers in the United 
States, 42 Auditing: A Journal of Practice & Theory 75 (2023) 
(concluding that audit quality decreases post-merger based on data 
regarding mergers of very small audit firms).
    \509\ See, e.g., Nathan J. Newton, Julie S. Persellin, Dechun 
Wang, and Michael S. Wilkins, Internal Control Opinion Shopping and 
Audit Market Competition, 91 The Accounting Review 603 (2016); 
Nathan J. Newton, Dechun Wang, and Michael S. Wilkins, Does a Lack 
of Choice Lead to Lower Quality? Evidence From Auditor Competition 
and Client Restatements, 32 Auditing: A Journal of Practice & Theory 
31 (2013).
---------------------------------------------------------------------------

c. Network Resources
    Some commenters expressed concern that the requirements could 
diminish the availability of global network resources and that smaller 
firms around the world could decline to assist U.S. firms in their 
global audits. One commenter added that this could be detrimental to 
overall engagement quality. Several factors could mitigate this 
potential unintended consequence. First, staff analysis of 2021 Form AP 
filings finds that 74% of all audits (32% of Fortune 500 audits) do not 
use other auditors.\510\ Second, this potential unintended consequence 
would likely be limited primarily to firms that lack the network 
resources to implement QC 1000. One academic study finds that 94% of 
component auditors identified on Form AP are affiliated with the 
principal auditor (99% when the principal auditor is a GNF).\511\ 
Third, other auditors that do not play a substantial role on any PCAOB 
engagement would be able to deregister with the PCAOB and continue to 
perform their existing roles on the engagements. Fourth, the 
competitiveness of the smaller issuer audit market suggests that 
principal auditors would be able to retain a different component 
auditor of comparable quality. Finally, to the extent the requirements 
would lead a firm to retain a lower-quality

[[Page 49722]]

component auditor, existing PCAOB standards related to audits involving 
other auditors could help mitigate the risk that the new component 
auditor performs a low-quality component audit.\512\ It is possible 
that, despite the requirements, firms may not improve compliance with 
applicable professional and legal requirements when performing their 
engagements. For example, personnel assigned to QC roles may adopt a 
perfunctory, ``check the box'' attitude toward compliance. The firm's 
risk assessment process and monitoring and remediation process 
requirements, which require personnel assigned to QC roles to think 
proactively about the reasonable assurance objective, could help to 
mitigate this risk. As another example, engagement partners may 
overestimate the ability of their firm's QC system to support 
achievement of the reasonable assurance objective and relax their 
efforts to self-monitor or monitor others. While QC 1000 centralizes 
responsibility for QC to a degree, other requirements could mitigate 
this risk. For example, individual responsibility features prominently 
in QC 1000 and PCAOB auditing standards emphasize the responsibility of 
the engagement partner for the engagement and its performance.\513\
---------------------------------------------------------------------------

    \510\ See PCAOB Rel. No. 2022-002, at Figure 2.
    \511\ See William M. Docimo, Joshua L. Gunn, Chan Li, and Paul 
N. Nichas, Do Foreign Component Auditors Harm Financial Reporting 
Quality? A Subsidiary-Level Analysis of Foreign Component Auditor 
Use, 38 Contemporary Accounting Research 3113 (2021).
    \512\ See, e.g., PCAOB Rel. No. 2022-002.
    \513\ See, e.g., QC 1000.42a.(1); AS 1201.03. The Board has also 
proposed to clarify the engagement partner's existing 
responsibilities for supervision and review in AS 1201, AS 1215, and 
AS 2101 to provide more specificity about the engagement partner's 
responsibility to exercise due professional care related to 
supervisory and review activities required to be performed under 
existing auditor requirements. See PCAOB Rel. No. 2023-001 at 15.
---------------------------------------------------------------------------

d. Accountability
    Some commenters expressed concern that the accountability 
provisions of QC 1000 could have potentially harmful unintended 
consequences. For example, one commenter asserted that good faith 
actions with regard to supervisory responsibilities could become 
subject to PCAOB enforcement. Some commenters suggested that the roles 
and responsibilities requirements could reduce audit quality or 
increase costs by creating a disincentive for the most qualified 
individuals to take on the specified roles. One commenter noted that 
individual certification poses a potential threat of additional 
liability and could affect the recruitment of talented individuals 
needed to fill critical roles within firms. Another commenter noted 
that for firms with an issuer practice that makes up a small portion of 
the overall practice, it can be difficult to find partners to fill lead 
and engagement quality reviewer roles on engagements when those roles 
are subject to a higher risk of individual enforcement actions.
    The Board acknowledges that, in addition to positive consequences, 
accountability can have negative consequences, such as disincentives 
from taking on QC roles with greater accountability. One commenter 
suggested that the incorporation of rewards into the firms' 
accountability model could mitigate this potential unintended 
consequence. QC 1000 contemplates that the firm's compensation plans 
and performance evaluations will appropriately incentivize firm 
personnel to fulfill their assigned responsibilities \514\ and that 
firm leadership will be held accountable for quality, including through 
their performance evaluations and compensation.\515\ Depending on the 
firm's specific quality risks, including the risk that qualified 
individuals may be unwilling to take on QC roles, firms can incorporate 
both positive incentives (``carrots'') and negative incentives 
(``sticks'') in the design of their incentive plans.
---------------------------------------------------------------------------

    \514\ See QC 1000.44g.
    \515\ See QC 1000.25b.
---------------------------------------------------------------------------

e. Scalability
    One commenter expressed concern based on academic research that 
limiting the applicability of certain requirements to firms of a 
certain size could give rise to audit quality differences between 
larger and smaller firms. In general, the incremental requirements for 
larger PCAOB audit practices are less suitable to smaller PCAOB audit 
practices' QC systems. For example, a smaller firm may not need an 
automated system to track investments if it has a stable number of 
issuer clients and a small group of persons subject to independence 
requirements. But if a smaller firm does not achieve its quality 
objectives or the reasonable assurance objective, it will have to take 
remedial action, which could include implementing some or all of the 
incremental QC system features that are expressly required for larger 
PCAOB audit practices.
f. Design Requirements Under Scaled Applicability
    Some commenters expressed concern that scaled-applicability firms 
could design QC systems inappropriate for the future circumstances that 
would arise should the firm eventually become a full-applicability 
firm. One commenter cited research that suggests audit firm personnel 
designing a QC system to address hypothetical future circumstances will 
need to overcome numerous cognitive biases.\516\ The Board believes 
this potential unintended consequence is mitigated by QC 1000's 
proactive approach. For example, the firm will be required to establish 
policies and procedures to monitor, identify, and assess changes to 
conditions, events, and activities that indicate modifications to the 
firm's quality objectives, quality risks, or quality responses may be 
needed. When such changes are identified, the firm will be required to 
determine what, if any, modifications are needed to make them on a 
timely basis. In effect, a scaled-applicability firm's QC system design 
should be appropriate for its circumstances in the event it becomes a 
full-applicability firm.
---------------------------------------------------------------------------

    \516\ See, e.g., Paul J.H. Schoemaker, Forecasting and Scenario 
Planning: The Challenges of Uncertainty and Complexity, in Blackwell 
Handbook of Judgment & Decision Making, eds. D.J. Koehler and N. 
Harvey, 274 (2004); Edward J. Joyce and Gary C. Biddle, Anchoring 
and Adjustment in Probabilistic Inference in Auditing, 19 Journal of 
Accounting Research 120 (1981); Noel Harding and Ken T. Trotman, 
Improving Assessments of Another Auditor's Competence, 28 Auditing: 
A Journal of Practice & Theory 53 (2009); Byron J. Pike, Mary B. 
Curtis, and Lawrence Chui, How Does an Initial Expectation Bias 
Influence Auditors' Application and Performance of Analytical 
Procedures?, 88 The Accounting Review 1413 (2013); Amos Tversky and 
Daniel Kahneman, Judgment under Uncertainty: Heuristics and Biases, 
185 Science 1124 (1974); Steven M. Glover, James Jiambalvo, and Jane 
Kennedy, Analytical Procedures and Audit-Planning Decisions, 19 
Auditing: A Journal of Practice & Theory 27 (2000); Vicky B. Hoffman 
and Mark F. Zimbelman, Do Strategic Reasoning and Brainstorming Help 
Auditors Change their Standard Audit Procedures in Response to Fraud 
Risk?, 84 The Accounting Review 811 (2009); Tim D. Bauer, Sean M. 
Hillison, Mark E. Peecher, and Bradley Pomeroy, Revising Audit Plans 
to Address Fraud Risk: A Case of ``Do as I Advise, Not as I Do''?, 
37 Contemporary Accounting Research 2558 (2020).
---------------------------------------------------------------------------

g. Other Potential Unintended Consequences
    Because firms' QC systems will likely operate over all of their 
engagements, including those that are not subject to PCAOB standards, 
the engagement-level costs discussed above could apply to those 
engagements as well. Moreover, one commenter asserted that firms with a 
significant private company client base will be challenged by different 
documentation retention policies based on client base since many 
aspects of QC relate to the firm as a whole. Correspondingly, the 
requirements could improve compliance on those engagements because they 
would be governed by more effective QC policies and procedures. Indeed, 
one commenter said that requiring all firms to design a QC system that 
complies with QC 1000

[[Page 49723]]

could have a beneficial impact on private company audits.
    Research on other quality management and enterprise risk management 
systems suggests other potential unintended consequences. For example, 
research on ISO 9000 adoption indicates that it may reduce staff 
morale, stifle innovation, and require excessive levels of 
documentation.\517\ The principles-based features and scalable nature 
of QC 1000 described above, as well as the 100-issuer threshold for 
some provisions, help mitigate these concerns by providing firms the 
ability to design, implement, and operate policies and procedures to 
support achievement of the reasonable assurance objective based on 
their facts and circumstances.
---------------------------------------------------------------------------

    \517\ See, e.g., John Seddon, Ten Arguments Against ISO 9000, 7 
Managing Service Quality: An International Journal 162 (1997); 
Bozena Poksinska, J[ouml]rgen AE Eklund, and Jens J[ouml]rn 
Dahlgaard, ISO 9001:2000 in Small Organisations Lost Opportunities, 
Benefits and Influencing Factors, 23 International Journal of 
Quality & Reliability Management 490 (2006).
---------------------------------------------------------------------------

Alternatives Considered

    During the development of the requirements, the Board considered a 
number of alternative approaches to address the need described above. 
This section explains: (1) why standard setting is preferable to other 
policy-making approaches, such as providing interpretive guidance or 
enhancing inspection or enforcement efforts; (2) why the chosen 
standard-setting approach is preferable to other standard-setting 
approaches; and (3) key policy choices made in determining the details 
of the standard-setting approach.
1. Why Standard Setting Is Preferable to Another Approach
    As potential alternatives to standard setting, the Board considered 
whether interpretive guidance or greater focus on inspections or 
enforcement could better address the need described above.
    Interpretive guidance assists firms in the implementation of 
existing PCAOB standards and rules and can advance audit quality by 
establishing a common understanding of a firm's obligations under PCAOB 
standards and rules. For example, interpretive guidance may address, 
among other things, specific, common audit deficiencies identified 
during PCAOB inspections and the applicable requirements under PCAOB 
standards and rules. By contrast, as discussed above, some firms' QC 
systems appear to not be providing reasonable assurance of compliance 
generally. Moreover, current PCAOB QC standards were developed decades 
ago in a very different audit environment and have not been updated to 
reflect the risk-based, proactive approach to QC that the Board 
believes would be most effective. Therefore, the Board believes 
revisions to the current PCAOB QC standards are needed to require firms 
to make the necessary enhancements to their QC systems to help drive 
compliance with professional standards.
    While the PCAOB will continue to address firms' compliance with 
PCAOB standards and rules through inspection and enforcement 
activities, QC standard setting provides certain unique benefits. 
Firms' QC systems operate over all aspects of all issuer audits and 
broker-dealer engagements, whereas PCAOB inspections assess compliance 
with only certain aspects of the issuer audits and broker-dealer 
engagements selected for review. In addition, inspection and 
enforcement efforts take place after the engagement has occurred and 
after investors and other financial statement users have potentially 
suffered harm. Therefore, greater focus on inspecting and enforcing 
compliance with PCAOB standards and rules may not be as effective as 
updating the QC standards and amending other related standards.
2. Why the Chosen Standard-Setting Approach Is Preferable to Other 
Standard-Setting Approaches
    QC 1000 shares the same basic structure as ISQM 1 and SQMS 1. The 
Board also considered basing QC 1000 on a different quality management 
framework, such as COSO or ISO 9001, or developing its own risk-based 
approach. The essential features of these other quality management 
frameworks are broadly similar to ISQM 1 and SQMS 1. For example, they 
typically are risk-based and focus on monitoring and remediating 
deficiencies. However, ISQM 1 and SQMS 1 have the further advantage of 
being specifically tailored to audit firms. Furthermore, an original 
risk-based approach would likely include the same essential features as 
ISQM 1 and SQMS 1. Overall, the Board believes that the benefits of 
basing QC 1000 on a different quality management framework or an 
original PCAOB risk-based approach (e.g., improved compliance with 
applicable professional and legal requirements) would be similar to the 
benefits of using a structure similar to ISQM 1 and SQMS 1.
    Basing QC 1000 on a different quality management framework or an 
original PCAOB risk-based approach would likely be more costly. As 
highlighted above, the Board expects that many firms are familiar with 
ISQM 1 or SQMS 1 and have made, or will make, investments in their QC 
systems to comply with those requirements. Firms may be less familiar 
with other quality management frameworks than they are with ISQM 1 and 
SQMS 1. Basing QC 1000 on a different quality management framework or 
an original PCAOB risk-based approach therefore would likely require 
additional effort by firms to understand and apply the standard. Some 
firms may be required to employ or engage persons with the necessary 
expertise in the particular quality framework to facilitate appropriate 
implementation. While the largest firms may employ consultants with 
this expertise, smaller firms may not, and acquiring or engaging the 
necessary consultants could be costly. In addition, basing QC 1000 on a 
different quality management framework or an original PCAOB risk-based 
approach may introduce an element of regulatory complexity, which could 
both increase cost and detract from audit quality for firms that would 
be required to comply with ISQM 1 or SQMS 1.\518\
---------------------------------------------------------------------------

    \518\ One commenter suggested that the Board look at any lessons 
learned or studies published by the IAASB or the AICPA related to 
their quality management standards to help inform any refinements 
that might be needed or additional implementation guidance that 
might be useful for adoption of QC 1000. As discussed above, the 
Board took into consideration actions by other standard setters and 
requirements of their quality management standards in the 
development of QC 1000. PCAOB staff searched for studies but did not 
find any available. The recent effective date of ISQM 1 on Dec. 15, 
2022, and the forthcoming effective date of SQMS 1 on Dec. 15, 2025, 
may explain a dearth of lessons learned or post-implementation 
studies published by IAASB or the AICPA to date.
---------------------------------------------------------------------------

3. Key Policy Choices
    This section discusses several potential provisions that the Board 
decided against including in QC 1000. These provisions relate to: (1) 
applicability; (2) the threshold for incremental requirements; (3) firm 
governance structure; (4) self-assessment monitoring; (5) in-process 
monitoring activities; (6) the evaluation and reporting dates; (7) 
reporting the annual QC system evaluation; (8) certification of the 
annual evaluation; (9) public reporting; and (10) audit committee 
communications.
a. Applicability
    The discussion above explains the distinction between scaled 
applicability and full applicability. The Board considered requiring 
all firms to design, implement, and operate a QC system that meets the 
requirements only upon being required to comply with applicable 
professional and legal requirements with respect to a firm

[[Page 49724]]

engagement. This approach would reduce the costs of the requirements to 
firms not performing engagements by allowing them to defer the costs of 
designing their QC system. However, scaled-applicability firms may 
reduce their costs under the approach by withdrawing from PCAOB 
registration. Furthermore, any reduced costs would not address the risk 
that firms could be unprepared to accept and perform engagements in 
compliance with applicable professional and legal requirements.
    The discussion above also addresses commenters' views on 
alternative approaches to this key policy choice. For example, several 
commenters suggested allowing scaled applicability firms to design a QC 
system that complies with ISQM 1. One commenter suggested limiting the 
design requirements to acceptance and continuance policies. One 
commenter suggested limiting the design requirement to firms that 
satisfy an issuer client market capitalization criterion. While these 
alternative approaches could reduce some of the costs to scaled-
applicability firms associated with designing their QC systems, they 
could also reduce the benefit of firms having a PCAOB-compliant QC 
system ready for implementation and operation. Furthermore, as 
discussed above, firms could avoid the costs of designing a QC system 
that complies with QC 1000 by deregistering.
b. Threshold for Incremental Requirements
    The incremental requirements that will apply only to firms that 
issued audit reports for more than 100 issuers in the prior calendar 
year (e.g., requirements related to firm governance structure) are 
discussed above. Several commenters suggested alternative thresholds. 
For example, some commenters suggested the threshold should consider 
the market capitalizations of issuer clients. One commenter suggested 
that the threshold should consider the types of financial statements 
being audited.\519\ These alternative approaches could help ensure QC 
1000 is appropriately scalable to the facts and circumstances of all 
firms. However, the Board believes there could be practical challenges 
with implementing a more complex threshold. For example, market 
capitalization can be volatile and would require PCAOB and firm 
resources to track. Some firms may cross an issuer market 
capitalization threshold multiple times within a short period of time. 
Issuer count, by contrast, aligns with Rule 4003, Frequency of 
Inspections, is easier to track, and may not be as volatile as market 
capitalization. Finally, while market capitalization may be a useful 
proxy for investor exposure to the issuers audited by the firm, it 
would be a less useful proxy for the complexity of a firm's QC system.
---------------------------------------------------------------------------

    \519\ The commenter noted that a large percentage of their 
issuer audit counts consist of Form 11-K audits, which have limited 
impact on the capital markets.
---------------------------------------------------------------------------

c. Firm Governance Structure
    Specified quality responses related to governance and leadership 
are discussed above. The Board considered extending to all firms the 
requirement to incorporate into their governance structure an external 
oversight function for the QC system composed of one or more persons 
who are not principals or employees of the firm and do not otherwise 
have a commercial, familial, or other relationship with the firm that 
would interfere with the exercise of independent judgment regarding 
matters related to the QC system. However, in light of the direct cost 
of such an oversight function, which could disproportionately impact 
smaller PCAOB audit practices, and reflecting the Board's view that the 
public interest in such independent oversight is strongest in relation 
to the largest firms, the requirement applies only to firms that issued 
audit reports with respect to more than 100 issuers during the prior 
calendar year.
    Some commenters suggested that more than one independent member of 
the oversight function should be required. In support of this view, one 
commenter noted that the independent member(s) would be in the minority 
and cited academic research regarding audit committees that suggests 
oversight functions are more effective with a greater proportion of 
independent members.\520\ Another commenter referred to a report that 
cites survey research that suggests female directors improve corporate 
governance and that the positive influence is most significant when 
there are three or more female directors.\521\ The same commenter 
suggested that the oversight function should have public reporting 
responsibilities. Some commenters suggested that the independent 
oversight member should have more control. The Board acknowledges the 
commenters' views on the potential additional benefits of additional 
independent oversight requirements. However, the Board is also 
sensitive to the costs of any additional requirements, which several 
commenters suggested may be costly or difficult to fulfill.\522\
---------------------------------------------------------------------------

    \520\ See, e.g., F. Todd DeZoort, Dana R. Hermanson, Deborah S. 
Archambeault, and Scott A. Reed, Audit Committee Effectiveness: A 
Synthesis of the Empirical Audit Committee Literature, 21 Journal of 
Accounting Literature 38 (2002); Jean B[eacute]dard and Yves 
Gendron, Strengthening the Financial Reporting System: Can Audit 
Committees Deliver?, 14 International Journal of Auditing 174 
(2010); Joseph V. Carcello, Dana R. Hermanson, and Zhongxia (Shelly) 
Ye, Corporate Governance Research in Accounting and Auditing: 
Insights, Practice Implications, and Future Research Directions, 30 
Auditing: A Journal of Practice & Theory 1 (2011).
    \521\ See The Conference Board, Maximizing the Benefits of Board 
Diversity: Lessons Learned from Activist Investing at 13 (June 
2020); Alison M. Konrad, Vicki W. Kramer, and Sumru Erkut, Critical 
Mass: The Impact of Three or More Women on Corporate Boards, 37 
Organizational Dynamics 145 (2008).
    \522\ See previous discussion on economic impacts above.
---------------------------------------------------------------------------

d. Self-Assessment Monitoring
    The Board considered permitting individuals to perform monitoring 
procedures over the same areas for which they are responsible. It 
decided against this approach because the Board feels it would be 
inconsistent with the quality objective that individuals who are 
assigned to perform activities within the QC system have the 
objectivity to monitor work in accordance with applicable professional 
and legal requirements and the firm's policies and procedures.\523\ As 
emphasized above, this quality objective is important for creating 
accountability within the firm to achieve the reasonable assurance 
objective. Information gathered through PCAOB inspection activities 
indicates that roughly 3% of firms inspected between 2018 and 2020 
performed self-assessments. This suggests that relatively few firms 
would be impacted by this policy choice. The Board considered allowing 
self-assessment monitoring under certain conditions to reduce costs for 
impacted firms but ultimately decided against it out of concern that 
individuals may not be able to objectively assess their own work. In 
these circumstances, the firm may use other participants or third-party 
providers to perform monitoring activities.
---------------------------------------------------------------------------

    \523\ See QC 1000.44e.
---------------------------------------------------------------------------

e. In-Process Monitoring Activities
    In-process monitoring activities are discussed above. The Board 
considered extending the requirement to monitor in-process engagements 
to all firms but decided to limit the requirement to firms that issue 
audit reports with respect to more than 100 issuers. The Board believes 
that differentiating a

[[Page 49725]]

firm's obligation based on the number of issuer clients may be 
appropriate because, in the Board's view, firms with larger, more 
complex audit practices are generally subject to quality risks for 
which in-process monitoring is an appropriate quality response. The 
Board also understands through PCAOB oversight activities that the 
majority of smaller PCAOB audit practices do not perform in-process 
monitoring activities and may lack the resources to do so. Therefore, 
to balance these concerns, QC 1000 includes a ``should consider'' 
requirement to provide sufficient scalability for firms that issue 
audit reports with respect to 100 or fewer issuers.
f. Evaluation and Reporting Dates
    Several commenters suggested that QC 1000 should allow firms to 
choose their own evaluation date. This alternative could reduce the 
cost of QC 1000 by allowing firms to perform the evaluation when most 
convenient. For example, some firms could set their QC 1000 evaluation 
date near their ISQM 1 evaluation date and use parts of their ISQM 1 
evaluation for their QC 1000 evaluation. However, the information 
reported to the PCAOB on Form QC would be less current and therefore 
less informative to the PCAOB when it selects firms and engagements for 
inspection, inspection focus areas, and inspection procedures. Tracking 
firms' compliance with the evaluation requirements could also be more 
challenging. In addition, the inherent differences between the QC 1000 
and ISQM 1 evaluations will require incremental effort from firms to 
comply with QC 1000.
    The Board initially proposed a November 30 evaluation date followed 
by 46 days from the evaluation date to both report and document the QC 
system evaluation. This timeline would provide the PCAOB with timely 
information to inform PCAOB oversight activities. Some commenters 
expressed concern that a November 30 evaluation date could present 
costs and other challenges because some firms have already chosen an 
alternative evaluation date under ISQM 1 or because the timeframe for 
the evaluation could conflict with some firms' inspection cycles or 
business cycles and can encompass holidays and religious observances. 
The Board was persuaded that a November 30 evaluation date could have 
led to unnecessary incremental resource demands during the busy and 
holiday seasons. Accordingly, the Board instead required firms to adopt 
a September 30 evaluation date as discussed above. Some commenters 
expressed concern that 46 days would be insufficient to report on and 
document their evaluation. The Board was persuaded that 46 days to 
report on and document the QC system evaluation could have created 
unnecessary costs to firms. Therefore, under the final standard, a firm 
will have 61 days to evaluate their QC system and an additional 14 days 
after the evaluation to assemble their documentation.
g. Reporting the Annual QC System Evaluation
    Firm reporting on the QC system evaluation is discussed above. One 
commenter asserted that an explicit reporting requirement is 
unnecessary because the PCAOB inspection process provides the Board and 
staff with any relevant contemporaneous quality control information for 
both annual and triennially inspected firms. The Board considered 
obtaining the annual QC system evaluation as part of the PCAOB 
inspection process rather than an explicit reporting requirement. Under 
this alternative approach, the evaluation would be less timely, 
structured, and consistent and likely would not inform the PCAOB's 
inspection approach as effectively, especially for triennial firms. It 
could also diminish the beneficial incentive effect of mandatory 
reporting to the PCAOB. This alternative approach could eliminate or 
reduce the costs to firms associated with preparing a summary report of 
the firm's QC system evaluation. In addition, if, under this 
alternative approach, the privilege protections of section 105(b)(5) 
were determined to apply to some or all of the information generated by 
the firm pursuant to QC 1000, that could diminish the discoverability 
of such information in litigation, thereby decreasing third-party 
litigation risk. However, this alternative approach would not address 
the lost information value, particularly for the triennial firms.
    The Board also considered requiring firms to report to the Board on 
Form QC only when the firm identifies a major QC deficiency. This 
approach would reduce some of the variable costs associated with 
preparing and transmitting Form QC to the PCAOB. However, this approach 
would also reduce the value of Form QC to the PCAOB. For example, 
reporting on unremediated QC deficiencies would inform various aspects 
of PCAOB oversight activities, including focusing inspection resources 
on higher risk firms, engagements, and focus areas; designing the 
nature and extent of inspection procedures, both for QC processes and 
individual engagements; and making more refined data requests from the 
firms. This alternative approach could also diminish the beneficial 
incentive effect of mandatory reporting to the PCAOB.
    Several commenters suggested that the PCAOB clarify that Form QC is 
submitted under the PCAOB's inspections authority, as a way of 
bestowing the confidentiality protections of section 105(b)(5) upon the 
information provided therein. This would, according to commenters, 
alleviate uncertainty about the extent to which information submitted 
thereon may be subject to discovery or other disclosures, diminish a 
risk of unwarranted legal exposure, and help place the information in 
the context of the ongoing inspections dialogue. The Board acknowledges 
the commenters' concerns about these issues. However, as discussed 
above, QC 1000 is not an inspections rule; it is a QC standard that 
places obligations on all registered firms regardless of their 
inspection status (annual, triennial, or exempt), and as such the Board 
is not able to say that Form QC information is necessarily submitted 
``in connection with an inspection'' as would be necessary to trigger 
the confidentiality protections of section 105(b)(5) of Sarbanes-Oxley.
h. Certification of the Annual Evaluation
    Some commenters requested that the Board specify a heightened legal 
standard (e.g., recklessness) at which liability could be imposed on 
individuals for making a certification that is later determined to be 
false, or create safe harbors for inevitable system errors or the 
wrongful acts of others. As discussed above, the standard for liability 
turns on the particular language of each statement in the 
certification: some statements are subject to a negligence standard, 
while others (namely those with knowledge qualifiers) give rise to 
liability only if the certifier knew that the statement was false or 
recklessly did not know it was false. The Board acknowledges that 
alternative approaches urged by commenters could have saved some costs. 
Specifically, limiting liability to recklessness in all circumstances 
would provide individuals with comfort that their decisions would not 
be second-guessed in litigation. This result may make the performance 
of those services more efficient by removing an incentive to perform 
tasks that are not directly related to quality. For example, 
individuals may be less incentivized to engage in self-protective 
behaviors if a heightened legal standard (e.g.,

[[Page 49726]]

recklessness) is imposed. In addition, more staff may be willing to 
take these roles (or to take them at a lower price) if liability or 
workload would have been more limited by a heightened legal 
standard.\524\ However, that approach would have attenuated the 
benefits sought to be achieved by the certification requirement by 
removing the Board's ability to hold individuals accountable for 
conduct that fails to meet a reasonable person standard of care.
---------------------------------------------------------------------------

    \524\ See Economic benefits--improved compliance with applicable 
professional and legal requirements--above for a discussion of 
commenters' concerns regarding increased liability or workload 
associated with the roles as potential disincentives that may keep 
qualified individuals from accepting the roles.
---------------------------------------------------------------------------

i. Public Reporting
    The discussion above summarizes commenters' views on public 
reporting about firms' QC systems and legal constraints on public 
disclosure that are imposed by Sarbanes-Oxley. Some commenters 
suggested that the non-confidential portions of Form QC could be made 
publicly available. Such public reporting could in principle provide 
investors with additional information on audit quality and thereby help 
address the problem discussed above. However, the Board believes that 
significant portions of Form QC may be confidential. As a result, the 
non-confidential portions of Form QC could have been misleading and 
difficult to compare across firms. Public reporting of non-confidential 
portions of Form QC could also lead firms to be less candid in their 
Form QC reporting and thereby diminish its value to the PCAOB. Some 
commenters also expressed concern that any public reporting could be 
contrary to Sarbanes-Oxley. After considering the benefits and costs of 
alternative approaches, including those identified by commenters, the 
Board believes that firm reporting on Form QC should be nonpublic.
    Several commenters suggested that QC 1000 should require firms to 
publicly disclose information related to audit quality. As discussed 
above, the Board has proposed separate rules related to firm and 
engagement metrics as well as firm reporting.\525\
---------------------------------------------------------------------------

    \525\ See PCAOB Rel. No. 2024-002 and PCAOB Rel. No. 2024-003.
---------------------------------------------------------------------------

j. Audit Committee Communications
    Commenters' views on potential required reporting to audit 
committees are discussed above. The Board initially proposed to require 
the firm to discuss with the audit committee the conclusion of the 
firm's most recent annual evaluation of its QC system and a brief 
overview of remedial actions taken and to be taken. This information 
could give audit committees greater insight into the quality of their 
auditor. Several commenters were supportive of the proposed 
requirement. However, several other commenters asserted that the 
information could be largely difficult to understand, irrelevant to an 
individual audit committee, and potentially inconsistent with Sarbanes-
Oxley. Furthermore, one commenter noted research and expressed concern 
that disclosure regarding the annual QC system evaluation to the audit 
committee only could enable audit committees to shop for lower-quality 
auditors.\526\ Similarly, another commenter expressed concern with an 
approach that would provide mandatory disclosure to audit committees 
but not to investors and the public. As discussed above, the Board 
determined not to adopt the proposed amendments to AS 1301 after 
consideration of the comments received.
---------------------------------------------------------------------------

    \526\ See, e.g., Melissa Carlisle, Wei Yu, and Bryan K. Church, 
The Effect of Small Audit Firms' Failure to Remediate the PCAOB's 
Quality Control Criticisms on Audit Market Segmentation, 41 Journal 
of Accounting and Public Policy 1 (2022).
---------------------------------------------------------------------------

Special Considerations for Emerging Growth Companies

    Pursuant to section 104 of the Jumpstart Our Business Startups 
(``JOBS'') Act, rules adopted by the Board subsequent to April 5, 2012, 
generally do not apply to the audits of emerging growth companies 
(``EGCs''), as defined in section 3(a)(80) of the Exchange Act, unless 
the SEC ``determines that the application of such additional 
requirements is necessary or appropriate in the public interest, after 
considering the protection of investors and whether the action will 
promote efficiency, competition, and capital formation.'' \527\ As a 
result of the JOBS Act, the rules and related amendments to PCAOB 
standards that the Board adopts are generally subject to a separate 
determination by the SEC regarding their applicability to audits of 
EGCs.
---------------------------------------------------------------------------

    \527\ See Public Law 112-106 (Apr. 5, 2012). Section 
103(a)(3)(C) of Sarbanes-Oxley, 15 U.S.C. 7213(a)(3)(C), as added by 
section 104 of the JOBS Act, also provides that any rules of the 
Board requiring (1) mandatory audit firm rotation or (2) a 
supplement to the auditor's report in which the auditor would be 
required to provide additional information about the audit and the 
financial statements of the issuer (auditor discussion and analysis) 
shall not apply to an audit of an EGC. None of the rules and 
amendments would fall within either of these two categories.
---------------------------------------------------------------------------

    To inform consideration of the application of PCAOB standards to 
audits of EGCs,\528\ PCAOB staff prepares a white paper annually that 
provides general information about characteristics of EGCs.\529\ As of 
the November 15, 2022, measurement date, there were 3,031 companies 
\530\ that self-identified as EGCs and filed audited financial 
statements with the SEC between May 16, 2021, and November 15, 2022, 
that included an audit report signed by a firm. Of the 263 registered 
firms that audited EGCs, 227 firms (or 86%) performed audits for both 
EGC and non-EGC issuers.\531\ Approximately 98% of EGCs were audited by 
these 227 firms.\532\
---------------------------------------------------------------------------

    \528\ This analysis of the impact on EGCs is provided to assist 
the SEC in making the determination required under section 104 to 
the extent that the requirements apply to ``the audit of any 
emerging growth company'' within the meaning of section 104 of the 
JOBS Act.
    \529\ See PCAOB, Characteristics of Emerging Growth Companies 
and Their Audit Firms at November 15, 2022 (Feb. 20, 2024) (``EGC 
White Paper''), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/economicandriskanalysis/projectsother/documents/white-paper-on-characteristics-of-emerging-growth-companies-as-of-nov-15-2022.pdf?sfvrsn=a8294f3_2.
    \530\ The EGC White Paper uses a lagging 18-month window to 
identify companies as EGCs. Please refer to the ``Current 
Methodology'' section in the EGC White Paper for details. Using an 
18-month window enables PCAOB staff to analyze the characteristics 
of a fuller population in the EGC White Paper but may tend to result 
in a larger number of EGCs being included for purposes of the 
present EGC analysis than would alternative methodologies. For 
example, an estimate using a lagging 12-month window would exclude 
some EGCs that are delinquent in making periodic filings. An 
estimate as of the measurement date would exclude EGCs that have 
terminated their registration or that have exceeded the eligibility 
or time limits.
    \531\ See EGC White Paper, at 17.
    \532\ See id.
---------------------------------------------------------------------------

    PCAOB staff also gathered information on Part I.A deficiencies for 
the audits of EGCs between 2013 and 2022. Figure 6 presents the 
percentage of inspected EGC and non-EGC issuer audits having at least 
one Part I.A deficiency. The data suggest that Part I.A deficiencies 
are even more common among audits of EGCs, raising questions about 
whether QC systems of firms that audit EGCs are effective in preventing 
audit deficiencies for these types of audit engagements.

[[Page 49727]]

[GRAPHIC] [TIFF OMITTED] TN11JN24.018

    In general, any new PCAOB standards and amendments to existing 
standards determined not to apply to the audits of EGCs would require 
auditors to address differing requirements within their methodologies 
or policies and procedures with respect to audits of EGCs and non-EGCs, 
which would create the potential for confusion. This may not be 
practical in the context of the QC standards; while some components of 
the QC system (such as engagement monitoring) may enable different 
approaches for audits of EGCs compared to audits of other companies, 
other elements (for example, resources and governance and leadership) 
are necessarily firm-wide and cannot easily be differentiated for 
different types of audits. Even where differentiation is possible, 
maintaining separate QC system components for EGC and non-EGC audits 
and separate methodologies with respect to, for example, auditor 
obligations with respect to deficiencies in completed engagements and 
foundational ethics requirements, may add cost or lead to confusion, 
and could run counter to the objective of integrating QC practices into 
a single virtuous cycle of risk assessment, monitoring, and 
remediation. These methodology and QC system differentiation costs 
would affect at least the 227 registered firms that audit both EGCs and 
non-EGCs and that, collectively, audit approximately 98% of EGCs.
    The discussion of economic impacts of the requirements is generally 
applicable to the audits of EGCs. In particular, the benefits to 
financial reporting quality articulated above may be especially 
pertinent for EGCs, including improved efficiency of capital 
allocation, lower cost of capital, and enhanced capital formation. EGCs 
tend to be smaller \533\ and have a shorter SEC financial reporting 
history than the broader population of public companies. Academic 
research suggests that, for several reasons, smaller public companies 
tend to exhibit greater information asymmetry between management and 
investors.\534\ Accordingly, EGCs are likely to exhibit greater 
information asymmetry between management and investors and hence the 
importance of the external audit to investors in enhancing the 
credibility of EGC financial reporting may be more pronounced.
---------------------------------------------------------------------------

    \533\ See EGC White Paper, at Figure 9 and Figure 12 (indicating 
that exchange-listed EGCs have lower market capitalization and 
revenue than exchange-listed non-EGCs).
    \534\ For example, smaller public companies tend to have less 
analyst coverage and a greater share of insider holdings. See, e.g., 
Raymond Chiang and P. C. Venkatesh, Insider Holdings and Perceptions 
of Information Asymmetry: A Note, 43 Journal of Finance 1041 (1988); 
Ravi Bhushan, Firm Characteristics and Analyst Following, 11 Journal 
of Accounting and Economics 255 (1989).
---------------------------------------------------------------------------

    The requirements could impact competition in an EGC product market 
if the indirect costs to audited companies of the requirements 
disproportionately impact the EGCs relative to their competitors. EGCs 
may be forced to raise prices, thereby diverting market share toward 
their competitors. This could increase competition in markets where 
EGCs have a dominant market share and decrease competition in markets 
where EGCs have a less than dominant market share. The potential impact 
to competition in EGC product markets would be reduced to the extent 
EGC auditors will already be required to comply with ISQM 1 or SQMS 1 
or otherwise would choose not to pass on incremental costs arising from 
the requirements in the form of higher audit fees.
    The proposal sought comment on the applicability of the proposed 
requirements to audits of EGCs. Some commenters agreed that the 
proposed requirements should apply to the audits of EGCs.
    Accordingly, and for the reasons explained above, the Board 
requests that the Commission determine that it is necessary or 
appropriate in the public interest, after considering the protection of 
investors and whether the action will promote efficiency, competition, 
and capital formation, to apply QC 1000 and the related amendments to 
Board standards, rules, and forms to audits of EGCs.

III. Date of Effectiveness of the Proposed Rules and Timing for 
Commission Action

    Within 45 days of the date of publication of this notice in the 
Federal Register or within such longer period (i) as the Commission may 
designate up to

[[Page 49728]]

90 days of such date if it finds such longer period to be appropriate 
and publishes its reasons for so finding; or (ii) as to which the Board 
consents, the Commission will:
    (A) By order approve or disapprove such proposed rules; or
    (B) Institute proceedings to determine whether the proposed rules 
should be disapproved.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed 
rules are consistent with the requirements of Title I of the Act. 
Comments may be submitted by any of the following methods:

Electronic Comments

     Use the Commission's internet comment form (https://www.sec.gov/rules/pcaob); or
     Send an email to [email protected]. Please include 
PCAOB-2024-02 on the subject line.

Paper Comments

     Send paper comments in triplicate to Vanessa A. 
Countryman, Secretary, Securities and Exchange Commission, 100 F Street 
NE, Washington, DC 20549-1090.

All submissions should refer to PCAOB-2024-02. This file number should 
be included on the subject line if email is used. To help the 
Commission process and review your comments more efficiently, please 
use only one method. The Commission will post all comments on the 
Commission's internet website (https://www.sec.gov/rules/pcaob). Copies 
of the submission, all subsequent amendments, all written statements 
with respect to the proposed rules that are filed with the Commission, 
and all written communications relating to the proposed rules between 
the Commission and any person, other than those that may be withheld 
from the public in accordance with the provisions of 5 U.S.C. 552, will 
be available for website viewing and printing in the Commission's 
Public Reference Room, 100 F Street NE, Washington, DC 20549, on 
official business days between the hours of 10 a.m. and 3 p.m. Copies 
of such filing will also be available for inspection and copying at the 
principal office of the PCAOB. Do not include personal identifiable 
information in submissions; you should submit only information that you 
wish to make available publicly. We may redact in part or withhold 
entirely from publication submitted material that is obscene or subject 
to copyright protection. All submissions should refer to PCAOB-2024-02 
and should be submitted on or before July 2, 2024.

    For the Commission, by the Office of the Chief Accountant.\535\
---------------------------------------------------------------------------

    \535\ 17 CFR 200.30-11(b)(1) and (3).
---------------------------------------------------------------------------

Vanessa A. Countryman,
Secretary.
[FR Doc. 2024-12692 Filed 6-10-24; 8:45 am]
 BILLING CODE 8011-01-P