[Federal Register Volume 89, Number 127 (Tuesday, July 2, 2024)]
[Notices]
[Pages 54922-54947]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-14488]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-100430; File No. PCAOB-2024-03]
Public Company Accounting Oversight Board; Notice of Filing of
Proposed Rules on Amendments Related to Aspects of Designing and
Performing Audit Procedures That Involve Technology-Assisted Analysis
of Information in Electronic Form
June 26, 2024.
Pursuant to section 107(b) of the Sarbanes-Oxley Act of 2002
(``Sarbanes-Oxley,'' or the ``Act''), notice is hereby given that on
June 20, 2024, the Public Company Accounting Oversight Board (the
``Board'' or the ``PCAOB'') filed with the Securities and Exchange
Commission (the ``Commission'' or the ``SEC'') the proposed rules
described in items I and II below, which items have been prepared by
the Board. The Commission is publishing this notice to solicit comments
on the proposed rules from interested persons.
I. Board's Statement of the Terms of Substance of the Proposed Rules
On June 12, 2024, the Board adopted Amendments Related to Aspects
of Designing and Performing Audit Procedures that Involve Technology-
Assisted Analysis of Information in Electronic Form (``proposed
rules''). The text of the proposed rules appears in Exhibit A to the
SEC Filing Form 19b-4 and is available on the Board's website at
https://pcaobus.org/about/rules-rulemaking/rulemaking-dockets/docket-052 and at the Commission's Public Reference Room.
[[Page 54923]]
II. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
In its filing with the Commission, the Board included statements
concerning the purpose of, and basis for, the proposed rules and
discussed any comments it received on the proposed rules. The text of
these statements may be examined at the places specified in Item IV
below. The Board prepared summaries, set forth in sections A, B, and C
below, of the most significant aspects of such statements. In addition,
the Board is requesting that the Commission approve the proposed rules,
pursuant to section 103(a)(3)(C) of the Act, for application to audits
of emerging growth companies (``EGCs''), as that term is defined in
section 3(a)(80) of the Securities Exchange Act of 1934 (``Exchange
Act''). The Board's request is set forth in section D.
A. Board's Statement of the Purpose of, and Statutory Basis for, the
Proposed Rules
(a) Purpose
The Board adopted amendments to AS 1105, Audit Evidence, and to AS
2301, The Auditor's Responses to the Risks of Material Misstatement,
and conforming amendments to another PCAOB auditing standard
(collectively, the ``amendments'' or ``final amendments''). The
amendments are designed to improve audit quality and enhance investor
protection by addressing the growing use of certain technology in
audits.
In particular, the amendments update PCAOB auditing standards to
more specifically address certain aspects of designing and performing
audit procedures that involve analyzing information in electronic form
with technology-based tools (i.e., technology-assisted analysis). The
amendments are designed to decrease the likelihood that an auditor who
performs audit procedures using technology-assisted analysis will issue
an auditor's report without obtaining sufficient appropriate audit
evidence that provides a reasonable basis for the opinion expressed in
the report.
Information from the PCAOB's research project on Data and
Technology indicates that some auditors are expanding their use of
technology-assisted analysis (often referred to in practice as ``data
analysis'' or ``data analytics'') in the audit. Auditors use
technology-assisted analysis in many different ways, including when
responding to significant risks of material misstatement to the
financial statements. For example, some auditors use technology-
assisted analysis to examine the correlation between different types of
transactions, compare company information to auditor-developed
expectations or third-party information, or recalculate company
information.
Existing PCAOB standards discuss certain fundamental auditor
responsibilities, including addressing the risks of material
misstatement to the financial statements by obtaining sufficient
appropriate audit evidence. However, the standards do not specifically
address certain aspects of using technology-assisted analysis in the
audit. If not designed and executed appropriately, audit procedures
that involve technology-assisted analysis may not provide sufficient
appropriate audit evidence as required by the standards.
Having considered the expanded use of technology-assisted analysis
by auditors, the Board proposed amendments in June 2023 to address
certain aspects of designing and performing audit procedures that
involve technology-assisted analysis. Commenters generally supported
the objective of improving audit quality and enhancing investor
protection by clarifying and strengthening requirements in AS 1105 and
AS 2301 related to certain aspects of designing and performing audit
procedures that involve technology-assisted analysis. In adopting the
final amendments, the Board took into account the comments received.
The amendments further specify and clarify certain auditor
responsibilities that are described in AS 1105 and AS 2301. The
amendments are focused on addressing certain aspects of technology-
assisted analysis, not specific matters relating to other technology
applications used in audits (e.g., blockchain or artificial
intelligence) or the evaluation of the appropriateness of tools under
the firm's system of quality control. The amendments are principles-
based and therefore intended to be adaptable to the evolving nature of
technology. In particular, the amendments:
Specify considerations for the auditor's investigation of
items identified when performing tests of details;
Specify that if the auditor uses an audit procedure for
more than one purpose, the auditor should achieve each objective of the
procedure;
Specify auditor responsibilities for evaluating the
reliability of external information provided by the company in
electronic form and used as audit evidence;
Emphasize the importance of controls over information
technology;
Clarify the description of a ``test of details'';
Emphasize the importance of appropriate disaggregation or
detail of information to the relevance of audit evidence; and
Update certain terminology in AS 1105 to reflect the
greater availability of information in electronic form and improve the
consistency of the use of such terminology throughout the standard.
The amendments will apply to all audits conducted under PCAOB
standards. Subject to approval by the SEC, the amendments will take
effect for audits of financial statements for fiscal years beginning on
or after December 15, 2025.
See Exhibit 3 for additional discussion of the purpose of this
project.
(b) Statutory Basis
The statutory basis for the proposed rules is Title I of the Act.
B. Board's Statement on Burden on Competition
Not applicable. The Board's consideration of the economic impacts
of the proposed rules is discussed in section D below.
C. Board's Statement on Comments on the Proposed Rules Received From
Members, Participants or Others
The Board initially released the proposed rules for public comment
in PCAOB Release No. 2023-004 (June 26, 2023). The Board received 21
written comment letters relating to its initial proposed rules. See
Exhibits 2(a)(B) and 2(a)(C). The Board has carefully considered all
comments received. The Board's response to the comments it received,
and the changes it made to the rules in response to the comments
received, are discussed below.
Background
In 2010, the Board adopted auditing standards related to the
auditor's assessment of and response to risk (the ``risk assessment
standards''), including AS 1105 and AS 2301. Although the risk
assessment standards were designed to apply to audits when auditors use
information technology, the use of information in electronic form \1\
and the
---------------------------------------------------------------------------
\1\ In this document, the term ``information in electronic
form'' encompasses items in electronic form that are described in
PCAOB standards using terms such as ``information,'' ``data,''
``documents,'' ``records,'' ``accounting records,'' and ``company's
financial records.''
---------------------------------------------------------------------------
[[Page 54924]]
use of technology-based tools \2\ by companies and their auditors to
analyze such information has expanded significantly since these
standards were adopted.
---------------------------------------------------------------------------
\2\ In this release, the term ``tool'' refers to specialized
software that is used on audit engagements to examine, sort, filter,
and analyze transactions and information used as audit evidence or
which otherwise generates information that aids auditor judgment in
the performance of audit procedures. Spreadsheet software itself
without specific programming is not inherently a tool, but a
spreadsheet may be built to perform the functions of a tool
(examining, sorting, filtering, etc.), in which case it is included
within the scope of this term. The PCAOB staff's analysis was
limited to tools classified or described by the firms as data
analytic tools. Tools may be either purchased by a firm or developed
by a firm.
---------------------------------------------------------------------------
In light of the increased use of technology by companies and
auditors, in 2017 the Board began a research project to assess the need
for guidance, changes to PCAOB standards, or other regulatory
actions.\3\ Through this research the Board found that auditors have
expanded their use of certain technology-based tools, including tools
used to perform technology-assisted analysis (as described above, also
referred to in practice as ``data analytics'' or ``data analysis''
\4\), to plan and perform audits. While the Board's research indicated
that auditors are using technology-assisted analysis to obtain audit
evidence, it also indicated that existing PCAOB standards could address
more specifically certain aspects of designing and performing audit
procedures that involve technology-assisted analysis. Consequently,
under existing standards, there is a greater risk that when using
technology-assisted analysis in designing and performing audit
procedures, auditors may fail to obtain sufficient appropriate evidence
in the audit.
---------------------------------------------------------------------------
\3\ See PCAOB's Data and Technology research project, available
at https://pcaobus.org/oversight/standards/standard-setting-research-projects/data-technology.
\4\ In this release, the terms ``data analysis'' or ``data
analytics'' are used synonymously.
---------------------------------------------------------------------------
The amendments in this release are intended to improve audit
quality through principles-based requirements that apply to all audits
conducted under PCAOB standards. They are designed to decrease the
likelihood that an auditor who performs audit procedures using
technology-assisted analysis will issue an auditor's report without
obtaining sufficient appropriate audit evidence that provides a
reasonable basis for the opinion expressed in the report. The remainder
of this section of the release provides an overview of the rulemaking
history, existing requirements, and current practice. In addition, it
discusses reasons to improve the existing standards.
Rulemaking History
In June 2023, the Board proposed to amend AS 1105 and AS 2301 to
address aspects of designing and performing audit procedures that
involve technology-assisted analysis and that the Board's research
indicated are not specified in existing PCAOB standards.\5\ The
proposed amendments were informed by the staff's research regarding
auditors' use of technology, as described above.
---------------------------------------------------------------------------
\5\ Proposed Amendments Related to Aspects of Designing and
Performing Audit Procedures that Involve Technology-Assisted
Analysis of Information in Electronic Form, PCAOB Rel. No. 2023-004
(June 26, 2023) (``proposal'' or ``proposing release'').
---------------------------------------------------------------------------
The proposed amendments: (i) specified considerations for the
auditor's investigation of items that meet criteria established by the
auditor when designing or performing substantive audit procedures; (ii)
specified that if an auditor uses audit evidence from an audit
procedure for more than one purpose the procedure needs to be designed
and performed to achieve each of the relevant objectives; (iii)
provided additional details regarding auditor responsibilities for
evaluating the reliability of external information maintained by the
company in electronic form and used as audit evidence; (iv) clarified
the differences between ``tests of details'' and ``analytical
procedures,'' and emphasized the importance of appropriate
disaggregation or detail of information to the relevance of audit
evidence; and (v) updated certain terminology in AS 1105 to reflect the
greater availability of information in electronic form and improve the
consistency of the use of such terminology throughout the standard.
The Board received 21 comment letters on the proposal. Commenters
included an investor-related group, registered public accounting firms
(``firms''), firm-related groups, academics, and others. The Board
considered all comments in developing the final amendments, and
specific comments are discussed in the analysis that follows.
Commenters generally supported the Board's efforts to modernize the
auditing standards to specifically address certain aspects of designing
and performing audit procedures that involve technology-assisted
analysis, and some commenters offered suggestions to improve and
clarify the proposed amendments.
Existing Requirements
The final amendments modify certain requirements of PCAOB standards
relating to audit evidence and responses to risk (AS 1105 and AS 2301).
AS 1105 explains what constitutes audit evidence and establishes
requirements regarding designing and performing audit procedures to
obtain sufficient appropriate audit evidence. AS 2301 establishes
requirements regarding designing and implementing appropriate responses
to identified and assessed risks of material misstatement.
The following discussion provides a high-level overview of the
areas of the PCAOB standards that the amendments address. The
discussion further below provides additional details regarding the
specific requirements that the Board amended.
Classification of Audit Procedures (See Figure 1 below)--Under
PCAOB standards, audit procedures can be classified into either risk
assessment procedures or further audit procedures, which consist of
tests of controls and substantive procedures. Substantive procedures
include tests of details and substantive analytical procedures.\6\
Existing standards provide examples of specific audit procedures \7\
and describe what constitutes a substantive analytical procedure,\8\
but do not describe what constitutes a test of details. PCAOB standards
do not preclude the auditor from designing and performing audit
procedures to accomplish more than one purpose. The purpose of an audit
procedure determines whether it is a risk assessment procedure, test of
controls, or substantive procedure.\9\
---------------------------------------------------------------------------
\6\ See AS 1105.13.
\7\ See AS 1105.15-.21.
\8\ See AS 2305, Substantive Analytical Procedures.
\9\ See AS 1105.14.
---------------------------------------------------------------------------
Figure 1. Classification of Audit Procedures
BILLING CODE 8011-01-P
[[Page 54925]]
[GRAPHIC] [TIFF OMITTED] TN02JY24.000
BILLING CODE 8011-01-C
Items Identified for Investigation in a Test of Details--Designing
substantive tests of details and tests of controls includes determining
the means of selecting items for testing. Under existing standards, the
alternative means of selecting items for testing include selecting
specific items, selecting a sample that is expected to be
representative of the population (i.e., audit sampling), or selecting
all items. The auditor may decide to select for testing specific items
within a population because they are important to accomplishing the
objective of the audit procedure or because they exhibit some other
characteristic.\10\ Existing PCAOB standards specify the auditor's
responsibilities for planning, performing, and evaluating an audit
sample,\11\ but do not specify the auditor's responsibilities for
addressing items identified when performing a test of details on
specific items, or all items, within a population.
---------------------------------------------------------------------------
\10\ See AS 1105.22-.27.
\11\ See AS 2315, Audit Sampling.
---------------------------------------------------------------------------
Relevance and Reliability of Audit Evidence--Under PCAOB standards,
audit evidence is all the information, whether obtained from audit
procedures or other sources, that is used by the auditor in arriving at
the conclusions on which the auditor's opinion is based.\12\ PCAOB
standards require the auditor to plan and perform audit procedures to
obtain sufficient appropriate audit evidence to provide a reasonable
basis for their audit opinion. Sufficiency is the measure of the
quantity of audit evidence, and appropriateness is the measure of its
quality. To be appropriate, audit evidence must be both relevant and
reliable in providing support for the auditor's conclusions.\13\
---------------------------------------------------------------------------
\12\ See AS 1105.02.
\13\ See AS 1105.04-.06.
---------------------------------------------------------------------------
[[Page 54926]]
The relevance of audit evidence depends on the design and timing of
the audit procedure. The reliability of audit evidence depends on the
nature and source of the evidence and the circumstances under which it
is obtained, such as whether the information is provided to the auditor
by the company being audited and whether the company's controls over
that information are effective.\14\ In addition, when using information
produced by the company as audit evidence, the auditor is responsible
for evaluating whether the information is sufficient and appropriate
for purposes of the audit.\15\ Existing PCAOB standards do not specify
auditor responsibilities regarding information the company received
from one or more external sources and provided in electronic form to
the auditor to use as audit evidence.
---------------------------------------------------------------------------
\14\ See AS 1105.07-.08.
\15\ See AS 1105.10.
---------------------------------------------------------------------------
Current Practice
The Board's research indicated that audit procedures involving
technology-assisted analysis are an important component of many audits.
The use of technology-assisted analysis has expanded over the last
decade as more accounting firms, including smaller firms, incorporate
such analysis as part of their audit procedures. However, the
investment in and use of technology-assisted analysis vary across
registered firms and across individual audit engagements within a
firm.\16\
---------------------------------------------------------------------------
\16\ See also further discussion below.
---------------------------------------------------------------------------
The greater availability of both information in electronic form and
technology-based tools to analyze such information has contributed
significantly to the increase in the use of technology-assisted
analysis by auditors. More companies use enterprise resource planning
(``ERP'') and other information systems that maintain large volumes of
information in electronic form, including information generated
internally by the company and information that the company receives
from external sources. Significant volumes of this information are
available to auditors for use in performing audit procedures.
Powerful technology-based tools that process and analyze large
volumes of information have become more readily available to auditors.
As a result, auditors sometimes apply technology-assisted analysis to
the entire population of transactions within one or more financial
statement accounts or disclosures. The Board's research indicated that
auditors primarily use technology-assisted analysis to identify and
assess risks of material misstatement. Technology-assisted analysis
enables the auditor to identify new risks or to refine the assessment
of known risks. For example, by analyzing a full population of revenue
transactions, an auditor may identify certain components of the revenue
account as subject to higher risks or may identify new risks of
material misstatement associated with sales to a particular customer or
in a particular location.
Increasingly, some auditors also have been using technology-
assisted analysis in audit procedures that respond to assessed risks of
material misstatement, including in substantive procedures. For
example, such analysis has been used to test the details of all items
in a population, assist the auditor in selecting specific items for
testing based on auditor-developed criteria, or identify items for
further investigation when performing a test of details. The staff has
observed that auditors' use of technology-assisted analysis occurs
mostly in the testing of revenue and related receivable accounts,
inventory, journal entries, expected credit losses, and
investments.\17\ As discussed below, some auditors use audit evidence
obtained from such analysis to achieve more than one purpose.
---------------------------------------------------------------------------
\17\ See PCAOB, Spotlight: Staff Update and Preview of 2021
Inspection Observations (Dec. 2022), at 15, available at https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/documents/staff-preview-2021-inspection-observations-spotlight.pdf?sfvrsn=d2590627_2/.
---------------------------------------------------------------------------
Audit methodologies of several firms affiliated with global
networks address the use of technology-assisted analysis by the firms'
audit engagement teams. For example, the methodologies specify audit
engagement teams' responsibilities for: (i) designing and performing
audit procedures that involve technology-assisted analysis (e.g.,
determining whether an audit procedure is a substantive procedure);
(ii) evaluating analysis results (e.g., whether identified items
indicate misstatements or whether performing additional procedures is
necessary to obtain sufficient appropriate audit evidence); and (iii)
evaluating the relevance and reliability of information used in the
analysis.
Commenters on the proposal generally agreed with the description of
the current audit practice and the auditor's use of technology-assisted
analysis. One of these commenters noted that, in addition, auditors can
also use technology-assisted analysis to help understand a company's
flow of transactions, especially given increases in the number and
complexities of a company's information systems.
Reasons To Improve the Auditing Standards
The amendments in this release are intended to improve audit
quality through principles-based requirements that apply to all audits.
1. Areas of Improvement
The amendments are designed to decrease the likelihood that an
auditor who performs audit procedures using technology-assisted
analysis will issue an auditor's report without obtaining sufficient
appropriate audit evidence that provides a reasonable basis for the
opinion expressed in the report. Observations from the PCAOB's Data and
Technology research project indicate that some auditors are using
technology-assisted analysis in audit procedures whereas others may be
reluctant to do so due to perceived regulatory uncertainty. The
research further suggests that clarifications to PCAOB standards could
more specifically address certain aspects of designing and performing
audit procedures that involve technology-assisted analysis. The Board's
Investor Advisory Group has also noted that auditors' use of
technology-assisted analysis is an area of concern due to auditors'
potential overreliance on company-produced information, and that
addressing the use of such analysis in the standards could be
beneficial.\18\
---------------------------------------------------------------------------
\18\ See Proposing Release at 12 for additional discussion of
investors' concerns.
---------------------------------------------------------------------------
Using technology-assisted analysis may enhance the effectiveness of
audit procedures. For example, analyzing larger volumes of information
and in more depth may better inform the auditor's risk assessment by
providing different perspectives, providing more information when
assessing risks, and exposing previously unidentified relationships
that may reveal new risks. At the same time, inappropriate application
of PCAOB standards when designing and performing audit procedures that
involve technology-assisted analysis has the potential to compromise
the quality of audits where the procedures are used. For example, PCAOB
oversight activities have found instances of noncompliance with PCAOB
standards related to evaluating the relevance and reliability of
company-provided information and evaluating certain items identified in
audit procedures involving technology-assisted analysis.\19\
---------------------------------------------------------------------------
\19\ See, e.g., PCAOB, Spotlight: Staff Update and Preview of
2020 Inspection Observations (Oct. 2021), at 9, PCAOB, Spotlight:
Staff Update and Preview of 2021 Inspection Observations (Dec.
2022), at 15, and PCAOB, Spotlight: Staff Update and Preview of 2022
Inspection Observations (July 2023), at 12, available at https://pcaobus.org/resources/staff-publications.
---------------------------------------------------------------------------
[[Page 54927]]
The amendments to existing PCAOB standards in this release address
aspects of designing and performing audit procedures that involve
technology-assisted analysis where the Board identified the need for
additional specificity or clarity in the existing standards.\20\ These
aspects include areas where PCAOB oversight activities have identified
instances of noncompliance with PCAOB standards and areas where
auditors have raised questions during the Board's research regarding
the applicability of PCAOB standards to the use of technology-assisted
analysis. The discussion below describes the amendments in more detail.
The discussion further below describes alternatives that the Board
considered.
---------------------------------------------------------------------------
\20\ Other PCAOB standard-setting projects may address other
aspects of firms' and auditors' use of technology in performing
audits. For example, see paragraphs .44h, .47h, and .51 of QC 1000,
A Firm's System of Quality Control, PCAOB Rel. No. 2024-005 (May 13,
2024), which discusses a firm's responsibilities related to
technological resources.
---------------------------------------------------------------------------
2. Comments on the Reasons To Improve
Commenters generally supported the Board's efforts to modernize its
auditing standards to specifically address aspects of designing and
performing audit procedures that involve technology-assisted analysis.
Several commenters highlighted that auditors' use of technologies,
including technology-assisted analysis, continues to grow, and one of
these commenters noted that the proposal is an important step forward
to address this rapidly changing environment. An investor-related group
stated that PCAOB standards should directly address auditors' use of
technology and data, and that the proposed amendments to AS 1105 and AS
2301 were responsive to their concern about auditor overreliance on
technology-assisted analysis.
Commenters also generally supported the principles-based nature of
the proposed amendments and the Board's decision not to require the use
of technology-assisted analysis. One commenter, for example, noted that
audit procedures performed using technology-based tools may not always
provide sufficient appropriate audit evidence. An investor-related
group, however, recommended that the Board consider requiring auditors
to use certain (but unspecified) types of technology-based tools that
financial research and investment management firms have used to analyze
financial statements. As discussed further below, requiring the use of
technology would have been outside the scope of the project. The Board
retained the principles-based nature of the proposed amendments within
the final amendments, so that the standards are flexible and can adapt
to the continued evolution of technology.
Several commenters stated that the Board should consider the effect
of auditors' and companies' use of technology more broadly on the
audit. One commenter stated that technology will need to be an ongoing
focus for the Board in its standard setting given the evolving nature
of technology, and that broader change may be needed. This commenter
also recommended a more holistic standard-setting approach that is
interconnected with other PCAOB projects. Other commenters stated that
as technology continues to evolve, the Board should continue to
research and evaluate the need for standard setting related to other
types of technology used in the audit, such as artificial intelligence.
Academics emphasized the need for the PCAOB to be forward-thinking to
regulate in this area.
As the Board stated in the proposal, these amendments address only
one area of auditors' use of technology--certain aspects of designing
and performing audit procedures that involve technology-assisted
analysis. Other areas continue to be analyzed as part of the Board's
ongoing research activities. In addition, the Board's Technology
Innovation Alliance Working Group continues to advise the Board on the
use of emerging technologies by auditors and preparers relevant to
audits and their potential impact on audit quality.\21\ These ongoing
activities may inform future standard-setting projects.
---------------------------------------------------------------------------
\21\ See PCAOB Technology Innovation Alliance Working Group,
available at https://pcaobus.org/about/working-groups-task-forces/technology-innovation-alliance-working-group.
---------------------------------------------------------------------------
Commenters also expressed a need for more guidance and illustrative
examples. One of these commenters stated that additional explanatory
materials or separate guidance could help maintain competition among
firms. Another stated that insights from the PCAOB's research and
oversight activities would benefit small and mid-sized accounting firms
in identifying and selecting appropriate tools.
Throughout this release, where appropriate, the Board has
incorporated examples and considerations for applying the final
amendments. The examples and considerations highlight the principles-
based nature of the amendments and emphasize that the nature, timing,
and extent of the auditor's procedures will depend on the facts and
circumstances of the audit engagement. In addition, the staff's ongoing
research activities will continue to evaluate the need for staff
guidance.
Discussion of the Final Amendments
Specifying Auditor Responsibilities When Performing Tests of Details
See paragraphs .10 and .48 through .50 of AS 2301 of the
amendments.
1. Clarifying ``Test of Details''
The Board proposed to amend AS 1105.13 and .21 to address the
differences between the terms ``test of details'' and ``analytical
procedures,'' by clarifying the meaning of the term ``test of
details.'' The proposed amendments stated that a test of details
involves performing audit procedures with respect to individual items
included in an account or disclosure, whereas analytical procedures
generally do not involve evaluating individual items, unless those
items are part of the auditor's investigation of significant
differences from expected amounts. The Board adopted the proposed
description of a ``test of details'' with certain modifications as
discussed further below, including relocating the description from AS
1105 to new paragraph .48 in AS 2301.
Under PCAOB standards, the auditor's responses to risks of material
misstatement involve performing substantive procedures for each
relevant assertion of each significant account and disclosure,
regardless of the assessed level of control risk.\22\ Substantive
procedures under PCAOB standards include tests of details and
substantive analytical procedures.\23\ Appropriately designing and
performing an audit procedure to achieve a particular objective is key
to appropriately addressing the risks assessed by the auditor. For
significant risks of material misstatement, including fraud risks, the
auditor is required to perform substantive procedures, including tests
of details that are specifically responsive to the assessed risk.\24\
PCAOB standards also state that it is unlikely that audit evidence
obtained from substantive analytical procedures alone would be
sufficient.\25\
---------------------------------------------------------------------------
\22\ See AS 2301.36.
\23\ See AS 1105.13.b(2).
\24\ See AS 2301.11 and .13 (specifying the auditor's
responsibilities for responses to significant risks, which include
fraud risks).
\25\ See AS 2305.09.
---------------------------------------------------------------------------
[[Page 54928]]
As discussed in the proposal, the use of ``data analytics'' or
``data analysis'' in practice and the use of the term ``analytical
procedures'' in PCAOB standards have led to questions about whether an
audit procedure involving technology-assisted analysis can be a test of
details (i.e., not an analytical procedure as described under PCAOB
standards). The distinction is important because of the requirement in
PCAOB standards that the auditor perform tests of details when
responding to an assessed significant risk of material misstatement.
Relying on analytical procedures alone to address an assessed
significant risk is not sufficient.
Commenters on this topic supported clarifying the meaning of tests
of details and that tests of details involve performing audit
procedures at an individual item level. However, several commenters
stated that with technology-assisted analysis, aspects of a substantive
analytical procedure may also be performed at an individual item level.
Some commenters provided examples where the auditor uses a technology-
assisted analysis to develop an expectation of recorded amounts for
individual items in an account and aggregates the individual amounts to
compare to the aggregated amount recorded by the company.
One commenter suggested clarifying the term ``individual items''
given the varying forms and level of disaggregation of data obtained
for analysis by the auditor. This commenter suggested further
clarifying that consideration be given to the objective of the audit
procedure, the nature of the procedure to be applied, and the evidence
necessary to meet the objective of the audit procedure. Another
commenter sought additional information related to circumstances where
a procedure would not be considered a test of details because it was
not applied to individual items in an account.
Some commenters, mostly firms, expressed a preference that the
standards not compare tests of details to analytical procedures. For
example:
A firm-related group stated that the proposed
clarification was unnecessarily nuanced.
Another commenter stated that the proposed description of
analytical procedures as compared to tests of details was not accurate
and could cause confusion.
Other commenters stated that analytical procedures are
clearly defined in PCAOB standards and are well understood by auditors,
and that comparing tests of details to analytical procedures is
unnecessary.
Some commenters suggested evaluating the proposed
amendments together with the Board's standard-setting project to
address substantive analytical procedures.
Other commenters stated that technology-assisted analysis continues
to make classification of procedures between tests of details and
analytical procedures more challenging because some procedures may
exhibit characteristics of both types of procedures. These commenters
suggested that the auditing standards focus on the sufficiency and
appropriateness of evidence obtained from an audit procedure instead of
clarifying the terminology of tests of details and analytical
procedures. Some commenters also stated that the development of an
expectation differentiates an analytical procedure from a test of
details.
Having considered the comments received, the Board made several
changes to the proposed description of a ``test of details.'' The final
amendments state that a test of details involves performing audit
procedures with respect to items included in an account or disclosure
(e.g., the date, amount, or contractual terms of a transaction). When
performing a test of details, the auditor should apply audit procedures
that are appropriate to the particular audit objectives to each item
selected for testing.
First, the Board relocated the description of a ``test of details''
and related requirements to a new section of AS 2301, in new paragraph
.48. The Board believes that describing a test of details within AS
2301 is appropriate because tests of details are performed as
substantive procedures to address assessed risks of material
misstatement. The description uses the term ``items included in an
account or disclosure'' instead of ``individual items.'' The change in
terminology was made to more closely align with the description of
items selected for testing in existing AS 1105.22-.23.
Second, the Board revised the amendment to clarify that when
performing a test of details, the auditor should apply the audit
procedures that are appropriate to the particular audit objectives to
each item selected for testing. This provision focuses the auditor on
the objectives of the audit procedures being performed and is
consistent with existing requirements for audit sampling.\26\ The Board
believes that an emphasis on the objectives of the audit procedures,
regardless of the means of selecting items for testing in the test of
details, continues to be important and is aligned with the final
amendments to AS 1105.14 (using an audit procedure for more than one
purpose), which are discussed below in this release.\27\
---------------------------------------------------------------------------
\26\ See AS 2315.25.
\27\ See discussion below.
---------------------------------------------------------------------------
Lastly, the final amendments do not compare tests of details to
analytical procedures, and the Board did not amend the existing
description of analytical procedures in AS 1105.21. Because of the
overlap between the description of analytical procedures and
substantive analytical procedures, further potential amendments to the
description of analytical procedures are being considered as part of
the Board's standard-setting project to address substantive analytical
procedures.\28\ In addition, comments the Board received related to the
auditor's use of substantive analytical procedures were taken into
consideration in that project.
---------------------------------------------------------------------------
\28\ The Board has a separate standard-setting project on its
short-term standard-setting agenda (https://pcaobus.org/oversight/standards/standard-setting-research-projects) related to substantive
analytical procedures. In connection with that project, the Board
has proposed changes to the auditor's responsibilities regarding the
use of substantive analytical procedures, including the requirements
described in AS 2305 and AS 1105. See Proposed Auditing Standard--
Designing and Performing Substantive Analytical Procedures and
Amendments to Other PCAOB Standards, PCAOB Rel. No. 2024-006 (June
12, 2024) (included in PCAOB Rulemaking Docket No. 56).
---------------------------------------------------------------------------
The final amendments are not intended to define ``items included in
an account or disclosure'' because such a definition is impractical
given the variety of accounts and disclosures subject to tests of
details. The auditor would determine the level of disaggregation or
detail of the items within the account or disclosure based on the facts
and circumstances of the audit engagement, including the assessed risk
and the relevant assertion intended to be addressed, and the objective
of the procedure.
In addition, the Board considered the comments suggesting that the
amendments focus on the sufficiency and appropriateness of evidence
obtained from performing audit procedures instead of describing
categories of procedures. Considering current practice and the nature
of audit procedures performed currently, the Board continues to believe
that the existing standards are sufficiently clear in describing
auditors' responsibilities for obtaining and evaluating audit evidence.
The Board's ongoing research has not identified specific examples of
substantive analytical procedures that, by themselves, would provide
sufficient appropriate audit evidence to respond
[[Page 54929]]
to a significant risk. Commenters also did not provide such examples.
Therefore, the Board believes retaining the categories of procedures as
tests of details and substantive analytical procedures continues to be
appropriate.
2. Specifying Auditor Responsibilities When Investigating Items
Identified
The Board proposed to add a new paragraph .37A to AS 2301 that
specified matters for the auditor to consider when investigating items
identified through using criteria established by the auditor in
designing or performing substantive procedures on all or part of a
population of items. Under the proposed paragraph, when the auditor
establishes and uses criteria to identify items for further
investigation, as part of designing or performing substantive
procedures, the auditor's investigation should consider whether the
identified items:
Provide audit evidence that contradicts the evidence upon
which the original risk assessment was based;
Indicate a previously unidentified risk of material
misstatement;
Represent a misstatement or indicate a deficiency in the
design or operating effectiveness of a control; or
Otherwise indicate a need to modify the auditor's risk
assessment or planned audit procedures.
The proposed requirement included a note providing that inquiry of
management may assist the auditor and that the auditor should obtain
audit evidence to evaluate the appropriateness of management's
responses.
The Board adopted the proposed provisions with certain
modifications as discussed further below, including relocating the
requirements from proposed paragraph .37A to new paragraphs .49 and .50
in AS 2301. The Board also made a conforming amendment to paragraph .10
of AS 2301 to include a reference to paragraphs .48 through .50.
As discussed above, designing substantive tests of details and
tests of controls includes determining the means of selecting items for
testing. The alternative means of selecting items for testing consist
of selecting all items; selecting specific items; and audit sampling.
As discussed in the proposal, the Board's research has indicated that
auditors use technology-assisted analysis to identify specific items
within a population (e.g., an account or class of transactions) for
further investigation. For example, auditors may identify all revenue
transactions above a certain amount, transactions processed by certain
individuals, or transactions where the shipping date does not match the
date of the invoice. Because technology-assisted analysis may enable
the auditor to examine all items in a population, it is possible that
the analysis may return dozens or even hundreds of items within the
population that meet one or more criteria established by the auditor.
Considering current practice, the Board stated in the proposal that
PCAOB standards should be modified to address the auditor's
responsibilities in such scenarios more directly. The auditor's
appropriate investigation of identified items is important both for
identifying and assessing the risks of material misstatement and for
designing and implementing appropriate responses to the identified
risks.
Commenters were supportive of the principles-based nature of the
proposed amendment and agreed with the Board's decision not to
prescribe the nature, timing, or extent of investigation procedures.
However, commenters also asked for further clarification, guidance, and
examples to address different scenarios that the auditor encounters
when 100 percent of a population is tested, given that certain
requirements in proposed AS 2301.37A exist in the standards today. Some
commenters said it was unclear how proposed AS 2301.37A was different
from requirements in existing standards related to the auditor's
ongoing risk assessment, and the auditor's responsibility to revise
their risk assessment under certain scenarios and to evaluate the
results of audit procedures. Several commenters noted that existing
standards address auditors' responsibilities when investigating items
under certain scenarios. These commenters observed, for example, that
AS 2110, Identifying and Assessing Risks of Material Misstatement,
applies when the auditor uses technology-assisted analysis to identify
and assess risks of material misstatement, and AS 2110.74 and AS
2301.46 apply when the items identified by the auditor when using
technology-assisted analysis indicate a new risk of misstatement or a
need to modify the auditor's risk assessment. One commenter asked
whether identifying items for further investigation was intended to
describe only scenarios where specific items are selected for testing.
One commenter noted that the proposed amendment implied that
technology-assisted analysis could be used only for purposes of risk
assessment or selecting specific items for testing. Another commenter
stated that it is important for the auditor's investigation of items to
include determining whether there is a control deficiency.
Several commenters asked that the Board clarify whether sampling
can be applied to items identified for investigation or whether the
auditor is expected to test 100 percent of the identified items. Some
commenters also asked the Board to clarify whether the evidence
obtained would be considered sufficient and appropriate, or if the
auditor would be required to perform further procedures, in situations
where a technology-assisted analysis over an entire population (e.g.,
matching quantities invoiced to quantities shipped) did not identify
any items for investigation. One commenter recommended that the
amendments be extended to address the auditor's responsibilities over
other items in the population not identified for investigation. Two
commenters asked the Board to clarify how the proposed amendment and
existing standard would apply when the technology-assisted analysis is
modified after the original analysis is complete.
Consistent with the proposal, the final requirements are
principles-based and intended to be applied to all means of selecting
items for a test of details (e.g., selecting all items, selecting
specific items, and audit sampling). The Board continues to believe
that appropriately addressing the items identified by the auditor for
further investigation in a test of details is an important part of
obtaining sufficient appropriate audit evidence, because these items
individually or in the aggregate may indicate misstatements or
deficiencies in the design or operating effectiveness of a control. In
response to comments received, the final amendments reflect several
modifications from the proposal.
First, the Board reframed the requirements to focus on the
auditor's investigation of items when performing a test of details as
part of the auditor's response to assessed risks. The Board narrowed
the requirement to apply only to tests of details because, as
commenters noted, existing PCAOB standards describe the auditor's
responsibility to investigate items identified when performing
substantive analytical procedures.\29\ In addition, the Board did not
repeat the considerations related to the auditor's risk assessment that
are required under existing PCAOB standards as described above. The
Board believes these changes alleviate potential confusion about how
the
[[Page 54930]]
requirements are intended to be applied. The Board also removed the
proposed note requiring the auditor to obtain audit evidence when
evaluating the appropriateness of management's responses to inquiries,
because existing PCAOB standards already address this point by noting
that inquiry alone does not provide sufficient appropriate evidence to
support a conclusion about a relevant assertion.\30\
---------------------------------------------------------------------------
\29\ See AS 2305.20-.21 (providing that the auditor should
evaluate significant unexpected differences when performing a
substantive analytical procedure). See also PCAOB Rel. No. 2024-006
(proposing amendments to AS 2305).
\30\ See AS 1105.17 and AS 2301.39.
---------------------------------------------------------------------------
Second, the requirements have been relocated into two new
paragraphs (.49 and .50) in AS 2301, which are designed to work
together. Paragraph .49 applies to all tests of details, regardless of
the means of selecting items used by the auditor. The requirement
states that when performing a test of details, the auditor may identify
items for further investigation. For example, an auditor may identify
balances or transactions that contain, or do not contain, a certain
characteristic or that are valued outside of a range. The final
amendment emphasizes that when such items are identified, audit
procedures that the auditor performs to investigate the identified
items are part of the auditor's response to the risks of material
misstatement. The auditor determines the nature, timing, and extent of
such procedures in accordance with PCAOB standards. The final amendment
also provides that the auditor's investigation of the identified items
should include determining whether the items individually or in the
aggregate indicate (i) misstatements that should be evaluated in
accordance with AS 2810 or (ii) deficiencies in the company's internal
control over financial reporting.
When the auditor identifies items for further investigation in a
test of details, the final amendment does not prescribe the nature,
timing, and extent of audit procedures to be performed regarding the
identified items, including whether those procedures are performed on
the items individually or in the aggregate. Prescribing specific
procedures would be impracticable considering the multitude of possible
scenarios encountered in practice. The nature of the identified items
and likely sources of potential misstatements are examples of factors
that would inform the auditor's approach. To comply with PCAOB
standards, the nature, timing, and extent of the audit procedures
performed, including the means of selecting items, should enable the
auditor to obtain evidence that, in combination with other relevant
evidence, is sufficient to meet the objective of the test of details.
In some cases, an auditor may be able to group the identified items
(e.g., items with a common characteristic) and perform additional audit
procedures to determine whether the items indicate misstatements or
control deficiencies by group.\31\ In other cases, it may not be
appropriate to group the items identified for investigation.\32\
Further, the auditor's investigation could also identify new relevant
information (e.g., regarding the types of potential misstatements) and
the auditor may need to modify the audit response.
---------------------------------------------------------------------------
\31\ For example, in a test of revenue, the auditor may discover
that the identified differences between customer invoices and
payments are caused by variations in the exchange rate, but such
differences are both in accordance with the terms of the customer
contracts and appropriately accounted for by the company. In this
example, grouping the differences for the purpose of performing
additional procedures may be appropriate.
\32\ For example, in circumstances where the identified items
are unrelated to each other, it may not be appropriate for the
auditor to group these items for the purpose of performing
additional procedures.
---------------------------------------------------------------------------
When a test of details is performed on specific items selected by
the auditor,\33\ the final amendments discuss the auditor's
responsibilities for addressing the remaining items in the population.
When the auditor selects specific items in an account or disclosure for
testing, new paragraph .50 provides that the auditor should determine
whether there is a reasonable possibility that remaining items within
the account or disclosure include a misstatement that, individually or
when aggregated with others, would have a material effect on the
financial statements.\34\ If the auditor determines that there is a
reasonable possibility of such a risk of material misstatement in the
items not selected for testing, the auditor should perform substantive
procedures that address the assessed risk.\35\ As discussed in the
proposing release, the auditor's responsibilities over other items in
the population are described in existing PCAOB standards, and the final
requirement (AS 2301.50) reminds the auditor of those responsibilities.
---------------------------------------------------------------------------
\33\ See AS 1105.25-.27.
\34\ See AS 2110.
\35\ See AS 2301.08 and .36.
---------------------------------------------------------------------------
The final amendments do not specify, as suggested by some
commenters, whether the evidence obtained would be considered
sufficient and appropriate, or whether the auditor would be required to
perform further procedures, in situations where a technology-assisted
analysis over an entire population did not identify any items for
investigation. Because facts and circumstances vary, it is not possible
to specify scenarios that would provide sufficient appropriate audit
evidence. Consistent with existing standards, for an individual
assertion, different types and combinations of substantive procedures
might be necessary to detect material misstatements in the respective
assertions.\36\ For example, in addition to performing a technology-
assisted analysis of company-produced information to match quantities
invoiced to quantities shipped, other audit procedures, such as
examining a sample of information that the company received from
external sources (e.g., purchase orders and cash receipts), may be
necessary to obtain sufficient appropriate audit evidence for the
relevant assertion. The auditor would be required to document the
purpose, objectives, evidence obtained, and conclusions reached from
the procedures in accordance with the existing provisions of AS 1215,
Audit Documentation.\37\
---------------------------------------------------------------------------
\36\ See AS 2301.40.
\37\ See AS 1215.04-.06.
---------------------------------------------------------------------------
Specifying Auditor Responsibilities When Using an Audit Procedure for
More Than One Purpose
See paragraph .14 of AS 1105 of the amendments.
The Board proposed to amend paragraph .14 of AS 1105 by adding a
sentence to specify that if an auditor uses audit evidence from an
audit procedure for more than one purpose, the auditor should design
and perform the procedure to achieve each of the relevant objectives of
the procedure.
The proposed amendment was intended to supplement existing PCAOB
standards because the Board's research indicated that: (i) technology-
assisted analysis could be used in a variety of audit procedures,
including risk assessment and further audit procedures (such as tests
of details and substantive analytical procedures); (ii) an audit
procedure that involves technology-assisted analysis may provide
relevant and reliable evidence for more than one purpose (e.g.,
identifying and assessing risks of material misstatement and addressing
assessed risks); and (iii) questions have been raised about whether the
evidence obtained from an audit procedure that involves technology-
assisted analysis can be used for more than one purpose. The Board
adopted the amendment substantially as proposed, with certain
modifications to clarify and simplify the sentence, as discussed below.
As amended, the sentence added to paragraph .14 provides that ``[i]f
the auditor uses an audit procedure for more than one
[[Page 54931]]
purpose, the auditor should achieve each objective of the procedure.''
Under existing PCAOB standards, the purpose of an audit procedure
determines whether it is a risk assessment procedure, test of controls,
or substantive procedure.\38\ Although AS 1105 describes specific audit
procedures, it does not specify whether an audit procedure may be
designed to achieve more than one purpose; nor does it preclude the
auditor from designing and performing multi-purpose audit
procedures.\39\ In fact, other PCAOB standards have long permitted
auditors to use audit evidence for more than one purpose through the
performance of properly designed ``dual-purpose'' procedures in certain
scenarios.\40\
---------------------------------------------------------------------------
\38\ See AS 1105.14.
\39\ This interpretation was highlighted in a 2020 PCAOB staff
publication. See PCAOB, Spotlight: Data and Technology Research
Project Update (May 2020), at 4, available at https://pcaobus.org/Documents/Data-Technology-Project-Spotlight.pdf.
\40\ See, e.g., AS 2110.39 (``The auditor may obtain an
understanding of internal control concurrently with performing tests
of controls if he or she obtains sufficient appropriate evidence to
achieve the objectives of both procedures'') and AS 2301.47
(discussing performance of a substantive test of a transaction
concurrently with a test of a control relevant to that transaction
(a ``dual-purpose test'')).
---------------------------------------------------------------------------
Considering the variety of applications of technology-assisted
analysis throughout the audit, the Board stated in the proposal that
PCAOB standards could be modified to more specifically address when an
auditor uses audit evidence from an audit procedure for more than one
purpose, to facilitate the auditor's design and performance of audit
procedures that provide sufficient appropriate audit evidence. The
proposal explained that audit procedures involving technology-assisted
analysis are not always multi-purpose procedures. For example, a
technology-assisted analysis that is used to analyze a population of
revenue transactions to identify significant new products may provide
audit evidence only to assist the auditor with identifying and
assessing risks (a risk assessment procedure). But if the procedure
also involves obtaining audit evidence to address the risk of material
misstatement associated with the occurrence of revenue, the procedure
would be a multi-purpose procedure.
Commenters, including an investor-related group, supported the
objective of the amendment to specify the auditor's responsibilities
when using audit evidence for more than one purpose. One commenter
stated that the proposed amendment appears to prohibit an auditor from
using audit evidence obtained later in the audit. In that commenter's
view, the amendment implied that the auditor must intend to use the
audit procedure for more than one purpose, which could be viewed as
contradicting the principle that risk assessment should continue
throughout the audit.
Several commenters stated that the proposed amendment implied that,
for an auditor to use audit evidence for more than one purpose, the
auditor would need to know all of the purposes initially when designing
the procedure. These commenters added that audit procedures that use
technology-assisted analysis can be more iterative in nature and may
not be designed for all the purposes that they ultimately fulfill
through the nature of the evidence they generate. For example, one
commenter noted that when using technology-assisted analysis to
substantively test a population of transactions, the auditor may
identify a sub-population of transactions that exhibit different
characteristics than the rest of the population and use that
information to modify the risk assessment of the sub-population.
Another commenter noted that an audit procedure may be designed as a
risk assessment procedure, but the technology-assisted analysis may
provide audit evidence for assertions about classes of transactions or
account balances or other evidence regarding the completeness and
accuracy of information produced by the company used in the performance
of other audit procedures. These commenters suggested that the
amendment be revised by focusing on evaluating the audit evidence
obtained from the procedure.
The proposed amendment was not intended to imply that the auditor
should not evaluate or consider information obtained from an audit
procedure that the auditor was not aware of when initially designing
the procedure or that the auditor obtains after a procedure is
completed. As noted in the proposal, an auditor may use audit evidence
from an audit procedure that involves technology-assisted analysis to
achieve one or more objectives, depending on the facts and
circumstances of the company and the audit. Further, the auditor would
be required to consider and evaluate such information under existing
PCAOB standards. For example, as one commenter noted, existing AS 1105
states that audit evidence is all the information, whether obtained
from audit procedures or other sources, that is used by the auditor in
arriving at the conclusions on which the auditor's opinion is
based.\41\ Another commenter observed that existing PCAOB standards
provide that the auditor's assessment of the risks of material
misstatement, including fraud risks, continues throughout the
audit.\42\
---------------------------------------------------------------------------
\41\ See AS 1105.02.
\42\ See, e.g., AS 2110.74 and AS 2301.46.
---------------------------------------------------------------------------
The Board continues to believe that in order for an auditor to use
an audit procedure for more than one purpose (i.e., as more than a risk
assessment procedure, test of controls, or substantive procedure
alone), the auditor would need to determine that each of the objectives
of the procedure has been achieved. Therefore, after considering the
comments received, the Board retained the requirement but removed the
reference to ``design and perform the procedure.'' The auditor's
responsibilities for designing and performing procedures are already
addressed in AS 2110 and AS 2301. Therefore, the final amendment to
paragraph .14 of AS 1105 states that ``[i]f the auditor uses an audit
procedure for more than one purpose, the auditor should achieve each
objective of the procedure.''
As noted in the proposal, the purpose, objective, and results of
multi-purpose procedures should be clearly documented. Under existing
PCAOB standards, audit documentation must contain sufficient
information to enable an experienced auditor, having no previous
connection with the engagement, to understand the nature, timing,
extent, and results of the procedures performed, evidence obtained, and
conclusions reached.\43\ Accordingly, audit documentation should make
clear each purpose of the multi-purpose procedure, the results of the
procedure, the evidence obtained, the conclusions reached, and how the
auditor achieved each objective of the procedure.
---------------------------------------------------------------------------
\43\ See AS 1215.04-.06.
---------------------------------------------------------------------------
Commenters were supportive of acknowledging the auditor's
documentation responsibilities when using audit evidence for more than
one purpose. An investor-related group commented that the audit
planning documentation should support how each procedure will achieve
each objective and that the audit work papers should document that the
work performed achieved each objective. Another commenter also
concurred with the notion that the purpose, objective, and results of
multi-purpose procedures should be clearly documented. One commenter
noted it was unclear whether there are any incremental
[[Page 54932]]
documentation expectations in comparison to current practice.
Under PCAOB standards, audit documentation should be prepared in
sufficient detail to provide a clear understanding of its purpose,
source, and the conclusions reached.\44\ This applies also for
procedures performed that involve technology-assisted analysis.
Therefore, the Board believes that specifying further documentation
requirements is unnecessary.
---------------------------------------------------------------------------
\44\ See AS 1215.04.
---------------------------------------------------------------------------
Some commenters suggested that the Board provide an example of
using audit evidence from an audit procedure to achieve more than one
purpose, including two commenters suggesting an example similar to
examples issued by the American Institute of Certified Public
Accountants (``AICPA'').\45\ Given the evolving nature of the auditor's
use of technology, the Board did not include a specific example in the
text of the final amendments to AS 1105.14. The proposing release,
however, discussed an example where a technology-assisted analysis of
accounts related to the procurement process could both: (i) provide the
auditor with insights into the volume of payments made to new vendors
(e.g., a risk assessment procedure to identify new or different risks);
and (ii) match approved purchase orders to invoices received and
payments made for each item within a population (e.g., a test of
details to address an assessed risk associated with the occurrence of
expenses and obligations of liabilities).\46\ The Board believes this
example illustrates how auditors would apply the principles-based
amendments consistently. If the procedure performed does not achieve
each of the intended objectives, other procedures would need to be
performed (e.g., other substantive procedures to address assessed risks
of material misstatement).
---------------------------------------------------------------------------
\45\ Examples referenced by commenters included examples issued
by the AICPA in AU-C 500, Audit Evidence.
\46\ See Proposing Release at 19.
---------------------------------------------------------------------------
Lastly, two commenters suggested that the Board clarify that the
specific audit procedures discussed in AS 1105.14 are not an all-
inclusive list, to allow for the use of additional types of procedures,
or combination of procedures, in the future as technology evolves. The
Board believes the existing language is sufficiently clear because it
does not indicate that the specific audit procedures described in the
standard are the only types of audit procedures the auditor can
perform.
Specifying Auditor Responsibilities for Evaluating the Reliability of
Certain Audit Evidence and Emphasizing the Importance of Appropriate
Disaggregation or Detail of Information
See paragraphs .07, .08, .10, .10A, .15, .19, and .A8 of AS 1105 of
the amendments.
1. Evaluating the Reliability of External Information Provided by the
Company in Electronic Form
The Board proposed to add paragraph .10A to AS 1105 to specify the
auditor's responsibility for performing procedures to evaluate the
reliability of external information maintained by the company in
electronic form when using such information as audit evidence. The
proposed paragraph provided that the auditor should evaluate whether
such information is reliable for purposes of the audit by performing
procedures to: (a) obtain an understanding of the source of the
information and the company's procedures by which such information is
received, recorded, maintained, and processed in the company's
information systems; and (b) test controls (including information
technology general controls and automated application controls) over
the company's procedures or test the company's procedures.
The Board adopted the amendments substantially as proposed with
certain modifications discussed below. The Board also made a conforming
amendment to footnote 5 of paragraph .A8 of AS 1105 to include a
reference to paragraph .10A.
The Board noted in the proposal that, based on its research,
auditors often obtain from companies, and use in the performance of
audit procedures, information in electronic form. In many instances,
companies have obtained the information from one or more external
sources. PCAOB standards do not include specific requirements regarding
information received by the company from external sources, maintained,
and in many instances processed by the company, and then included in
the information provided to the auditor in electronic form to be used
as audit evidence.\47\ Because this information is maintained and
potentially can be modified by the company, the Board proposed to amend
its standards to address this risk to the reliability of audit evidence
that the auditor obtains through using this type of information.
---------------------------------------------------------------------------
\47\ For example, the company may receive information from a
customer in the form of a purchase order and provide that
information to the auditor in electronic form.
---------------------------------------------------------------------------
Commenters on this topic, including an investor-related group,
supported the Board's objective of addressing the risks that
information the company receives from one or more external sources and
provides to the auditor in electronic form to use as audit evidence may
not be reliable and may have been modified by the company. However,
several commenters also stated that further clarification of the
requirements was needed:
Some commenters asked for clarification about the
information the company received from one or more external sources and
``maintained in its information systems'' in electronic form. A few of
those commenters also asked whether the use of ``its information
systems'' was intended to be the same as the ``information system
relevant to financial reporting'' in AS 2110.\48\ Several commenters
suggested clarifying the proposed examples of the types of information
subject to these requirements that were included in the proposed
footnote to AS 1105.10A and providing more specific examples, such as a
bank statement in PDF format.
---------------------------------------------------------------------------
\48\ See AS 2110.28.
---------------------------------------------------------------------------
One commenter noted that the proposed amendment may not
clarify the difference between maintaining the reliability of the
external information received by the company and what the company does
with that information after it is received. The commenter noted that
after external information has been received, it is often recorded into
the company's information system where it is moved, processed, and
changed to the point that it is no longer considered external
information, but rather information produced by the company and subject
to transactional processes and controls. Another commenter stated that
the requirements should not focus on accuracy and completeness because
the information is provided to the company from an external source.
A number of commenters stated that the proposed amendment,
specifically the requirement in AS 1105.10A to test controls over
procedures or test the company's procedures themselves, implied that
the auditor had to test the effectiveness of internal controls in order
for the information to be determined to be reliable. Many of these
commenters asked for clarification of the distinction between testing
the company's controls and testing the company's procedures. One
commenter noted that certain smaller and mid-sized companies may not
have implemented controls that can be tested. Some commenters added
that,
[[Page 54933]]
because the proposed amendments did not include ``where applicable''
related to information technology general controls (``ITGCs'') and
automated application controls, the proposed amendments implied that
ITGCs and automated application controls always needed to be tested and
effective. Several of these commenters also provided examples of
scenarios where ITGCs and automated application controls may not need
to be tested, such as controls that reconcile information in the
company's information systems to the information the company received
from the external source. Commenters also asked whether information
from an external source provided by the company can be tested directly
(i.e., not testing a company's controls) and stated that it would be
helpful to clarify expectations of the auditor's work effort when
evaluating the reliability of such information.
One commenter indicated that it was unclear how the
requirements of footnote 3 of AS 1105.10 and proposed AS 1105.10A
interrelate when using information produced by a service organization.
Footnote 3 of AS 1105 refers the auditor to responsibilities under AS
2601, Consideration of an Entity's Use of a Service Organization, and
in an integrated audit, AS 2201, An Audit of Internal Control Over
Financial Reporting That Is Integrated with An Audit of Financial
Statements, when using information produced by a service organization
as audit evidence.
An investor-related group commented that, in addition to
the requirements for the auditor to evaluate the reliability of
external information provided by the company in electronic form, the
auditor should also be required to evaluate the reliability of digital
information maintained outside the company and used by the auditor as
audit evidence. Another commenter suggested that the auditor's
requirements should also address information obtained directly by the
auditor from external sources.
In consideration of comments received, the Board made several
modifications to the final amendments, which are described in more
detail below. The final amendment (paragraph .10A) provides that the
auditor should evaluate whether external information provided by the
company in electronic form and used as audit evidence is reliable by:
a. Obtaining an understanding of (i) the source from which the
company received the information; and (ii) the company's process by
which the information was received, maintained, and, where applicable,
processed, which includes understanding the nature of any modifications
made to the information before it was provided to the auditor; and
b. Testing the information to determine whether it has been
modified by the company and evaluating the effect of those
modifications; or testing controls over receiving, maintaining, and
processing the information (including, where applicable, information
technology general controls and automated application controls).
As discussed above, the proposed amendments described auditor
responsibilities related to evaluating the reliability of information
in electronic form provided by the company to the auditor that the
company received from external sources. Examples of such information
include, but are not limited to, bank statements, customer order
information, information related to cash receipts, and shipping
information from third-party carriers provided to the auditor in
electronic form.
The Board believes that a principles-based description of the
information subject to the requirement that does not list specific
types of information, as suggested by some commenters, is in the best
interest of audit quality and investor protection. This approach is
adaptable to evolving sources and forms of electronic information,
considering continued advancements in technology. The Board has
clarified the final amendment by removing the reference to ``maintained
in the company's information systems,'' which confused some commenters.
The use of this term in the proposal was intended to refer broadly to
information in electronic form within a company that the company could
provide to the auditor.
The Board has revised subparagraph (a) of the final amendment to
replace the term ``company's procedures'' with ``company's process.''
In the proposal the Board used ``company's procedures'' to align with
AS 2110.28(b), which describes the company's procedures to initiate,
authorize, process, and record transactions. However, the Board
believes use of the ``company's process'' is more consistent with AS
2110.30 and .31, which describe the company's business processes that
the auditor is required to understand. The Board also believe that
using ``company's process'' clarifies that the intent of the
requirement is to understand the flow of the information from the time
the company received it from the external source until the company
provided it to the auditor. Additional refinements made to this
requirement include (i) removing the word ``recorded'' because
receiving, processing, and maintaining data would encompass recording
it; and (ii) adding ``where applicable'' to address examples provided
by commenters where companies receive information from external sources
that may be maintained only--and not processed--by the company.
The Board also made revisions to clarify that, as part of
understanding how the information received from external sources is
processed by the company, the auditor should obtain an understanding of
the nature of any modifications made to the information. This revision
focuses the auditor on identifying the circumstances where the
information may have been modified or changed by the company.
The Board did not intend to imply that internal controls are
required to be tested and effective in order for the auditor to be able
to determine that external information is reliable for purposes of the
audit, as suggested by some commenters. Rather, the proposed amendment
was meant to (i) clarify the auditor's responsibility for performing
procedures to evaluate the reliability of audit evidence; and (ii)
address the risk that the company may have modified the external
information prior to providing it to the auditor for use as audit
evidence.
The Board revised the final amendment in subparagraph (b) to
require that the auditor (i) test the information to determine whether
it has been modified by the company and evaluate the effect of those
modifications; or (ii) test controls over receiving, maintaining, and
where applicable, processing the information. As discussed in the
proposing release, the auditor may determine the information has been
modified by the company by either comparing the information provided to
the auditor to (i) the information the company received from the
external source; or (ii) information obtained directly by the auditor
from external sources. Some commenters referred to comparing the
information provided by the company to the information the company
received from the external source, as testing the information
``directly'' for reliability.
For example, the auditor may obtain customer purchase order
information from the company's information systems and compare this
information to the original purchase order submitted by the customer to
determine whether any modifications were made by the company. In
another example, the auditor may obtain interest rate information from
the company's information systems and compare it to the original
information from the U.S. Department of Treasury. Under the final
[[Page 54934]]
amendments, if the auditor determines modifications were made by the
company, the auditor would have to evaluate the effect of the
modifications on the reliability of the information. For example, the
auditor may determine that certain modifications (e.g., formatting of
the date of a transaction from the European date format to the U.S.
date format) have not affected the reliability of the information.
Conversely, the auditor may determine that inadvertent or intentional
deletions, or improper alterations of key data elements by the company
(e.g., customer details, transaction amount, product quantity) have
negatively affected the reliability of information.
Finally, the Board further clarified the amendment to indicate that
if the auditor chooses to test controls instead of testing the
information as described above, the auditor should test controls over
the receiving, maintaining, and where applicable, processing of the
information that are relevant to the auditor's evaluation of whether
the information is reliable for purposes of the audit. This aligns with
the Board's intent in the proposal that described testing controls over
the company's procedures. Controls over processing the information
would include internal controls over any modifications made by the
company to the information.
Several commenters noted that in instances where controls over the
information are ineffective, or are not implemented or formalized, the
auditor may need to perform procedures other than testing internal
controls to determine the reliability of the information provided by
the company. In response to these comments, the Board believes it is
important to remind auditors that PCAOB standards already address
circumstances when the auditor encounters ineffective controls, or
controls that are not implemented or formalized. It is important for
the auditor to also understand the implications of such findings on the
nature, timing, and extent of procedures that the auditor needs to
perform in accordance with PCAOB standards.\49\
---------------------------------------------------------------------------
\49\ See, e.g., AS 1105.08, AS 2110.25 and .B1-.B6, and AS
2301.32-.34.
---------------------------------------------------------------------------
The Board also considered the comments related to specifying
requirements for the auditor to evaluate the reliability of external
information obtained directly by the auditor from external sources,
which would include digital information maintained outside the company
and used as audit evidence. Under existing standards, audit evidence
must be reliable, and its reliability depends on the nature and the
source of the evidence and the circumstances under which it is
obtained.\50\ In light of the existing requirements within AS 1105, the
Board believes that the auditor's responsibilities to evaluate the
reliability of information obtained from external sources are
sufficiently clear and that further amendments to address information
obtained by the auditor directly from external sources are not
necessary. In addition, the Board considered but decided not to address
in this project auditors' responsibilities related to using information
produced by a service organization as audit evidence.\51\
---------------------------------------------------------------------------
\50\ See AS 1105.06 and AS 1105.08. See also PCAOB, Staff
Guidance--Insights for Auditors Evaluating the Relevance and
Reliability of Audit Evidence Obtained From External Sources (Oct.
2021), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/standards/documents/evaluating-relevance-and-reliability-of-audit-evidence-obtained-from-external-sources.pdf?sfvrsn=48b638b_6.
\51\ See AS 2601 for the auditor's requirements related to the
use of a service organization. The Board has a separate standard-
setting project on its mid-term standard-setting agenda (https://pcaobus.org/oversight/standards/standard-setting-research-projects)
related to the use of a service organization, which may result in
changes to AS 2601 and the auditor's responsibilities regarding the
use of a service organization.
---------------------------------------------------------------------------
Further, as discussed below, the Board's proposed amendment was
intended to highlight the importance of controls over information
technology. The Board considered the comments received, and the final
amendment clarifies that ITGCs and automated application controls
should be tested where applicable (e.g., where controls are selected
for testing or where a significant amount of information supporting one
or more relevant assertions is electronically initiated, recorded,
processed, or reported).\52\ The Board believes testing ITGCs and
automated application controls is important to mitigate the risk that
the information provided by the company in electronic form is not
reliable. In some cases, the auditor may already be testing the
relevant ITGCs and automated application controls, while in other cases
the auditor may need to test additional controls.
---------------------------------------------------------------------------
\52\ See, e.g., AS 2301.17.
---------------------------------------------------------------------------
Consistent with the proposal, the Board did not prescribe the
nature, timing, or extent of the auditor's procedures to evaluate the
reliability of the external information. An auditor would design the
procedures considering the wide variety of types of external
information received by companies and differences in the processes for
receiving, maintaining and, where applicable, processing such
information. Further, the nature, timing, and extent of the auditor's
procedures would depend on the purpose for which the auditor uses the
information whose reliability is being evaluated. In general,
performing audit procedures to address the risks of material
misstatement involves obtaining more persuasive evidence than in
performing risk assessment procedures.\53\ Accordingly, evaluating the
reliability of information used in substantive procedures and tests of
controls would require more auditor effort than evaluating the
reliability of information used in risk assessment procedures.
---------------------------------------------------------------------------
\53\ See generally AS 2301.09(a), .18, and .39.
---------------------------------------------------------------------------
2. Emphasizing the Importance of Controls Over Information Technology
The Board proposed several amendments to AS 1105 to emphasize the
importance of controls over information technology for the reliability
of audit evidence. As noted above, auditors obtain from companies, and
use in the performance of audit procedures, large volumes of
information in electronic form. The reliability of such information is
increased when the company's controls over that information--including,
where applicable, ITGCs and automated application controls--are
effective. The Board adopted the amendments to paragraph .10 of AS 1105
as proposed, and amendments to paragraphs .08 and .15 of AS 1105
substantially as proposed, with minor modifications as described below.
Commenters on this topic supported the objective of emphasizing the
importance of controls over information technology in establishing
reliability of information used as audit evidence. Several commenters
opined that the proposed amendments, more specifically the proposed
amendments to paragraph .15 of AS 1105, implied that internal controls,
including ITGCs and automated application controls, would need to be
tested and determined effective in order to determine that the
information is reliable.
The proposed amendments were not intended to imply that (i)
internal controls are required to be tested and effective in order for
the auditor to be able to determine that information is reliable for
purposes of the audit; or (ii) testing other relevant controls is less
important or unnecessary. Rather, the proposed amendments were meant to
highlight to the auditor that certain information is more reliable when
internal controls are effective, and where applicable, those internal
controls include ITGCs and automated
[[Page 54935]]
application controls, which is consistent with existing PCAOB
standards.\54\ The Board's standards also describe scenarios where the
sufficiency and appropriateness of the audit evidence usually depends
on the effectiveness of controls.\55\ The amendments did not change
these existing principles.
---------------------------------------------------------------------------
\54\ See existing AS 1105.08.
\55\ See, e.g., AS 2301.17.
---------------------------------------------------------------------------
Further, in the proposing release the Board explained that the
proposed amendments state ``where applicable'' in relation to the
controls over information technology because information produced by
the company may also include information that is not in electronic
form, or information that is subject to manual controls. One commenter
noted that this explanation was informative and suggested incorporating
it into the amendments. Another commenter also recommended defining
``where applicable'' with clear factors or examples of when ITGCs and
automated application controls would be applicable. Because of the wide
variety of types and sources of information, and ways in which
companies use information, it would be impracticable to specify
scenarios where ITGCs and automated application controls would be
applicable.
Having considered the above comments and the Board's intent to
retain the existing principle in paragraph .08 of AS 1105 that certain
information is more reliable when controls are effective, the Board
modified paragraph .15 of AS 1105 within the final amendments to align
the language with AS 1105.08. In addition, the final amendments to
paragraph .08 were also aligned with the terminology in paragraph .10A
of AS 1105 described above.
Lastly, separate from commenting on the proposed amendments to
paragraph .08 of AS 1105 discussed above, some commenters suggested
amendments to modernize the last bullet point of the paragraph, which
describes that evidence from original documents is more reliable. Three
commenters asserted that the information may exist in different forms
(e.g., paper or electronic form) and may be in a format other than a
document (e.g., unprocessed data). In the views of two of these
commenters, no physical or original document exists when an electronic
data transmission from a customer initiates a transaction in a
company's ERP system. These commenters suggested modernizing the
language to focus on the original form of the audit evidence and any
subsequent conversion, copying, or other modifications. The Board
considered the comments received but did not amend the language because
the bullet points in paragraph .08 of AS 1105 are intended to be
examples of factors that may affect the reliability of audit evidence.
The existing language provides an example of one type of audit
evidence--original documents that have not been converted, copied, or
otherwise modified--which is consistent with the principles suggested
by the commenters.
3. Emphasizing the Importance of Appropriate Disaggregation or Detail
of Information
The Board proposed to amend paragraph .07 of AS 1105 to emphasize
that the relevance of audit evidence depends on the level of
disaggregation or detail of information necessary to achieve the
objective of the audit procedure. Whether an auditor performs tests of
details, substantive analytical procedures, or other tests, technology-
assisted analysis may enable the auditor to analyze large volumes of
information at various levels of disaggregation (e.g., regional or
global) or detail (e.g., relevant characteristics of individual items
such as product type or company division). The appropriate level of
disaggregation or detail of information that the auditor uses as audit
evidence is important for obtaining audit evidence that is relevant in
supporting the auditor's conclusions.\56\ Having considered the
comments received, the Board adopted the amendment as proposed.
---------------------------------------------------------------------------
\56\ See, e.g., PCAOB, Staff Guidance--Insights for Auditors
Evaluating the Relevance and Reliability of Audit Evidence Obtained
From External Sources (Oct. 2021) at 5, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/standards/documents/evaluating-relevance-and-reliability-of-audit-evidence-obtained-from-external-sources.pdf?sfvrsn=48b638b_6.
---------------------------------------------------------------------------
The level of disaggregation or detail that is appropriate depends
on the objective of the audit procedure. For example, when testing the
valuation assertion of residential loans that are measured based on the
fair value of the collateral, disaggregated sales data for residential
properties by geographic location would likely provide more relevant
audit evidence than combined sales data for both commercial and
residential properties by geographic location. In another example, when
performing a substantive analytical procedure and analyzing the
plausibility of relationships between revenue and other information
recorded by the company, using revenue disaggregated by product type
would likely be more relevant for the auditor's analysis and result in
obtaining more relevant audit evidence than if the auditor used the
amount of revenue in the aggregate.
Commenters on this topic were supportive of the proposed amendment
and indicated that it aligned with current practice. Some of these
commenters suggested providing examples, stating that examples would
help auditors in understanding and applying the amendment. Consistent
with the proposal, the final amendment does not prescribe an expected
level of disaggregation or detail, as auditor judgment is needed to
determine the relevance of information based on the objective of the
audit procedure.
4. Updating Certain Terminology in AS 1105
The Board proposed to update certain terminology used to describe
audit procedures for obtaining audit evidence in AS 1105, without
changing the meaning of the corresponding requirements. For example,
considering the greater availability and use of information in
electronic form, the Board proposed to use the term ``information''
instead of the term ``documents and records'' in AS 1105.15 and .19.
Further, to avoid a misinterpretation that only certain procedures
could be performed electronically, the Board proposed to remove the
reference to performing recalculation ``manually or electronically'' in
AS 1105.19. For consistent terminology, the Board also proposed to
replace the terms ``generated internally by the company'' in AS 1105.08
and ``internal'' in AS 1105.15 with the term ``produced by the
company.'' Having considered the comments received, the Board adopted
the amendments to paragraphs .08, .15, and .19 of AS 1105 as proposed.
Commenters on this topic supported the updates to certain
terminology described above, and stated the updated terminology appears
clear and appropriate. One commenter suggested modifying the
terminology in paragraph .19 from ``checking'' to ``testing'' because
testing more clearly describes an audit procedure that is being
performed over the mathematical accuracy of information. Having
considered the comment, the Board retained the existing terminology in
paragraph .19 of ``checking'' to avoid a potential for confusion with
test of details.
Effective Date
The Board determined that the amendments will take effect, subject
to approval by the SEC, for audits of financial statements for fiscal
years
[[Page 54936]]
beginning on or after December 15, 2025.
In the proposing release, the Board sought comment on the amount of
time auditors would need before the amendments become effective, if
adopted by the Board and approved by the SEC. The Board proposed an
effective date for audits with fiscal years ending on or after June 30
in the year after approval by the SEC.
Several, mostly larger firms and firm-related groups, supported an
effective date of audits of financial statements for fiscal years
beginning on or after December 15 at least one year following SEC
approval, or for fiscal years ending on or after December 15 at least
two years following SEC approval. Two commenters supported an effective
date two years after SEC approval. These commenters indicated that this
would give firms the necessary time to update firm methodologies,
tools, and develop and implement training. In addition, several
commenters highlighted that additional time would be needed because of
the potential indirect impact on companies, especially if companies
need to implement or formalize controls or processes around information
received from one or more external sources, and auditors need to verify
that the controls have been designed and implemented appropriately.
Another commenter highlighted that the proposed effective date may be
too soon to allow auditors to update methodologies, provide appropriate
training and effectively implement the standards. In addition, multiple
commenters, mainly accounting firms, suggested that the Board consider
the effective dates for other standard-setting projects when
determining the effective date for the amendments.
The Board appreciates the concerns and preferences expressed by the
commenters. Having considered the requirements of the final amendments,
the differences between the amendments and the existing standards, the
Board's understanding of firms' current practices, and the effective
dates for other Board rulemaking projects, the Board believes that the
effective date, subject to SEC approval, for audits of financial
statements for fiscal years beginning on or after December 15, 2025
will provide auditors with a reasonable time period to implement the
final amendments, without unduly delaying the intended benefits
resulting from these improvements to PCAOB standards, and is consistent
with the Board's mission to protect investors and further the public
interest.
D. Economic Considerations and Application to Audits of Emerging Growth
Companies
Economic Considerations
The Board is mindful of the economic impacts of its standard
setting. This section describes the economic baseline, economic need,
expected economic impacts of the final amendments, and alternative
approaches considered. There are limited data and research findings
available to estimate quantitatively the economic impacts of the final
amendments. Therefore, the Board's economic discussion is largely
qualitative in nature. However, where reasonable and feasible, the
analysis incorporates quantitative information, including descriptive
statistics on the tools that firms use in technology-assisted
analysis.\57\
---------------------------------------------------------------------------
\57\ As noted above, this release uses the term ``technology-
assisted analysis'' in reference to the analysis of information in
electronic form that is performed with the assistance of technology-
based tools. Others, including firms and academics, may refer to
such analysis as ``data analysis'' or ``data analytics.'' The
Board's use of ``data analysis'' or ``data analytics'' was intended
to align with terminology used by the source cited. The terms ``data
analysis'' or ``data analytics'' should not be confused with the
term ``analytical procedures'' that is used in PCAOB standards to
refer to a specific type of audit procedure (see AS 1105.21) that
may be performed with or without the use of information in
electronic form or technology-based data analysis tools.
---------------------------------------------------------------------------
Baseline
The discussion above describes important components of the baseline
against which the economic impact of the final amendments can be
considered, including the Board's existing standards, firms' current
practices, and observations from the Board's oversight activities. The
discussion below focuses on two additional aspects of current practice
that informed the Board's understanding of the economic baseline: (i)
the PCAOB staff's analysis of the tools that auditors use in
technology-assisted analysis; and (ii) research on auditors' use of
technology-assisted analysis.
1. Staff Analysis of Tools That Auditors Use in Technology-Assisted
Analysis
PCAOB staff reviewed information provided by firms pursuant to the
PCAOB's oversight activities regarding tools they use in technology-
assisted analysis. The information identifies and describes tools used
by audit engagement teams. The staff reviewed information provided by
the U.S. global network firms (``GNFs'') as well as seven U.S. non-
affiliated firms (``NAFs'').\58\ The information was first provided for
the 2018 inspection year and was available through the 2023 inspection
year for the GNFs and NAFs analyzed.
---------------------------------------------------------------------------
\58\ The U.S. GNFs are BDO USA P.C., Deloitte & Touche LLP,
Ernst & Young LLP, Grant Thornton LLP, KPMG LLP, and
PricewaterhouseCoopers LLP. U.S. NAF firms include registered firms
that are not global network firms.
---------------------------------------------------------------------------
Firms reported using both internally developed and externally
purchased tools. Some of the externally purchased tools were customized
by the firms. The nature and number of tools varied across firms, and
their use varied with the facts and circumstances of specific audit
engagements. Some firms describe their tools by individual use case or
functionality based on how the tool has been tailored by the firm
(e.g., one tool to test accounts receivable and another tool to test
inventory using the same software program), and other firms describe
their tools grouped by software program, thus affecting the number of
unique tools reported by the firms. Some firms consolidated some of
their tools over time, thus reducing the number of unique tools they
used, although the number of audit engagements on which tools are used
has not decreased. For example, instead of having separate tools to
perform technology-assisted analysis and analytical procedures
performed as part of the auditor's risk assessment, some firms have
consolidated both functions into one tool. Firms generally do not
require the use of such tools on audit engagements.
The average number of tools used by audit engagement teams, as
reported to the PCAOB by the U.S. GNFs, increased from approximately 13
to approximately 18 per firm, or approximately 38%, between 2018 and
2023. In the 2023 inspection year, U.S. GNFs reported that 90% of their
tools are used for data visualization, summarization, tabulation, or
modeling.\59\ All the U.S. GNFs reported using tools to assist in: (i)
identifying and selecting journal entries; and (ii) selecting samples
for testing. The U.S. GNFs reported having tools that support both risk
assessment (e.g., assessing loan risk) and substantive procedures
(e.g., performing journal entry testing or fair value testing). The
U.S. GNFs developed approximately 75% of the reported tools in-house
while the rest were purchased externally. Furthermore, approximately
18% of the U.S. GNFs' tools used cloud computing. Less than 7% of the
U.S. GNFs' tools used blockchain technology, artificial intelligence,
or robotic process automation. All the U.S.
[[Page 54937]]
GNFs' tools used company data and approximately 20% also used third-
party data.
---------------------------------------------------------------------------
\59\ For example, some firms identified Microsoft Power BI and
IDEA as tools used for data visualization, summarization,
tabulation, or modelling.
---------------------------------------------------------------------------
Compared to U.S. GNFs, the U.S. NAFs within the scope of the PCAOB
staff's review reported to the PCAOB using fewer tools. In the 2023
inspection year, on average, the U.S. NAFs reported using approximately
six tools per firm. For a subset of these firms, the average number of
tools increased from approximately two tools per firm to approximately
five tools per firm between 2020 and 2023.\60\ The U.S. NAFs used the
tools to visualize, summarize, and model data. Some of the U.S. NAFs
reviewed use third-party software as their data analysis tools and used
company data (e.g., transactional and journal entry data) as inputs.
One U.S. NAF firm developed an in-house tool to assist with determining
the completeness and accuracy of journal entry data used for testing
journal entries.
---------------------------------------------------------------------------
\60\ Due to changes in the data collection process and changes
in firms' status as annually inspected, data is not available for
all firms in all years. The overall 2023 estimate is based on data
from seven U.S. NAFs, and the 2020-2023 trend data is based on data
from five U.S. NAFs.
---------------------------------------------------------------------------
One commenter asserted that the PCAOB should have information on
firms' use of technology-based tools, as well as firms' improper use of
tools, through its oversight activities. Information obtained through
PCAOB oversight activities regarding firms' use of technology-based
tools is presented here, and information related to firms' improper use
of tools is presented above. As described above, the nature and extent
of the use of technology-based tools in an audit varies by firm and by
individual audit engagement. The Board's rulemaking has been informed
by all relevant information as described in this release.
2. Research on Auditors' Use of Technology-Assisted Analysis
Academic studies regarding the prevalence of technology-based tools
used to analyze information in electronic form and the impacts of using
such tools in audits are limited. However, several recent surveys
provide insights regarding: (i) how auditors have been incorporating
data analytics into their audit approaches; and (ii) potential
impediments to auditors' further implementation of data analytics. One
commenter referenced additional academic research that was not
originally cited in the proposing release. The Board considered this
research and included references to articles that are relevant to the
analysis in this release.\61\
---------------------------------------------------------------------------
\61\ Several of the referenced papers report the results of
experiments examining the behavioral factors associated with
auditors' use of data analytics. These papers consider nuances of
auditor behavior in specific circumstances that may not be
generalizable to other settings because the results are based on
hypothetical, self-reported choices rather than real-world audit
settings. However, their results may be useful for auditors to
consider in their use and implementation of technology-assisted
analysis. See Tongrui Cao, Rong-Ruey Duh, Hun-Tong Tan, and Tu Xu,
Enhancing Auditors' Reliance on Data Analytics Under Inspection Risk
Using Fixed and Growth Mindsets, 97 The Accounting Review 131
(2022). See also Jared Koreff, Are Auditors' Reliance on Conclusions
from Data Analytics Impacted by Different Data Analytic Inputs?, 36
Journal of Information Systems 19 (2022). See also Dereck Barr-
Pulliam, Joseph Brazel, Jennifer McCallen, and Kimberly Walker, Data
Analytics and Skeptical Actions: The Countervailing Effects of False
Positives and Consistent Rewards for Skepticism, available at SSRN
3537180 (2023). See also Dereck Barr-Pulliam, Helen L. Brown-Liburd,
and Kerri-Ann Sanderson, The Effects of the Internal Control Opinion
and Use of Audit Data Analytics on Perceptions of Audit Quality,
Assurance, and Auditor Negligence, 41 Auditing: A Journal of
Practice & Theory 25 (2022).
---------------------------------------------------------------------------
Regarding incorporating data analytics into audit approaches, the
surveys indicate that while the use of data analytics presently may not
be widespread, it is becoming more common in various aspects of the
audit, primarily risk assessment and, to a lesser extent, substantive
procedures. For example, a 2017 survey of U.S. auditors reported that
auditors used data analytics in risk assessment and journal entry
testing.\62\ Also, a survey of Norwegian auditors, some of whom perform
audits under PCAOB standards, reported that data analytics were not
widely used and were used primarily as supplementary evidence. In this
survey, the respondents indicated that data analytics were used
primarily in risk assessment and various types of substantive
procedures, including analytical procedures.\63\ A 2018 to 2019 survey
of auditors in certain larger New Zealand firms reported that auditors
are more frequently encountering accessible, large company data sets
(i.e., data sets from the companies under audit). The respondents
reported that third-party tools to process the data are increasingly
available and allow auditors with less expertise in data analytics to
make effective use of data.\64\ A 2020 Australian study that focused on
big data analytics found that the use of big data analytics has reduced
auditor time spent on manual-intensive tasks and increased time
available for tasks requiring critical thinking and key judgments.\65\
A 2023 Canadian study that also focused on big data analytics found
that big data analytics improves financial reporting quality.\66\
---------------------------------------------------------------------------
\62\ See Ashley A. Austin, Tina D. Carpenter, Margaret H.
Christ, and Christy S. Nielson, The Data Analytics Journey:
Interactions Among Auditors, Managers, Regulation, and Technology,
38 Contemporary Accounting Research 1888 (2021). The survey also
states:
[A]uditors report that they strategically leverage data
analytics to provide clients with business-related insights.
However, regulators voice concerns that this pratice might impair
auditor independence and reduce audit quality.
The final amendments are not intended to suggest that when using
technology-assisted analysis in an audit, auditors do not need to
comply with PCAOB independence standards and rules, and the
independence rules of the SEC. Auditors are still expected to comply
with these standards and rules when uing tehnology-asisted analysis
on an audit engagement.
\63\ See Aasmund Eilifsen, Finn Kinserdal, William F. Messier,
Jr., and Thomas E. McKee, An Exploratory Study into the Use of Audit
Data Analytics on Audit Engagements, 34 Accounting Horizons 75
(2020). The survey appears to have been performed around 2017-2018.
\64\ See Angela Liew, Peter Boxall, and Denny Setiawan, The
Transformation to Data Analytics in Big-Four Financial Audit: What,
Why and How?, 34 Pacific Accounting Review 569 (2022).
\65\ See Michael Kend and Lan Anh Nguyen, Big Data Analytics and
Other Emerging Technologies: The Impact on the Australian Audit and
Assurance Profession, 30 Australian Accounting Review 269 (2020).
\66\ See Isam Saleh, Yahya Marei, Maha Ayoush, and Malik Muneer
Abu Afifa, Big Data Analytics and Financial Reporting Quality:
Qualitative Evidence from Canada, 21 Journal of Financial Reporting
and Accounting 83 (2023).
---------------------------------------------------------------------------
Earlier surveys reported qualitatively similar, though less
prevalent, use of data analytics. For example, a 2016 survey of
Canadian firms reported that 63% and 39% of respondents from large
firms and small to mid-sized firms, respectively, had used data
analytics, most commonly in the risk assessment and substantive
procedures phases. Both groups reported that data analytics were used
to provide corroborative evidence for assertions about classes of
transactions for the period under audit. However, only smaller and mid-
sized firms reported that data analytics were also used to provide
primary evidence for assertions about classes of transactions for the
period under audit and account balances at period end. Furthermore,
only larger firms reported that data analytics were also used to
provide corroborative evidence for assertions about account balances at
period end.\67\
---------------------------------------------------------------------------
\67\ See CPA Canada, Audit Data Analytics Alert: Survey on Use
of Audit Data Analytics in Canada (Sept. 2017) at 7, Exhibit 4 and
10, Exhibit 7.
---------------------------------------------------------------------------
A survey of 2015 year-end audits performed by U.K. firms reported
that the use of data analytics was not as prevalent as the market might
expect, with the most common application being journal entry
testing.\68\ A 2015
[[Page 54938]]
survey of U.K. and EU auditors found that data analytics were being
used in both risk assessment procedures and to perform certain specific
audit procedures (e.g., recalculation).\69\ Finally, a 2014 survey of
U.S. auditors reported that they often use information technology to
perform risk assessment, analytical procedures, sampling, internal
control evaluations, and internal control documentation. The
respondents identified moderate use of data analytics in the context of
client administrative or practice management.\70\
---------------------------------------------------------------------------
\68\ See Financial Reporting Council, Audit Quality Thematic
Review: The Use of Data Analytics in the Audit of Financial
Statements (Jan. 30, 2017) at 11.
\69\ See George Salijeni, Anna Samsonova-Taddei, and Stuart
Turley, Big Data and Changes in Audit Technology: Contemplating a
Research Agenda, 49 Accounting and Business Research 95 (2019).
\70\ See D. Jordan Lowe, James L. Bierstaker, Diane J. Janvrin,
and J. Gregory Jenkins, Information Technology in an Audit Context:
Have the Big 4 Lost Their Advantage?, 32 Journal of Information
Systems 87 (2018). The authors do not define the term ``data
analytics,'' and they present it as an application of information
technology in the audit distinct from other audit planning and audit
testing applications. However, the Board believes it is likely that
some of the applications of information technology reported in the
study would be impacted by the amendments and hence provide relevant
baseline information.
---------------------------------------------------------------------------
Regarding potential impediments to the implementation of data
analytics, surveys indicate that some firms are reluctant to implement
data analytics in their audit approach due to perceived regulatory
risks. For example, one survey found that auditors were cautious about
implementing data analytics due to a lack of explicit regulation.
Respondents reported performing both tests of details that do not
involve data analytics and those that do involve data analytics in
audits under PCAOB standards.\71\ Another survey found that auditors
did not require the use of advanced data analytic tools partly due to
uncertainty regarding how regulatory authorities would perceive the
quality of the audit evidence produced. However, the respondents tended
to agree that both standard setters and the auditing standards
themselves allow information obtained from data analytics to be used as
audit evidence.\72\ A different survey found that some auditors were
reluctant to implement data analytics because the auditing standards do
not specifically address them.\73\ These survey findings are consistent
with other surveys that find auditors structure their audit approaches
to manage regulatory risks arising from inspections, including risks
associated with compliance with PCAOB standards.\74\ One commenter on
the proposed amendments cited a study which noted that ``uncertainty
about regulators' response and acceptance of emerging technologies can
hinder its [emerging technology's] adoption.'' \75\ However, by
contrast, another survey found that the audit regulatory environment
was not commonly cited by respondents as an impediment to the use of
data analytics.\76\
---------------------------------------------------------------------------
\71\ See Austin et al., The Data Analytics Journey 1910. For
similar findings, see also Liew et al., The Transformation 579-580.
\72\ See Eilifsen et al., An Exploratory Study. For similar
findings, see also Felix Krieger, Paul Drews, and Patrick Velte,
Explaining the (Non-) Adoption of Advanced Data Analytics in
Auditing: A Process Theory, 41 International Journal of Accounting
Information Systems 1 (2021).
\73\ See Salijeni et al., Big Data 110.
\74\ See Kimberly D. Westermann, Jeffrey Cohen, and Greg
Trompeter, PCAOB Inspections: Public Accounting Firms on ``Trial,''
36 Contemporary Accounting Research 694 (2019). See also Lindsay M.
Johnson, Marsha B. Keune, and Jennifer Winchel, U.S. Auditors'
Perceptions of the PCAOB Inspection Process: A Behavioral
Examination, 36 Contemporary Accounting Research 1540 (2019).
\75\ See Dereck Barr[hyphen]Pulliam, Helen L.
Brown[hyphen]Liburd, and Ivy Munoko, The Effects of
Person[hyphen]Specific, Task, and Environmental Factors on Digital
Transformation and Innovation in Auditing: A Review of the
Literature, 33 Journal of International Financial Management &
Accounting 337 (2022). This literature review focuses on emerging
technologies broadly. Accordingly, much of the research it discusses
is not directly relevant to the baseline for these amendments.
However, several of the studies it cites are relevant and have
already been discussed in this subsection, for example, Austin et
al., The Data Analytics Journey.
\76\ See CPA Canada, Audit Data Analytics, at Exhibit 10.
---------------------------------------------------------------------------
Overall, the research suggests that auditors' use of technology-
assisted analysis in designing and performing audit procedures is
becoming increasingly prevalent. Some commenters also acknowledged that
the use of technology-assisted analysis is becoming more prevalent. An
investor-related group provided examples of expanded use of technology
by both companies and audit firms, including the use of large,
searchable databases and the development of tools for analyzing large
volumes of data. This provides a baseline for considering the potential
impacts of the final amendments. The research also suggests that some
auditors perceive regulatory risks when implementing data analytics.
Some commenters acknowledged that regulatory uncertainty has been a
factor in firms' hesitance to use technology-assisted analysis. This
provides evidence of a potential problem that standard setting may
address.
Need
Low-quality audits can occur for a number of reasons, including the
following two reasons. First, the company under audit, investors, and
other financial statement users cannot easily observe the procedures
performed by the auditor, and thus the quality of the audit. This leads
to a risk that, unbeknownst to the company under audit, investors, or
other financial statement users, the auditor may perform a low-quality
audit.\77\
---------------------------------------------------------------------------
\77\ See, e.g., Monika Causholli and W. Robert Knechel, An
Examination of the Credence Attributes of an Audit, 26 Accounting
Horizons 631, 632 (2012):
During the audit process, the auditor is responsible or making
decisions concerning risk assessment, total effort, labor
allocation, and the timing and extent of audit procedures that will
be implemented to reduce the residual risk of material
misstatements. As a non-expert, the auditee may not be able to judge
the appropriateness of such decisions. Moreover, the auditee may not
be able to ascertain the extent to which the risk of material
misstatement has been reduced even after the audit is completed.
Thus, information asymmetry exists between the auditee and the
auditor, the benefit of which acrues to the auditor. If such is the
case, the auditor may have incentives to: under-audit, or expend
less audit effort than is required to reduce the uncertainty about
misstatements in the auditee's financial statements to the level
that is appropriate for the auditee.
---------------------------------------------------------------------------
Second, the federal securities laws require that an issuer retain
an auditor for the purpose of preparing or issuing an audit report.
While the appointment, compensation, and oversight of the work of the
registered public accounting firm conducting the audit is, under
Sarbanes-Oxley, entrusted to the issuer's audit committee,\78\ there is
nonetheless a risk that the auditor may seek to satisfy the interests
of the company under audit rather than the interests of investors and
other financial statement users.\79\ This could arise, for example,
through audit committee identification with the company or its
management (e.g., for compensation) or through management influence
over the audit committee's supervision of the auditor, resulting in a
de facto principal-agent relationship between the company and the
auditor.\80\ Effective auditing standards help address these risks by
explicitly assigning responsibilities to the auditor that, if executed
properly, are expected to result in high-quality audits that satisfy
the interests of
[[Page 54939]]
audited companies, investors, and other financial statement users.
---------------------------------------------------------------------------
\78\ See section 301 of Sarbanes-Oxley, 15 U.S.C 78f(m) (also
requiring that the firm ``report directly to the audit committee'').
As an additional safeguard, the auditor is also required to be
independent of the audit client. See 17 CFR 210.2-01.
\79\ See, e.g., Joshua Ronen, Corporate Audits and How to Fix
Them, 24 Journal of Economic Perspectives 189 (2010).
\80\ See id.; see also, e.g., Liesbeth Bruynseels and Eddy
Cardinaels, The Audit Committee: Management Watchdog or Personal
Friend of the CEO?, 89 The Accounting Review 113 (2014); Cory A.
Cassell, Linda A. Myers, Roy Schmardebeck, and Jian Zhou, The
Monitoring Effectiveness of Co-Opted Audit Committees, 35
Contemporary Accounting Research 1732 (2018); Nathan R. Berglund,
Michelle Draeger, and Mikhail Sterin, Management's Undue Influence
over Audit Committee Members: Evidence from Auditor Reporting and
Opinion Shopping, 41 Auditing: A Journal of Practice & Theory 49
(2022).
---------------------------------------------------------------------------
Economic theory suggests that technology is integral to the
auditor's production function--i.e., the quantities of capital and
labor needed to produce a given level of audit quality. As technology
evolves, so do the quantities of capital and labor needed to produce a
given level of audit quality.\81\ Auditing standards that do not
appropriately accommodate the evolution of technology may therefore
inadvertently deter or insufficiently facilitate improvements to the
audit approach. Risk-averse auditors may be especially cautious about
incorporating significant new technological developments into their
audit approaches because they may be either unfamiliar with the
technology or unsure whether a new audit approach would comply with the
PCAOB's auditing standards. On the other hand, auditing standards that
are too accommodative (e.g., by not adequately addressing the
reliability of information used in a technology-based analysis) may not
sufficiently address potential risks to audit quality arising from new
audit approaches.
---------------------------------------------------------------------------
\81\ See Gregory N. Mankiw, Principles of Economics (6th ed.
2008) at 76 (discussing how technology shifts the supply curve).
---------------------------------------------------------------------------
As described above, since 2010, when the PCAOB released a suite of
auditing standards related to the auditor's assessment of and response
to risk, two key technological developments have occurred. First, ERP
systems that structure and house large volumes of information in
electronic form have become more prevalent among companies. For
example, one study reports that the global ERP market size increased by
60% between 2006 and 2012.\82\ As a result, auditors have greater
access to large volumes of company-produced and third-party information
in electronic form that may potentially serve as audit evidence.
Second, the use of more sophisticated data analysis tools has become
more prevalent among auditors.\83\ As noted above, the PCAOB staff's
analysis of the tools that firms use in technology-assisted analysis
indicated that the number of such tools used by U.S. GNFs in audits
increased by 38% between 2018 and 2023.\84\ One commenter noted that
the advancement of analytical tools has increased auditor capabilities
in data preparation and data validation.
---------------------------------------------------------------------------
\82\ See Adelin Trusculescu, Anca Draghici, and Claudiu Tiberiu
Albulescu, Key Metrics and Key Drivers in the Valuation of Public
Enterprise Resource Planning Companies, 64 Procedia Computer Science
917 (2015).
\83\ This may be caused in part by a decrease in the quality-
adjusted cost of software (i.e., the cost of software holding
quality fixed). For example, see U.S. Bureau of Economic Analysis,
``Table 5.6.4. Price Indexes for Private Fixed Investment in
Intellectual Property Products by Type'' available at https://apps.bea.gov/iTable/?reqid=19&step=3&isuri=1&nipa_table_list=330&categories=survey&_gl=1*k50itr*_ga*MTMyMjk5NTAzMS4xNzA5ODQ0OTEx*_ga_J4698JNNFT*MTcwOTg0NDkxMS4xLjAuMTcwOTg0NDkxMS42MC4wLjA (accessed June 3, 2024) (indicating
that the price index for capital formation in software by the
business sector has decreased by approximately 12% between 2010 and
2022). In preparing its price indices, the U.S. Bureau of Economic
Analysis attempts to control for changes in product quality over
time. Improvements to product quality may have contributed to some
increase in the cost of software, including some of the software
that can process large volumes of data.
\84\ See discussion above. See also Lowe et al., Information
Technology 95 (reporting an increase in the use of information
technology in audits between 2004 and 2014).
---------------------------------------------------------------------------
These recent technological developments have been changing the way
technology-assisted analysis is used in audits, as discussed in more
detail above. Although PCAOB standards related to the auditor's
assessment of and response to risk generally were designed to apply to
audits that use information technology, they may be less effective in
providing direction to auditors if the standards do not address certain
advancements in the use of technology-assisted analysis in audits.
Modifying existing PCAOB standards through the final amendments
addresses this risk, as discussed below. Many commenters, including an
investor-related group, indicated there was a need for such standard
setting given that the use of information in electronic form, and the
use of technology-based tools by companies and their auditors to
analyze such information, have expanded significantly since these
standards were developed.
The remainder of this section discusses the specific problem that
the final amendments are intended to address and how the amendments
address it.
1. Problem To Be Addressed
Audit procedures that involve technology-assisted analysis may be
an effective way to obtain persuasive audit evidence. Although the
Board's research showed that auditors are using technology-assisted
analysis to obtain audit evidence, it also indicated that existing
PCAOB standards could address more specifically certain aspects of
designing and performing audit procedures that involve technology-
assisted analysis. As discussed in detail above, these aspects include
specifying auditors' responsibilities when performing tests of details,
using an audit procedure for more than one purpose, investigating
certain items identified by the auditor when performing a test of
details, and evaluating the reliability of information the company
receives from one or more external sources that is provided to the
auditor in electronic form and used as audit evidence.
Consequently, under existing standards, there is a risk that when
using technology-based tools to design and perform audit procedures
that involve technology-assisted analysis, an auditor may issue an
auditor's report without having obtained sufficient appropriate audit
evidence to provide a reasonable basis for the opinion expressed in the
report. For example, if an auditor does not appropriately investigate
certain items identified though technology-assisted analysis when
performing a test of details, the auditor may not identify a
misstatement that would need to be evaluated under PCAOB standards. In
another example, if an auditor does not appropriately evaluate the
level of disaggregation of certain information maintained by the
company, the auditor would not be able to determine, under PCAOB
standards, whether the evidence obtained is relevant to the assertion
being tested.\85\
---------------------------------------------------------------------------
\85\ See, e.g., Helen Brown-Liburd, Hussein Issa, and Danielle
Lombardi, Behavioral Implications of Big Data's Impact on Audit
Judgment and Decision Making and Future Research Directions, 29
Accounting Horizons 451 (2015) (discussing how irrelevant
information may limit the value of data analysis). See also
Financial Reporting Council, Audit Quality.
---------------------------------------------------------------------------
Furthermore, there is a risk that auditors may choose not to
involve technology-assisted analysis in the audit procedures they
perform, even if performing such procedures would be a more effective,
and may also be a more efficient, way of obtaining audit evidence. For
example, an auditor may choose not to perform a substantive procedure
that involves technology-assisted analysis if the auditor cannot
determine whether the procedure would be considered a test of details
under existing standards.
2. How the Final Amendments Address the Need
The final amendments address the risk that the auditor may not
obtain sufficient appropriate audit evidence when addressing one or
more financial statement assertions. For example, the final amendments:
(i) specify considerations for the auditor when items are identified
for further investigation as part of performing a test of details; \86\
(ii) specify procedures the auditor should perform to evaluate the
reliability of information the company receives from one or more
external
[[Page 54940]]
sources and that is provided to the auditor in electronic form and used
as audit evidence; \87\ and (iii) clarify that if the auditor uses an
audit procedure for more than one purpose, the auditor should achieve
each objective of the procedure.\88\
---------------------------------------------------------------------------
\86\ See detailed discussion above.
\87\ See detailed discussion above.
\88\ See detailed discussion above.
---------------------------------------------------------------------------
The final amendments also address the risk that auditors may choose
not to perform audit procedures involving technology-assisted analysis
by: (i) specifying responsibilities when performing tests of details;
\89\ and (ii) clarifying that an audit procedure may be used for more
than one purpose.\90\ Collectively, the amendments should lead auditors
to perceive less risk of noncompliance with PCAOB standards when using
technology-assisted analysis.
---------------------------------------------------------------------------
\89\ See detailed discussion above.
\90\ See detailed discussion above.
---------------------------------------------------------------------------
Economic Impacts
This section discusses the expected benefits and costs of the final
amendments and potential unintended consequences. In the proposing
release, the Board noted that it expected the economic impact of the
amendments, including both benefits and costs, to be relatively modest.
Some commenters disagreed with the characterization of costs and
benefits as ``modest,'' stating that both costs and benefits of
technology-assisted analysis can be substantial. However, the Board did
not attempt to describe the overall costs and benefits of the use of
technology-assisted analysis, but rather the marginal impact of the
final amendments. It is difficult to quantify the benefits and costs
because the final amendments do not require the adoption of any
specific tools for technology-assisted analysis or that the auditor
perform technology-assisted analysis. Some firms may choose to increase
their investments in technology, and others may choose to make minimal
changes to their existing audit practices. In general, the Board
expects that firms will incur costs to implement or expand the use of
technology-assisted analysis if firms determine that the benefits of
doing so justify the costs. The Board included qualitative references
to the benefits and costs associated with the use of technology-
assisted analysis, including those raised by commenters.
1. Benefits
The final amendments may lead auditors to design and perform audit
procedures more effectively, because they clarify and strengthen
requirements of AS 1105 and AS 2301 related to aspects of designing and
performing audit procedures that involve technology-assisted analysis.
More effective audit procedures may lead to higher audit quality, more
efficient audits, lower audit fees, or some combination of the three.
To the extent the amendments lead to higher audit quality, they should
benefit investors and other financial statement users by reducing the
likelihood that the financial statements are materially misstated,
whether due to error or fraud.
An increase in audit quality should in turn benefit investors as
they may be able to use the more reliable financial information to
improve the efficiency of their capital allocation decisions (e.g.,
investors may more accurately identify companies with the strongest
prospects for generating future risk-adjusted returns and allocate
their capital accordingly). Some commenters stated that the proposed
amendments would benefit investors and the general public by reducing
audit failures. One commenter stated that the analysis in the proposing
release appeared to suggest that existing financial information and
audits are ``less reliable.'' The Board's intent was not to suggest
that existing audits are unreliable, but rather that the proposed
amendments may increase audit quality, which should in turn increase
investors' confidence in the information contained in financial
statements. In theory, if investors perceive less risk in capital
markets generally, their willingness to invest in capital markets may
increase, and thus the supply of capital may increase. An increase in
the supply of capital could increase capital formation while also
reducing the cost of capital to companies.\91\ The Board is unable to
quantify in precise terms this potential benefit, which would depend
both on how audit firms respond to the standard and on how their
response affects audit quality, factors that are likely to vary across
audit firms and across engagements. Auditors also are expected to
benefit from the final amendments because the additional clarity
provided by the amendments should reduce regulatory uncertainty and the
associated compliance costs. Specifically, the final amendments should
provide auditors with a better understanding of their responsibilities,
which in turn should reduce the risk that auditors design and perform
potentially unnecessary audit procedures (e.g., potentially duplicative
audit procedures).
---------------------------------------------------------------------------
\91\ See, e.g., Hanwen Chen, Jeff Zeyun Chen, Gerald J. Lobo,
and Yanyan Wang, Effects of Audit Quality on Earnings Management and
Cost of Equity Capital: Evidence from China, 28 Contemporary
Accounting Research 892 (2011); Richard Lambert, Christian Leuz, and
Robert E. Verrecchia, Accounting Information, Disclosure, and the
Cost of Capital, 45 Journal of Accounting Research 385 (2007).
---------------------------------------------------------------------------
Most commenters agreed that the proposed amendments would allow
auditors to design and perform audit procedures more effectively,
ultimately leading to higher quality audits. Some commenters identified
specific benefits to audit quality resulting from increased use of
technology-assisted analysis, such as the ability to automate some
repetitive tasks and to improve the performance of risk assessment
procedures and fraud and planning procedures. One commenter stated that
the proposed amendments could result in the ineffective use of
analytics if there is implicit pressure for firms to adopt technology-
assisted analysis without appropriately preparing for its use, and
another stated that the proposed amendments may not change the
likelihood of not obtaining sufficient appropriate audit evidence. As
discussed below, the final amendments are principles-based and are
intended to clarify auditors' responsibilities when using technology-
assisted analysis.
The following discussion describes the benefits of key aspects of
the final amendments that are expected to impact auditor behavior. To
the extent that a firm has already incorporated aspects of the
amendments into its methodology, some of the benefits described below
would be reduced.\92\
---------------------------------------------------------------------------
\92\ See discussion above.
---------------------------------------------------------------------------
i. Decreasing the Likelihood of Not Obtaining Sufficient Appropriate
Audit Evidence
The final amendments are expected to enhance audit quality by
decreasing the likelihood that an auditor who performs audit procedures
using technology-assisted analysis will issue an auditor's report
without obtaining sufficient appropriate audit evidence that provides a
reasonable basis for the opinion expressed in the report. For example,
the final amendments specify auditors' responsibilities for
investigating items identified when performing a test of details. In
another example, the final amendments specify auditors'
responsibilities for evaluating the reliability of certain information
provided by the company in electronic form and used as audit evidence.
As a result, auditors may be more likely to obtain sufficient
appropriate audit evidence when designing and performing audit
procedures that use
[[Page 54941]]
technology-assisted analysis, resulting in higher audit quality. As
described above, the higher audit quality should benefit investors and
other financial statement users by reducing the likelihood that the
financial statements are materially misstated, whether due to error or
fraud. These potential benefits to audit quality apply both to audit
engagements where auditors currently incorporate technology-assisted
analysis into their audit approach and audit engagements where auditors
have been previously reluctant to use technology-assisted analysis
because of the risk of noncompliance.
ii. Greater Use of Technology-Assisted Analysis
The final amendments may lead to some increase in the use of
technology-assisted analysis by auditors when designing and performing
multi-purpose audit procedures and tests of details. For example, the
final amendments clarify the description of a ``test of details.'' As a
result of this clarification, auditors may make greater use of
technology-assisted analysis when designing or performing tests of
details because they may perceive a reduction in noncompliance risk.
Notwithstanding the associated fixed and variable costs, greater
use of technology-assisted analysis by the auditor when designing or
performing audit procedures may allow the auditor to perform
engagements with fewer resources, which may increase the overall
resources available to perform audits.\93\ In economic terms, it may
increase the supply of audit quality.\94\ For example, obtaining
sufficient appropriate audit evidence by using technology-assisted
analysis may require fewer staff hours than obtaining the evidence
manually. Current labor shortages of qualified individuals and
decreases in accounting graduates and new CPA examination candidates
amplify the value of gathering sufficient appropriate audit evidence
with fewer staff hours.\95\
---------------------------------------------------------------------------
\93\ See below (discussing costs associated with greater use of
technology-assisted analysis).
\94\ For purposes of this discussion, ``audit quality'' refers
to assurance on the financial statements provided by the auditor to
the users of the financial statements. The ``supply of audit
quality'' is the relationship between audit quality and incremental
cost to the auditor. An ``increase in the supply of audit quality''
occurs when the incremental costs of audit quality decrease (e.g.,
due to technological advances) and the auditor is able to profitably
provide more audit quality at a given cost.
\95\ See, e.g., AICPA Private Companies Practice Section, 2022
PCPS CPA Top Issues Survey (2022); AICPA, 2021 Trends: A Report on
Accounting Education, the CPA Exam and Public Accounting Firms'
Hiring of Recent Graduates (2021).
---------------------------------------------------------------------------
Apart from consideration of demands from the audited company,
discussed in greater detail below, the efficiencies that may arise from
greater utilization of technology-assisted analysis would be retained
by the auditor in the form of higher profit. However, to better address
regulatory, litigation, or reputational risks, the auditor may choose
to redeploy engagement-level resources to other work. For example,
auditors may shift staff resources to audit areas or issues that are
more complex or require more professional judgment.\96\
---------------------------------------------------------------------------
\96\ See, e.g., Salijeni et al., Big Data.
---------------------------------------------------------------------------
As a result of the greater use of technology-assisted analysis by
auditors, some companies may be able to obtain a higher level of audit
quality or renegotiate their audit fee, or both. The outcome would
likely vary by company depending on the competitiveness of the
company's local audit market and the company's audit quality
expectations. For example, negotiating power may be smaller for larger
multinational companies, which may have fewer auditor choices, than for
smaller companies, which may have more auditor choices. Furthermore,
some companies may expect their auditor to reassign engagement team
staff resources from repetitive or less complex audit procedures to
more judgmental aspects of the audit. Other companies may expect the
engagement team to perform the audit with fewer firm resources (e.g.,
fewer billable hours). Some research suggests that most companies
prefer audit fee reductions in response to their auditor's greater use
of data analytics.\97\
---------------------------------------------------------------------------
\97\ See Austin et al., The Data Analytics Journey.
---------------------------------------------------------------------------
Because the final amendments do not require the auditor to use
technology-assisted analysis when designing and performing audit
procedures, the associated benefits would likely be limited to cases
where auditors determine that their benefits justify their costs,
including any fixed costs required to update the auditor's approach
(e.g., update methodologies, provide training). The fixed costs may be
significant; however, some firms may have incurred some of these costs
already.\98\ Moreover, despite the continued tendency of companies to
adopt ERP systems to house their accounting and financial reporting
data, some companies' data may remain prohibitively difficult to obtain
and analyze, thus limiting the extent to which the auditor can use
technology-assisted analysis.\99\ Some survey research also suggests
that some firms lack sufficient staff resources to appropriately deploy
data analysis.\100\ Collectively, these private costs may deter some
auditors from incorporating technology-assisted analysis into their
audit approach and thereby reduce the potential benefits associated
with greater use of technology-assisted analysis.
---------------------------------------------------------------------------
\98\ See discussion above, discussing increased availability of
data analytic tools at larger firms and Austin et al., The Data
Analytics Journey 1908.
\99\ See, e.g., Austin et al., The Data Analytics Journey 1906.
\100\ See, e.g., Saligeni et al., Big Data 108. See also CPA
Canada, Audit Data Analytics. However, some more recent survey
research suggests that auditors tend to agree that they have the
technical expertise to deploy data analytics. See Eilifsen et al.,
An Exploratory Study 84.
---------------------------------------------------------------------------
Some commenters suggested that audit fees are unlikely to decrease
as a result of increased use of technology-assisted analysis due
primarily to the costs involved with using technology-assisted
analysis. One commenter stated that the Board's analysis in the
proposal focused on reducing costs (which could put downward pressure
on audit fees), and suggested that the analysis should focus instead on
enabling auditors to shift resources to higher risk areas of the audit,
which should increase audit quality. Another commenter urged the PCAOB
not to include commentary that relates the greater use of technology-
assisted analysis to lower audit fees on the grounds that the proposing
release underestimated the costs to smaller firms of designing,
implementing, and operating technology-assisted analysis. The commenter
added that such commentary could have the unintended effect of
encouraging firms to reduce costs and therefore choose to use analytics
ineffectively or choose not to implement technology-assisted analysis.
A different commenter noted that the ``supposition that efficiencies
would accrue to the firms, potentially impacting audit efficiencies or
even audit fees, is beyond the Board's charge of improving audit
quality.'' The Board acknowledged that there can be significant costs
associated with the use of technology-assisted analysis, particularly
with the initial implementation of technology-assisted analysis tools,
which some firms may pass on to audited companies in the form of higher
audit fees, at least in the short term. However, the Board noted that
the final amendments do not require the use of technology-assisted
analysis, and academic studies suggest that greater use of data
analytics could reduce audit fees.\101\
---------------------------------------------------------------------------
\101\ See Austin et al., The Data Analytics Journey 1891.
---------------------------------------------------------------------------
[[Page 54942]]
One commenter stated that the PCAOB should be ``agnostic'' about
the use of audit technology and should focus on audit quality rather
than audit efficiency. The Board believes that the PCAOB's focus on
audit quality does not preclude it from considering the effect of audit
efficiency on the Board's stakeholders. Furthermore, audit efficiencies
in one area may allow auditors to redeploy resources to other audit
areas that are more complex or require more professional judgment,
resulting in increased audit quality.
2. Costs
To the extent that firms make changes to their existing audit
approaches as a result of the final amendments, they may incur certain
fixed costs (i.e., costs that are generally independent of the number
of audits performed), including costs to: update audit methodologies,
templates, and tools; prepare training materials; train their staff;
and develop or purchase software. GNFs and some NAFs are likely to
update their methodologies using internal resources, whereas other NAFs
are likely to purchase updated methodologies from external vendors.
In addition, firms may incur certain engagement-level variable
costs. For example, the final amendments related to evaluating whether
certain information provided by the company in electronic form and used
as audit evidence is reliable could require additional time and effort
by engagement teams that use such information in performing audit
procedures. This additional time, and therefore the resulting variable
costs, may be less on integrated audits or financial-statement audits
that take a controls reliance approach because, in these cases,
internal controls over the information, including ITGCs and automated
application controls, may already be tested. As another example, some
firms may incur software license fees that vary by the number of users.
To the extent that auditors incur higher costs to implement the
amendments and can pass on at least part of the increased costs through
an increase in audit fees, audited companies may also incur an indirect
cost.
Some commenters stated that they do not believe the fixed and
variable cost increases will be modest as stated in the proposal, and
that the evolution of technology-assisted analysis may render tools and
training obsolete, requiring renewed investment at regular intervals.
One of these commenters referenced increased resource costs such as the
need to investigate items identified through technology-assisted
analysis. One commenter stated that the proposing release
mischaracterized the costs to NAFs of implementing technology-assisted
analysis. This commenter noted that costs could include a learning
curve for new technology adoption, increased costs of hiring engagement
team members with appropriate skill sets, obtaining reliable data, and
the development or purchase of software tools. Another stated that some
audit firms already use technology, so both costs and benefits would be
modest for those firms. As the Board discussed in the proposal and as
reiterated above, the final amendments do not require the use of
technology-assisted analysis. Therefore, the costs discussed by these
commenters would occur only if firms determined it was in their best
interest to incur them.
Some aspects of the final amendments may result in more or
different costs than others. The following discussion describes the
potential costs associated with specific aspects of the amendments.
i. Potential Additional Audit Procedures and Implementation Costs
The final amendments clarify and specify auditor responsibilities
when designing and performing audit procedures that involve technology-
assisted analysis. As a result, some auditors may perform incremental
procedures to comply with the final amendments, which may lead to
incremental costs. For example, in addition to applying technology-
assisted analysis when testing specific items in the population, some
auditors may address the items not selected for testing by performing
other substantive procedures if the auditor determines that there is a
reasonable possibility of a risk of material misstatement in the items
not selected for testing (i.e., the remaining population). To the
extent that auditors currently do not fulfill their responsibilities
under existing PCAOB standards related to the remaining population when
there is a reasonable possibility of a risk of material misstatement,
those firms may incur one-time costs to update firm methodologies and
ongoing costs related to fulfilling their responsibilities. In another
example, an auditor may determine that incremental procedures are
necessary to evaluate the reliability of external information provided
by the company in electronic form.. These incremental procedures may
apply to audit engagements where auditors currently incorporate
technology-assisted analysis into their audit approach, and audit
engagements where auditors have been reluctant to use technology-
assisted analysis due to the risk of noncompliance.
At the firm level, some firms may incur relatively modest fixed
costs to update their methodologies and templates (e.g., documentation
templates) or customize their technology-based tools. Firms may also
need to prepare training materials and train their staff. Firms may
incur relatively modest variable costs if they determine that
additional time and effort on an individual audit engagement is
necessary in order to comply with the final amendments. For example, a
firm may incur additional variable costs to investigate items
identified when performing a test of details.
ii. Greater Use of Technology-Assisted Analysis
As discussed above, the final amendments do not require the use of
technology-assisted analysis in an audit. However as noted above, the
final amendments may lead to some increase in the use of technology-
assisted analysis by auditors when designing and performing multi-
purpose audit procedures and tests of details. The greater use of
technology-assisted analysis by the auditor may allow the auditor to
perform engagements with fewer resources. However, this potential
efficiency benefit would likely be offset, in part, by fixed and
variable costs to the audit firm. Fixed costs may be incurred to
incorporate technology-assisted analysis into the audit approach. For
example, some firms may purchase, develop, or customize new tools.\102\
Some firms may choose to hire programmers to develop tools internally.
Firms may also incur fixed costs to obtain an understanding of
companies' information systems.\103\ Some commenters stated that the
costs to research, develop, and implement technology-assisted analysis
can be significant. They also stated that rapid technological
advancements require continual investment by audit firms to keep pace.
Because the final amendments do not require the adoption of technology-
assisted analysis, any such investments by firms would be made only if
they determine that the benefits justify the costs.
---------------------------------------------------------------------------
\102\ See Financial Reporting Council, Audit Quality. See also
Austin et al., The Data Analytics Journey 1908.
\103\ See Eilifsen et al., An Exploratory Study 71 (discussing
how audit data analytics are used less often when the company does
not have an integrated ERP/IT system). See also Financial Reporting
Council, Audit Quality.
---------------------------------------------------------------------------
Relatively modest variable costs may be incurred to use technology-
assisted
[[Page 54943]]
analysis on individual audit engagements. For example, firms may incur
variable costs associated with preparing company data for analysis or
updating their technology-based tools. Several commenters stated that
there are costs associated with obtaining or preparing data in a format
that can be utilized by specific tools for technology-assisted
analysis. In another example, a firm may incur variable costs to obtain
specialized expertise for using technology-assisted analysis on audit
engagements. For example, a firm data analytics specialist may be used
on an audit engagement to automate certain aspects of data preparation
or design and perform a custom technology-assisted analysis. One
commenter noted that the investigation of items identified by
technology-assisted analysis requires resources such as the involvement
of personnel who are skilled in interpreting the results of technology-
assisted analysis. As a result, according to the commenter, the use of
technology-assisted analysis may not necessarily reduce costs and may
increase costs. As discussed above, auditors may increase audit fees
due to costs associated with the use of technology-assisted analysis,
passing along some of those costs to audited companies.
Several factors may limit the costs associated with greater use of
technology-assisted analysis in an audit. First, the costs would likely
be incurred by a firm only if it determined that the private benefits
to it would exceed the private costs. Second, some firms have already
made investments to incorporate technology-assisted analysis in audits.
Finally, the cost of software that can process and analyze large
volumes of data has been decreasing.\104\
---------------------------------------------------------------------------
\104\ See discussion above.
---------------------------------------------------------------------------
3. Potential Unintended Consequences
In addition to the benefits and costs discussed above, the final
amendments could have unintended economic impacts. The following
discussion describes potential unintended consequences considered by
the Board and, where applicable, factors that mitigate them. These
include actions taken by the Board as well as the existence of other
countervailing forces.
i. Reduction in the Use of Technology-Assisted Analysis
It is possible that, as a result of the final amendments, some
auditors could reduce their use of technology-assisted analysis. This
could occur if the final amendments were to lead firms to conclude that
the private benefits would not justify the private costs of involving
technology-assisted analysis in their audit approach. For example, the
final amendments specify considerations for investigating items
identified by the auditor when performing a test of details and
procedures for evaluating the reliability of certain information the
company receives from one or more external sources and used as audit
evidence. As discussed above, such additional responsibilities could
lead to fixed costs at the firm level and variable costs at the
engagement level. As a result, some auditors may choose not to use
audit procedures that involve technology-assisted analysis.
Several factors would likely mitigate any negative effects
associated with this potential unintended consequence. First, the Board
believes that any decrease in the use of technology-assisted analysis
would likely arise from a reduction in the performance of audit
procedures that would not have contributed significantly to providing
sufficient appropriate audit evidence. This development would therefore
probably benefit, rather than detract from, audit quality. For example,
currently some auditors might not appropriately investigate items
identified when using technology-assisted analysis in performing tests
of details. The amendments specify auditors' responsibilities for
investigating the items identified. If auditors view the requirement as
too costly to implement, they may instead choose to perform audit
procedures that do not involve the use of technology-assisted analysis.
If the other procedures chosen by the auditor provide sufficient
appropriate audit evidence, the reduction in the performance of audit
procedures that involve technology-assisted analysis (where auditors
did not appropriately investigate items identified) would benefit audit
quality.
Second, any reduction in the use of technology-assisted analysis
resulting from certain of the amendments, such as in the above
scenario, may be offset by the greater use of technology-assisted
analysis in other scenarios. For example, as discussed above, the final
amendments clarify the description of a ``test of details.'' As a
result, auditors may make greater use of technology-assisted analysis
in performing tests of details because they may perceive a reduction in
noncompliance risk.
Finally, because the final amendments are principles-based,
auditors will be able to tailor their work subject to the amendments to
the facts and circumstances of the audit. For example, the amendments
do not prescribe procedures for investigating items identified when
performing a test of details. Rather, the auditor will be able to
structure the investigation based on, among other things, the type of
analysis and the assessed risks of material misstatement.\105\
---------------------------------------------------------------------------
\105\ See discussion above.
---------------------------------------------------------------------------
Some commenters stated that the proposed amendments could
potentially deter auditors from using technology-assisted analysis; in
contrast, others said that the proposed amendments could potentially
pressure auditors to use technology-assisted analysis. As outlined
above, the final amendments, consistent with the proposal, do not
require the use of technology-assisted analysis, and the Board believes
that auditors will use technology-assisted analysis to the extent that
it allows them to perform audit procedures in a more efficient or
effective manner. Some commenters expressed appreciation for PCAOB
standards that allow auditors to employ appropriate audit procedures
based on the facts and circumstances of the audit engagement. They
agreed with the scalable, principles-based approach that allows for use
of technology-assisted analysis to the extent that it is effective and
efficient, taking into consideration the firm size, company size, and
other circumstances of the audit engagement.
ii. Inappropriately Designed Multi-Purpose Audit Procedures
It is possible that some auditors could view the final amendments
as allowing any audit procedure that involves technology-assisted
analysis to be considered a multi-purpose procedure. Auditors who hold
this view may fail to design and perform audit procedures that provide
sufficient appropriate audit evidence. This potential unintended
consequence would be mitigated by: (i) existing requirements of PCAOB
standards; and (ii) the amendment to paragraph .14 of AS 1105.
Existing PCAOB standards address auditors' responsibilities for
designing and performing procedures to identify, assess, and respond to
risks of material misstatement and obtaining sufficient appropriate
audit evidence.\106\ Auditor responsibilities established by existing
PCAOB standards apply to the performance of both audit procedures that
are designed to achieve a single objective and audit procedures that
are designed to achieve multiple objectives. Further, existing
standards specify auditor responsibilities in certain scenarios that
involve multi-purpose audit procedures. For example, existing PCAOB
standards provide that an audit
[[Page 54944]]
procedure may serve as both a risk assessment procedure and a test of
controls provided that the auditor meets the objectives of both
procedures.\107\ In another example, existing PCAOB standards provide
that audit procedures may serve as both a test of controls and a
substantive procedure provided that the auditor meets the objectives of
both procedures.\108\
---------------------------------------------------------------------------
\106\ See, e.g., AS 2110 and AS 2301.
\107\ See AS 2110.39.
\108\ See AS 2301.47.
---------------------------------------------------------------------------
In addition, the amendment to paragraph .14 of AS 1105 would
further mitigate the risk that auditors fail to design and perform
multi-purpose audit procedures. The amendment would emphasize the
auditor's responsibility to achieve particular objectives specified in
existing PCAOB standards when using audit evidence from an audit
procedure for multiple purposes.
iii. Disproportionate Impact on Smaller Firms
It is possible that the costs of the final amendments could
disproportionately impact smaller firms. As discussed in Section IV.C.2
above, increased use of technology-assisted analysis may require
incremental investment and specialized skills. Smaller firms have fewer
audit engagements over which to distribute fixed costs (i.e., they lack
economies of scale). As a result, smaller firms may be less likely than
larger firms to increase their use of technology-assisted analysis when
designing and performing multi-purpose audit procedures and tests of
details. Although the final amendments do not require auditors to use
technology-assisted analysis, a choice not to use it may negatively
impact smaller firms' ability to compete with larger firms (e.g., if
using technology-assisted analysis is expected by prospective users of
the auditor's report). One commenter stated that the costs of using
technology-assisted analysis could be significant and cause audits
performed by small and mid-sized accounting firms to be uneconomical.
This potential unintended negative consequence would be mitigated
by several factors. First, the fixed costs associated with the
amendments may be offset by engagement-level efficiencies which may
increase the competitiveness of smaller firms. Second, as discussed
above, the costs associated with acquiring and incorporating
technology-based analytical tools into firms' audit approaches have
been decreasing and may continue to decrease. Third, while reduced
competition may result in higher audit fees,\109\ it may also reduce
companies' opportunity to opinion shop, thereby positively impacting
audit quality.\110\ In contrast, some literature suggests that reduced
competition may have a negative effect on audit quality.\111\
---------------------------------------------------------------------------
\109\ See, e.g., Joshua L. Gunn, Brett S. Kawada, and Paul N.
Michas, Audit Market Concentration, Audit Fees, and Audit Quality: A
Cross-Country Analysis of Complex Audit Clients, 38 Journal of
Accounting and Public Policy 1 (2019).
\110\ See, e.g., Nathan J. Newton, Julie S. Persellin, Dechun
Wang, and Michael S. Wilkins, Internal Control Opinion Shopping and
Audit Market Competition, 91 The Accounting Review 603 (2016);
Nathan J. Newton, Dechun Wang, and Michael S. Wilkins, Does a Lack
of Choice Lead to Lower Quality?: Evidence from Auditor Competition
and Client Restatements, 32 Auditing: A Journal of Practice & Theory
31 (2013).
\111\ See, e.g., Jeff P. Boone, Inder K. Khurana, and K.K.
Raman, Audit Market Concentration and Auditor Tolerance for Earnings
Management, Contemporary Accounting Research 29 (2012); Nicholas J.
Hallman, Antonis Kartapanis, and Jaime J. Schmidt, How Do Auditors
Respond to Competition? Evidence From the Bidding Process, Journal
of Accounting and Economics 73 (2022).
---------------------------------------------------------------------------
Finally, any negative impact on the smaller firms' ability to
compete with larger firms would likely be limited to smaller and mid-
sized companies because smaller firms may lack the economies of scale
and multi-national presence to compete for the audits of larger
companies. Indeed, there is some evidence that smaller and larger audit
firms do not directly compete with each other in some segments of the
audit market \112\ although some research suggests that smaller and
larger firms do compete locally in some cases.\113\
---------------------------------------------------------------------------
\112\ See, e.g., GAO Report No. GAO-03-864, Public Accounting
Firms: Mandated Study on Consolidation and Competition (July 2003).
\113\ See, e.g., Kenneth L. Bills and Nathaniel M. Stephens,
Spatial Competition at the Intersection of the Large and Small Audit
Firm Markets, 35 Auditing: A Journal of Practice and Theory 23
(2016).
---------------------------------------------------------------------------
Alternatives Considered
The development of the final amendments involved considering
numerous alternative approaches to addressing the problems described
above. This section explains: (i) why standard setting is preferable to
other policy-making approaches, such as providing interpretive guidance
or enhancing inspection or enforcement efforts; (ii) other standard-
setting approaches that were considered; and (iii) key policy choices
made by the Board in determining the details of the amendments.
1. Why Standard Setting Is Preferable to Other Policy-Making Approaches
The Board's policy tools include alternatives to standard setting,
such as issuing interpretive guidance or increasing the focus on
inspections or enforcement of existing standards. The Board considered
whether providing guidance or enhancing inspection or enforcement
efforts would be effective mechanisms to address concerns associated
with aspects of designing and performing audit procedures that involve
technology-assisted analysis. One commenter stated that PCAOB staff
guidance would be preferable to standard setting to communicate the
requirements. Several commenters stated that additional guidance and
examples would be helpful for auditors when applying existing standards
and the proposed amendments when performing audit procedures that
involve technology-assisted analysis.
Interpretive guidance inherently provides additional information
about existing standards. Inspection and enforcement actions take place
after insufficient audit performance (and potential investor harm) has
occurred. Devoting additional resources to interpretive guidance,
inspections, or enforcement activities, without improving the relevant
performance requirements for auditors, would at best focus auditors'
performance on existing standards and would not provide the benefits
associated with improving the standards, which are discussed above.
The In contrast, some literature suggests that reduced competition
may have a negative effect on audit quality.amendments, by contrast,
are designed to improve PCAOB standards by adding further clarity and
specificity to existing requirements. For example, the amendments
specify auditor responsibilities for evaluating the reliability of
external information provided by the company in electronic form and
used as audit evidence. In another example, the amendments clarify
auditor responsibilities when the auditor uses an audit procedure for
more than one purpose.
2. Other Standard-Setting Approaches Considered
The Board considered, but decided against, developing a standalone
standard that would address designing and performing audit procedures
that involve technology-assisted analysis. Addressing the use of
technology-assisted analysis in a standalone standard could further
highlight the auditor's responsibilities relating to using technology-
assisted analysis. However, a new standalone standard would also
unnecessarily duplicate many of the existing requirements, because
existing PCAOB standards are already designed to be applicable to
audits performed with the use of
[[Page 54945]]
technology, including technology-assisted analysis.
Further, as the discussion above explains in greater detail, the
Board's research indicates that auditors are using technology-assisted
analysis in audit procedures. Rather than developing a new standalone
standard, the final amendments use a more targeted approach that
includes amending certain requirements of the standards where the
Board's research has indicated the need for providing further clarity
and specificity regarding designing and performing audit procedures
that involve technology-assisted analysis.
3. Key Policy Choices
i. Investigating Certain Items Identified by the Auditor
As discussed above, auditors may use technology-assisted analysis
to identify items within a population (e.g., transactions in an
account) for further investigation when performing a test of
details.\114\ The auditor's investigation may include, for example,
examining documentary evidence for items identified through the
analysis, or designing and performing other audit procedures to
determine whether the items identified individually or in the aggregate
indicate misstatements or deficiencies in the company's internal
control over financial reporting.
---------------------------------------------------------------------------
\114\ See detailed discussion above.
---------------------------------------------------------------------------
The Board considered but did not prescribe specific audit
procedures to investigate items identified by the auditor in the way
described in the above examples. Instead, the final amendments specify
that audit procedures that the auditor performs to investigate the
identified items are part of the auditor's response to the risk of
material misstatement. The auditor determines the nature, timing, and
extent of such procedures in accordance with PCAOB standards. The Board
also considered, but did not prescribe, specific audit procedures to
address items not selected for a test of details (i.e., remaining items
in the population) when the auditor's means of selecting items was
selecting specific items. Although certain audit procedures may be
effective to address the assessed risk under certain circumstances,
other audit procedures may be more effective under different
circumstances. Because of the wide range of both the analyses that the
auditor may perform to identify items for further investigation, and
the potentially appropriate audit procedures that the auditor may
perform to investigate them, the Board believes that an overly
prescriptive standard could in certain cases lead auditors to perform
audit procedures without considering the facts and circumstances of the
audit engagement.
ii. Describing a New Specific Audit Procedure
The Board considered but did not describe (or define), technology-
assisted analysis or similar terms (e.g., data analysis or data
analytics) in AS 1105 as a new specific audit procedure. Although
describing technology-assisted analysis as a specific audit procedure
might clarify certain auditor responsibilities, it could also create
confusion and unnecessarily constrain the potential use of such
analyses in the audit. As the Board's research indicates, and as
commenters have stated, auditors already incorporate technology-
assisted analysis in various types of audit procedures (e.g.,
inspection, recalculation, reperformance, analytical procedures) that
are used for various purposes (e.g., identifying risk or responding to
risk). In addition, describing technology-assisted analysis or similar
terms would present challenges because the meaning of such terms may
vary depending on the context and may further evolve as technology
evolves.
iii. Requiring Auditors' Use of Technology
The final amendments, consistent with existing PCAOB standards, are
principles-based and are intended to be applicable to all audits
conducted under PCAOB standards. An investor-related group commented
that the Board should consider requiring that auditors use certain
types of technology-based tools that financial research and investment
management firms have used to assess and verify the accuracy and
completeness of financial statements, in order to improve audit quality
and help detect fraud. In contrast, some commenters noted that
requiring the use of certain technology could have unintended
consequences for smaller companies and affect the ability of smaller
firms to compete. As one commenter noted, clients of small and mid-
sized accounting firms may rely on other processes appropriate to their
size to manage their operations and financial reporting, and the use of
technology-assisted analysis may not be as cost-effective in those
circumstances. Another commenter noted that it is important that PCAOB
standards continue to enable auditors to employ audit procedures that
are appropriate based on the engagement-specific facts and
circumstances, recognizing that technology-assisted analysis may not be
the most effective option and therefore its use should not be expected
on all audits. That commenter emphasized the need for the proposed
amendments to be scalable for firms (and the companies they audit) of
all sizes and with varying technological resources. Several other
commenters stated that the principles-based nature of the proposed
amendments was important, so that they can be applicable to all PCAOB-
registered firms and the audits they conduct under PCAOB standards,
regardless of the size of the firm or complexity of the issuer.
The Board considered the views of commenters, including those of
investors, and the Board decided not to require auditors' use of
technology as part of these amendments, which would have been outside
the scope of the project. Maintaining a principles-based approach to
these amendments is appropriate due to the ever-evolving nature of
technology; requiring the use of specific types of technology, based on
how they are used currently, could quickly become outdated. In
addition, as discussed above, the Board's Technology Innovation
Alliance Working Group continues to advise the Board on the use of
emerging technologies by auditors and preparers relevant to audits and
their potential impact on audit quality. These ongoing activities may
inform future standard-setting projects.
Application of the Proposed Rules to Audits of Emerging Growth
Companies
Pursuant to section 104 of the Jumpstart Our Business Startups
(``JOBS'') Act, rules adopted by the Board subsequent to April 5, 2012,
generally do not apply to the audits of emerging growth companies
(i.e., EGCs), as defined in section 3(a)(80) of the Exchange Act,
unless the SEC ``determines that the application of such additional
requirements is necessary or appropriate in the public interest, after
considering the protection of investors, and whether the action will
promote efficiency, competition, and capital formation.'' \115\ As a
result of the JOBS Act, the rules and related amendments to PCAOB
standards that the Board adopts are generally subject to a
[[Page 54946]]
separate determination by the SEC regarding their applicability to
audits of EGCs.
---------------------------------------------------------------------------
\115\ See Public Law 112-106 (Apr. 5, 2012). See also section
103(a)(3)(C) of Sarbanes-Oxley, as added by section 104 of the JOBS
Act (providing that any rules of the Board requiring: (1) mandatory
audit firm rotation; or (2) a supplement to the auditor's report in
which the auditor would be required to provide additional
information about the audit and the financial statements of the
issuer (auditor discussion and analysis), shall not apply to an
audit of an EGC. The amendments do not fall within either of these
two categories).
---------------------------------------------------------------------------
To inform consideration of the application of auditing standards to
audits of EGCs, the PCAOB staff prepares a white paper annually that
provides general information about characteristics of EGCs.\116\ As of
the November 15, 2022, measurement date in the February 2024 EGC White
Paper, PCAOB staff identified 3,031 companies that self-identified with
the SEC as EGCs and filed with the SEC audited financial statements in
the 18 months preceding the measurement date.\117\
---------------------------------------------------------------------------
\116\ See PCAOB, White Paper on Characteristics of Emerging
Growth Companies and Their Audit Firms at November 15, 2022 (Feb.
20, 2024) (``EGC White Paper''), available at https://pcaobus.org/resources/other-research-projects.
\117\ The EGC White Paper uses a lagging 18-month window to
identify companies as EGCs. Please refer to the ``Current
Methodology'' section in the white paper for details. Using an 18-
month window enables staff to analyze the characteristics of a
fuller population in the EGC White Paper but may tend to result in a
larger number of EGCs being included for purposes of the present EGC
analysis than would alternative methodologies. For example, an
estimate using a lagging 12-month window would exclude some EGCs
that are delinquent in making periodic filings. An estimate as of
the measurement date would exclude EGCs that have terminated their
registration, or that have exceeded the eligibility or time limits.
See id.
---------------------------------------------------------------------------
As discussed above, auditors are expanding the use of technology-
assisted analysis in audits. The final amendments, as discussed above,
address aspects of designing and performing audit procedures that
involve technology-assisted analysis. The proposed rules are
principles-based and are intended to be applied in all audits performed
pursuant to PCAOB standards, including audits of EGCs.
The discussion of benefits, costs, and unintended consequences of
the proposed rules above is generally applicable to all audits
performed pursuant to PCAOB standards, including audits of EGCs. The
economic impacts on an individual EGC audit would depend on factors
such as the auditor's ability to distribute implementation costs across
its audit engagements, whether the auditor has already incorporated
technology-assisted analysis into its audit approach, and electronic
information acquisition challenges (e.g., information availability,
legal restrictions, or privacy concerns). EGCs are more likely to be
newer companies, which are typically smaller in size and receive lower
analyst coverage. These factors may increase the importance to
investors of the higher audit quality resulting from the proposed
rules, as high-quality audits generally enhance the credibility of
management disclosures.\118\
---------------------------------------------------------------------------
\118\ Researchers have developed a number of proxies that are
thought to be correlated with information asymmetry, including small
company size, lower analyst coverage, larger insider holdings, and
higher research and development costs. To the extent that EGCs
exhibit one or more of these properties, there may be a greater
degree of information asymmetry for EGCs than for the broader
population of companies, which increases the importance to investors
of the external audit to enhance the credibility of management
disclosures. See, e.g., Steven A. Dennis and Ian G. Sharpe, Firm
Size Dependence in the Determinants of Bank Term Loan Maturity, 32
Journal of Business Finance & Accounting 31 (2005); Michael J.
Brennan and Avanidhar Subrahmanyam, Investment Analysis and Price
Formation in Securities Markets, 38 Journal of Financial Economics
361 (1995); David Aboody and Baruch Lev, Information Asymmetry, R&D,
and Insider Gains, 55 The Journal of Finance 2747 (2000); Raymond
Chiang and P. C. Venkatesh, Insider Holdings and Perceptions of
Information Asymmetry: A Note, 43 The Journal of Finance 1041
(1988); Molly Mercer, How Do Investors Assess the Credibility of
Management Disclosures?, 18 Accounting Horizons 185 (2004).
---------------------------------------------------------------------------
However, as discussed above, the use of technology-assisted
analysis appears to be less prevalent among NAFs than GNFs. Therefore,
since EGCs are more likely than non-EGCs to be audited by NAFs, the
impacts of the proposed rules on EGC audits may be less than on non-EGC
audits.\119\
---------------------------------------------------------------------------
\119\ Staff analysis indicates that, compared to exchange-listed
non-EGCs, exchange-listed EGCs are approximately 2.6 times as likely
to be audited by an NAF and approximately 1.3 times as likely to be
audited by a triennially inspected firm. Source: EGC White Paper and
Standard & Poor's.
---------------------------------------------------------------------------
The proposed rules could impact competition in an EGC's product
market if the indirect costs to audited companies disproportionately
impact EGCs relative to their competitors. However, as discussed above,
the costs associated with the proposed rules are expected to be
relatively modest. Therefore, the impact of the proposed rules on
competition, if any, is likewise expected to be limited.
Overall, the proposed rules are expected to enhance the efficiency
and quality of EGC audits that implement technology-assisted analysis
and contribute to an increase in the credibility of financial reporting
by those EGCs. To the extent the proposed rules improve EGCs' financial
reporting quality, they may also improve the efficiency of capital
allocation, lower the cost of capital, and enhance capital formation.
For example, higher financial reporting quality may allow investors to
more accurately identify companies with the strongest prospects for
generating future risk-adjusted returns and reallocate their capital
accordingly. Investors may also perceive less risk in EGC capital
markets generally, leading to an increase in the supply of capital to
EGCs. This may increase capital formation and reduce the cost of
capital to EGCs. We are unable to quantify in precise terms this
potential benefit, which would depend both on how audit firms respond
to the standard and on how their response affects audit quality,
factors that are likely to vary across audit firms and across
engagements.
Furthermore, if certain of the proposed rules did not apply to the
audits of EGCs, auditors would need to address differing audit
requirements in their methodologies, or policies and procedures, with
respect to audits of EGCs and non-EGCs. This could create the potential
for additional confusion.
Two commenters on the proposal specifically supported the
application of the amendments to EGCs. One of those commenters stated
that excluding EGCs from the proposal would be inconsistent with
protecting the public interest.
Accordingly, and for the reasons explained above, the Board will
request that the Commission determine that it is necessary or
appropriate in the public interest, after considering the protection of
investors and whether the action will promote efficiency, competition,
and capital formation, to apply the proposed rules to audits of EGCs.
III. Date of Effectiveness of the Proposed Rules and Timing for
Commission Action
Within 45 days of the date of publication of this notice in the
Federal Register or within such longer period (i) as the Commission may
designate up to 90 days of such date if it finds such longer period to
be appropriate and publishes its reasons for so finding or (ii) as to
which the Board consents, the Commission will:
(A) By order approve or disapprove such proposed rules; or
(B) Institute proceedings to determine whether the proposed rules
should be disapproved.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views and
arguments concerning the foregoing, including whether the proposed
rules are consistent with the requirements of Title I of the Act.
Comments may be submitted by any of the following methods:
Electronic Comments
Use the Commission's internet comment form (https://www.sec.gov/rules/pcaob); or
Send an email to [email protected]. Please include
PCAOB-2024-03 on the subject line.
[[Page 54947]]
Paper Comments
Send paper comments in triplicate to Vanessa A.
Countryman, Secretary, Securities and Exchange Commission, 100 F Street
NE, Washington, DC 20549-1090.
All submissions should refer to PCAOB-2024-03. This file number should
be included on the subject line if email is used. To help the
Commission process and review your comments more efficiently, please
use only one method. The Commission will post all comments on the
Commission's internet website (https://www.sec.gov/rules/pcaob). Copies
of the submission, all subsequent amendments, all written statements
with respect to the proposed rules that are filed with the Commission,
and all written communications relating to the proposed rules between
the Commission and any person, other than those that may be withheld
from the public in accordance with the provisions of 5 U.S.C. 552, will
be available for website viewing and printing in the Commission's
Public Reference Room, 100 F Street NE, Washington, DC 20549, on
official business days between the hours of 10 a.m. and 3 p.m. Copies
of such filing will also be available for inspection and copying at the
principal office of the PCAOB. Do not include personal identifiable
information in submissions; you should submit only information that you
wish to make available publicly.
We may redact in part or withhold entirely from publication
submitted material that is obscene or subject to copyright protection.
All submissions should refer to PCAOB-2024-03 and should be submitted
on or before July 23, 2024.
For the Commission, by the Office of the Chief Accountant.
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2024-14488 Filed 7-1-24; 8:45 am]
BILLING CODE 8011-01-P