25 © 2010 Wiley Periodicals, Inc. Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/jcaf.20591 f e a t u r e a r t i c l e Bruce Bettinghaus T his article dis- cusses the requirements of the recently proposed Public Company Accounting Over- sight Board (PCAOB) Auditing Standard No. 7 (AS 7) requir- ing the review and approval of a second audit partner of each audit. A discussion of the concerns expressed in com- ment letters to the proposed AS 7 follows the presentation of the requirements of the stan- dard. Initially this requirement will only directly affect Securi- ties and Exchange Commission (SEC) registrants, but as with other PCAOB requirements, this requirement is expected to influence non-SEC registrants as well. Therefore, AS 7 should be of concern to all audited or potentially audited companies as well as investors and creditors. SEC APPROVES NEW STANDARD On October 29, 2009, the SEC formally received Audit- ing Standard No. 7, Engage- ment Quality Review, from the PCAOB for the SEC’s approval. The SEC took a bit longer than normal to approve the new rule, but they did approve the rule on January 15, 2010. The new standard accomplishes two main goals for the PCAOB. First the new standard fulfills a require- ment that was originally included in the Sarbanes-Oxley Act (SOX). As part of the original 2002 act as passed by Congress, the legislators called for a second partner, or concurring review and approval of the audit report of a registered audit firm. Spe- cifically, the act instructed the PCAOB to include in their yet- to-be-adopted rules a require- ment that each audit of a public firm should include a review and approval, carried out either by a qualified second partner in the firm or a qualified independent reviewer. 1 Although it took the Board seven years to promulgate such a rule, the new standard ful- fills this mandate. Additionally, the Board thinks that this new standard will “increase the likelihood that a registered public accounting firm will catch any significant deficiencies before it issues its audit report.” 2 This second rea- son is echoed by then-Chairman Mark W. Olson. As part of his public statements during the open meeting where the standard was adopted, he suggests that poor-quality concurring reviews were at the heart of some audit failures. Olson indicates PCAOB inspectors have found that the range in quality and rigor of the second or concurring partner is one of the most problematic issues they face. 3 So, the Board not only was tying up a loose The author discusses the requirements of the recently proposed Public Company Accounting Oversight Board (PCAOB) auditing standard (AS 7) requiring the review and approval of a second audit partner of each audit. The PCAOB intended to get tough—the standard is designed to be rigorous. Unfortunately, the additional costs of implementing it might exceed any benefit. © 2010 Wiley Periodicals, Inc. PCAOB Gets Tough With New Audit Quality Review Standard JCAF20591.indd 25JCAF20591.indd 25 4/9/10 11:33:29 PM4/9/10 11:33:29 PM 26 The Journal of Corporate Accounting & Finance / May/June 2010 DOI 10.1002/jcaf © 2010 Wiley Periodicals, Inc. has been discovered too late and a restatement is required. A well- performed engagement quality review should significantly reduce the risk of such a problem. Anyone who has been through a restatement and re-audit will tell you that a timely, high quality engagement review is well worth the burden and cost to avoid bigger burdens and costs later. (PCAOB Member Charles D. Niemeier, July 28, 2009) The language in the last sentence of Niemeier’s statement makes it clear the Board believes the new standard to be a net benefit. His argument is based on an average cost benefit analysis; a small increase in cost that improves the audit process will lower the likelihood of a more serious audit fail- ure. If the Board is correct, then investors and creditors who are concerned with the governance of related firms should be supportive of the new standard. The actual language in the standard calls for the quality reviewer to “evaluate the sig- nificant judgments made by the engagement team and the related conclusions reached in forming the overall conclusion on the engagement and in preparing the engagement report.” 4 The standard outlines a nine-point process and instructions for communicating the work done by the EQR. Exhibit 1 summarizes the checklist for the engagement quality reviewer in an audit. The EQR should evaluate significant judgments related to engagement The standard is intended to be rigorous, because our inspection record amply demonstrates renewed rigor is jus- tified. But it’s not intended to be a re- audit. Rather, the review is simply that—a review of work already per- formed by the engage- ment team. To accom- plish this, the reviewer uses three tools: the standard expects the reviewer to talk with the engagement part- ner and team members, review certain relevant documents, and apply some critical thinking to determine whether to sign off with concurring approval. The reviewer doesn’t do any testing, request any confirma- tions, conduct any walk- throughs, or perform any other procedures that are necessary to obtain rea- sonable assurance that the financial statements are fairly stated. There’s simply no way to see this as a re-audit, which is indeed an enormous undertaking. Regrettably, in some cir- cumstances, companies do undergo re-audits, for example when a problem end from the now seven-year- old Sarbanes-Oxley Act, but they also believe that a stronger standard for a peer-based audit review would help to improve the overall quality of audits for public companies. This standard, once it is approved by the SEC, will be required for all SEC clients for both their yearly audit and their quarterly reviews. An open question is how this new standard will impact the audit practices of private firms. The members of the Board seem convinced that the new standard will be a net benefit. That is, the increase in audit quality will be a greater benefit than any increase in the cost of the audit. It is likely that the American Institute of Certified Public Accountants (AICPA) will include this second review and sign off in auditing standards for non-SEC registrants to be consistent with PCAOB require- ments. Also, if this second sign-off is considered a net benefit, private firms’ owners and lenders might also require a concurring-partner quality review as part of their audits. WHAT THE STANDARD WILL REQUIRE One of the main concerns of comment letter writers was the new standard would require the engagement quality reviewer (EQR) to essentially reaudit the client. Obviously, if this was the case, the added costs would have been substantial. Board member Charles D. Niemeier lays this concern to rest by insisting that this required review will not require the duplication of audit procedures: If the Board is correct, then investors and creditors who are concerned with the governance of related firms should be supportive of the new standard. JCAF20591.indd 26JCAF20591.indd 26 4/9/10 11:33:29 PM4/9/10 11:33:29 PM The Journal of Corporate Accounting & Finance / May/June 2010 27 © 2010 Wiley Periodicals, Inc. DOI 10.1002/jcaf planning, including the firm’s recent engagement experience with the company and risks identified in connection with the firm’s client acceptance and retention process as well as con- sideration of the company’s busi- ness, recent significant activi- ties, related financial reporting issues and risks, and judgments made about materiality and the effect of those judgments on the engagement strategy. The EQR should also evaluate the engage- ment team’s assessment of, and audit responses to, significant risks identified by the engage- ment team, including fraud risks. The EQR should evalu- ate significant judgments made about materiality and disposition of corrected and uncorrected identified misstatements and the severity and disposition of identified control deficiencies. The EQR should also consider the engagement team’s evalua- tion of the firm’s independence in relation to the engagement, the engagement completion document, and confirm with the engagement partner that there are no significant unresolved matters. Financial statements, management’s report on internal control, and the related engage- ment report should be reviewed. The EQR should read other information in documents con- taining the financial statements to be filed with the SEC and evaluate whether the engage- ment team has taken appropriate action. Based on the procedures required by this standard, the EQR should evaluate whether appropriate matters have been communicated, or identified for communication, to the audit committee, management, and other parties, such as regulatory bodies. 5 After going through the above steps, the EQR should evaluate if the engagement team responded appropriately to sig- nificant risks, and if the engage- ment documentation supports the conclusions made by the team. Finally, the reviewer’s report can provide approval for the auditors to release their audit report if the EQR does not discover any sig- nificant engagement deficiency. The audit firm is prohibited from releasing their engagement report for the client’s use until the EQR is satisfied with the quality of the audit. Finally, the EQR must supply documenta- tion that “should contain suf- ficient information to enable an experienced auditor, having no previous connection with the engagement, to understand the procedures performed by the EQR, and others who assisted the reviewer.” 6 The standard also requires essentially the same process and documentation for quarterly reviews. HOW IS THIS DIFFERENT FROM OTHER EQR STANDARDS? Other auditing standard setters have existing standards for EQR, including both the Engagement Quality Reviewer Checklist Evaluate significant judgments considering:• • Recent engagement experience • Identified risks • Company’s business • Significant activities • Materiality Evaluate engagement team’s assessment of significant risks. • Evaluate significant judgments made about: • • Materiality • Disposition identified misstatements • Severity and disposition of control deficiencies Review: • • Evaluation of independence • Completion document • Financial statements • Management’s report on internal control • Related engagement report Confirm with the engagement partner that there are no significant • unresolved matters. Read documents containing financial statements to be filed with the • SEC. Evaluate: • • Handling of material inconsistencies or misstatements of fact • Whether appropriate consultations have taken place • Whether appropriate matters have been communicated Exhibit 1 JCAF20591.indd 27JCAF20591.indd 27 4/9/10 11:33:29 PM4/9/10 11:33:29 PM 28 The Journal of Corporate Accounting & Finance / May/June 2010 DOI 10.1002/jcaf © 2010 Wiley Periodicals, Inc. accounting firm and comply with all applicable independence requirements. In addition, the standard prohibits the engage- ment quality reviewer from hav- ing had overall responsibility for the audit client for at least two years prior to serving as the review partner. Neither the IAASB nor the ASB standards require the engagement partner reviewer to comply with the two-year “cooling-off ” period, nor do they require the reviewer to be an associated person of the firm. Finally, the IAASB stan- dards do not include reviewer independence requirements. 7 IS THE STANDARD A NET BENEFIT? The process of auditing financial statements is designed to improve the usefulness of those financial statements for the end-user. However, if the audit costs are high enough, they will swamp the value of the audit to the users of the financial state- ments. Many of the comment letters to the SEC regarding the final rule suggest that auditors believe that the new require- ments will not be a net benefit (see Exhibit 3 for a list of the commenters’ main concerns). The two areas that generated complaints from commenters specifically related to subse- quent changes to, or retention of, the EQR documentation in either the IAASB or the ASB standards. The EQR standard includes a requirement that the reviewer evaluate whether the engagement documentation (1) indicates that the engagement team responded appropriately to significant risks and (2) supports the conclusion reached by the engagement team. Although the IAASB standards contain a similar documentation review requirement, the ASB standard does not contain an equivalent requirement. The EQR standard requires the engagement quality reviewer to be an associated person of the International Auditing and Assurance Standards Board (IAASB) and the Auditing Stan- dards Board (ASB). The PCAOB believes that their standard is superior to those standards. The written comments of Board member Steven B. Harris detail the differences as indicated in Exhibit 2. The EQR standard requires concurring approval of issuance by the engagement quality reviewer before an audit firm can grant permission to the client to use the audit report. Neither of the comparable stan- dards issued by the IAASB or ASB require the same level of assurance. The EQR standard requires that appropriate docu- mentation of the EQR process— including the documentation that is specifically described in the standard—be included as a part of the engagement docu- mentation, and that the require- ments be followed in AS No. 3, Audit Documentation, related to subsequent changes to audit documentation and document retention. These requirements are in direct response to docu- mentation deficiencies related to second-partner reviews identi- fied by the PCAOB inspection process. There are no provisions Differences Between AS 7 and Other Standards Requires concurring approval of issuance before use of audit report• Requires a higher level of assurance• Requires a higher level of documentation• Addresses subsequent changes to, or retention of, the EQR • documentation Requires evaluation of risk consideration and conclusions• Requires a two-year “cooling-off” period• Requires reviewer independence• Exhibit 2 Concerns of Comment Writers Reviewer reaudits client• Costs too high, so not a net benefit• Excessive and unrealistic documentation requirements• Increased legal risk from excessive documentation• Changing definition of due professional care• Exhibit 3 JCAF20591.indd 28JCAF20591.indd 28 4/9/10 11:33:29 PM4/9/10 11:33:29 PM The Journal of Corporate Accounting & Finance / May/June 2010 29 © 2010 Wiley Periodicals, Inc. DOI 10.1002/jcaf practitioners by leaving a trail enabling litigants and other adversaries to impugn the compe- tency of engagement personnel. (Comment letter to the SEC, Piercy Bowler Taylor & Kern, November 6, 2009) The other area of concern that the majority of commenters focused on was the language in the release related to “due pro- fessional care.” AU 230 spells out the general standard relating to due professional care. The standard requires that auditors act with diligence and reasonable care, but the standard does not specifically say that by using due care the auditor will catch all possible deficiencies in the audit; in fact, the stan- dard says just the opposite. A quote from Cooley on Torts is the third paragraph of the standard, and it is clear that the auditor who takes on an engagement does so “for good faith and integrity, but not for infal- libility.” 8 In light of this commonly understood auditing term, many commenters took issue with the language in the release that seemed to be rais- ing the bar on what constituted due professional care. The let- ter from Grant Thornton was a clear indictment of this release language: We agree with para- graph 12 of AS 7, which requires the engagement quality reviewer to per- form the review with due professional care. However, we believe the Board has introduced confusion in the release, which states: “A quali- fied reviewer who has could have the effect of requiring documentation of all of the interac- tions between the EQR reviewer and the engage- ment team. We do not believe this is what was intended by the stan- dard, as it would clearly be impracticable, and we believe it would be useful to confirm that the standard as written does not create such a documentation obliga- tion. (Deloitte letter to the SEC, November 24, 2009) The audit firm’s fears are spelled out in a few of the com- ment letters; the clearest state- ment comes from Piercy Bowler Taylor & Kern. These firms are all concerned that a thorough documentation of all conversa- tions between the EQR and the engagement team would result in a much higher risk of legal action. We firmly believe that documentation of defi- ciencies encountered by reviewers at any level and their resolution would be of no posi- tive value with regard to engagement quality and more significantly, would pose substantial unwarranted risks to were the Board’s interpretation of the phrase “due professional care” and the Board’s discussion of the documentation require- ments contained in AS 7. When the Board issues a new standard, they also issue a release document that explains the process and conclusions used in finalizing the new standard. It is this release document that seems to have caused the con- cern among those who wrote to the SEC to comment on the new standard. A clear majority of let- ter writers focused on language in the release that seemed to either contradict the language in the standard or add additional burdens to the EQR. With regard to the documentation required, the standard is quite clear about requiring three spe- cific items. The documen- tation should include who was on the engagement quality review, what docu- ments they examined, and when the EQR team gave their concurrence to the audit team. But the language in the release document seems to go much further than those three requirements. A number of commenters focused on the following sentence in the release as an example that modified the standard in a way that was unacceptable: “For example, if a reviewer identified a signifi- cant engagement deficiency to be addressed by the engagement team, the engagement team should document its response to the identified deficiency in accordance with AS No. 3” (AS No. 7 Release, p. 38). The letter from Deloitte requests clarification: We are concerned, however, that the state- ments in the Release The documentation should include who was on the engagement quality review, what documents they exam- ined, and when the EQR team gave their concurrence to the audit team. JCAF20591.indd 29JCAF20591.indd 29 4/9/10 11:33:30 PM4/9/10 11:33:30 PM 30 The Journal of Corporate Accounting & Finance / May/June 2010 DOI 10.1002/jcaf © 2010 Wiley Periodicals, Inc. the requirements of the proposed standard and indicated concerns expressed in comment letters. Additional costs might exceed any benefit. Potentially exces- sive documentation requirements might be unrealistic to comply with and increase exposure to risks of legal liability. Finally, the standard of due professional care might be raised to an untenable level. NOTES 1. Sarbanes-Oxley Act of 2002, 103(a)(2) (A)(ii). 2. PCAOB Release 2009-004, p. 2. 3. PCAOB Chair, Mark W. Olson, July 28, 2009. 4. AS 7, ¶ 9. 5. AS 7, ¶ 10. 6. AS 7, ¶ 19. 7. Statement of Steven B. Harris, July 28, 2009. 8. AU Section 230.03—Due Professional Care in the Performance of Work. cies will be detected, but rather that the engage- ment quality reviewer will have reasonable, but not absolute, assurance that significant engage- ment deficiencies have been discovered in the review. (Comment letter to the SEC from Grant Thornton, November 25, 2009) CONCLUDING COMMENTS AS 7, recently approved by the SEC, is being issued by the PCAOB to both comply with Sarbanes-Oxley and attempt to improve the quality of audits of SEC registrants. As with other PCAOB audit requirements, AS 7 is also likely to influence audit requirements for private com- panies. This article summarized done so will, necessarily, have discovered any significant engagement deficiencies that could reasonably have been discovered under the circumstances.” Some may interpret this as redefining “due profes- sional care.” We do not believe that the Board should set requirements in the standards, and then, in the release imply that the words in the standards do not mean what they say. To clarify that due pro- fessional care, as defined in AU sec. 230, Due Pro- fessional Care in the Per- formance of Work, does not guarantee that any or all significant deficien- Bruce Bettinghaus, PhD, is an assistant professor of accounting in Grand Valley State University’s School of Accounting (Grand Rapids, MI). His teaching and research interests focus on global financial reporting, corporate governance, and business ethics education. JCAF20591.indd 30JCAF20591.indd 30 4/9/10 11:33:30 PM4/9/10 11:33:30 PM . concurring review and approval of the audit report of a registered audit firm. Spe- cifically, the act instructed the PCAOB to include in their yet- to-be-adopted rules a require- ment that each audit. costs of implementing it might exceed any benefit. © 2010 Wiley Periodicals, Inc. PCAOB Gets Tough With New Audit Quality Review Standard JCAF20591.indd 25JCAF20591.indd 25 4/9/10 11:33:29. Accounting Oversight Board (PCAOB) auditing standard (AS 7) requiring the review and approval of a second audit partner of each audit. The PCAOB intended to get tough the standard is designed to