Pursuant to section 107(b) of the Sarbanes-Oxley Act of 2002 (the “Act”), notice is hereby given that on May 24, 2024, the Public Company Accounting Oversight Board (the “Board” or the “PCAOB”) filed with the Securities and Exchange Commission (the “Commission”) the proposed rules described in items I and II below, which items have been prepared by the Board. The Commission is publishing this notice to solicit comments on the proposed rules from interested persons.
I. Board's Statement of the Terms of Substance of the Proposed Rules
On May 13, 2024, the Board adopted A Firm's System of Quality Control and Other Amendments to PCAOB Standards, Rules, and Forms (collectively, the “proposed rules”). The text of the proposed rules appears in Exhibit A to the SEC Filing Form 19b-4 and is available on the Board's website in Docket 046 (pcaobus.org) and at the Commission's Public Reference Room.
II. Board's Statement of the Purpose of, and Statutory Basis for, the Proposed Rules
In its filing with the Commission, the Board included statements concerning the purpose of, and basis for, the proposed rules and discussed any comments it received on the proposed rules. The text of these statements may be examined at the places specified in Item IV below. The Board has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements. In addition, the Board is requesting that the Commission approve the proposed rules, pursuant to section 103(a)(3)(C) of the Sarbanes-Oxley Act, for application to audits of emerging growth companies (“EGCs”), as that term is defined in section 3(a)(80) of the Securities Exchange Act of 1934 (“Exchange Act”). The Board's request is set forth in section D.
A. Board's Statement of the Purpose of, and Statutory Basis for, the Proposed Rules
(a) Purpose
The Board adopted a new PCAOB quality control (“QC”) standard that it believes will lead registered public accounting firms (“firms”) to significantly improve their QC systems. An effective QC system protects investors by facilitating the consistent preparation and issuance of informative, accurate, independent, and compliant engagement reports. Properly conducted audits and other engagements enhance the confidence of investors and other market participants in the information firms report on.
The Board adopted an integrated, risk-based standard, QC 1000, A Firm's System of Quality Control, that mandates quality objectives and key processes for all firms' QC systems, with a focus on accountability and continuous improvement. The Board has designed QC 1000 to be applied by firms of varying size and complexity. If approved by the U.S. Securities and Exchange Commission (the “SEC”), the Board believes this new standard will lead firms to better serve investors by more consistently complying with the professional and legal requirements that apply to PCAOB engagements.
In connection with the adoption of QC 1000, the Board also adopted other changes to its standards, rules, and forms. QC 1000 and the other changes adopted substantially reflect the Board's November 2022 proposal, but have been modified in response to commenter input.
See A Firm's System of Quality Control and Other Proposed Amendments to PCAOB Standards, Rules, and Forms, PCAOB Rel. No. 2022-006 (Nov. 18, 2022) (“proposal” or “proposed standards”), available on the Board's website in Docket 046.
In a separate release, the Board also adopted a new auditing standard, AS 1000, General Responsibilities of the Auditor in Conducting an Audit, that addresses the general principles and responsibilities of the auditor. This release includes references to AS 1000, where appropriate.
See General Responsibilities of the Auditor in Conducting an Audit and Amendments to PCAOB Standards, PCAOB Rel. No. 2024-004 (May 13, 2024) (“Auditor Responsibilities Release”).
Improving the Board's QC Standards
The Board strongly believes that an effective quality control system facilitates continuous improvement. Over time, the PCAOB's oversight experience suggests that firm QC systems fall short. For example, PCAOB inspectors observed that approximately 40% of the issuer audits they reviewed in 2022 had one or more deficiencies where the auditor failed to obtain sufficient appropriate audit evidence to support its opinion, an increase of six percentage points over the deficiency rate in 2021 and 11 percentage points over the rate in 2020. In all those cases, auditors issued audit opinions without completing the audit work that PCAOB standards require for them to obtain reasonable assurance about whether the financial statements were free of material misstatement and/or whether the issuers maintained, in all material respects, effective internal control over financial reporting.
See Spotlight: Staff Update and Preview of 2022 Inspection Observations (July 2023) (“2022 Inspection Observations Preview”), at 3, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/spotlight-staff-preview-2022-inspection-observations.pdf?sfvrsn=1b116d49_4.
Every step of this rulemaking—from the December 2019 concept release, to the proposal, to adoption—has been informed by extensive research and outreach, as well as by PCAOB inspections and enforcement activities. The PCAOB's current QC standards were developed decades ago and issued by the American Institute of Certified Public Accountants (“AICPA”) before the PCAOB was established. The auditing environment has changed significantly since that time, including evolving and greater use of technology, and increasing auditor use of outside resources, such as other accounting firms and providers of support services. Firms themselves have also changed significantly, as has the role of firm networks. And advances in internal control, quality management, and enterprise risk management suggest that factors such as active involvement of leadership, focus on risk, clearly defined objectives, objective-oriented processes, monitoring, and remediation of identified issues can contribute to more effective QC. These developments have, in part, led to PCAOB advisory groups' general support for strengthening the QC standards, including through risk-based elements and enhanced requirements for firm governance and leadership.
See Concept Release, Potential Approach to Revisions to PCAOB Quality Control Standards, PCAOB Rel. No. 2019-003 (Dec. 17, 2019) (“concept release”), available on the Board's website in Docket 046.
Taking into account those considerations, as well as the comments the Board received on the concept release and proposal, the Board believes that improving PCAOB standards will lead firms to improve their QC systems. This should result in more consistent compliance with applicable requirements, which ultimately better serves and protects investors. The specific improvements the Board adopted include:
- Emphasizing accountability, firm culture and the “tone at the top,” and firm governance through requirements for specified roles within and responsibilities for the QC system, including at the highest levels of the firm; quality objectives that link compensation to quality; and, for the largest firms, the requirement of an independent perspective in firm governance;
- Striking the right balance between a risk-based approach to QC—which should drive firms to proactively identify and manage the specific risks associated with their practice—and a set of mandates, including required risk assessment and other QC-related processes, quality objectives, and quality responses—which should assure that the QC system is designed, implemented, and operated with an appropriate level of rigor;
- Addressing changes in the audit practice environment, including the increasing participation of other firms and other outside resources, the role of firm networks, the evolving use of technology and other resources, and the increasing importance of internal and external firm communications;
- Broadening responsibilities for monitoring and remediation of deficiencies to create a more effective ongoing feedback loop that drives continuous improvement; and
- Requiring a rigorous annual evaluation of the firm's QC system and related reporting to the PCAOB, certified by key firm personnel, to underscore the importance of the annual evaluation of the QC system, reinforce individual accountability, and support PCAOB oversight.
Framework of the QC Standard
The Board carefully considered the characteristics of an appropriate framework for a PCAOB QC standard that could accomplish its regulatory goals. As a threshold issue, section 103 of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”) provides that PCAOB QC standards must include requirements regarding certain specified matters, and also grants the Board broad authority to include such other requirements as it may prescribe in carrying out its investor protection mandate. The Board also considered how best to capture areas it had identified for improvement and how best to foster consistent, compliant implementation by the firms it regulates. Because the Board believes it is the best structure for accomplishing its goals, the Board adopted the QC 1000 framework as proposed.
The Board notes that the framework has commonalities with other international and domestic standards for firm QC systems, though it goes beyond those requirements in a number of areas, including with regard to firm governance of the largest firms, more specific requirements for monitoring and remediation and the evaluation of the QC system, an ethics and independence component aligned with SEC and PCAOB requirements, and more specific provisions addressing technology and externally communicated firm-level and engagement-level information and metrics. The Board believes that building on a well-understood basic framework, appropriately tailored and strengthened to address its legal and regulatory environment and its investor protection mandate, will enable firms to implement and comply with QC 1000 more effectively. In designing, implementing, and operating their QC systems, firms that are subject to both PCAOB standards and other international or domestic QC standards—which the Board believes constitute a very substantial majority of the firms that perform engagements under PCAOB standards—can leverage the work they have already done and the investments they have already made to comply with those other requirements.
QC 1000
The Board developed QC 1000 with a view to its statutory mandate to protect the interests of investors and the public interest, and the Board believes the new standard will facilitate the consistent preparation and issuance of informative, accurate, and independent engagement reports. The final standard provides a framework for a QC system that is grounded in an ongoing process of proactively identifying and managing risks to quality, with a feedback loop from ongoing monitoring and remediation that should drive continuous improvement, an explicit focus on firm governance and leadership, firm culture, and individual accountability, and specific direction in a number of areas that current PCAOB standards do not address directly.
QC 1000 primarily consists of:
Two process components
- The firm's risk assessment process
- The monitoring and remediation process
Six components that address aspects of the firm's organization and operations
- Governance and leadership
- Ethics and independence
- Acceptance and continuance of engagements
- Engagement performance
- Resources
- Information and communication
Requirements for evaluation of and reporting on the QC system
- Annual evaluation of the effectiveness of the QC system
- Reporting to the PCAOB on the QC system evaluation
The standard also includes requirements regarding individual roles and responsibilities in the QC system and documentation requirements.
Scalability
In the Board's view, the basic objectives of the QC system should be the same for all firms, but the scope of the QC standard and how it applies should take into account the wide disparities in nature and circumstances across registered firms, in particular the extent to which their practices include engagements required to be performed under PCAOB standards and the complexity of such engagements. The risks that firms face, and therefore the specific policies and procedures necessary to appropriately serve investor interests through an effective QC system, vary significantly from the largest firms, operating as part of global networks, to local firms or sole proprietorships. QC 1000 establishes a uniform basic structure to be used by all firms, within which firms will be required to pursue an approach to quality control that is appropriate in light of the risks associated with their particular PCAOB audit practice. Aspects of the new standard are risk-based, and to that extent inherently scalable. In addition, it imposes more stringent requirements for the largest firms in some areas, while enabling smaller firms to comply with the core requirements in ways that take into account these firms' size and the complexity of audits performed by them.
Scalability: Larger PCAOB Audit Practice
The Board believes that firms with a particularly extensive PCAOB audit practice (i.e., those that issue audit reports for more than 100 issuers per year) should be subject to enhanced requirements, given such firms' greater complexity and the relatively greater public interest implicated by the fact that they audit companies that make up a substantial majority of U.S. public market capitalization. The incremental requirements under QC 1000 for such firms include:
- An external oversight function for the QC system composed of one or more persons who can exercise independent judgment related to the QC system;
- A program for collecting and addressing complaints and allegations that includes confidentiality protections;
- An automated system to track investments that may bear on independence; and
- Required monitoring of in-process engagements.
Scalability: Smaller PCAOB Audit Practice
Many firms perform only a small number of PCAOB engagements per year and are subject to resource constraints that larger PCAOB audit practices do not face. The Board has addressed the particular needs of these firms in a number of ways, including:
- Providing that a single individual may be assigned more than one of the QC system oversight roles required under the standard; and
- Allowing firms that issue five or fewer engagement reports for issuers or broker-dealers in a year to include audits not performed under PCAOB auditing standards in some of their monitoring activities.
Scalability: Firms That Do Not Have Responsibilities in Relation to a PCAOB Engagement
All registered firms will be required to design a QC system that meets the requirements of QC 1000. Firms will be required to implement and operate the QC system in compliance with QC 1000 when they lead an engagement under PCAOB standards, play a substantial role in the preparation or furnishing of an audit report (as defined in PCAOB rules), or have current responsibilities under applicable professional and legal requirements regarding any such engagement. This approach reflects the Board's view that all firms that register with the PCAOB should be appropriately prepared to perform a PCAOB engagement, regardless of whether they are currently subject to requirements with respect to one, while limiting the costs of compliance in circumstances where the risk to investor protection is minimal.
Key Changes From the QC 1000 Proposal
Key changes from the proposal include:
- For the firms with larger PCAOB audit practices, the requirement to include an independent oversight function for their QC system has been refined. Under the final rule, the external quality control function (“EQCF”) will be composed of one or more persons who are not principals or employees of the firm and do not otherwise have a relationship with the firm that would interfere with the exercise of independent judgment with regard to matters related to the QC system. The responsibilities of the EQCF may vary across firms but include, at a minimum, evaluating the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system.
- The final rule requires firms to report on their QC system evaluation to the PCAOB, but not to the audit committee, as proposed. Legal constraints limit our ability to require public disclosures about the effectiveness of firms' QC systems at the level that some investors have requested. While the final rule recognizes the impediments to requiring public disclosure of QC system evaluation, the Board remains committed to finding additional ways of providing public disclosure to better inform investors about firms and PCAOB audit engagements. To that end, we have separately proposed a set of firm-level and engagement-level metrics across 11 areas that would be reported publicly.
- The timing of the QC system evaluation and reporting has changed. Under the final rule, the evaluation date for the annual evaluation of the QC system is September 30, rather than November 30 as proposed, with Form QC due by November 30 rather than January 15 of the following year. This shift allows more time between the evaluation date and the filing date than we proposed, but still allows sufficient time to generally enable the firm's monitoring activities to identify deficiencies in calendar year-end engagements and the results of that monitoring to be included in the evaluation.
Other Changes to PCAOB Standards, Rules, and Forms
In connection with the adoption of QC 1000, the Board also adopted other changes to PCAOB standards, rules, and forms. These include, among other changes, expanding the auditor's responsibility to respond to deficiencies on completed engagements under an amended and retitled AS 2901, Responding to Engagement Deficiencies After Issuance of the Auditor's Report, and related amendments to AT No. 1, Examination Engagements Regarding Compliance Reports of Brokers and Dealers, and AT No. 2, Review Engagements Regarding Exemption Reports of Brokers and Dealers; and replacing the existing standard ET 102, Integrity and Objectivity, with a new standard, EI 1000, Integrity and Objectivity, to better align PCAOB ethics requirements with the scope, approach, and terminology of QC 1000.
Effective Date
If approved by the SEC, the final standard and related amendments to auditing standards, rules, and forms will take effect on December 15, 2025, with the initial evaluation of the QC system to be performed as of September 30, 2026, and initial reporting to the PCAOB by November 30, 2026. Firms will be permitted to elect to comply with the requirements of QC 1000, except reporting to the PCAOB on the annual evaluation of the QC system, before the effective date, at any point after SEC approval of the final standard and related amendments.
(b) Statutory Basis
The statutory basis for the proposed rules is Title I of Sarbanes-Oxley.
B. Board's Statement on Burden on Competition
Not applicable. The Board's consideration of the economic impacts of the proposed rules is discussed in section D below.
C. Board's Statement on Comments on the Proposed Rules Received From Members, Participants or Others
The Board issued a concept release regarding potential changes to quality control standards for public comment in PCAOB Release No. 2019-003 (Dec. 17, 2019). The Board received 36 written comment letters on the concept release. The Board released the proposed rule amendment for public comment in PCAOB Release No. 2022-006 (Nov. 18, 2022). The Board received 43 written comment letters on its proposal. The Board has carefully considered all comments received. The Board's response to the comments it received and the changes made to the rules in response to the comments received are discussed below.
Background
This section presents background information on this rulemaking, including an overview of existing PCAOB QC requirements and current practice, a review of other developments since the current QC requirements were adopted, a summary of relevant actions taken by other standard setters, a discussion of PCAOB research and outreach efforts related to QC, the December 2019 concept release and 2022 proposal, and a summary of the key areas the Board has identified for improvement of the QC standards.
Overview of Existing Requirements and Current Practice
1. Requirements of the Sarbanes-Oxley Act of 2002
Sarbanes-Oxley requires the Board to establish certain professional standards, including quality control standards, to be used by registered public accounting firms in the preparation and issuance of audit reports for issuers, brokers, and dealers. Furthermore, Sarbanes-Oxley requires the PCAOB's QC standards to address:
- Monitoring of professional ethics and independence from issuers, brokers, and dealers on behalf of which the firm issues audit reports;
- Consultation within the firm on accounting and auditing questions;
- Supervision of audit work;
- Hiring, professional development, and advancement of personnel;
- Acceptance and continuation of engagements;
- Internal inspection; and
- Such other requirements as the Board may prescribe.
See sections 101(c)(2) and 103(a)(1) of Sarbanes-Oxley, 15 U.S.C. 7211(c)(2), 7213(a)(1). This release uses the terms “issuer,” “broker,” and “dealer” as defined in Sarbanes-Oxley. See section 2(a)(7) of Sarbanes-Oxley, 15 U.S.C. 7201(7) (defining “issuer”); Sections 110(3) and (4) of Sarbanes-Oxley, 15 U.S.C. 7220(3), (4) (defining “broker” and “dealer”); see also PCAOB Rules 1001(b)(iii), (d)(iii), (i)(iii) (defining “broker,” “dealer,” and “issuer,” respectively). Entities that are brokers or dealers or both are sometimes referred to herein as “broker-dealers.”
2. Current PCAOB QC Standards
Under current PCAOB standards, a QC system is a process to provide a firm with reasonable assurance that its personnel comply with applicable professional standards and the firm's standards of quality. The QC system encompasses the firm's organizational structure and the policies adopted and procedures established to provide that reasonable assurance.
See paragraph .03 of QC 20, System of Quality Control for a CPA Firm's Accounting and Auditing Practice.
See QC 20.04.
Current PCAOB QC standards were adopted on an interim, transitional basis in 2003 from QC standards originally developed and issued by the AICPA. They include three general QC standards that apply to all firms. Beyond that, they also include certain requirements of membership in the AICPA's former SEC Practice Section (“SECPS”), which apply only to firms that were SECPS members immediately prior to the adoption of the PCAOB's interim QC standards. Below is an overview of the general QC standards and the SECPS member requirements.
See PCAOB Rule 3400T, Interim Quality Control Standards; see also Establishment of Interim Professional Auditing Standards, PCAOB Rel. No. 2003-006 (Apr. 18, 2003).
Under PCAOB Rule 3400T(a), all firms are required to comply with QC standards as described in “the AICPA's Auditing Standards Board's Statements on Quality Control Standards, as in existence on April 16, 2003 (AICPA Professional Standards, QC §§ 20-40 (AICPA 2002)), to the extent not superseded or amended by the Board.”
a. General QC Standards
i. QC 20, System of Quality Control for a CPA Firm's Accounting and Auditing Practice
QC 20 provides that a firm should have a system of quality control that provides the firm with reasonable assurance that its personnel comply with applicable professional standards and the firm's standards of quality. In the context of engagement performance, the system of quality control should also provide reasonable assurance that the work performed meets applicable regulatory requirements.
See QC 20.03.
See QC 20.17.
The firm's quality control policies and procedures should address the following elements:
- Independence, integrity, and objectivity;
- Personnel management;
- Acceptance and continuance of clients and engagements;
- Engagement performance; and
- Monitoring.
These elements of quality control are interrelated. Policies and procedures should be established to provide the firm with reasonable assurance with respect to each of these elements of QC. An appropriate individual or individuals in the firm should be assigned responsibility for the design and maintenance of the various quality control policies and procedures. These policies and procedures should be communicated in a manner that provides reasonable assurance that personnel will understand and comply. Additionally, documentation should be prepared to demonstrate compliance with the firm's policies and procedures for the elements of quality control.
See QC 20.08.
See QC 20.22.
See QC 20.23.
See QC 20.25.
ii. QC 30, Monitoring a CPA Firm's Accounting and Auditing Practice
QC 30 addresses how a firm should implement the monitoring element of quality control discussed in QC 20. Monitoring involves an ongoing consideration and evaluation of the following:
- The relevance and adequacy of the firm's policies and procedures;
- The appropriateness of the firm's guidance materials and any practice aids;
- The effectiveness of professional development activities; and
- Compliance with the firm's policies and procedures.
Under QC 30, monitoring procedures should enable the firm to obtain reasonable assurance that its system of quality control is effective. A firm's monitoring procedures may include:
- Inspection procedures;
- Pre-issuance or post-issuance review of selected engagements;
- Analysis and assessment of:
  - New professional pronouncements;
  - Results of independence confirmations;
  - Continuing professional education (“CPE”) and other professional development activities undertaken by firm personnel;
  - Decisions related to acceptance and continuance of client relationships and engagements;
  - Interviews of firm personnel;
- Determination of any corrective actions to be taken and improvements to be made in the quality control system;
- Communication to appropriate firm personnel of any weaknesses identified in the quality control system or in the level of understanding or compliance therewith; and
- Follow-up by appropriate firm personnel to ensure that any necessary modifications are made to the quality control policies and procedures on a timely basis.
See QC 30.03.
The nature and extent of monitoring procedures generally depends on the firm's size and the nature and complexity of the firm's practice. QC 30 provides that individuals in a small firm may perform monitoring procedures, including post-issuance review of engagement working papers, reports, and clients' financial statements, with respect to their own compliance with the firm's QC policies and procedures, but only if such individuals are able to critically review their own performance, assess their own strengths and weaknesses, and maintain an attitude of continual improvement.
See, e.g., QC 30.05, .10, .11.
See QC 30.09, .10.
iii. QC 40, The Personnel Management Element of a Firm's System of Quality Control—Competencies Required by a Practitioner-in-Charge of an Attest Engagement
QC 40 addresses the personnel management element of the quality control system. Personnel management includes hiring, assigning personnel to engagements, professional development, and advancement activities. Policies and procedures should be established to provide the firm with reasonable assurance that:
- Those hired possess the appropriate characteristics to enable them to perform competently.
- Work is assigned to personnel having the degree of technical training and proficiency required in the circumstances. Personnel participate in general and industry-specific continuing professional education and other professional development activities that enable them to fulfill responsibilities assigned, and satisfy applicable professional education requirements of the AICPA, and regulatory agencies.
- Personnel selected for advancement have the qualifications necessary for fulfillment of the responsibilities they will be called on to assume.
A firm's policies and procedures related to personnel management should be designed to provide a firm with reasonable assurance that practitioners-in-charge of engagements (i.e., engagement partners) possess the kinds of competencies that are appropriate given the circumstances of the client engagement. Competencies are the knowledge, skills, and abilities that enable an engagement partner to be qualified to perform an engagement. Competencies may be gained in various ways, including through relevant industry, governmental, and academic positions. A firm's policies and procedures should ordinarily address the following competencies for an engagement partner:
- Understanding of the role of a system of quality control and a code of professional conduct;
- Understanding of the service to be performed;
- Technical proficiency;
- Familiarity with the industry;
- Professional judgment; and
- Understanding the organization's information technology systems.
See QC 40.03.
See QC 40.04.
See QC 40.05.
Under QC 40, these competencies are interrelated. When establishing policies and procedures related to competencies needed by an engagement partner, a firm may need to consider the requirements of policies and procedures established for other elements of quality control.
See QC 40.09.
See QC 40.10.
b. SECPS Member Requirements
The SECPS was a division of the AICPA for U.S. firms that audited public companies, which established incremental quality control requirements for its members. The SECPS requirements originally applied to all U.S. firms that audited public companies under AICPA standards. The SECPS ceased to exist following the establishment of the PCAOB.
Under PCAOB rules, certain SECPS requirements still apply to firms that were members of the SECPS as of April 16, 2003. Based on current registration data, the SECPS member requirements apply to 201 (approximately 12% of) PCAOB-registered firms, including 11 of the 14 annually inspected firms in 2023.
PCAOB Rule 3400T(b) requires certain firms to comply with QC standards as described in “the AICPA SEC Practice Section's Requirements of Membership (d), (l), (m), (n)(1) and (o), as in existence on April 16, 2003 (AICPA SEC Practice Section Manual 1000.08(d), (j), (m), (n)(1) and (o)), to the extent not superseded or amended by the Board.” The note to Rule 3400T provides that those requirements “only apply to those registered public accounting firms that were members of the AICPA SEC Practice Section on April 16, 2003.” One of the SECPS member requirements, concerning concurring partner review, was superseded in 2009 by the PCAOB's adoption of AS 1220, Engagement Quality Review.
i. Section 1000.08(d)—Continuing Professional Education of Audit Firm Personnel
Section 1000.08(d) requires SECPS member firms to ensure that all professionals residing in the United States, both CPAs and non-CPAs, participate in at least 20 hours of qualifying CPE every year and at least 120 hours every three years. Professionals who devote at least 25% of their time to performing audit, review, or other attest engagements, or who have responsibility for supervision or review of such engagements, must obtain at least 40% of their CPE hours in subjects related to accounting and auditing.
See SECPS 1000.08(d).
Additional information on Section 1000.08(d)'s CPE requirements appears in SECPS Section 8000, Continuing Professional Education Requirements Effective for Educational Years Beginning After May 31, 2002. That information is summarized into three categories: (1) record-keeping for each professional to ensure that each professional adheres to all CPE requirements; (2) adherence to standards for CPE program sponsors for each program sponsored by the member firm; and (3) compliance with additional CPE requirements of the SECPS. Appendix A to Section 8000 includes the AICPA policies related to CPE.
See SECPS 1000.08(d) (referring, in a footnote, to Section 8000).
See SECPS 8000.
ii. Section 1000.08(l)—Communication by Written Statement to All Professional Personnel of Firm Policies and Procedures on the Recommendation and Approval of Accounting Principles, Present and Potential Client Relationships, and the Types of Services Provided
Section 1000.08(l) requires SECPS member firms to communicate, through a written statement, to all professional firm personnel the broad principles that influence the firm's quality control and operating policies and procedures. Periodic communication also must inform professional firm personnel that compliance with those principles is mandatory.
See SECPS 1000.08(l). Section 1000.08(l) includes a cross-reference to Appendix H SECPS Section 1000.42, Illustrative Statement of Firm Philosophy, which provides an illustration of such a statement.
See id.
iii. Section 1000.08(m)—Notification of the Commission of Resignations and Dismissals From Audit Engagements for Commission Registrants
Section 1000.08(m) requires that, if an SECPS member firm has resigned, declined to stand for reelection, or been dismissed as the auditor of an SEC registrant and the registrant has not reported the change in auditors to the SEC in a timely filed Form 8-K, the member firm is to report that the client-auditor relationship has ceased directly, in writing, to the former SEC client and the SEC within five business days.
See SECPS 1000.08(m). Section 1000.08(m) cross-references Appendix D SECPS Section 1000.38, Revised Definition of an SEC Client, which provides the definition of an SEC client, as well as Appendix I SECPS Section 1000.43, Standard Form of Letter Confirming the Cessation of the Client-Auditor Relationship, which provides a standard form of such report.
iv. Section 1000.08(n)—Audit Firm Obligations With Respect to the Policies and Procedures of Correspondent Firms and of Other Members of International Firms or International Associations of Firms
Section 1000.08(n) requires SECPS member firms that are members of, correspondents with, or similarly associated with international firms or international associations of firms to seek adoption of policies and procedures that are consistent with the objectives in Appendix K (SECPS Section 1000.45), SECPS Member Firms With Foreign Associated Firms That Audit SEC Registrants.
See SECPS 1000.08(n).
Appendix K was adopted with the intention of enhancing the quality of SEC filings by issuers whose financial statements are audited by foreign associated firms of SECPS member firms. It requires SECPS member firms to seek adoption by their international organizations or individual foreign associated firms of certain policies and procedures, including:
See SECPS 1000.45.01.
- Procedures to be performed on certain SEC filings by a filing reviewer who is knowledgeable in applicable accounting and auditing standards, independence requirements, and SEC rules and regulations;
- Inspection procedures for a sample of audit engagements performed by foreign associated firms for issuer clients, to be performed by inspection reviewers who are knowledgeable in the same areas as filing reviewers; and
- Policies and procedures under which disagreements between the filing or inspection reviewer and the audit partner-in-charge should be resolved in accordance with the policy of the international organization or the filing or inspection reviewer's firm.
v. Section 1000.08(o)—Policies and Procedures To Comply With Independence Requirements
Section 1000.08(o) requires SECPS member firms to have policies and procedures in place to comply with applicable independence requirements. Section 1000.08(o) cross-references Appendix L, SECPS Section 1000.46, Independence Quality Controls, which requires firms to establish written policies covering relationships with “restricted entities,” for example, relationships between the restricted entity and the member firm, its benefit plans, and its professionals. These relationships include investments, loans, brokerage accounts, business relationships, employment relationships, proscribed services, and fee arrangements. Firms should maintain a database that includes all restricted entities (“restricted entity list”) and make the restricted entity list available to the firm's professionals and to foreign associated firms.
See SECPS 1000.08(o).
PCAOB rules do not mandate that writings be paper-based. See, e.g., paragraph .04 of AS 1215, Audit Documentation (audit documentation may be in the form of paper, electronic files, or other media).
See SECPS 1000.46 (requirement 1).
See id.
See SECPS 1000.46 (requirements 4, 5, and 6).
A senior-level partner should be designated to oversee the independence policies and maintain and communicate the restricted entity list. The policies and procedures also should require:
See SECPS 1000.46 (requirement 5).
- Reviewing the restricted entity list prior to obtaining any security;
- Obtaining independence certifications from the firm's professionals;
- Reporting violations of policies;
- Establishing a monitoring system; and
- Developing policies for potential sanctions for violations of the firm's policies and procedures or professional independence requirements.
The policies and procedures should be made available to all professionals and a training program should be established to provide reasonable assurance that professionals understand the policies.
See SECPS 1000.46 (requirement 3).
3. Observations From Oversight Activities
In the course of conducting inspections of registered public accounting firms and investigating potential violations of PCAOB standards and other related laws and rules governing audits of public companies and audits and attestation engagements of broker-dealers, the PCAOB may identify deficiencies in firms' execution of engagements and in firms' QC systems. Oversight activities also help the PCAOB to identify good practices, both for engagements and for QC systems. The PCAOB also considers information derived from the SEC's enforcement program.
The information on inspections and remediation efforts is limited to those firms that are subject to inspection by the PCAOB.
Over time, firms have implemented a number of changes to their QC systems to remediate deficiencies identified through the PCAOB's inspections program. Examples of changes firms have made in response to the Board's inspections include:
Additional information about the PCAOB remediation process is available on the PCAOB website at https://pcaobus.org/oversight/inspections/remediation/remediation_process .
Examples are drawn from firms' Rule 4009 submissions. A Rule 4009 submission is a confidential submission prepared by a firm, pursuant to PCAOB Rule 4009, Firm Response to Quality Control Defects, concerning the ways in which a firm has addressed a QC criticism. For additional background, see The Process for Board Determinations Regarding Firms' Efforts to Address Quality Control Criticisms in Inspection Reports, PCAOB Rel. No. 104-2006-077 (Mar. 21, 2006).
- Independence—Creating automated links between the firm's tools for tracking subcontractors and evaluating and tracking business relationships to ensure that independence evaluations are complete and timely;
- Engagement Performance—Implementing new policies and procedures for engagement teams to focus on obtaining a thorough understanding of how issuers initiate, record, process, and report significant classes of transactions and how that information is recorded in the financial statements;
- Resources—Creating a committee to evaluate partner performance in relation to audit quality and establishing an accountability framework with penalties for negative audit quality events;
- Monitoring and Remediation—Adding new leadership positions to the internal inspection program, developing new analysis and reporting of internal inspection findings, and disseminating such findings more broadly; and
- Monitoring and Remediation—Adding in-process review and coaching programs to assist engagement teams in certain challenging areas, including internal control over financial reporting (“ICFR”) and accounting estimates.
Observations from PCAOB oversight activities have shown that improvements in quality controls can enhance the quality of engagements. However, PCAOB inspections continue to identify deficiencies related to engagements and the operation of firm QC systems, suggesting that not all firms have made meaningful improvements in these areas. Moreover, the pervasiveness of recent findings regarding such deficiencies—both in terms of the number of firms affected and the percentage of deficient engagements—suggests that an updated QC standard is needed to drive proactive, systemic, and consistent improvements in audit quality rather than just case-by-case improvements in response to firm-specific findings.
See, e.g., Spotlight: Staff Update and Preview of 2021 Inspection Observations (Dec. 2022) (“2021 Inspection Observations Preview”), at 20-22, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/staff-preview-2021-inspection-observations-spotlight.pdf?sfvrsn=d2590627_4 ; Staff Inspection Brief: Staff Preview of 2018 Inspections Observations (May 6, 2019) (“2018 Inspection Observations Preview”), at 1-4, available at https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/inspections/documents/staff-preview-2018-inspection-observations.pdf?sfvrsn=b5f8cb09_0 .
The following discussion summarizes recent observations from PCAOB inspections and investigations of QC systems, including deficiencies and violations—instances of noncompliance with PCAOB requirements—and good practices that the Board believes support and strengthen QC systems. The Board has taken these observations into account in developing the final QC standard and related amendments, rules, and forms.
PCAOB inspections are designed to assess a firm's compliance with PCAOB standards and rules and other applicable regulatory and professional requirements with respect to the firm's QC system and in the portions of engagements selected for review. An inspection does not involve a review of all aspects of a firm's QC system. An inspection also does not necessarily involve a review of all of a firm's engagements, nor is it designed to identify every deficiency in the reviewed engagements. The inspection data are derived from PCAOB inspection reports. Part II of PCAOB inspection reports includes criticisms of, and potential defects in, a firm's QC system, to the extent any are identified. The PCAOB includes, in Part II of its inspection reports, deficiencies observed in inspections of individual engagements when the results indicate that the firm's QC system does not provide reasonable assurance that firm personnel will comply with applicable professional standards and regulatory requirements. In evaluating whether engagement observations are indicative of QC deficiencies, PCAOB staff consider the nature, significance, and frequency of deficiencies; related firm methodology, guidance, and practices; and possible root causes.
a. QC Deficiencies and Violations Observed From Oversight Activities
PCAOB observations have generally revealed that while some firms have made improvements to their QC systems, the progress has been uneven. Even taking that progress into account, in roughly a third of the issuer audits the PCAOB inspected from 2020 to 2022, the auditor's opinion was not adequately supported. This suggests that there is significant room for improvement in QC systems' ability to provide reasonable assurance that firm engagements are performed in accordance with applicable professional standards and regulatory requirements.
See Figure 1 below, and accompanying text for an analysis of 2011-2022 inspections data.
As described below, the PCAOB's observations all too frequently indicate that firms' QC systems did not appear to provide reasonable assurance that firm personnel will comply with applicable professional standards in, among others, the areas of: (1) acceptance of engagements; (2) engagement performance; (3) independence, integrity, and objectivity; (4) personnel management; (5) monitoring; and (6) engagement quality reviews. Below are examples of the PCAOB's observations in these areas.
i. Acceptance of Engagements
A firm's QC system should provide the firm with reasonable assurance that it undertakes only those engagements that the firm can reasonably expect to be completed with professional competence. This includes taking into consideration, among other things, the availability of resources to perform an engagement and the competence of those resources. The PCAOB has observed instances where a firm's lack of policies and procedures in the area of engagement acceptance and continuance resulted in accepting new engagements that were not completed with professional competence and resulted in numerous violations of PCAOB auditing standards.
See QC 20.15.
See, e.g., In the Matter of WithumSmith+Brown, PC, PCAOB Rel. No. 105-2024-010 (Feb. 20, 2024); In the Matter of Jack Shama and Jack Shama, CPA, PCAOB Rel. No. 105-2024-004 (Jan. 23, 2024); In the Matter of Shandong Haoxin Certified Public Accountants Co., Ltd., LIU Kun, MA Yao, SUN Penghuan, and ZHU Dawei, PCAOB Rel. No. 105-2023-045 (Nov. 30, 2023); In the Matter of Alfonse Gregory Giugliano, CPA, SEC Accounting and Auditing Enforcement Release (“AAER”) No. 4458 (Sept. 12, 2023); In the Matter of Marcum LLP, PCAOB Rel. No. 105-2023-005 (June 21, 2023); In the Matter of Marcum LLP, SEC AAER No. 4423 (June 21, 2023).
ii. Engagement Performance
A properly functioning QC system should provide the firm with reasonable assurance that the work performed by engagement personnel meets applicable professional standards, regulatory requirements, and the firm's standards of quality. A QC system cannot provide reasonable assurance if, for example, there are severe, frequent, or widespread deficiencies, or recurring instances of similar types of deficiencies at the engagement level. The PCAOB has observed deficiencies and violations in a range of areas of engagement performance, including, for example:
See QC 20.17.
- Failure to identify and test controls that address risks of material misstatement or sufficiently evaluate review controls;
- Insufficient evaluation of significant assumptions or data used in developing an estimate;
- Unwarranted reliance on data or reports used in testing an issuer's financial reporting controls or in substantive testing;
- Engagement partners' failure to adequately supervise the engagement with due professional care, which contributed to not identifying deficiencies;
- Failure to implement and maintain adequate policies and procedures to provide reasonable assurance that work is performed and documented; and
iii. Independence, Integrity, and Objectivity
A firm's QC system should also provide the firm with reasonable assurance that personnel maintain independence—in fact and in appearance—in all required circumstances. Observations relating to auditor independence have been recurring over the last several years. Examples of these observations frequently have included:
See QC 20.09.
- Violations of independence, including financial relationship and partner rotation requirements of 17 CFR 210.2-01;
- Noncompliance by firm personnel in reporting their financial relationships during the independence confirmation process;
- Independence violations related to the firm providing impermissible non-audit services;
- Noncompliance with PCAOB Rule 3524, Audit Committee Pre-approval of Certain Tax Services, and PCAOB Rule 3526, Communication with Audit Committees Concerning Independence;
- Improper inclusion of indemnification clauses in engagement letters, which impaired independence based on the general standard of independence prescribed by 17 CFR 210.2-01(b); and
- Failure to implement and maintain adequate policies and procedures to provide reasonable assurance that firm personnel timely consult on complex, unusual, or unfamiliar independence issues.
The PCAOB has also observed highly concerning, widespread instances where firm personnel have improperly shared answers on examinations required to obtain or maintain professional licenses. The Board has acted decisively in responding to this conduct, which was prevalent both domestically and internationally. The PCAOB has also observed instances where firm personnel have not acted with integrity by altering work papers or failing to cooperate with the Board.
See, e.g., In the Matter of Navarro Amper & Co., PCAOB Rel. No. 105-2024-025 (Apr. 10, 2024); In the Matter of Imelda & Rekan, PCAOB Rel. No. 105-2024-024 (Apr. 10, 2024); In the Matter of KPMG Accountants N.V., PCAOB Rel. No. 105-2024-022 (Apr. 10, 2024); In the Matter of KPMG LLP (United Kingdom), PCAOB Rel. No. 105-2022-032 (Dec. 6, 2022); In the Matter of Ernst & Young LLP, SEC AAER No. 4313 (June 28, 2022); In the Matter of PricewaterhouseCoopers LLP, PCAOB Rel. No. 105-2022-002 (Feb. 24, 2022); In the Matter of KPMG, PCAOB Rel. No. 105-2021-008 (Sept. 13, 2021); In the Matter of KPMG LLP, SEC AAER No. 4051 (June 17, 2019).
See, e.g., In the Matter of PricewaterhouseCoopers Zhong Tian LLP, PCAOB Rel. No. 105-2023-044 (Nov. 30, 2023); In the Matter of PricewaterhouseCoopers, PCAOB Rel. No. 105-2023-043 (Nov. 30, 2023); KPMG LLP (United Kingdom), PCAOB Rel. No. 105-2022-032; PricewaterhouseCoopers LLP, PCAOB Rel. No. 105-2022-002; KPMG, PCAOB Rel. No. 105-2021-008.
See, e.g., In the Matter of Jose Daniel Melendez Gimenez, PCAOB Rel. No. 105-2022-035 (Dec. 6, 2022); In the Matter of Edgar Mauricio Ramirez Rueda, PCAOB Rel. No. 105-2022-036 (Dec. 6, 2022); In the Matter of Marco Alexander Rodriguez Ramirez, PCAOB Rel. No. 105-2022-037 (Dec. 6, 2022); In the Matter of KPMG S.A.S., PCAOB Rel. No. 105-2022-034 (Dec. 6, 2022); In the Matter of Jonathan B. Taylor, CPA, PCAOB Rel. No. 105-2022-025 (Oct. 18, 2022); Castillo Miranda y Compañía, S.C., PCAOB Rel. No. 105-2019-028; Deloitte Anjin LLC, PCAOB Rel. No. 105-2019-025; Deloitte Touche Tohmatsu Auditores Independentes, PCAOB Rel. No. 105-2016-031.
See, e.g., Shandong Haoxin Certified Public Accountants Co., Ltd., PCAOB Rel. No. 105-2023-045; Jose Daniel Melendez Gimenez, PCAOB Rel. No. 105-2022-035; Edgar Mauricio Ramirez Rueda, PCAOB Rel. No. 105-2022-036; Marco Alexander Rodriguez Ramirez, PCAOB Rel. No. 105-2022-037; Jose Daniel Melendez Gimenez, PCAOB Rel. No. 105-2022-035; Castillo Miranda y Compañía, S.C., PCAOB Rel. No. 105-2019-028; Deloitte Touche Tohmatsu Auditores Independentes, PCAOB Rel. No. 105-2016-031.
These recurring deficiencies and violations suggest that some firms and their personnel either do not have the requisite understanding of applicable independence and ethics requirements, or, as evidenced by the systemic nature of certain of these violations, do not have appropriate controls in place to prevent violations.
See 2021 Inspection Observations Preview at 19; 2019 Inspections Outlook at 2.
iv. Personnel Management
The quality of a firm's work ultimately depends on the integrity, objectivity, intelligence, competence, experience, and motivation of personnel who perform, supervise, and review the work. A firm's QC system should provide the firm with reasonable assurance that personnel participate in general and industry-specific CPE and other professional development activities that enable them to fulfill responsibilities assigned and satisfy applicable CPE requirements. A firm's QC system also should provide the firm with reasonable assurance that personnel possess the appropriate characteristics to enable them to perform competently and that work is assigned to personnel having the degree of technical training and proficiency required in the circumstances.
See QC 20.12.
See QC 20.13c.
See QC 20.13a. and b.
The PCAOB has observed deficiencies related to compliance with the firm's auditing policies and procedures. The PCAOB also has observed deficiencies and violations where the firm did not assign personnel to engagements who had the training and proficiency required to perform audit work in accordance with PCAOB standards.
See 2022 Inspection Observations Preview at 18.
See, e.g., Jack Shama, PCAOB Rel. No. 105-2024-004; In the Matter of Hall & Company Certified Public Accountants & Consultants, Inc., and Anthony J. Price, CPA, PCAOB Rel. No. 105-2022-029 (Nov. 3, 2022); In the Matter of PKF O'Connor Davies, LLP, PCAOB Rel. No. 105-2022-001 (Jan. 25, 2022); In the Matter of WDM Chartered Professional Accountants, PCAOB Rel. No. 105-2021-016 (Sept. 30, 2021); In the Matter of Grant Thornton LLP, PCAOB Rel. No. 105-2017-054 (Dec. 19, 2017); BDO Auditores, S.L.P., Santiago Sañé Figueras, and José Ignacio Algás Fernández, PCAOB Rel. No. 105-2017-039.
v. Monitoring
A firm's QC system should provide the firm with reasonable assurance that its policies and procedures are suitably designed and effectively applied. The PCAOB has observed situations where a firm's internal inspection procedures did not detect significant audit deficiencies or the firm did not make changes to address repeated identified audit deficiencies. These deficiencies and violations were subsequently identified through SEC and PCAOB oversight.
See QC 20.20.
See, e.g., 2022 Inspection Observations Preview at 19.
See, e.g., In the Matter of KPMG Assurance and Consulting Services LLP and Sagar Pravin Lakhani, PCAOB Rel. No. 105-2022-033 (Dec. 6, 2022); In the Matter of Friedman LLP, SEC AAER No. 4339 (Sept. 23, 2022); In the Matter of BMKR LLP and Joseph Mortimer, CPA, PCAOB Rel. No. 105-2022-003 (Feb. 24, 2022); PKF O'Connor Davies, LLP, PCAOB Rel. No. 105-2022-001; WDM Chartered Professional Accountants, PCAOB Rel. No. 105-2021-016; In the Matter of Haskell & White LLP, PCAOB Rel. No. 105-2021-006 (Aug. 13, 2021); In the Matter of RBSM LLP, PCAOB Rel. No. 105-2021-004 (Aug. 9, 2021); Castillo Miranda y Compañía, S.C., PCAOB Rel. No. 105-2019-028; Marcum LLP, PCAOB Rel. No. 105-2019-022; Marcum Bernstein & Pinchuk LLP, PCAOB Rel. No. 105-2019-023; PricewaterhouseCoopers, S.C., PCAOB Rel. No. 105-2019-017; In the Matter of Bharat Parikh & Associates Chartered Accountants, Bharatkumar Balmukund Parikh, FCA, and Anuj Bharatkumar Parikh, PCAOB Rel. No. 105-2019-003 (Mar. 19, 2019); Grant Thornton, PCAOB Rel. No. 105-2017-054.
vi. Engagement Quality Reviews
Both the PCAOB and SEC have identified deficiencies and violations in audit areas that require evaluation by the engagement quality reviewer (“EQR”), which suggests the EQR did not perform the evaluation with due professional care. Additionally, for certain broker-dealer audit and attestation engagements, the PCAOB has observed instances where engagement quality reviews were not performed or sufficiently documented and policies and procedures did not provide reasonable assurance that engagement quality reviews were performed with due professional care.
See, e.g., Spotlight: Inspection Observations Related to Engagement Quality Reviews (Oct. 2023), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/eqr-spotlight.pdf?sfvrsn=95a345e6_4; 2022 Inspection Observations Preview at 19; 2021 Inspection Observations Preview at 20; 2018 Inspection Observations Preview, at 4; 2020 Inspection Observations Preview at 12.
See, e.g., In the Matter of RAM Associates & Company LLC and Parameswara K. Ramachandran, PCAOB Rel. No. 105-2023-021 (Aug. 8, 2023); In the Matter of Total Asia Associates PLT, PCAOB Rel. No. 105-2023-007 (June 23, 2023); In the Matter of RT LLP, PCAOB Rel. No. 105-2023-002 (Apr. 11, 2023); In the Matter of Donald R. Burke, CPA, PCAOB Rel. No. 105-2021-012 (Sept. 29, 2021); RBSM LLP, PCAOB Rel. No. 105-2021-00; In the Matter of Cheryl L. Gore, CPA and Stanley R. Langston, CPA, PCAOB Rel. No. 105-2021-020 (Dec. 14, 2021); Whitley Penn LLP, PCAOB Rel. No. 105-2020-002; In the Matter of Helen R. Liao, CPA, PCAOB Rel. No. 105-2020-014 (Sept. 24, 2020); In the Matter of Crowe Horwath LLP, Joseph C. Macina, CPA, and Kevin V. Wydra, CPA, SEC AAER No. 4007 (Dec. 21, 2018); In the Matter of BDO Auditores, S.L.P., PCAOB Rel. No. 105-2017-039.
See, e.g., In the Matter of Alvarez & Associates, Inc., Certified Public Accountants, and Vicente Alvarez, CPA, PCAOB Rel. No. 105-2022-039 (Dec. 21, 2022); In the Matter of Citrin Cooperman & Company, LLP, Joseph Puglisi, CPA, Mark Schniebolk, CPA, and John Cavallone, CPA, PCAOB Rel. No. 105-2022-007 (May 11, 2022).
See Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers, PCAOB Rel. No. 2023-005 (Aug. 10, 2023) (“2022 Broker-Dealer Inspection Report”), at 31.
b. Good Practices Observed From Inspections
The following observations regarding good QC practices are based on inspections in recent years. A good QC practice could be a procedure, technique, or methodology that is appropriately comprehensive and suitably designed in relation to a firm's size and the nature and complexity of the firm's practice. The Board has taken these observations into account in its consideration of QC 1000, while recognizing that the nature, extent, and formality of the design, implementation, and operation of QC systems can vary across firms.
See, e.g., 2022 Inspection Observations Preview; 2021 Inspection Observations Preview; 2020 Inspection Observations Preview; 2019 Inspection Observations Preview; and 2018 Inspection Observations Preview.
i. Well-Defined QC System
A well-defined QC system includes all key elements of quality control and is supported by documentation that helps to promote firm personnel's understanding and consistent application of the firm's QC system. Helpful characteristics that the PCAOB has observed in some firms' QC systems include:
- Narratives and process flows that articulate how and where quality objectives fit within the QC processes and define risks posed to those quality objectives, including considering what could go wrong along the way; and
- Developing risk and control matrices that include well-defined controls.
ii. Accountability for Audit Quality
Leadership involvement in and commitment to a firm's QC system sets the tone at the top and drives clear expectations regarding the importance of audit quality. The PCAOB observed positive behaviors where firms have placed an emphasis on the importance of audit quality through extending accountability beyond engagement partners to other key leaders at the firm, such as audit quality leaders, technical experts, and office leaders, through performance management processes.
See 2018 Inspection Observations Preview at 2.
iii. Root Cause Analysis of Identified Deficiencies
Identifying causal factors for engagement and QC deficiencies (i.e., root cause analysis) can enable a firm to determine the appropriate response to and remediation of deficiencies and modify policies and procedures to prevent similar occurrences in the future. The PCAOB has observed that thorough root cause analyses drive better remediation of identified deficiencies. If root cause analysis is performed by a centralized team, having a defined process to share data and lessons learned outside of the root cause analysis team may further enhance the performance of a firm's QC system.
Through its inspection activities the PCAOB has observed that some firms' root cause analysis programs have significantly evolved since the PCAOB was formed. The PCAOB has observed that some firms' approach to root cause analysis includes one or more of the following:
- Interviews with engagement teams and firm leadership;
- Use of proprietary tools to analyze large amounts of data;
- Root cause analysis training and the use of templates to facilitate consistency;
- Consideration of available performance metrics, such as engagement hours, training records, audit milestone dates, and partner experience years; and
- Consideration of positive quality events (i.e., actions, behaviors, or conditions that resulted in positive outcomes, such as where aspects of the firm's QC system operated effectively or where no engagement deficiencies were identified for individual engagements) to identify whether such actions, behaviors, or conditions were present on engagements where QC deficiencies were identified.
iv. Timely Monitoring and Evaluation Activities
Timely and effective monitoring activities drive high-quality audits. The PCAOB has observed several good practices followed by some firms in their monitoring activities, including:
- Increased real-time monitoring of in-process audit engagements, for example, through pre-issuance reviews or coaching programs;
- Formalized monitoring processes and actions for defined triggering events, including restatements, internal and external inspection results, and results of peer reviews; and
- Mature QC processes including internal self-certifications of the effectiveness of QC components and sub-components.
Other Developments Since the Adoption of Current PCAOB QC Standards
Since the PCAOB's current QC standards were first developed and issued, the auditing environment has changed significantly. The current QC standards were developed in the context of the self-regulatory peer-review system that existed before the establishment of the PCAOB. Therefore, they were not written with a view to inspection and enforcement by a regulator and do not address the current regulatory environment, including firms' responsibilities with respect to information brought to their attention through the PCAOB inspection process.
Since the QC standards were established, there have been significant developments in the availability and use of technologies and data analytic techniques, the organizational structure and management of firms have changed, and some firms have significantly increased their focus on governance and quality control.
For example, there have been significant developments in the use of technology by firms in relation to QC activities and performing engagements. Some firms have made significant investments in internally developed tools for use in the audit. The increased availability of “off-the-shelf” technologies, such as analytical software packages, has made some tools more readily available for use by firms. Firms developing or acquiring new technology-based tools, making changes to existing tools, and training firm personnel on how and when to use such tools have had impacts on QC. Many of these tools may reduce risk, for example by reducing the possibility of human error and enabling the analysis of whole populations of transactions rather than samples. But they may also create new risks if they do not work as intended or are used incorrectly.
Furthermore, some firm management and organizational structures have evolved to include more focus on centralization and a globally consistent methodology. Some firms have increased their use of services and resources supplied by firm networks, affiliates, and third-party providers. For example, some global networks are increasingly imposing requirements on member firms regarding the use of methodologies, technology, and policies and procedures that are developed or established at the network level. Some firms have also increased their use of shared service centers to assist with QC activities or performing engagements. In addition, some firms have changed their governance structures either voluntarily or due to changes in legal requirements. At the same time, some firms have begun to publish “transparency reports” that seek to inform the public about the firm's operations and quality control systems and practices.
See, e.g., the UK Financial Reporting Council, Audit Firm Governance Code (Apr. 2022) available at https://www.frc.org.uk/getattachment/5af7cdb7-a093-4da8-94d7-f4486596e68c/FRC-Audit-Firm-Governance-Code_April-2022.pdf , and the Japan Financial Services Agency, Audit Firm Governance Code (Mar. 2017) available at https://www.fsa.go.jp/news/28/sonota/20170331-auditfirmgc/3.pdf .
Additionally, some firms have strengthened their approaches to firm governance and leadership, incentive systems, culture, and accountability. For example, some firms have added external parties to oversight roles. Some firms have also augmented their monitoring and remediation processes, including through implementing or enhancing ongoing monitoring activities and internal inspection processes, establishing processes for considering PCAOB inspection findings, performing root cause analysis, and increasing remediation efforts. Observations from PCAOB oversight activities have shown that improvements in quality controls can enhance the quality of audits. However, as noted above, PCAOB oversight activities continue to identify pervasive deficiencies, suggesting that many firms have meaningful improvements to make.
See, e.g., 2018 Inspection Observations Preview at 1-4.
There have also been notable advances in internal control, quality management, and enterprise risk management frameworks and approaches, including the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) framework for internal control and the International Organization for Standardization (“ISO”) quality control standard ISO 9000:2015. Many of these share important commonalities, stressing active involvement of leadership, focus on risk, clearly defined objectives, objective-oriented processes, monitoring, and remediation of identified issues. Academic research suggests that these frameworks improve company performance.
See, e.g., COSO, Internal Control-Integrated Framework (May 2013). An executive summary of COSO's internal control framework is available at https://www.coso.org/_files/ugd/3059fc_1df7d5dd38074006bce8fdf621a942cf.pdf.
More information about ISO 9000:2015 is available at https://www.iso.org/standard/45481.html.
See Benefits of related frameworks below.
Actions by Other Standard Setters
Following is a brief description of the quality control standards adopted by the IAASB and the AICPA.
1. IAASB
The IAASB identified concerns related to its then effective QC standard, International Standard on Quality Control (ISQC) 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements, and decided to take steps to improve the standard. In December 2020, the IAASB released a suite of new quality management standards, including International Standard on Quality Management 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements (“ISQM 1”), which became effective on December 15, 2022.
In addition to ISQM 1, the IAASB adopted two other standards, International Standard on Quality Management 2, Engagement Quality Reviews (“ISQM 2”), and International Standard on Auditing 220 (Revised), Quality Management for an Audit of Financial Statements (“ISA 220 (Revised)”). ISQM 2 operates at the firm level, and is analogous to PCAOB AS 1220, Engagement Quality Review. ISA 220 (Revised) operates at the engagement level and deals with the engagement partner's and the engagement team's responsibilities for quality management for an audit of financial statements. Similar topics are addressed in PCAOB standards in AS 1201, Supervision of the Audit Engagement.
ISQM 1 sets forth eight components of a QC system that operate in an iterative and integrated manner, as well as other requirements. See IAASB Fact Sheet, Introduction to ISQM 1, Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements (Dec. 2020), available at https://www.ifac.org/system/files/publications/files/IAASB-ISQM-1-Fact-Sheet.pdf.
2. AICPA
In May 2022, the Auditing Standards Board of the AICPA adopted new quality management standards designed to improve a firm's risk assessment and audit quality, including Statement on Quality Management Standards (SQMS) No. 1, A Firm's System of Quality Management (“SQMS 1”). The AICPA's quality management standards closely align with the IAASB's quality management standards, adapted for private companies in the United States. The new AICPA standards will become effective on December 15, 2025.
The AICPA's other QC standards are SQMS No. 2, Engagement Quality Reviews; Statement on Auditing Standards (SAS) No. 146, Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards; and Statement on Standards for Accounting and Review Services (SSARS) No. 26, Quality Management for an Engagement Conducted in Accordance With Statements on Standards for Accounting and Review Services.
PCAOB Outreach and Research
The Board and its advisory groups have long considered the potential for improvements to PCAOB QC standards. For example, in 2010, the Standing Advisory Group (“SAG”) discussed a potential QC rulemaking project, including considerations and potential challenges in designing and implementing a QC system. In 2014, the SAG discussed how QC standards may benefit from stronger requirements and other enhancements with respect to, for example, firm culture and tone at the top, firm risk assessment, and monitoring of the quality control system, including use of root cause analyses. In 2018, the SAG discussed whether additional or more specific direction in the quality control standards with respect to governance and leadership would lead to enhancements in firm quality control systems. Advisory group members have generally supported including requirements concerning firm governance and leadership in PCAOB QC standards.
See Briefing Paper for the Standing Advisory Group, Designing and Implementing a System of Quality Control (Oct. 13, 2010). An archive of SAG meeting agendas, briefing papers, and webcasts is available at https://pcaobus.org/about/advisory-groups/archive-advisory/standing-advisory-group/sagmeetingarchive. The materials for the Oct. 13-14, 2010, SAG meeting are available at https://pcaobus.org/news-events/events/event-details/standing-advisory-group-meeting_476.
See Briefing Paper for the Standing Advisory Group, Initiatives to Improve Audit Quality—Root Cause Analysis, Audit Quality Indicators, and Quality Control Standards (June 24, 2014) (“June 2014 SAG Briefing Paper”). The materials for the June 24-25, 2014, SAG meeting are available at https://pcaobus.org/news-events/events/event-details/pcaob-standing-advisory-group-meeting_772.
See Briefing Paper for the Standing Advisory Group, Quality Control: Governance and Leadership (Nov. 29, 2018). The materials for the Nov. 29, 2018, SAG meeting are available at https://pcaobus.org/news-events/events/event-details/standing-advisory-group-meeting_1137.
Rulemaking History
On December 17, 2019, the Board issued the concept release to explore the possibility of revising PCAOB QC standards. The concept release described an approach similar to the approach taken by the then-proposed ISQM 1, with certain differences and alternative requirements to specifically address the PCAOB's objectives, including establishing requirements that:
- Align with U.S. Federal securities law, SEC rules, and other PCAOB standards and rules;
- Retain important topics in current PCAOB QC standards;
- Address specific emerging risks and problems observed through PCAOB oversight activities; and
- Provide more definitive direction to prompt appropriate implementation of certain requirements.
The Board received 36 comment letters in response to the concept release. Commenters included firms and related groups, investors and related groups, academics, trade groups, and others.
The comment letters received in response to the concept release are available on the Board's website in Docket 046.
On November 18, 2022, the Board issued a proposal to supersede current PCAOB QC standards with an integrated, risk-based standard, QC 1000, A Firm's System of Quality Control, that would apply to all registered firms. The Board received 42 comment letters in response to the proposal. Commenters included firms and related groups, investors and related groups, academics, trade groups, and others. The Board has considered all comments in developing the final standard and related amendments, and commenter input is included where relevant in the discussion that follows.
The comment letters received in response to the proposal are available on the Board's website in Docket 046. In addition to 42 letters received from commenters, Docket 046 includes an analysis prepared by the PCAOB Office of Economic and Risk Analysis.
Areas of Improvement to the QC Standards
Taking into account the foregoing considerations, as well as careful consideration of comments received, the Board adopted changes to its QC standards that it believes will drive significant improvements in firms' QC systems, by:
- Emphasizing accountability, firm culture and the “tone at the top,” and firm governance through requirements for specified roles within and responsibilities for the QC system, including at the highest levels of the firm; quality objectives that link compensation to quality; and, for the largest firms, the requirement of an independent perspective on firm governance;
- Striking the right balance between a risk-based approach to QC—which should drive firms to proactively identify and manage the specific risks associated with their practice—and a set of mandates, including mandatory quality objectives; mandatory processes for risk assessment, monitoring and remediation, and QC system evaluation; and specific requirements in key areas—which should assure that the QC system is designed, implemented and operated with an appropriate level of rigor;
- Addressing changes in the audit practice environment, including the increasing participation of other firms and other outside resources, the role of firm networks, the evolving use of technology and other resources, and the increasing importance of internal and external firm communications;
- Broadening responsibilities for monitoring and remediation of deficiencies to encourage an ongoing feedback loop that drives continuous improvement; and
- Requiring a rigorous annual evaluation of the firm's QC system and related reporting to the PCAOB, certified by key personnel, to underscore the importance of the annual evaluation of the QC system, reinforce individual accountability, and support PCAOB oversight.
In the Board's view, the basic objectives of the QC system should be the same for all firms, but the scope of the QC standard and how it applies should take into account wide disparities in nature and circumstances across registered firms, in particular the extent to which their practices include engagements required to be performed under PCAOB standards, and the complexity of such engagements. The risks that firms face, and therefore the specific policies and procedures necessary to appropriately serve investor interests through an effective QC system, vary significantly from the largest firms, operating as part of global networks, to local firms or sole proprietorships. The scalability of the new QC standard is discussed in greater detail below.
QC 1000: Basic Structure, Terminology, and Scalability
Basic Structure
1. Considerations Informing the Structure of QC 1000
Informed by its observations and assessment of changes to auditing practice, the Board believes it is critical that its new QC standard strikes an appropriate balance between risk-based elements, which should drive firms to proactively identify and manage the specific risks associated with their practice, and a set of mandates to assure that the QC system is designed, implemented, and operated with an appropriate level of rigor. Moreover, the Board believes the new QC standard should foster a proactive approach to QC that drives continuous improvement. Based in part on its observations, the Board also believes its new standard should include specific requirements for some important areas of the QC system that are addressed more generally in current PCAOB QC standards, such as firm governance and leadership, technology and other firm resources, and firm communications.
QC 1000 addresses all the areas of QC that Sarbanes-Oxley requires PCAOB QC standards to address, which the Board believes will provide a robust framework for a firm's QC system. It incorporates eight components, which are based on mandatory elements and mandatory processes that create a basic structure applicable to all firms. For example, as discussed in more detail below, QC 1000 establishes mandatory, outcome-based quality objectives and mandatory processes for risk assessment and monitoring and remediation. Within the structure created by these mandates, firms will develop their own policies and procedures based on the specific risks created by their circumstances and practice. QC 1000 also includes requirements for annual evaluation of the QC system and reporting to the PCAOB on that evaluation, which the Board believes will add rigor and accountability to the firm's evaluation of whether the QC system has met its objectives, and will strengthen the feedback loop that drives continuous improvement.
The structure itself addresses areas that current PCAOB standards do not directly address, such as firm governance and leadership, technology and other firm resources, and firm communications. In addition, to the extent it is principles-based and focused on the specific risks faced by the firm, the structure is inherently scalable and can be applied to firms of all sizes and circumstances.
The structure of QC 1000 has commonalities with the structure of ISQM 1 and SQMS 1. While the approach taken in ISQM 1 and SQMS 1 has informed the Board's thinking, the Board has carefully analyzed every aspect of that approach and considered where to align and where to further strengthen the PCAOB standard by including alternative or incremental provisions that the Board believes will better serve investor protection and the public interest. The Board believes that building on a well-understood basic framework, appropriately tailored and strengthened to address its legal and regulatory environment and its investor protection mandate, will enable firms to implement and comply with QC 1000 more effectively. In designing, implementing, and operating their QC systems, firms that are subject to both PCAOB standards and IAASB or AICPA QC standards—which the Board believes constitute a very substantial majority of firms that perform engagements under PCAOB standards—can leverage the work they have already done and the investments they have already made to comply with those other requirements.
See below for a discussion of the assumptions regarding the baseline.
Many commenters, including firms and related groups, were generally supportive of structuring QC 1000 in a manner similar to the structure of ISQM 1 and SQMS 1. However, several commenters, including firms and related groups, suggested that further alignment should be considered, and any differences should be minimized. Several commenters suggested that firms would be subject to at least two different quality management/quality control systems, and commented that this would be impractical for firms to operate. The Board does not believe that QC 1000 conflicts with the requirements of other standard setters or that anything prevents firms from developing a single QC system for their entire practice that satisfies both PCAOB requirements and other professional standards to which the firm is subject. The Board acknowledges certain differences between QC 1000 and the quality management standards set by other standard setters, in particular areas where QC 1000 establishes additional or more stringent requirements. However, the Board believes that quality responses developed by firms under QC 1000 can be considered by firms for the purposes of other quality management standards to which they are subject, reducing the need for two or more separate QC systems.
One investor-related group did not support the framework of the standard, arguing that ISQM 1 is a process-driven and compliance-oriented framework that does not encourage firms to meaningfully enhance their QC systems for the benefit of investors. Another investor expressed concern regarding the reliance on ISQM 1 in the development of QC 1000 on the basis that it does not always reflect the best interests of investors. The Board continues to believe that a common basic structure among quality control standards is beneficial. This is not only cost beneficial, but it also supports a firm's ability to operate a single, consistent QC system over its whole practice, which the Board believes ultimately supports audit quality. Where appropriate, QC 1000 goes beyond ISQM 1 to incorporate more detailed or more stringent provisions that are specifically relevant to the U.S. regulatory environment and investors.
Several commenters supported a principles-based approach to QC 1000. However, some commenters suggested that the specified quality responses throughout the standard impose prescriptive requirements that are not consistent with maintaining a principles-based approach. Others expressed a different perspective, suggesting that the standard was too principles-based, providing the firms with too much flexibility in designing, implementing, and operating their QC systems. For example, an investor expressed concern that a principles-based approach does not always reflect the best interests of investors. Other investor-related groups expressed concerns that a principles-based approach allows audit firms to conduct their own risk assessment and design their own controls to manage risks, including making the determination of whether QC deficiencies exist and are remediated without any public awareness or accountability. One of these investor-related groups suggested that an emphasis on a risk-based approach will result in little to no change at the largest auditing firms as they believe that this approach is already embedded in their QC systems. Another investor-related group commented that the proposed standard set the bar too low and failed to focus on audit quality and accountability such that it would only perpetuate the status quo.
The Board has retained the approach as proposed. The Board believes that QC 1000 strikes the right balance between mandatory and risk-based elements. As discussed in more detail below, QC 1000 establishes a mandatory minimum set of outcome-based quality objectives that apply to all firms. Firms generally cannot omit or modify any of the quality objectives set out in the standard. Therefore, firms do not determine the criteria by which their QC systems will be assessed, only the means by which they will meet those criteria. Moreover, QC 1000 establishes requirements with which all firms will have to comply for roles and responsibilities within the QC system and the firm's risk assessment process, monitoring and remediation process, and evaluation process, as well as specified quality responses applicable to all firms in areas that the Board believes justify a more prescriptive approach. It also includes evaluation and reporting requirements that the Board believes will add accountability and rigor to the annual evaluation.
Within that framework, QC 1000 requires firms to develop the policies and procedures they need to achieve the quality objectives and the overall objective of the QC system. The Board believes this more principles-based aspect of the standard will prompt firms to identify and focus on the most relevant risks to quality in the context of their own practice and will make QC 1000 appropriately scalable. This approach also allows for the standard to be operable by firms of all sizes. Smaller PCAOB audit practices can scale down their responses to fit the risks associated with a small practice, and as the practice grows, the firm can scale up to respond to new quality risks. In addition, the Board believes that this approach will make it less likely that the standard will need to be amended in the future in response to changes in the auditing environment, including the use of technology.
2. Components of the QC System
Under QC 1000, the QC system consists of eight components that are designed to be highly integrated:
Two process components:
- The firm's risk assessment process
- The monitoring and remediation process
Six components that address aspects of the firm's organization and operations:
- Governance and leadership
- Ethics and independence
- Acceptance and continuance of engagements
- Engagement performance
- Resources
- Information and communication
The risk assessment process applies to these six components, requiring firms to:
- Establish outcome-based “quality objectives,” including those specified throughout the standard (i.e., the desired outcomes to be achieved by the firm with respect to that component);
- Design and implement “quality responses” (i.e., policies and procedures to address quality risks); and
- Establish policies and procedures to monitor internal and external changes that may require modifications to the quality objectives, quality risks, or quality responses.
The monitoring and remediation process applies to all of the components of the QC system, including monitoring and remediation itself (i.e., firms are required to identify and remediate deficiencies that are observed in their monitoring and remediation activities).
The firm is also required to evaluate and report on its QC system annually, based on the results of its monitoring and remediation activities.
The following diagram illustrates the structure of the firm's QC system under QC 1000:
3. Quality Objectives, Quality Risks, and Quality Responses, Including Specified Quality Responses
For each of the six components to which the risk assessment process applies, QC 1000 specifies required quality objectives. While QC 1000 provides some flexibility with regard to the quality risks that firms are required to identify and the quality responses that firms are required to develop to address those risks, it does not provide the same flexibility with regard to quality objectives. Instead, quality objectives that will apply to all firms are specified in the standard. Firms can establish additional quality objectives—indeed, they are required to do so if necessary to achieve the objective of the QC system—but they generally cannot omit or modify any of the quality objectives set out in the standard. The Board believes that, for many firms, the quality objectives specified in the standard are likely to be comprehensive, and does not expect in the current environment that additional quality objectives would generally be necessary. However, the Board also recognizes that the nature and circumstances of a firm and its engagements will vary and the environment may change. Accordingly, firms are required to establish additional quality objectives, if necessary. The quality objectives established by this standard set forth a floor rather than a ceiling.
See “The Firm's Risk Assessment Process” below.
Firms are required to identify and assess quality risks to the achievement of the established quality objectives. They are required to develop quality responses to address the assessed quality risks. Quality responses are defined as policies and procedures designed and implemented by the firm to address quality risks; policies are statements of what should, or should not, be done to address an assessed quality risk, and procedures are actions to implement and comply with policies. As proposed, the definition of quality responses provided that policies “may be documented or explicitly stated in communications.” In the final rule, that sentence was eliminated to avoid confusion or potential conflict with the documentation requirements set out in QC 1000.81-83.
The correspondence across quality objectives, quality risks, and quality responses is generally not one-to-one. Most quality objectives are likely to have multiple quality risks. Some quality risks may affect one or more quality objectives, either within a single component or across several components, and may require multiple quality responses. Some quality responses may address multiple quality risks.
Quality responses would typically be specific to the firm, to respond to its particular assessed quality risks. QC 1000 also includes some specified quality responses, which are mandatory for the firms to which they apply. Specified quality responses carry requirements from current PCAOB standards into QC 1000 or provide new requirements that the Board believes are important to a firm's QC system. The specified quality responses are not intended to be comprehensive; on the contrary, for most of the components of the firm's QC system, the standard includes only a few specified quality responses, and for the engagement performance component there are none. As a result, the specified quality responses alone will not be sufficient to enable the firm to achieve all established quality objectives; firms are required to design and implement their own quality responses. Both the specified quality responses and the quality responses the firm designs and implements on its own are critical in addressing quality risks. The following graphic illustrates the relationship between all quality responses (i.e., the quality responses necessary to achieve all established quality objectives) and the specified quality responses established in QC 1000:
Terminology
This section discusses some of the terminology used throughout QC 1000. Appendix A to QC 1000 defines several terms used in the standard.
Two commenters indicated that the proposed terminology was understandable and appropriate, but most commenters on the topic requested that the terminology used in QC 1000 be consistent with the terminology used by other standard setters, primarily to avoid potential confusion and ensure that the process of evaluating the QC system and the conclusion reached as to its effectiveness would be the same under both standards. The Board continues to believe that its proposed terminology is necessary to capture the basic concepts used in QC 1000, which differ in some respects from the concepts used by other standard setters, particularly as regards “other participants,” as the Board has defined that term, and the annual QC system evaluation process, which is grounded in the concepts of “engagement deficiency,” “QC deficiency,” and “major QC deficiency.” While this approach will result in an incremental burden for firms that seek to comply with other QC standards as well as QC 1000, the Board believes that the burden is justified. The Board also believes that, just as firms can perform audits under different auditing standards, they can learn to implement and operate a QC system under different QC standards. Accordingly, with the clarifications described below, the Board adopted the terminology substantially as proposed.
1. Applicable Professional and Legal Requirements
As discussed in more detail below, compliance with applicable professional and legal requirements is a fundamental concept under QC 1000, driving the objective of the QC system as well as many quality objectives and specified quality responses. The proposed standard defined “applicable professional and legal requirements” as:
- Professional standards, as defined in PCAOB Rule 1001(p)(vi);
- Rules of the PCAOB that are not professional standards; and
- To the extent related to the obligations and responsibilities of accountants or auditors or to the conduct of engagements, rules of the SEC, other provisions of U.S. Federal securities law, and other applicable statutory, regulatory, and other legal requirements.
Two commenters supported the definition as proposed. One commenter recommended including the profession's ethical standards explicitly. Two commenters stated the phrase “other applicable statutory, regulatory, and other legal requirements” could be read broadly and extend beyond regulations that directly bear on the conduct of audit engagements. Another commenter suggested amending the definition of “professional standards” in PCAOB Rule 1001(p)(vi) to refer to “quality control standards” rather than “quality control policy and procedures.”
In response to comments, the Board made changes to the third, more general clause of the definition. As one commenter suggested, the Board expanded the definition to explicitly mention ethics laws and regulations. While the definition as proposed encompassed applicable ethics requirements, the Board believes an express reference will help to remind firms and individuals of the centrality of ethics considerations. The Board also refined the definition to make clear that it encompasses statutory, regulatory, and other legal requirements beyond professional standards and other PCAOB rules “[t]o the extent related to the obligations and responsibilities of accountants or auditors in the conduct of engagements or in relation to the QC system.” This change is designed to limit the breadth of the definition to the relevant circumstances.
These include those arising under state law or the law of other jurisdictions (e.g., obligations regarding client confidentiality). See QC 1000 footnote 10.
The phrase “quality control policies and procedures,” used in PCAOB Rule 1001(p)(vi), is drawn from section 110(5) of Sarbanes-Oxley. The Board believes its rule should continue to align with that statutory provision.
This definition captures all professional and legal requirements specifically related to engagements under PCAOB standards of issuers and SEC-registered broker-dealers, including relevant accounting, auditing, and attestation standards, PCAOB and SEC rules, other provisions of Federal securities law, other relevant laws and regulations (e.g., state law and rules governing accountants), applicable ethics law and rules, and other legal requirements related to the obligations and responsibilities of accountants or auditors in the conduct of the firm's engagements or in relation to the QC system. It does not encompass requirements that apply to businesses generally, such as tax laws, safety regulations, and employment law.
For avoidance of doubt, the requirements relating to compliance with applicable professional and legal requirements are meant to make clear that, as relates to engagements subject to PCAOB standards, all applicable professional and legal requirements must be followed. The requirement does not suggest that application of “other applicable statutory, regulatory, and other legal requirements” could supersede rules of the SEC, other provisions of U.S. Federal securities law, rules of the PCAOB that are not professional standards, or PCAOB professional standards. On the contrary, requirements relating to “applicable professional and legal requirements” are meant to highlight the importance of adhering to other requirements when those requirements do not conflict with or abridge requirements of Federal securities laws, PCAOB rules, or PCAOB standards.
2. Engagement
The proposed standard defined “engagement” as (1) any audit, attestation, review, or other engagement under PCAOB standards performed by a firm, or (2) any engagement in which a firm “play[s] a substantial role in the preparation or furnishing of an audit report” as defined in PCAOB Rule 1001(p)(ii). In the final standard, the term “engagement” encompasses the same scope as it did in the proposal—when the firm leads an engagement as lead auditor or practitioner, or plays a substantial role—but the definition has been restructured for clarity.
Generally, and as described in more detail in Rule 1001(p)(ii), a firm plays a substantial role in the preparation or furnishing of an audit report if (1) its engagement hours or fees constitute 20% or more of the total engagement hours or fees or (2) it performs the majority of the audit procedures with respect to a subsidiary or component whose assets or revenues constitute 20% or more of the consolidated assets or revenues of the issuer, broker, or dealer.
The final standard defines “engagement” as any audit, attestation, review, or other engagement performed under PCAOB standards:
- Led by a firm; or
- In which a firm “play[s] a substantial role in the preparation or furnishing of an audit report” as defined in PCAOB Rule 1001(p)(ii).
The definition covers not only circumstances in which the firm serves as the lead auditor or the “practitioner” for an attestation engagement, which is what is customarily meant by the term engagement, but also any substantial role work the firm undertakes. The Board's view is that this additional breadth is appropriate because playing a substantial role in an engagement for an issuer or broker-dealer is sufficient to require a firm to register with the PCAOB. The definition covers all engagements under PCAOB standards performed by the firm, whether the application of PCAOB standards is legally required (e.g., for audits of issuers and broker-dealers) or undertaken pursuant to contractual agreement, where permitted but not required under SEC rules, or for any other reason.
Commenters on the definition of “engagement” generally supported it. One commenter requested clarification as to why the definition does not include work performed at less than a substantial role, given that the standard includes requirements regarding such work.
The Board defined “engagement” to exclude work performed on other firms' PCAOB engagements at less than a substantial role because it believes the auditor responsibilities associated with such work, and the risks posed by it, are materially different than the responsibilities and risks associated with a firm leading an engagement or playing a substantial role. QC 1000 contains provisions specifically applicable to work performed on other firms' PCAOB engagements at less than a substantial role, which have been tailored to reflect those responsibilities and risks. The Board believes this tailored approach is appropriate.
PCAOB registration rules reflect this difference in risk profile: PCAOB registration is required for firms that lead engagements or play a substantial role in audits of issuers and broker-dealers, but not for work performed on other firms' engagements at less than a substantial role. See PCAOB Rule 2100, Registration Requirements for Public Accounting Firms.
Also grounded in the Board's views on relative risk and the investor interests at stake, the concept of “engagement” marks an important distinction in the level of responsibility created under QC 1000: while all registered firms are required to design a QC system that complies with QC 1000, the threshold for a firm to implement and operate the QC system is when the firm has responsibilities under applicable professional and legal requirements with respect to a firm engagement. The distinction between scaled applicability under QC 1000 (for firms that do not have responsibilities with respect to engagements) and full applicability of QC 1000 (for firms that do perform engagements) is discussed in more detail below.
The Board notes, however, that just because work performed on other firms' PCAOB engagements at less than a substantial role is not considered an “engagement” does not mean it is disregarded under the QC system. This work, by itself, does not trigger the requirement to implement and operate the QC system under QC 1000. However, once a firm is required to implement and operate the QC system, the system will operate over all work performed by the firm under PCAOB standards, including work performed on other firms' PCAOB engagements at less than a substantial role. If a firm is required to implement and operate a QC system under QC 1000, the Board believes that the QC system should address every engagement under PCAOB standards in which the firm participates.
3. Firm Personnel
The proposed standard defined “firm personnel” as individual proprietors, partners, shareholders, members or other principals, accountants, and professional staff of a registered public accounting firm whose responsibilities include assisting with: (1) the performance of the firm's engagements; or (2) the design, implementation, or operation of the firm's QC system, including engagement quality reviews. Professional staff refers not only to employees, but also to other individuals who work under the firm's supervision or direction and control and function as the firm's employees. For example, secondees and leased staff would fall under the definition of “firm personnel.”
Two commenters agreed with the definition as proposed. Some firms and related groups objected to including non-employee contractors and consultants as firm personnel, in particular because they are not subject to the firm's performance evaluation or promotion process. These commenters suggested that such persons be classified as other participants instead. One commenter expressed concern about potential exposure due to the differences between QC 1000 and the definitions of employees with Federal, State, and local tax and labor laws.
The Board continues to believe it is appropriate for the definition of firm personnel to include individuals, such as non-employee contractors and consultants, who work under the firm's supervision or direction and control and function as the firm's employees. In light of the range of legal structures and arrangements used by firms in acquiring and deploying staff, the Board believes a definition based exclusively on legal employment would be too narrow. Instead, the final rule retains an approach based on the functional role played by the individual rather than a specific legal relationship.
When the firm is identifying quality risks to quality objectives that include firm personnel, it may identify different risks associated with non-employee contractors and consultants than other firm personnel, and accordingly would have to develop different policies and procedures for them. For example, non-employee contractors and consultants may be evaluated through the contracting process to determine whether the firm should retain them instead of through the firm's formal evaluation framework.
While the Board expresses no view on any tax or labor law consequences, it notes that the definition does not conflate “firm personnel” with employees. On the contrary, the Board acknowledges that firm personnel includes some non-employees.
Some commenters, generally firms and related groups, were opposed to the definition including anyone who “assists with” engagements or the quality control system, as it may include administrative staff. The Board revised the definition of firm personnel to clarify that “professional staff does not include persons engaged only in clerical or ministerial tasks,” which aligns with the definition of “Person Associated With a Public Accounting Firm (and Related Terms)” in PCAOB Rule 1001(p)(i).
By aligning the QC 1000 definition of “firm personnel” with the definition of “Person Associated with a Public Accounting Firm (and Related Terms)” in this regard, the Board does not mean to suggest that only “firm personnel” can be associated persons. “Other participants” can also be associated persons.
4. Other Participants
Over the years, audits of issuers have increasingly involved the use of entities and individuals outside the firm in performing audit procedures and evaluating audit evidence. In the context of amending the standards governing the involvement of other auditors in an audit, the Board discussed the increasing prevalence and importance of the use of other audit firms and individual accountants outside the firm, such as an EQR not employed by the firm, and the use of auditor-engaged specialists. While it may be beneficial, and in many cases essential, to use other participants in some engagements, these arrangements can pose risks because other participants may not be subject to the same quality controls as firm personnel (for example, with regard to personnel assignments, training, supervision, and monitoring).
See Planning and Supervision of Audits Involving Other Auditors and Dividing Responsibility for the Audit with Another Accounting Firm, PCAOB Rel. No. 2022-002 (June 21, 2022), at 13; Amendments to Auditing Standards for Auditor's Use of the Work of Specialists, PCAOB Rel. No. 2018-006 (Dec. 20, 2018), at 10-15.
With respect to work performed in connection with the firm's QC system or the performance of its engagements, QC 1000 defines “other participants” as accounting firms (foreign or domestic, registered or unregistered), accountants, and other professionals or organizations, other than firm personnel, whose responsibilities include assisting with the performance of the firm's engagements or the design, implementation, or operation of the firm's QC system, including engagement quality reviews.
In this context, “professionals” refers broadly to workers who perform other than clerical or ministerial tasks.
It should be noted that “referred-to auditors,” as that term is defined in the amendments to AS 2101, Audit Planning, adopted in PCAOB Rel. No. 2022-002, are not “other participants” under QC 1000 because the referred-to auditor performs its own engagement and does not participate in the engagement of the lead auditor.
Some commenters expressed concerns with the use of “other participants” throughout the standard. Many commenters said the proposed responsibilities of the firm with regard to other participants were too broad. A few commenters suggested removing the reference to other participants from certain specified quality responses and allowing firms to tailor their responses to quality objectives for other participants. Some commenters were specifically concerned about the inclusion of internal auditors and external specialists in the standard through other participants, and believe they are adequately addressed in other standards. Some commenters argued that other participants should not be included in another firm's quality control system because they are covered by their own firm's quality control system.
Some commenters suggested bifurcating the definition into other participants whose responsibilities include assisting with the performance of the firm's engagements and other participants whose responsibilities include assisting with the design, implementation, and operation of the firm's QC system, on the basis that this would enhance clarity regarding to whom the requirements apply. One commenter said the policies and procedures related to other participants would differ depending on the type of other participant (for example, an internal auditor providing direct assistance differs from an auditor, specialist, or engagement quality reviewer) and QC 1000 imposes the same requirements for each type. One commenter supported the definition. One commenter agreed with separately defining “other participants” and “third-party providers.”
The final standard reflects the Board's view that, in designing, implementing, and operating its QC system, the firm will have to address not only firm personnel but also other auditors and other professionals or organizations that the firm uses in connection with the firm's QC system or the performance of its engagements. References to other participants are included throughout QC 1000 in a tailored and context-specific way that recognizes the key roles that other participants play.
See AS 1205, Part of the Audit Performed by Other Independent Auditors, and AS 1201 (which takes effect for audits of financial statements for fiscal years ending on or after Dec. 15, 2024).
The Board recognizes that some other participants may be covered by their own firm's quality control system, and that fact may inform the firm's risk assessment with respect to their participation. But the firm's own QC system must address all the work done on the firm's engagements and in connection with the design, implementation, and operation of the firm's QC system itself, regardless of who does it.
Commenters correctly pointed out that specific performance standards exist related to the use of certain types of other participants in an audit, such as other auditors, internal auditors, and specialists, but that does not mean that QC over their use in the firm's engagements is unnecessary. In part, the QC system operates to assure compliance with those specific audit standards. But it must also provide more general assurance about the performance of audits in which those types of other participants are involved. For example, the Board expects that the firm's policies and procedures would cover, if applicable, engaging specialists, determining their compliance with ethics and independence requirements, and communicating with them as part of the firm's quality control system.
See, e.g., AS 1201, and AS 1206, Dividing Responsibility for the Audit with Another Accounting Firm.
See, e.g., AS 2605, Consideration of the Internal Audit Function.
See, e.g., AS 1210, Using the Work of an Auditor-Engaged Specialist.
The Board does not believe it is necessary for QC 1000 to bifurcate other participants between those that participate in engagements and those that are involved with the QC system. Just because a quality objective or other provision of QC 1000 refers to all types of other participants in the same way does not mean that the firm should respond by treating all types of other participants in the same way. On the contrary, the firm's policies and procedures addressing other participants should differentiate based on the types and roles of other participants to the extent necessary to be responsive to the firm's quality risks. When designing quality responses, the firm will address the specific risks posed by the other participants and their responsibilities within the firm's engagements and QC system. For example, a firm that uses a network as a resource in many areas, such as independence tracking and monitoring, engagement performance, information and communication, and monitoring and remediation, would have many quality risks and quality responses related to their use of the network. A smaller firm that only uses one individual from outside the firm as an engagement quality reviewer may have fewer quality risks and quality responses related to other participants to address in its quality control system.
The following diagram provides QC 1000's definitions of “firm personnel” and “other participants” and provides examples of each type:
As noted in the diagram, the persons performing some roles, such as an EQR or personnel at shared service centers, may be firm personnel or other participants, depending on their relationship to the firm. For example, an EQR employed by the firm would be considered firm personnel, whereas an EQR contracted from outside the firm that is not functioning as a firm employee would be an other participant. Similarly, personnel at shared service centers may be firm personnel (if they are employed by the firm or function as firm employees) or other participants (if they are personnel of another organization, such as a network affiliate).
5. Networks
QC 1000 acknowledges that networks of firms may be structured in a variety of ways and could include arrangements between firms for sharing knowledge; developing and implementing consistent policies, tools, and methodologies; conducting multi-location engagements; or executing other types of business or administrative matters. Through its oversight activities, the PCAOB has observed that some networks provide or require use of a wide range of resources and services and may involve various levels of personnel, composed of a mix of the firm's national and local office personnel. Some examples of resources and services that networks provide include:
- Audit methodologies;
- Technology tools;
- Training;
- Risk management activities;
- Consultations on accounting, auditing, and SEC matters;
- Preventive engagement-level monitoring and coaching;
- Support for inspections; and
- Root cause analysis and remediation.
Since networks may involve a wide variety of different arrangements and different degrees of coordination and cooperation across firms, rather than attempting to define the term “network,” QC 1000 describes these types of arrangements in more general terms. Under the standard, networks may include a combination of registered and unregistered accounting firms and other entities.
In the standard, references to a “network” encompass all of the memberships and affiliations that registered firms must report to the PCAOB in Item 5.2 of their annual report on Form 2, including certain networks, arrangements, alliances, partnerships, and associations. See Item 5.2, PCAOB Form 2 (describing reporting requirements for memberships, affiliations, and similar arrangements).
6. Third-Party Providers
Commenters on this topic supported the definition of third-party providers as proposed.
The standard addresses resources used by the firm that are sourced from third-party providers. Third-party providers are individuals or organizations, other than other participants, as defined above, that provide resources to the firm that are specifically designed for use in the performance of engagements or to assist in the operation of its QC system. The following diagram provides QC 1000's definition of “third-party providers” and several examples of them:
Providers of resources that are not specifically designed for use in the performance of engagements or to assist in the operation of firms' QC systems (e.g., general word processing and spreadsheet software) are not “third-party providers” as the Board has defined that term.
Scalability
The approximately 1,600 firms registered with the PCAOB differ significantly based on their nature and circumstances:
- Approximately 53% of firms are located in foreign jurisdictions, representing 89 foreign jurisdictions;
- Approximately 20% of total firms, and 40% of firms located in foreign jurisdictions, belong to one of six global networks that contain the largest number of registered, non-U.S. firms that share resources such as methodology and monitoring activities;
- Approximately 60 firms are sole proprietorships;
- Approximately 650 firms, or 41% of firms, performed an engagement under PCAOB standards for an issuer or broker-dealer during the 12 months ended June 2023;
- Approximately 70 only played a substantial role in such engagements in the past year;
- Approximately 140 performed audits of only broker-dealers in the past year;
- Approximately 130 firms that did not perform an engagement under PCAOB standards for an issuer or broker-dealer in 2022 did perform such an engagement in the past five years; and
- Approximately 51% of firms have not performed an engagement under PCAOB standards for an issuer or broker-dealer in the past five years.
While the Board believes the basic objectives of the QC system ought to be the same across all firms, the Board believes the QC standard needs to be appropriately scalable, so that firms of different sizes and characteristics can appropriately design their QC system to address the risks associated with their own practice.
The specific policies and procedures necessary to achieve the objectives of the QC system may vary significantly across firms, depending on their size, the types of engagements they perform, and other factors. The Board believes that QC 1000 is sufficiently principles-based and scalable that firms will be able to pursue an approach to QC that is appropriate in light of their specific circumstances.
In the Board's view, firms that perform engagements under PCAOB standards should generally be subject to the same QC requirements. In particular, the Board does not believe the historical distinction between firms that were members of the SECPS in 2003 and those that were not has continuing relevance in determining the QC standards that should apply today. Accordingly, the Board eliminated that distinction. As discussed in more detail below, QC 1000 incorporates certain SECPS requirements, making them applicable to all firms, and eliminates others. However, the Board also believes there are specific areas, such as firm governance, where firms with larger PCAOB audit practices should be subject to enhanced requirements. QC 1000 includes several requirements that apply only to the firms that meet the statutory threshold for annual PCAOB inspection.
The Board is aware that there is a significant number of registered firms that do not perform engagements under PCAOB standards every year—they only participate in other firms' engagements at less than the level of a substantial role or have no involvement in issuer or broker-dealer engagements. The Board believes that the risk to investor protection is minimal if the firm is not performing engagements under PCAOB standards for issuers and SEC-registered broker-dealers, and that it is appropriate to provide for more limited QC obligations in those circumstances. Under QC 1000, all registered firms are required to design a QC system but only firms that are subject to applicable professional and legal requirements with respect to a PCAOB engagement are required to implement and operate the QC system.
1. Scaled Applicability vs. Full Applicability
The Board created a fundamental distinction in QC 1000 between the obligation to design a QC system in compliance with the standard, which will apply to all firms, and the obligation to implement and operate an effective QC system, which, broadly speaking, will apply only to firms that perform engagements under PCAOB standards.
QC 1000.06, discussed below, sets out the requirements for QC system design.
Under the standard, firms are required to implement and operate an effective QC system—that is, comply with all provisions of QC 1000—at all times that the firm is required to comply with applicable professional and legal requirements with respect to any of the firm's engagements.
QC 1000.07.
As noted above, many registered firms do not perform engagements every year. However, a firm that is not currently performing any engagements may nevertheless have to comply with applicable professional and legal requirements with respect to a previous or future firm engagement. For example, procedures for the acceptance of a new engagement have to be performed before the engagement is conducted. Responsibilities may also arise with respect to completed engagements long after the issuance of the auditor's report—for example, if the issuer requests the auditor's consent to include its report in a registration statement, if an engagement deficiency is identified that requires remediation, or if the auditor becomes aware of facts that may have existed at the date of the auditor's report which may have affected the report. In the Board's view, whenever a firm has responsibilities under applicable professional and legal requirements with respect to an engagement, those responsibilities should be performed under a QC system that is implemented, is operating, and complies with PCAOB standards.
Importantly, if a firm is required to implement and operate an effective QC system, the firm would not necessarily have to implement and operate every QC policy or procedure that it has designed. An effective QC system provides reasonable assurance that the firm is complying with “applicable” professional and legal requirements. The extent of “applicable” requirements could change depending on the firm's circumstances, and the QC system policies and procedures that the firm would have to implement and operate could change in response. For example, if a firm last performed an engagement (as defined in the standard) five or six years ago and has no current responsibilities with respect to any other firms' engagements, it might be subject only to requirements regarding the retention of certain engagement-related documentation. In such a circumstance, an effective QC system—i.e., a system that provides reasonable assurance that the firm is complying with applicable professional and legal requirements regarding such documentation—could be scaled back to address only engagement-related documentation retention, as well as ongoing evaluation, reporting, and documentation requirements with respect to the QC system itself. The Board asked in the proposing release whether it was clear how a firm's responsibilities under QC 1000 may change depending on the extent of applicable professional and legal requirements to which the firm is subject at a particular time, and commenters that responded on the issue were generally supportive.
See AS 1215; 17 CFR 210.2-06.
If the firm has no more responsibilities with respect to any engagement, the firm is required to continue operating the QC system until the next September 30 (the annual evaluation date). This would ensure that the firm would be required to evaluate and report on the QC system for any year during which the QC system was required to operate.
QC 1000.07. The proposed requirements for evaluation of and reporting on the QC system are discussed below.
Firms that are not subject to the requirement to implement and operate the QC system are still subject to the requirement to design a QC system that complies with QC 1000. Paragraph .06 of QC 1000, discussed below, sets out the requirements for design of the QC system in more detail.
The standard makes clear that any existing obligations under QC 1000 (for example, reporting obligations with respect to prior periods when the firm was required to implement and operate the QC system) would continue.
The Board believes it is appropriate to limit the application of the requirements of QC 1000 for firms that have no obligations under applicable professional and legal requirements with respect to firm engagements. Indeed, in those situations it is hard to see how a firm could, as a practical matter, “implement” or “operate” its QC system. Implementation and operation contemplate, among other things, the application of QC policies and procedures to the firm's engagements, monitoring of work performed on engagements, and identification and remediation of engagement deficiencies. Without “engagements,” as the standard defines that term, implementation and operation of a QC system would be largely hypothetical. Moreover, the population of firms that are subject only to the design requirements of QC 1000 is comprised entirely of firms that are not required to be registered with the PCAOB—because they do not participate in engagements under PCAOB standards or do so only below the level of a substantial role.
If a firm requests leave to withdraw from PCAOB registration and is permitted to do so, the firm, upon its withdrawal from registration, would no longer be subject to an obligation to design, implement, or operate a QC system in accordance with QC 1000.
Many commenters, including firms and related groups, investor-related groups, academics, and others, did not support requiring firms that are not required to comply with applicable professional and legal requirements to design a QC system under QC 1000. Several of these commenters expressed concerns that this would be unnecessarily costly to those firms, or suggested that there could be challenges associated with implementing and operating a QC system based on hypothetical risks that could differ from the actual risks at the time the firm accepts and performs engagements pursuant to PCAOB standards. Some commenters suggested that this requirement may cause firms to deregister with the PCAOB, decline to assist U.S. firms in executing their global audits, or create a potential barrier to entry for new firms in the marketplace. One firm-related group commented that as this aspect of the proposal affects such a large number of firms, the potential political impacts deserve further consideration. The firm-related group further commented that foreign firms could see this as an accelerator to a decision to not service specific audit markets, which potentially impacts audit markets beyond the U.S., and that policy makers in other countries may view the potential for further market concentration more significantly.
Firms and a related group raising cost concerns with the proposed QC system design requirements suggested allowing firms that do not perform engagements the flexibility to design their QC system in accordance with another QC standard, such as ISQM 1 or SQMS 1. One of these firms further suggested that firms transitioning to performing engagements under PCAOB standards be given an additional six months to one year from their annual evaluation date to file their Form QC for the transition period. The firm asserted that even if a firm has complied with the design requirements, implementing and operating a QC system that complies with the standard would involve significant effort. Another firm suggested that it would be more appropriate to have a transition period for the registered public accounting firm to update their system of quality control to adhere to the incremental requirements of the PCAOB. An academic suggested that the design requirements for firms that have not performed and do not plan to perform engagements pursuant to PCAOB standards should be limited to client acceptance components. One firm suggested that the standard could include a requirement that firms are not allowed to perform an engagement under PCAOB standards until they have designed and implemented QC 1000. Other commenters suggested that registered firms that do not intend to conduct PCAOB audits should not be required to do anything under QC 1000.
Other commenters suggested a variety of approaches for when firms should be required to implement and operate a QC 1000-compliant QC system. One firm suggested that firms that only perform a substantial role in more than a certain threshold (presumably to be specified by the PCAOB) of PCAOB engagements could be permitted to comply with ISQM 1 instead of being subject to full applicability of QC 1000. Another commenter suggested that smaller firms (e.g., triennially inspected firms with fewer than 100 issuer engagements) be permitted the option of complying with ISQM 1 or SQMS 1 as an alternative to QC 1000. Another firm suggested that the PCAOB should permit non-U.S. firms to comply with ISQM 1 rather than adopting QC 1000. Another commenter suggested that the criteria for full applicability of the standard should be based on whether the engagements individually or in the aggregate involve a material amount of market capitalization. The commenter suggested that under such an approach, the requirement to operate the QC system could be optional for registered firms auditing companies with a smaller market capitalization.
Some commenters, including a firm, a firm-related group, and an investor, commented that the requirement to design a QC 1000-compliant QC system is appropriate for any registered firm, even if it is not performing engagements or playing a substantial role in other firms' engagements. One firm-related group agreed that whenever a firm has responsibilities under applicable professional and legal requirements with respect to an engagement, those responsibilities should be performed under a fully implemented and operating QC system that complies with PCAOB standards. However, the commenter asked for clarification on the circumstances that trigger the need for a firm to implement and operate a QC system in compliance with QC 1000, and suggested targeted guidance in that area would be helpful.
The Board continues to believe that requiring all registered firms to design a QC system that complies with the standard, regardless of whether they have obligations with respect to engagements, is consistent with the PCAOB's statutory mandate and historical practice. Sarbanes-Oxley directs the PCAOB to include in its QC standards requirements related to numerous topics for “every” registered public accounting firm. The statute also directs the PCAOB that applications for registration with the PCAOB must contain “a statement of the quality control policies of the [applicant] for its accounting and auditing practices.” Consistent with that directive, as a condition to registration, applicants are required to furnish “a narrative, summary description, in a clear, concise and understandable format, of the quality control policies of the applicant for its accounting and auditing practices, including procedures used to monitor compliance with independence requirements,” and that description must provide an overview of the applicant's quality control policies regarding each element of quality control. Therefore, firms that register with the Board are already required to provide a summary of the design of their QC system regardless of whether they have obligations with respect to engagements.
Section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C. 7213(a)(2)(B).
Section 102(b)(2)(D) of Sarbanes-Oxley, 15 U.S.C. 7212(b)(2)(D).
Item 4.1 of PCAOB Form 1 (“Applicant's Quality Control Policies”). The Board modified the information about QC required in Form 1. See below.
See Frequently Asked Questions Regarding Registration with the Board, PCAOB Rel. No. 2003-011F (Dec. 4, 2017) (Question #32), available at https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/registration/information/documents/registration_faq.pdf?sfvrsn=c50d7356_0 . As part of this rulemaking the requirements in Form 1 are being amended.
In a separate rulemaking, the Board proposed to create a new form, Form QC—Policies and Procedures (“Form QCPP”), to require that, once QC 1000 becomes effective, any firm that registered with the Board prior to the date that QC 1000 becomes effective must submit an updated statement of the firm's quality control policies and procedures pursuant to QC 1000. See Firm Reporting, Rel. No. 2024-003 (Apr. 9, 2024) at 41.
The Board also believes that requiring all firms to design a QC system that complies with all provisions of QC 1000, and not just limiting the requirement to certain components such as acceptance and continuance of engagements, is consistent with its investor protection mandate. While the Board acknowledges that there could be challenges associated with implementing and operating a QC system based on hypothetical risks, it continues to believe that it is important for registered firms to design a QC system based on the quality risks the firm likely would face if it were to perform engagements. Because registering with the PCAOB enables a firm to issue audit reports or play a substantial role on audits performed under PCAOB standards for issuers and broker-dealers, and because investors and companies considering engaging the firm could reasonably expect that any firm that could pursue such an engagement would already have a PCAOB-compliant QC system designed and ready for implementation and operation, the Board believes that imposing a design requirement on all registered firms promotes its mission of protecting investors and promoting the public interest.
As discussed in more detail below, QC 1000 includes requirements that do not appear in other QC standards or that are more prescriptive or more specifically tailored to the PCAOB's legal and regulatory environment than the provisions of ISQM 1 or SQMS 1. Because of these key differences, the Board does not believe that a QC system design based on ISQM 1 or SQMS 1, as suggested by some commenters, would be sufficient. Furthermore, the Board believes that compliance with ISQM 1 may not be the regulatory baseline within certain jurisdictions. The PCAOB has observed other standard setters and regulators adopt variations of ISQM 1, which typically include more detailed and stringent requirements. Therefore, the Board believes that audit firms within some jurisdictions will already have to design and operate a QC system that goes beyond the requirements of ISQM 1, and it would not be appropriate for the Board to permit compliance with a less stringent quality system than the one required in the local regulatory environment. Similarly, the Board does not believe that it would be appropriate for it to permit firms to comply with their locally applicable variation of ISQM 1 as this would result in the PCAOB requiring and managing compliance with a multitude of different QC standards.
See, e.g., International Standard on Quality Management (UK) 1, adopted by the Financial Reporting Council (March 2023).
The Board also continues to believe that, whenever a firm has responsibilities under applicable professional and legal requirements with respect to a firm engagement, those responsibilities should be performed under a QC system that is implemented, is operating, and complies with PCAOB standards. Given the unique features of QC 1000, compliance with ISQM 1 or SQMS 1 would not, in the Board's view, be an adequate substitute, nor would the Board's regulatory purposes be served by providing firms with an extended compliance period after they take on an engagement.
The Board does not believe that this requirement will result in disruption to competition in the audit market. Firms that are subject to applicable professional and legal requirements with respect to engagements, including substantial role engagements, are required to implement and operate a QC 1000-compliant QC system. If a registered firm that has not led an engagement or played a substantial role in the past anticipates the possibility of transitioning to performing engagements, the Board believes the requirement to design a QC system that complies with QC 1000 will facilitate timely implementation and operation of their QC 1000 QC system, which will in turn facilitate appropriate performance of the engagements; appropriate monitoring and, if necessary, remedial action; and timely evaluation and reporting on Form QC. QC 1000 shares a basic structure and approach with ISQM 1 and SQMS 1, so designing for the incremental features unique to QC 1000 should not be unduly burdensome for firms that are subject to either or both of those other QC standards (which the Board believes will be the case for a very substantial majority of firms that are in a position to perform PCAOB engagements).
The Board understands that the actual quality risks the firm faces when it takes on an engagement may differ from the hypothetical risks considered in designing the QC system. QC 1000 requires the firm to establish policies and procedures to monitor, identify, and assess changes to conditions, events, and activities that indicate modifications to the firm's quality objectives, quality risks, or quality responses may be needed, and to make timely modifications as needed. See QC 1000.22-23.
See Section D.
The Board does not believe that QC 1000 conflicts with the requirements of other standard setters or that anything prevents firms from developing a single QC system for their entire practice that satisfies both PCAOB requirements and other professional standards to which the firm is subject. The Board acknowledges certain differences between QC 1000 and the quality management standards set by other standard setters, in particular areas where QC 1000 establishes additional or more stringent requirements. However, the Board believes that quality responses developed by firms under QC 1000 can be considered by firms for the purposes of other quality management standards to which they are subject, reducing the need for two or more separate QC systems.
Firms participating in a PCAOB engagement below the level of a substantial role do not require registration with the PCAOB. If such a firm does not lead and does not plan to lead engagements or play a substantial role in engagements pursuant to PCAOB standards, then the Board believes that the firm should assess whether the costs of complying with the design requirement are commensurate with their perceived benefit of being registered with the PCAOB.
2. Other Scalability Considerations
Aspects of QC 1000 are risk-based, which makes them inherently scalable. Firms are required to apply a risk-based approach to the design, implementation, and operation of the QC system in the context of their own audit practice. The standard provides that the firm will tailor the design of its QC system to its specific facts and circumstances, such as:
- The size and complexity of the firm;
- The types and variety of engagements it performs;
- The types of companies for which it performs engagements; and
- Whether it is a member of a network and, if so, the nature and extent of the network relationship.
Several commenters, including firms and a firm-related group, suggested that the proposed standard was too prescriptive. Many of these commenters suggested that, to promote further scalability, specified quality responses could be replaced with quality objectives to allow each firm to develop quality responses appropriate to the circumstances and risks for their firm. One of these firms stated that it disagreed with the notion in the proposing release that a specified quality response suggests that every firm has the same or similar quality risks and that the responses to those risks will also be the same or similar. Another firm suggested that the specified quality responses make the standard inherently less scalable and could be a barrier to entry for smaller firms. The firm further suggested that an overreliance on specified quality responses could discourage firms from performing robust risk assessments and developing tailored quality responses. Other commenters also suggested that more scalability could be incorporated into the standard through consideration of concepts such as professional judgment, relevance, or reliability. Some commenters suggested that further alignment of QC 1000 to ISQM 1 or SQMS 1 would promote further scalability. One firm stated that the standard was overly prescriptive and suggested that specific guidance be provided to small and medium-sized firms focused on operationality of the standard. Several commenters expressed concern that the prescriptive nature of QC 1000 would negatively affect smaller firms.
As discussed above, some specified quality responses carry requirements from current PCAOB standards into QC 1000, while others provide new requirements that the Board believes are important to a firm's QC system. The Board believes that this approach is appropriate and that the specified quality responses are required to address certain quality risks that are present in all firms that perform PCAOB engagements and to assure that the QC system is designed, implemented, and operated with an appropriate level of rigor. The inclusion of specified quality responses in the standard should not be interpreted to suggest that the Board believes all firms have the same or similar quality risks overall; the specific risks addressed by specified quality responses are likely a small subset of the overall population of quality risks identified by a firm, and the Board expects potentially wide variation in the full set of risks faced by different firms.
The Board believes that the standard incorporates the concepts of professional judgment, relevance and reliability where it is appropriate, for example, in the ability to exercise professional judgment in the determination of whether a major QC deficiency exists, or the discussion in the information and communication component noting that information would have to be both relevant and reliable such that it supports the operation of the firm's QC system and the performance of the firm's engagements in accordance with applicable professional and legal requirements. The Board continues to believe that the inclusion of prescriptive requirements in certain areas promotes its mission of protecting investors and promoting the public interest.
An investor-related group commented that it supports a risk-based approach up to a point, but it expressed concern that the standard placed too much emphasis on scalability and recommended the development of a set of minimum requirements for the establishment of quality control systems. Another commenter stated that the PCAOB should not let scalability concerns get in the way of driving change and improving quality, further suggesting that smaller-firm considerations should not get in the way of doing the right thing for the largest audit firms. One commenter suggested more specific requirements relating to the audits of broker-dealers, commenting that a high deficiency rate in broker-dealer audits suggests the need for more specific requirements with respect to audits of broker-dealers, such as requirements for specific expertise in the conduct of broker-dealer audits, or, to the extent that the broker-dealer is a subsidiary of an issuer, requirements relating to coordination between the broker-dealer audit team and the audit team of the issuer parent company.
The final standard establishes a set of minimum requirements that all firms must follow in the establishment of their QC system. As discussed in more detail below, while QC 1000 provides some flexibility with regard to the quality risks that firms identify and the quality responses that firms develop to address those risks, it does not provide the same flexibility with regard to quality objectives or specified quality responses. Instead, quality objectives and specified quality responses that will apply to all firms are specified in the standard. Firms can establish additional quality objectives—indeed, they are required to do so if necessary to achieve the reasonable assurance objective—but they generally cannot omit or modify any of the quality objectives or specified quality responses set out in the standard.
Within a uniform basic structure to be used by all firms, QC 1000 reflects a risk-based, scalable approach, particularly in the risk assessment process and the monitoring and remediation process. The nature and extent of these processes would be commensurate with the firm's quality risks and would therefore vary across firms in nature, scope, and complexity. The Board believes it is crucial that the standard be scalable so that firms of different sizes and characteristics can appropriately design their QC system to address the risks associated with their own practice, including specific risks relating to the types of companies that they audit, such as broker-dealers. The Board believes that an appropriate balance between quality objectives and specified quality responses is the best approach to improve quality across firms of all sizes that perform engagements pursuant to PCAOB standards, whether these be issuer or broker-dealer engagements. Similarly, the form, content, and extent of required documentation related to the QC system will be driven by a firm's nature and circumstances. QC 1000 contains both provisions that scale down, by tailoring for smaller PCAOB audit practices, and provisions that scale up, by focusing on risks faced by the largest firms.
Some provisions of QC 1000 focus particularly on firms with a smaller PCAOB audit practice. These include:
- Depending on the nature and circumstances of the firm (including its size and structure), a single individual may be assigned more than one of the QC system oversight roles required under the standard; and
- If the firm issued engagement reports with respect to five or fewer engagements for issuers, brokers, and dealers during the prior calendar year, engagement monitoring activities may include monitoring audits not performed under PCAOB auditing standards. For firms with this number of engagements performed under PCAOB standards, the Board understands that requiring a firm to annually monitor its engagements that are performed under PCAOB standards increases the likelihood of the same partner being inspected every year under QC 1000. The Board believes this could disincentivize partners from serving as the engagement partner and ultimately affect competitive conditions in the market.
Other provisions of QC 1000 impose incremental requirements on firms that issued audit reports for more than 100 issuers in the prior calendar year, including:
- An external oversight function for the QC system composed of one or more persons who are not partners, shareholders, members, other principals, or employees of the firm;
- A program for collecting and addressing complaints and allegations that includes confidentiality protections;
- An automated system for identifying investments in securities that might impair independence; and
- A requirement to perform in-process monitoring of engagements.
These incremental requirements specifically target and respond to potential quality risks that the Board believes are more likely to arise in audit practices of a certain size and complexity. Firms that audit fewer than 100 issuers may still determine that the incremental requirements are an appropriate quality response for quality risks that they have identified specific to their firm, but, to promote scalability of the standard, these requirements are not mandatory for these smaller PCAOB audit practices.
Several commenters, including firms, suggested that the threshold for any incremental requirements be raised to 500 issuers, to align with the existing SECPS requirement that firms that audit more than 500 SEC registrants have an automated system to identify investment holdings of partners and managers that might impair independence. One of these firms also suggested a dual-threshold approach that would consider both the number of issuers audited and the market capitalization of the issuers. Two commenters, including an investor-related group and an academic, suggested that there should not be a threshold for incremental requirements, and all requirements of the standard should apply to all firms regardless of the size of the firm. The academic suggested that the incremental requirements may give rise to actual or perceived differences in audit quality between larger audit firms that issue audit reports for more than 100 issuers and smaller audit firms that issue audit reports for fewer than 100 issuers. One firm suggested that the incremental requirements only apply to those firms subject to annual inspection under the PCAOB's rules (in case the 100-issuer threshold for regular inspection in Rule 4003, Frequency of Inspections, ever were changed), and another firm suggested that these should only apply to the top six firms.
See SECPS 1000.46 (requirement 4).
Two investor-related groups suggested that if the final standard does include a threshold for certain incremental requirements, the threshold should relate to the market capitalization of the issuers that the firm's audit practice covers rather than the number of issuer audit reports the firm issues. Other commenters were also supportive of a market capitalization-based threshold.
Several commenters suggested that the nature of the firm's audit practice be taken into consideration when determining the applicability of the incremental requirements, and that just looking to the number of issuers may not be an appropriate measure for the size or complexity of the audit practice. One commenter suggested that the proportion of the PCAOB audits to the size of the practice within a firm is also a relevant factor to consider. Some commenters suggested that imposing a threshold of 100 issuers could impose a barrier to entry for firms that wish to expand their audit practices beyond 100 issuers and, as a result, firms may manage their practice to stay below the 100-issuer threshold.
The Board believes that requiring certain incremental requirements of firms with larger PCAOB audit practices is appropriate and that the complexities inherent to large and complex firms are likely to give rise to quality risks for which the incremental requirements would be appropriate quality responses. Based on the comments received, the Board considered whether alternative measures could be used that looked to the nature and complexity of the issuers being audited, for example, through a market capitalization-based threshold. The Board believes it is appropriate to retain the threshold as proposed, based on the size of a firm's issuer audit practice rather than referencing the size of the companies subject to audit by the firm.
In general, the Board believes that the number of issuers is the most indicative measure of a firm's size and the complexity of its audit practice. Under a market capitalization measure, a firm that audits a single very large issuer could look like a large firm, but its practice may well be less complex than a firm that audits a large number of small issuers. The incremental requirements in QC 1000 respond to specific issues or risks—firm governance, confidential handling of complaints and allegations, tracking investments that may bear on independence, and monitoring of in-process engagements—that the Board believes are more significant in complex practices handling large numbers of engagements. Therefore, the threshold was adopted as proposed.
In addition, the Board believes that larger PCAOB audit practices that audit a greater number of issuers are more likely to have the resources to be able to effectively comply with the incremental requirements at a level commensurate to the risk.
The Board also believes that firms are familiar with the proposed threshold of issued audit reports for more than 100 issuers, because it is used to determine which firms are subject to annual PCAOB inspection. The Board does not believe it to be appropriate to increase the threshold to 500 issuers or to specifically limit the requirements to certain firms. The Board believes that firms that audit between 100 and 500 issuers are sufficiently large such that potential quality risks may arise as a result, and that the incremental requirements would be responsive to these risks.
See section 104(b)(1)(A) of Sarbanes-Oxley, 15 U.S.C. 7214(b)(1)(A); PCAOB Rule 4003, Frequency of Inspections.
Several commenters suggested that a cut-off date for the measurement of the size of the firm's issuer practice relative to the 100-issuer threshold, and a related transition period after a firm passes the 100-issuer threshold, be specified in the standard to allow time for firms to implement the incremental requirements. One of these commenters specifically requested consideration of the effective date for the implementation and operation of the incremental requirements if, because of a merger or acquisition, the resultant firm performs audits of more than 100 issuers.
The standard specifies a measurement cut-off date for the 100-issuer threshold of the prior calendar year-end. Therefore, if a firm has issued audit reports with respect to more than 100 issuers in the period January 1 to December 31, in any given year, the firm must implement the incremental requirements beginning the following January 1 and evaluate compliance with the incremental requirements as of the following September 30. The Board believes that firms continuously track the size of their issuer audit practice for the purpose of monitoring the threshold for annual inspection by the PCAOB. Therefore, prior to the calendar year-end measurement cut-off date, the Board expects that firms should have an informed view as to whether they will need to design, implement, and operate the incremental requirements for the following year. Similarly, the Board believes that a merger or acquisition between firms would take time to finalize such that the firms would have an informed view of whether the incremental requirements would be applicable to the successor firm, providing additional time for the firms to design, implement, and begin operating the incremental requirements. In addition, the Board does not believe that it is appropriate or consistent with its investor protection mandate to allow a firm that audits over 100 issuers to not operate the incremental requirements beginning the calendar year following the date of the merger or acquisition if that merger or acquisition resulted in the firm auditing more than 100 issuers. The Board believes that specific quality risks could arise as the result of a merger or acquisition; for example, a sudden increase in the size of the firm could exacerbate the potential quality risks that exist as a result of a firm's size, to which the incremental requirements would be responsive. 
Furthermore, there is nothing in the standard that prevents firms from implementing the incremental requirements earlier than required, if they believe it to be likely that the threshold will be met.
QC 1000: A Firm's System of Quality Control
Introduction
This section describes the requirements of QC 1000 and highlights the key differences between the final standard and current QC standards. Terms defined in Appendix A to QC 1000, Definitions, are italicized throughout QC 1000.
The introduction section of the standard sets up the structure for providing the standard's requirements. Paragraphs .01-.02 describe the risk-based approach to the firm's QC system and acknowledge the important role of the QC system—supporting consistent performance of engagements in accordance with applicable professional and legal requirements—in protecting investors through the preparation of informative, accurate, and independent engagement reports. To emphasize the auditor's role in investor protection, the Board added language to the final standard reminding auditors that the firm's QC system enhances investors' ability to rely on engagement reports. The Board also reversed the order of paragraphs .01 and .02 to improve flow.
One commenter suggested a risk-based approach to quality control with minimum requirements integrated into it, instead of a purely risk-based approach. The Board agrees that a purely risk-based approach would be inappropriate. As proposed and as adopted, QC 1000 is not a purely risk-based standard. It establishes mandatory quality objectives that every firm is required to achieve; lays out detailed, required processes for risk assessment, monitoring and remediation, and annual evaluation of the QC system; requires specified quality responses in many areas; and fosters accountability and rigor through mandated key roles for the QC system with specified individual responsibility and accountability and required reporting to the PCAOB.
The Firm's QC System
1. QC 1000
a. Objective of the QC System (QC 1000.05)
The proposal asked if the reasonable assurance objective was appropriate and if there were additional objectives that the QC system should achieve. Many commenters, including firms, supported the reasonable assurance objective and did not support additional objectives for the QC system.
Some commenters, including investors and investor-related groups, said there should be an explicit acknowledgement that auditing serves a public purpose and that the system of quality control therefore should serve investors. Other investors and investor-related groups suggested that the quality control system should seek a higher performance standard than mere compliance. Two commenters suggested that the objective should be expanded, so that in addition to complying with applicable professional and legal requirements, engagements should be performed in a manner that is responsive to the needs of investors by ensuring high-quality financial reporting. Another suggested that the foundation of the system should promote high-quality and “useful” financial and non-financial information and achieve a high level of transparent financial reports. The commenter also suggested removing the qualifier “reasonable” and emphasizing that the term “assurance” refers to a high level of assurance.
The Board agrees with these commenters that QC 1000 should frame auditor responsibilities in terms of investor protection, and revised paragraph .05 to reinforce that, as discussed in more detail below. The Board also considered broadening the objective of the QC system beyond compliance in a number of ways, as suggested by commenters.
For example, the Board considered adding explicit references to “investor needs” to the QC system objective. However, the Board is concerned that the concept of “investor needs” is too vague and indefinite to be interpreted consistently as an objective of the QC system. Consistent with the reasonable assurance objective, the Board believes that all investors want informative, accurate, and independent engagement reports. But beyond that, investors are not monolithic and may have different preferences. For example, the needs of a large institutional investor with an actively managed portfolio are different from those of a retail investor holding index funds. Investor needs could also vary across issuers and different types of financial instruments, as well as with changes in market conditions. As a result, the Board does not believe that a QC system objective that was expressly phrased in terms of satisfying “investor needs” would be capable of consistent interpretation or would provide firms with sufficient notice or direction about the conduct required of them.
The Board believes that “high-quality” and “useful” financial reporting suffer from the same issues. These terms are subjective, indefinite, and would mean different things to different financial statement users and in different situations. In addition, grounding auditor obligations in the quality or utility of financial reporting risks conflating the role of the auditor with the role of the preparer. The fundamental responsibility for financial reporting lies with the company. The auditor enhances investors' ability to rely on company financial information through the preparation and issuance of informative, accurate, and independent engagement reports, but the company prepares the financial statements and retains ultimate responsibility for them.
The Board considered one commenter's suggestion of phrasing the objective in terms of “assurance,” rather than “reasonable assurance.” However, the Board believes that this would weaken, rather than strengthen, the standard, in that it could be read to suggest that any level of assurance, even if less than reasonable assurance, would be appropriate. As proposed, the final standard includes a note emphasizing that reasonable assurance is a high level of assurance.
Accordingly, the Board has not revised the objective of the QC system as these commenters suggested. The Board continues to believe that investor needs will be best served through an objective that is grounded in auditors' existing obligations and can be interpreted clearly and applied consistently. Auditor obligations under applicable professional and legal requirements address investors' fundamental priority: that the financial statements be free of material misstatement. They also clearly delineate what conduct is required, which enables both the Board and the firms that the Board regulates to interpret and apply them on a consistent basis.
The Board has, however, made revisions to paragraph .05 that the Board believes will be clarifying. The final rule specifies expressly that the firm's objective is to design, and if applicable, implement and operate an effective QC system. Further, although the Board concluded that it could not express the objective of the QC system in such terms, the Board does believe firms should be prompted to remember their critical role in investor protection. With that in mind, the Board revised paragraph .05 to explicitly acknowledge that a properly conducted engagement and related report enhance the confidence of investors and other market participants in the company's information to which the firm's report relates. The Board also revised the paragraph to remind auditors that an effective QC system protects investors by facilitating the consistent preparation and issuance of informative, accurate, and independent engagement reports in accordance with applicable professional and legal requirements.
Paragraph .05 specifies that an effective QC system consistently provides a firm with reasonable assurance that the firm, each member of firm personnel, and each other participant conduct each engagement and fulfill their other responsibilities in compliance with applicable professional and legal requirements, and that each engagement report issued by the firm complies with applicable professional and legal requirements. The Board revised the provision to refer to “each member of” firm personnel, “each” other participant, “each” engagement, and “each” engagement report. This change clarifies that the QC system provides reasonable assurance, not just over the pool of firm personnel, the pool of other participants, and the portfolio of engagements, but over each individual and each engagement. The objective is still reasonable assurance, not absolute assurance. But an effective QC system has to be designed, implemented, and operated in such a way that the firm has reasonable assurance that each individual who performs work on behalf of the firm and each engagement the firm undertakes will comply with applicable professional and legal requirements.
One commenter asserted that some prescriptive aspects of the standard result in absolute assurance instead of reasonable assurance. The Board disagrees, as it believes this is a misunderstanding of the standard. Specifically, the reasonable assurance objective under QC 1000 is broadly consistent with the Board's current QC standards, as well as ISQM 1 and SQMS 1, all of which contemplate that the system of QC should provide reasonable assurance. The Board believes that the combination of quality objectives and specified quality responses in QC 1000 establishes a balance between prescriptive requirements and a risk-based approach that contributes to the firm obtaining reasonable assurance, but does not require absolute assurance. Of course, nothing precludes a firm from going beyond the requirements in QC 1000 when designing its QC system.
See ISQM 1.14; SQMS 1.15.
One commenter suggested that the concept of reasonable assurance was not clear and could be clarified by retaining a footnote from QC 20 that reinforces that deficiencies in individual engagements do not, in and of themselves, indicate a firm's quality control system is insufficient to provide reasonable assurance. The Board has not retained that footnote. The concept of reasonable assurance should be familiar to auditors; it is a basic concept under the Board's current standards and the Board believes it can be interpreted and applied consistently. In addition, in light of QC 1000's detailed process for the evaluation of the QC system, including the new defined terms “QC deficiency” and “major QC deficiency,” discussed below, the Board does not believe such a footnote is necessary. Under QC 1000, firms will determine whether the QC system meets the reasonable assurance objective by determining whether any “major QC deficiencies” exist. The existence of major QC deficiencies indicates that the QC system does not provide reasonable assurance, whereas the existence of QC deficiencies that do not meet the definition of major QC deficiency does not. Since that conclusion is apparent from the definitions, the Board does not believe that the existing footnote is needed.
The “reasonable assurance objective” of the firm's QC system is similar to the objective of the QC system under existing PCAOB standards, except that the current standard requires reasonable assurance as to compliance with applicable requirements and “the firm's standards of quality” (i.e., the firm's policies and procedures), whereas QC 1000's reasonable assurance objective refers only to applicable requirements. This change reflects the different role played by firm policies and procedures under the Board's current QC standards compared to QC 1000. Firm policies and procedures are the linchpin of current PCAOB QC standards: Most of the Board's current QC standards simply require firms to establish, communicate, document, and monitor specified policies and procedures. Policies and procedures also play an important role under QC 1000, but they would have a different context because of the significant differences in the way in which the standard is structured.
See QC 20.03; QC 20.17.
QC 1000 is grounded in the firm's risk assessment process, whereby the firm's quality objectives and the risks to achieving them are identified and addressed by the firm in an ongoing, structured fashion. This risk assessment process drives how the firm develops and refines its policies and procedures; the “quality responses” are designed and implemented to address quality risks. As such, policies and procedures are a means to an end—addressing quality risks—rather than an end in themselves. QC 1000 provides more detailed requirements regarding the structure, scope, and functioning of the firm's QC system, particularly in the monitoring and remediation component, than the Board's current QC standards.
This does not mean that firms' QC policies and procedures are no longer important. On the contrary, they are critical to addressing quality risks and thereby achieving quality objectives and the reasonable assurance objective. However, firms may no longer rely on simply promulgating policies and procedures as the central, and sometimes only, component of their QC system. Compliance with the QC standard ultimately is based on whether the firm has met its quality objectives and the reasonable assurance objective—which are driven by whether the firm's policies and procedures have in fact been effective in addressing quality risks—and on whether the firm has complied with the requirements of the standard in the design, implementation, and operation of the QC system. Another commenter suggested that the QC system should not address firm policies and procedures that go beyond applicable professional and legal requirements, on the basis that it might undermine investor protection by disincentivizing firms from developing policies and procedures that go beyond what is required. For the reasons discussed above, the Board has not included policies and procedures in the reasonable assurance objective. However, because policies and procedures play an important role in the firm achieving the reasonable assurance objective, the Board has determined that some quality objectives have to incorporate compliance with firm policies and procedures as well as applicable professional and legal requirements.
The reasonable assurance objective also reflects the view that the purpose of the QC system is to drive overall compliance by the firm, each member of firm personnel, and each other participant with applicable professional and legal requirements, and not necessarily to drive more narrow compliance with firm policies and procedures.
Under QC 1000, the reasonable assurance objective of the firm's QC system is generally consistent with the objective of the QC system under the Board's existing QC standards but, in addition to the changes discussed above, it places more emphasis in three key areas:
- Expressly reminding auditors that an effective QC system protects investors by facilitating the consistent preparation and issuance of informative, accurate, and independent engagement reports;
- Specifying that responsibilities be fulfilled not only with respect to professional standards, but also with respect to legal requirements to the extent they apply (e.g., SEC and PCAOB rules, other provisions of U.S. Federal securities law, and other applicable legal and regulatory requirements); and
- Expressly mentioning compliant engagement reporting (an existing responsibility under PCAOB standards), given the explicit reference to audit reports in Sarbanes-Oxley.
Responsibilities in this context include all responsibilities that are subject to applicable professional and legal requirements—for example, in relation to the firm's engagements, work the firm does on other firms' engagements, training, independence monitoring, and other activities that are part of or subject to the firm's QC system.
In addition, the objective covers the activities of a broader group than current standards. It applies not only with respect to firm personnel and other auditors, but also to other participants involved in the firm's engagements and QC activities whose work is performed at the direction of the firm. As discussed above, the Board believes that QC 1000 should reach such other participants in light of, among other things, the increasing prevalence and importance of the use of professionals and organizations outside the firm, such as auditor-engaged specialists and service centers, in audits performed under PCAOB standards. Many commenters, generally firms and related groups, expressed concern about the inclusion of other participants in the reasonable assurance objective. The Board believes that the firm's own QC system must address all the work done on the firm's engagements and in connection with the design, implementation, and operation of the firm's QC system, regardless of who does it. The reasonable assurance objective in QC 1000 appropriately reflects that scope.
b. Requirements To Design, Implement, and Operate a QC System (QC 1000.06-.07)
QC 1000 requires all firms to design a QC system that complies with the standard. This entails assigning QC-related roles and responsibilities as provided in paragraphs .10-.17; establishing quality objectives, at least annually identifying and assessing quality risks to the achievement of those objectives, and designing quality responses to address those risks, as provided in paragraphs .18-.57; designing a monitoring and remediation process that, upon implementation, would comply with paragraphs .58-.76; and documenting the design of the QC system as provided in paragraphs .81-.86. The design of the QC system is based on the quality risks the firm likely would face if it performed engagements.
The PCAOB received a significant volume of comments on this aspect of the proposal, which is discussed above. In addition, one commenter suggested emphasizing the concept of professional judgment by incorporating it in paragraph .06 or .07 and defining it in Appendix A of QC 1000. It is true that under QC 1000, judgment may have to be exercised in areas of the QC system, such as assessing risk and evaluating QC deficiencies. However, the basic approach of QC 1000, which specifies quality objectives to be achieved through specified risk assessment and monitoring and remediation processes, is outcome-based and not simply a matter of professional judgment. Moreover, under paragraph .10, all activities related to the QC system must be performed with due professional care. This means that even in judgmental areas, professional judgment is not unbounded; individuals must exercise professional skepticism and use the requisite knowledge, skill, and ability to diligently (and in good faith and with integrity) obtain and objectively evaluate information. Accordingly, the Board adopted these requirements as proposed.
In addition to the obligation to design the QC system, firms are required under paragraph .07 to implement and operate an effective QC system (i.e., comply with all provisions of the standard) at all times that the firm is required to comply with applicable professional and legal requirements with respect to any of the firm's engagements. This would occur, for example, whenever the firm has responsibilities with respect to the acceptance of an engagement, the performance of an engagement, remediation of deficiencies in an engagement, or matters associated with an engagement that arise or continue after issuance of the engagement report, such as retention of audit documentation, issuance of reports included in Securities Act filings (including consent to the inclusion of such reports), other engagement deficiencies, and subsequently discovered facts. Once a firm no longer has any responsibilities under applicable professional and legal requirements with respect to any firm engagements, the firm will be required to continue operating the QC system until the next September 30 (the next date as of which the firm is required to evaluate the QC system). This ensures that the firm will evaluate and report on the QC system for any year during which the QC system was required to operate.
Note, however, that the firm would not necessarily have to implement and operate every QC policy and procedure it has designed. See Scalability above.
See AS 4101, Responsibilities Regarding Filings Under Federal Securities Statutes.
See AS 2901. The Board amended AS 2901 in connection with this rulemaking to expand auditor responsibilities with respect to engagement deficiencies. See Amendments to AS 2901, Consideration of Omitted Procedures After the Report Date, and Related Amendments below for additional discussion.
See AS 2905, Subsequent Discovery of Facts Existing at the Date of the Auditor's Report.
The requirements for evaluating and reporting on the QC system are discussed below.
Note that firms may not have lengthy advance notice before responsibilities arise under applicable professional and legal requirements with respect to an engagement. For example, a firm may be contacted by an affiliated firm to play a substantial role in an engagement or may be asked to consent to the inclusion of a previously issued audit report in the registration statement of a company previously audited by the firm. Under the standard, registered firms will have to stand ready to have their QC system implemented and operating over such responsibilities whenever they arise.
Although all PCAOB-registered firms are required to design a QC system that complies with the standard, the obligation to implement and operate that system applies only when the firm is required to comply with applicable professional and legal requirements with respect to the firm's engagements. Implementing and operating a QC system means that assigned personnel are fulfilling their QC-related roles and responsibilities under QC 1000, the relevant quality responses (i.e., policies and procedures) and monitoring and remediation process that the firm has designed are operational, and the firm is documenting the implementation and operation of its QC system. As noted above in the discussion of scalability, the scope of the QC system is driven by the professional and legal requirements that apply to the firm and its engagements and the relevant risks, which may vary depending on the nature and extent of the firm's practice.
The standard also makes clear that existing obligations under QC 1000, such as the obligation to evaluate and report on the QC system for periods in which the QC system was required to be implemented and operating, are not extinguished when a firm transitions from full applicability to scaled applicability.
As discussed in more detail above, the Board's view is that requiring all registered firms to design a QC system that complies with QC 1000 is consistent with the PCAOB's statutory mandate, historical practice, and investor protection mission, and that scaling back obligations under QC 1000 to the design of the QC system, as described under paragraph .06, is justified in cases where a firm is not subject to any obligations under applicable professional and legal standards with respect to any firm engagement.
b. Risk-Based Approach (QC 1000.08-.09)
The Board did not receive comments specifically on these paragraphs and adopted them as proposed. These paragraphs require a firm to employ a risk-based approach to quality control, such that the firm proactively manages its QC system and the quality of the work it performs on engagements.
Under the standard, the firm is required to design, implement, and operate a QC system that reflects and responds to the firm's particular risks through two process components.
- The firm's risk assessment process—establishing quality objectives, identifying and assessing quality risks to the achievement of those objectives, and designing and implementing quality responses to address the identified quality risks—is applied to all of the aspects of the firm's organization and operations that are covered by the QC system and thus is tailored to each firm's specific facts and circumstances.
- The monitoring and remediation process is carried out in a way that is informed by and responsive to risks—for example, quality risks influence both the selection of engagements to monitor and the design and extent of monitoring activities.
The requirement to evaluate the effectiveness of the QC system supports continued improvement in these risk assessment and monitoring and remediation processes by requiring the firm to evaluate and report on whether the quality objectives and the reasonable assurance objective have been achieved. These requirements are discussed in more detail below.
The aspects of QC 1000 that are risk-based are inherently scalable. In applying a risk-based approach, the firm is required to tailor its QC system to the firm's specific facts and circumstances, including the size and complexity of the firm, the types and variety of engagements it performs, the types of companies for which it performs engagements, and whether it is a member of a network (and if so, the nature and extent of the relationship between the firm and the network). Accordingly, a large, complex firm that performs a wide variety of engagements will likely be required to have a more complex QC system than a small firm that performs a small number of less complex engagements.
2. Current PCAOB Standards
As described above, under current QC standards, a QC system is broadly defined as a process to provide a firm with reasonable assurance that its personnel comply with professional standards applicable to its accounting and auditing practice and the firm's standards of quality. The QC system encompasses the firm's organizational structure, policies adopted, and procedures established to provide that reasonable assurance. Registered firms are required to design, implement, and operate a system of quality control to provide this reasonable assurance.
See QC 20.03.
See QC 20.04.
Roles and Responsibilities
Expectations of individuals within the QC system are established through the assignment of roles and responsibilities that are essential to a well-functioning QC system. This aspect of the QC system creates clearer lines of communication and decision-making authority and greater accountability for those assigned to such roles. One commenter on the overall requirements supported them as proposed. Some firm commenters also supported the proposed roles and offered operational suggestions, while other firm commenters asserted that the proposed roles and responsibilities were not clear and appropriate for the reasons described in the following subsections.
1. QC 1000
a. Due Professional Care (QC 1000.10)
Paragraph .10 of the standard addresses due professional care in performing responsibilities in relation to the QC system. Due professional care, applicable to all firm personnel and other participants, includes professional skepticism. The concept of due professional care imposes a responsibility upon firm personnel and other participants to observe relevant professional standards including, in the context of quality control, QC 1000. The Board believes that this provision is a helpful clarification because the PCAOB standards describing due professional care do not specifically mention QC activities.
A new auditing standard, AS 1000, is being adopted to combine and update the four standards that set forth the general principles and responsibilities of the auditor, including AS 1015, Due Professional Care in the Performance of Work. See Auditor Responsibilities Release.
One commenter urged the PCAOB to clarify the need for professional skepticism by leadership in quality control roles. The Board does not believe specific provisions are needed in that regard, because paragraph .10 applies to all individuals performing QC roles, including those in leadership roles.
The Board has adopted this provision with modifications to align with the descriptions of due professional care and professional skepticism being adopted in AS 1000.
Id.
b. Assignment of Roles and Responsibilities (QC 1000.11-13)
The Board proposed to require the highest-ranking executive in the firm to bear ultimate responsibility and accountability for the QC system as a whole. If a firm has co-principal executive officers, each of them would bear such ultimate responsibility and accountability. The PCAOB did not prescribe the substantive qualifications the highest-ranking executive in the firm should have; the proposal did not include any such criteria (unlike the assigned roles under paragraph .12, which only may be assigned to personnel who have the experience, competence, authority, and time to carry out their responsibilities). The Board's intention was to establish accountability for QC at the highest level within the firm and underscore the critical importance of the QC system. One commenter supported this requirement, as it is analogous to the CEO being jointly responsible for the SEC certifications with respect to the financial statements and internal controls. One commenter requested clarification on the structure of smaller firms where the firm's CEO may not be an audit practitioner and may rely on others to fulfill the requirements of the QC system. The Board believes it is important for the firm's principal executive officer, irrespective of whether that person is an audit practitioner, to be ultimately responsible and accountable for the firm's QC system, because the Board believes that this will lead to more vigorous oversight of the audit practice, benefiting investors and other stakeholders that rely on the firm's work.
The requirement in paragraph .12 of QC 1000 is limited to roles that are expected to exist in any firm and allows each firm to assign these roles based on the nature and circumstances of the firm, provided that those assigned have the experience, competence, authority, and time to enable them to carry out their assigned responsibilities. This approach also addresses scalability; as the note to paragraph .12 makes clear, depending on the nature and circumstances of the firm, one individual may be assigned to more than one of the roles in paragraphs .11 and .12.
A number of commenters suggested that the roles in paragraph .12 should be able to be split into multiple roles or assigned to multiple people. Commenters asserted that the roles, such as operational responsibility for the ethics and independence component, are complex enough to require two individuals. Several of the same commenters expressed that the requirement is generally too prescriptive. Several firms indicated that many firms in larger networks may commonly have these specified roles filled by individuals outside of the firm and the restriction of these roles to firm personnel may be problematic operationally.
For the roles specified in paragraph .12, the final standard retains the requirement that only one individual may be assigned responsibility for each role. A firm may have multiple individuals or multiple layers of personnel supporting these roles, but the responsibility for the assigned role may not be delegated and will remain with the one assigned individual. For example, a firm could assign one person to ethics-related matters and another person to independence-related matters, as long as both of these individuals report to the person with operational responsibility for the firm's compliance with ethics and independence requirements. The Board acknowledges that some firms may seek assistance from their network or other participants in performing some of their QC-related activities, but the Board believes a single individual within the firm should remain responsible for the operational responsibilities of the assigned roles. Regardless of whether specific tasks are delegated to others, the individual assigned to a specified role remains responsible and accountable for the role's related responsibilities.
Commenters generally supported allowing one person to hold multiple responsibilities under certain circumstances, such as smaller firms with limited resources. Two commenters supported the roles as proposed and one commenter suggested the firm's head of audit practice also be included as a role.
The Board's view is that the roles specified in paragraph .12 would be appropriate for every firm. Provided that the criteria in paragraph .12 of QC 1000 are met, the individual assigned ultimate responsibility and accountability for the QC system also may assume responsibility for all aspects of the QC system, including operational responsibility for the QC system, the firm's compliance with ethics and independence requirements, and the monitoring and remediation process. The Board has not been specific about who should be assigned the roles identified in paragraph .12. A firm may determine, based on its nature and circumstances, that it is appropriate to assign already established leaders to one or more of these roles, such as the head of audit practice as suggested by a commenter.
One commenter requested clarification of the intended role in .12d. The role in paragraph .12d allows firms to assign operational responsibility for other components (e.g., the resources component) based on the nature and circumstances of the firm. The standard provides firms the ability to add additional roles and responsibilities, if appropriate, and the flexibility to assign one individual to more than one of the roles specified.
The proposal asked if firms would have difficulty filling the assigned roles. Two commenters were optimistic these roles could be filled in light of the requirements. Commenters cited increased liability or workload associated with these roles as potential disincentives that may keep qualified individuals from accepting these roles. Specifically, some commenters asserted that the proposal would lower the threshold for individual liability compared to current requirements, and that the threat of enforcement sanctions would deter individuals from accepting the roles. One commenter sought clarification on the supervision obligations prescribed under QC 1000 and the Board's authority to bring enforcement actions for failure to reasonably supervise under section 105(c)(6) of Sarbanes-Oxley. One commenter recommended amending paragraph .11 to acknowledge that individuals assigned ultimate responsibility for the QC system as a whole can rely on information provided to them and their responsibility is governed by a good faith standard. Two commenters expressed concern that firms, especially smaller issuer or broker-dealer practices, would have difficulty filling the specified roles. One commenter was concerned with increased accountability and suggested balancing accountabilities such that processes and outcomes, as well as rewards and penalties, are more appropriately weighted.
Analogous concerns were also raised by commenters in relation to the separate rulemaking Proposed Amendments to PCAOB Rule 3502 Governing Contributory Liability, available on the Board's website in Docket 053.
Current QC standards generally impose responsibilities directly on the firm rather than on individuals. Enforcement actions related to the failure to comply with current QC standards can be brought against individuals for contributing to violations by the firm or for failing to reasonably supervise an associated person of the firm who commits certain violations.
See PCAOB Rule 3502, Responsibility Not to Knowingly or Recklessly Contribute to Violations. The Board has proposed to amend Rule 3502 in certain ways, including by changing the standard of conduct for associated persons' contributory liability from recklessness to negligence. See Proposed Amendments to Rule 3502 Governing Contributory Liability, PCAOB Rel. No. 2023-007 (Sept. 19, 2023).
See Sarbanes-Oxley sec. 105(c)(6), 15 U.S.C. 7215(c)(6).
Under QC 1000, the individuals who are assigned specific responsibilities with respect to the QC system could be charged with violations if they fail to comply with those enumerated responsibilities, as well as for contributing to firm violations or failing reasonably to supervise. As discussed further in the sections that follow, the individuals who fill the roles specified in paragraphs .11 and .12 of QC 1000 have specified responsibilities spelled out in paragraphs .14 through .17 of the final standard. Those individuals must exercise due professional care (see paragraph .10), and their failure to properly discharge their duties—for example, to establish or direct the establishment of certain QC-system reporting lines (see paragraph .14b), to certify the firm's Form QC report to the PCAOB (see paragraphs .14d and .15b), or to timely communicate certain information to others (see paragraphs .16b and .17b)—would constitute violations of QC 1000. So while current QC standards generally require either a primary violation by the firm to trigger an individual's potential liability under Rule 3502 or a primary violation by another associated person to trigger a supervisory person's potential liability under section 105(c)(6) of Sarbanes-Oxley, QC 1000 creates a framework in which an individual's failure to discharge prescribed responsibilities could give rise to individual liability without regard to whether primary violations were committed by another.
See PCAOB Rel. No. 2023-007.
That is not to say, however, that the individuals filling the roles specified in paragraphs .11 and .12 of QC 1000 no longer can be charged with contributing to violations by the firm or for failing to reasonably supervise an associated person who commits certain violations. Because of the important role played by the individuals filling those roles, their failure to properly fulfill their responsibilities may contribute to violations by their firm. Furthermore, paragraphs .15a, .16a, and .17a of the final standard make clear that the individuals who fill the roles discussed therein are supervisory persons who have supervisory responsibilities under the Board's QC standards, for purposes of section 105(c)(6) of Sarbanes-Oxley.
The Board believes that providing another basis for enforcement against responsible individuals could enhance their accountability for the QC system. Enhanced accountability emphasizes the importance of the firm assigning roles to firm personnel who have the experience, competence, authority, and time needed to carry out their assigned responsibilities. Although the Board recognizes that some commenters expressed concern about whether individuals would be willing to assume these specified roles, the Board believes that these roles are necessary and appropriate for every firm. The Board also believes that, with appropriate incentives, firms should be able to fill these roles. The PCAOB is adopting these requirements as proposed.
The Board discusses each of the QC roles identified in the standard in the subsections that follow. Paragraph .13 provides that individuals assigned operational responsibilities under paragraph .12 should have a direct line of communication to the individual with ultimate responsibility and accountability for the QC system. This line of communication would provide these individuals the information necessary to perform their assigned roles. One commenter supported a feedback loop between the individuals assigned responsibilities under paragraphs .11 and .12, but sought clarity regarding whether individuals in the roles in paragraph .12 are required to report to the firm's principal executive officer. The Board has not prescribed the firm's reporting structure related to those roles, as it may vary based on the nature and circumstances of the firm.
c. Ultimate Responsibility and Accountability for the QC System as a Whole (QC 1000.14)
The individual assigned ultimate responsibility and accountability for the QC system as a whole reinforces the responsibility and accountability of firm personnel by demonstrating a commitment to quality. The standard emphasizes the role of that individual—by the individual recognizing and reinforcing professional ethics, values, and attitudes through the individual's actions, behaviors, and communications—in establishing a firm's tone at the top and attitude towards quality.
The individual assigned ultimate responsibility and accountability is responsible for establishing, or directing the establishment of, structures, reporting lines, and authorities and responsibilities for the roles involving operational responsibility for aspects of the QC system and the QC system as a whole. For each firm, the approach to fulfilling these responsibilities will be dependent on the firm's nature and circumstances. For example, in a smaller firm where there are fewer individuals with assigned roles, structures may be less formal. Conversely, for a larger firm, it may be necessary to have multiple individuals in roles with assigned responsibilities or to have multiple layers of personnel supporting different activities. However, ultimate responsibility and accountability cannot be delegated.
Also, the individual assigned ultimate responsibility and accountability is accountable for the design, implementation, and operation of the firm's QC system in accordance with applicable professional and legal requirements and the firm's policies and procedures, as well as for the firm's annual QC system evaluation. The functions performed by the individual with ultimate responsibility and accountability may vary across firms. For example, in a smaller firm, the individual assigned ultimate responsibility and accountability may be directly involved in aspects of the QC system, such as the firm's monitoring and remediation process. In a larger firm, this person may supervise others who perform these activities.
Lastly, the Board proposed requiring the individual assigned ultimate responsibility and accountability for the QC system as a whole, along with the individual assigned operational responsibility and accountability for the firm's QC system as a whole, to certify the firm's annual evaluation of its QC system in a report to the PCAOB. One commenter expressed concern that the certification requirements may create a barrier to firms operating in environments that do not have Sarbanes-Oxley-style reporting requirements. The same commenter also emphasized the certifications may have a disproportional impact on smaller firms that have fewer resources. One commenter suggested that certification by the firm's CEO is an ineffective incentive and a more appropriate incentive would be compensation that was heavily weighted towards effective QC systems.
As discussed further below, the Board believes such certification will lead to increased discipline in the evaluation process and reinforce the accountability of the certifying individuals, and has adopted that requirement as proposed. The Board believes certifications are commonly known among issuers within the regulatory environment and would be familiar to their auditors. The Board also believes the certification requirements will complement the revised provisions in paragraphs .25b and .44g of the final standard, which address compensation incentives based on an effective QC system.
d. Operational Responsibility and Accountability for the QC System as a Whole (QC 1000.15)
This requirement did not draw comment and the Board adopted it as proposed. The individual assigned operational responsibility and accountability for the QC system as a whole is accountable for supervising the design, implementation, and operation of the firm's QC system. This includes overseeing the operation of the QC system in achieving the reasonable assurance objective. Depending on the nature and circumstances of the firm, this individual may be the same person assigned ultimate responsibility and accountability for the QC system, or may be assigned other operational responsibilities, such as for ethics and independence or monitoring and remediation.
In carrying out the specified responsibilities, the individual assigned operational responsibility and accountability for the QC system as a whole may be supported by the individuals assigned operational responsibility for the firm's compliance with ethics and independence requirements, the monitoring and remediation process, or other components of the QC system. This includes receiving information from such individuals regarding violations of ethics and independence requirements and the results of the monitoring and remediation process.
Along with the individual assigned ultimate responsibility and accountability for the QC system as a whole, and for similar reasons, the Board has required the individual assigned operational responsibility and accountability for the QC system as a whole to certify the firm's annual report to the PCAOB on the evaluation of its QC system, as discussed below.
If the same person were assigned both ultimate responsibility and accountability and operational responsibility and accountability for the QC system, that person would sign the certification in both capacities.
e. Operational Responsibility for the Firm's Compliance With Ethics and Independence Requirements (QC 1000.16)
Compliance with ethics and independence requirements is essential to the performance of engagements and, in some situations, presents challenging, novel, or complex issues. The current requirements for former SECPS member firms include designating a senior-level partner to oversee the firm's independence policies and consultation process, among other independence-related activities. Like in the proposal, in the final standard the individual assigned operational responsibility for compliance with ethics and independence requirements will supervise the areas addressed by the ethics and independence component of QC 1000, which include the firm's risk assessment process for ethics and independence and the design, implementation, and maintenance of the firm's policies and procedures related to ethics and independence.
Within the ethics and independence component, there are quality objectives and specified quality responses that address potential violations of ethics and independence requirements, including a quality objective that potential violations are communicated to the individual with operational responsibility for ethics and independence requirements. That individual is then responsible for communicating such violations to the individuals assigned operational responsibility for the monitoring and remediation process and operational responsibility and accountability for the QC system as a whole.
Paragraph .16b, as well as several other requirements in the standard, refers to actions being taken on a “timely basis.” In each of these cases, what constitutes “timely” would depend on the underlying matter to which the action relates, including the matter's nature, scope, and impact. Timely communication and action should be sufficiently prompt to achieve its objective. In some cases, for example, where there is a high risk of a severe or pervasive problem, communication and action may have to be immediate to be timely. The only commenter on this term agreed that what constitutes “timely” would depend on the underlying matter to which action relates. The commenter also wanted clarification that the firm's policies and procedures assist in promoting communication such that the appropriate individuals with responsibilities over the firm's QC system become aware of relevant matters in a timely manner, as appropriate for the size and the scale of the firm and relative nature of the matter. Insofar as the comment may be read to suggest that the size and scale of the firm, on its own, is a factor in determining timeliness, the Board disagrees. In the Board's view, timeliness is a function of the nature and significance of the issue (appreciating that the size and scale of the firm may be relevant in gauging the nature and significance of an issue).
One commenter expressed concern that the prescriptiveness of the communication requirements may detract from the achievement of the intended objectives. Specifically, the commenter was concerned that it may not be appropriate to require communication of all violations to the individual with operational responsibility and accountability for the QC system as a whole.
The specified communications are intended to enable these individuals to take timely and appropriate actions in accordance with their responsibilities. In the Board's view, in order to do that, they need to be apprised of ethics and independence violations. Ethics or independence violations may take a variety of forms, and therefore the nature and extent of the communication may also take a variety of forms commensurate to the severity and pervasiveness of the violation. Leaving aside the question of whether a violation of ethics or independence requirements could ever be insignificant, individual violations may evidence problems within specific areas of the firm's policies and procedures or an overall pattern of disregard for ethics and independence requirements that requires timely intervention. The Board has adopted these requirements as proposed.
f. Operational Responsibility for the Monitoring and Remediation Process (QC 1000.17)
The monitoring and remediation process is a critical part of a firm's QC system because it creates a feedback loop to inform the firm's risk assessment process, results in an approach that drives continuous improvement, and provides the firm with information about whether the QC system is operating effectively. As proposed, the individual assigned operational responsibility for the monitoring and remediation process would be responsible for supervising the design, implementation, and operation of the monitoring and remediation process component and the evaluation of the QC system. This individual would also be responsible for overseeing actions taken to respond to identified engagement deficiencies, QC deficiencies, and major QC deficiencies.
One commenter was concerned that it would be a conflict of interest for this individual to oversee both the monitoring and remediation process and the evaluation process. Another commenter recommended that the responsibility for the annual evaluation be shared between the individual with operational responsibility for the QC system as a whole, who recommends the evaluation conclusion, and the individual with operational responsibility for the monitoring and remediation process, who concurs or recommends changes to the conclusion. The Board understands that in a smaller firm these roles may all be performed by the same individual. In a larger firm that assigns different individuals to the roles, the individual with operational responsibility for the monitoring and remediation process supervises the evaluation process. Although the individual overseeing the monitoring and remediation process also oversees the evaluation process, other aspects of QC 1000 drive accountability for the evaluation. Paragraph .14c makes the individual assigned ultimate responsibility and accountability for the QC system as a whole accountable for the annual evaluation. Additionally, paragraphs .14d and .15b impose certification requirements that also drive accountability for the evaluation process. The Board has adopted this requirement as proposed.
The individual assigned operational responsibility for the monitoring and remediation process is also responsible for communicating, on a timely basis, matters related to monitoring and remediation to the individuals assigned ultimate responsibility and accountability for the QC system as a whole and operational responsibility and accountability for the QC system as a whole. These communications would include key aspects of the monitoring and remediation process, such as the monitoring activities performed, results of the monitoring activities, and the remedial actions taken. The communication of this information to the individual assigned ultimate responsibility and accountability for the QC system as a whole facilitates and supports that individual's overall accountability for the evaluation of the QC system.
2. Current PCAOB Standards
QC 20.22 requires the assignment of responsibility for the design and maintenance of QC policies and procedures to appropriate individuals but does not specify the role or roles to which such responsibilities should be assigned. In addition, members of the SECPS are required to designate a senior-level partner responsible for, among other things:
- Overseeing the functioning of the firm's independence policies and consultation process;
- Maintaining the restricted entity list and providing it to all professionals; and
- Supervising the monitoring system related to overseeing that independence violations are addressed.
QC 1000 retains and expands on these concepts. However, rather than specifying that a senior-level partner be responsible for independence matters, the standard takes a more functional approach, requiring a person with the experience, competence, authority, and time needed to enable that person to carry out the assigned responsibilities.
Another key difference, as discussed above, is that QC 1000 imposes specific responsibilities on the individuals assigned the specific roles, such that enforcement action could be brought against them individually if they fail to meet those responsibilities.
The Firm's Risk Assessment Process
The risk assessment process is the basis for a risk-based approach to the design, implementation, and operation of the firm's QC system. The firm's risk assessment process, in combination with the monitoring and remediation process, creates a feedback loop to drive continuous improvement of the firm's QC system.
The proposal included a risk assessment process that would be principles-based and could be tailored to the size and complexity of the firm and the types and variety of engagements it performs. Several commenters, including firms, were generally supportive of a risk-based approach to the firm's QC system. One commenter, an investor-related group, expressed concern that a principles-based approach would allow audit firms too much discretion in conducting their own risk assessment. Another commenter noted that while they generally supported a risk-based, scalable approach, they supported a more prescriptive approach for the resources and monitoring and remediation components.
The Board has retained the approach as proposed because it believes that applying a risk-based approach to the design, implementation, and operation of the QC system will prompt firms to identify and focus on the most relevant risks to quality in the context of their own practice and will make QC 1000 appropriately adaptable to future changes in technology, regulation, and the business environment. It will also ensure scalability, allowing firms to right-size their QC systems as their practices grow and change. As discussed above, QC 1000 contains a balance of prescriptive and risk-based elements.
One commenter requested clarity on whether QC 1000 would operate separately or in concert with other quality control standards, specifically whether the risk assessment process would apply only to engagements performed under PCAOB standards or to the firm's overall risk assessment of all its engagements, including those performed under other standards. Consistent with the way the term “engagement” is defined in QC 1000, the requirements of QC 1000, including those regarding the firm's risk assessment process, generally apply only to work performed under PCAOB standards. However, nothing prevents a firm from designing, implementing, and operating a single risk assessment process for its entire audit and assurance practice that satisfies both QC 1000 and the other quality control standards that apply to the firm.
See Terminology discussed above.
The risk assessment process should be familiar to firms because it is analogous to existing auditor responsibilities for identifying, assessing, and responding to risks of material misstatement of the financial statements. Audit procedures for identifying and assessing risks of material misstatement include information-gathering procedures to identify risks (e.g., obtaining an understanding of the company, its environment, and its internal control), assessment of risks based on information obtained, and design and implementation of responses to address the identified risks. The standard creates analogous responsibilities in relation to the QC system. Similarly, as the auditor is required by auditing standards to modify the overall audit strategy and the audit plan if circumstances change during the course of the audit, the firm is required by QC 1000 to monitor, identify, assess, and respond to changes in relevant conditions, events, and activities that affect the firm's QC system.
See generally AS 2110, Identifying and Assessing Risks of Material Misstatement.
See AS 2110.74.
1. QC 1000.18
The firm's risk assessment process applies to the six components of the firm's QC system that specify quality objectives. To design, implement, and operate this process, the firm is required to:
- Establish quality objectives;
- Identify and assess quality risks to the achievement of the quality objectives; and
- Design and implement quality responses to address the identified quality risks.
The process for establishing quality objectives, identifying and assessing quality risks, and designing and implementing quality responses is iterative, and the requirements of the standard would not necessarily be addressed in a linear manner. For example, in identifying and assessing quality risks, the firm may determine that one or more additional quality objectives are required; in designing and implementing quality responses, the firm may identify additional quality risks. The risk assessment process is also iterative and ongoing, so that new or developing risks are identified and addressed as they emerge. For smaller and less complex firms, the risk assessment process may be centralized and involve only a few individuals. For larger and more complex firms, the risk assessment process may be more structured and decentralized, involving multiple layers and groups. The Board believes that the risk assessment approach will prompt firms to proactively identify, assess, and respond to quality risks, while at the same time allowing them to apply judgment when identifying and assessing quality risks.
a. Establish Quality Objectives (QC 1000.19)
The standard defines quality objectives as the desired outcomes in relation to the components of the QC system to be achieved by the firm. Establishing quality objectives is the first step in the risk assessment process and forms the basis for the identification and assessment of quality risks and the design and implementation of quality responses. The quality objectives are outcome-based and the risk assessment process provides firms the ability to determine how the quality objectives are to be achieved.
One investor-related group expressed concern with the lack of specificity in the proposed standard regarding the design of an audit firm's quality control system, suggesting that the proposed standard would enable firms to design a QC system that could too easily be certified as working properly. The Board believes that the quality objectives specified in QC 1000 will promote an appropriate level of rigor in the QC system. While QC 1000 provides some flexibility with regard to the quality risks that firms identify and the quality responses that firms develop to address those risks, it does not provide the same flexibility with regard to quality objectives. Instead, quality objectives that will apply to all firms are specified in the standard. Firms can establish additional quality objectives—indeed, they are required to do so if necessary to achieve the reasonable assurance objective—but they generally cannot omit or modify any of the quality objectives set out in the standard. Therefore, firms do not determine the criteria by which their QC systems will be assessed, only the means by which they will meet those criteria.
Quality objectives are specified in the standard for six of the components of the QC system: governance and leadership, ethics and independence, acceptance and continuance of engagements, engagement performance, resources, and information and communication. A firm may determine that it is necessary to establish quality objectives for its monitoring and remediation process. In those circumstances, the firm's risk assessment process would also apply to the monitoring and remediation process. Otherwise, although monitoring and remediation would not be subject to the firm's risk assessment process as described in the standard, it would nevertheless be carried out in a way that is informed by and responsive to quality risks.
See Monitoring and Remediation Process below. For example, quality risks and the reasons for their assessment are factors a firm would take into account when determining the nature, timing, and extent of its monitoring activities.
The Board believes that, for many firms, the quality objectives specified in the standard are likely to be comprehensive and it does not expect, in the current environment, that additional quality objectives would generally be necessary. However, the Board also recognizes that the nature and circumstances of a firm and its engagements will vary and conditions may change. Accordingly, a firm is required to establish additional quality objectives if necessary to achieve the reasonable assurance objective.
The requirement for the firm to establish quality objectives necessary to achieve the reasonable assurance objective is designed to prompt ongoing reexamination of the quality objectives and modification as needed, which should enable the firm's QC system to adapt to a changing environment and remain fit for purpose. If a firm determines that its quality objectives need to be more specific, it could establish sub-objectives to provide a more direct link to quality risks and support the development of more comprehensive or better-targeted responses.
b. Identify and Assess Quality Risks (QC 1000.20)
The proposal defined quality risks as risks that, individually or in combination with other risks, have a reasonable possibility of adversely affecting the firm's achievement of one or more quality objectives if the risks were to occur, and are either (i) risks that have a reasonable possibility of occurring or (ii) risks of intentional acts by firm personnel and other participants to deceive or to violate applicable professional and legal requirements. The “reasonable possibility” term in the definition of quality risks is aligned with use of the term in PCAOB standards: there is a reasonable possibility of an event when the likelihood of the event is either “reasonably possible” or “probable,” as those terms are used in the FASB Accounting Standards Codification (“FASB ASC”) Topic 450, Contingencies.
See generally, e.g., AS 1105, Audit Evidence; AS 2101; AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements.
See FASB ASC paragraph 450-20-25-1; see also, e.g., footnote 4 to AS 1105.12, which incorporates the ASC definition.
A number of commenters raised questions or made suggestions about the proposed treatment of intentional acts in the definition of quality risks. One commenter suggested that intentional misconduct should not be explicitly addressed in the definition because the necessary response, especially as it relates to colleagues' behavior, may negatively impact the trust among colleagues and could constrain the achievement of quality objectives. Instead, this commenter suggested that the risk of intentional misconduct may be more effectively considered and responded to as part of the broader understanding of quality risks. Another firm expressed concern that requiring consideration of all illegal acts would contradict a risk-based approach.
Several firms agreed that the definition of quality risks should explicitly address the risk of intentional misconduct but suggested that the definition should also address the possibility of occurrence related to acts of intentional misconduct. Several commenters, including firms, firm-related groups, and an academic, recommended that the threshold of “reasonable possibility of occurring” should apply to all quality risks, including risks of intentional misconduct. Many of these commenters said that not applying the threshold of “reasonable possibility of occurring” to the risk of intentional misconduct would not be practical and could harm audit quality as this would divert time, resources, and attention from addressing more reasonably possible risks. Some commenters referenced the inclusion of the “reasonable possibility of occurring” threshold in AS 2110 and suggested that the same principle should apply to the risk of intentional misconduct in QC 1000. Two of these commenters suggested that not applying the threshold of “reasonable possibility of occurring” to the definition of quality risks would be inconsistent with AS 2401, Consideration of Fraud in a Financial Statement Audit, and could impose a threshold on firms that exceeds the current auditing standards over auditors' identification and assessment of fraud risks. Several commenters also stated that the inclusion of other participants in addressing every conceivable risk of intentional misconduct may be impractical as firms may have limited access to information on the conduct of other participants. One firm suggested that additional guidance may be beneficial with regard to assessing and responding to risks of intentional misconduct by other participants that are not part of the firm.
A firm-related group suggested that not applying the threshold of “reasonable possibility of occurring” to intentional misconduct appeared to go beyond the reasonable assurance objective and expressed concern that, without further clarification of how firms should deal with risks of intentional misconduct with less than a reasonable possibility of occurring, a disproportionate level of resources could be allocated to this area, to the detriment of other quality risks with more than a remote possibility of occurring.
After considering the comments received, the Board revised the definition of quality risks such that the threshold of “reasonable possibility of occurring” applies to all risks, including risks of intentional misconduct by firm personnel and other participants. However, the Board continues to believe that firms should be explicitly prompted to consider risks of intentional misconduct in their risk assessment process, because without such a prompt, firms may discount the possibility that intentional misconduct may occur and omit or underweight these types of risks in their risk assessment process. Therefore, the final definition provides that, for all risks, whether or not related to intentional misconduct, the firm would assess the possibility of occurrence and the possibility that the risks would have an adverse effect on the achievement of its quality objectives.
One firm suggested that while the threshold of “adversely affecting” is reasonably understood, additional guidance or examples would be welcomed. Another commenter noted that more examples serve as helpful interpretive guidance to those implementing the standard. Two firms believed the threshold is sufficiently clear and did not have specific requests for further guidance. The Board will monitor the implementation of the new standard by audit firms, and, if appropriate, consider the need for additional guidance.
The standard requires the firm to identify and assess quality risks for each quality objective it establishes. Most quality objectives are likely to have multiple quality risks. Some quality risks may relate to multiple quality objectives, either within a single component or across several components. The nature and extent of the firm's risk assessment process would be commensurate with the firm's quality risks and therefore will vary across firms in nature, scope, and complexity. In assessing risks, the firm would consider how often the quality risks may occur and the magnitude of the impact of the quality risks on the related quality objectives. The firm would then take this information into account in determining the nature, timing, and extent of the quality response(s) needed to address the quality risk.
One commenter requested clarification of whether the Board expects firms to categorize the identified risks (for example as lower, higher, or significant). While there is nothing in QC 1000 that requires such categorization, firms that find such an approach helpful could certainly use it.
The standard requires the identification and assessment of quality risks annually. Requiring an assessment annually, as well as when matters come to the firm's attention, drives a systematic, disciplined, and proactive approach to assessing the firm's quality risks. Through the Board's oversight activities, it has observed that many firms update their QC systems on an ad hoc basis, in response to changes in regulatory requirements or deficiencies identified by internal or external inspections, and do not have a systematic process of risk assessment. This reactive approach can result in firms taking corrective actions only after deficient audits have been identified. The annual identification and assessment requirement will instill a regular and disciplined approach to performing the risk assessment process and to identifying new quality risks that require modifications to the firm's quality responses or quality risks identified in a prior year that may no longer be sufficient or relevant.
The standard does not specify quality risks that must be assessed and responded to by all firms; rather it includes factors for the firm to consider in its risk assessment process. The Board believes that such an approach would result in the firm identifying and assessing the quality risks that are most relevant in light of its facts and circumstances.
i. Obtain an Understanding of the Conditions, Events, and Activities That May Adversely Affect the Achievement of the Firm's Quality Objectives
The standard requires the firm, as part of identifying and assessing quality risks, to obtain an understanding of the conditions, events, and activities that may adversely affect the achievement of the firm's quality objectives. This understanding underpins the firm's identification and assessment of the quality risks that are most relevant to the achievement of the firm's quality objectives. Appendix B of the standard provides examples related to the nature and circumstances of the firm and its engagements that may give rise to quality risks.
The considerations highlighted in paragraph .20a. and Appendix B could assist the firm in identifying one or more quality risks to the achievement of one or more quality objectives. For example, consideration of changes in a firm's structure may be relevant for a firm that has recently completed an acquisition of another firm. This consideration may result in the identification of a number of quality risks, such as a quality risk that the audit methodology used by the acquired firm may not be compatible with the acquirer's methodology or a quality risk that the firm is unable to retain personnel post-acquisition, which may pose risks to quality objectives in areas like engagement performance and resources.
Several commenters, including firms, noted that the examples provided in Appendix B were helpful. Two commenters expressed concern with the language used in paragraph .20a., specifically, that it was not sufficiently clear that the specific examples in Appendix B are meant to be illustrative rather than a checklist for every firm to consider. As the Board stated in connection with the proposal, the list in paragraph .20a. is not intended to be exhaustive and the specific examples provided in Appendix B are meant to be illustrative rather than a checklist for every firm to consider. Whether particular conditions, events, and activities are relevant, and result in one or more quality risks, depends upon the nature and circumstances of the firm and its engagements and how the conditions, events, and activities relate to or affect the operation of the firm's QC system and the performance of its engagements. The firm may also identify quality risks that do not relate to the list in paragraph .20a. or to any of the specific examples.
One firm expressed concern with the inclusion of proposed paragraph B10b. in Appendix B, which discusses the extent of alignment of a third-party provider's standards of conduct with those of the firm. The firm suggested that the example may imply that third-party providers from outside the public accounting profession may not be appropriate or sufficient, because they may not be subject to a centrally governed code of conduct. Nothing in the Board's standards requires a third-party provider to have a centrally governed code of conduct and the Board has added the phrase “if any” to the example to eliminate any ambiguity in that regard. However, the Board does believe that the existence of such a code of conduct, and the extent to which it aligns with the firm's own standards of conduct, is a relevant example that could be considered by a firm in assessing whether there exist conditions, events, or activities, as a result of its use of resources or services obtained from third-party providers, that may adversely affect the achievement of its quality objectives.
(1) The Nature and Circumstances of the Firm
The standard includes a list of considerations related to the nature and circumstances of the firm. Appendix B of the standard provides specific examples of each consideration in paragraphs .B2 through .B11.
The Board continues to believe that to consistently execute quality audits, it is important that a commitment to audit quality is embedded in the firm's culture and exists throughout the firm. In connection with this, the Board has added a new paragraph .20a.(1)(d) and paragraph .B5 to provide firms with an additional risk assessment consideration relating to the culture of the firm, and the extent to which a culture of integrity and a commitment to audit quality, including ethics and independence, is promoted within the firm and embraced by firm personnel across all levels of the firm.
In addition, the Board has added paragraph .B6e. to highlight that in understanding the resources of the firm, the firm may also have to consider the risks associated with technological resources, including their susceptibility to cybersecurity breaches.
(2) The Nature and Circumstances of the Firm's Engagements
In obtaining an understanding of the nature and circumstances of the firm's engagements, the firm considers the types of engagements performed by the firm as well as the types of entities for which such engagements are undertaken. Paragraph .B12 of Appendix B of the standard contains a list of examples of these considerations. For instance, a firm that conducts audits of broker-dealers may consider information from relevant authorities, like the SEC and Financial Industry Regulatory Authority (“FINRA”), in identifying risks associated with such audit engagements. The Board added an example to paragraph .B12a. to highlight that in understanding the nature and circumstances of the firm's engagements, the firm may also consider the laws and regulations to which the companies it audits are subject.
(3) Other Relevant Information
Other relevant information captures other information sources that help the firm to identify quality risks. One such source is the firm's monitoring and remediation activities. Consideration of information from those activities creates a feedback loop within the QC system by informing the firm of the results of the monitoring and remediation process that may help the firm identify quality risks.
Other sources are external inspections and oversight activities by regulators, and other external reviews, such as peer reviews. For example, the results of an external inspection may identify a high rate of noncompliance with independence requirements within a specific office of the firm or within a certain employee staff level, which the firm would take into account when identifying and assessing quality risks for the ethics and independence component.
ii. Identify and Assess Quality Risks Based on the Understanding Obtained
Under the standard, identifying and assessing quality risks is an ongoing, iterative process. The firm assesses risks as part of the initial design and implementation of the QC system, and thereafter annually, including in response to new information or changes in its circumstances and environment.
The standard requires the firm to identify and assess quality risks for each of the quality objectives established by the firm, based on the understanding of the relevant factors and other relevant information and taking into account whether, how, and the degree to which the achievement of the quality objectives may be adversely affected. The note clarifies that this assessment is based on inherent risk, without regard to the effect of any related quality responses. The assessment is similar to the determination made under AS 2201 as to whether an account or disclosure is significant based on inherent risk, without regard to the effect of controls. One commenter agreed with the clarification provided in the note that the assessment is based on inherent risk, but expressed concern that the note may not be sufficient to prompt or remind auditors of the independence of quality risks from quality responses. The Board believes that the note to paragraph .20b. provides clear direction for assessing quality risks without regard to the effect of quality responses. The Board will monitor the implementation of the new QC standard, and, if appropriate, consider the need for additional guidance. Quality risks may affect one or more quality objectives, either within a single component or across several components. For example, a quality risk that the firm may not be able to attract and retain qualified personnel would affect several quality objectives in the resources component, and may also affect quality objectives in other components, such as engagement performance or engagement acceptance and continuance.
See AS 2201.A10.
Under the definition of quality risks, the firm would not be required to identify every conceivable risk, but only those that have a reasonable possibility of occurring and, if they were to occur, a reasonable possibility of adversely affecting the firm's achievement of one or more quality objectives. The identification of quality risks takes into account individual risks as well as combinations of risks. For example, a risk that has a reasonable possibility of occurring but individually does not have a reasonable possibility of adversely affecting the achievement of the quality objective may meet the proposed definition of a quality risk when analyzed in combination with other risks.
The firm may undertake the quality risk assessment separately or concurrently with risk identification. Assessing the identified quality risks involves consideration of the frequency with which the quality risks may occur and the magnitude of the impact of the quality risks on the related quality objective(s). Identifying quality risks with the appropriate degree of specificity (not too narrowly or too broadly) would help the firm design quality responses that reduce to an appropriately low level the risk that the quality objective will not be achieved. Quality risks that are defined too broadly may result in quality responses that are not sufficiently targeted to the actual quality risk. Conversely, if quality risks are defined too narrowly, the quality responses may not sufficiently address the full extent of the actual quality risk.
The process of identifying and assessing quality risks is depicted below.
c. Design and Implement Quality Responses (QC 1000.21)
The standard requires the firm to design and implement quality responses that address quality risks in order to achieve the quality objectives. Quality responses are defined as policies and procedures designed and implemented by the firm to address quality risks. Under the definition, policies are statements of what should, or should not, be done to address assessed quality risks. Procedures are actions to implement and comply with policies.
Under the principles-based approach of the standard, the nature, timing, and extent of quality responses depend on the underlying quality risks and the reasons why these risks were assessed as quality risks. For example, a quality risk that is tied to an event that is expected to occur multiple times per year, or that could have a very significant impact, requires a more extensive response than a quality risk tied to a specific event that is expected to occur only once and have a less significant impact.
The firm may decide to implement quality responses at the firm level or the engagement level, or through a combination of responses at the firm and engagement levels, depending on the nature of the quality risk. Quality responses may address multiple quality risks related to one or more QC components.
Quality responses may vary depending on to whom they apply. For example, based on the quality risks that are being addressed, the firm may develop some policies and procedures that are applicable to all firm personnel and others that apply only to firm leadership or personnel in a particular function or geographic location. Similarly, the firm's policies and procedures regarding other participants may be different for different types of other participants (e.g., network affiliates, engaged specialists).
Information obtained from the identification and assessment of quality risks enables the firm to develop quality responses that appropriately and adequately respond to the quality risks. In assessing risks, the firm would consider how often the quality risks may occur and the magnitude of the impact of the quality risks on the related quality objectives. The firm would then take this information into account in determining the nature, timing, and extent of the quality response(s) needed to address the quality risk.
In addition to the quality responses designed by the firm, the standard requires certain specified quality responses for all firms. Some specified quality responses are drawn from existing PCAOB requirements or from the specified responses in ISQM 1, and have been included either to carry existing requirements into the new standard or to create other obligations that would have to be met in designing, implementing, and operating the QC system. Other specified quality responses are new provisions that the Board believes are sufficiently important to merit an explicit requirement. The specified quality responses are not intended to be comprehensive; on the contrary, for most of the components of the firm's QC system, QC 1000 includes only a few specified quality responses, and for the engagement performance component there are none. As a result, the specified quality responses alone would not be sufficient to enable the firm to achieve all established quality objectives, and firms must design and implement their own quality responses in addition to the specified quality responses. The specified quality responses and the quality responses the firm designs and implements on its own are critical in addressing quality risks.
See, e.g., QC 20.10, .13a, .13b, and .15a.
See paragraph .34 of ISQM 1.
For example, the specified quality response requiring mandatory training may address some of the quality risks related to certain quality objectives in the resources component (e.g., hiring, developing, and retaining firm personnel). However, mandatory training alone will not be sufficient to address all the quality risks that may be identified for that quality objective and will have to be combined with additional firm-developed quality responses.
See QC 1000.48.
See QC 1000.44a.
d. Modifications to the Quality Objectives, Quality Risks, or Quality Responses (QC 1000.22-.23)
The standard requires firms to take proactive measures to address new quality risks that may come up between the firm's periodic risk assessments. To the extent practical, these policies and procedures would be not just retrospective, but also forward-looking, so the firm could anticipate and plan for significant changes. For example, a new accounting standard may result in a firm identifying a new quality risk that firm personnel may misinterpret the new standard. Identifying this risk prior to the next annual risk assessment may prompt the firm to revisit its quality responses that are affected by this event, and thus avoid potential problems in future engagements.
One commenter suggested that it may be cost beneficial to require or encourage audit firms' QC leaders to stay current with developments in auditing literature to put them in a better position to triage newly identified quality risks and identify engagements susceptible to those risks. Another commenter recommended that firms be required to create an individual or other entity charged with maintaining situational awareness.
The Board notes that paragraph .22 of QC 1000 requires firms to establish policies and procedures for monitoring changes to conditions, events, and activities that indicate modifications to the firm's quality objectives, quality risks, or quality responses may be needed. In addition, the individual(s) responsible for monitoring such changes are subject to the general due professional care standard of QC 1000.10, which requires a critical assessment of the relevant information (which would include relevant literature). In light of these overarching requirements, the Board does not consider it necessary to add the specific provisions that commenters suggested. Rather, the Board believes that allowing flexibility for firms to establish policies and procedures to monitor, identify, and assess changes to conditions, events, and activities encourages firms to concentrate their efforts on the risks most relevant to them and contributes to the standard being appropriately scalable. A firm may of course determine, based on its nature and circumstances, that it is appropriate to establish specific policies and procedures for the monitoring of developments in auditing literature or to charge a specific individual with maintaining situational awareness.
Policies and procedures in this area may vary, depending on the size and complexity of the firm and the types and variety of engagements it performs. For a larger firm operating in a complex environment and auditing a wide range of different types of companies, such policies and procedures would be extensive. For example, they could involve periodic meetings with teams across the firm to gather and analyze the necessary information to enable the firm to identify changes to conditions, events, and activities that may require modification of the firm's quality objectives, quality risks, or quality responses. Smaller and less complex firms, operating in a less varied and more stable environment, may have a less extensive set of policies and procedures.
If the firm identifies changes to conditions, events, or activities indicating modifications to the quality objectives, quality risks, or quality responses may be needed, the standard requires the firm to determine what, if any, modifications are needed, and to make them on a timely basis. The timing depends on the nature and extent of the modification needed. In some circumstances, immediate action may be required, whereas in other cases, if the impact on risk is less urgent, immediate action is not necessary. Modifications not implemented in a timely manner may fail to prevent quality risks from occurring and adversely affecting the quality objective. For example, in the case of a new accounting standard, the firm would need to implement any necessary modifications to its quality responses in time so that, once the standard became effective, firm personnel would be able to apply it properly.
2. Current PCAOB Standards
Under current PCAOB QC standards, firms have a responsibility to establish and maintain a QC system to provide the firm with reasonable assurance that its personnel comply with applicable professional standards and the firm's standards of quality. The current QC standards make few explicit statements about risk assessment.
See, e.g., QC 20.16 (explaining that a firm's policies and procedures should provide for obtaining an understanding with the client about the services to be performed, to minimize the risk of misunderstandings); QC 30.05 (identifying risks associated with the firm's practice as a consideration in determining the need for and extent of internal inspection procedures in monitoring the firm's QC system).
Governance and Leadership
The governance and leadership component of the firm's QC system addresses the environment that enables the effective operation of the QC system and directs the firm's culture, decision-making processes, organizational structure, and leadership. A firm's culture and tone, as set by leadership, can and should promote the importance of quality.
The PCAOB has long considered firm governance and leadership to be an important aspect of firms' QC systems. For example, PCAOB inspections have historically covered the firm's tone at the top, a foundational aspect of governance and leadership, during the process for reviewing firms' QC systems. PCAOB inspection procedures focus on how firm management is structured and whether actions and communications by the firm's leadership—the tone at the top—demonstrate a commitment to audit quality.
See, e.g., Report on the PCAOB's 2004, 2005, 2006, and 2007 Inspections of Domestic Annually Inspected Firms, PCAOB Rel. No. 2008-008 (Dec. 5, 2008) at 6, available at https://pcaobus.org/Inspections/Documents/2008_12-5_Release_2008-008.pdf; Staff Inspection Brief, Vol. 2017/3: Information about 2017 Inspections (Aug. 2017) at 8, available at https://pcaobus.org/Inspections/Documents/inspections-brief-2017-3-issuer-scope.pdf.
See https://pcaobus.org/oversight/inspections/inspection-procedures for information related to the PCAOB's inspection procedures.
1. QC 1000
a. Governance and Leadership Quality Objectives (QC 1000.24)
Under QC 1000, a firm is required to establish quality objectives for the governance and leadership component in several different areas:
- The firm's commitment to quality;
- Organization and governance structure; and
- Resources.
i. The Firm's Commitment to Quality (QC 1000.25.a-d)
The firm's commitment to quality is an important factor in influencing the behavior of firm personnel and the conduct of engagements. The Board believes that the firm's commitment to quality is most effectively demonstrated through the communications, actions, behaviors, and directives of leadership at all levels of the firm. Accordingly, the quality objectives related to commitment to quality are directed at the communications, actions, and accountability of firm leadership.
Frequent and consistent communication from leadership to firm personnel regarding the commitment to quality is important in order to create an appropriate culture and tone at the top. Paragraph .25a. focuses on communicating and promoting key professional attributes by recognizing and reinforcing the firm's role in protecting the interests of investors and the public interest by meeting the firm's responsibilities; the importance of adhering to appropriate standards of conduct; the importance of professional ethics, values, and attitudes; and expected behavior and responsibility of firm personnel for quality both in QC-related activities and the performance of engagements. Collectively, these attributes and expected behaviors are the foundation of an effective QC system.
To achieve an appropriate tone at the top, however, it is not enough for firm leadership to “talk the talk.” They also have to “walk the walk.” Accordingly, paragraphs .25b. and .25c. establish objectives with regard to leadership's responsibility for and commitment to quality, including through leadership's own behavior. For example, leadership would demonstrate a commitment to quality by acting in a manner consistent with the firm's communications described in paragraph .25a. regarding expectations of firm personnel. Conversely, repeated failure to take steps to address known quality concerns would demonstrate a lack of commitment to quality.
One commenter sought clarification on the term “leadership,” including whether it relates only to the specified roles in paragraphs .11 and .12, or to all partners and equivalents in the firm. Under QC 1000, leadership is not limited only to those in specified QC roles. While the composition of leadership may vary due to the nature and circumstances of the firm and its engagements and how the firm chooses to organize itself, it includes firm-wide leadership; the executive team; regional, office, and industry segment leadership; and any other levels of leadership the firm may establish. Not all partners or partner equivalents are necessarily leadership; it would depend on the role of the individual.
Firms and firm-related groups were broadly supportive of the Board's proposed quality objectives for governance and leadership. However, several commenters, mostly investors and investor-related groups, urged the Board to go further in stressing the role of firm leadership and the QC system as a counterbalance to the economic incentives that may drive firms to compromise on quality. Some suggested that compensation plans should weigh quality as much as, or more than, revenue generation. One investor-related group suggested that the standard should increase accountability for the firm and firm leadership's quality control efforts. Another investor stated that audit quality should be required to be considered at the time of the appointment of firm leadership. One commenter suggested that leadership's accountability should not be limited to deficiencies and outcomes but extended to acknowledge positive behaviors and processes.
After considering these comments, the Board revised paragraph .25b to explicitly mention performance evaluation and compensation in the context of defining leadership's responsibility for quality and holding leadership accountable. The Board believes this will drive increased clarity about the scope of leadership's responsibilities and increased accountability for an effective QC system, and will prompt firms to focus on their expectations for leadership behavior and the incentives that drive it. Firms can use a variety of different means to define the responsibility for quality and drive accountability—from firmwide communications and policies to individualized job descriptions, performance targets, promotion criteria, compensation schemes, and sanctions—and can acknowledge both outcome-based and process-based measures and both positive and negative behaviors. The revised quality objective reflects that performance evaluation and compensation play a necessary role in that process.
While the Board agrees with the commenter that quality considerations should be taken into account in the appointment of firm leadership, the Board believes other quality objectives already address that issue, such as paragraph .44g of QC 1000. Additionally, the criteria for appointing firm leadership may appropriately vary based on the size of the firm and the nature of its practice, so the Board has avoided being prescriptive in that regard. For example, a larger firm may have numerous candidates for leadership roles with many criteria considered for appointment, but smaller PCAOB audit practices may have limited personnel eligible for leadership roles.
As noted in the proposal, paragraph .25d. focuses on the firm's commitment to quality in relation to its strategic decisions and actions, which include matters such as the firm's financial goals, growth of the firm's market share, industry specialization, business combinations, new geographic markets, and new service offerings. The quality objective emphasizes that a firm's strategic decisions and actions should be consistent with and support the firm's commitment to quality.
One commenter expressed concern that strategic actions may take extended periods of time to yield benefits to quality, and it may be challenging for firms to demonstrate that such actions are consistent with a commitment to quality. The Board notes, however, that this quality objective does not prescribe any specific time horizon, and the Board believes it is wholly consistent with both short-term measures and long-term investments in technology, training, knowhow, and other means of strengthening a firm's audit practice that may take an extended period to yield measurable improvements.
Some investors and investor-related groups suggested that the Board require a clear separation of duties between those responsible for audit quality and those responsible for commercial interests. Two of those commenters cited the regulation of credit ratings agencies as an example of appropriate separation of regulated activity and commercial interests. Another commenter cited with approval the 2007 amendments to the AICPA QC standard, which included application material to the effect that QC leaders should have the authority to implement policies and procedures to ensure that others within the firm will not override those policies to meet short-term financial goals (a concept that does not appear in other QC standards).
See 17 CFR 240.17g-5(c)(8), pursuant to which ratings agencies are prohibited from having any person who participates in determining or monitoring a credit rating, or developing or approving procedures or methodologies used for determining a credit rating, also participate in sales or marketing or be influenced by sales or marketing considerations.
See AICPA, QC Section 10, A Firm's System of Quality Control, paragraph .A5.
The Board considered mandating a greater degree of separation between decision-making about QC and potential commercial motivations, as these commenters suggested, but the Board does not believe such separation can be achieved by all firms, especially firms with smaller PCAOB audit practices with limited leadership roles. As discussed in more detail below, the Board is requiring firms with larger PCAOB audit practices to include an element of independent oversight of their QC system. Moreover, the Board does not believe it would be appropriate to mandate a fully separate or independent QC function. Potential conflicts of interest at the engagement level are addressed in numerous ways in the Board's regulatory scheme: through independence requirements, ethical requirements of integrity and objectivity, and the basic requirement of professional skepticism, a critical aspect of due professional care. At the firm level, the Board believes that those conflicts can best be addressed by emphasizing the responsibility and accountability of firm leadership. QC 1000 requires that responsibility for QC reside at the highest levels of firm leadership, and that leaders are evaluated and compensated in a way that creates accountability. In the Board's view, appropriately incentivized firm leadership are best positioned to set the tone and establish a quality-focused culture throughout the firm. Rather than requiring firms to segregate the governance of the firm's audit practice from the firm's other commercial interests, the Board believes the quality objectives described in paragraph .25 will promote responsibility for and commitment to quality, while allowing firms to develop quality responses appropriate to their particular governance structure.
See PCAOB Rule 3500T, Interim Ethics and Independence Standards.
See EI 1000, Integrity and Objectivity.
The general principles and responsibilities of the auditor when conducting an audit, including professional skepticism and due professional care, are being reaffirmed and combined in AS 1000, as adopted. See Auditor Responsibilities Release.
Lastly, one commenter suggested the governance and leadership component should promote diversity, equity, and inclusion in recruiting talented leaders, a governance body, and auditors. Another commenter suggested leadership can demonstrate its commitment to quality through providing ongoing, meaningful support of scholarly audit and accounting research. The Board has not revised the standard to reflect these specific suggestions; however, firms may identify quality risks and design and implement quality responses in these areas to achieve the quality objective in paragraph .25a or other quality objectives established by the firm.
ii. Organizational and Governance Structure (QC 1000.25.e)
Establishing and maintaining appropriate firm organizational structures provides an institutional framework supporting the firm's QC system and the performance of the firm's engagements. Organizational structures may include operating units, operational processes, divisions, and geographical locations.
Firm organizational structures may differ based on the size and complexity of the firm in order to be flexible, scalable, and proportionate to the circumstances of the firm. Some firms may concentrate or centralize processes or activities and other firms may have a decentralized approach. Some firms may use internal shared service centers in the operation of the firm's QC system or to enable the performance of its engagements.
A firm's governance structure may include a governing board or committee with representation from various service lines, or with members who are independent of the firm. Such a governing board may have subcommittees to assist it with managing specific areas, such as strategic planning, resource planning, the firm's risk assessment process, and the monitoring and remediation process.
When the Board refers to independence in the context of firm governance, it means the criteria typically applied to independent directors of issuers. See, e.g., New York Stock Exchange (“NYSE”) Listed Company Manual, Section 303A.01-.02; Nasdaq Rule 5605(a)(2). This is distinct from the requirements for auditor independence from the audit client, discussed below.
Paragraph .25e., which did not attract specific comment and which the Board adopted as proposed, will drive a firm's organizational and governance structure to enable the design, implementation, and operation of the QC system and support performance of the firm's engagements in accordance with applicable professional and legal requirements. This results-oriented approach focuses on whether the QC system actually works as intended and allows firms to tailor the establishment of their governance structure. Additionally, the firm would consider the complexity and operating characteristics of the firm as part of performing its risk assessment process and identifying quality risks.
Appendix B includes an example regarding the existence and extent of governance structures providing oversight of leadership. See QC 1000.B2.g.
The assignment of roles, responsibilities, and authority within the firm's organizational structure is a key aspect of the design, implementation, and operation of the QC system. Establishing clear roles and responsibilities and clear lines of authority helps to translate the broad institutional objectives of the QC system into individual actions to be performed and monitored, and for which individuals can be held accountable. The assignment of roles and responsibilities may vary across firms depending on the nature and circumstances of the firm and its engagements. For example, in a smaller firm with a limited number of individuals in leadership roles, the individual with oversight of the firm may assume all of the roles and responsibilities related to the QC system. A larger firm may have multiple levels of leadership that align to the firm's organizational structure.
See Roles and Responsibilities above, for a discussion of specific roles and responsibilities that are required to be assigned.
iii. Resources (QC 1000.25.f)
The firm's resources enable the operation of the firm's QC system and the performance of the firm's engagements. Firm leadership influences the nature and extent of the resources that the firm obtains, develops, uses, and maintains, and how those resources are allocated or assigned, including the timing of when they are used. This quality objective, which did not draw comment and which the Board adopted as proposed, emphasizes the importance of the firm having the necessary resources, and allocating them appropriately, such that the firm's QC system is designed, implemented, and operated effectively and the firm's engagements are performed in accordance with applicable professional and legal requirements.
See Resources below, for a discussion of the different types of resources.
b. Governance and Leadership Specified Quality Responses (QC 1000.26-29)
The proposal included three specified quality responses in the governance and leadership component, discussed in greater detail below. Some firms and a firm-related group objected generally that the specified quality responses were overly prescriptive and unnecessary, and suggested they should be reformulated as risk-based quality objectives. Other firms generally supported including specified quality responses.
The Board believes the specified quality responses address important risks that justify specific requirements and has retained them in the final standard. Firms are required to include these specified quality responses when designing and implementing quality responses to address the quality risks in the governance and leadership component.
Proposed QC 1000 included a requirement for the firm to establish and maintain clear lines of responsibility and supervision within its QC system. A commenter argued that the quality objective in paragraph .25e is sufficient and the specified quality response was not necessary. While paragraph .27 may address a portion of the firm's quality response to .25e, the Board believes paragraph .27 provides additional direction that is appropriate for all firms. Establishing and maintaining structures within the firm—including defining authorities, responsibilities, accountabilities, and supervisory and reporting lines for roles within the firm—will support the effective design and operation of the QC system and the performance of the firm's engagements, regardless of the size of the firm or the types of engagements it performs. The requirement also complements the documentation requirements of QC 1000.
See QC 1000.82a. for the documentation requirements related to lines of responsibility and supervision.
One commenter expressed concern that this requirement, in combination with the requirements of paragraph .12, could result in a prescriptive, hierarchical approach that would not be desirable or practical. The requirement in the final standard is intended to enhance supervision within the context of firms' existing QC systems and supervisory structures. It does not require firms to develop or adopt any particular supervisory structure and would be compatible with a range of different approaches, including very flat structures.
The commenter also expressed concern that individuals acting in a supervisory capacity could face liability beyond what exists under Sarbanes-Oxley, which may disincentivize teaming. As discussed above, paragraphs .15, .16, and .17 of the final standard prescribe specific supervisory roles within a firm's QC system, and the individuals who fill those roles are supervisory persons who must exercise reasonable supervision for purposes of section 105(c)(6) of Sarbanes-Oxley. Additionally, to the extent that other individuals are assigned supervisory responsibilities in light of paragraph .27's specified quality response, those individuals, like all who are involved in the design, implementation, and operation of the QC system, must exercise due professional care as set forth in paragraph .10 of the final standard.
Another commenter recommended that individuals in supervisory roles should be held liable only for knowing or reckless violations. The Board notes that paragraph .27 does not itself create responsibilities for supervisory personnel or prescribe standards of liability that apply when those responsibilities are not met. Those issues are addressed elsewhere in the PCAOB's standards and rules, including in the roles and responsibilities component of QC 1000 and PCAOB Rule 3502, as well as in section 105(c)(6) of Sarbanes-Oxley. In the Board's view, the requirement to establish and maintain clear lines of authority and supervision primarily serves to clarify how the QC system is structured and how it operates, by laying out clearly the authorities, responsibilities, accountabilities, supervisory and reporting lines, and who is responsible for each element of the QC system. If the requirement has consequences in terms of individual accountability and liability, that would only be because it removes any doubt about which individuals are acting in a supervisory capacity and the scope of their respective responsibilities, thereby clarifying how these other provisions should be applied.
See PCAOB Rule 3502. The Board has proposed to amend Rule 3502 to change the standard of conduct for associated persons' contributory liability from recklessness to negligence and to provide that an associated person contributing to a violation need not be an associated person of the registered firm that commits the primary violation. See PCAOB Rel. No. 2023-007.
Under section 105(c)(6) of Sarbanes-Oxley, if an associated person of a registered public accounting firm violates any provision of law, rules, or standards referenced in section 105(c)(6), the Board may impose sanctions on the firm or its supervisory persons if the Board finds that there was a failure reasonably to supervise that associated person with a view to preventing such a violation. The Board has adopted a rule related to section 105(c)(6) that provides for commencing a disciplinary proceeding if it appears that a firm or its supervisory personnel have failed reasonably to supervise an associated person who has committed a violation. See PCAOB Rule 5200, Commencement of Disciplinary Proceedings, at (a)(2); see also, e.g., In the Matter of Scott Marcello, CPA, PCAOB Rel. No. 105-2022-004 (Apr. 5, 2022) (imposing sanctions under section 105(c)(6)); In the Matter of WWC, P.C., PCAOB Rel. No. 105-2022-006 (Apr. 19, 2022) (same); In the Matter of KPMG Inc., Cornelis Van Niekerk, and Coenraad Basson, PCAOB Rel. No. 105-2022-015 (Aug. 29, 2022) (same).
The proposal included a specified quality response to incorporate an oversight function for the audit practice including at least one person from outside the firm, which would apply to firms that issue audit reports with respect to more than 100 issuers. See Scalability above, for a discussion of the 100-issuer threshold.
Comments were mixed on the need for and potential breadth of this requirement. The Board received several comments, primarily from investors and investor-related groups, suggesting that the proposed requirement did not go far enough. Some commenters stated that the oversight function should not be limited to one individual but instead a larger number (such as three) of independent non-employee members should be required, or potentially an advisory council or committee of the firm's board of directors with multiple or even a majority of independent non-employee members. Some of these commenters asserted that requiring only one person with undefined authority to serve in an oversight role makes it unlikely to be effective and falls short of the 2008 recommendations of the U.S. Treasury Department's Advisory Committee on the Auditing Profession, which suggested consideration of “firms appointing independent members with full voting power to firm boards and/or advisory boards with meaningful governance responsibilities.” One commenter objected that the requirement only mandates practices that are already in place at the largest firms, and so will not generate any change. Another commenter asserted that there is little merit in requiring an independent member of the firm's oversight function without also considering the balance of the oversight function and the contribution of the independent member. Others called for more specificity about the individual's role, including specific powers, such as the power to meet with firm management and obtain relevant information. Some investor-related groups also called for transparency on the role of the non-employee members.
U.S. Treasury Department, Advisory Committee on the Auditing Profession Final Report (Oct. 6, 2008) at VII.8.
Many commenters, including some larger firms, supported the oversight role. Two commenters suggested that the requirement for an independent oversight function be extended to apply to all firms that issue audit reports for issuers and one of these commenters suggested having firms consider whether an independent function is an appropriate response to achieving the quality objectives.
Other commenters, including some mid-sized firms, did not support the specified quality response and suggested it should be a quality objective instead. One firm suggested that the objective could be better accomplished by designating an “audit quality expert” on a firm's board (similar to a “financial expert” on an audit committee) or by hiring independent external QC advisers. Some commenters expressed concern about the lack of specificity and clarity regarding the role, including questions regarding the individual's authority and function. One noted that the individual was not required to be a CPA and asserted that the need for and benefits of the role had not been sufficiently articulated; on that basis, the commenter did not support it. Another commenter did not see the linkage between the specified quality response and the quality objectives and suggested that the lack of definition of the role, coupled with a lack of clarity about which quality objectives were being addressed, would make implementation challenging. Other commenters stated that finding individuals to fill this role may be challenging.
Some commenters requested guidance on how to implement the requirement, including with respect to the qualifications or roles of the individuals. One firm sought clarity on whether supervisory liability under Sarbanes-Oxley section 105(c)(6) would apply equally to members with an oversight or advisory function. Some commenters, including firms, expressed concern about the potential scope and meaning of the terms such as “governance structure,” “independent judgment,” and “oversight function,” and requested confirmation that current practices such as independent advisory boards are a permissible approach. One firm requested an extended implementation period to allow time for firms to design and implement the oversight function, including identifying and onboarding appropriate individuals.
Based on the comments received, the Board refined the proposed requirement to provide additional specificity and clarity. The final rule refers to an “external” oversight function “for the QC system composed of one or more persons,” none of whom has a disqualifying relationship with the firm. This more precise language clarifies that the focus is on the QC system and emphasizes that the function is to be carried out entirely by one or more persons external to the firm, who are not principals or employees of the firm and do not have any other relationship with the firm that would interfere with the exercise of independent judgment with regard to QC-related matters. The Board also added a name for the position—External QC Function, or EQCF—which it believes clarifies and underscores that the person or persons are external to the firm and serve in a QC-focused role. The Board also conformed the provision to the descriptions in QC 1000.12 of other specified QC system roles by providing that the EQCF should have the experience, competence, authority, and time necessary to enable them to carry out the responsibilities assigned to them by the firm.
Firms may assign other functions to the person or persons serving in the EQCF role so long as the specified QC function can be carried out as set forth in the standard and discussed in this release.
To clarify what is entailed in “an external oversight function for the QC system,” the final standard also specifies a baseline requirement that the EQCF's responsibilities should include evaluating, at a minimum, the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system. The Board believes this addition is responsive to commenters who requested clarification of the proposal, as well as those suggesting that the standard include some specific requirements with respect to the role. The Board expects that firms will make a number of significant judgments in performing and reporting on their QC system evaluation. The Board expects that the person or persons serving in this external oversight function will evaluate judgments made by firm personnel in the firm's evaluation of the firm QC system and the required reporting.
The evaluation performed by the EQCF will be in some respects analogous to the EQR's evaluation of significant judgments made by the engagement team and the related conclusions reached in forming the overall conclusion on the engagement and in preparing the engagement report. Like the EQR, the EQCF will review and evaluate work performed by others, not redo the work, and must exercise due professional care in performing their responsibilities.
See AS 1220.09.
See QC 1000.10; AS 1220.12.
However, there are important differences between the requirements for the EQR and the EQCF. Unlike the EQR standard, QC 1000 does not impose specific limits on the length of service of the EQCF, though firms should consider the potential for arrangements relating to length of service, such as term limits and protections against removal, to prevent the creation of a relationship with the firm that impairs independent judgment. QC 1000 also does not specify the procedures the EQCF should perform to evaluate the significant judgments made and related conclusions reached. These may vary based on the circumstances of the firm and the design, implementation, and operation of its QC system, but must be sufficient to enable the EQCF to perform their evaluation with due professional care. In addition, unlike the EQR standard, QC 1000 does not require that the EQCF provide concurring approval of reporting, although firms would be free to establish such concurring approval as a matter of policy. Documentation will have to be prepared and maintained in sufficient detail to evidence how the quality response operated. This will form part of the QC documentation supporting the firm's ongoing risk assessment and monitoring and remediation efforts, as well as the Board's oversight activities. Under QC 1000.65, firms will be required to consider the EQCF's evaluation in their ongoing monitoring of the QC system (including monitoring of the evaluation process).
QC 1000.83b. The Board expects such documentation to include both (1) how the EQCF evaluated the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system and (2) the results of the EQCF's evaluation.
Separately, the Board carefully considered commenter suggestions to increase the required number of independent individuals and to establish specific eligibility criteria for them. Given the oversight responsibility of an EQCF, the Board believes at least one person is always necessary and firms may determine, based on their circumstances, that more than one person is needed to appropriately carry out the function. The Board believes the requirement will respond to the quality objective in paragraph .25e by ensuring an independent perspective on QC matters, but it does not supplant firm leadership or relieve them of their fundamental responsibility to instill and maintain a firm culture that appropriately prioritizes QC. Accordingly, the Board does not believe it would be appropriate to mandate a specific number of individuals or the specific credentials they must have (besides their ability to exercise independent judgment with regard to matters related to the QC system and the general requirement that they have the experience, competence, authority, and time necessary to enable them to carry out their assigned responsibilities). Rather, the decision will be based on specific skillsets of the person or persons in this function to be able to carry out the requirements of the function. In that regard, firms may conclude that one or more persons appointed to the EQCF should be non-auditors to bring a greater diversity of perspectives to the function.
Beyond the minimum responsibilities specified in the standard, the Board gave firms flexibility in establishing other responsibilities of the EQCF, enabling the function to best respond to the nature and circumstances of the firm. For example, if the firm has experienced an increase in recurring engagement deficiencies, the firm may charge the EQCF with reviewing and evaluating the firm's remediation actions and monitoring plan. As another example, a firm may assign the EQCF with strategic responsibilities, such as maintaining situational awareness through the identification and monitoring of emerging risks or trends that could potentially affect the firm's QC system. While QC 1000 specifies that the EQCF exercise oversight over the QC system, the firm may also choose to extend its authority more broadly. The responsibilities assigned to the EQCF will in turn drive decisions about the scope of the EQCF's authority. At a minimum, that will entail sufficient access to information, documentation, and firm personnel to enable evaluation of the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system, but it could be broader depending on the scope of the EQCF's responsibilities as assigned by the firm. Consideration of the experience, competence, and time necessary to serve in the role will likewise depend on the responsibilities assigned by the firm.
The scope of the firm policies and procedures regarding the EQCF will also depend on its role and the associated risks. For example, pursuant to QC 1000.53g, firms will have to develop policies and procedures regarding information communicated to and obtained from the EQCF.
The firm may consider many matters when establishing an EQCF. Such matters could include:
- The responsibilities assigned by the firm to the EQCF, including those specified in QC 1000;
- The qualifications required of the individual(s) assigned to fulfill those responsibilities, including those specified in QC 1000;
- The scope of authority afforded to the EQCF in light of the assigned responsibilities;
- Whether to establish a direct line of communication from the EQCF to the individual assigned ultimate responsibility and accountability for the QC system as a whole, or the individual assigned operational responsibility for the QC system as a whole, or both;
- Whether to require that the EQCF comply with independence requirements applicable to auditors;
- The level of external transparency of the EQCF's role and responsibilities;
- The compensation structure for the EQCF; and
- The term of service for the EQCF, including restrictions on removal and limits on length of service.
In making these determinations, the firm should be mindful of the requirement that members of the EQCF not have any relationship with the firm that would interfere with the exercise of independent judgment with regard to matters related to the QC system.
The EQCF could be, but would not be required to be, in the “chain of command” under the SEC independence rule. The Board does not believe that the EQCF would be a “supervisory person” under Sarbanes-Oxley section 105(c)(6) solely by virtue of having evaluated the significant judgments made and related conclusions reached by the firm when evaluating and reporting on the effectiveness of the firm's QC system. However, depending on the nature and degree of their responsibility, ability, or authority to affect the conduct of the firm's associated persons, as established by the firm, the EQCF could be subject to Sarbanes-Oxley section 105(c)(6).
See 17 CFR 210.2-01(f)(8).
The Board has not required the results of the EQCF's evaluation to be publicly disclosed. However, nothing set forth in this release would limit or prohibit firms from disclosing any information about the EQCF's activities—including the EQCF's practices, methods, or procedures, or the manner or results of the EQCF's evaluation—if the firm chooses.
For a discussion of certain legal constraints imposed by Sarbanes-Oxley on the Board's ability to require public disclosure of certain QC-related information, see Section IV.L.1.c.ii. As part of a separate project, the Board has proposed a requirement for firms that have an EQCF to disclose the identity of the person or persons, an explanation for the basis of the firm's determination that each such person is independent of the firm (including the criteria used for such determination), and the nature and scope of each such person's responsibilities. See PCAOB Rel. No. 2024-003.
Based on comments received and experience with inspections of firms' systems of quality control, the Board believes that investors, audit committees, and other stakeholders will benefit from the EQCF's evaluation even in the absence of public disclosure. An external oversight function should enhance the discipline with which the firm carries out its own QC system evaluation. As the Board observes the implementation and performance of the EQCF through its inspection activities, the PCAOB may publish observations or good practices. For these reasons, the Board believes that the EQCF will support improvements in firms' systems of quality control, ultimately benefiting investors, audit committees, and other stakeholders.
People internal and external to the firm can help a firm identify instances of noncompliance with applicable professional and legal requirements earlier than might be possible through the firm's own monitoring. The proposal included a specified quality response requiring policies and procedures for addressing potential noncompliance with applicable professional and legal requirements and with the firm's policies and procedures with respect to the QC system, the firm's engagements, firm personnel, or other participants.
In addition, through this process information may be received regarding noncompliance with laws and regulations by companies that engage the firm.
This would include clearly defining channels within the firm that enable reporting of complaints and allegations by firm personnel and external parties (e.g., employees of companies or other participants) and establishing procedures for appropriately investigating and addressing such complaints and allegations, including complying with any applicable reporting or other requirements.
A firm's program for addressing complaints and allegations may be subject to requirements under applicable law regarding whistleblowers (such as, for example, N.Y. Labor Law Section 740). However, such a program should not be confused with a whistleblower program established and administered by the Federal government, including the program administered by the SEC, which has its own requirements and protections. See, e.g., 17 CFR 240.21F-1 through .21F-18. To the extent a firm's program for addressing complaints and allegations provides protective measures, such as confidentiality and non-retaliation, based only on firm policy and not on law, such protective measures may not create legally enforceable rights.
The proposal sought comment on the appropriateness of this specified quality response, and whether any additional specified quality responses should be considered. Two firms that commented supported the specified quality response. Two other firms expressed concern with the prescriptiveness of other participants being included in the requirement. One investor suggested there should be an explicit requirement for a whistleblower mechanism with key protections such as confidentiality and protection against retaliation, and that the individual responsible for the firm's QC system be responsible for the investigation of whistleblower complaints and remediation of QC issues identified by whistleblowers.
The Board adopted the specified quality response with some modifications, described below. The Board believes that establishing policies and procedures that support the reporting and investigation of potential noncompliance will assist firms in complying with applicable professional and legal requirements. It will also assist them in identifying and dealing with individuals, including those in leadership, who fail to comply with applicable professional and legal requirements or the firm's policies and procedures. Finally, it may result in firm personnel or external parties identifying and communicating deficiencies in the QC system.
The final provision retains the reference to other participants, as the Board believes it is important for the firm to capture any potential noncompliance with applicable professional and legal requirements, including with regard to work performed by other participants that relates to the firm's QC system or the firm's engagements.
The Board has expanded the requirements related to the firm's policies and procedures for collecting and addressing complaints and allegations to explicitly require that they:
- Be made available to all firm personnel and other participants;
- Address processes and responsibilities for receiving, investigating, and addressing complaints and allegations; and
- Include protecting persons making complaints and allegations from retaliation.
The Board also expanded the specified quality response to require firms that issued audit reports with respect to more than 100 issuers during the prior calendar year to include confidentiality protections in their policies and procedures.
The firm's policies and procedures regarding complaints and allegations should be made available to all firm personnel and other participants, which could occur by posting them on an intranet site or providing such policies and procedures to other participants upon engagement. The policies and procedures should include identifying who is responsible for receiving, investigating, and addressing complaints and allegations; describing the process for submitting complaints and allegations; and describing how the firm will investigate and address complaints and allegations received. The Board also specified that the policies and procedures should explicitly address protection against retaliation of persons making complaints and allegations, which the Board believes is a critical element of any effective program for receiving complaints and allegations.
The required policies and procedures regarding investigating and addressing complaints and allegations allow scalability. The process for investigating and addressing a complaint or allegation would vary, commensurate with and responsive to the significance of the complaint or allegation.
For firms that issued audit reports with respect to more than 100 issuers during the prior calendar year, the policies and procedures will have to provide a confidential and anonymous submission process for complaints and allegations, similar to the requirements for audit committees under the Exchange Act. For example, a firm may have a confidential and anonymous submission process through a website, toll-free number, or mobile app, and could manage the process in-house or through a third-party provider. The firm's policies and procedures will also have to provide for protection, during the investigation, of the confidentiality of individuals and entities who make complaints and allegations. The Board believes this requirement specifically targets and responds to potential quality risks that are more likely to arise in audit practices of a certain size and complexity. However, firms that are not subject to this express requirement may nevertheless determine that such requirements are a necessary or appropriate quality response to address their quality risks.
See 15 U.S.C. 78j-1(m).
2. Current PCAOB Standards
Existing PCAOB QC standards contain limited references to firm governance and leadership. For example:
- The SECPS member requirements on independence quality controls provide that the importance of compliance with such independence standards, and the QC standards, should be reinforced by management of the member firm, thereby setting the appropriate tone at the top and instilling its importance into the professional values and culture of the member firm; and
- The SECPS member requirements provide that member firms should communicate to all professional firm personnel the broad principles that influence the firm's quality control and operating policies and procedures on, at a minimum, matters related to the recommendation and approval of accounting principles, present and potential client relationships, and the types of services provided, and inform professional firm personnel periodically that compliance with those principles is mandatory.
Ethics and Independence
This component addresses the fulfillment of firm and individual responsibilities under relevant ethics and independence requirements. Adhering to such requirements is a foundational concept that not only promotes audit quality but also safeguards the vital role that auditors play within the capital markets.
The ethics and independence component of the standard has been tailored to the ethics and independence requirements that apply to engagements performed under PCAOB standards. Under the standard, ethics and independence requirements include the PCAOB's ethics and independence standards and rules, the SEC's rule on auditor independence, and other applicable requirements regarding accountant ethics and independence, such as those arising under state law or the law of other jurisdictions (e.g., obligations regarding client confidentiality). The Board clarified that the reference to other applicable requirements is limited to those that are relevant to fulfilling auditor obligations and responsibilities in the conduct of engagements or in relation to the QC system. The standard requires firms to establish quality objectives related to ethics and independence requirements and design and implement specified quality responses.
Footnote 10 to QC 1000 provides: Ethics and independence requirements include PCAOB independence and ethics standards and rules, the U.S. Securities and Exchange Commission (“SEC”) rule on auditor independence, and other applicable requirements regarding accountant ethics and independence that are relevant to fulfilling their obligations and responsibilities in the conduct of engagements or in relation to the QC system, such as those arising under state law or the law of other jurisdictions. See, e.g., 17 CFR 210.2-01, and PCAOB Rules under Section 3. Auditing and Related Professional Practice Standards, Part 5—Ethics and Independence.
1. QC 1000
a. Ethics and Independence Quality Objectives (QC 1000.31)
Understanding of and compliance with ethics and independence requirements are fundamental to the auditor's role. Adherence to standards of professional ethics is as important as adherence to requirements regarding auditor independence, and firms' QC systems should address both. Under the standard, firms are required to establish quality objectives that address understanding of and compliance with ethics and independence requirements. While maintaining independence and adhering to ethical requirements is each individual's responsibility, the firm also has responsibility and plays a critical role in ensuring that individuals understand those requirements and have the tools and resources they need to comply.
One firm suggested that the Board clarify the ethical requirements that are subject to the responsibility of the individual assigned operational responsibility for the firm's compliance with ethics and independence requirements. The firm specifically commented that competence and due care are characteristics required by both ethical standards and QC standards, and as a result, there could be confusion over whether such requirements are ethical requirements or quality control requirements when determining the responsibility of the individual assigned operational responsibility for the firm's compliance with ethical and independence requirements. In some cases, a matter may be applicable to the responsibilities of both the individual assigned operational responsibility for the firm's compliance with ethics and independence requirements and the individual assigned operational responsibility and accountability for the QC system as a whole. A firm could divide responsibilities based on the specific issues involved, so long as the lines of responsibility are clear (for example, duties of competence and due care in the context of the audit, codified under the PCAOB's ethics rules, could be assigned to the individual with operational responsibility for compliance with ethics and independence requirements, while duties of competence and due care in the context of QC system activities, codified in QC 1000, could be assigned to the individual with operational responsibility for the QC system).
Under the standard, the firm is required to establish a quality objective to identify conditions, relationships, events, and activities that could result in violations of ethics and independence requirements and evaluate and respond to such conditions, relationships, events, and activities on a timely basis. This will help the firm reduce the risk of noncompliance by identifying potential violations of ethics and independence requirements in time to prevent many violations and to quickly remediate violations that do occur. For example, a firm that plans to acquire another firm could identify the acquisition as an event that could result in independence violations by the personnel of the acquired entity. This could prompt the firm to develop policies and procedures that address onboarding processes for firm personnel of acquired entities around independence. These policies and procedures would assist in identifying and resolving potential independence violations before the acquisition is completed. One firm commented that as the proposed quality objectives for ethics and independence are broadly consistent with other jurisdictional and international quality control/management standards, it believes that they are appropriate, and no further changes are needed.
An investor-related group expressed concern that the proposal did not sufficiently address conflicts of interest, such as when an audit firm performs other services for the audited company. The investor-related group further commented that without clear separation between those responsible for quality control and those responsible for maintaining client relationships and winning consulting contracts, investors can have less than full confidence the system of quality control will ensure the necessary level of audit quality. The Board acknowledges that QC 1000 does not create new requirements regarding auditor independence. However, in relation to the commenter's specific concern about the performance of non-audit services, QC 1000 requires the QC system to operate over compliance with numerous restrictions on non-audit services that exist under current independence rules enacted in response to previous independence conflicts.
See, e.g., 17 CFR 210.2-01(c)(4); PCAOB Rules 3522-3526.
QC 1000 establishes quality objectives that apply to all firms. Within the ethics and independence component, firms are required to establish quality objectives that address both personal and firm-level compliance. Personal violations include such matters as owning stock in companies that are audit clients of the firm or its affiliated entities while a “covered person in the firm.” Firm-level violations include such matters as providing prohibited services or failing to obtain required audit committee pre-approval. The Board has also included specified quality responses that directly address the firm's policies and procedures for identifying and monitoring firm and personal relationships with audit clients to help mitigate the risk of potential violations. In addition, the roles and responsibilities requirements direct firms to assign an individual operational responsibility for the firm's compliance with ethics and independence requirements to provide oversight specifically focused on this area.
See 17 CFR 210.2-01(f)(11).
The quality objectives address compliance with ethics and independence requirements not just by firm personnel, but also by others who may be subject to ethics and independence requirements in relation to work they perform on behalf of the firm. These others may include, for example, “persons associated with a public accounting firm” as defined in PCAOB rules or “covered persons in the firm” under the SEC independence rule. The Board notes that these and other concepts used in the ethics and independence rules do not map directly to the terminology the Board generally uses in QC 1000. (For example, some “other participants,” such as other accounting firms, are subject to independence requirements, while others, such as engaged specialists and the company's internal auditors, are not.) To ensure that the requirements for this component of the QC system align with, and do not go beyond, the ethics and independence requirements over which the QC system would operate, in this component the Board uses terminology that incorporates or refers back to the underlying ethics and independence requirements. For example, rather than having quality objectives address compliance by “other participants,” in this component the quality objective addresses compliance by “others subject to [ethics and independence] requirements.”
See PCAOB Rule 1001(p)(i).
For example, because the definition of “accounting firm” under 17 CFR 210.2-01(f)(2) includes associated entities, “covered persons in the firm” may include personnel of network affiliates in addition to firm personnel.
One firm commented that it supported the direction of the quality objectives, but asserted that some of the terms were confusing as it related to “others subject to ethics and independence requirements.” The firm questioned whether these correspond to other participants as defined in the standard. The firm further commented that the terminology used for others subject to ethics and independence requirements could create operational challenges because those terms are open to interpretation and requested that the Board clarify the language the standard used. The firm suggested that the proposed requirements that contain this language could go beyond the intended applicability of the independence rules to the various parties contemplated. Again, the Board uses terminology in this component that incorporates or refers back to the terminology used in ethics and independence rules, terminology which it believes is well understood in those contexts. The Board uses it precisely to avoid going beyond the scope of existing ethics and independence requirements, and to ensure that QC 1000 addresses exactly the same population as the ethics and independence rules themselves.
One firm commented that while the proposed quality objectives for ethics and independence are appropriate and important, further clarification may be needed of how the objectives apply to firm personnel. Specifically, the firm argued that it could be inferred that the ethics and independence requirements extend to all individuals involved in the operation of the firm's QC system, including those individuals who are not subject to the requirements under the existing PCAOB and SEC independence rules, for example, data research teams. QC 1000 does not impose ethics and independence requirements on individuals who are not currently subject to them. References in the standard to “requirements” and “obligations” are to existing requirements and obligations which themselves specify to whom they apply. However, firms may choose to implement broader policies regarding ethical behavior that impose requirements on individuals who are not subject to the ethics and independence rules of the PCAOB and the independence rule of the SEC.
With respect to the timing of communication of violations to the individual assigned operational responsibility for the firm's compliance with applicable ethics and independence requirements, the quality objective states that such actions should take place on a timely basis. One firm agreed that timely communication of ethics and independence related matters within the firm is important for audit quality, but expressed concern that the prescriptive nature of the requirements addressing communications may detract from the achievement of the intended objectives. The firm suggested that it is important to recognize that the evaluation of certain matters would be done in accordance with the firm's policies and procedures, which are designed to strike a balance between prematurely alerting individuals to matters for which the facts and potential impacts are not sufficiently known and making sure those with ultimate responsibility for decisions are made aware on a timely basis. The final standard does not specify that all violations need to be communicated immediately. However, the Board believes timely communication and action should be sufficiently prompt to achieve its objective. In some cases, for example, where there is a high risk of a severe or pervasive problem, communication and action may have to be immediate to be timely.
b. Ethics and Independence Specified Quality Responses (QC 1000.32-.36)
The specified quality responses are primarily based on existing PCAOB ethics and independence requirements and SEC independence requirements, including the provisions regarding independence quality controls that currently apply to SECPS member firms. The Board incorporated these SECPS member requirements into QC 1000, with some refinements, and extended those requirements to all firms. The Board's view is that the SECPS requirements address matters that are generally relevant to a QC system operating over compliance with SEC and PCAOB independence rules. Since those rules apply to all firms that perform engagements for issuers and broker dealers, the Board believes it is appropriate to extend the SECPS requirements to all firms.
See SECPS 1000.46.
Under the standard, the firm is required to design, implement, and maintain policies and procedures for the following:
- General ethics and independence matters;
- Certain specific matters that may reasonably be thought to bear on independence;
- Communication regarding ethics and independence policies and procedures; and
- Mandatory training on ethics and independence.
One firm commented that it generally supports the specified quality responses and believes that it is appropriate to have the same set of independence requirements apply for all firms. Another firm suggested that the specified quality responses are not necessary to achieve the objectives of QC 1000. Instead of prescriptive specified responses, the firm suggested that the standard include more specified quality objectives which would promote scalability and allow for future adaptations to technological or other innovations. Another commenter said that the proposal expanded on the independence requirements in a granular manner and suggested that the details be moved into an appendix or practice aid or provided as additional guidance to help reduce differences between QC 1000 and other standard setters. The specified quality responses for the ethics and independence component primarily carry forward existing requirements from the PCAOB's QC standards and extend certain existing requirements to all firms. The Board believes that the specified quality responses relate to risks that apply to all firms and therefore should be addressed by all firms. The Board intends them to be obligations of all firms and has therefore codified them within the rule text rather than as guidance.
i. QC Policies and Procedures About General Ethics and Independence Matters (QC 1000.33)
The standard requires the adoption of policies and procedures regarding general ethics and independence matters, carrying forward current PCAOB and SEC requirements.
The proposed requirement in QC 1000.33.a did not draw comment and was adopted as proposed.
The phrase “may reasonably be thought to bear on independence” is used in PCAOB Rule 3526 and should be familiar to all firms. It is taken from an independence standard that predates the existence of the PCAOB, and, as the Board noted in connection with the adoption of Rule 3526, it focuses auditors on the perceptions of reasonable third parties when making independence determinations. It is consistent with the SEC's general standard on independence. The firm's policies and procedures are required to address all matters that may reasonably be thought to bear on the independence of the firm, firm personnel, and affiliates of the firm under SEC and PCAOB rules.
See PCAOB Rule 3526 (requiring auditors to describe to the audit committee relationships that may reasonably be thought to bear on independence).
See Independence Standards Board Standard No. 1, Independence Discussions with Audit Committees. ISB No. 1 was included in the Board's interim standards until it was superseded by the adoption of Rule 3526.
See 17 CFR 210.2-01(b).
In addition to the broad concept of matters that “may reasonably be thought to bear on independence,” SEC and PCAOB rules address certain specific matters that bear on independence. For example, 17 CFR 210.2-01(c) sets forth a non-exclusive list of circumstances that the SEC considers to be inconsistent with independence. Such circumstances include, among others, certain financial relationships, employment relationships, business relationships, non-audit services, contingent fees, and circumstances related to partner rotation. PCAOB rules also list certain prohibited tax transactions and tax services that would make the firm not independent of its client.
See 17 CFR 210.2-01(c).
See PCAOB Rule 3522, Tax Transactions; PCAOB Rule 3523, Tax Services for Persons in Financial Reporting Oversight Roles.
The underlying facts and circumstances and relevant requirements will determine what actions need to be taken by the firm to address a matter that may reasonably be thought to bear on independence. For example, in some situations, it will be sufficient to communicate the matter to the audit committee. In other situations, further action may be required.
The proposed requirements in QC 1000.33.b-c did not draw comment and were adopted substantially as proposed.
Integrity and objectivity are important ethical concepts currently addressed in QC 20. Under the existing standard, integrity requires personnel to be honest and candid within the constraints of client confidentiality, whereas objectivity imposes the obligation to be impartial, intellectually honest, and free of conflicts of interest.
See QC 20.10.
As discussed in more detail below, the Board rescinded the interim ethics and independence standard, ET 102, Integrity and Objectivity, and replaced it with a new standard, EI 1000, Integrity and Objectivity. QC 1000 includes a reference to that new rule and to PCAOB Rule 3500T, Interim Ethics and Independence Standards.
See Rescission of ET Section 102; adoption of EI 1000; related amendments.
The final standard clarifies that firm personnel are expected to demonstrate integrity and objectivity in carrying out all of their professional responsibilities associated with the QC system and the performance of engagements. This includes activities ranging from the design and implementation of the QC system, monitoring and remediation, and evaluation of the QC system, to training and professional development; planning, performing, and supervising engagements; and internal and external communications. The Board also believes that it is important for the firm's policies and procedures to address obligations related to integrity and objectivity for associated persons of the firm, other than firm personnel, who perform work on behalf of the firm.
The proposed requirement in QC 1000.33.d did not draw comment and was adopted as proposed.
Establishing a consultation process on independence matters is an existing concept under SECPS independence requirements. Currently, SECPS member firms are required to designate a senior-level partner responsible for overseeing the adequate functioning of the firm's independence policies and consultation process.
See SECPS 1000.46 (requirement 5).
The Board expanded this concept in QC 1000 by covering not only independence matters, but also ethics matters, and by expressly requiring the firm's policies and procedures to address the identification of ethics and independence matters that require consultation. The Board believes the specific focus on identifying matters requiring consultation should prompt firm personnel and others subject to such requirements to more effectively identify ethics and independence issues that are new, challenging, or complex and that would benefit from evaluation by subject matter experts. The Board applied the requirement to all firms, not just SECPS member firms.
Under existing SECPS requirements, member firms are required to establish a monitoring system to determine that corrective actions are taken on all apparent independence violations reported by firm personnel. Under those requirements, the monitoring system should include procedures to provide reasonable assurance that (i) investments of the firm and its benefit plans are in compliance with the firm's policies and (ii) information received from its partners and managers is complete and accurate. The SECPS requirements do not prescribe specific activities for the monitoring system, other than stating that generally it includes auditing, on a sample basis, selected information such as brokerage statements, or alternative procedures that accomplish the same objective. One firm requested clarification of whether auditing, on a sample basis, selected information such as brokerage statements, will be mandatory under QC 1000. The standard does not prescribe specific activities to monitor compliance with ethics and independence requirements and the firm's ethics and independence policies. This allows scalability based on the firm's size and specific circumstances. The Board expects that firms that have developed monitoring systems to comply with SECPS requirements would continue to use these systems as one aspect of monitoring compliance under the standard. While auditing brokerage statements is not mandatory under QC 1000, the firm must design, implement, and maintain policies and procedures to monitor compliance with applicable ethics and independence requirements and related firm policies and procedures. Based on the firm's size and specific circumstances, a firm can choose which monitoring activities are an effective response to meet the quality objective.
See SECPS 1000.46 (requirement 7.d).
With respect to compliance with applicable ethics and independence requirements by the firm and its affiliates, the Board understands that firms employ various manual and automated tools for evaluating whether the firm and its affiliates comply with SEC and PCAOB independence requirements and the firm's independence policies and procedures. Some examples of such tools include having a centralized process to monitor business relationships, establishing an independence confirmation process that includes detailed guidance and questions related to independence and prohibited non-audit services, and periodic review of the completeness and accuracy of information reported on independence confirmations.
A firm may establish ethics and independence policies and procedures that are more restrictive than the rules of the SEC and PCAOB—for example, to comply with requirements of other jurisdictions or to simplify compliance with SEC and PCAOB requirements by setting bright-line policies and reducing the range for individual judgment. Under the standard, the firm's evaluation of compliance covers applicable ethics and independence requirements as well as the firm's policies and procedures.
The proposed requirements in QC 1000.33.f were adopted substantially as proposed.
As previously discussed, QC 1000 includes the existing SECPS requirement for firms to have policies and procedures that address independence violations and expands the requirement to cover all firms and to include ethics violations.
Under the standard, the firm is required to establish policies and procedures addressing violations and potential violations of ethics and independence requirements. These types of policies and procedures are intended to be preventive, detective, and corrective by nature.
The firm's policies and procedures are required to address identifying conditions, events, relationships, or activities that could constitute ethics or independence violations involving the firm, firm personnel, and, with respect to work performed on behalf of the firm, others subject to such requirements. For example, if a firm or its network is contemplating a reorganization or restructuring that would affect the relationships among affiliated firms or other entities, identifying post-reorganization investment activities as such an activity could assist the firm in designing and implementing appropriate policies to prevent independence violations.
With respect to ethics and independence violations that do or could occur, the firm's policies and procedures are required to address the taking of preventive and corrective actions to address violations on a timely basis. Such policies and procedures could specify the individuals responsible for taking preventive and corrective actions (at the engagement or firm level), the timing of preventive and corrective actions, and any potential sanctions against firm personnel or other individuals for violating ethics and independence requirements. While one firm supported bringing greater attention and accountability to the ethics and independence component, it suggested that the level of prescription may create operational challenges that could be detrimental to audit quality. Specifically, with regards to paragraph .33f.(2), the firm commented that ethical or independence violations may take a variety of forms and that dictating that preventive and corrective actions must be taken does not promote a risk-based approach. The standard requires that a firm's policies and procedures address, with respect to violations and potential violations, the taking of preventive and corrective actions, as appropriate. Ethics or independence violations may take a variety of forms, and therefore the nature and extent of the preventive and/or corrective actions may also take a variety of forms commensurate to the severity and pervasiveness of the violation.
The firm's policies and procedures are required to address reporting of ethics and independence violations. QC 1000 requires that firm personnel and others performing work on behalf of the firm that are subject to the ethics and independence requirements report both their own violations and other violations of which they become aware that may affect the firm. The Board revised the language in proposed paragraph .33f.(3) to clarify that the requirement applies to others performing work on behalf of the firm that are subject to the ethics and independence requirements.
The standard takes a principles-based approach, which allows each firm to determine which reporting mechanisms best fit its structure and address its quality risks. Through the Board's oversight activities, it has observed that firms employ various mechanisms for firm personnel to report violations. Some examples include direct communication lines to an ethics and independence group, designated individuals within the human resources department or the legal department, and whistleblower hotlines. Firms may assess each case individually and involve appropriate subject matter experts, depending on the nature of the violation. Some firms also establish escalation protocols for certain types of ethics and independence violations (e.g., violations involving a partner in the firm).
See, e.g., paragraph .29 of QC 1000, discussed above, for requirements regarding firm processes for addressing complaints and allegations.
In addition, the firm's policies and procedures are required to address any communications that need to take place as a result of a violation of ethics and independence requirements. For example, PCAOB Rule 3526 requires certain communications to the audit committee regarding matters that are thought to bear on the firm's independence, including violations of independence requirements.
ii. QC Policies and Procedures About Certain Matters That May Reasonably Be Thought To Bear on Independence: Restricted Entities, Independence and Ethics Certifications, and Matters Requiring Audit Committee Pre-Approval
Under the standard, the firm's policies and procedures on matters that may reasonably be thought to bear on the independence of the firm are required to address, among other things, (1) restricted entities, including the maintenance and dissemination of the list of restricted entities; (2) independence and ethics certifications; and (3) matters requiring audit committee pre-approval.
(1) Restricted Entities (QC 1000.34.a-d)
Most of the requirements related to restricted entities come from existing SECPS member requirements, which will now apply to all firms. Under the standard, as under current requirements, restricted entities include all audit clients (including affiliates of the audit client) of the firm and affiliates of the firm. One firm commented that the proposal did not define “affiliates” and recommended either referencing the definition provided in PCAOB Rule 3501 or defining the term in the standard in a manner similar to Rule 3501. “Audit client,” “affiliate of the audit client,” and “affiliate of the accounting firm” are terms defined in existing PCAOB and SEC rules. As proposed, paragraph .34 includes a footnote referring to those definitions.
The SECPS term “restricted entities” includes all audit clients of the firm (and, where applicable, its foreign-associated firms) that are SEC registrants, along with other entities that the firm is required to be independent of under the applicable SEC requirements.
“Audit client” is defined for purposes of SEC rules in 17 CFR 210.2-01(f)(6), and for purposes of PCAOB rules in PCAOB Rule 3501(a)(iv). “Affiliate of the audit client” is defined in PCAOB Rule 3501(a)(ii) as having the same meaning as defined in 17 CFR 210.2-01(f)(4). “Affiliate of the accounting firm” is defined in PCAOB Rule 3501(a)(i) and, for purposes of the Note to paragraph .34a., “accounting firm,” which includes the firm's associated entities, is defined in 17 CFR 210.2-01(f)(2).
Existing SECPS requirements require firms that audit more than 500 SEC registrants to have an automated system to identify investment holdings of partners and managers that might impair independence. As proposed, the Board required an automated system for firms that issued audit reports with respect to more than 100 issuers during the prior calendar year. The Board understands that firms that audit more than 500 SEC registrants already have automated systems in place, based on the SECPS requirements to have an automated system 17 CFR 210.2-01(d). Firms that issued audit reports for 100 or fewer issuers are required to consider whether the system needs to be automated, taking into account the quality risks and the nature and circumstances of the firm. For example, a firm with close to 100 issuers and a significant number of managers and partners may assess timely identification of personal investments that may impair independence as a quality risk, and a quality response to address that risk may include an automated system to help facilitate a more timely relationship-checking process.
See SECPS 1000.46 (requirement 4).
17 CFR 210.2-01(d) provides that a firm's independence is not impaired solely because a covered person in the firm is not independent of an audit client, provided the covered person did not know of the circumstances giving rise to the violation, the violation was corrected as promptly as possible, and the firm maintains a quality control system meeting specified standards. 17 CFR 210.2-01(d)(4) describes, for firms that provide audit, review, or attest services to more than 500 SEC registrants, features necessary for the firm's QC system to meet the specified standards, including an automated system to identify investment holdings of partners and managers that might impair independence.
One firm commented that the specified quality response to have an automated process for identifying direct or material indirect financial interests is appropriate, and another firm commented that it did not object to the requirement. However, a firm and a firm-related group recommended that the PCAOB consider if the existing SEC requirements are sufficient such that no additional PCAOB requirements are needed, and several firms commented that the costs of implementing the requirement would be significant and instead the threshold should be increased to 500 issuers to be consistent with the SEC requirements. Some of these firms suggested that the cost may be a potential barrier to entry for firms approaching the 100-issuer audit client threshold. One of these firms commented further that some firms that audit over 100 issuers will consider decreasing the size of their practice due to the associated cost of the requirement. This firm suggested that the specified quality response be removed and instead, if necessary, implement a quality objective that firms could address through their risk assessment process. Several firms suggested that firms that audit more than 100 but no more than 500 issuers could consider implementing such a process, but it should not be required. One firm-related group suggested that the threshold for requiring an automated independence system be reduced further, given the number of repeated independence issues among all firms.
One firm expressed concerns with both the proposed requirement in paragraph .34a.(1) and the suggestion in paragraph .34a.(2) to automate this process, suggesting that this would be cost prohibitive and firms should design processes that reflect their respective size, complexities and risks identified. Another firm commented that firms subject to the current SECPS requirements have likely invested significant capital and resources to implement and maintain tools that enable compliance with those requirements, and while the firm views that investment as worthwhile and believes the procedures have contributed to audit quality over the years, it expressed concerns for the cost of the requirement to firms that audit between 100 and 500 issuers. Another firm commented that it has such an automated system in place, however it suggested that the implementation of such a system within the timeframe set out in the proposed standard may be challenging and costly. One firm commented that the determination of whether or not to implement an automated process for identifying and tracking direct and material indirect financial interests should be risk-based and not include a prescriptive requirement based on an arbitrary count of greater than 100 issuers. The firm specifically commented that the size, scope, nature, and complexity of firms' issuer practices can vary significantly among the annually inspected firms, noting for example that a large portion of its issuer client count consists of Form 11-K audits and smaller reporting companies. Another firm commented that while the size of the firm's client base is one factor to consider in determining an appropriate quality response, the nature and circumstances of the firm and the firm's clients are also factors that should be taken into consideration, as well as the firm structure, industries served, and number of managers and partners.
Some firms sought clarity as to whether an automated process would be required for other financial relationships, for example, employment relationships, business relationships, or non-audit services, and commented that the identification of certain financial relationships cannot be easily automated. Instead, the firms suggested limiting the requirement to automate the process for identifying investments in securities that might impair independence, to align with the SEC requirement. A number of firms and a firm-related group requested clarity on what “automated” means and what the Board's expectations are with regards to the nature, extent and scope of automation.
After consideration of the comments, the Board adopted the 100-issuer threshold as proposed. The Board believes it is important to maintain a consistent threshold for the incremental requirements in QC 1000. As discussed in more detail above, the Board believes that the 100-issuer threshold is appropriate, and while the nature of each firm's audit client list may vary, there still exist complexities inherent to firms with a large number of issuer audit clients that may give rise to quality risks that apply to the firm's independence, for which the automated system would be an appropriate quality response.
The Board clarified in the final standard that the requirement for an automated process is limited to the process to identify investments in securities that might impair the independence of the firm or firm personnel, the same scope as required under 17 CFR 210.2-01(d). The Board has observed through its oversight activities that some firms have systems that automate the identification of their professionals' investment holdings through direct broker feeds, but a direct broker feed is not the only type of automated process that would meet the Board's requirement. As discussed in a December 9, 1999, letter from the SEC's Chief Accountant, firms need to develop a system that tracks audit engagements and financial investments held by professionals such that the conflict verification process is automated. Such a system may rely on firm professionals accurately self-reporting and entering their investments into the system in a timely manner. These holdings would automatically be compared to the list of restricted entities to identify any relationships with restricted entities. Based on the size of the firm and other characteristics, a firm may determine that a direct broker feed is an appropriate quality response (for example, if the firm's monitoring activities found high rates of non-compliance by firm personnel with the firm's policies and procedures for reporting financial investments), but a direct broker feed is not expressly mandated for firms subject to the requirement to implement an automated process. The Board also made a change to require that the process described in paragraph .34a.(1) must be automated to conform the degree of responsibility that the requirement imposes on the auditor to that required under paragraph .34.
See Letter From the Chief Accountant: Issues Related to Independence/Quality Control to SEC Practice Section (II) (Dec. 9, 1999), available at https://www.sec.gov/info/accountants/staffletters/calt129a.htm.
One firm suggested that a longer transition period be provided for firms that are not currently subject to a requirement to implement an automated system. The firm commented that if two firms merged and one or both of the firms had previously not been subject to the requirement, it is unlikely that a system of this nature could be implemented and tested for effectiveness in the time period provided. The Board believes that firms continuously monitor the size of their audit practice relative to the 100-issuer threshold, and if a firm is considering a transaction such as a merger that would increase its number of issuer audit clients significantly, then the firm could begin to implement such a system in advance of the end of the calendar year in which the firm first surpasses the 100-issuer threshold. Indeed, for a transaction such as a merger of audit firms, the Board believes that there could exist specific risks to independence as a result, which in itself may result in a firm developing an automated system as a quality response.
Current SECPS requirements require timely (generally monthly) communication of additions to the Restricted Entity List. The proposal contemplated requiring that firms have policies and procedures for maintaining and making available the list of restricted entities to firm personnel and others performing work on behalf of the firm who are subject to independence requirements, and updating and communicating changes to the list of restricted entities at least monthly to such persons.
See SECPS 1000.46 (requirement 5).
Several firms and a firm-related group suggested the specified quality response be replaced with a quality objective regarding updates to and awareness of changes in the restricted entity list. Two of these firms suggested that the requirement be amended to limit communications to additions to the restricted entity list. Another firm suggested communications be limited to firm personnel subject to independence requirements and the requirements should allow for flexibility in the nature, timing, and extent of communications. QC 1000 does not enlarge the population of individuals who are subject to ethics and independence requirements. References in the standard to “requirements” and “obligations” are to existing requirements and obligations which themselves specify to whom they apply. In addition, after consideration of the comments received, the Board amended the standard to limit the required communications to additions to the list of restricted entities, rather than all changes.
Some firms did not support this communication to “others performing work on behalf of the firm,” and suggested that communications should be limited to potential covered persons affected by the additions. Two of these firms commented that these individuals would likely not be considered covered persons for engagements other than the engagement they are working on, and suggested that the Board allow firms to take a risk-based approach when determining the scope and frequency of the communications. Another firm suggested that QC 1000 does not need to specifically address certain communications to other participants where this is required by another standard, specifically AS 2101 (as in effect for audits of fiscal years ending on or after December 15, 2024) paragraph .06D, which includes a “written description of all relationships between the other auditor and the audit client of persons in financial oversight roles at the audit client that may reasonably be thought to bear on independence.” Another firm commented that the goal of alerting others performing work on behalf of the firm to specific engagement independence requirements could be achieved through engagement-specific independence certifications.
After consideration of the comments received, the Board amended the standard to require at least monthly communication of additions to the list of restricted entities to firm personnel and others performing work on behalf of the firm whose relationships and arrangements with such additional restricted entities may reasonably be thought to bear on the independence of the firm. The Board believes that it is appropriate to limit communications of additions to the list of restricted entities to firm personnel and others performing work on behalf of the firm to those additions that could reasonably be thought to bear on the independence of the firm. For example, additions to the affiliate list for an issuer would be relevant for an individual who is performing work on behalf of the firm on that issuer, or a partner who is located in the same office of the firm in which the lead audit engagement partner primarily practices in connection with the audit. This communication should be made as frequently as necessary, and on an at least monthly basis, through the period that the individual is subject to the independence requirements.
Several firms and a firm-related group commented that the requirement to communicate the restricted entity list would not be more effective than the automated systems already in place at larger firms. Two firms also commented that smaller firms with infrequent changes to the restricted entity list may not need to communicate changes monthly. One of these firms suggested that many firms already have policies where individuals are required to review the restricted entities list prior to purchasing stock/during proposal/acceptance procedures to determine whether an independence conflict would exist, and that many firms also make those restricted lists readily available to employees as part of their current QC systems. The Board believes, and has observed through its oversight activities, that such automated systems may not fully mitigate quality risks associated with the timely reporting of financial relationships by firm personnel, for example, if the automated system is not equipped to identify certain financial relationships, or if the firm is reliant on its professionals making timely reporting of these relationships into the firm systems. The Board believes that requiring the communication of additions to the list of restricted entities to firm personnel whose relationships and arrangements with such additional restricted entities may reasonably be thought to bear on the independence of the firm on an at least monthly basis may prompt firm personnel to report a previously unreported relationship. If there are no additions, there is no required communication.
One firm commented that it is unclear whether communication is intended to mean a distributed communication (e.g., email of the updated list) or communication can be made available (e.g., a website that hosts such list and is readily available to access). Some firms may decide to communicate updates to the list of restricted entities on a more frequent basis, as changes are being made, or in more targeted ways (such as to particular offices or engagement teams). The standard does not prescribe the method of communication. Through the Board's oversight activities, it has observed that some firms comply with existing SECPS requirements by communicating additions to the list of restricted entities to all firm personnel weekly via email. These firms could continue that practice to comply with the standard. However, other methods that result in an effective communication may also be acceptable; for example, a firm might communicate that there have been additions to the list of restricted entities via email, and include within the email a link to an accessible website-hosted list of additions. While the standard requires communications of additions to those individuals whose relationships and arrangements with such additional restricted entities may reasonably be thought to bear on the independence of the firm, the firm may choose to extend the communications of additions more broadly. In addition, if the firm communicates additions to less than all firm personnel, then the firm must have correctly identified the group of people whose relationships and arrangements with such additional restricted entities may reasonably be thought to bear on the independence of the firm.
Firms are required to communicate additions to the list of restricted entities. For periods where there were no changes, no such communication would be required.
The standard does not prescribe a specific process for maintaining and making available the list of restricted entities to firm personnel and other individuals. Firms are able to determine the specific methods and tools needed to keep the list of restricted entities up to date and to ensure that any additions are communicated on a timely basis to firm personnel and other individuals. This determination is based on factors such as the size of the firm, the number of audit clients, and the complexity of those clients (e.g., the number of audit client affiliates). For example, a smaller firm with a small group of professionals, a stable portfolio of audit clients, and a manual process for maintaining the list of restricted entities may decide to communicate changes monthly. For a larger firm with many audit clients and firm affiliates, an automated tool could help facilitate more frequent updates to the list of restricted entities. The firm is required to notify relevant professionals of additions to the list at least monthly.
The Board recognizes that some firms are members of networks that may develop systems, processes, and controls to monitor network firms' compliance with independence requirements, including maintaining a database of restricted entities. As described above, the standard does not prescribe a specific process for maintaining a database of restricted entities, so this process could potentially be performed by a network or outsourced to a third party. At the same time, the standard requires each firm to establish its own quality objective, which places responsibility on the firm with respect to resources or services provided by the network or a third-party provider.
See below for a discussion of the firm's responsibilities when it uses resources or services provided by a network or third-party provider.
The Board incorporated into QC 1000 the existing SECPS requirements for firm personnel to review the list of restricted entities prior to obtaining any security or other financial interest in an entity, but with the following refinements:
SECPS requirements use the term “professionals,” which means professional staff, including partners. See SECPS 1000.46 (requirement 1.a).
- Require firm personnel to review the list of restricted entities, not only before they or their relevant family members obtain a direct or material indirect financial interest in an entity or enter into a direct or material indirect relationship with an entity, but also after additions to the list of restricted entities are communicated by the firm, upon firm personnel's employment at the firm, prior to changes in position (e.g., going into a chain of command or other covered person role), and prior to entering into or modifying any business or employment relationships.
- Require the firm and firm personnel to take required actions on a timely basis if the review of the list of restricted entities indicates that action is required under applicable professional and legal requirements or the firm's policies and procedures.
Under this approach, the firm's policies and procedures will require that the list of restricted entities be reviewed before the firm enters into any relationship, engagement to perform non-audit services, or fee arrangement that might affect compliance with independence requirements. This requirement serves the same purpose as review of the list of restricted entities by the firm personnel and helps the firm to identify relationships that may result in noncompliance with applicable professional or legal requirements.
One firm commented that, rather than requiring that the list of restricted entities be reviewed before the firm enters into any relationships, engagements to perform non-audit services, or fee arrangements that might affect compliance with independence requirements, firms should be permitted to develop quality responses to identify prohibited relationships and fee arrangements that appropriately respond to quality risks, based on the firm's facts and circumstances. The firm also suggested that the requirement for firm personnel to review the list of restricted entities after changes to the list are made should be deleted since firm personnel would already be notified of changes based on paragraph .34b. The Board believes these specified quality responses are appropriate and should be addressed by all firms, regardless of the specific facts and circumstances of the firm. In addition, the Board views the requirements of paragraph .34b for the firm to maintain and make available the list of restricted entities, and paragraph .34d for firm personnel to review the list of restricted entities, as separate.
(2) Independence and Ethics Certifications (QC 1000.34.e)
Certifications are intended to drive greater accountability for firm personnel's compliance with independence requirements and to deter independence violations. The certification requirement is similar to an existing SECPS requirement, which requires each professional to certify near the time of initial employment and at least annually thereafter that he or she (1) has read the member firm's independence policies, (2) understands their applicability to his or her activities and those of his or her spouse and dependents, and (3) has complied with the requirements of the member firm's independence policies since the prior certification.
See SECPS 1000.46 (requirement 7.b).
The proposal contemplated obtaining certifications from firm personnel regarding familiarity and compliance with SEC and PCAOB independence requirements and the firm's independence policies and procedures (1) upon employment, (2) at least annually thereafter, and (3) upon any change in personal circumstances, such as firm role, geographic location, or marital status, that is relevant to independence.
Several commenters, including firms, did not support the requirement to obtain additional certifications upon changes in personal circumstances, and three firms raised practical concerns when the changes involved marital status. One firm suggested that the standard should emphasize that a firm's independence certification process should consider timeliness in addressing the quality objective, and instead encourage firms to consider the appropriateness of obtaining periodic certifications throughout the year. One firm commented that a firm should have flexibility to determine its own policies and procedures for certifications beyond requiring them at employment and annually thereafter; the firm suggested that, for example, quarterly certification accompanied by training on the impact of life events may be more effective and practicable than event-driven review and certification. Another firm recommended that firms be allowed to develop their own quality responses based on their own unique quality risks when personal circumstances change rather than requiring certification upon changes in personal circumstances as a quality response. Another firm suggested that this requirement should instead be managed through proper education and awareness of relevant independence requirements. Another firm suggested that these items would be better suited as examples of considerations included in implementation guidance. One firm suggested that the certification requirements should be applicable for firms with over 500 issuers that already have an automated independence system. The firm further commented that the requirement is onerous in terms of being able to identify the data on a timely basis and suggested a semi-annual representation period instead of circumstance-driven.
In addition, the proposing release sought feedback on whether the standard should require annual written certification regarding familiarity and compliance with ethics requirements and the firm's ethics policies and procedures, in addition to those regarding independence. The proposing release further asked whether firms should be required or encouraged to adopt firm-wide codes of ethics or similar protocols. One firm did not support a specific quality response that includes a certification process for ethics requirements and procedures. The firm suggested that firms should be permitted to adopt a quality response that addresses the risks within their own practice, and that a certification requirement that applies to all firm practice staff could turn into a “check-the-box” compliance exercise that would not benefit audit quality. One firm commented that such requirements would already be addressed by the requirement for mandatory training in paragraph .36. Other commenters, including firms, investors, and investor-related organizations, supported the requirement to obtain a written annual certification regarding familiarity and compliance with ethics requirements and the firm's ethics policies and procedures. One of these investors commented that the main argument against such certifications is that it imposes a cost and that it becomes a “tick-the-box exercise,” but in the investor's view the cost is de minimis given other annual declarations needed by firm personnel, and firm leadership can send an appropriate signal by embracing the ethics code to stop such annual declarations becoming a perfunctory exercise. One firm and an investor-related organization supported a requirement that firms should adopt firm-wide codes of ethics.
After consideration of the comments received, the Board made two changes to the final standard. First, the Board removed from the standard the requirement to obtain a certification from firm personnel regarding familiarity and compliance with SEC and PCAOB independence requirements and the firm's independence policies and procedures upon any change in personal circumstances, and replaced this with the requirement that such a certification must be obtained for any change in professional circumstances that is relevant to independence. Rather than include examples of such changes in the text of the standard, the Board provided in this release some examples of changed professional circumstances that may be relevant to the independence of the firm's personnel under applicable independence rules. These examples include changes within the firm such as promotions, moving offices, or changing practice groups (e.g., changes to covered person status). Although, in connection with this change, the Board removed a certification requirement with regard to changes in personal circumstances, such changes can have independence implications under SEC and PCAOB independence requirements, and a firm's QC system must provide reasonable assurance of compliance with those requirements. Secondly, the Board added a requirement for certification by firm personnel regarding familiarity and compliance with the applicable ethics requirements and the firm's ethics policies and procedures as the Board believes such certification will enhance individual accountability and, ultimately, compliance. The Board did not add a requirement for firms to adopt a firm-wide code of ethics or similar protocol, because it believes that firms should have flexibility to determine whether this would assist them in meeting the relevant quality objectives.
The standard does not prescribe a checklist of specific content for the certifications, focusing instead on general concepts of familiarity and compliance. It is possible that the form of certification called for by the existing SECPS requirement would satisfy the standard. In addition, the standard expands on the existing SECPS requirement by requiring firms to obtain certifications every time firm personnel have a change in professional circumstances that is relevant to independence, such as a change in role or geographic location. Changes within the firm such as promotions, moving offices, or changing practice groups may have consequences under independence rules (e.g., changes to covered person status) and result in noncompliance. The Board continues to believe that a specified quality response requiring specific event-driven independence and ethics certifications appropriately considers timeliness in addressing the quality objective and applies to quality risks that exist in all firms.
(3) Matters Requiring Audit Committee Pre-Approval (QC 1000.34.f)
The proposed requirement did not draw comment and was adopted as proposed. QC 1000 contains a new requirement regarding firm policies and procedures for identifying matters that require pre-approval by the audit committee and obtaining such approval. The primary responsibility for identifying matters that require audit committee pre-approval and obtaining such pre-approval resides at the engagement level. The firm's policies and procedures, however, provide tools and guidance that enable engagement teams to properly identify the relevant matters and obtain necessary pre-approvals on a timely basis. Through the Board's oversight activities, it has observed numerous instances where firms did not have an effective mechanism in place for monitoring whether matters that require audit committee pre-approval were properly disclosed to audit committees. The new requirement should lead to more consistent compliance.
iii. Communication of Changes to Ethics and Independence Policies and Procedures (QC 1000.35)
The proposed requirement did not draw comment and was adopted as proposed. The final standard incorporates existing SECPS requirements regarding the dissemination of the firm's independence policies and procedures and expands the requirements to cover ethics policies and procedures.
When deciding how to make ethics and independence policies and procedures available, firms would consider how to make firm personnel and others performing work on behalf of the firm aware of where and how to find these policies and procedures in a way that supports those individuals' ongoing compliance with certification and other requirements. The standard requires the firm to communicate any substantive changes to its ethics and independence policies and procedures on a timely basis.
iv. QC Policies and Procedures About Mandatory Ethics and Independence Training (QC 1000.36)
The proposed requirement did not draw comment and was adopted as proposed.
The standard includes a requirement for mandatory periodic training on ethics and independence, which expands on the existing SECPS requirements that cover training on independence. The mandatory training requirement promotes awareness and understanding of the ethics and independence requirements, which should lead to better compliance with such requirements. Under existing SECPS requirements, firms are required to establish a training program for professionals to complete near the time of initial employment and periodically thereafter.
See SECPS 1000.46 (requirement 3).
The specific content and extent and timing of the training will be determined by the firm, but the program is required to cover both the relevant professional and legal requirements (for example, regarding financial interests, business relationships, employment relationships, proscribed services, and fee arrangements) and the firm's related policies and procedures.
By not specifying the content for such mandatory training, the standard allows firms the ability to develop training programs based on their circumstances. For example, a firm may develop its training to place a greater emphasis on areas with recurring ethics and independence findings across the firm, or it may target specific ethics and independence findings in different regions. Similarly, the standard does not specify how the firm would provide such training. A firm may develop and deliver its own training, contract with others to provide training, or provide access to third-party training.
Under the standard, the firm is required to provide such training at least annually, or more often as needed.
2. Current PCAOB Standards
QC 20 provides that policies and procedures should be established to provide the firm with reasonable assurance that personnel maintain independence (in fact and in appearance) in all required circumstances, perform all professional responsibilities with integrity, and maintain objectivity in discharging professional responsibilities. The SECPS member requirements regarding independence quality controls apply only to certain firms. The requirements for ethics and independence discussed above are more detailed than the existing requirements in QC 20 and Appendix L of the SECPS and would apply to all firms.
See QC 20.09.
Acceptance and Continuance of Engagements
This component addresses the firm's processes when considering whether to accept or continue an engagement.
1. QC 1000
a. Acceptance and Continuance of Engagements Quality Objectives (QC 1000.38)
The proposal described the quality objectives related to acceptance and continuance of engagements. Several commenters, including firms, were generally supportive of the proposed quality objectives.
A commenter on the AS 1000 rulemaking objected to the use of the term “client” in that standard to refer to the company and its management. The commenter suggested “company under audit” instead. The Board agrees with the commenter that the terminology used in the PCAOB standards should help to remind auditors that they work for the benefit of investors, not the management of the company. Accordingly, the Board generally replaced references to the “client” with references to the “company” or eliminated them altogether (for example, this component, called “Acceptance and Continuance of Client Relationships and Specific Engagements” in proposed QC 1000, is “Acceptance and Continuance of Engagements” in the final standard). The Board, however, retained references to the “client” where that aligns with other rules, such as in the area of independence.
The quality objectives in this component were adopted substantially in the form proposed, with the exception of the change throughout to focus on the engagement instead of the client relationship and the other clarifications discussed below.
Acceptance and continuance of engagements is an aspect of a firm's compliance and risk management process. Each firm, depending on its nature and circumstances, may approach acceptance and continuance of engagements differently. The acceptance and continuance of engagements process assists the firm in mitigating reputational, business, and litigation risk. The quality objectives stress the importance of focusing the acceptance and continuance of engagements process on the firm's ability to perform an engagement in accordance with applicable professional and legal requirements.
i. Timing (QC 1000.38.a(1))
The proposed standard required the firm's judgment about whether to accept or continue an engagement to be made as part of or before performing preliminary engagement activities. Preliminary engagement activities, which are activities the auditor should perform at the beginning of the audit, are described in AS 2101.06.
One commenter stated that the proposed requirement implied that the judgment was only made during preliminary activities and not throughout the engagement. The Board clarified the quality objective in paragraph .38a(1) to specify that the initial judgment is to be made as part of or before preliminary engagement activities. QC 1000.40, discussed below, addresses the firm's obligation to continue to address situations that could have caused it to decline the engagement had the information been known prior to acceptance and continuance.
ii. Independence and Permissibility of Services (QC 1000.38.a(2)(a) and (b))
This proposed quality objective did not draw significant comment and was adopted as proposed.
The firm's ability to perform the engagement includes considering whether the firm is independent and whether the services are permissible. These are threshold considerations for acceptance and continuance, because in general, under PCAOB standards the firm is not allowed to accept an engagement unless it is independent of the company for which the engagement will be performed and the services are permissible under applicable professional and legal requirements (including obtaining audit committee pre-approval where that is required).
The firm's policies for acceptance and continuance in the areas of independence, permissibility of services, and pre-approval relate to and to some extent overlap with the ethics and independence component. The requirements in the ethics and independence component more generally address the ongoing evaluation of compliance with applicable professional and legal requirements relating to the independence of the firm, firm personnel, and others subject to such requirements.
iii. Access to Company Information and Company Personnel (QC 1000.38.a.(2)(c))
This proposed quality objective did not draw significant comment and was adopted substantially as proposed.
The firm's ability to perform an engagement in accordance with applicable professional and legal requirements depends on the firm's ability to obtain information from the company and gain access to individuals at the company who can respond to the firm's inquiries. Restricted or limited access to company information or personnel—for example, due to language differences, physical location, or local law restrictions—could impair the firm's ability to perform the engagement in accordance with applicable professional and legal requirements.
iv. Resources (QC 1000.38.a(2)(d))
Another aspect of the firm's ability to complete the engagement in accordance with applicable professional and legal requirements is the resources available to the firm. The Board believes it is important for a firm to have the right resources available so that the engagement can be performed in accordance with applicable professional and legal requirements. This includes the availability of resources like the following, either internal or external to the firm:
- Firm personnel or other participants with competence to perform procedures (e.g., industry experience or experience with new or specialized accounting pronouncements that apply to the company) and sufficient availability to meet audit timing requirements;
- Engagement partners;
- Specialists;
- EQRs;
- Technology to be used in the performance of the engagement, such as technology for testing the implementation and effectiveness of automated processes; and
- Intellectual resources needed in the performance of the engagement (e.g., industry-specific audit programs).
One commenter suggested that consideration should be given to the availability of industry-specific resources at the partner and manager level and the Board agrees that industry-specific resources are important in certain audits. However, the Board believes that issue is adequately addressed by the general reference to “resources to perform the engagement,” which includes industry-specific resources where those would be needed. The Board adopted this quality objective as proposed.
v. Other Relevant Factors (QC 1000.38.a(2)(e))
This proposed quality objective did not draw comment and was adopted as proposed.
The firm's ability to perform engagements in accordance with applicable professional and legal requirements may also be affected by other factors associated with providing professional services in the particular circumstances. Accordingly, the standard, by directing firms to consider such other relevant factors, retains the breadth and inclusiveness of QC 20.15b, which requires the firm to establish policies and procedures to provide reasonable assurance that the firm appropriately considers the risks associated with providing professional services in the particular circumstances.
v. Information About the Nature and Circumstances of the Engagement, Including the Integrity and Ethical Values of the Company (QC 1000.38.a(3))
In order for the firm to make appropriate judgments about whether to accept or continue an engagement, the firm needs to obtain sufficient information about the nature and circumstances of the engagement (e.g., the nature of the company and the environment in which it operates) and the integrity and ethical values of the company, including its management and audit committee. This information is relevant because it can help identify potential risks to performing the engagement that may result in the firm not being able to perform the engagement in accordance with applicable professional and legal requirements. The nature and circumstances of the engagement may, for example, reveal the need for specialized expertise that the firm does not have. A lack of management integrity may affect the reliability of the company's accounting records. Designing and implementing policies and procedures that direct and standardize the collection and evaluation of such information could help the firm in consistently making appropriate judgments about whether to accept or continue an engagement. Additionally, information obtained during the firm's acceptance and continuance process about the nature and circumstances of the engagement and the integrity of management and the audit committee would in many cases be relevant when planning and performing the engagement.
For a prospective engagement, this includes evaluating information obtained from a predecessor firm. See generally, e.g., AS 2610, Initial Audits—Communications Between Predecessor and Successor Auditors.
See, e.g., AS 2110.41-.45.
One commenter requested clarification of whose integrity and ethical values are relevant to the consideration of “the integrity and ethical values of the company (including management and the audit committee)”—for example, whether consideration could be limited to the audit committee chair. Since members of management and the audit committee all have influence over the company's financial reporting, the Board believes their integrity and ethical values are important to the judgment of accepting or continuing an engagement. Therefore, consistent with the proposal, the final standard does not include such a limitation.
The quality objective in QC 1000.38.b retains the concept in QC 20.16 of having policies and procedures regarding obtaining an understanding with the company about the engagement and aligns with similar requirements under PCAOB auditing and attestation standards. Achieving this objective should minimize the risk of misunderstandings regarding the nature and scope of the engagement and any limitations associated with it.
See paragraph .05 of AS 1301, Communications with Audit Committees, and paragraph .46 of AT Section 101, Attest Engagements.
c. Acceptance and Continuance of Engagements Specified Quality Response (QC 1000.39-.40)
The proposal included a specified quality response regarding policies and procedures to address situations where the firm learns of information that would have caused it to decline a previously accepted engagement. Two commenters were generally supportive of the proposed specified quality response.
Under this specified quality response, the firm's policies and procedures are required to address situations in which the firm becomes aware of relevant contrary information after the firm's decision to accept or continue an engagement. This contrary information may have existed at the time of the decision to accept or continue an engagement but not been known by the firm at the time, or it may have emerged subsequent to that decision. Depending on the circumstances, appropriate responses may include such actions as:
- Consulting with legal counsel or others within the firm to determine if the firm is able to continue the engagement;
- Discussing the information with management and the audit committee to determine if the firm is able to continue the engagement;
- Including this information in the auditor's risk assessment procedures so that any additional risks are responded to during the audit; and
- Withdrawing from the engagement and notifying appropriate regulatory authorities as required under applicable professional and legal requirements.
One commenter suggested that specific circumstances should require an immediate reconsideration of client continuance, such as illegal acts, fraud, or material omissions of fact. Existing auditing standards, such as AS 1301, include requirements related to evaluating the continuation of the client relationship. The QC system would address compliance with these requirements.
Under the proposal, a firm would be deemed to have become “aware” of information if any partner, shareholder, member, or other principal of the firm was aware of such information, the same standard that applies with respect to the reporting of specified events on Form 3. One commenter stated that the concept of when a firm becomes “aware” should take into account the size and scale of the firm, and the nature of the matters related to the QC system, suggesting that alignment with the requirements of Form 3 may be inappropriate because of Form 3's relatively limited scope compared to the matters addressed by QC 1000. The Board continues to believe that it would be inappropriate to differentiate among firm principals in this regard; all firm principals should be responsible for promptly communicating and acting upon relevant information. Accordingly, the class of persons whose awareness is attributed to the firm has not been narrowed.
Another commenter recommended clarifying the timing of when a firm becomes “aware” of information subsequent to accepting or continuing a client relationship. Footnote 26 of the final standard reflects the suggested clarification that the firm is deemed “aware” of information when any partner, shareholder, member, or other principal of the firm “first becomes aware” of such information.
This approach aligns with the instructions to Form 3, under which a firm is deemed aware of reportable facts on the first day that any partner, shareholder, principal, owner, or member of the firm first becomes aware of the facts. See Form 3, Note to Instructions to Part II.
2. Current PCAOB Standards
The quality objectives of QC 1000 paragraph .38 do not fundamentally change a firm's existing responsibilities regarding acceptance and continuance decisions under QC 20. The quality objectives expand on the requirements in QC 20 with regard to considering the necessary information and making appropriate judgments about the associated risks and the firm's ability to mitigate those risks and perform an engagement in accordance with applicable professional and legal requirements.
See QC 20.14-.16.
Engagement Performance
This component addresses the firm's processes relating to the performance of the firm's engagements in accordance with applicable professional and legal requirements. Engagement performance encompasses the activities of firm personnel and other participants in all phases of the design and execution of the engagement—planning, performing, supervising, and documenting the engagement; conducting an engagement quality review; and making communications regarding the engagement. In order for the firm to consistently deliver compliant engagements, including when performing work on other firms' engagements, firm personnel and other participants need to understand and fulfill their responsibilities in accordance with applicable professional and legal requirements.
See QC 20.18.
1. QC 1000
The proposal described the quality objectives for the engagement performance component and asked if there should be any specified quality responses for this component. Firms that commented were generally supportive of the proposed quality objectives. Two commenters wanted clarity on why some concepts in auditing standards were or were not included in QC 1000. One of these commenters, an investor-related group, suggested the standard address certain areas like fraud protection, crypto assets, climate change, and critical audit matters. The Board believes these areas are engagement-level specific, whereas QC 1000 focuses on the firm-level controls over engagement responsibilities. Commenters, including firms and related groups, were also supportive of not providing specified quality responses in this component. The Board adopted these provisions substantially as proposed.
Under QC 1000, a firm is required to establish quality objectives for the engagement performance component in the following areas:
- Engagement responsibilities;
- Consultations and differences in professional judgment; and
- Engagement documentation.
a. Engagement Responsibilities (QC 1000.42.a)
This proposed quality objective did not draw comment and was adopted as proposed.
The standard uses the term “engagement partner” with its existing meaning under PCAOB audit and attestation standards: the member of the engagement team with primary responsibility for the audit, examination, or review, as the case may be. The definition of “engagement” under QC 1000, under which substantial role work is defined as an engagement, does not change the meaning of engagement partner or affect the responsibilities of individuals involved in substantial role engagements. No comments were received on the use of this term.
The term “engagement team” is used as defined in the amendments to AS 2101, Audit Planning, adopted in PCAOB Rel. No. 2022-002, which takes effect for audits of financial statements for fiscal years ending on or after Dec. 15, 2024.
See AS 1201.A2; AT No. 1 at paragraph .07 note; AT No. 2 at paragraph .06 note. AT 101 uses the term “practitioner with final responsibility for the engagement,” which the Board construes as having the same meaning.
i. Responsibilities of the Engagement Partner (QC 1000.42.a(1))
The engagement partner is responsible for the engagement and its performance, including managing and achieving consistent compliance with applicable professional and legal requirements on the engagement. This quality objective focuses firms on partner involvement throughout the engagement, including appropriately supervising firm personnel and other participants.
See generally, e.g., AS 1201.
ii. Due Professional Care (QC 1000.42.a(2)(a))
Due professional care means acting with reasonable care and diligence, exercising professional skepticism, acting with integrity, and complying with applicable professional and legal requirements. In the context of engagement performance, professional skepticism is an attitude that includes a questioning mind and critical assessment of audit evidence and other information that is obtained to comply with PCAOB standards and rules. Exercising professional skepticism improves the quality of judgments made while performing the engagement and is key to performing an engagement in good faith and with integrity. PCAOB oversight activities have suggested that the lack of professional skepticism contributes to some of the QC deficiencies identified during PCAOB inspections. As an example, a firm's policies and procedures did not provide reasonable assurance that engagement partners supervised engagements with due professional care, which contributed to the failure to identify deficiencies in those engagements.
The general principles and responsibilities of the auditor when conducting an audit, including professional skepticism and due professional care, are being reaffirmed and combined in AS 1000, as adopted. See Auditor Responsibilities Release.
See, e.g., 2022 Broker-Dealer Inspection Report, at 31.
The quality objective related to due professional care, including professional skepticism, enables appropriate conclusions to be reached that are supported by sufficient appropriate evidence.
See Roles and Responsibilities above.
iii. Supervision (QC 1000.42.a.(2)(b))
Proper supervision aims to ensure that work is performed as directed and supports the conclusions reached. The quality objective emphasizes the importance of firm personnel and other participants being supervised properly, consistent with AS 1201 and AT No. 1.
See AS 1201.02.
iv. Reporting and Other Communications (QC 1000.42.a(3))
PCAOB standards and rules impose a number of requirements relating to reporting and communicating the results of the engagement. The engagement report and communications to the audit committee are typically prepared at the engagement level and may include information provided by the firm. For example, the firm may provide information related to independence to be communicated in accordance with PCAOB Rule 3524 or PCAOB Rule 3526. This quality objective emphasizes the importance of auditor reporting and communication in accordance with applicable requirements.
See generally, e.g., AS 3101, The Auditor's Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion; AS 2201.85-.89; AS 1301; paragraphs .34-.38 of AT No. 1; and AT 101.63-.90.
b. Consultations and Differences in Professional Judgment (QC 1000.42.b-.c)
Consultations are an important aspect of engagement performance, as they provide a mechanism to discuss and resolve complex, unusual, or unfamiliar matters with individuals who have the requisite knowledge, skill, and ability. Under current PCAOB standards, QC 20.19 highlights the significance of consultations, requiring appropriate policies and procedures. The quality objective should drive firms to continue to focus on the importance of consultation and resolution before the issuance of an engagement report.
The quality objective in the proposed standard provided that consultations on complex, unusual, or unfamiliar accounting and auditing matters are undertaken with qualified individuals from within or outside the firm.
One commenter suggested that the standard require firms to adopt policies that identify situations when national office consultation is required. The Board does not believe it is appropriate to include such prescriptiveness in the standard, as not all firms have national offices. Additionally, the quality objective provides that the firm will identify the risks specific to their engagements and determine whether there are specific situations that always require consultation.
Another commenter said that the reference to “unfamiliar” accounting and auditing matters was unclear and was concerned that it creates an unnecessary level of prescription that will be difficult to operationalize. The commenter also expressed concern that an unintended consequence could be that auditors may infer that consultations may compensate for lack of competence on the engagement team. The final standard retains the term, consistent with the use of “unfamiliar” in current QC 20.19. It is noted that inclusion of that term in paragraph .42 does not modify or limit auditor obligations to have the competence necessary to conduct the engagement established elsewhere in PCAOB standards.
Differences in professional judgment may occur when there is a concern or disagreement regarding the application of applicable professional and legal requirements during the performance of the engagement. The quality objective underscores the importance of having and adhering to appropriate procedures for the resolution of differences in professional judgment during the performance of engagements such that the firm, firm personnel, and other participants comply with applicable professional and legal requirements.
The proposed quality objective provided that differences in professional judgment related to the engagement are brought to the attention of the individual(s) with responsibility and authority for resolving such matters and are resolved before the issuance of an engagement report. One commenter suggested clarifying that if the engagement partner does not agree with the conclusions arising from the consultation (addressed above), that would be treated as a difference in professional judgment that would require compliance with the quality objective regarding differences of professional judgment. The final standard clarifies that point.
c. Engagement Documentation (QC 1000.42.d)
This proposed quality objective did not draw significant comment and the Board adopted it as proposed.
AS 1215 contains the general requirements for the documentation the auditor should prepare and retain in connection with engagements. 17 CFR 210.2-06 also addresses documentation retention requirements. The quality objective regarding engagement documentation in proposed QC 1000 is meant to drive firms to focus on compliance with these requirements.
2. Appendix K Requirements
Existing PCAOB standards (referred to as Appendix K requirements) require SECPS member firms that are associated with international firms or networks to seek adoption of policies and procedures by their associated international firms or network regarding filing reviews, inspection procedures, and disagreements between the engagement partner and the reviewer. As noted in the proposal, the Board believes that the purposes originally intended to be served by Appendix K have either been eliminated (through the elimination of the U.S. GAAP reconciliation) or otherwise addressed (through requirements for engagement quality review). Accordingly, the Board proposed to not retain requirements like those in Appendix K.
See SECPS 1000.08(n) (cross-referencing the objectives set forth in Appendix K, SECPS 1000.45). The types of SEC filings subject to review under Appendix K are registration statements, annual reports on Form 20-F and Form 10-K, and other filings that include or incorporate the foreign associated firm's audit report on the financial statements of an SEC registrant.
The proposal asked whether the PCAOB should eliminate Appendix K and rely exclusively on a risk-based approach. Commenters had mixed views regarding the retention of Appendix K requirements. Some commenters supported the elimination of Appendix K requirements and reliance on a risk-based approach. Other commenters asserted that the Appendix K requirements are beneficial and should be retained or made even more prescriptive. The Board believes it unnecessary to retain the Appendix K requirements because under the risk-based approach, firms will have to assess and respond to quality risks including, if applicable, a relative lack of experience in performing engagements under U.S. professional and legal requirements.
Some commenters expressed concern that in a risk-based approach, a person performing a limited review function similar to the current Appendix K reviewer would be considered part of the engagement team, while another commenter requested clarification that such a reviewer would not necessarily be a member of the engagement team. Under QC 1000, the firm's assessment of quality risks will determine the nature and extent, if any, of additional resources or reviews that would need to be performed over engagements to ensure compliance with PCAOB and SEC requirements. In some circumstances, the response might involve adding one or more additional members to the engagement team. In other circumstances, the response might involve resources that would not constitute members of the engagement team because they perform a contemporaneous quality control function and do not perform audit procedures or help plan or supervise the audit work.
See PCAOB Rel. No. 2022-002 at A4-5.
One commenter expressed concern that reviewers' firms would be considered “other accounting firms” and reviewers' hours would be included for purposes of Form AP filings. Specific to Form AP filing requirements, firms should review the Note to Item 3.2 of the Form AP Instructions regarding the reporting of other accounting firms.
See id. at A3-19.
3. Current PCAOB Standards
Under current QC standards, engagement performance covers all phases of the design and execution of the engagement, and engagement quality reviews. QC 20 contains general requirements regarding engagement performance, including planning, performing, supervising, reviewing, documenting, and communicating the results of each engagement; referring to authoritative literature; and consulting with qualified individuals when appropriate. QC 20 provides that policies and procedures should be established to provide reasonable assurance that the engagement is performed in accordance with applicable professional standards. QC 1000 retains these concepts from the extant standards.
See QC 20.18.
As discussed above, QC 1000 does not contain provisions similar to the Appendix K requirements that currently apply to former SECPS member firms.
Resources
This component addresses the firm's responsibilities for obtaining, developing, using, maintaining, allocating, and assigning resources—including people, financial, technological, and intellectual resources—to enable the design, implementation, and operation of the firm's QC system and the performance of its engagements.
1. QC 1000
a. Resources Quality Objectives (QC 1000.44)
The proposal asked if the Board's proposed quality objectives for resources were appropriate. Commenters that responded to this question generally supported the quality objectives. One commenter suggested that the risks associated with the resources component are greater and that a prescriptive approach would be warranted. The Board believes the combination of quality objectives and specified quality responses appropriately provides for scalability and prescriptiveness.
Under QC 1000, a firm is required to establish quality objectives for the resources component in several different areas:
- People;
- Technological resources;
- Intellectual resources; and
- Resources from a network or third-party provider.
i. People (QC 1000.44.a-.g)
The quality objectives in QC 1000.44.a-.b are similar to the personnel management element of quality control addressed in QC 20 and QC 40, and the Board adopted them as proposed with one change. The proposed standard included a note that describes what competence comprises—knowledge, skill, and ability—which is derived from QC 40.04. Two commenters suggested deleting the last sentence in the note, which as proposed stated that “The measure of competence is qualitative rather than quantitative . . .,” on the basis that it would discourage the use of quantitative performance metrics. The Board believes that QC 40 should be understood as saying, not that quantitative measures are wholly irrelevant, but that competence is not measured exclusively on a quantitative basis because quantitative measurement alone may not accurately reflect the nature of experience gained over time. The note in the final standard has been revised to clarify that competence can be measured both qualitatively and quantitatively.
See QC 40.04 (competencies are not measured by periods of time because such quantitative measurement may not accurately reflect the kinds of experiences gained in any given time period).
These two quality objectives work together in addressing competence from the perspective of both the firm and individual. The firm and its personnel have responsibilities for developing and maintaining competence that will support the operation of the firm's QC system and the performance of the firm's engagements in accordance with applicable professional and legal requirements and the firm's policies and procedures.
Understanding the competence needed to carry out responsibilities for the operation of the firm's QC system and the performance of the firm's engagements assists a firm in identifying its personnel needs. This understanding also assists a firm in identifying areas for personnel development. Competence can be developed through an appropriate combination of education, professional experience in accounting and auditing with proper supervision, and training such as CPE.
A commitment to quality can be demonstrated through a person's actions and behaviors, including consistent adherence to firm policies and procedures, demonstrating key professional attributes like objectivity, integrity, and due professional care, and taking the initiative to develop and maintain competence. Conversely, a lack of commitment to quality can be seen through actions and behaviors such as inconsistent compliance with professional standards, cheating on professional development and compliance exams, or a “check the box” approach to professional development.
The quality objectives in QC 1000.44.c-.e address the assignment of firm personnel and individuals who are other participants, in the firm's engagements, QC roles, and other firms' engagements. As discussed previously, the firm's people resources may include firm personnel (generally, employees of the firm) or resources from outside the firm (other participants). For example, EQRs or personnel at service centers may be considered either firm personnel (if employed by the firm or functioning as firm employees) or other participants (if contracted by the firm). One commenter was concerned that the inclusion of other participants in the firm's QC system may create cross-jurisdictional legal issues, such as employment information that may be protected by privacy laws. The Board believes it is important for the QC system to assess the competence of other participants, which may include having policies and procedures on what to do if the firm is unable to make such assessment due to legal issues. One commenter mentioned that the responsibilities related to the use of specialists engaged by the firm, other auditors, and internal auditors providing direct assistance are addressed in existing auditing standards as engagement team responsibilities and are not needed within this quality objective. While it is acknowledged that there are auditing standards that address those topics at the engagement level, the quality objectives relate to the firm's processes for assigning the appropriate individuals to engagements and QC activities.
See QC 1000.A5 and .A7.
One commenter emphasized the need for firm resources to have time to fulfill their assigned responsibilities. Another commenter suggested a prescriptive approach to human capital management, including monitoring assignments and time requirements, utilization, and engagements with high turnover and workloads. Given the wide range of firms based on their size, scope, and nature of practice, the Board does not believe prescriptive requirements in this area are appropriate. The Board clarified paragraphs .44c and .44e by adding “needed” to the quality objective to increase the focus on sufficient competency, objectivity, time, and when appropriate, the authority needed to fulfill their assigned responsibilities. The PCAOB has also separately proposed new reporting requirements regarding firm and engagement metrics that, if adopted by the Board and approved by the SEC, would enhance transparency about, among other things, firms' human capital management.
See PCAOB Rel. No. 2024-002.
The quality objectives focus on three key aspects of the ability to fulfill the assigned role: competence, objectivity, and time. Individuals need to have competence to fulfill their assigned roles in accordance with applicable professional and legal requirements and the firm's policies and procedures. As previously discussed, both the individual and the firm play a part in developing a person's competence. The ability to maintain objectivity is essential to performing QC activities or engagements; a lack of objectivity may, for instance, create an unconscious bias that directly affects quality. Individuals' ability to devote appropriate time to their assignments also affects quality.
In addition to the competence, objectivity, and time needed to perform engagement and QC activities, individuals need to have the requisite authority to perform effectively. In the context of engagement activities, the auditing standards already provide authority structures with respect to, for example, supervision and the responsibilities of the engagement partner, and those standards are augmented by firm policies on matters such as consultation. For QC activities, the need for appropriate authority is specified in the quality objective.
The QC 1000.44.f quality objective to comply with the firm's policies and procedures did not attract comment and was adopted as proposed.
This quality objective is based on a concept embedded in QC 20: that firm personnel should adhere to the firm's own standards of quality. The Board believes that this should remain among the firm's objectives, and also that it would play an important role in the operation of the QC system under QC 1000.
The firm's QC-related policies and procedures are essential to the proper functioning of an effective QC system. By definition, those policies and procedures are the “quality responses” the firm has designed and implemented to address quality risks. Firm personnel need to understand those policies and procedures and operate in compliance with them in order for the QC system to operate as designed and achieve its objectives. Additionally, firm personnel need to understand and comply with firm policies and procedures in order for the firm's work on its own engagements and other firms' engagements to be performed appropriately.
Evaluations help support and promote the continuous development of the competence of firm personnel. Some commenters, generally investor-related groups, suggested the standard address incentives in partner compensation relative to quality control systems and weight it at least as much as revenue growth. After considering comments, the Board revised paragraph .44g to add “including through compensation plans and decisions in which quality considerations play a critical part.” The Board believes this change will prompt firms to appropriately weight quality concerns in their organization-wide compensation plans and individual compensation decisions. The Board believes this change, along with the change to the quality objective in paragraph .25b, should result in firms giving appropriate weight to quality in compensation plans and decisions regarding performance for both firm leadership and firm personnel.
The quality objective contemplates that evaluations should be performed at least annually. Many firms currently utilize an annual performance review process in order to facilitate such evaluations. A firm may have multiple quality responses to address the quality risks associated with the different types of firm personnel. For example, non-employee contractors and consultants, who work under the firm's supervision or direction and control and are considered firm personnel, may be evaluated through the contracting process to determine whether the firm should retain them. The quality objective does not specify the format of or approach to periodic evaluations.
The quality objective in QC 1000.44.g, which refers to accountability and incentives, is principles-based, and firms will be able to design and implement incentive systems based upon their nature and circumstances. The “appropriate standards of conduct” identified in the quality objective include fulfilling engagement and QC responsibilities with competence, integrity, objectivity, and due professional care and complying with applicable professional and legal requirements and the firm's policies and procedures, as described in paragraph .46 of the standard.
ii. Technological Resources (QC 1000.44.h)
Technological resources cover many aspects that collectively comprise a firm's technological environment, including information technology applications, infrastructure, and processes (e.g., firm processes to manage access to the IT environment, program changes, changes to the IT environment, or IT operations). Technological resources may be developed by the firm or obtained, for example, from the firm's network or a third-party provider.
The nature and extent of the use of technological resources differs across firms. For example, some audit firms are making significant investments in technological resources and expanding their use of technology-based audit tools, such as software used to perform data analytics or to access information from a distributed ledger. Some technology facilitates the operation of firms' QC systems, such as monitoring individual financial investments for purposes of compliance with independence rules. The availability of “off-the-shelf” technological resources continues to evolve, leading to an increase in firms of all sizes employing technology to assist in operating their QC systems or planning and performing engagements.
The quality objective in QC 1000.44.h highlights that the proper use of technological resources, in a manner that enables the operation of the firm's QC system and the performance of its engagements in accordance with applicable professional and legal requirements and the firm's policies and procedures, is the firm's responsibility. The proposal asked if the quality objective and specified quality responses related to technological resources provide sufficient direction to enable the appropriate use of emerging technologies. Commenters that addressed this question, generally firms, indicated the proposed quality objectives and specified quality responses provide sufficient direction. One commenter suggested that the standard does not create incentives to use technology to improve audit quality.
The technology environment is dynamic, and firms' use of technological resources will likely continue to evolve in the future. The Board believes that principles-based standards are more adaptable to future developments, less likely to become obsolete, and less likely to discourage the use of emerging technologies. As a result, QC 1000 does not include any prescriptive requirements related to how firms address emerging technology. Instead, it includes a risk factor to prompt consideration of technology as part of the firm's risk assessment process. Separately, the Board has proposed certain amendments to PCAOB auditing standards that address certain aspects of designing and performing audit procedures using technology-assisted data analysis of information in electronic format.
See paragraph .20a.(1)(e) and Appendix B paragraph .B6 of QC 1000.
See Proposed Amendments Related to Aspects of Designing and Performing Audit Procedures that Involve Technology-Assisted Analysis of Information in Electronic Form, PCAOB Rel. No. 2023-004 (June 26, 2023).
The Board adopted the technological resources quality objective as proposed. The Board believes the risk-based approach creates incentives for firms to obtain or develop, implement, maintain, and use technological resources throughout the firm based on the size and nature of the firm.
iii. Intellectual Resources (QC 1000.44.i)
The quality objective in QC 1000.44.i related to intellectual resources did not attract comment and was adopted substantially as proposed. The Board revised the note to add “to enable the operation of the firm's QC system,” consistent with the quality objective.
Intellectual resources generally include the information the firm uses to promote consistency in the execution of the firm's QC system and the performance of engagements. Intellectual resources may be made available through a variety of media, including via written manuals or technological resources (e.g., the firm's methodology may be embedded in the information technology application that enables the operation of the firm's QC system and facilitates the performance of the engagement).
Intellectual resources may be obtained or developed internally, or acquired externally (for example, a commercially available audit or QC methodology or a subscription data feed). Regardless of how intellectual resources are acquired, the firm remains responsible for ensuring they are fit for purpose and properly implementing and maintaining them. For example, if a firm acquired its QC methodology from a vendor, the firm is responsible for choosing a methodology and implementing it (including appropriately identifying risks and designing, implementing, and operating appropriate responses) in a way that enabled the firm's engagements to be properly performed and the firm's QC system to operate in accordance with QC 1000. If a firm developed methodology to direct the performance of its engagements in accordance with applicable professional and legal requirements, and a new auditing standard were issued after that methodology was implemented by the firm, the methodology would need to be updated to properly address the applicable professional and legal requirements.
The quality objective related to intellectual resources in the final standard is similar to the technological resources quality objective, as both objectives relate to resources enabling the operation of the firm's QC system and the performance of its engagements in accordance with applicable professional and legal requirements and the firm's policies and procedures.
iv. Resources From a Network or Third-Party Provider (QC 1000.44.j)
In some circumstances, the firm may use resources provided by a network or a third-party provider. Such resources may include methodologies, applications, and tools used in the firm's QC system or the performance of its engagements.
The proposal included a quality objective in QC 1000.44.j related to the resources provided by a network or a third-party provider. One commenter requested the objective be broken into two quality objectives, as a firm's approach to each of these groups may be significantly different. The Board agrees that a firm's approach to resources provided by the network may be different from resources provided by a third-party provider, and that the approach to different types of third-party providers could also vary. But the Board does not believe that such differences compel separate quality objectives. A firm may identify multiple quality risks and develop multiple quality responses related to a single quality objective.
For example, a firm may use multiple third-party providers for a variety of different resources, such as an audit methodology provider or a confirmation intermediary. If these different types of third-party providers or resources present different risks, the firm would be required to develop different quality responses. In that scenario, the firm could have different policies and procedures applicable to different types of third-party providers and/or different types of resources. A firm that is not affiliated with a network is not required to establish a quality objective related to network-provided resources and therefore would not identify quality risks or related quality responses.
Notwithstanding that a firm may use resources from a network or a third-party provider, the firm remains responsible for the use of these resources in the QC system and performance of its engagements.
Consideration of the nature of the resources provided by the network or third-party providers, how and to what extent the resources will be used, and the general characteristics of the third-party provider will assist the firm in determining whether it needs to supplement or adapt such resources. For example, the firm may obtain its methodology from a third-party provider under an arrangement whereby the third-party provider agrees to update the methodology when new standards are issued. In this scenario, the firm remains responsible for verifying that such changes are incorporated into the methodology and supplementing the methodology if such changes are not made, so that the firm's resources support its performance of compliant engagements. As another example, the firm may obtain a service from a third-party provider that provides a System and Organization Controls 1 (SOC 1) report. The firm would be responsible for verifying that the controls are designed effectively at the third-party provider and for designing and implementing any complementary user entity controls identified in the report.
The firm is also responsible for taking any necessary actions in using a resource from a network or third-party provider to enable the resource to function effectively. For example, the network or third-party provider may need information related to the firm's restricted entities so that it can facilitate independence confirmations. In addition, if the firm discovered a problem with the design or operation of the resource, it may need to communicate such problems to the network or third-party provider so that the resource can effectively operate.
b. Resources Specified Quality Responses (QC 1000.45-.51)
The proposal asked if the specified quality responses for resources were appropriate. Two commenters that addressed this question supported the specified quality responses. Two other commenters objected that the specified quality responses were too prescriptive and suggested they be rewritten as risk-based quality objectives.
One commenter stated that certain of these requirements relate closely to auditing standards and requested clarity on how QC 1000 is intended to interact with engagement-related auditing standards. QC 1000 focuses on firm-level controls over compliance with auditing standards, including those related to engagement performance.
The Board adopted the specified quality responses as proposed, with one modification suggested by commenters. These specified quality responses carry provisions from the PCAOB's existing QC standards into QC 1000 or establish firm-level requirements that align with existing engagement-level requirements. They also include new requirements that the Board believes are important to a firm's QC system.
The specified quality response related to appropriate standards of conduct did not attract comment and was adopted as proposed.
The reference to “appropriate standards of conduct” reflects a number of concepts in existing PCAOB standards, including:
- Complying with applicable professional and legal requirements and the firm's policies and procedures.
Firm personnel are individually responsible for complying with the firm's standards of conduct, and the firm's policies and procedures around these standards of conduct are intended to result in firm personnel being held accountable for their behavior and actions. This includes evaluating firm personnel's adherence to such standards of conduct, addressing deviations, and holding personnel accountable for fulfilling their engagement and QC responsibilities, including through the firm's incentive system. The Board believes the standards of conduct included in this specified quality response are foundational to fulfilling not only engagement responsibilities, but also QC responsibilities.
QC 40 addresses requirements regarding the competencies of engagement partners and, by extension, EQRs. The proposed standard, in QC 1000.47, required that firms' QC policies and procedures address certain enumerated competencies, as well as other competencies as necessary in the circumstances. Some commenters suggested that the competencies identified in proposed paragraph .47a-h be moved to a quality objective or staff guidance and argued that they were redundant to the auditing standards. The Board believes that the competencies in paragraph .47 are applicable to all firms and accordingly are appropriate as specified quality responses. One commenter asked for clarification of the expectation of “including an understanding of” and suggested that the standard include consideration of “other competencies as necessary in the circumstances,” consistent with QC 40.08. The Board believes that auditors should be familiar with the concept of obtaining an understanding, and notes that the construct of QC 40 is a restrictive list whereas the list of competencies in this requirement is identified as “including” and not intended to be comprehensive, so the Board does not believe a reference to other competencies is necessary.
See, e.g., QC 40.08; AS 1220.05.
One commenter indicated that the firm would not be in a position to impose the specific requirements in paragraph .47 on individuals that are not part of the firm. The Board has narrowed the requirement to apply only to firm personnel, rather than “others participating in an engagement,” as proposed. It is noted, however, that other quality objectives, such as those in paragraphs .44c and .44e, continue to apply with respect to individuals outside of the firm as well as firm personnel. As discussed in more detail above in the Acceptance and Continuance of Engagements discussion, the Board also revised “client” to “company” in paragraph .47.
Paragraph .47 of QC 1000 both expands the required competencies for engagement partners and requires certain competencies for other firm personnel in engagement roles commensurate with their responsibilities. This includes applying existing requirements for engagement partners—an understanding of, among other things, the importance of exercising sound judgment, the role of the firm's QC system in the performance of engagements, and the industry in which the company operates—to everyone in an engagement role, at a level commensurate with their responsibilities.
To reflect changes in the environment since the existing QC standards were issued, the Board required competencies related to understanding the subject matter of attestation engagements, the internal control framework and technology used by the company, and the technological and intellectual resources used in performing engagement procedures. Regarding technological and intellectual resources, the Board required an understanding of how and whether it is appropriate to use these resources in performing the engagement. This specified quality response does not imply that the engagement partner or other firm personnel participating on an engagement need to be knowledgeable about how such resources are developed.
QC 20 provides that policies and procedures are required to be established to provide the firm with reasonable assurance that personnel participate in CPE and other professional development activities that enable them to fulfill responsibilities assigned and satisfy applicable CPE requirements. In addition, SECPS member requirements provide that member firms are required to ensure that (1) all professionals in the firm residing in the United States, including CPAs and non-CPAs, participate in at least 20 hours of qualifying CPE every year and at least 120 hours every three years and (2) professionals who devote at least 25 percent of their time to performing audit, review or other attest engagements, or who have the partner- or manager-level responsibility for the overall supervision or review of any such engagements, must obtain at least 40 percent (eight hours in any one year and 48 hours every three years) of their required CPE in subjects relating to accounting and auditing.
See QC 20.13; QC 40.02, .05.
See SECPS 1000.08(d), 8000. The SECPS member requirements provide that “accounting and auditing subjects” should be broadly interpreted, and include, for example, subjects relating to the business or economic environments of the entities to which the professional is assigned.
Through the PCAOB's oversight activities, the Board has observed situations where a lack of understanding of professional standards appears to have contributed to audit deficiencies. These problems have been observed in domestic firms and international firms, including firms that were not SECPS members.
One commenter requested the standard set out more specific requirements with respect to training, identify areas or categories that must be regularly addressed, and not eliminate the CPE obligation in the existing standard. Another commenter requested the standard include minimum requirements related to training of audit staff. The Board believes it is important for firms to provide training focused on areas where firm personnel need to develop or maintain their competence so that they may fulfill their QC and engagement roles. If the Board were to set specific requirements with respect to training, firms may not evolve their training over time to respond to changes in the firm or in the needs of firm personnel. The Board maintained the principles-based approach to training.
Under the specified quality response in QC 1000.48, the firm is required to provide training, including training on applicable professional and legal requirements, that is mandatory for all firm personnel on an annual basis. This specified quality response provides firms the ability to determine the type and extent of training necessary based on their personnel and the nature and circumstances of the firm and its engagements. For example, a firm may determine that training is necessary on a wide array of topics for a certain level of staff within the firm. Another firm may determine that training is necessary for one or more staff in a certain area due to a new engagement or as a result of an area of development identified as part of a performance evaluation. A firm may also decide that it is necessary to repeat training as a periodic reminder of existing requirements, such as those relating to internal control over financial reporting. Ultimately, the type and extent of training should be directed at whatever is necessary to enable firm personnel to fulfill their assigned QC and engagement roles in accordance with applicable professional and legal requirements and the firm's policies and procedures.
This specified quality response in QC 1000.49 did not attract comment and was adopted as proposed.
This specified quality response relates to the quality objective in paragraph .44g., which provides that firm personnel are evaluated at least annually, incentivized to fulfill their assigned responsibilities and adhere to appropriate standards of conduct, including through compensation plans and decisions regarding performance that appropriately prioritize quality considerations, and held accountable for their actions and failures to act.
Specific to the individuals assigned ultimate responsibility and accountability for the QC system as a whole and operational responsibility and accountability for the QC system as a whole, the firm's periodic performance evaluations of these individuals are required to take into account the results of the firm's evaluation of its QC system. A firm will be able to determine its approach to comply with this specified quality response. For example, the firm may set targets and measure the outcome of the evaluation of the QC system against those targets. As another example, the firm may consider the individual's actions taken in response to identified QC deficiencies or major QC deficiencies, including the timeliness and effectiveness of such actions. The periodic performance evaluation of these individuals may be informal in a less complex firm or undertaken by a special committee in a more complex firm.
Evaluation of a firm's QC system is addressed in paragraphs .77-.78 of QC 1000 and discussed below.
No comments were received on the specified quality response in QC 1000.50 and it was adopted as proposed.
Laws or regulations may establish requirements for the professional licensing or other qualifications of the firm and firm personnel. Under this specified quality response, the firm is required to have policies and procedures regarding licensure such that the firm and firm personnel hold the required licenses or qualifications. The policies and procedures address such matters as (1) the jurisdiction(s) where firm and firm personnel are required to hold licenses or other qualifications, and (2) whether the firm and such firm personnel comply with the jurisdictions' requirements.
The quality objective in paragraph .44h. provides that technological resources are obtained or developed, implemented, maintained, and used to enable the firm's QC system and the performance of its engagements. As part of the firm's quality response to this quality objective, the firm's technological resources should also have the characteristics described in paragraph .51. One commenter stated that the quality objective in proposed paragraph .44h is sufficient and this specified quality response should be removed. The Board believes the firm's policies and procedures should address its technological resources having the capacity (resource requirements for the necessary output), integrity (guarding against improper information modification), resiliency (ability to operate and recover under adverse conditions), availability (ensuring timely and reliable access to and use of information), reliability (ability to function consistently), and security (protection against intentional subversion). These characteristics enable the ongoing operation of the firm's QC system and performance of its engagements. The Board believes this specified quality response provides additional direction and has retained it in the final standard.
See National Institute of Standards and Technology Glossary, available at https://csrc.nist.gov/glossary.
Also related to technology, the proposal asked if the standard should include a specified quality response that would require the use of technological resources by the firm to respond to the risks related to the use of certain technology by the companies for which the firm performs engagements. Several commenters did not support inclusion of such a specified quality response. One commenter requested a requirement to design and implement controls to prevent unauthorized access to data and technology. The Board did not make any changes or additions to the quality objective or specified quality responses related to technological resources because it believes the more general provisions appropriately address this issue, and more specific provisions are at risk of quickly becoming outdated as technology evolves.
2. Current PCAOB Standards
QC 1000 largely covers the same areas addressed in QC 20 and QC 40 for personnel management and assignment of responsibilities. Existing PCAOB QC standards do not provide specific direction on the use of intellectual resources or technological resources, except for one application regarding independence.
See QC 20.13 and .22.
See SECPS 1000.46 (requirement 4).
Information and Communication
This component addresses the firm's processes for obtaining, generating, sharing, and using information to enable the design, implementation, and operation of the QC system and the performance of the firm's engagements, and for communicating information within the firm and to external parties. As discussed in more detail below, the Board made some changes in response to commenter input but adopted most provisions as proposed.
Other aspects of the standard also include specific provisions regarding communication (see, e.g., paragraphs .16-.17 in Roles and Responsibilities, and paragraphs .31 and .35 in Ethics and Independence).
1. QC 1000
The information and communication area of the firm's operations serves the critical function of generating, gathering, and disseminating the information needed for the firm, including the QC system, to function. The process of determining information needs is iterative and ongoing; as the nature and circumstances of the firm change, information needs also change. The information and communication component of the QC system operates over this area of the firm's operations.
One firm suggested that the information and communication component refer to “relevant and reliable” information to convey that not all information is intended to be obtained and disseminated to the relevant individuals or roles. The firm disagreed that relevance and reliability is implied within the context of the proposed requirements, and argued that the term “information” needs parameters and qualifying language to provide boundaries to the vast amount of information that exists or could be created in the context of a firm's QC system. The firm further argued that without appropriate qualifiers, the breadth of information to be considered and/or communicated within a QC system will inhibit firm leaders from identifying and focusing on information most relevant to the successful operation of the QC system. As discussed in the proposal, in determining specific information to be communicated to firm personnel, including the nature and extent of such communication, the firm may consider the type of information that is relevant to the recipients given their roles and responsibilities within the firm. The Board continues to believe that information would have to be relevant and reliable to support the operation of the firm's QC system and the performance of the firm's engagements in accordance with applicable professional and legal requirements, so that a reference in the standard to “relevant and reliable” information is unnecessary.
a. Information and Communication Quality Objectives
The standard requires the firm to establish a number of quality objectives for the information and communication component. These objectives are discussed in more detail below. One firm commented that, as the proposed quality objectives for information and communication are broadly consistent with other jurisdictional and international quality control/management standards, they are appropriate, and no further changes are needed.
i. Identifying, Capturing, Processing, and Maintaining Information (QC 1000.53.a)
Identifying, capturing, processing, and maintaining information is an ongoing process necessary to support the firm's QC activities and the performance of its engagements in accordance with applicable professional and legal requirements. Information systems vary from firm to firm and encompass various sets of activities involving people, processes, data, or technology, or some combination thereof. Some firms' information systems may be heavily reliant on IT aspects while other information systems may require more manual intervention. Firms are able to determine the type of information systems necessary to achieve their quality objectives.
One commenter suggested that the information and communication component could be enriched by explicitly integrating academic audit and accounting studies as a vital source of information to be used by firms to inform their QC system. The Board believes that the quality objectives within the information and communication component sufficiently establish the desired outcomes for the identification of external information to support the operation of the firm's QC system. A firm may determine that the conclusions of certain academic studies inform the design or operation of its QC system. Furthermore, depending on the nature and circumstances of the firm and its engagements, the firm may consider any applicable academic studies in the firm's risk assessment process as it obtains an understanding of the conditions, events, and activities that may adversely affect the achievement of its quality objectives. The requirement was adopted as proposed.
ii. Exchange of Information (QC 1000.53.b-.c)
Information is essential to firm personnel being able to understand and fulfill their responsibilities relating to the QC system and the performance of the firm's engagements. For example, through the Board's oversight activities, it observed improved audit quality when there was regular, consistent communication among members of the engagement team. The quality objective prompts firms to tailor the nature, timing, and extent of information communicated based on firm personnel's responsibilities, including those related to the firm's policies and procedures.
See, e.g., 2019 Inspection Observations Preview at 5.
Communication is generally an ongoing process that involves all firm personnel. For example, the firm communicates information to engagement teams, such as information obtained during the firm's acceptance and continuance process that is relevant in performing the engagement. Engagement teams also communicate information to the firm—for example, information about the company obtained during engagement performance that may assist the firm when evaluating whether to continue the engagement. Two-way communication may also occur among firm personnel. For example, firm personnel performing engagements may exchange information directly with firm personnel performing activities within the firm's QC system, such as information to facilitate compliance with the firm's independence policies and procedures. The standard emphasizes the need for two-way communication within the firm and the responsibility of all firm personnel to communicate information.
One commenter addressed the quality objectives set out in paragraphs .53b.-.53c. of the proposed standard related to the timely exchange of information between firm personnel and leadership, including those with responsibilities for the firm's QC system. The commenter recommended that the final release clarify that the firm's policies and procedures assist in promoting communication such that the appropriate individuals with responsibilities over the firm's QC system become aware of relevant matters in a timely manner, as appropriate for the size and the scale of the firm and relative nature of the matter. As discussed above, the Board believes timely communication and action should be sufficiently prompt to achieve its objective and that timeliness is a function of the nature and significance of the issue. These requirements were adopted as proposed.
iii. External Parties (QC 1000.53.d-.e)
There are many circumstances in which firms communicate information about themselves and their performance to external parties. Some external communications are required by law or regulation, such as the transparency reporting that is required in some jurisdictions, and others are made by firms voluntarily, for example, in connection with marketing or recruitment efforts.
The standard requires the firm to establish a quality objective that addresses communications to external parties in accordance with applicable professional and legal requirements. This quality objective focuses firms on providing the necessary communications to external parties when required. Among other things, this objective (paragraph .53d.) covers the completeness, accuracy, and timeliness of a firm's existing annual and periodic reporting to the PCAOB (i.e., Forms 2 and 3, Form AP, and Form QC). It would also cover reporting under the Board's proposed revised reporting requirements and metrics requirements if those are ultimately adopted by the Board and approved by the SEC.
See PCAOB Rel. No. 2024-002.
An investor expressed concern with the absence of references to investors or the public from the examples of external parties, and further commented that the proposal makes no mention of the role of quality control with respect to critical audit matters. This provision relates to communications to external parties that are required under applicable professional and legal requirements. Under current requirements, the only required communication from the audit firm to investors is the audit report. Audit reporting is part of engagement performance, is covered by a separate quality objective relating to engagement performance, and is not addressed by this quality objective. To the extent that a communication to a regulator is ultimately available to the public (as is the case with, for example, various forms filed with the PCAOB), such communications would be covered by this quality objective, thus providing downstream benefits for investors and the public.
See paragraph .42a.(3): “Responsibilities are understood and fulfilled . . ., including, as applicable . . . Responsibilities for reporting and other communications with respect to the engagement.”
A firm recommended that the scope of the requirement be limited to information or communications regarding a firm's audit practice and engagements performed in accordance with PCAOB standards. As discussed in more detail above, the definition of applicable professional and legal requirements in the final rule has been more narrowly tailored to address engagements, as defined in QC 1000, and the QC system itself. The Board believes this change addresses the commenter's concern about the possible overbreadth of the quality objective, and the Board adopted it as proposed.
The PCAOB also observed that some firms make public communications about firm-level or engagement-level information, such as firm metrics and financial data. For example, some firms publish transparency or audit quality reports, either voluntarily or in response to the requirements of other jurisdictions, that contain data such as:
- Revenue breakdown by service line, by year, or by geographic segment;
- Professional staff ratios;
- Staff turnover ratios;
- Average training hours per professional; and
- Partner workload.
In addition to transparency or audit quality reports, firms may communicate these data via web pages or other media, such as promotional publications, social media, interviews, or presentations via webcast or video. Furthermore, if adopted, the Firm and Engagement Metrics proposal will require firms to publicly report certain metrics relating to their audits and their audit practices.
Regardless of the form of communication and the type of information presented, the Board believes that firms' QC systems should address the integrity of firms' external communications about themselves and the performance of their engagements. Such information can influence the views of relevant stakeholders, including audit committees determining whether to engage or retain an auditor and investors determining whether to ratify such an appointment.
The proposed standard contemplated that the firm would establish a specific quality objective that firm-level or engagement-level information communicated externally is accurate and not misleading and, with respect to any performance metrics, that the communication explains in reasonable detail how the metrics were determined and, if applicable, how the metrics or the method of determining them changed since performance metrics were last communicated. The Board's view is that a specific quality objective in this area will prompt firms to implement targeted policies and procedures that address, for example, the quality and consistency of data and the need for context or explanation. This in turn will improve the informativeness, reliability, and comparability of such communications and avoid misleading the intended audience.
Several commenters, including firms and related groups, broadly supported the quality objectives or agreed that it is important to address communications to stakeholders about a firm's or engagement's performance, and that such communications should be accurate and not misleading. However, many of the commenters on this topic raised concerns with regard to the proposed quality objective addressing the firm's external communications relating to metrics.
Several commenters suggested that additional clarification be provided on the metrics and communications that are in scope for the quality objective. Some commenters recommended that the scope of the requirement be limited to metrics related to audit quality that are required to be communicated under applicable professional, legal, or other regulatory requirements and are communicated publicly. One firm recommended that the scope of metrics be limited to those related to the effectiveness of the firm's QC system or audit quality, and that the scope of the communications be limited to “formal” external reporting such as audit quality reports, transparency reports, communications with audit committees, and other published reports. Another firm recommended that the external communications in scope for the objective should be limited to communications externally about audit quality and should not extend to other external information issued by the firm that is not specifically related to audit quality such as marketing communications or recruiting information. The firm further argued that this limitation on scope to only audit-quality-related external communications should also apply to the communication of how metrics were determined and explanations of year-on-year changes. Another firm recommended that the scope be limited to information or communications regarding a firm's audit practice and engagements performed in accordance with PCAOB standards.
One firm expressed concern regarding firms' ability to design and implement quality responses to address the risk of every type and form of information communicated given the broad scope of the requirement. The firm recommended that the scope should be limited to information resulting from and regarding the evaluation of the firm's QC system, which will allow firms to focus efforts on the information that is most meaningful to stakeholders, which in turn will enhance the reliability of such information.
One firm commented that in addition to recommending limiting the quality objective to engagements performed under PCAOB standards that would be subject to the firm's QC system, it may not be practicable to communicate in reasonable detail how a metric was determined in all situations (e.g., if the metric was provided in a speech). The firm asserted that it should be allowed to present the information about how a metric was determined and, if necessary, how it changed, in a single, publicly available location (e.g., on the firm's website). One firm commented that the level of disclosure that would be required may create confusion or may not ultimately be necessary, in particular in instances when the metric does not relate to audit quality. Further, the firm stated that the disclosures may conflict with requirements that may apply to registered firms outside of the U.S. Another firm recommended that the words “explains in reasonable detail how the metrics were determined and, if applicable, how the metrics or the method of determining them changed since performance metrics were last communicated” be removed from the quality objective. The firm asserted that this requirement may discourage smaller firms from including many quality metrics in their audit quality, transparency, and similar reports given limited time and resources available to produce their voluntary report. Some commenters, including firms and a related group, recommended that considerations related to metrics in QC 1000 be taken up as part of the PCAOB's research project on firm and engagement performance metrics.
After consideration of the comments received, the Board continues to believe it is appropriate that all firm communications to external parties regarding themselves and their audit practice, in whatever medium, meet the minimum standard of being accurate and not misleading.
However, in response to commenters, the Board clarified the quality objective in certain respects. It has clarified that the quality objective is limited to communications regarding the firm's audit practice, firm personnel, or engagements and removed the word “performance” from the phrase “performance metrics,” to align with the terminology used in the Board's proposed metrics requirements. Additionally, the Board revised the quality objective to provide that only metrics communicated in writing require an explanation of how the metrics were determined and, if applicable, how the method of determining them changed since metrics were last communicated. The Board believes this will address commenter concerns about the feasibility of providing such explanations for metrics communicated orally. In addition, the Board removed the requirement to explain in reasonable detail, if applicable, how the metrics themselves have changed since they were last communicated. The Board believes that requiring an explanation of how the metrics were determined and, if applicable, how the method of determining the metric changed since it was last communicated will enhance the understandability and comparability of the metrics made available to external parties. However, the Board does not believe it to be necessary to require narrative discussion of numeric changes in the metric period over period if there has been no change in the underlying calculation method.
See PCAOB Rel. No. 2024-002.
These disclosures may be incremental to requirements that could apply to registered firms outside of the U.S.; however, the Board does not believe that these requirements will operate in conflict. The Board has observed variation and complexities in how metrics are defined and calculated by firms, as well as changes in the calculation method over time such that it believes this quality objective is necessary to improve the informativeness, reliability, and comparability of such communications and avoid misleading the intended audience. In addition, over 100 unique qualitative disclosures and quantitative audit quality metrics have been observed by the Center for Audit Quality (“CAQ”) in its analysis of the CAQ's eight Governing Board firms' most recent audit quality reports. The Board believes this indicates both a demand for and an ability to supply metrics, which further emphasizes the need for consistency and comparability of the metrics.
See Audit Quality Reports Analysis: A Year in Review, available at https://www.thecaq.org/aqr-analysis-yir/.
The Board considered whether it would be appropriate to allow for additional disclosures relating to metrics to be presented in a single public location such as the firm's website. However, the Board believes that by limiting the requirement to written communications, it has eliminated the concern about how to present such information with respect to an oral communication, and given the importance of the information to the intended audience, that this should be presented in the same written communication as the disclosed metrics.
The Board received feedback from a number of commenters, including investors and related groups, criticizing the proposal for failing to include required metrics or audit quality indicators. The Board has proposed a separate standard on firm and engagement metrics and it has addressed these comments in that proposal.
See PCAOB Rel. No. 2024-002.
iv. Networks (QC 1000.53.f)
If the firm belongs to a network, exchange of information between the firm and the network may play an important role in supporting the operation of the firm's QC system and the performance of its engagements. For example, if the network performs certain monitoring activities relating to the firm's QC system, the network's communication of information (e.g., results of its monitoring activities or any changes to its activities from the prior year) may result in the firm adjusting the nature, timing, and extent of its own monitoring activities. On the other hand, the firm may need to communicate to the network when there are changes to the firm's QC system that may affect the network's monitoring activities.
The Board did not receive comment on the proposed quality objective relating to the exchange of information between a firm and a network and adopted it as proposed.
v. Other Participants (QC 1000.53.g-.h)
Many firms have increasingly involved parties outside the firm in QC functions, such as independence compliance, and engagement functions, such as performing audit procedures and evaluating audit evidence. Working with other participants can differ from working with individuals within the firm. For example, auditor-engaged specialists may have different professional training and experience and may operate under a different type of QC system, or none at all. Firms may experience differences in local norms and expectations when working with firms based in other jurisdictions. These and other factors give rise to risks in the communication between firm personnel and other participants, including the potential for misunderstandings regarding the audit effort needed to meet the objective of the other participant's work. It is therefore imperative that appropriate communications take place between the firm and other participants to enable the other participants to understand and carry out their responsibilities relating to activities within the firm's QC system and the performance of its engagements in accordance with applicable professional and legal requirements and the firm's policies and procedures.
AS 1210 establishes requirements regarding the use of a specialist engaged by the auditor's firm (“auditor-engaged specialist”) to assist the auditor in obtaining or evaluating audit evidence with respect to a relevant assertion of a significant account or disclosure.
See, e.g., PCAOB Rel. No. 2022-002.
The Board broadened the language of the quality objective to clarify that it applies to the use of participants in both the firm QC system and in engagements.
For other participants that are firms, the Board proposed that information obtained from the other participants should include the conclusion of the most recent evaluation of its QC system and a brief overview of remedial actions taken and to be taken, as well as a footnote clarifying that the most recent evaluation of the other participant firm's QC system refers to that firm's evaluation under paragraph .77 of QC 1000 as of the most recent evaluation date, if such an evaluation was performed, and otherwise to the most recent QC evaluation performed by the other participant firm under any professional standard.
See, e.g., ISQM 1 paragraphs .53-.54; and SQMS 1 paragraphs .54-.55.
One commenter stated that audit firms monitor the quality of member firms but have typically been reluctant to share negative information about a member firm, and that requiring transparency in such information would be beneficial. However, several firms and related groups expressed concerns about the impact of having other participant firms share the most recent evaluation of their QC system based on the confidentiality protections set out in Sarbanes-Oxley or other relevant local laws and regulations. Two firms commented that these concerns would be alleviated if the definition of QC deficiency was updated to align with the definition in ISQM 1 and SQMS 1. One firm commented that the proposed quality objective addressing information and communication related to other participants is appropriate; however, if information is to be shared at the deficiency level, the firm is concerned that this would violate the confidentiality provision within Sarbanes-Oxley. Another firm suggested limiting the extent of information shared to only what is necessary for firms to achieve the reasonable assurance objective. This firm agreed with obtaining and considering the other participant firm's overall conclusion of the most recent evaluation of the QC system; however, it argued that this should not include information regarding deficiencies, if any, and remedial actions taken and to be taken. Some commenters argued that firms should be able to take a risk-based approach in determining whether it is necessary to request specific information regarding an other participant firm's QC system.
One firm-related group argued that certain international legislation may be an issue for firms when reporting clients' or individuals' personal information. The commenter further expressed concerns that those firms applying QC 1000 fully and reporting thereunder may be selected in preference to those using other standards. Another firm-related group expressed concern that a firm-level QC inspection finding might result in the best firm for the component auditor role being bypassed. The commenter further suggested that guidance is needed for when the evaluation and/or overview of remedial actions is not forthcoming.
Some commenters, including firms and a related group, argued practical concerns regarding the application of the requirement to other participants not registered with the PCAOB. One firm commented that, while it is not aware of any legal or regulatory concerns with other participants sharing the most recent evaluation of their QC system, it suggested that the PCAOB state that firms will not violate this requirement if local laws or regulations exist that prevent compliance.
After consideration of the comments received, the Board amended the standard to limit the information that should be obtained to only the conclusion of the most recent evaluation of the QC system. The Board believes that this addresses commenter concerns relating to the risk of communicating privileged information. Furthermore, the Board continues to believe that obtaining the communication of the conclusion of the other participant's most recent evaluation may assist a firm in determining the nature and extent of supervision of the work of other participants or deciding whether other participants are fit to participate in the firm's engagements, including ensuring that the best firm for the job is not bypassed. If necessary, the firm may discuss the conclusion with the other participant firm to seek to gain a better understanding of the basis for such conclusion.
The Board believes that in practically all cases, the firm would be able to obtain the conclusion of the most recent evaluation of the other participant's QC system. However, if a firm is unable to obtain this (for example, if the other participant has not performed an evaluation, or if local laws forbid them from sharing it), then the firm should assess what other procedures are necessary to achieve the quality objective.
See PCAOB Rule 3101(a)(2).
One firm commented that paragraph .53f. specifically addressed networks, while .53g. addresses other participants, and that it was unclear whether paragraph .53g. also applies to networks given their inclusion in the definition of “other participants” or if the Board intends for paragraph .53g. to apply to any other party defined within “other participants.” Paragraph .53g. applies to firms within a network to the extent that the firm is an other participant, as defined in QC 1000.A7 and discussed in more detail above.
Another firm expressed concerns that it may not be able to practically apply paragraph .53g. to all “other participants.” Specifically, the firm requested clarification as to the expectation regarding the extent to which firms design policies and procedures to ensure other participants comply with applicable professional and legal requirements, including bifurcation of participants that are part of the engagement team as compared to participants in the firm's quality control system. Another firm suggested it would be impractical to suggest that a firm's QC system can be applied to other participants or that they would explicitly comply with the firm's policies and procedures as if they were part of the firm. As discussed in more detail above, just because a quality objective or other provision of QC 1000 refers to all types of other participants in the same way, this does not mean that the firm should respond by treating all types of other participants in the same way. The firm's policies and procedures addressing other participants should differentiate based on the types and roles of other participants to the extent necessary to be responsive to the firm's quality risks (for example, the firm would have different policies for the use of engaged specialists versus external EQRs).
The proposed requirement in paragraph .53.h did not draw comment and was adopted as proposed.
The firm may also participate in another firm's engagement as an other participant. For the same reasons that apply when the firm is issuing the engagement report and using the work of other participants, it is important that there is an appropriate exchange of information in order to enable the firm serving as an other participant to fulfill its role in accordance with applicable professional and legal requirements.
d. Information and Communication Specified Quality Responses (QC 1000.55-.56)
One firm commented that the proposed specified quality responses for information and communication are appropriate. Other comments that are specific to each specified quality response are discussed below.
The requirement in paragraph .55 carries forward an existing requirement from the PCAOB's QC standards and extends it to cover other participants, not just firm personnel. One firm suggested that, as it relates to other participants, the quality objective in paragraph .53g. was sufficient, and the specified quality response was not needed. Another firm commented that it is concerned that expanding the requirement to communicate quality control policies and procedures beyond firm personnel to include other participants may not be operational due to the size, content, and methods of accessing the policies and procedures. The firm further asserted that the proposed standard may inappropriately blur the lines between a firm's system of quality control and engagement-level requirements that are already addressed through existing PCAOB standards and rules. The Board believes that other participants play an important role in the operation of the firm's QC system and the performance of its engagements and that it is imperative for these other participants to be aware of the firm's policies and procedures to the extent required to enable them to carry out their responsibilities. For that reason, the Board believes it is necessary to expand the existing requirement to include other participants in a specified quality response.
See QC 20.23.
To address the concern about the volume of material required to be shared with other participants, the Board clarified the requirement by providing that policies and procedures should be communicated “to the extent” and in a manner reasonably designed to enable firm personnel and other participants to carry out their responsibilities; in other words, the requirement is to communicate what firm personnel and other participants need to know, not necessarily all of the firm's policies and procedures. For example, a firm would communicate to an EQR contracted by the firm its policies and procedures related to EQR review and independence. In addition, although the wording of the requirement is different, the substance of the existing requirement is unchanged. Reference to “reasonably designed and implemented” captures the existing requirement to communicate in “a manner that provides reasonable assurance that those policies and procedures are understood and complied with” without repeating the reasonable assurance already captured by the overarching objective of the QC standard.
See QC 20.18.
Another commenter requested clarification as to whether the communication of policies and procedures is required in narrative, flowchart, or other form. The Board believes that the policies and procedures should be in writing and in a manner that is reasonably designed to enable firm personnel and other participants to understand and carry out their responsibilities relating to activities within the firm's QC system and the performance of its engagements. The format of these policies and procedures may vary depending on the specific responsibilities being addressed and how the firm wants to communicate them.
Under the existing PCAOB standard, the firm is also required to make timely communications to appropriate personnel regarding changes to its established quality control policies and procedures. The Board does not think it is necessary to address changes to policies and procedures separately; the requirement is to communicate policies and procedures as in effect, which includes changes to such policies and procedures over time. If the firm needs to communicate changes to its policies and procedures to enable firm personnel and other participants to understand and carry out their responsibilities, then the specified quality response will require such communication.
Given the importance of information generated from the monitoring and remediation process, paragraph .56 includes a specified quality response that requires the firm to communicate such information to firm personnel to enable them to take timely action. In determining specific information to be communicated to firm personnel, including the nature and extent of such communication, the firm may consider the type of information that is relevant to the recipients given their roles and responsibilities within the firm. For example, information communicated to engagement teams may be focused on a description of identified engagement deficiencies and related remedial actions that are likely to be relevant to such firm personnel and their engagements. Information communicated to all firm personnel may relate to deficiencies identified through QC system-level monitoring activities, such as compliance issues in connection with the firm's ethics and independence policies and procedures.
One firm asserted that the requirement to communicate identified engagement deficiencies and QC deficiencies to firm personnel could hold firms to a higher standard than may be prudent, and that a perceived requirement to communicate each engagement deficiency seems imbalanced to appropriately influence change. The specified quality response requires that such communications be made to enable firm personnel to take timely action in accordance with their responsibilities. Based on the results of the monitoring and remediation process, the firm can assess the nature and extent of the communications to be made, and this should be commensurate with the risk that other similar unidentified engagement deficiencies exist; for example, for engagement deficiencies related to the examination of broker-dealer compliance reports, the firm may limit the communications to firm personnel working on broker-dealer engagements and adjacent industry sectors.
In addition, under paragraph .57 the firm is required to communicate the results of the annual evaluation of its QC system to certain individuals in firm leadership positions. These individuals may use this information in various ways, for example, as a basis for further communications to firm personnel about the importance of quality or to address concerns about the QC system in a timely manner. The requirement reinforces firm leadership's responsibility and accountability for the firm's QC system.
2. Current PCAOB Standards
Existing PCAOB QC standards focus principally on communication of certain information, specifically:
- Principles that influence the firm's policies and procedures on matters related to the recommendation and approval of accounting principles, present and potential client relationships, and the types of services provided;
QC 1000, by contrast, more broadly addresses the firm's responsibilities regarding its information system and internal and external communications.
Monitoring and Remediation Process
1. QC 1000
a. Overview (QC 1000.58)
The monitoring and remediation process is an integral part of an effective QC system because it creates a feedback loop to inform the firm's risk assessment process. The feedback loop will help the firm identify and assess new and evolving quality risks and design and implement effective quality responses. It drives a firm's focus on continuing to improve its QC system, with a view to preventing future engagement deficiencies. The monitoring and remediation process applies to the design, implementation, and operation of all QC system components, including the monitoring and remediation component, and provides the basis for a firm's evaluation of whether its QC system is effective and for reporting on the QC system.
For further discussion of the evaluation of a firm's QC system, see below.
The Board has observed through its oversight activities that some firms have made significant efforts to enhance their monitoring and remediation process, which has led to improvements in the firms' QC systems and in audit quality. These efforts include increased attention to ongoing monitoring activities, internal monitoring of both in-process and completed engagements, root cause analysis of both positive outcomes and QC deficiencies, and remedial actions to address QC deficiencies. However, PCAOB inspections continue to identify deficiencies for some firms, suggesting that not all firms have made meaningful improvements in these areas.
Under QC 1000, the monitoring and remediation process addresses the following:
- General requirements;
- Engagement monitoring activities;
- QC system-level monitoring activities;
- Monitoring activities performed by a network;
- Determining whether engagement deficiencies exist;
- Responding to engagement deficiencies;
- Determining whether QC observations exist;
- Determining whether QC deficiencies exist;
- Responding to QC deficiencies; and
- Monitoring the implementation and operating effectiveness of remedial actions.
Under the standard, a firm performs monitoring activities to determine whether its quality responses are properly designed and operating as intended, such that the firm's quality risks are sufficiently mitigated and its quality objectives are achieved. As described later, the results of the firm's monitoring and remediation process are to be evaluated annually as part of the evaluation of the QC system. Therefore, the monitoring activities conducted need to be sufficient to support the conclusions reached during such an evaluation.
b. General Requirements (QC 1000.59-.61)
The standard specifies three goals for the monitoring and remediation process:
- Relevant, reliable, and timely information. Monitoring and remediation must provide information about the design, implementation, and operation of the firm's QC system that is relevant, reliable, and timely. The information obtained from monitoring activities informs a firm about actions, behaviors, or conditions that contributed to issues that need to be addressed and may also provide insights as to factors that help prevent deficiencies from occurring. For example, information obtained about actions, behaviors, and conditions related to an engagement that was subject to internal or external monitoring activities where no deficiencies were identified may provide insights about good practices to use when addressing issues on similar engagements.
- Reasonable basis for timely detection of engagement deficiencies and QC deficiencies. The standard uses the concept of “reasonable basis,” which is present throughout PCAOB auditing standards, including the standards governing the auditor's report. Therefore, this concept is well understood by the profession. “Timely” as it relates to the detection of engagement deficiencies means that the firm's monitoring activities are designed to identify deficiencies as promptly as practicable. For example, the Board expects that the firm's monitoring activities will generally enable the firm to identify deficiencies in calendar year-end engagements in time to include them in its evaluation of the QC system as of the following September 30.
- Timely remediation. The firm's monitoring and remediation process must enable timely remediation of identified engagement deficiencies and QC deficiencies. What constitutes “timely” depends on the deficiency's nature, scope, and impact. For example, where there is a high risk of severity or pervasiveness, remedial actions may have to be immediate to be timely.
The first element of monitoring and remediation is designing and performing monitoring activities for engagements and the QC system itself. The Board believes that the selected frequency and timing of the firm's monitoring activities (e.g., a combination of ongoing and periodic monitoring activities) are important elements in achieving an overall effective monitoring and remediation process. Ongoing monitoring activities are generally those activities that are routine in nature, built into the firm's processes, and performed on a real-time basis. Periodic monitoring activities, by contrast, are conducted from time to time at set intervals. The use of ongoing and periodic monitoring activities would vary by firm and be influenced by the nature and circumstances of the firm.
The other elements of the monitoring and remediation process specified in the standard are:
- Determining whether engagement deficiencies exist and responding to them.
- Determining whether QC observations exist.
- Determining whether QC deficiencies exist.
- Performing root cause analysis of QC deficiencies.
- Designing and implementing remedial actions to respond to QC deficiencies and determining whether such actions are implemented as designed and operate effectively.
These other elements are discussed below, in relation to the requirements of paragraphs .61-.76.
QC 1000 requires that the firm's QC system include both engagement monitoring activities and QC system-level monitoring activities. The standard differentiates engagement monitoring activities from QC system-level monitoring activities. The two types of activities would provide different kinds of information and, in the Board's view, a firm would need both in order to have a reasonable basis for detecting engagement and QC deficiencies and evaluating its QC system. Engagement monitoring activities are monitoring procedures performed on engagements, including in-process and completed engagements. QC system-level monitoring activities are monitoring procedures regarding aspects of a firm's QC system, including the firm's risk assessment and monitoring and remediation processes.
Notwithstanding the differences between engagement monitoring activities and QC system-level monitoring activities, a firm could design and perform dual-purpose monitoring activities, i.e., activities directed at individual engagements that also address aspects of the firm's QC system. For example, a firm could perform engagement monitoring activities related to acceptance and continuance of engagements that would also address the design, implementation, and operation of the acceptance and continuance of engagements component of the firm's QC system.
QC 1000 defines “engagement” as any audit, attestation, review, or other engagement performed under PCAOB standards (1) led by a firm or (2) in which a firm plays a substantial role in the preparation or furnishing of an engagement report. Under the standard, substantial role engagements that the firm undertakes would be required to be included in the population of engagements on which the firm performs monitoring activities. In situations where the firm participates in another firm's engagement but does not play a substantial role, while such work would not be treated as the firm's own “engagement” for purposes of the standard, any firm that was required to implement and operate an effective QC system under the standard is required to extend its QC system to all audit, attestation, review, and other work it performs under PCAOB standards, including other firms' engagements in which the firm plays less than a substantial role.
In general, for purposes of QC 1000, engagement monitoring activities are performed only on “engagements” as that term is defined in the standard. One firm suggested that audit quality should consistently be measured for all engagements, whether performed under the PCAOB standards or other auditing standards, and therefore a firm's QC system should provide reasonable assurance of performing all such engagements in compliance with applicable laws and professional requirements. This firm urged the Board to consider whether the monitoring-related requirements in QC 1000 that use the term “engagements” (as defined in QC 1000) may result in a lost opportunity to fully capitalize on the expected benefits of a more comprehensive monitoring program. Given the limits of the Board's statutory authority under Sarbanes-Oxley, the Board does not believe it would be appropriate to expand the scope of the term “engagements” to include work performed under standards of other standard-setters. However, nothing prevents firms from developing a single QC system for their entire audit practice that satisfies both PCAOB requirements and other professional standards to which the firm is subject, which could include performing the same types of monitoring activities for both PCAOB engagements and other audits.
The Board also understands that firms that perform only a small number of issuer and broker-dealer engagements would be significantly affected by a requirement to perform monitoring activities over PCAOB “engagements” every year. In the extreme case, a firm that issues an audit report for only one issuer would have to monitor the same engagement every year. The prospect of annual monitoring could disincentivize partners from serving as the engagement partner and ultimately affect competitive conditions in the market. Accordingly, paragraph .61a includes a note that permits firms that issued engagement reports for five or fewer issuers, brokers, and dealers in the previous year to include audits not performed under PCAOB auditing standards in their engagement monitoring activities for purposes of QC 1000, so long as the audits are selected taking into account the factors in determining the nature, timing, and extent of engagement monitoring activities set forth in paragraph .64. This accommodation takes into consideration the structure of the SEC's partner rotation requirements exemption for small firms, and is limited to audits rather than attestation work because audits are performed under more rigorous standards. These firms will still have to design, implement, and operate a monitoring and remediation process that meets the requirements of QC 1000, including the requirements regarding the objectives and elements of the monitoring and remediation process set forth in paragraphs .59 and .60, which focus on “engagements” as defined in the standard. The firms will also be subject to the requirement under paragraph .62b to inspect at least one completed PCAOB engagement for each engagement partner on a cyclical basis, as discussed below.
Firms that issued audit opinions for between one and five issuers or broker-dealers represented 38% of all registered firms in 2022, 39% in 2021, and 43% in 2020.
See 17 CFR 210.2-01(c)(6)(ii).
Current PCAOB QC standards provide that, in some circumstances, individuals may perform monitoring procedures over the same areas for which they are responsible. Such monitoring procedures are a type of self-assessment and under the proposed standard, self-assessments would not have been permissible. Individuals would lack the requisite objectivity if they reviewed engagements in which they participated (or, in the case of audits, for which they performed the engagement quality review), or monitoring activities for which they participated in the design, implementation, or operation of the activity.
See QC 30.10, which applies to small firms with a limited number of management-level individuals.
Two commenters agreed that self-assessment should not be permitted in QC 1000. Other commenters, including firms and a related group, raised concerns regarding the proposal's disallowance of self-assessments as part of a firm's monitoring and remediation process. Specific concerns included the impact of this requirement on smaller firms and the resource constraint that may be very difficult for firms to overcome if individuals who may be involved in an engagement through consulting with engagement teams, evaluating engagement team progress, or monitoring turnover on the engagement team are ineligible to perform monitoring activities.
While the Board appreciates the concerns around resource constraints raised by commenters, allowing individuals to review their own work is inconsistent with the quality objective in paragraph .44e that individuals assigned to perform activities within the QC system have the objectivity needed to perform such activities in accordance with applicable professional and legal requirements and the firm's policies and procedures. Taking into account commenter feedback, the Board added a note to the standard to clarify that the restriction on self-assessment is grounded in that quality objective. The note further explains the implication, in the context of the monitoring and remediation process, that individuals generally cannot perform monitoring activities over their own work, for example by performing engagement monitoring activities on an area of an engagement in which they participated. The impact of this restriction will depend on the role that the individual played in the engagement. For example, individuals who have consulted on a particular area of an engagement would be permitted to perform monitoring activities on other areas of an engagement that were unrelated to the consultation. However, individuals that served as the engagement quality reviewer on an engagement may not perform monitoring activities on that engagement, even if they did not review every area of the engagement.
e. Engagement Monitoring Activities (QC 1000.62-.64)
Engagement monitoring activities provide valuable information to firms on whether engagement or QC system-level areas may require additional attention. For example, monitoring procedures may highlight an area on an audit engagement where insufficient audit evidence was obtained to support the auditor's opinion. More broadly, engagement monitoring activities may identify pervasive issues where a number of engagements have similar problems, possibly highlighting the need to revise methodology, provide additional training, or take other actions at the QC-system level.
i. Monitoring Completed Engagements (QC 1000.62)
Similar to the proposal, the final standard requires firms to perform engagement monitoring activities on completed engagements. Two commenters expressed support for the requirement to monitor completed engagements. One commenter suggested that paragraph .62 be amended to permit the legacy flexibility of QC 20 for a firm to have pre-issuance or post-issuance, or both, monitoring programs, depending on the individual firm's risk assessment. This commenter asserted that some smaller firms, in particular, have already implemented robust pre-issuance quality monitoring reviews on substantially all issuer audits.
The Board continues to believe that the information derived from performing inspections of completed engagements provides the firm a perspective on its engagements that cannot be obtained through other monitoring activities. The Board also noted that the standard does not prescribe specific monitoring activities, so firms will be able to determine what activities to perform when monitoring completed engagements. Based on PCAOB oversight activities, the Board has observed that most firms perform engagement monitoring activities on their completed engagements as part of their existing QC practices. Requiring the inspection of completed engagements would therefore not change practice for most firms and, accordingly, seems unlikely to impose incremental costs in most instances.
The proposed standard also included a requirement for firms to establish a cyclical basis for monitoring completed engagements such that each engagement partner would have at least one engagement subject to monitoring in each cycle. Some firms and a related group supported that requirement in principle. Some commenters suggested that firms should be permitted to include all of the engagements within a particular engagement partner's portfolio of engagements, not only PCAOB engagements, since the firm operates a single QC system. One commenter stressed that if firms are not permitted to consider all engagements in an engagement partner's portfolio, it may unnecessarily drive firms to two separate cyclical inspection programs (that is, doubling inspection program activities) based on the applicable set of professional standards. This commenter also suggested that the standard should allow firms to consider whether engagement partners have been subjected to external inspections/reviews when determining if, and when, to subject them to an internal inspection.
Similar to the proposal, the final standard requires firms to inspect at least one completed PCAOB engagement for each engagement partner over a cyclical period. Although, as discussed above, firms with five or fewer issuer and broker-dealer engagements may be permitted to include non-PCAOB engagements in their monitoring activities, inspections under this paragraph must be of “engagements” as defined in QC 1000. This will ensure that firms regularly evaluate the work of every partner under PCAOB standards to determine whether engagement deficiencies or QC deficiencies have occurred and can design and implement appropriate remedial actions. The note to the final standard clarifies that point.
The proposed standard also included a note stating that if a firm uses a cycle longer than three years, the firm would be required to demonstrate how its cycle is adequate to provide the firm with a reasonable basis for detecting engagement deficiencies and QC deficiencies, taking into account the factors in paragraph .64. Several commenters, including an investor-related group, disagreed with this aspect of the proposal, suggesting that each firm should be allowed to determine the appropriate cycle for engagement partner selection. Some of these commenters stated that requiring a set interval for engagement partner selection could actually result in a reduced ability by the firm to incorporate unpredictability into the selection process. One firm further stated that the proposed requirement regarding the engagement partner selection cycle could also decrease the frequency of other monitoring activities, such as in-process reviews, or curb investment and innovation in pre-issuance monitoring programs.
The Board continues to believe it is appropriate to incorporate an expectation that each engagement partner will be subject to inspection at least every three years and adopted that aspect as proposed. A three-year period appears to be a norm for other standard setters and, based on PCAOB oversight activities, is common in practice. The Board appreciates that requiring a set interval could make the timing of selection predictable for an engagement partner, so a three-year cycle is a baseline expectation, not a requirement. Firms can of course adopt a shorter cycle, or can adopt a longer cycle if they are able to demonstrate how that cycle is adequate to provide a reasonable basis for detecting engagement deficiencies and QC deficiencies. Regardless of the cyclical period used by the firm, risks or other circumstances related to an engagement or an engagement partner may trigger the need for the firm to inspect an engagement partner's completed engagement(s) more than once during the cyclical period.
The application material accompanying the IAASB and AICPA QC standards provides an example of a three-year inspection cycle for engagement partners performing financial statement audits. See ISQM 1 paragraph A153, SQMS 1 paragraph A165.
The proposed note to paragraph .62b also included language requiring firms to consider incorporating a level of unpredictability when determining when, during the cyclical period, an engagement partner has an engagement selected for monitoring and which completed engagement(s) to select. This was intended to make it less likely that engagement partners would be in a position to manage engagements with the expectation that they would or would not be inspected. However, commenters, including firms and investors and related groups, suggested that this language should be strengthened to require that the firm “should” incorporate unpredictability into the selection process. One of these commenters went further to suggest that the PCAOB also incorporate language requiring unpredictability in the focus areas subject to internal inspection monitoring, in addition to the timing of such monitoring. The Board agreed with the comments raised with respect to requiring firms to incorporate unpredictability into their selection process and this change is reflected in the note to paragraph .62b. Additionally, in order to allow sufficient flexibility for firms to determine how to incorporate unpredictability in the selection process, language has been added to the note to clarify that the firm should include an element of unpredictability in “at least one of” the elements listed in the note to paragraph .62b.
The firm's selection of completed engagements should be responsive to information obtained from various sources, including prior monitoring activities. The standard, in paragraph .64 (discussed further below), includes factors for a firm to take into account when selecting engagements for monitoring. These factors will assist a firm when determining its cyclical basis and selecting at least one engagement to inspect for each engagement partner.
ii. Monitoring In-Process Engagements and Other Work (QC 1000.63)
Monitoring in-process engagements can help firms detect and prevent potential engagement deficiencies before an engagement report is issued, resulting in a more proactive, preventive monitoring approach. Through its oversight activities, the PCAOB has observed a variety of different in-process engagement monitoring activities, including:
- Monitoring activities on a specific area of the audit after the engagement team has conducted certain audit procedures or used a specific tool or template (e.g., an in-process reviewer evaluates an engagement team's testing of management's earnings forecast used in an impairment analysis);
- Engagement team coaching by an individual who is not part of the engagement team (e.g., a member of the firm's national office works with an engagement team to review their audit approach, including the nature, timing, and extent of planned audit procedures);
- Evaluating an engagement team's progress against certain defined milestones or metrics and taking appropriate action when such milestones or metrics are not achieved (e.g., if an engagement partner did not review an engagement team's planning memo before interim audit procedures were to start, adjusting the engagement team's schedule so that the document could be reviewed and comments addressed before starting interim work; if an engagement team's hours exceed a certain weekly threshold, taking action by identifying the issue and adding additional resources to the team); and
- Monitoring engagement team turnover during the engagement and taking appropriate action when issues arise (e.g., if more experienced or senior personnel on the engagement, such as the manager or senior manager, leave the firm during the engagement and prior to the completion of procedures, taking actions to ensure the engagement team has the necessary resources to complete the engagement).
The proposed standard contemplated that firms that issue audit reports with respect to more than 100 issuers during the prior calendar year would be required to monitor in-process engagements. The proposal noted the Board's understanding that monitoring in-process engagements may be challenging for some firms based on their size and nature, so the proposed standard also included a “should consider” requirement to provide sufficient scalability for firms that issue audit reports with respect to 100 or fewer issuers. Under the proposed standard, firms that audit 100 or fewer issuers would be expected to reach a conclusion about whether to monitor in-process engagements in light of identified quality risks and quality responses.
Firms that commented on this requirement supported the concept of monitoring in-process engagements and the flexibility the standard provided for firms to design their in-process monitoring based on the nature and circumstances of the firm. Two firms stated that the purposes of in-process monitoring are clear and appropriate and that the proposed standard clearly distinguished between in-process engagement monitoring and engagement quality reviews under AS 1220. Two firms suggested that the 100-issuer threshold is not necessary, and that all firms should only be required to consider whether to monitor in-process engagements.
The Board believes that differentiating a firm's obligation based on the number of issuer clients is appropriate because, in its view, firms with larger, more complex audit practices generally are subject to quality risks for which in-process monitoring is an appropriate quality response. The Board based the requirement on the size of a firm's issuer audit practice rather than its broker-dealer audit practice, as it believes the number of a firm's issuer clients is more indicative of the firm's size and the complexity of its practice. And, as noted above, firms are familiar with the threshold of more than 100 issuer audit reports. The majority of firms with 100 or fewer issuers do not perform in-process engagement monitoring activities. Requiring these firms to perform such monitoring activities could significantly change current practice and is not justified by the circumstances of every firm. However, due to the benefits of this proactive engagement monitoring, the standard requires that firms that do not meet the 100-issuer threshold should consider monitoring in-process engagements. The Board believes that this approach strikes an appropriate balance between prescriptiveness and scalability, and adopted the requirement as proposed.
One individual commenter suggested that audit firms would find it cost prohibitive to build in “in process” controls that would be akin to doing an inspection of an audit in process, with the exception of certain circumstances, but the PCAOB did not receive any specific comments from firms expressing that concern. In addition, firms with over 100 issuer clients typically have the resources to implement such procedures, and based on PCAOB oversight activities, the majority of them already monitor in-process engagements to some extent.
In 2023, 11 of the 14 annually inspected firms performed some in-process engagement monitoring activities.
In situations where the firm participates in another firm's engagement but does not play a substantial role, paragraph .63c provides that the firm should consider performing monitoring activities on such work. Some commenters agreed with the requirement for firms to consider performing monitoring activities on their work on other firms' engagements. When deciding whether and when to do so, and what monitoring activities to perform, firms would take into account the factors identified in paragraph .64, such as the firm's monitoring and external inspection history and the risks associated with the performance of the work. In addition, if a substantial portion of the firm's activities that are subject to the QC system relate to work performed on other firms' engagements at less than a substantial role, the firm would have to make that decision in light of the overall objectives of the QC system.
See QC 1000.05a.(2).
One commenter requested clarification as to whether the in-process monitoring activities the Board has observed would be sufficient to meet the requirement, or whether the Board expects such activities to be expanded or enhanced. The standard does not specify any particular monitoring activities, so the firm has discretion to select activities based on the nature and circumstances of the firm and its engagements and the scope and nature of its other monitoring activities. For example, when determining which engagements to select for in-process monitoring, a firm would leverage the factors presented in paragraph .64 of the standard to identify engagements where there is a greater risk of noncompliance with applicable professional or legal requirements. Similarly, these factors will also assist a firm in determining the riskier areas of such engagements upon which to perform in-process engagement monitoring activities.
i. Designing Engagement Monitoring Activities, Including Selecting Which Engagements To Monitor (QC 1000.64)
Similar to the proposal, the final standard requires a firm to take into account certain factors when determining the nature, timing, and extent of engagement monitoring activities, including which completed or in-process engagements to select for monitoring. These factors reflect aspects of a firm and its engagements that could create a greater risk of noncompliance with applicable professional and legal requirements. A firm will need to tailor its monitoring activities to address the particular circumstances of the firm and select engagements for monitoring based upon their specific risks.
The factors are:
- Quality risks and the reason for their assessments, and quality responses. For example, the complexity of or changes to applicable professional and legal requirements and the firm's policies and procedures may present a quality risk that the firm may not timely communicate the required use of a practice aid for planning audit procedures when certain fraud risk factors are present. In response to this risk, the firm would design its engagement monitoring activities to verify the engagement team's use of the practice aid. The earlier these monitoring activities are performed, the more proactive the firm could be in planning audit procedures that address audit issues as they arise. Regarding the proposed factor in paragraph .64b related to the “design of the quality responses,” the final standard has removed the word “design” from the factor and made other edits to clarify that the firm should also take into account the scope and operation of quality responses, for example related to information about how those quality responses operated in previous years.
- The nature, timing, extent, and results of previous monitoring activities. This includes insights learned from previous engagements and QC system-level monitoring activities that are applied when determining engagement monitoring activities to perform. For example, in selecting engagements for monitoring, the firm would take into account deficiencies identified in previous engagements for the same client and other engagements where a similar deficiency may exist. As another example, engagement deficiencies related to inventory obsolescence testing identified by a firm through prior year engagement monitoring activities may prompt a firm to monitor the testing of inventory obsolescence on more engagements in the current year. One commenter recommended a clarifying revision to paragraph .64c to change the reference to “inspections of in-process engagements” to “monitoring of in-process engagements.” The commenter explained that the characterization of in-process engagement monitoring as an “inspection” is not consistent with how in-process engagement monitoring was described in the proposal, as the in-process monitoring activities observed by the PCAOB do not include inspections of in-process engagements. The Board agreed and included this revision in the final standard.
- Information obtained from oversight activities by regulators, other external inspections or reviews, and, if applicable, monitoring activities performed by a network. Information obtained from network monitoring activities or external reviews provides a firm direction as to, for example, the type of procedures to perform or when to perform them. The results of network monitoring activities or information obtained from external reviews could also identify issues that may exist on other similar engagements of the firm, prompting a decision to monitor some or all of these other engagements. For example, if an engagement was recently inspected through network monitoring activities or an external review, a firm may determine that selecting the same engagement for internal inspection would be unnecessary.
The proposal included a note that a firm cannot rely solely on network monitoring activities or external inspections by regulators of individual engagements without performing its own inspections of completed engagements. One commenter, a firm, agreed with the proposed requirements for firms to perform their own monitoring activities rather than solely relying on the monitoring activities performed by the network. Another firm disagreed and recommended that the standard permit networks to perform monitoring activities on behalf of a member firm, including in certain circumstances as the sole source of a firm's QC engagement monitoring. This commenter stated that monitoring of completed and in-process engagements by the network may provide member firms in the network with more objective and experienced monitoring resources, and that smaller member firms may not have the resources to perform objective monitoring on completed and/or in-process engagements without leveraging the network. Similar to what is described below as it relates to a firm's QC system and the extent of monitoring activities performed by a network, regardless of whether a network performs engagement monitoring activities on a firm's engagements, the firm is ultimately responsible for its QC system and for evaluating any information it obtains from the network about any engagement monitoring activities the network performs. The firm would take into account the nature and extent of activities performed by a network in designing and implementing its own activities but all firms are required to perform some level of engagement monitoring. The final standard includes a clarifying revision to this note that replaces “inspections of completed engagements” with “engagement monitoring activities.”
- Characteristics of a particular engagement. Factors such as the industry, the type of engagement (e.g., issuer audit, broker-dealer audit, attestation), the location(s) or jurisdiction(s) in which the client is located or the work is to be performed, whether it is a new engagement for the firm, and the experience and competence of the engagement team could affect conduct and outcomes of the engagement. For example, if the engagement team members are all new to the engagement, their lack of historical knowledge may present an additional risk for that engagement and provide a basis for its selection for monitoring.
- Characteristics of particular engagement partners. Factors such as the experience and competence of engagement partners, the results of internal and external inspections of their work, and the firm's cycle for inspecting their engagements could affect the quality risks associated with an engagement, whether positively or negatively. For example, an engagement partner's lack of experience in an industry the company under audit recently entered may create additional risks to complying with applicable professional and legal requirements. Therefore, performing engagement monitoring activities on such engagements may be appropriate.
- Other information relevant to the quality risks. The standard includes a non-exhaustive list of examples. For clarity, this factor was rephrased in terms of “quality risks” rather than “risks of noncompliance with applicable professional and legal requirements.” The standard also includes a footnote referencing footnote 26, which explains that the firm is deemed “aware” of information when any partner, shareholder, member, or other principal of the firm first becomes aware of such information.
The requirement is both principles-based and risk-centered, rather than prescriptive. It provides for scalability by including factors for firms to take into account when determining the nature, timing, and extent of engagement monitoring activities. In addition to the factors included in the standard, a firm may identify other factors that are also relevant based on the nature and circumstances of the firm and its engagements.
d. QC System-Level Monitoring Activities (QC 1000.65)
Similar to the proposal, the final standard requires a firm to take into account certain factors when determining the nature, timing, and extent of QC system-level monitoring activities.
Due to their nature, some of the factors are consistent with the factors a firm is required to take into account when determining the nature, timing, and extent of engagement monitoring activities, such as the quality responses, including their timing, frequency, scope and operation. Regarding the proposed factor in paragraph .65b related to the “design of the quality responses,” conforming to the change made in paragraph .64b, the word “design” was removed from the factor and other edits were made to clarify that the firm should also take into account the scope and operation of quality responses, for example related to information about how those quality responses operated in previous years. The specific features of a firm's quality responses are also relevant for a firm to consider when designing QC system-level monitoring activities. For example, a firm's quality responses related to acceptance and continuance of engagements might include a policy that firm personnel complete a checklist and assemble information evaluated by the engagement partner before making a recommendation to firm leadership on whether to continue with an engagement for the upcoming year. Based on this quality response, a firm might design QC system-level monitoring activities that include a review of the checklist and documentation for a selection of engagements.
Some other factors the standard requires firms to take into account when determining the nature, timing, and extent of QC system-level monitoring activities include:
- The design of a firm's risk assessment and monitoring and remediation processes. The design of these processes is relevant when designing monitoring activities to evaluate if such processes are implemented and operating effectively. For example, a firm may monitor the cyclical basis determined by the firm for inspecting engagement partners' completed engagements. A firm's monitoring activities in this area could include whether the firm is complying with the established period for selecting completed engagements as well as evaluating whether changes to the period may be necessary based on the results of other monitoring activities. The firm could also develop metrics for its QC system and use them in its monitoring and remediation process.
- Changes in the QC system. As a firm's QC system is continuously evolving in response to changes in risks, the firm would have to consider whether and how such changes necessitate changes to the nature, timing, and extent of QC system-level monitoring activities. For example, changes to a quality response would be an indication that changes to the activities that monitor the design, implementation, and operation of such response may be necessary. It should be noted that, even in the absence of changes in the QC system, for example in cases where the firm determines that there have been no changes related to a particular quality response, the firm would still need to consider whether previous monitoring activities related to that quality response continue to provide the firm with a reasonable basis to evaluate the QC system, including the appropriateness of the firm's monitoring activities for the current period.
- When applicable, services provided by other participants in the firm's QC system. A firm may use other participants in its QC system (for example, other participants may assist with engagement quality reviews). The firm would take that into account when deciding what QC system-level monitoring activities to undertake (for example, assessing other participants' compliance with PCAOB standards regarding engagement quality reviews).
A firm's monitoring activities are likely to vary over time as a firm takes into account the factors included in the standard (see paragraphs .64-.65). Since a firm's QC system is a continuous and iterative process, such factors will generally lead a firm to perform different monitoring activities or employ different monitoring approaches over time.
Several commenters, including investor-related groups, suggested that the standard should require that the monitoring and remediation process, or more generally QC 1000, provide for use of quantitative metrics. QC 1000 does not require firms to use quantifiable metrics in their monitoring activities or suggest the use of any particular metrics. The Board has recently proposed a new set of firm reporting requirements that includes both firm-level and engagement-level metrics, and the comments regarding metrics received in response to the QC 1000 proposal are addressed in that proposing release.
See PCAOB Rel. No. 2024-002 at 12-13.
Other than removing the word “performance” from the phrase “performance metrics,” to align with the terminology used in the PCAOB's proposed metrics requirements, the Board adopted as proposed paragraph .65c, which requires the firm to take into account any metrics that the firm may use in its QC system when determining the nature, timing, and extent of QC system-level monitoring activities. This could include, but is not required to include, any metrics firms would be required to report if the metrics proposal is ultimately adopted by the Board and approved by the SEC, as well as any additional metrics a firm may develop. Depending on their circumstances, firms may find that developing metrics to monitor engagements and the QC system would enhance their ability to identify deficiencies, measure whether quality objectives have been met, and evaluate the effectiveness of remediation activities.
e. Monitoring Activities Performed by a Network (QC 1000.66)
The Board adopted substantially as proposed the requirements that apply when networks perform monitoring activities relating to a firm's QC system or engagements. Networks employ a variety of different approaches to monitoring firm QC systems. Some networks perform monitoring activities either directly on the firm's QC system, such as monitoring a firm's compliance with QC policies and procedures established by the network and adopted by the firm, or on tools or other resources developed or purchased by the network and used by the firm, such as an independence tracking system. Other networks perform no monitoring activities.
The nature and extent of a network's monitoring activities will inform a firm's approach to monitoring. To illustrate, if a firm used a network independence tracking system to identify matters that may bear on the independence of firm personnel, and if the network monitored the design and operation of the tracking system and provided the firm with relevant information about those activities, the firm is required to evaluate the monitoring activities performed by the network on the tracking system. In performing its evaluation, the firm needs to understand the scope of the network monitoring activities, such as whether the firm's personnel were selected for monitoring procedures, and if so, whether the population selected was sufficient to provide a reasonable basis for detecting engagement and QC deficiencies. To the extent provided, the firm is also required to evaluate the results of the testing performed by the network, and if deficiencies were identified, the remedial actions, if any, taken or proposed to be taken by the network. Under this example, the firm would also determine its responsibilities in assisting the network with any monitoring or remediation activities related to the tracking system.
Regardless of any QC monitoring activities that a network may perform on behalf of the firm, the firm is ultimately responsible for its QC system. Therefore, under the standard, the firm is responsible for evaluating any information it obtains from the network about any QC monitoring activities the network performs. Some commenters, all of which were firms, supported the proposed requirements related to monitoring activities performed by a network.
A firm is required to adjust its monitoring activities as necessary, based on the scope of the network's monitoring activities and the information the firm receives (or does not receive) from the network about those activities. One commenter expressed concern that the proposal allows the firm to request certain categories of information from a network but does not require that the information actually be received. In situations where a firm does not receive information requested from the network about the monitoring activities the network performed, the firm would not be in a position to take such activities into account in planning its own activities. To illustrate, a network may provide information to a firm regarding the results of member firms' internal engagement monitoring activities, which the firm uses to evaluate the competence of other network firm personnel and their ability to participate in the firm's engagements. If, due to a change in a particular network firm's local privacy laws, the network is unable to provide such information regarding that member firm, the firm will need to evaluate that member firm's competence and ability using a different approach. To illustrate another case, if a firm requests but does not receive any information from the network regarding QC monitoring activities related to independence that the network performed on behalf of the firm, and the firm does not perform any monitoring activities related to its QC system in that area, the firm would have no basis for concluding that the quality objectives related to independence were achieved.
Irrespective of how the evaluation is performed, the engagement partner's responsibility for the engagement and its performance would not change. See AS 1201.03.
f. Determining Whether Engagement Deficiencies Exist (QC 1000.67)
The requirements for determining whether engagement deficiencies exist did not draw comment and were adopted with one modification, described below.
As defined by the standard, an engagement deficiency is an instance of noncompliance with applicable professional or legal requirements by the firm, firm personnel, or other participants with respect to an engagement of the firm, or by the firm or firm personnel with respect to an engagement of another firm. Engagement deficiencies include:
- Instances of noncompliance in which a firm did not adequately support its opinion—because the firm did not perform sufficient procedures, obtain sufficient appropriate evidence, or reach appropriate conclusions with respect to relevant financial statement assertions;
- Instances in which the firm did not fulfill the objective of its role in the engagement, such as not performing attestation services in accordance with AT No. 2; and
- Other instances of noncompliance with applicable professional and legal requirements with respect to a firm's engagement, which may include, for example, not satisfying applicable independence requirements, not making required communications to the audit committee, or not filing Form AP.
The standard requires a firm to evaluate a variety of information in making its determination about whether an engagement deficiency exists, including internally developed information from monitoring activities, information from external parties like regulators and peer reviewers, and other relevant information of which the firm becomes aware. Beyond the sources specified in the standard, a firm is not expected to seek out other sources of information that may indicate an engagement deficiency exists. However, if the firm becomes aware of such information, the firm is expected to evaluate it. For purposes of the standard, the firm is deemed “aware” of information when any partner, shareholder, member, or other principal of the firm first becomes aware of such information. The Board made a change to the proposed note in paragraph .67e item (4) to clarify that complaints the firm becomes aware of, that may indicate the existence of an engagement deficiency, could be related to either a company or the firm. The language was also broadened to clarify that complaints are not limited to those submitted through a formal whistleblower program.
The standard does not specify how a firm would evaluate information to determine whether an engagement deficiency exists. Rather, it provides firms the ability to develop an approach for such evaluation. A determination that an engagement deficiency exists due to the firm not complying with a PCAOB reporting requirement may be relatively simple to make. For example, evaluating whether the firm filed a Form AP in accordance with PCAOB Rule 3211 would not require a significant amount of effort. However, evaluating information indicating the firm did not perform the necessary audit procedures for an issuer's revenue transactions to determine whether an engagement deficiency exists could be more complex, and therefore require a more in-depth analysis.
A firm's determination that an engagement deficiency exists may pertain to an in-process engagement, a completed engagement, or work performed on other firms' engagements.
If a firm obtains information about a potential deficiency in an in-process engagement, whether from monitoring activities or other sources, the firm is expected to evaluate the information to determine whether an engagement deficiency exists before the engagement report is issued. In that regard, it should be noted that identifying a problem while an engagement is in process may enable the firm to rectify the problem before an engagement deficiency could arise. Many professional and legal requirements that apply to performing an engagement impose ongoing responsibilities that are not completed until the engagement itself is completed. In relation to such ongoing responsibilities, if a problem is identified in an in-process engagement but resolved before the engagement is completed, no engagement deficiency would arise. For example, if an engagement team initially failed to obtain sufficient appropriate audit evidence in its testing of revenue because it failed to perform a necessary procedure, the engagement team could still perform the procedure at a later time during the engagement; as long as sufficient appropriate audit evidence was obtained prior to the issuance of the report, there would be no engagement deficiency. QC 1000 does not have specific provisions to address remediation of this type of problem because the auditor's responsibility is already addressed by applicable professional and legal requirements. However, even in instances where an engagement deficiency does not arise because a problem was identified and corrected prior to issuance of an engagement report, a firm would still need to consider whether the existence of the problem constitutes a QC observation—an observation about the design, implementation, or operation of the firm's QC system that may indicate one or more QC deficiencies exist—and, ultimately, a QC deficiency.
By contrast, some applicable professional and legal requirements (such as those relating to preliminary engagement activities, including engagement acceptance procedures, and certain required communications to the audit committee) are required to be complied with prior to or at the beginning of the engagement. With respect to those requirements, an engagement deficiency would arise if the required time for performance had passed and the required activities were not performed appropriately, even if the engagement was still in process.
The standard requires determinations to be made on a timely basis. For completed engagements, the timeliness of the determination depends on the nature of the information subject to evaluation. For example, if the information suggested other engagements may present a similar issue, then it would be expected that determination would be made sooner so that the risk of engagement deficiencies on other engagements—whether in-process or completed—is mitigated.
The final standard was revised to clarify that the evaluation and determination of whether engagement deficiencies exist must both be done on a timely basis.
g. Responding to Engagement Deficiencies (QC 1000.68)
Under the final standard, when a firm determines an engagement deficiency exists, the firm is required to take action to address the deficiency. The action taken would depend on whether the engagement deficiency related to an in-process engagement, a completed engagement, or work performed by the firm on other firms' engagements. In some instances, a firm may find it beneficial to perform a root cause analysis to determine what action to take.
i. Engagement Deficiency Related to an In-Process Engagement
For an engagement deficiency related to an in-process engagement, the proposed standard provided that the firm take action to address the deficiency in accordance with applicable professional and legal requirements. The nature of the engagement deficiency would determine what a firm would need to do to address it and the timing of the required action. For engagement deficiencies that could affect the auditor's report, under the proposed standard, remedial action would be required before the engagement report is issued, such that the engagement report issued is appropriate in the circumstances. In other instances, action would still be required to address the deficiency, but the firm would have more flexibility regarding when such actions are performed; action could be performed either before the report is issued or afterwards (if afterwards, the provisions of paragraph .68b would apply). The Board adopted substantially as proposed the requirement for responding to an engagement deficiency on an in-process engagement.
ii. Engagement Deficiency Related to a Completed Engagement
For an engagement deficiency related to a completed engagement, the proposed standard included a requirement for firms to take action to address the engagement deficiency in accordance with applicable professional and legal requirements (discussed in more detail below in connection with paragraph .70). However, under the proposed requirement, no action would have been required if it was probable that the engagement report was not being relied upon.
The use of “probable” in the note to paragraph .68 is consistent with how the term is used in FASB ASC, Contingencies Topic, paragraph 450-20-25-1, which provides that an event is “probable” when it is likely to occur.
The proposed standard included a note that stated the firm must treat an auditor's report as being relied upon if the auditor's report is included in the most recent SEC filing on a form that requires its inclusion. Because this note also appeared in the proposed amendments to AS 2901 in paragraph .01, refer to the detailed discussion below for commenter feedback and the Board's responses. The note to paragraph .68b. was revised to provide that, in the absence of circumstances indicating that reliance is impossible or unreasonable (e.g., cessation of a trading market for issuer securities), inclusion of an engagement report in the most recent filing on an SEC form that requires inclusion of such an engagement report generally evidences that the report is being relied upon. The Board believes this is responsive to commenter concerns and allows for sufficient flexibility for such circumstances. The note was also revised to clarify that an engagement report can be included in an SEC filing either directly or through incorporation by reference.
iii. Engagement Deficiency Related to Work Performed on Other Firms' Engagements
For an engagement deficiency related to work performed on other firms' engagements, the standard requires a firm to communicate to the other firm the engagement deficiency. The communication needs to be sufficient to enable the other firm to develop a response commensurate with the extent of noncompliance. These engagement deficiencies, while there may or may not be additional remedial actions for the firm to take related to the particular work performed, should be included in the population of QC observations to be evaluated to determine whether QC deficiencies exist. The Board did not receive comment on this aspect of the proposal and adopted it as proposed.
iv. Evaluating Whether Similar Engagement Deficiencies Exist
The proposed standard also required a firm to evaluate whether similar engagement deficiencies exist in other in-process engagements, completed engagements (unless it is probable that the engagement report is not being relied upon), and work performed on other firms' engagements, and if so, to take actions as required by paragraphs .68a.-c. for in-process engagements, completed engagements, and any other work performed by the firm on other firms' engagements at less than a substantial role. Understanding the nature of the engagement deficiency will assist the firm in determining the extent of the necessary evaluation. To illustrate, if the engagement deficiency was caused by an error in the firm's methodology for auditing a company's loan valuation allowance, then the firm would evaluate whether similar engagement deficiencies exist on engagements that were also using that methodology. As another example, if engagement team members did not comply with PCAOB standards when auditing accounts receivable because they failed to perform certain procedures in the firm's audit program, the firm would evaluate whether the person(s) who were responsible for performing the procedures and the person(s) supervising the work participated in any other audit engagement's accounts receivable testing, and if so, whether similar engagement deficiencies exist.
One commenter requested that the Board provide additional examples of engagement deficiencies, as the concept of applicability to other in-process engagements could be subject to different interpretations. The Board will consider whether application guidance in this area would be appropriate.
Another commenter stated that the expectation of what “evaluate,” as used in this context, may require is not clear and suggested that the evaluation be limited to certain engagements based on a risk-based assessment, taking into consideration the root cause of the identified engagement deficiency. As noted above, understanding the nature of the engagement deficiency would assist the firm in determining the extent of the actions to take in order to evaluate whether similar engagement deficiencies exist on other engagements.
The Board adopted this aspect of the standard as proposed.
v. Addressing Engagement Deficiencies (QC 1000.69-70)
Paragraph .69 of the standard requires firms to respond to engagement deficiencies by taking into account the nature and severity of the engagement deficiency. In other words, the response should be targeted based on the nature of the problem and proportionate to the severity of the problem.
Understanding the nature and severity of an engagement deficiency could assist firms in:
- Developing an appropriate response to the engagement deficiency;
- Determining whether an engagement deficiency could relate to other engagements; and
- Assessing whether the engagement deficiency, which represents a QC observation, is also a QC deficiency.
The actions taken by the firm to respond to engagement deficiencies may include preventive or corrective actions (or a combination of these actions):
- Corrective actions are actions taken to rectify an identified deficiency in a current or completed engagement (for example, performing a procedure that had been omitted, designing and performing additional or alternative procedures if audit evidence is insufficient, or filing a required report).
- Preventive actions are actions taken to prevent the occurrence of a deficiency in future engagements (for example, training, developing audit tools, or enhancing audit methodology).
The proposed note to this requirement also appeared in the proposed amendments to AS 2901.04 and a detailed discussion of commenter feedback and the Board's views appears below. As adopted, the note in paragraph .69 includes clarifying changes. The requirement was otherwise adopted as proposed.
The proposed requirement in paragraph .70 did not draw comment and the Board adopted it as proposed. Firms should comply, as applicable, with other standards related to engagement deficiencies on completed engagements.
- AS 2901 addresses auditor responsibilities with respect to engagement deficiencies on completed audit engagements. AS 2201.99 directs the auditor to comply with AS 2901 as it relates to audits of internal control over financial reporting.
- AS 2905 deals with auditor responsibilities when, subsequent to the date of a report on audited financial statements, the auditor becomes aware of facts that might have affected the report had he or she then been aware of such facts before issuing the report. AS 2201.98 is a similar provision relating to auditor's reports on internal control over financial reporting.
- AT No. 1 and AT No. 2 incorporate responsibilities similar to those required under AS 2901 for attestation engagements relating to certain broker-dealer reports.
The amendments to AS 2901 are discussed below.
h. Determining Whether QC Observations Exist (QC 1000.71)
The proposed standard would have required firms to determine the existence of “QC findings,” defined as “[a] finding about the design, implementation, or operation of the firm's QC system that may indicate one or more QC deficiencies exist. Engagement deficiencies are QC findings.”
Commenter feedback on this defined term was in most instances directly related to the last sentence in the defined term, urging that engagement deficiencies should not automatically be considered QC findings. The Board was concerned that commenters may have misinterpreted “QC findings” as akin to “QC deficiencies,” whereas the intention is only to designate matters that have to be evaluated as potential QC deficiencies. To alleviate the potential confusion, the defined term was changed to “QC observation” and the definition reworded. The definition of a QC observation in the final standard is “(1) An engagement deficiency; or (2) Any other observation about the design, implementation, or operation of the firm's QC system that may indicate one or more QC deficiencies exist.”
QC deficiencies are defined and discussed in the next subsection. See below.
Under the definition, any information that may indicate a problem with the design, implementation, or operation of the firm's QC system would be a QC observation. Because a QC system provides reasonable assurance that engagements are conducted in accordance with applicable professional and legal requirements, all engagement deficiencies would be QC observations. Examples of other QC observations include an error in the design or operation of a technology tool or methodology, or information suggesting that a firm may not have achieved a quality objective.
The determination of QC observations involves collecting observations and related evidence that may indicate a QC deficiency exists, including information from monitoring activities, information from external parties like regulators and peer reviewers, and other relevant information of which the firm becomes aware.
Under the standard, the results of all monitoring activities performed by the firm, and if applicable, those performed by a network relating to the firm's QC system or its engagements, are required to be analyzed by the firm to determine if there are QC observations. It is possible that a firm's engagement monitoring activities could identify not only engagement deficiencies, but also QC observations that are not engagement deficiencies. For example, if, as part of the firm's quality response related to technological resources, the firm's technology leader must review and approve all software audit tools used on engagements, and if a firm's engagement monitoring activities reveal that an engagement team did not receive the appropriate authorization to use a specific tool, that observation would be a QC observation, regardless of whether the use of the tool also gave rise to an engagement deficiency.
Oversight activities by regulators and external inspections or reviews include activities of the PCAOB and other regulators. As a firm typically has one QC system for its entire audit practice, the results of the inspections, reviews, and other oversight activities performed by these external parties would likely be relevant to a firm's determination of whether QC observations exist.
Other relevant information of which the firm becomes aware would comprise information obtained from within and outside the firm. A firm would not be expected to seek out such other sources of information; however, if other relevant information came to the firm's attention, a firm is expected to determine whether it is a QC observation. For example, the firm may become aware of an issue with a formula in a practice aid used to assist engagement teams in auditing stock-based compensation if a member of an engagement team communicates that issue to firm personnel supporting the firm's QC system.
The final standard has been revised to clarify that the evaluation and determination must both be done on a timely basis.
i. Determining Whether QC Deficiencies Exist (QC 1000.72)
The standard requires firms to determine whether QC deficiencies exist, and (except for the change in terminology to “QC observation”) was adopted as proposed.
i. Definition of QC Deficiency
In response to commenter input, the Board made changes to the definition of the term “QC deficiency.” As proposed, the definition provided in part that a QC deficiency was a QC finding that results in “a reduced likelihood of the firm achieving the reasonable assurance objective or one or more quality objectives,” and included a note providing examples of circumstances where that likelihood could be reduced. Two commenters questioned the operability of that aspect of the proposed definition of QC deficiency, in particular its linkage to the definition of an internal control deficiency under COSO in its integrated framework through the phrase “reduced likelihood.” Two commenters suggested that the definition of QC deficiency should incorporate the concept of “a significantly reduced likelihood.” Another commenter requested guidance relative to the application of the “reduced likelihood” model. Other commenters suggested that the definition should be more closely aligned with that of other standard setters, for example ISQM 1, by incorporating the concept of an “acceptably low level.”
Taking into account commenter feedback, the standard defines a QC deficiency as a QC observation that, based on the evaluation under paragraph .72, individually, or in combination with one or more other QC observations, evidences:
- That the likelihood of the firm not achieving the reasonable assurance objective or one or more quality objectives has not been reduced to an acceptably low level;
Note: The likelihood of not achieving the reasonable assurance objective or one or more quality objectives would be above an acceptably low level if, for example, a quality objective is not established, a quality risk is not properly identified or assessed, or a quality response is not properly designed or implemented or is not operating effectively.
- Noncompliance with requirements of this standard, other than those under “Documentation”; or
- Noncompliance with requirements of this standard under “Documentation” that adversely affects the firm's ability to comply with any of the other requirements of this standard.
The first subparagraph of the definition of QC deficiency incorporates an existing concept of “acceptably low level” that is currently used in PCAOB auditing standards so this concept should be familiar to firms. In addition, it aligns more closely with similar definitions of other standard setters, for example the definition of “deficiency” in ISQM 1. The Board made conforming changes to the note that follows subparagraph (1) of the definition.
See, e.g., AS 2315, Audit Sampling.
Similar to the proposal, the definition of QC deficiency in the final standard also includes noncompliance with the requirements of the proposed standard other than documentation requirements, such as the requirements related to roles and responsibilities, the firm's risk assessment process, the monitoring and remediation process, and the evaluation of the QC system. Two commenters expressed concern with this requirement, stating that there may be instances where the firm may not comply with a requirement in the standard but the quality objectives and specified quality responses were met, and a firm should be able to apply judgment to determine whether a QC deficiency exists under those circumstances. The Board continues to believe that compliance with the requirements of QC 1000 is a baseline element of any firm's QC system, such that failure to comply is always a QC deficiency, and adopted this aspect of the QC definition as proposed.
The definition also includes noncompliance with the documentation requirements of QC 1000, to the extent that such noncompliance adversely affects the firm's ability to comply with any of the other requirements of the proposed standard, while excluding other documentation issues. For example, a firm's failure to document some details of its monitoring activities, in a context where the firm otherwise sufficiently documents the evaluation of the results from its monitoring activities, would not meet the definition of a QC deficiency. The Board received no comment on this aspect of the definition of QC deficiency and adopted it as proposed.
Under the final standard, the determination of whether something identified as a QC observation meets the definition of a QC deficiency would be based on the nature, severity, and pervasiveness of the underlying matter; the likelihood that it could affect other component(s) of the QC system or other engagements; and the severity of such an effect if it were to occur. In the case of engagement deficiencies, this evaluation would take account of the basis for the firm's determination of the actions required under paragraph .68 of QC 1000, including any root cause analysis performed. These considerations are discussed, in turn, in the following subsections.
The final standard has been revised to clarify that the evaluation and determination must both be done on a timely basis.
ii. Nature, Severity, and Pervasiveness of the Matter That Gave Rise to the QC Observation
The nature, severity, and pervasiveness of the matter that gave rise to the QC observation should be taken into account when determining whether a QC deficiency exists. For a QC observation that is also an engagement deficiency, the results of the firm's evaluation of whether a similar engagement deficiency exists on other in-process and completed engagements would provide useful information to the firm when determining whether a QC deficiency exists.
The standard explains that the nature, severity, and pervasiveness of the matter that gave rise to the QC observation includes:
- The component(s) of the QC system, quality objective(s), or quality risk(s) to which the QC observation relates. Depending on the quality risks that a firm identifies, some components may play a greater role in its QC system than others. For example, for a small firm that audits one issuer and has no intention to expand its issuer audit practice, the engagement performance component would have a greater role than acceptance and continuance of engagements because the quality risks associated with the new engagement would be mitigated by the firm's policy of not taking on new issuer audit engagements. Based on the firm's risk assessment, certain quality risks may pose a greater threat to the firm's QC system than others. In addition, some QC observations may relate to a single component of the QC system or a single quality objective, while others may relate to multiple components of the QC system or multiple quality objectives. For example, an engagement deficiency may relate to the resource component (e.g., competence and training of firm personnel, firm methodology), the information and communication component (e.g., failure to communicate changes to the methodology), or the engagement performance component (e.g., failure to consult when required), or all three of those components.
- Whether the QC observation is in the design, implementation, or operation of the QC system. For example, a matter that gave rise to a QC observation in the design of a process has a greater likelihood of being pervasive to a firm's practice than a process that did not operate as designed on one occasion.
- The frequency with which the QC observation occurred. Frequency relates to the number of times the matter that gave rise to the QC observation occurred—for example, on engagements within a particular industry sector or practice group, a particular office, or firmwide. It might also relate to the number of times the observation was identified, the number of firm personnel involved, or the number of quality objectives affected. When related to the execution of a firm's quality response, it would also include relative frequency of QC observations compared to the number of times the procedure was executed properly.
- The duration of time that the QC observation existed. Duration addresses how long the matter that gave rise to the QC observation existed. In order to understand duration, a firm would need to understand whether there were other instances prior to those initially identified by the firm as QC observations.
iii. Likelihood That the Matter That Gave Rise to the QC Observation Could Affect Other Component(s) of the QC System or Other Engagements, and the Severity of Such an Effect
Whether a QC observation is a QC deficiency would also depend on the likelihood that the matter that gave rise to the QC observation could affect other QC system components or other engagements.
Other engagements include in-process engagements, completed engagements, engagements to be performed in the future, as well as work performed on other firms' engagements. A firm may design and implement mitigating actions to address an engagement deficiency when such a deficiency comes to the firm's attention. When considering the likelihood that future engagements could be affected (for purposes of determining whether a QC deficiency exists), a firm would not take into account any mitigating actions, even if they have been implemented. This is because the determination of whether a QC deficiency exists must be made based on the nature, severity, and pervasiveness of the matter that gave rise to the QC observation, viewed on its own. That shows the extent to which the QC system failed in allowing the underlying matter to occur. Whether the firm was subsequently able to partially or fully remediate the QC deficiency does not eliminate the fact that the failure occurred.
In addition to the likelihood of a matter's recurrence, the standard also requires a firm to evaluate the matter's severity if it were to affect other component(s) or engagements.
One commenter suggested that the standard address the concept of compensating responses as a factor when considering QC findings in proposed paragraph .72. In considering whether a QC observation is a QC deficiency (on the basis that the likelihood of the firm not achieving the reasonable assurance objective or one or more quality objectives has not been reduced to an acceptably low level) the firm could consider compensating responses that address the same quality risk. Additional discussion in response to this commenter's feedback appears below in the context of discussion of remedial actions.
j. Responding to QC Deficiencies
i. Root Cause Analysis (QC 1000.73-.74)
The requirement to perform root cause analysis on all identified QC deficiencies did not draw comment and was adopted as proposed.
Root cause analysis is a widely used concept in QC frameworks. Identifying and understanding the underlying causes of a problem supports developing solutions that address those causes, rather than just the symptoms. Proper determination of the causal factors that led to QC deficiencies is essential to developing effective remedial actions. For example, a policy or procedure could be inappropriately designed or implemented or a person may not have complied with a policy or executed a procedure as it was intended. As another example, an audit tool may not have operated as intended. Root cause analysis looks for different types of causes through investigating the patterns of negative effects, finding hidden flaws in the QC system, and discovering specific actions that contributed to the problem. Improvements in audit quality have generally been observed through PCAOB oversight activities where a firm has established an effective root cause analysis program. Many different types of causes may contribute to a problem.
See Spotlight: Root Cause Analysis—An Effective Practice to Drive Audit Quality (April 2024) available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/root-casue-spotlight.pdf?sfvrsn=55f82206 2.
See 2018 Inspection Observations Preview.
A firm might find it helpful when performing root cause analysis to leverage information obtained from its evaluation of whether a QC deficiency exists. That is, information about the nature, severity, or pervasiveness of the matter that gave rise to the QC observation and the likelihood that the matter that gave rise to the QC observation could affect other components of the QC system or other engagements may provide evidence of what caused the problem to occur.
Root cause analysis procedures could take different forms depending on the circumstances, which allows for scalability. Some key elements that the PCAOB has observed that may lead to more robust and comprehensive root cause analysis include:
See June 2014 SAG Briefing Paper at 2.
- Monitoring audit deficiencies identified and performing root cause analysis on a continual basis. This gives firms information that lets them react in a more timely manner and implement remedial actions to reduce recurring deficiencies in other audits.
- Process mapping at the engagement level and the firm level of the underlying work flows of how a firm conducts its practice. A well-defined process makes it easier to analyze negative events to determine what went wrong.
- Consideration of both positive and negative quality events (i.e., actions, behaviors, or conditions that resulted in positive or negative outcomes) to identify whether such actions, behaviors, or conditions were present on engagements where QC deficiencies were identified.
- Measuring, in real time, the effectiveness of remedial actions and audit quality improvement plans or initiatives to identify whether remedial efforts are effective.
The standard does not require firms to perform root cause analysis on QC observations that are not QC deficiencies.
Paragraph .74 of the standard requires that the nature, timing, and extent of the root cause analysis be commensurate with the nature, severity, and pervasiveness of the QC deficiency. This provision did not draw comment and was adopted as proposed.
A QC deficiency that could affect multiple engagements may require more urgent root cause analysis, depending on the circumstances. To illustrate, a QC deficiency related to a firm's approach to testing business combinations would be more urgent if a firm's clients regularly enter into such transactions. Taking into account the nature, severity, and pervasiveness of the QC deficiency, root cause analysis may be performed at different points in time or, depending on the size and nature of the firm, operate as more of a continual process. At times, it might be effective to combine similar QC deficiencies and perform root cause analysis on them collectively rather than on an individual basis.
In some instances, the causal factors may be relatively apparent and therefore require less analysis than in a situation where the cause of the deficiency is complex and requires significant investigation and analysis. As previously mentioned, there may be multiple causes contributing to a QC deficiency. Generally, the more thorough the analysis, the more likely the causal factors will be identified and the greater the likelihood that a firm could design and implement remediation efforts that will be effective in preventing similar QC deficiencies from occurring again.
It is important for firms to have well-defined processes in order to perform sufficient root cause analysis. The better delineated the underlying processes, the less work that may be necessary to determine why the QC deficiency occurred.
ii. Remedial Actions (QC 1000.75)
The requirement to design and implement timely remedial action for QC deficiencies did not attract comment and was adopted as proposed.
The timing of a firm's efforts to design and implement remedial actions depends on the results of the firm's root cause analysis and the nature, severity, and pervasiveness of the QC deficiency. The Board expects a firm to respond in a manner that would mitigate the occurrence of additional QC deficiencies related to similar underlying causes.
In some circumstances, due to the extent of remedial actions necessary to address the QC deficiency, a firm might design and implement temporary remedial actions until permanent actions can be designed and implemented. For example, a firm could design and implement supplemental audit practice aids to address QC deficiencies until the firm is able to revise its comprehensive audit methodology. In some situations, a complex QC deficiency may result in the firm developing a multi-step plan with milestones necessary to be achieved as the firm designs and implements its remedial actions.
In other situations, the extent of remedial actions the firm needs to take to address a particular QC deficiency may be reduced by other compensating responses that the firm has in place. If the remedial actions, including any relevant compensating responses, have been tested and found effective in addressing the issue, the firm might determine, based on the facts and circumstances, that no further remedial action is necessary.
The process of identifying QC observations, determining QC deficiencies, performing root cause analysis, and designing and implementing remedial actions is iterative. For example, a firm may learn information from performing root cause analysis that may identify issues that would have been relevant when evaluating a different QC observation had such information been known at the time. If this were to occur, a firm would further evaluate the other QC observation to determine if a QC deficiency exists based on this new information. As another example, the work entailed in a root cause analysis could potentially help a firm identify other quality objectives that are not being met. To illustrate, the firm's root cause analysis may show that a lack of training caused deficiencies in a complex audit or accounting area that is common to the firm's engagements, and may also lead to the identification of other problems in the same area, such as inadequate audit methodology or a missed consultation due to the lack of a well-understood, robust consultation process.
PCAOB oversight activities have identified that some firms evaluate positive quality events associated with engagements where no engagement deficiencies were identified. For example, certain procedures, techniques, or voluntary practice aids may have contributed to an engagement performed in accordance with applicable professional and legal requirements. These firms use the information obtained from such evaluations to assess the actions of individuals on engagements with deficiencies, ultimately highlighting potential actions to prevent future engagement deficiencies. The Board believes that evaluating positive outcomes could contribute to the success of the firm's root cause analysis and remediation efforts. Therefore, the standard includes a note highlighting that it may be beneficial for firms to consider actions, behaviors, or conditions that resulted in positive outcomes, such as where aspects of the firm's QC system operated effectively or where no engagement deficiencies were identified for individual engagements.
In some circumstances, a firm may determine the root cause of a QC deficiency is related to the use of a resource or service provided by a third-party provider. If this were to occur, under the standard, the firm is responsible for addressing the effect of the deficiency on its QC system. This could include, among other things, working with the third-party provider to design and implement remedial actions or deciding to end the relationship with the third-party provider and, as part of the firm's remedial actions, revising its policies and procedures in the area affected. Irrespective of the approach taken and the extent of participation by third parties, the firm remains responsible for its QC system.
If a firm belongs to a network and uses network resources or services to enable the operation of the firm's QC system or the performance of its engagements, a root cause of a QC deficiency could be related to the network resource or service. Similar to a firm's use of resources or services provided by a third-party provider, a firm is responsible for addressing the effect of the deficiency on its QC system regardless of whether the remedial actions taken by the firm are coordinated with the network or designed and implemented exclusively by the firm. Further, the firm remains responsible for determining whether the actions taken by the network sufficiently remediate the QC deficiency.
Under the standard, firms are able to design their approach to conducting root cause analysis and developing remedial actions. Firms' approaches will vary based on the nature and circumstances of the firm and its engagements. In addition, approaches will likely change as new technologies become available and other techniques develop.
k. Monitoring the Implementation and Operating Effectiveness of Remedial Actions (QC 1000.76)
The requirement to monitor the implementation and operating effectiveness of remedial action for QC deficiencies did not attract comment and was adopted as proposed.
Under the final standard, a firm monitors the effectiveness of its remedial actions through engagement monitoring activities and/or QC system-level monitoring activities, depending on the nature of the QC deficiency. If a firm determines the remedial actions were not properly implemented or operating effectively, the firm would be required to take timely actions until the monitoring activities indicate the QC deficiency was remediated. Timely actions could include, among others, one or more of the following:
- Adjusting the implemented remedial actions;
- Designing and implementing additional remedial actions; or
- Performing additional root cause analysis to determine if other causes exist and, if so, designing and implementing remedial actions to address such causes.
Once additional actions are taken, a firm is required to perform monitoring activities on such changes to determine whether the QC deficiency was remediated.
2. Current PCAOB Standards
Current PCAOB QC standards require firms to establish policies and procedures to provide the firm with reasonable assurance that the policies and procedures relating to each of the other QC elements are suitably designed and are being effectively applied. The standards also address how a firm implements the monitoring element of a QC system in its accounting and auditing practice. The standards discuss various monitoring procedures that a firm may perform, such as reviewing engagements before or after the engagement reports are issued, reviewing selected administrative and personnel records pertaining to the QC elements, considering systemic causes of findings that indicate improvements are needed, determining corrective actions, and following up to ensure that any necessary modifications are made to the firm's QC policies and procedures on a timely basis. Although current PCAOB QC standards provide that monitoring procedures taken as a whole should enable firms to obtain reasonable assurance that their QC systems are effective, there are no express obligations for firms to perform any specific types of monitoring.
See QC 20.20.
See generally QC 30.
See QC 30.03; QC 30.06.
See QC 30.03.
Evaluation of and Reporting on the QC System
1. QC 1000
a. Annual Evaluation of the Effectiveness of the QC System (QC 1000.77)
A firm's evaluation of the results of its monitoring and remediation process helps the firm identify the areas within the QC system that are designed, implemented, and operating effectively, as well as areas that require attention. This perspective will assist firm leadership in allocating resources to address QC deficiencies and provide them with a basis for communicating to others—within or outside the firm—the status of the firm's QC system.
Current PCAOB QC standards do not require such an evaluation. The Board understands that some firms already evaluate their QC systems, either voluntarily or in response to other requirements. However, not all firms evaluate their QC systems, and those that do may not apply the same degree of rigor.
See, e.g., NYSE Listed Company Manual, Section 303A.07(b)(iii)(A); Section 2(d) of Article 13, Regulation (EU) 537/2014.
i. Evaluation Requirement
The proposed standard included a requirement for the firm to evaluate annually whether its QC system is effective, is effective except for one or more unremediated QC deficiencies that are not major QC deficiencies, or is not effective (i.e., one or more major QC deficiencies exists). Pursuant to proposed paragraph .07c, firms that were not required to implement and operate a QC system at any time within the previous 12 months would not be subject to the requirement to evaluate and report on their QC system.
Some commenters expressed support for the proposed annual evaluation requirement. However, several commenters suggested that the Board conform the terminology to ISQM 1, such that the conclusions reached in evaluating the QC system would be the same under both standards. Some commenters expressed concern about the potential for stakeholder confusion because the criteria and terminology used in QC 1000 differ from ISQM 1. One commenter expressed concern that the more stringent criteria of QC 1000 would create a competitive disadvantage.
One commenter recommended that the Board eliminate the middle category (effective except for one or more unremediated QC deficiencies that are not major QC deficiencies), so that a firm's QC system would be evaluated as either effective or not effective based on whether any unremediated major QC deficiencies exist as of the evaluation date, such that the reasonable assurance objective has not been achieved. The commenter analogized to ICFR reporting, where management is only required to report material weaknesses.
The Board adopted the evaluation requirements as proposed. The Board does not believe there is any likelihood of confusion among external stakeholders arising from differences in evaluation criteria between QC 1000 and ISQM 1 because, under the final PCAOB standard, the conclusion reached about the effectiveness of a firm's QC system is not required to be made public. The same is true under ISQM 1. Therefore, if a firm were to evaluate its QC system under both standards and reach different conclusions, market participants would be unaware of that fact unless the firm chose to make the results of its evaluation public (in which case, it could also choose to provide an explanation of the difference). Additionally, while ISQM 1 requires communication to those charged with governance about how the system of quality management supports the consistent performance of quality audit engagements, QC 1000 does not require any such communication to the audit committee. Firms would of course be free to discuss the evaluation of their QC system with the audit committee, potentially as part of the report required under listing standards that may apply to the issuer. The Board believes most audit committee members are already well acquainted with reviewing information prepared under different frameworks, e.g., financial statements prepared under U.S. GAAP and under IFRS, and could readily understand that the more stringent criteria under QC 1000 could lead to a different conclusion about the effectiveness of the QC system.
See Reporting to the audit committee, discussed below.
See NYSE Listed Company Manual, Section 303A.07(b)(iii)(A).
Similarly, the Board believes that firms that are required to perform multiple QC system evaluations will be able to train their personnel and acquire other resources as necessary to avoid confusion among internal stakeholders and perform the evaluation under QC 1000 appropriately. A firm will be subject to both QC 1000 and other QC standards only if it is performing audits under multiple sets of auditing standards. Just as such firms manage the differences in audit requirements and methodology associated with different auditing standards, the Board believes they will be capable of managing differences in the QC system requirements under QC 1000 and other QC standards, including differences in the criteria and terminology used in evaluating the QC system.
The Board also believes that requiring three categories for the QC system evaluation, as proposed—effective, effective except for one or more unremediated QC deficiencies that are not major QC deficiencies, and ineffective—will result in a more rigorous QC system evaluation, a greater incentive for firms to address QC deficiencies promptly, and more detailed and informative reporting to the PCAOB. Given that reporting is only to the PCAOB, the Board does not believe an analogy to management's public reporting regarding ICFR, where only material weaknesses are required to be reported, is appropriate.
Firms will be required to perform an evaluation of their QC system annually. The firm's evaluation is based on data and evidence provided by the firm's monitoring and remediation activities. An annual evaluation will provide leadership with timely information to facilitate an effective feedback loop. This approach highlights the importance of the QC system in driving continuous improvement in firms' ability to perform compliant engagements on a consistent basis. The evaluation requirement will drive firms to collect and analyze the results of their monitoring and remediation processes in order to identify deficiencies and will provide an additional incentive for firms to focus on areas requiring the most immediate attention and improvement.
Firms could decide to evaluate the QC system more frequently than required under the standard. For example, a firm with one or more major QC deficiencies may decide to perform a mid-year evaluation to gauge the effectiveness of its remedial actions.
The evaluation requirement also reinforces the responsibility and accountability of leadership for the firm's QC system. As discussed above, the individual charged with ultimate responsibility and accountability for the QC system as a whole will be accountable for the annual evaluation, and both that individual and the individual charged with operational responsibility and accountability for the QC system as a whole will be required to certify the firm's annual report regarding the evaluation of its QC system. The Board believes this will send a clear message about the importance of the evaluation and incentivize firm leadership to take ownership of both the annual evaluation of the QC system and the results.
See QC 1000.13-.17.
See QC 1000.14c.-d. and .15b.
While the Board adopted as proposed a requirement for annual evaluation of the QC system, it made some changes in response to commenter input, as described below.
ii. Evaluation Frequency and Date
The proposed standard would have required the firm to evaluate its QC system annually as of November 30 and conclude on whether any unremediated QC deficiencies (including major QC deficiencies) exist as of that date.
One commenter, an investor-related group, supported the proposed November 30 evaluation date and opposed allowing firms to set their own reporting date.
Many commenters, generally firms and firm-related groups, suggested that firms should be permitted to choose their own evaluation date, primarily because it would enable them to choose a date based on their own operating and business cycle or inspection cycle. These commenters also noted other considerations, such as alignment with the firm's fiscal year end or the date already chosen for the evaluation required under ISQM 1. Several commenters suggested that firms should be able to choose a date that would allow them sufficient time to perform root cause analysis, remediate identified issues, and test the effectiveness of their remediation efforts. One commenter noted that firms could choose a date with a view to enabling real-time conversations with audit committees. Another commenter suggested that additional flexibility on the evaluation date would enhance the scalability of the standard. Some commenters stated that requiring a specific evaluation date could lead firms to perform assessments twice a year. Several commenters also raised a concern about potential resource limitations in performing the evaluation on the timetable the Board proposed.
Other commenters suggested various options for potential alternative evaluation dates:
- March 31, on the basis that it is better aligned with a natural business cycle for many firms or aligns with the Form 2 reporting date. (These commenters generally preferred allowing firms to choose their own evaluation date over a mandated date applicable to all firms and suggested March 31 as a second-best approach.)
- September 30, which would allow firms to report to the PCAOB by November 15 and, in turn, report to audit committees before the end of the calendar year.
- September 30 or October 31, if the proposed January 15th reporting date is implemented, to allow additional time to complete reporting.
- February 28, to allow reporting by April 1, in advance of the April/May proxy season.
- A window, for example, November to March, within which firms could choose a date.
Taking into account commenter feedback on the proposed evaluation date of November 30, the evaluation date was revised to September 30 for all firms. The Board believes this earlier date addresses commenter concerns that the November 30 date would have caused potential resource limitations during the traditional busy period for many firms. Further, the Board believes an evaluation date of September 30 would provide the firm with enough time to identify and potentially remediate any QC deficiencies identified from the most recent calendar year-end engagements, which might not be possible if an earlier date were selected.
As summarized above, some firms expressed concern that a firm that has already chosen its evaluation date under ISQM 1 would be required to perform two QC system evaluations per year since the PCAOB's evaluation date differs from ISQM 1's. The Board believes firms can build on work already done for the purpose of complying with the requirements of one QC standard in performing the other, to the extent applicable. However, since the nature of the two evaluations is inherently different (e.g., the determination of major QC deficiencies, the differing definitions of QC deficiency under QC 1000 vs. deficiency under ISQM 1), the Board believes that there would always be some differences between the evaluation required under QC 1000 and the evaluation required under ISQM 1. While there could be additional costs associated with multiple evaluations if a firm chose to have separate evaluation dates for purposes of QC 1000 and other QC standards to which it is subject, firms would be free to change their evaluation date under other QC standards so that the evaluation dates coincide.
The proposed standard also included a note clarifying what unremediated means in the context of this requirement: remedial actions that completely address the QC deficiency have not been fully implemented, tested, and found effective. While this note did not draw specific comment, one commenter suggested that the framework afforded by section 104(g)(2) of Sarbanes-Oxley, which the commenter said focuses on substantial good faith progress instead of complete remediation, is necessary and should be retained. The Board disagrees as, in its view, the two provisions serve fundamentally different purposes and a different approach is appropriate for firm evaluation and reporting under QC 1000.
Sarbanes-Oxley section 104(g)(2) governs the circumstances under which the PCAOB is permitted to make portions of an inspection report dealing with quality control criticisms and potential defects public. It forbids publication if the criticisms or defects “are addressed by the firm, to the satisfaction of the Board,” not later than 12 months after the date of the report. In describing its process for determining whether a matter has been addressed to its satisfaction, the Board indicated that a “favorable Board determination reflects the Board's assessment that the firm has demonstrated substantial, good faith progress toward achieving the relevant quality control objectives, sufficient to merit the result that the criticisms remain nonpublic. A favorable determination does not necessarily mean that the firm completely and permanently cured any particular quality control defect.”
PCAOB Rel. No. 104-2006-077 at 6.
By contrast, reporting on Form QC is simply factual: as of the evaluation date, has each identified QC deficiency been fully remediated or not? Under QC 1000, firms will perform a self-evaluation, based on the process and criteria set forth in the standard. This is very different from the process by which the Board determines whether a matter has been remediated to its satisfaction for purposes of section 104(g)(2), not least because it involves the firm's self-assessment rather than the Board's judgment. Moreover, the Board does not believe the consequences of a firm reporting an unremediated QC deficiency to the PCAOB would be the same as the consequences of the PCAOB publishing QC criticisms in an inspection report; in particular, the Board does not believe that the legislative policy choice reflected in section 104(g)(2), which, as the Board has said, favors “the correction of quality control problems over the exposure of them,” applies in this context, given the nonpublic nature of the Form QC reporting. Accordingly, the Board adopted the note to paragraph .77 as proposed.
See PCAOB Rule 4009, Firm Response to Quality Control Defects.
PCAOB Rel. No. 104-2006-007 at 2.
b. Determining Whether Major QC Deficiencies Exist (QC 1000.78)
The standard requires firms to evaluate unremediated QC deficiencies as of the evaluation date to determine whether major QC deficiencies exist. While the identification of QC deficiencies will be an ongoing process throughout the year, the determination of whether any of those QC deficiencies, alone or in combination, constitute major QC deficiencies will be required only as part of a firm's annual evaluation of its QC system.
i. Definition of a Major QC Deficiency
The proposed standard provided that a major QC deficiency was “an unremediated QC deficiency or combination of unremediated QC deficiencies, based on the evaluation under paragraph .78, that severely reduces the likelihood of the firm achieving the reasonable assurance objective or one or more quality objectives.” One commenter supported the concept of major QC deficiency. However, a number of commenters expressed concern with that proposed definition:
- Several commenters expressed concern that the definition could cause a firm to come to a different conclusion about its QC system during the annual evaluation process under QC 1000 than the conclusion a firm may reach under ISQM 1 and suggested that the definition be revised to include the concepts of severe and pervasive, similar to the concepts that appear in relation to the evaluation of QC deficiencies under ISQM 1.
- One commenter stated that it was unclear why a new term, “major QC deficiency,” would be necessary and questioned the need for a reference to a threshold other than “achieving reasonable assurance.”
- Another commenter was concerned that the concept of major QC deficiency, which other QC standards do not use, will redirect time and resources to analyzing the level of a deficiency instead of the important elements to remediate the deficiency such as root cause analysis and implementing timely changes to a firm's system.
- Another commenter stated that the phrase “severely reduces the likelihood” in the definition of major QC deficiency is vague and not sufficiently defined in the proposed QC standards and suggested that the phrase be replaced with the phrase “prevents the firm from concluding.”
The Board considered the commenter feedback and determined to adopt this language as proposed. The Board agrees it is possible that firms could reach different conclusions as to the effectiveness of their QC system under QC 1000 and ISQM 1 or SQMS 1. However, the concept of severe and pervasive, which commenters suggested be incorporated in the definition, appears in the factors for firms to consider when determining the existence of a major QC deficiency (see paragraph .78b. below). The Board believes that including this concept in the factors clarifies the process firms will need to go through in making their determination of whether a major QC deficiency exists.
The defined term “major QC deficiency” is unique to QC 1000, but the concept it embodies—that the QC system does not provide the firm with reasonable assurance that the objectives of the QC system have been met—is not, and appears in both ISQM 1 and SQMS 1. Accordingly, the Board does not believe that phrasing the requirements as it has, including the use of a defined term, will require a different evaluation process than if it had simply required a determination that the QC system was ineffective. The standard does not require the determination of major QC deficiencies to be performed at any time other than the evaluation date. However, firms may choose to perform such an analysis ahead of the annual evaluation date to enable sufficient time to design, implement, and test remedial actions related to the QC deficiencies that have the greatest potential impact on the QC system.
As with the defined term “QC deficiency,” the defined term “major QC deficiency” is analogous to a term in COSO's integrated framework, major deficiency, which includes the concept of “severely reduces the likelihood.” The Board believes that this concept is already well-understood by firms.
Another commenter expressed concern that a major QC deficiency would exist if there was a severely reduced likelihood that the firm did not achieve a single quality objective, even when the firm had in fact achieved the reasonable assurance objective. In the Board's view, this concern is more theoretical than real. The quality objectives in QC 1000 relate to compliance with applicable professional and legal requirements in each component of the QC system and in the aspects of the firm's practice that are addressed by each component. Failing to achieve such a quality objective implies that the reasonable assurance objective has not been achieved. Some quality objectives, particularly in the resources component, also relate to compliance with the firm's policies and procedures. These quality objectives are directed to the QC system itself: compliance with policies and procedures is necessary for the QC system to operate as designed. While failure to comply with firm policies and procedures does not necessarily imply failure to comply with applicable professional and legal requirements, it does mean that the QC system is not operating as designed, which may raise questions about the level of assurance it provides.
In response to commenter feedback regarding the proposed concept of presumed major QC deficiencies (discussed in the next section), the lead-in language of paragraph .78 was revised to clarify that the factors in paragraph .78b are to be applied by the firm both (i) when a presumption arises that a major QC deficiency exists and the firm attempts to rebut the presumption, and (ii) in instances where no presumption arises.
ii. Presumed Major QC Deficiency (QC 1000.78.a)
The proposed definition of a major QC deficiency provided for two circumstances that would be presumed to evidence a major QC deficiency. These circumstances included an unremediated QC deficiency or combination of unremediated QC deficiencies that:
- Relates to the firm's governance and leadership that affect the overall environment supporting the operation of the QC system. Firm governance and leadership establish the environment that determines how firm personnel carry out responsibilities for the operation of a firm's QC system and the performance of its engagements. Because of the pervasive impact of leadership and the “tone at the top,” one or more unremediated QC deficiencies related to firm governance and leadership that affect the overall environment supporting the operation of the QC system would almost always severely reduce the likelihood of the firm achieving the reasonable assurance objective or one or more quality objectives.
- Results in or is likely to result in one or more significant engagement deficiencies in engagements that, taken together, are significant in relation to the firm's total portfolio of engagements conducted under PCAOB standards. A significant engagement deficiency exists when (1) the engagement team failed to obtain sufficient appropriate evidence in accordance with the standards of the PCAOB or failed to perform interim review or attestation procedures necessary in the circumstances, (2) the engagement team reached an inappropriate overall conclusion on the subject matter of the engagement, (3) the engagement report is not appropriate in the circumstances, or (4) the firm is not independent of its client. An unremediated QC deficiency that would likely result in one or more of these deficiencies in engagements that, taken together, are significant in relation to the firm's total portfolio of engagements conducted under PCAOB standards would give rise to a presumption that a major QC deficiency exists. The definition included examples of quantitative and qualitative criteria that may signal such significance.
One commenter argued that the proposed presumption regarding deficiencies in the governance and leadership component was unnecessary, on the basis that not every deficiency in governance and leadership was necessarily a major QC deficiency. Other commenters expressed concern that the circumstances presumed to evidence a major QC deficiency remove the auditor's ability to apply professional judgment. Another commenter suggested that the presumptions could be replaced with indicators of a major QC deficiency, similar to how AS 2201 treats material weaknesses. Another commenter stated that it is not appropriate to include in the proposed definition circumstances when a major QC deficiency is presumed to exist because the factors provided in paragraph .78 are sufficient to make the evaluation of whether a QC deficiency is a major QC deficiency. Another commenter suggested that these presumed major QC deficiencies could be relocated from the definition and into paragraph .78 and achieve the same objective.
The Board considered the commenter feedback. However, as described above, the Board continues to believe that because of the pervasive impact of leadership and the “tone at the top,” one or more unremediated QC deficiencies related to firm governance and leadership that affect the overall environment supporting the operation of the QC system would almost always severely reduce the likelihood of the firm achieving the reasonable assurance objective or one or more quality objectives—that is, would almost always result in a major QC deficiency.
The Board also noted that, consistent with the proposal, the presumptions are not conclusive and can be rebutted by the firm in appropriate circumstances. The note to paragraph .78a clarifies that in order to rebut a presumption that a major QC deficiency exists, a firm must demonstrate, by taking into account both of the factors in paragraph .78b. (including all of the listed examples in paragraph .78b.(1)), that a major QC deficiency does not exist. The standard thus allows for circumstances in which a deficiency related to one of the presumptions does not amount to a major QC deficiency, and creates an opportunity for firms to exercise professional judgment in deciding whether to attempt to rebut the presumption and, if so, how to apply the paragraph .78b factors. However—appropriately, in the Board's view—the presumptions shift the burden of proof to the firm, which will have to demonstrate that circumstances generally reflecting a major QC deficiency do not constitute a major QC deficiency in its case. The Board believes the term “presumption” achieves this burden shifting more clearly than “indicators” or other terms would do.
When circumstances exist that are presumed to evidence a major QC deficiency, but the firm demonstrates that it does not have a major QC deficiency, the firm will be required to disclose the basis for its determination in its report to the PCAOB on Form QC, as discussed further below. See Form QC, Report on the Evaluation of the Firm's System of Quality Control, Item 2.5.
The Board agrees with the commenter that suggested that the presumed major QC deficiencies should not be included in the definition of major QC deficiency and has taken another commenter's suggestion to relocate the presumption to paragraph .78. Accordingly, the Board made the following revisions to paragraph .78:
- Relocated the circumstances presumed to evidence a major QC deficiency from the definition into paragraph .78a, so they are explicitly part of the process of determining whether a major QC deficiency exists.
- Included a note to clarify what the firm has to demonstrate in order to rebut the presumption that a major QC deficiency exists.
Importantly, the circumstances where a major QC deficiency is presumed to exist are not an exhaustive list of possible major QC deficiencies. For example, any deficiency that requires significant effort and resources to remediate may be a major QC deficiency.
One firm requested clarification of the relationship between the definitions of “engagement deficiencies” and “significant engagement deficiencies.” As is evident from their respective definitions, significant engagement deficiencies are a subset of engagement deficiencies. QC 1000 defines an engagement deficiency as “an instance of noncompliance with applicable professional and legal requirements by the firm, firm personnel, or other participants with respect to an engagement of the firm, or by the firm or firm personnel with respect to an engagement of another firm.” As the footnote to paragraph .78 of the standard provides, “A significant engagement deficiency exists when (1) the engagement team failed to obtain sufficient appropriate evidence in accordance with the standards of the PCAOB or failed to perform interim review or attestation procedures necessary in the circumstances, (2) the engagement team reached an inappropriate overall conclusion on the subject matter of the engagement, (3) the engagement report is not appropriate in the circumstances, or (4) the firm is not independent of its client. See, e.g., Notes to AS 1220.12, .17, .18B.”
iii. Factors for Consideration
To help firms make the determination of whether a major QC deficiency exists, the standard provides factors on which to base the determination, which assist firms in applying the definition. Several commenters expressed general support for the proposed factors, and the Board adopted them as proposed.
The Board did not receive comments on the examples that illustrated the proposed factors, and adopted this aspect of the proposal substantially as proposed, with one addition, in a renumbered paragraph .78b.(1)(d). The added example relates to the persistence of an unremediated QC deficiency or combination of unremediated QC deficiencies over time. Through its oversight activities the PCAOB has observed repeat or persistent criticisms—appearing in consecutive inspections, or occurring consistently over multiple years, even if not every year—which the Board believes may be indicative of a problem so pervasive and/or so severe that the firm has been unable to effectively remediate it, or of significant failures in the firm's remediation process. Firms will need to consider whether and how the existence of a persistent unremediated QC deficiency or combination of unremediated QC deficiencies year over year might indicate the existence of a major QC deficiency.
Under the standard, the factors for determining whether a major QC deficiency exists are:
- The severity and pervasiveness of the unremediated QC deficiency or combination of unremediated QC deficiencies. A firm assesses an unremediated QC deficiency, considering both quantitative and qualitative implications. For example, a firm will assess how many of the components of its QC system, quality objectives, and quality responses are affected by the deficiency, the number of root causes, and the number of affected engagements or engagements likely to be affected in the future, as well as the impact on those engagements, including engagements where the opinion was not appropriately supported or the financial statements or management's internal control assessment had to be revised or restated. The firm would also consider the implications of the deficiency for the QC system overall, based on ways in which the design or operation of other aspects of the QC system may be affected, the pervasiveness of the root causes, and the risk of the firm issuing inappropriate engagement reports or otherwise performing deficient engagements in the future. Viewed this way, for example, an unremediated QC deficiency that affects engagements only in a single industry, where the firm has few clients and no intention to acquire more and the engagements represent an insignificant portion of the firm's total portfolio of engagements under PCAOB standards, is less likely to be severe or pervasive. The Board views the concepts of severity and pervasiveness as overlapping and the factors in paragraph .78b.(1) that indicate the severity and pervasiveness of an unremediated QC deficiency, or combination of unremediated QC deficiencies, represent both aspects. The standard does not require the firm to determine that an unremediated QC deficiency is both severe and pervasive in order for it to constitute a major QC deficiency, nor is the list of examples exhaustive.
- The extent to which remedial actions have been implemented, tested, and found to be effective. Before the annual evaluation date, a firm may implement remedial actions that reduce the severity or pervasiveness of an unremediated QC deficiency. To illustrate, if a firm identifies an issue with its audit software, it could develop a temporary “work around” to mitigate the unremediated QC deficiency until a permanent solution is employed. For this factor to be relevant for a firm when determining whether a major QC deficiency exists as of the annual evaluation date, the remedial actions have to be tested and the results have to show that such remedial actions are operating effectively.
c. Firm Reporting on QC System Evaluation (QC 1000.79-.80)
i. Reporting to the PCAOB
(1) Annual Reporting
Under the proposal, firms were to report to the Board annually the outcome of the evaluation of the firm's QC system with respect to any period during which the firm was required to implement and operate the QC system. Many commenters supported the proposed annual reporting requirement. However, one commenter stated that this annual firm reporting would be of no meaningful incremental benefit to the PCAOB and has the potential to create an adversarial dynamic that would not promote audit quality or well serve investor protection goals. Another commenter suggested that if the required reporting on Form QC to the PCAOB would lead to follow-on requests from the PCAOB to furnish more detailed information as to specific findings, then confidentiality legislation may be an issue for firms. Other commenters argued that, because the PCAOB could obtain the same information through the inspections process, reporting to the PCAOB would be unnecessarily duplicative. Another commenter argued that all unremediated QC deficiencies should not have to be reported on Form QC, specifically commenting that the PCAOB already has the ability to access QC documentation for all registered firms to view this information. Another commenter suggested that the value of the report when not accompanied by independent attestation is likely to be limited.
The Board acknowledges that it has the ability to request from firms information relating to their QC systems. However, the Board continues to believe that annual reporting to the Board will provide the PCAOB with important information about firm QC systems in a timely and structured way and will provide an effective and efficient means of gathering information about firm QC systems. Currently, only 14 of the approximately 1,600 registered firms are subject to annual inspection. Approximately 640 registered firms are required to be inspected on a triennial basis, of which approximately one third are inspected in any given year. Therefore, the Board does not believe that collecting firms' QC information during an inspection would provide timely information regarding the majority of registered firms' QC systems. Data collected by the PCAOB will inform its inspections process, including decisions about the selection of firms and engagements as well as focus areas to inspect and the nature and extent of its inspection procedures (both for QC processes and individual engagements), and will enable the PCAOB not only to make more refined data requests from the firms, but also to focus its inspection resources on those firms and engagements with the greatest risk. The Board believes that this will help better advance its investor protection mandate. Additionally, the Board believes that a formal reporting process will result in enhanced accountability of firm leadership for QC and an additional incentive for prompt remediation of identified QC deficiencies. While the standard does not require attestation over the firm's evaluation process, the Board believes that the requirements regarding the form, including required certifications, will provide sufficient incentive for firms to report accurately and completely (and enforcement remedies will be available if they do not). 
The incremental effort for a firm to report its evaluation to the PCAOB will not be substantial, as the firm is simply communicating the results of its evaluation process and any related remediation activities, which it is required to conduct and document under QC 1000 in any case.
The data were obtained from Audit Analytics and publicly available data from the PCAOB's Registration, Annual and Special Reporting (RASR) available at https://rasr.pcaobus.org.
One firm suggested that the Board only require reporting to the PCAOB if a firm performed engagements in accordance with PCAOB standards during the one-year period ending on the evaluation date. The Board considered whether this change would be of significant benefit to firms and would further enhance the scalability of the standard. However, firms that are not currently performing engagements may have responsibilities with respect to past engagements. Moreover, regardless of whether they are required to report the results of the annual evaluation, firms will still be required to perform an evaluation pursuant to QC 1000 in such a circumstance. On that basis, the Board believes that reporting would be valuable even for firms that did not perform an engagement during the year preceding the evaluation date, and that reporting should not constitute an undue burden.
See, e.g., AS 2901; AS 2905.
(2) Reporting Mechanism: Form QC
As proposed and under the final rules, firms are required to report their annual QC evaluation on a new form, Form QC. Several commenters supported the use of a separate Form QC, with some of these commenters asserting that because firms should be allowed to select their own evaluation date, this would necessitate the use of Form QC, rather than an existing form such as Form 2. Another commenter supported the view that expanding Form 2 to incorporate QC information was not favorable as this would make the form longer and more complex. The Board continues to believe that separate reporting on new Form QC remains appropriate. The contents of Form QC are the result of a separate evaluation process by a firm and the Board believes that it is simpler for the results of the annual evaluation to be reported on a separate form. In addition, as discussed in more detail above, QC 1000 requires firms to conduct an annual evaluation of their QC system as of September 30. The use of a separate Form QC for reporting the results of the annual evaluation will facilitate closer alignment of the timing of the reporting and the annual evaluation date. For example, the submission deadline for Form 2 is June 30, which is nine months after the annual evaluation date of September 30. Furthermore, Form 2 reporting is public and, as discussed in more detail below, Form QC will not be publicly available.
The proposal asked whether Form QC should be permitted to be filed in XML or another machine-readable format. In response, one commenter supported the PCAOB permitting widely accepted formats that support usability. Another commenter supported that the web-based system for submitting the information be navigable and easy to use. Reporting to the PCAOB will be done using the same platform as its other reporting forms (currently, its web-based RASR system and, in the future, potentially new means of information exchanges as the PCAOB continues to modernize its reporting technology aimed at simplifying and automating data collection, processing, and interoperability).
(3) Contents of Form QC
The contents of Form QC will address the matters listed in paragraphs .79-.80. In addition, Form QC will elicit certain information about the firm and the individuals responsible for the QC system, aggregated information about the items required to be reported in paragraph .80, the areas of QC to which any unremediated QC deficiencies relate, and a certification of the evaluation of the QC system by certain designated individuals (discussed below).
One firm asserted that the requirement to report unremediated deficiencies is at too granular a level to be meaningful. The Board considered several alternatives, including requiring firms to report to the Board on the outcome of the annual evaluation of the firm's QC system only when the firm identifies a major QC deficiency. While this approach could reduce some of the costs associated with preparing the annual evaluation to the PCAOB, it would also significantly reduce the value of the reporting of the firm's annual evaluation to the PCAOB, as well as potentially affecting the rigor of the firm's evaluation process. As noted above, reporting on all unremediated QC deficiencies will inform various aspects of the Board's oversight activities. In addition, to the extent that reporting may increase firm leadership's focus on their responsibility and accountability for quality, reduced reporting would be less beneficial. Therefore, the Board decided that annual reporting to the PCAOB of the results of firms' annual evaluation of the QC system, including unremediated QC deficiencies, is the appropriate approach.
One commenter supported the inclusion of Item 4.1 of Form QC on whether the Board should inform a party of a subpoena for information on Form QC, but another commenter argued that it was unnecessary, may interfere with investigations, may create a potential ground for firms to sue the Board in the event notification did not occur, or potentially involve the PCAOB in private litigation. Because Form QC will be nonpublic, the Board believes that firms should be given the opportunity to request such notification, consistent with the PCAOB's treatment of the other nonpublic form filed with the PCAOB.
See General Instructions 5 to PCAOB Form 1-WD, Request for Leave to Withdraw from Registration.
An investor suggested firms should also affirm to the PCAOB on Form QC that any information that the firm voluntarily released (e.g., in transparency reports, audit quality reports, and CEO speeches) over the time period covered by Form QC was consistent with the state of their quality control system, as of the time of the voluntary disclosure. This commenter also suggested that the affirmation should be publicly available. An investor-related group suggested that firms should report publicly on Form QC how an independent QC board committee (established under paragraph .28 of QC 1000) carries out its responsibilities. As discussed in more detail below, Form QC will not be publicly available, so there would be no benefit to the public in adding this information to Form QC. However, the Board remains committed to finding additional ways of providing public disclosure to better inform investors about firms, and to that end, has separately proposed to amend Form 2 to identify whether the firm has an external oversight function for the audit practice (established under paragraph .28 of QC 1000) and, if so, the identity of the person or persons and an explanation for the basis of the firm's determination that each such person is independent (including the criteria used for such determination) and the nature and scope of each such person's responsibilities.
See PCAOB Rel. No. 2024-003 at 29.
Some commenters indicated that there might be circumstances in which information required by Form QC may be restricted from disclosure by the operation of legal requirements (such as data protection laws). Two of these commenters suggested that the instructions to Form QC should include a provision found in other PCAOB forms allowing firms to decline to provide information if the firm believes that providing such information would violate non-U.S. law. Another commenter, while acknowledging that it was not aware of non-U.S. laws that would prohibit reporting the information required on Form QC, suggested that the Board state that firms would not violate the requirement to file Form QC if laws or regulations exist in the jurisdiction(s) of the firm that prevent compliance with this requirement.
The Board acknowledges that certain PCAOB forms include a general instruction for assertions of conflicts with non-U.S. law. In these circumstances, the instructions identify the specific parts and items within the form for which the firm may withhold responsive information on the basis that the firm could not provide such information without violating non-U.S. law. Form QC, however, calls for certain discrete information that the Board does not believe, and that no commenter has suggested, would be restricted from disclosure under non-U.S. law (e.g., the firm's name, the evaluation date, the overall conclusion of the firm's evaluation, the number of unremediated QC deficiencies, and for each unremediated QC deficiency, whether it is or is not major and the areas of the QC system to which it relates). Beyond that, Form QC requires firms to provide narrative information, including a description of each unremediated QC deficiency, the basis for the firm's QC deficiency determination, a summary of remedial actions, and the firm's major QC deficiency presumption analysis (if applicable). The Board believes that the narrative information required to be reported in Form QC can be provided at a sufficiently summarized level such that the reporting of such information by the firm would not require disclosure of information that could be restricted by legal requirements such as data protection laws. For example, if a firm reports an unremediated QC deficiency on Form QC, the Board believes that the firm could provide a description of the deficiency and a summary of the remedial actions taken and planned to be taken without violating non-U.S. law.
Some commenters suggested that the standard should clarify that firms submit Form QC in connection with an inspection under section 104 of the Sarbanes-Oxley Act and that Form QC should receive the same confidentiality protections of section 105(b)(5)(A) of the Act that other inspections-based documents and information receive. One of these commenters further suggested that the Board should make clear that all of Form QC and its contents benefit from the privilege established by section 105(b)(5)(A), regardless of how a deficiency has come to light. Another commenter suggested that the Board consider requesting firms to provide the information proposed to be in Form QC through the inspection process, and that such requests could be made at any time to facilitate the PCAOB's inspections. The commenter explained that under this suggested alternative approach, Part II and the related exhibits of Form QC could be removed and instead, the PCAOB could request this as part of the inspection process, to allow the information to be privileged under section 105(b)(5), while retaining the certification.
The Board does not believe that it is appropriate to specify that Form QC is provided in connection with an inspection. The obligation to furnish Form QC to the PCAOB does not derive from a request from PCAOB inspection staff; instead, that obligation arises expressly from paragraph .79 of QC 1000. And while Form QC, like other forms filed with the PCAOB (such as annual reports on Form 2), may be used to inform the PCAOB inspection process, that is not the only purpose of the form; it may be used, for example, in connection with PCAOB standard-setting processes, its economic and risk analysis, and its registration program, to name a few examples. Furthermore, Form QC submissions may not directly relate to an inspection. For example, triennially inspected firms are required to report on Form QC annually, including in years in which they are not subject to inspection. Firms that are no longer performing engagements making them subject to PCAOB inspection may still be required to report on Form QC in light of their post-issuance QC responsibilities, such as their audit documentation retention obligations under AS 1215. Accordingly, the Board does not believe that Form QC is received by the Board in connection with an inspection for purposes of section 105(b)(5)(A) of the Act, though it notes, as discussed further below, that certain information contained within a Form QC may be subject to the protections of section 105(b)(5)(A).
(4) Reporting Date
The proposal contemplated that firms would have until January 15 of the year following the November 30 evaluation date to file Form QC. This provided firms 46 days from the evaluation date to the reporting date. As adopted, the standard provides that firms have until November 30 to report on Form QC to the PCAOB. This provides firms with 61 days after the evaluation date of September 30 to file Form QC. A general instruction was added to Form QC to clarify the reporting period covered by the firm's evaluation. The reporting period is the period beginning on October 1 of the year preceding the year in which Form QC is required to be filed (or, if a firm's obligation to implement and operate a QC system arises under paragraph .07a after October 1 of that year, the date on which that obligation arises) and ending September 30 of the year Form QC is required to be filed. Under this provision, the reporting period will generally be 12 months long, but will be shorter if the obligation to implement and operate the QC system arises mid-period (whether by virtue of the effective date of QC 1000 or the firm's otherwise becoming subject to the requirement to implement and operate the QC system).
Several commenters suggested a 90-day period from the evaluation date to the reporting date would be appropriate because this would allow for testing of controls that operate at the evaluation date, and allow firms to perform thorough and detailed evaluations. Several commenters suggested that additional time is required for Form QC preparation beyond 45 days to be able to compile relevant information, including information on remedial actions, with some commenters supporting a 60-day period that would align with the shortest due date applicable to issuers to report on their conclusion on internal control over financial reporting. Another commenter suggested that reporting should be in advance of the April/May proxy season, suggesting a reporting date of April 1 using an evaluation date of February 28. One commenter did not support a January 15 reporting deadline, suggesting that this would be close to the conclusion of the audit and, if there are matters to be reported to the audit committee, would leave the audit committee with little time to consider and respond to the information before the due date of the issuer's Form 10-K. The commenter also suggested that for firms subject to both ISQM 1 and QC 1000, having different reporting dates would create unnecessary complexities for audit committees receiving reports under different standards and different points in time. Several commenters suggested that a January 15 reporting deadline would be challenging for many firms given the proximity to year-end holidays. One commenter suggested that coinciding the reporting date of January 15 with the PCAOB's inspection process should not be a key consideration for firms in determining the most appropriate date for their annual assessment.
The Board believes that extending the number of days from the evaluation date to the reporting date to 61 days will provide firms sufficient time to complete their evaluation and report to the PCAOB. In addition, the reporting date of November 30 as adopted is prior to the calendar year end and the traditional busy period for many firms, which the Board believes will further benefit firms in performing their evaluations.
ii. Form QC: Not Publicly Available
The proposed standard contemplated that Form QC would be nonpublic. Many commenters, including firms, supported requiring the contents of Form QC to be nonpublic. One firm commented that to require public reporting would be inconsistent with the balance that Congress struck in sections 104(g)(2) and 105(b)(5) of Sarbanes-Oxley. One commenter asserted that the PCAOB should not use rulemaking to cause firms to disclose quality control matters that the PCAOB is prohibited by Sarbanes-Oxley from disclosing or cause firms to otherwise disclose information that would be confidential under statute. Another commenter suggested that public disclosure of unremediated QC criticisms could allow companies that have a lower demand for audit quality to select a lower quality auditor.
Other commenters, generally investors and investor-related groups, objected to the lack of public disclosure. Two investors commented that the proposed disclosure to audit committees but not to the public leaves investors in the dark, and that disclosure requirements provide an effective incentive for remediation of identified quality control issues. Another commenter asserted that if the PCAOB is permitted to compel firms to disclose quality control information to audit committees, then they expect that the PCAOB could also compel disclosure of such information to the public. The commenter suggested that QC disclosures only to audit committees may have unintended consequences for the public markets as companies will have more information regarding the quality of their auditors than individual investors. Some investors and investor-related groups commented that the proposal provides little public accountability with no mandated or meaningful disclosures about the operation of the QC system. Two investors and an investor-related group commented that firms furnish a statement of the quality control policies of the firm when registering with the PCAOB; however, this information is not required to be updated and can quickly become out of date. Therefore, providing the public with additional disclosure about a firm's quality control system will act as an updating function.
One firm suggested that it would be difficult for the public to synthesize in a useful manner the information in Form QC without the right level of context. However, three investor-related groups did not support the view that partial disclosure of Form QC would result in a potentially incomplete or misleading picture of a firm's QC system, and favored disclosing elements of Form QC and leaving to investors the assessment of the relative importance of the information. One of the investors further suggested a restructuring of Form QC that would allow confidential information to remain confidential while sharing decision-useful information with investors. Another investor suggested that investors would directly benefit from the disclosure of firm-identified deficiencies that omits PCAOB-identified deficiencies, further commenting that to the extent firms do not disclose any deficiencies to the public, investors may have concern that the system of quality control was not sufficient to proactively identify deficiencies.
The Board continues to recognize the desire of investors and other stakeholders for information related to audit quality and the effectiveness of firms' QC systems. But its ability to require firms to publicly disclose their QC deficiencies is subject to certain legal constraints imposed by Sarbanes-Oxley.
As a threshold matter, some or all of the unremediated QC deficiencies identified during a firm's annual evaluation may have been identified as QC criticisms or potential defects during a PCAOB inspection. Furthermore, the Board believes that the QC deficiencies identified during PCAOB inspections are likely to be important information from the perspective of investors and other stakeholders, especially because PCAOB inspection teams customize their QC-related procedures based on, among other things, the firm's structure, procedures performed in prior inspections, past and current inspection observations, the size of the firm, and an assessment of risk related to each focus area. Notably, however, section 104(g)(2) of Sarbanes-Oxley provides that if a quality control criticism or potential defect identified during a PCAOB inspection is addressed by the firm to the Board's satisfaction within 12 months of the date of the Board's inspection report, no portions of the inspection report that deal with that criticism or potential defect will be made public. Making or requiring public disclosure through a publicly available form of QC deficiencies that have been identified during a PCAOB inspection would be inconsistent with this provision of Sarbanes-Oxley, if disclosure were required before the Board has determined whether it is satisfied with the firm's remediation efforts or after the Board has determined that the firm has satisfactorily addressed the deficiencies.
See QC 1000.71b.
See section 104(g)(2) of Sarbanes-Oxley, 15 U.S.C. 7214(g)(2); see also PCAOB Rule 4009.
The limitation imposed by section 104(g)(2) is a significant one. In light of section 104(g)(2), it appears that even if the PCAOB were to require Form QC to be publicly available, the PCAOB could not require the disclosure of information regarding the existence or nature of QC deficiencies that are still subject to the Board's remediation determination. However, if information reported by a firm on Form QC informs a QC criticism contained within an inspection report, and if that QC criticism is not addressed to the Board's satisfaction within 12 months of the date of that report, then the QC criticism would be made public in accordance with section 104(g)(2).
The Board believes that the omission of deficiencies that are still subject to the Board's remediation determination (or as to which the Board has made a favorable remediation determination) would result in a publicly available Form QC that supplies an incomplete and potentially misleading picture of the effectiveness of the firm's QC system. This view is guided by the familiar principle that omitting material facts from a disclosure can cause the statements that are made to be misleading. The Board's decision not to mandate public disclosure of Form QC, in a context where material information (namely, the existence and nature of QC deficiencies that are still subject to the Board's remediation determination) may often be omitted, is motivated in part by that concern, not by any lack of confidence in investors' ability to interpret the information provided to them. For example, a firm may have self-identified a number of relatively minor QC deficiencies in its own evaluation, while QC deficiencies identified by the PCAOB are more severe or could be of greater public interest. In a partial disclosure scenario, the firm would disclose the minor matters, but not the more significant ones that are still subject to the Board's remediation determination, creating a misleading picture of the state of its QC system.
See, e.g., 17 CFR 240.10b-5(b).
The Board was also concerned that, in certain circumstances, even such partial disclosure would conflict with section 104(g)(2) of Sarbanes-Oxley. For example, assume firms were required to disclose the conclusion of their most recent evaluation and any QC deficiencies that were self-identified, but not any PCAOB-identified QC deficiencies that remain subject to the Board's remediation determination. Under such an approach, if a firm had PCAOB-identified QC deficiencies but no additional self-identified QC deficiencies, then the firm would not disclose any specific QC deficiencies but would disclose an overall conclusion (either “effective except for one or more QC deficiencies that are not major QC deficiencies” or “ineffective,” depending on the nature of the PCAOB-identified deficiencies) that nonetheless reveals that the firm has unremediated QC deficiencies, without specifically identifying them. In such a scenario, the Board would be indirectly requiring firms to disclose the existence of PCAOB-identified QC deficiencies that are still subject to the Board's remediation determination, notwithstanding section 104(g)(2) of Sarbanes-Oxley.
Moreover, public disclosure of portions of Form QC may in some cases be subject to other legal constraints imposed by Sarbanes-Oxley. Depending on how a QC deficiency has come to light, certain information contained within a Form QC might be confidential pursuant to section 105(b)(5)(A) of Sarbanes-Oxley, which addresses documents and information prepared or received by or specifically for the Board in connection with an inspection or investigation. Additionally, Form QC requires firms to report on remedial actions that in certain (though likely rare) circumstances may be subject to laws relating to the confidentiality of proprietary, personal, or other information, or might reasonably be identified by a firm as proprietary. In such a scenario, the Board, in accordance with section 102(e) of Sarbanes-Oxley, would need to honor a firm's properly substantiated request for confidential treatment of such information.
See section 105(b)(5)(A) of Sarbanes-Oxley, 15 U.S.C. 7215(b)(5)(A).
See section 102(e) of Sarbanes-Oxley, 15 U.S.C. 7212(e); PCAOB Rule 2300(b).
The Board also believes that firms may be in a better position to report fully and candidly to the PCAOB about their annual evaluation—more effectively supporting both their own remediation efforts and PCAOB oversight activities—if they are confident that the information would be understood and used in the context of a broader understanding of their overall audit practice and an ongoing dialogue between the firm and the PCAOB.
Accordingly, the Board adopted Form QC as a nonpublic form, as proposed.
To that end, the Board adopted new PCAOB Rule 2203A, which establishes the Form QC reporting requirement and specifies that the Board will not make a filed Form QC or the contents thereof (including any amendment thereto) public. The rule does not, however, prohibit a firm from voluntarily disclosing its Form QC or the contents thereof to the public or to particular stakeholders. Nor does the rule prohibit the PCAOB from sharing Form QCs or their contents and related documentation with the SEC or other entities, consistent with Sarbanes-Oxley. The rule expressly provides that Form QCs and their contents may be publicly disclosed in enforcement proceedings.
Sections 102(b)(2) and (d) of Sarbanes-Oxley authorize the Board to adopt rules requiring firms to periodically update the information contained in their registration applications or provide to the Board information as necessary or appropriate in the public interest or for the protection of investors. See section 102(b)(2)(D), (b)(2)(H), and (d) of Sarbanes-Oxley, 15 U.S.C. 7212(b)(2)(D), (b)(2)(H), and (d). Section 102(e) of Sarbanes-Oxley, in turn, permits the Board to designate in its rules the portions of registration applications and annual reports that will be made available for public inspection (subject to applicable laws relating to the confidentiality of proprietary, personal, or other information, and provided that the Board shall protect from public disclosure information reasonably identified by the firm as proprietary information). See section 102(e) of Sarbanes-Oxley, 15 U.S.C. 7212(e); see also PCAOB Rule 2300(a)(2) (providing that forms filed pursuant to Part 1 or Part 2 of Section 2 of the Board's rules will be publicly available “except to the extent otherwise specified in the Board's rules or the instructions to the form”).
See, e.g., section 105(b)(5)(B) of Sarbanes-Oxley, 15 U.S.C. 7215(b)(5)(B).
On Form QC, firms may elect to request notification from the Board if the Board is requested by legal subpoena or other legal process to disclose information contained in Form QC. The Board will make reasonable efforts to honor such a request. This notification process does not apply to the PCAOB's or the SEC's use of Form QC or its contents in an enforcement proceeding, because those scenarios do not involve Board disclosure of Form QC information in response to a legal subpoena or other legal process.
One commenter noted that Form QC or its contents may not be relevant to all enforcement proceedings and suggested that the Board explicitly clarify in the final standard that the Form QC may become public as part of an enforcement proceeding where Form QC or its content is relevant to the respective enforcement proceeding. The Board does not believe that such a clarification is necessary. When a Form QC or its content is relevant to an enforcement proceeding, it would be admissible, and when it is not relevant to an enforcement proceeding, PCAOB adjudication rules already specify that it shall be excluded.
See PCAOB Rule 5441, Evidence: Admissibility.
The rule also provides that the Board may publish Form QC information in summaries, compilations, or other general reports, provided that the firm or firms to which particular Form QC information relates are not identified (unless the information has previously been made public by the firm or firms involved or by other lawful means). Two commenters suggested that the Board could publish Form QC information in summaries, compilations, or other general reports, provided that the firms are not identified. However, another commenter did not support aggregated anonymized information and suggested that this would depart from the spirit and letter of the confidentiality provisions of Sarbanes-Oxley. The Board believes that summaries, compilations, or general reports that present relevant QC-related information on an aggregated and anonymized basis may provide useful insight to investors, audit committees, firms, and other stakeholders about firm QC systems, the implementation of QC 1000, and related matters. The Board also continues to believe that presenting such data on an aggregated and anonymized basis would not run afoul of any limitations of Sarbanes-Oxley.
For comparison, see PCAOB Rule 4010, Board Public Reports, which provides, in pertinent part, that the Board may publish summaries, compilations, or other general reports concerning the findings and results of its inspections, including discussion of QC criticisms or potential QC defects, provided that no such published report shall identify the firm or firms to which such criticisms relate, or at which such defects were found, unless that information has previously been made public in accordance with PCAOB Rule 4009, by the firm or firms involved, or by other lawful means.
While firm reporting on Form QC will be nonpublic due to the aforementioned legal constraints and policy considerations, the Board notes that other aspects of QC 1000 and related requirements promote transparency about firm QC systems within the confines of those constraints. For example, the PCAOB has observed the emerging practice of firm transparency reporting, including that the nature and content of these reports continues to evolve and expand in response to market demand. Advances in thinking about firm and engagement metrics could also affect what financial statement users demand and what firms could usefully provide. QC 1000 requires that the QC system operate over any public reporting that firms do provide, including any public reporting of metrics. Firms have to establish a specific quality objective with regard to their public reporting, including that any firm-level or engagement-level information with respect to the firm's audit practice, firm personnel, or engagements communicated to external parties be accurate and not misleading, and—as with any quality objective—they have to monitor their performance in relation to that objective and remediate identified deficiencies.
As part of their annual reporting on Form 2, all registered firms will also be required to provide an annual confirmation with regard to the design of their QC system under QC 1000 and whether they were required to implement and operate the QC system. The Board believes an annual confirmation will be a useful reminder to all firms of their responsibilities regarding the design, implementation, and operation of an effective QC system. The Board also believes that the public will benefit from being able to determine whether a particular firm has been required to implement and operate its QC system from year to year. Such information on Form 2 will be publicly available on the PCAOB website and will be accessible to investors and other financial statement users, audit committees, and other stakeholders. It will also inform PCAOB oversight efforts.
To accompany the changes to Form 2, a similar confirmation has been added to the application for PCAOB registration, Form 1. The Board believes such a confirmation will appropriately put applicants on notice of their obligations with respect to their QC systems, which would apply from and after the time that their registration is approved.
iii. Certification of the Evaluation of the Firm's QC System by Firm Leadership
As proposed, the Board required that both the individual assigned ultimate responsibility and accountability for the QC system as a whole and the individual assigned operational responsibility and accountability for the firm's QC system as a whole (the “QC certifiers”) certify the firm's report to the PCAOB on the evaluation of its QC system. Several commenters were supportive of the certification requirement, including a commenter that stated that individual certifications are likely to focus the mind and it seems likely that improvements will be seen as a result of such a requirement.
See QC 1000.14d and .15b.
Some commenters opposed the certification requirement, saying it adds little value to the evaluation of the QC system, may not provide a full view of the subject matter it purports to be certifying to and may create an unjust reliance by a third party on the certification, or is an ineffective incentive for making quality control a higher priority within a firm. Another suggested that while certification may sharpen an individual's sense of accountability, this may not necessarily lead to and cannot guarantee enhanced engagement quality. Another commenter suggested that certification requirements could act as a barrier to registration for firms operating in environments in which there are no Sarbanes-Oxley style reporting requirements, and that it could have a disproportionate impact on smaller firms.
Under SEC rules adopted pursuant to section 302 of Sarbanes-Oxley, CEOs and CFOs of issuers are required to certify, for each quarterly or annual report of the issuer, among other things, that (1) they have reviewed the report; (2) based on the officer's knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made not misleading; (3) based on the officer's knowledge, the financial statements and other financial information included in the report fairly present in all material respects the financial condition and results of operations of the issuer; (4) they (a) are responsible for establishing and maintaining internal control over financial reporting, (b) have designed ICFR to ensure that material information is made known to them, (c) have evaluated the effectiveness of ICFR, and (d) have presented their conclusions about the effectiveness of ICFR in the report; and (5) they have disclosed to the issuer's auditors and audit committee any significant deficiencies in ICFR and any fraud involving management or others involved with ICFR. See 17 CFR 240.13a-14(a), 240.15d-14(a).
The Board continues to believe that, analogous to the CEO and CFO certifications required under Sarbanes-Oxley, certification of Form QC will lead to increased discipline in the evaluation process and will reinforce the accountability of the certifying individuals, which in turn should improve the quality of the firm's evaluation. The text of the certification, which is unchanged from the proposal, appears in Item 3.2 of Form QC. That item requires certification of certain information regarding the design and evaluation of a firm's QC system, including that each QC certifier reviewed the Form QC and that the disclosures made in the Form QC are complete and accurate in all material respects to the individual's knowledge.
See, e.g., Daniel A. Cohen, Aiyesha Dey, and Thomas Z. Lys, Corporate Governance Reform and Executive Incentive: Implications for Investments and Risk Taking, 30 Contemporary Accounting Research 1298 (2013) (finding that their sample of firms significantly reduced investments in risky projects in the period following SOX); Hsihui Chang, Jengfang Chen, Woody M. Liao, and Birendra K. Mishra, CEOs'/CFOs' Swearing by the Numbers: Does it Impact Share Price of the Firm?, 81 The Accounting Review 22 (2006) (concluding that the SEC order requiring filing of sworn statements by CEOs and CFOs had a positive effect on the market value of certifying firms); Gerald J. Lobo and Jian Zhou, Did Conservatism in Financial Reporting Increase after the Sarbanes-Oxley Act? Initial Evidence, 20 Accounting Horizons 57 (2006).
As proposed, the final rules require certification from both the individual assigned ultimate responsibility and accountability for the QC system (i.e., the firm's principal executive officer(s)) and the individual assigned operational responsibility and accountability for the QC system. One commenter suggested that certification be required only from the individual with ultimate responsibility and accountability for the firm's QC system on the basis that, in the event of differences of opinion between the two certifiers, the individual responsible for the operational responsibility and accountability for the QC system could be subject to excessive pressure from the firm's principal executive officer. However, under EI 1000, certifiers will be subject to a duty to act with integrity, which includes not subordinating their professional judgment, and the individual with ultimate responsibility and accountability for the firm's QC system will have a number of obligations (for example, under QC 1000.14a.) that are inconsistent with the exercise of undue influence over a subordinate.
The Board does not require similar certifications from other personnel in the QC system, but firms may choose to institute policies that require levels of certification internal to the firm to assist those certifying Form QC.
Some commenters raised concerns about the potential liability of the QC certifiers. Several requested clarification on whether the QC certifiers could be held personally liable for an inaccurate statement only if they made the statement knowing it was false or recklessly not knowing it was false. One of these commenters further stated it had concerns about the potential for unnecessary and excessive liability that the certification could impose upon the QC certifiers, and the effect that this could have on firms' ability to recruit qualified professionals to serve. The commenter further suggested that the final adopting release expressly state that while the QC certifiers are responsible for exercising professional competence in connection with the design and operation of the firm's QC system (and may face consequences for failure to do so), the QC certifiers shall not be held responsible for inevitable system errors or the wrongful acts of others which may, in limited circumstances, overcome the best of those efforts.
If a QC certifier fails to certify the firm's Form QC, such conduct would constitute a violation of the individual's obligation under either paragraph .14d or .15b of QC 1000, as applicable to the particular individual. The Board believes this requirement is important for creating accountability within the firm to achieve the reasonable assurance objective.
Beyond that, QC certifiers' potential liability for statements contained within the Form QC certification is informed by the particular language of those statements. Certain statements in the certification reflect objective facts that the Board believes are readily knowable by the individual. Paragraph 1 of the certification, for instance, recites that the individual reviewed the firm's report on Form QC. Paragraph 3(a) of the certification contains an acknowledgement that the individual is responsible and accountable for the firm's QC system as a whole and has designed, or caused to be designed, the QC system to ensure that it meets QC 1000's reasonable assurance objective. Notably, this paragraph is not tantamount to a certification that the firm's QC system in fact meets QC 1000's reasonable assurance objective; on the contrary, Form QC contemplates that a firm might conclude, and report on its certified Form QC, that its QC system is not effective. Rather, in paragraph 3(a), the QC certifiers acknowledge their role in designing (or causing to be designed) the firm's QC system. Paragraph 3(b) of the certification states that the individual evaluated the effectiveness of the firm's QC system and has presented in Form QC the conclusions reached. With respect to each of these statements in the Form QC certification, the Board believes that the QC certifiers can and should reach a conclusion about their accuracy through the exercise of due professional care. In light of the nature of these statements, the Board does not agree with the commenters that a showing of recklessness or knowing misconduct is necessary to establish a violation with respect to these aspects of the Form QC certification.
The other statements in the Form QC certification are subject to knowledge qualifiers. In paragraph 2, the QC certifier states that the disclosures made in Part II of Form QC regarding the evaluation of the effectiveness of the firm's system of quality control are complete and accurate in all material respects “[b]ased on my knowledge.” Similarly, paragraph 3(c) states that the QC certifier has disclosed, based on the evaluation of the QC system, all unremediated QC deficiencies “of which I am aware.” These statements would be inaccurate, and the QC certifier's certification would therefore constitute violative conduct, only if they were knowingly false (if the QC certifier knew that Part II was not complete and accurate in all material respects, or if the QC certifier was aware of undisclosed unremediated QC deficiencies), or if they were made recklessly not knowing they were false.
One commenter suggested that the certification say “to the best of my knowledge” rather than “based on my knowledge,” and another commenter suggested that the wording of the certification be updated to “in my capacity as the individual assigned [ultimate/operational] responsibility” rather than “who have been assigned [ultimate/operational] responsibility.” After consideration of these comments, the Board believes that the proposed language is clear, appropriate, and likely to be easily understood, and does not believe that the proposed certification text requires amending.
One commenter did not support the clause in the proposed certification that states that the firm has disclosed all unremediated quality control deficiencies. The commenter, while acknowledging that this statement is subject to a knowledge qualifier, suggested that this certification could lead to unnecessary disputes over what the QC certifiers should have known in a particular circumstance and suggested that obtaining a certification from the firm (not the individual) may sufficiently address this item without discounting the standards to which auditors are held. As discussed above, the inclusion of “of which I am aware” in paragraph 3(c) of the certification means that liability would arise with respect to that paragraph only if the QC certifier made the statement knowing it was false or recklessly not knowing it was false.
Another commenter also suggested that the standards clarify that such certification relates to the “firm's evaluation” of its QC system, and not a specific individual's evaluation of the quality management system. As reflected in paragraph .77 of QC 1000, the annual evaluation is conducted by the firm, but the firm, as a legal entity, acts through individuals, and the QC certifiers are the individuals who, under the standard, are responsible and accountable for the QC system as a whole and are required to certify the firm's report to the PCAOB on its annual evaluation.
Another commenter asserted that the text of the certification suggests that a certifying individual should be considered to have violated QC 1000 only to the extent that the inaccuracy in a submitted certification is material to an investor's or reasonable auditor's understanding of the QC system as a whole, and asked that the Board confirm that is the case. The Board does not agree with this characterization of Form QC. Some statements in Form QC, such as the one in paragraph 2, are expressly conditioned on materiality, while other statements, such as that in paragraph 3(b), are not.
One commenter suggested that creating a potential Sarbanes-Oxley type certification for privately held accounting firms and making this available to the public could create market confusion as to what exactly is being certified and the level of reliance users should place on such a certification. The certification does not contain the outcome of the firm's annual evaluation of its QC system or identify any unremediated QC deficiencies, but rather certifies the completeness and accuracy of the information being reported to the PCAOB on Form QC. That information is set forth elsewhere in Form QC and, as explained above, that information is treated as nonpublic. Because the certified information is treated as nonpublic, the Item 3.2 certifications are likewise treated as nonpublic; in the Board's view, the certifications do not present a full or useful picture of a firm's QC system without the underlying information.
iv. Requirement for Form QC Amendments
The proposed general instructions for Form QC included provisions detailing when amendments of Form QC should be filed. Those instructions indicate that Form QC should be amended only to correct information that was incorrect at the time that the form was filed or to provide information that was omitted from the form and was required to be provided at the time the form was filed. The Board considered commenters' feedback, and retained the language regarding amendments in the proposed general instructions for Form QC, which mirrors the standard for amending certain other PCAOB forms.
Two commenters requested clarification on how firms should consider information that comes to their attention after the evaluation date or the reporting date that is relevant to the firm's conclusion on Form QC, including how this interacts with relevant provisions in proposed EI 1000. Other commenters suggested that revisions to Form QC not be required for inconsequential matters. Other commenters requested guidance on when an amendment to Form QC would be required, and some suggested that a threshold be developed for potential amendments.
QC 1000 requires firms to conduct the annual evaluation of their QC system's effectiveness as of September 30 and to file their report on Form QC regarding that evaluation by November 30. Consequently, annual evaluations under QC 1000 should conclude sometime between October 1 and November 30 of each year. Information that relates to the firm's QC system as of the evaluation date (September 30), and that comes to the firm's attention after the evaluation date but before the firm has filed Form QC, should be factored into the firm's evaluation and reflected, if and as appropriate, in Form QC. In contrast, any information that relates to the firm's QC system as of the evaluation date, but that comes to the firm's attention after the firm has filed its Form QC, would not need to be reflected on Form QC or on an amendment to Form QC (although it may constitute a QC observation to be considered in the next annual evaluation of the QC system).
In other words, Form QC captures, and conveys to the Board, the conclusions reached by the firm as a result of its completed annual evaluation, and that evaluation cannot disregard information that comes to light before Form QC has been filed. Therefore, when Form QC is filed, it should be complete and accurate as of the date of its filing. Similar to PCAOB staff guidance on Form 2 reporting, if a firm discovers that it provided incorrect information in a filed Form QC or omitted information that should have been included based on information that the firm was aware of at the time of filing, then the firm should file an amended Form QC. That amendment obligation is not subject to any materiality or other thresholds, because the Board believes it is entitled to receive Form QCs that contain information that is correct and that do not omit information that was required to be provided. The Board does not believe that any of the information on Form QC is inconsequential.
See Staff Questions and Answers Annual Reporting on Form 2, at Q34, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/registration/rasr/documents/staff_qa-annual_reporting.pdf?sfvrsn=5e7259ff_0 .
v. Reporting to the Audit Committee
In connection with the proposal of QC 1000, the Board also proposed amendments to AS 1301, Communications with Audit Committees, which contemplated communication to the audit committee of certain information about the firm's most recent evaluation of its QC system. Several commenters supported the amendments as proposed. Other commenters supported limiting the communications to the conclusion of the annual evaluation or limiting communication of deficiencies to only major QC deficiencies. One commenter expressed concern with reporting to audit committees about all unremediated QC deficiencies that exist as of the evaluation date, in part because of the interaction of such communications with the confidentiality restrictions under section 105(b)(5)(A) of Sarbanes-Oxley. The commenter further suggested that requiring all QC deficiencies to be communicated would create more extensive communication requirements for firms related to QC deficiencies than what auditors are required to communicate to audit committees in an audit of ICFR, and in addition, this approach would differ from management's external reporting on its ICFR to its stakeholders, which solely discloses deficiencies that are material weaknesses.
One commenter asserted that audit committees are likely to find more value in understanding quality matters specific to the engagement and having a broader dialogue about the firm's approach to quality control. Two commenters argued that a firmwide report on audit quality would have little utility to each individual audit committee. One of these commenters suggested instead that audit committees would be more influenced by an independent verification of the QC system such as the PCAOB inspection report on their auditor, and information relating to the auditor's performance on their engagement, including audit quality indicators. The other commenter recommended that firms report relevant human resource metrics to the audit committee and explain what was done to assure audit quality was not compromised. One commenter asserted it could be extremely challenging for audit committees to understand and reconcile the information that would be communicated to them under the proposed changes to AS 1301, especially given the considerable time period between the issuance of public portions of firm inspection reports and the potential release of nonpublic inspection findings. One commenter did not support the requirement to disclose a firm's QC deficiencies to audit committees, and stated that QC deficiencies may have little to no impact on a given reporting issuer's audit or that area of the firm's practice. Another commenter questioned whether or not the audit committee would be inclined to seek a new auditor based only on a firm-wide evaluation of quality control furnished to the audit committee by the auditor. One commenter was generally supportive of the requirements but expressed concern with the timing of the required communication due to existing important year-end communications. 
The commenter expressed concern that not communicating QC deficiencies known at a January 15 reporting date could potentially introduce legal considerations that could place tension on the engagement team and the firm's obligation to comply with other existing required communications under AS 1301. One commenter recommended specifying that this communication is not required to be in writing due to confidentiality concerns, and two commenters did not support any required communication of the annual evaluation of the QC system to the audit committee.
One commenter asserted that requiring firms to communicate to audit committees about their most recent annual QC evaluations is inconsistent with the Congressional balance struck in Sarbanes-Oxley section 104(g)(2). In addition, the commenter suggested that the requirement indirectly regulates the actions of audit committees and imposes a fiduciary duty of care on audit committees, regardless of whether quality control issues relate to the performance of the engagement, which is beyond the scope of the PCAOB's jurisdiction. Another commenter asserted that the proposed communication could also be construed as contradictory to the PCAOB's conclusion that Form QC would be treated as nonpublic.
Several commenters were concerned about the proposed requirement to discuss remedial actions taken and to be taken, and suggested that some of this information may be protected by section 104(g)(2) or section 105(b)(5)(A) of Sarbanes-Oxley. One commenter suggested that the communication of a brief overview of remedial actions taken or to be taken should only be required upon the determination that substantial good faith progress has not been made on the remedial actions.
After consideration of the comments received, the Board determined not to adopt the proposed amendments to AS 1301. Although the Board continues to believe that firms could communicate the overall conclusion of their annual evaluation and their planned remedial actions to audit committees without expressly disclosing information subject to section 104(g)(2) or section 105(b)(5)(A) of Sarbanes-Oxley, the Board recognizes that such a disclosure obligation could present implementation challenges. Specifically, and as discussed in more detail above, there may be challenges associated with compelling firms to publicly disclose certain information about their QC systems while simultaneously preserving their ability not to disclose other related information that may be subject to confidentiality protections, privileges, or prescribed disclosure procedures under Sarbanes-Oxley. The Board believes that the same challenges could arise if firms were compelled to make disclosures to audit committees.
The Board also recognizes that firms and audit committees have direct interaction, so while PCAOB standards do not require firms to make disclosures to audit committees, an audit committee may ask a firm to voluntarily disclose information about its QC system. As the Board has previously noted, such inquiries could include requesting the firm to keep the audit committee apprised of the status of the quality control remediation process (including whether the firm made a submission to the Board responding to inspection report quality control criticisms by the 12-month deadline) and whether the Board has made a final remediation determination (including a negative determination that has not yet become public).
See Information for Audit Committees about the PCAOB Inspection Process, PCAOB Rel. No. 2012-003, at 11 (Aug. 1, 2012), available at https://pcaobus.org/Inspections/Documents/Inspection_Information_for_Audit_Committees.pdf .
2. Current PCAOB Standards
Current PCAOB QC standards do not require firms to evaluate their QC systems or to report on any such evaluations. As previously noted, some firms conduct evaluations and share their results in published reports, either voluntarily or under other regulatory requirements.
Documentation
Documentation supports a firm's QC system in a number of ways. It helps provide clarity around roles and responsibilities and the firm's policies and procedures, which promotes consistent compliance by firm personnel and other participants. Documentation enables proper monitoring and supports the evaluation and continuous improvement of a firm's QC system. It makes it easier to train firm personnel and other participants and facilitates the retention of organizational knowledge, providing a history of the basis for decisions made by the firm about its QC system. Further, documentation assists others conducting reviews of the firm's QC system by providing evidence of the system's design, implementation, and operation. Current PCAOB standards provide only general direction on the nature and extent of QC documentation and specific requirements for documentation of certain items.
See, e.g., QC 20.21, .24-.25.
Through its oversight activities, the PCAOB has observed that the nature and extent of firms' documentation of their QC systems vary greatly. Some firms have detailed documentation for all areas of their QC systems. Other firms have significantly less documentation. For example, some firms have documentation only in areas that have been subject to PCAOB inspections, such as remediation, root cause analysis, or internal inspections. QC 1000 establishes more comprehensive requirements for firms to document their QC systems.
1. QC 1000
The proposal included an overarching documentation requirement that captured the design, implementation, and operation of the firm's QC system and the annual evaluation of the QC system. The scope of that requirement was then specified in proposed paragraphs .82 and .83.
The documentation of the design and implementation of the QC system captures decisions made regarding “the who, what, when, where, why, and how” of the QC system. This aspect of documentation will help firm personnel and others understand what is expected of them in fulfilling their responsibilities and support consistent implementation and operation of the firm's QC system. For example, documentation of the design of policies and procedures regarding general and specific independence matters would enable a consistent understanding by firm personnel and others about who is responsible for what, when the responsibilities are triggered, and why certain actions are necessary. Such documentation will allow for consistent actions by firm personnel and others in implementing the design of those policies.
See, e.g., QC 1000.33-.34.
The documentation of the operation of the firm's QC system enables the firm to determine if the policies and procedures were operated in the manner that the firm intended. It would also provide evidence of compliance with the specified quality responses and other requirements of QC 1000. For example, it would provide evidence of how the firm complied with specific communication requirements related to the operation of the firm's QC system and the performance of its engagements and whether the quality responses implemented by the firm operated as designed.
Firms that are not required to implement and operate their QC system would not be expected to have anything to document with respect to the operation of the QC system.
See, e.g., QC 1000.55-.57.
The Board received no comments on the general obligation to prepare and retain documentation regarding the QC system and paragraph .81 was adopted as proposed. The comments received regarding the scope of the proposed documentation requirement are addressed below, in connection with the discussion of paragraphs .82 and .83.
The proposal included a list of specific matters that firms would be required to document. Documentation of the lines of responsibilities and supervision within the QC system should reduce operational ambiguity and provide clarity about who within the firm is accountable for various firm supervisory responsibilities within the firm's QC system. One firm suggested that the phrase “successive senior levels” may not be clear. As discussed in more detail above, under QC 1000.27, the firm should establish and maintain clear lines of responsibility and supervision—including defining authorities, responsibilities, accountabilities, and supervisory and reporting lines for roles within the firm, up to and including the principal executive officer(s)—within the QC environment. A description of these successive lines of responsibility and supervision must be included in the documentation of the QC system, and a reference to paragraph .27 was added to clarify that point.
The requirement for the firm to document aspects of its risk assessment process ensures that the firm will have adequate evidence to support its annual risk assessment. Specifically, the firm is required to document identified quality risks, reasons these risks were identified, and policies and procedures the firm had put in place in response. This documentation is valuable in subsequent risk assessments and could help to support decisions about, for example, whether to establish additional quality objectives, identify new or modified quality risks, or design and implement new quality responses.
The requirements for the firm to document aspects of its monitoring and remediation process will also support its monitoring and remediation activities. For example, a firm's documentation of engagement and QC system-level monitoring activities performed, its evaluation of the results of those monitoring activities, actions taken to address engagement deficiencies, and identified QC deficiencies would demonstrate the firm's approach to complying with certain requirements of the standard for the monitoring and remediation process component. This documentation will also assist the firm in monitoring its monitoring and remediation process and in making its annual evaluation of the effectiveness of the QC system pursuant to paragraph .77.
The standard also requires the firm to document the basis for the conclusion it reached in evaluating the effectiveness of its QC system pursuant to paragraph .77. This documentation provides evidence of the decisions made in reaching the conclusion about the effectiveness of the firm's QC system, which may be valuable in future evaluations and in establishing compliance with the firm's reporting obligations to the PCAOB.
The standard requires the firm to document certain matters if the firm uses resources or services provided by a network or a third-party provider in the firm's QC system or the performance of the firm's engagements. When a firm uses resources or services provided by a network or a third-party provider, the standard requires the firm to document how the resources or services are developed and maintained and, if such services or resources were supplemented or adapted, how and why they were supplemented or adapted. Firms will also have to document how the resources or services were implemented and operated. Documentation of such matters will serve as evidence of decisions made regarding resources or services used by the firm.
Some networks or third-party providers may provide documentation about their services or resources to the firm. For example, the firm may obtain an understanding of how the resources were developed and maintained by the network through documentation provided by the network. This documentation may need to be supplemented by the firm depending on various factors, including the extent of the documentation provided and whether the firm supplements or adapts the resource or service.
As discussed above, a reference to paragraph .27 was added to paragraph .82a. to clarify that a description of the successive lines of responsibility and supervision must be included in the documentation of the QC system. Paragraph .82 was otherwise adopted as proposed.
Requiring documentation to be in sufficient detail to support a consistent understanding of the QC system by firm personnel, including an understanding of their roles and responsibilities with respect to the firm's QC system, will help to clarify the firm's expectations of its personnel and promote consistent compliance with the firm's QC policies and procedures.
One firm expressed concern that this “consistent understanding” threshold may not be easily understood. The Board believes that firms will be able to determine the nature and extent of the documentation needed to facilitate a consistent understanding by firm personnel based on the functioning of their QC system. Based on the requirements in paragraph .83a, firms would initially determine the appropriate level of detail of documentation based on the experience they already have in implementing and operating a QC system under current standards and whether their personnel understand their roles and responsibilities, and modify documentation as needed over time based on their monitoring and remediation activities and the results of their QC system evaluations.
As described previously, documentation supports a firm's QC system in a number of ways. For example, it provides clarity around the firm's policies and procedures, enables proper monitoring, and supports the evaluation and continuous improvement of a firm's QC system. Documentation also facilitates the retention of organizational knowledge, providing a history of the basis for decisions made by the firm about its QC system. Further, it assists others conducting reviews of the firm's QC system by providing evidence of the system's design, implementation, and operation.
In particular, the Board believes that appropriate documentation of the QC system is necessary for the PCAOB to fulfill its statutory mandate to protect investors and the public interest. Sarbanes-Oxley requires that, in conducting an inspection of a registered public accounting firm, the PCAOB evaluates the sufficiency of the quality control system of the firm and the manner of the documentation and communication of that system by the firm. Sarbanes-Oxley further authorizes the PCAOB to perform such other testing of quality control procedures as are necessary or appropriate in light of the purpose of the inspection and the responsibilities of the Board. In addition, the Board's rules provide that a regular inspection will include, but is not limited to, the steps and procedures as specified in sections 104(d)(1) and (2) of Sarbanes-Oxley and any other tests of the audit, supervisory, and quality control procedures of the firm as the Director of the Division of Registration and Inspections or the Board determines appropriate. As part of the Board's inspection procedures, firms will be expected to provide the PCAOB with evidence relating to the effectiveness of the QC system.
See section 104(d)(2) of Sarbanes-Oxley, 15 U.S.C. 7214(d)(2).
See section 104(d)(3) of Sarbanes-Oxley, 15 U.S.C. 7214(d)(3); see also Rule 4001, Regular Inspections.
See Rule 4001, Regular Inspections.
Given that mandate, the level of documentation that would be sufficient to enable PCAOB inspectors to evaluate the effectiveness of a firm's QC system through an inspection may be different from the level of documentation that would be sufficient for the firm to support its annual evaluation. Under QC 1000, a firm must evaluate the effectiveness of its QC system based on the results of its monitoring and remediation activities, and firms can determine the nature, timing, and extent of QC system-level monitoring activities taking into account a number of factors. There could be certain quality responses, or certain instances of the operation of quality responses, that are not monitored by the firm within a given year and not considered in connection with the firm's annual evaluation. If the firm were required to prepare and retain documentation only to the extent related to its own annual evaluation, the firm might not prepare and retain documentation to evidence that these quality responses operated effectively. However, in light of the scope of the PCAOB's statutory mandate, its inspection procedures cannot be limited to quality responses (and, to the extent applicable, samples of the operation of quality responses) that the firm chose to monitor in the period. On the contrary, firms will be expected to provide evidence of the operating effectiveness of any quality responses selected for inspection in connection with the PCAOB's evaluation of the effectiveness of the firm's QC system.
See QC 1000.77.
See QC 1000.65.
Therefore, the proposed standard contemplated that, in order to effectively support the firm's QC system, the documentation of the QC system needs to be at the level of detail to enable an experienced auditor that understands QC systems but has no experience with the design, implementation, and operation of the firm's QC system to understand the design, implementation, and operation of the QC system, including the quality objectives, quality risks, quality responses, monitoring activities, remedial actions, and basis for the firm's conclusions reached in the evaluation of the QC system (“experienced auditor threshold”). Incorporating the experienced auditor threshold when describing the extent of detail firms are required to document and maintain regarding their QC system is appropriate because that level of detail will facilitate the firm's monitoring activities and external monitoring, including PCAOB inspections conducted in accordance with Sarbanes-Oxley. Two firms agreed that the experienced auditor threshold was appropriate.
Several commenters, including firms and a related group, argued that the proposed documentation requirements were too broad, and suggested a variety of different limitations to narrow their scope. Some firms suggested that the standard differentiate data relating to the operation of the QC system from data relating to the design, implementation, and annual evaluation of the QC system, with a shorter retention period for the former. Other commenters, including firms and a related group, recommended that the documentation requirements be comparable to the documentation requirements that Sarbanes-Oxley imposes on issuers with regard to management's assessment of the effectiveness of the issuer's internal control over financial reporting. Another firm suggested that the documentation requirements be comparable and analogous to the documentation retention requirements set out in the SEC's rules for issuer audits and related interpretive guidance. One firm and a related group suggested that the documentation requirements be limited to the evidence to support the annual evaluation of the QC system and related monitoring. Two firms suggested that additional guidance or clarity would be necessary in order for firms to appropriately adopt documentation retention policies related to the operation of controls that meet the expectations of the proposed standard.
See 17 CFR 229.308 (requiring issuers to maintain evidential matter, including documentation, to provide reasonable support for management's assessment of the effectiveness of ICFR).
See 17 CFR 210.2-06(a) (requiring, for audits or reviews of an issuer's financial statements, retention of records relevant to the audit or review, including workpapers and other documents that form the basis of the audit or review, and memoranda, correspondence, communications, other documents, and records (including electronic records), which: (1) Are created, sent or received in connection with the audit or review, and (2) Contain conclusions, opinions, analyses, or financial data related to the audit or review).
The Board does not believe that any of the more narrowly scoped documentation requirements suggested by commenters would be appropriate. QC 1000's documentation requirements need to be aligned with the PCAOB's mandate, provided by Congress, to “evaluate the sufficiency of the quality control system of a firm” through its inspection procedures. Therefore, the Board believes that it is imperative that documentation that enables the experienced auditor to evaluate the operation of the quality responses should be included in the documentation that is prepared and retained by the firm.
See section 104(d)(2) of Sarbanes-Oxley, 15 U.S.C. 7214(d)(2).
To clarify the level of detail of the documentation relating to the operation of the QC system that is to be prepared and retained under QC 1000, paragraph .83 was revised to include a note to .83b. stating that with respect to the operation of the QC system, the documentation must include documentation that enables the experienced auditor to evaluate the operation of the quality responses. As discussed in connection with paragraph .86 below, the Board continues to believe that all of the documentation required under the standard should be retained for seven years.
Commenters also expressed concern that firms would be required to retain large volumes of documentation. Several commenters suggested that the costs associated with retaining documentation of the operation of the QC system would be burdensome, and some further commented that the data relating to the operation of the QC system could include sensitive data, and a requirement to prepare and retain all such data could also introduce heightened data security risks. One firm suggested the Board consider adding language that appears in SQMS 1 clarifying which matters require documentation, specifically referencing SQMS 1 paragraphs A224 and A227.
Paragraph A224 of SQMS 1 states that it is neither necessary nor practicable for the firm to document every matter considered, or judgment made, about its system of quality management. Furthermore, compliance with this SQMS may be evidenced by the firm through its information and communication component, documents or other written materials, or IT applications that are integral to the components of the system of quality management. Paragraph A227 of SQMS 1 states that the firm is not required to document the consideration of every condition, event, circumstance, action, or inaction for each quality objective or each risk that may give rise to a quality risk. However, in documenting the quality risks and how the firm's responses address the quality risks, the firm may document the reasons for the assessment given to the quality risks (that is, the considered occurrence and effect on the achievement of one or more quality objectives) to support the consistent implementation and operation of the responses.
In considering commenters' concerns that the documentation to support that the quality responses operated effectively in every instance would result in a substantial volume of documentation, the Board believes that the ability to effectively monitor whether the firm's quality responses are properly designed and operating effectively should not be restricted by the documentation requirements of the standard. Furthermore, the Board believes that the new note to paragraph .83b clarifies that the firm need not prepare and retain excessively voluminous documentation of the day-to-day operation of every action of its QC system, provided the information is not required to satisfy the requirements of paragraphs .82-.83.
The Board believes that the extent of documentation sufficient to evidence whether the quality responses operated effectively would scale with the size of the firm's PCAOB practice and the risks and complexities of their engagements and, in turn, the assessed quality risks and the quality responses established to address them. Therefore, the documentation requirements of the standard should be less costly and burdensome for firms with smaller PCAOB audit practices, which the Board believes is appropriate.
In addition, firms are able to evaluate the nature and extent of the documentation that is necessary to evidence the operation of the quality responses. In determining the sufficiency of the detail and extent of the QC documentation, the firm may identify quality responses for which the evidence required to be able to demonstrate that the quality response operated effectively may not entail retention of all the information produced in the day-to-day operation of the QC system. For example, in the event that a large volume of automated emails sent by the firm to its employees are evidence supporting that a quality response operated, the firm could evaluate whether alternative evidence (such as email delivery reports or other aggregated data) would provide sufficient support regarding the operation of the quality response—without having to prepare and retain all of the individual emails within the QC documentation. In addition, to the extent that the operation of the firm's QC system includes sensitive data, the firm has flexibility to not include the sensitive data fields in the documentation that is prepared and retained to the extent that they are not necessary to evidence that the quality response operated effectively. Furthermore, informed by its oversight activities, the PCAOB has observed that firms currently archive and retain documentation for extended periods of time and are able to implement processes to appropriately safeguard the information. The PCAOB has also observed instances where firms have migrated systems and still maintained the appropriate documentation through archives or through migration of the information onto the new systems.
As the note to paragraph .83b makes clear, documentation of every aspect of the operation of the firm's QC system may not be required to evidence that each quality response operated effectively. For example, there may be certain documentation, such as emails or meeting invitations that are sent as part of the day-to-day operation of the QC system, that may not be necessary to enable an experienced auditor to evaluate the effective operation of the quality responses. In these circumstances, the firm may determine it is not required to prepare and retain this information within the documentation of its QC system. However, the Board also believes that there may be circumstances in which an email or meeting invitation needs to be retained because it evidences how a quality response operated to address a quality risk and is necessary to enable an experienced auditor to evaluate the operation of the quality response.
Although some commenters suggested the documentation requirements be analogous to the SEC's ICFR documentation retention guidance, the Board does not believe that is an appropriate threshold. The SEC's guidance indicates that management's documentation needs to provide “reasonable support” for its ICFR assessment and that management's documentation need not include all controls that exist within a process that impacts financial reporting, but should be focused on those controls that management concludes are adequate to address the financial reporting risks. QC 1000 is not a “reasonable support” standard and instead requires documentation to understand how the firm's quality responses are designed to address the quality risks and evidence the operation of the QC system.
See Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under section 13(a) or 15(d) of the Securities Exchange Act of 1934, SEC Rel. No. 33-8810 (June 27, 2007), available at https://www.sec.gov/files/rules/interp/2007/33-8810.pdf.
The standard's approach to documentation requirements is principles-based and provides for scalability. When determining the form, content, and extent of documentation, the firm will consider, among other things, the nature and circumstances of the firm and the nature and complexity of the matter being documented. For example, for a large multi-office firm that performs many audits under PCAOB standards, the extent of documentation would be greater than for a small, single-office firm with a few firm personnel that audits one issuer or broker-dealer. The firm's documentation may take the form of formal written manuals and checklists or may be informally documented (e.g., in email communications), subject to the requirement of paragraph .83 that the documentation be in sufficient detail to support a consistent understanding of the QC system by firm personnel and for an experienced auditor to understand the design, implementation, and operation of the QC system. The firm may determine that a detailed memo is a more appropriate form of documentation for more complex matters, whereas, for less complex matters, briefer communications, such as email, may suffice. The nature and circumstances of the firm and the nature and complexity of the matter being documented are not the only factors that could drive the form, content, and extent of documentation. There may be other factors, such as the nature of the firm's engagements or the frequency and extent of changes in the firm's QC systems. The Board believes this principles-based approach provides for scalability and that providing specific guidelines and detailed examples of various types of documentation would potentially limit firms' flexibility unnecessarily.
The proposal contemplated that firms would have to concurrently file their Form QC and assemble their documentation for retention by the same date. As adopted, the standard provides that firms have an additional 14 days after the date that the firm is required to file Form QC to assemble their documentation. Several commenters expressed concern with having the QC documentation completion date be concurrent with the date that the firm must report annually to the PCAOB on Form QC pursuant to paragraph .79. Many of these commenters recommended a document completion date 45 days after the reporting date, with some of these commenters suggesting that 45 days would ensure consistency with the requirements of AS 1215. One firm suggested that a full 45 days to assemble a complete and final set of documentation was not necessary, but the time period needed to assemble documentation should be built into an evaluation of the length of the reporting period if the final standard retained a document completion date concurrent to the reporting date.
After consideration of the comments received, the Board revised paragraph .84 to provide firms up until December 14 (a total of 75 days after the evaluation date) to complete a final set of QC documentation. This includes an additional 14 days after the date that the firm is required to report to the PCAOB on Form QC. The 14-day period aligns with the changes to PCAOB requirements for engagement documentation. The Board believes that larger PCAOB audit practices with more complex and scaled up QC systems will employ the use of electronic tools in the assembly of the documentation of the QC system, and therefore a 14-day period to the QC documentation completion date is feasible. In addition, for smaller PCAOB audit practices with scaled down QC systems, the Board expects that the volume of documentation to be assembled will be smaller such that a 14-day period is also feasible for those firms. Furthermore, the Board notes that, because the final rule includes a longer period from evaluation date to reporting date than proposed, under the final standard firms will have 75 days after the evaluation date to assemble their documentation, rather than 45 days as proposed.
Amendments to the engagement documentation requirements in AS 1215 are addressed in a separate release. See Auditor Responsibilities Release.
The standard permits additional documentation supporting a firm's QC system to be added after the QC documentation completion date in a manner similar to the addition of audit evidence to audit documentation under AS 1215.16. When this occurs, the standard requires a firm to indicate the date the information was added, the name of the person who prepared the additional documentation, and the reason for adding it. The standard also requires all previously retained documentation supporting the firm's evaluation of its QC system to remain intact and not be discarded.
The proposed standard contemplated that the firm would retain QC documentation for seven years from the QC documentation completion date, unless a longer period is required by law.
Two firms commented that they believed the seven-year retention period to be cost-prohibitive. One of these firms commented that if the firm changed its systems, for example, it will have to maintain additional licenses for old systems to access and use the data and pay for up to seven years' worth of storage, and it believes that maintaining that much data would introduce unnecessary cost as well as increased cybersecurity risk. The firm also commented that the seven-year retention period goes beyond the retention requirements of the quality management standards set forth by the AICPA and IAASB, and that this difference could cause operational challenges. The firm recommended aligning the documentation requirements with the firm's inspection and remediation cycle or allowing the firm to use a risk-based approach based on its judgment. Two firms opposed the seven-year period and suggested that it be based on the most recent inspection (for example, one year from the most recent inspection period), or until the inspection for a particular period has been completed.
SQMS 1 requires the firm to establish a period of time for the retention of documentation for the system of quality management that is sufficient to enable the firm and its peer reviewer to monitor the design, implementation, and operation of the firm's system of quality management or for a longer period if required by law or regulation. See paragraph 61 of SQMS 1.
ISQM 1 requires the firm to establish a period of time for the retention of documentation for the system of quality management that is sufficient to enable the firm to monitor the design, implementation and operation of the firm's system of quality management, or for a longer period if required by law or regulation. See paragraph 60 of ISQM 1.
As discussed in the proposal, the Board was concerned that requiring the retention period to be aligned with the PCAOB inspection cycle would be too short. A firm's remediation activities may span multiple years and the actions taken by the firm in certain areas may be informed by prior actions. Further, the objective of the documentation requirement is much broader than providing evidence for inspection purposes or enabling proper remediation. As described in the proposal, the Board believes that the documentation may also be useful for training purposes, ensuring the retention of organizational knowledge, and providing a history of the basis for decisions made by the firm about its QC system. One firm commented on these purposes and suggested that firms should determine what documentation has continuing relevance based on the circumstances. Another firm suggested that this could be reasonably handled by firms on a case-by-case basis, and any necessary documentation that could impact or inform future periods could be specifically retained. The firm further commented that some information would become stale over time and that it does not anticipate information retained early on being used for training or the retention of organizational knowledge in later years. A firm and a related group commented that a seven-year retention requirement is appropriate as it pertains to documentation that supports a firm's evaluation of its system of quality control and the related testing.
After consideration of the comments received, together with the amendment made to paragraph .83 of the standard, the Board adopted the requirement to retain documentation for seven years from the QC documentation completion date, unless a longer period of time is required by law, as proposed. Paragraph .86 was amended to clarify that the documentation to be retained for this period is the documentation of its QC system required under paragraphs .81-.83 and paragraph .85. This requirement aligns the QC document retention requirement with other requirements in PCAOB standards and SEC rules (such as 17 CFR 210.2-06). Furthermore, the documentation relating to the firm's engagements must be retained for seven years, and the Board believes that it is appropriate for the firm to also retain documentation of the QC system that operated over those engagements for the same time period. For consistency and practical application, the retention period is the same for all firms and applies to all documentation the firm is required to accumulate to meet the documentation requirements of the standard.
See AS 1215.14.
2. Current PCAOB Standards
Existing QC 20 provides that:
- Appropriate consideration should be given to the extent to which QC policies and procedures, and compliance with them, should be documented.
- The form, content, and extent of documentation depends on relevant factors, including the size, structure, and nature of the firm's practice.
- A firm should prepare appropriate documentation to demonstrate compliance with its policies and procedures for the QC system.
- Documentation should be retained for a period sufficient to enable those performing monitoring procedures and a peer review to evaluate the extent of the firm's compliance with its QC policies and procedures.
QC 30 and the SECPS membership requirements include documentation requirements for certain items such as findings from certain monitoring activities, CPE, notification of cessation of client relationships, filing reviews under Appendix K, and corrective actions to address apparent independence violations.
See, e.g., QC 30.08; SECPS 1000.08(m), 1000.45, 1000.46, 8000.
Additional Amendments
QC 1000 supersedes the existing PCAOB interim QC standards in their entirety. Currently, Rule 3400T requires registered firms and their associated persons to comply with the AICPA's quality control standards as in existence on April 16, 2003, to the extent not superseded or amended by the Board. Rule 3400T identifies the AICPA's Statements on QC Standards (QC 20, QC 30, QC 40) and certain of the AICPA's SECPS membership requirements, which are applicable only to firms that were members of the AICPA SEC Practice Section on April 16, 2003. The Board rescinded Rule 3400T. In consequence, the interim quality control standards referenced in Rule 3400T are no longer part of PCAOB standards. Rule 3400T is replaced with Rule 3400, which describes the auditor's responsibilities for complying with quality control standards adopted by the Board and approved by the SEC.
Other amendments to PCAOB standards, rules, and forms are described below.
Amendments to AS 2901, Consideration of Omitted Procedures After the Report Date, and Related Amendments
1. Background
Currently, AS 2901 applies when the auditor concludes, after issuing its report on the financial statements, that procedures “considered necessary at the time of the audit in the circumstances then existing” were omitted from an audit of the financial statements, but there is no indication that the financial statements are not fairly presented. Existing AS 2901 requires remedial action if (i) the auditor concludes that the omitted procedures impair its ability to support the previously issued opinion, and (ii) people are likely to rely on the report. If remedial action is required but the auditor is not able to perform the omitted procedures or alternative procedures that support the opinion, the standard directs the auditor to consult with counsel. Existing AS 2901 does not apply to ICFR audits or to attestation engagements.
AS 2905, rather than AS 2901, applies if the auditor subsequently learns of facts regarding the financial statements existing at the date of its report that might have affected its opinion. Paragraph .98 of AS 2201 is an analogous provision in the context of ICFR audits.
2. Amendments to AS 2901
The Board believes that amendments to AS 2901 are appropriate to modernize the standard, incorporate the concepts and terminology introduced in QC 1000, and bring the standard into alignment with the auditor's existing responsibility to obtain sufficient appropriate audit evidence to support the opinion.
QC 1000 introduces a new term, “engagement deficiency,” defined as an instance of noncompliance with applicable professional or legal requirements by the firm, firm personnel, or other participants with respect to an engagement of the firm, or by the firm or firm personnel with respect to an engagement of another firm. For an engagement deficiency related to a completed engagement, QC 1000 requires firms to take action to address the engagement deficiency “in accordance with applicable professional and legal requirements” (e.g., AS 2901, AS 2905, AS 2201.98-.99).
The Board broadened the scope of AS 2901 to incorporate this new terminology, so that remedial action is required for engagement deficiencies for both financial statement audits and ICFR audits unless it was probable that the engagement report is not being relied upon. Reflecting this broader scope, the name of the standard was also changed to “Responding to Engagement Deficiencies After Issuance of the Auditor's Report.”
See QC 1000.68b.
a. Scope and Applicability (AS 2901.01-.02)
Note that, under PCAOB Rule 1001(a)(xii), “auditor” as used in AS 2901 means both firms and their associated persons.
i. Engagements Covered
Existing AS 2901 predates ICFR audit requirements and applies only to financial statement audits. The Board proposed to extend the scope of AS 2901 to cover engagement deficiencies in ICFR audits as well. Several commenters, generally firms, agreed with the proposal to extend the scope of AS 2901 to include engagement deficiencies in ICFR audits, and the Board adopted that change in scope.
Similar to the concept in existing AS 2901, the Board proposed that the revised standard would not apply to engagements where it is probable that the audit report is not being relied upon. The proposed standard included a note providing that the firm must treat an engagement report as being relied upon if the engagement report is included in the most recent SEC filing on a form that requires its inclusion. One commenter pointed out that the use of the term “must” in the proposed note did not allow for the auditor to take into account situations that may indicate an auditor's report is not being relied upon even when the auditor's report is included in the most recent filing on an SEC form. Two commenters suggested that the standard should also exclude engagements where the issuance of the subsequent year's auditor's report is imminent.
Under current AS 2901, the test is whether the auditor believes there are persons currently relying, or likely to rely, on the audit report. Under the final standard, the test would be whether it is probable that no one is relying, without reference to the auditor's belief. The term “probable” has the same meaning as described in the FASB ASC paragraph 450-20-25-1.
The Board agrees that the standard should allow for circumstances where the auditor's report is included in the most recent filing on an SEC report, but the auditor may nonetheless conclude that the auditor's report is no longer being relied upon. However, in the Board's view, the fact that the issuance of the subsequent year's auditor's report is imminent is not determinative of whether the report continues to be relied upon.
The Board revised the note to paragraph .01 to provide that, in the absence of circumstances indicating that reliance is impossible or unreasonable (e.g., cessation of a trading market for issuer securities), inclusion of an auditor's report in the most recent filing on an SEC form that requires inclusion of such an auditor's report evidences that the report is being relied upon. The Board believes this is responsive to commenter concerns and allows for sufficient flexibility. The note has also been revised to clarify that an auditor's report can be included in an SEC filing either directly or through incorporation by reference.
The determination that an auditor's report is not being relied upon would primarily be influenced by whether the auditor's report and related financial statements are readily available and whether a trading market exists for the company's securities. Circumstances that may suggest the engagement report is no longer being relied upon could include:
- So much time has elapsed that the financial statements covered by the auditor's report are no longer required to be included in SEC periodic reports.
- The issuer's or broker-dealer's business has been dissolved or gone into liquidation.
ii. Compliance With AS 2905/AS 2201.98
Under the amendments, AS 2901 points the auditor to AS 2905 or AS 2201.98 to the extent they apply. This preserves the difference in treatment that exists under current auditing standards between situations where financial statements and potentially the audit opinion may be in doubt (AS 2905 or AS 2201), and other circumstances where remedial action is required but there is no initial indication that the financial statements might be misstated (AS 2901).
iii. Deficiencies Covered
Existing AS 2901 applies when the auditor concludes that procedures considered necessary at the time of the audit in the circumstances then existing were omitted. As proposed, AS 2901 was extended to cover all engagement deficiencies identified. The Board believes it is more consistent with the basic philosophy of QC 1000 and better supports the ultimate goal of improving audit quality to require remedial action for all engagement deficiencies, regardless of whether the audit opinion is unsupported.
b. Activities To Address Engagement Deficiencies
AS 2901 currently requires remedial action when, due to omitted procedures that were considered necessary at the time of the audit, the auditor's opinion is not sufficiently supported. The required action is to perform the omitted procedures or alternative procedures that would support the opinion. If that is not possible, the auditor is directed to consult an attorney to determine an appropriate course of action.
Under the proposal, remedial action would be required for all engagement deficiencies—both those engagement deficiencies that affect the auditor's opinion and those that do not. Many commenters expressed concern with the proposal to require remedial actions for all engagement deficiencies, with one commenter suggesting that remedial actions should only be required for major deficiencies, and another commenter suggesting that the need for remedial actions should be assessed on a case-by-case basis, taking into account the severity of the engagement deficiency. Several commenters suggested that firms should be able to exercise judgment about whether remediation is necessary and observed that in practice most identified engagement deficiencies are remediated. Other commenters considered the proposed requirement overly prescriptive and one commenter suggested that the requirement was unnecessarily burdensome for instances where the auditor's report is adequately supported despite an identified engagement deficiency. On the other hand, two commenters expressed support for the Board's approach to the obligation to remediate engagement deficiencies, with one commenter stating that requiring remedial action for all identified engagement deficiencies, not just in situations where the auditor's opinion may be unsupported, would contribute to improving audit quality.
The Board continues to believe that requiring firms to take action to address all engagement deficiencies, whether related to an unsupported auditor's opinion or not, is appropriate and reinforces a firm's obligation to comply with all applicable professional and legal requirements, and adopted this requirement as proposed. As discussed below, when the opinion is appropriately supported, the firm may determine which actions to take in response to an engagement deficiency.
i. Addressing Engagement Deficiencies Related to an Unsupported Auditor's Opinion (AS 2901.03)
Under the proposal, in cases where the auditor did not obtain sufficient appropriate audit evidence to support the opinion, the auditor would have been required to either obtain additional evidence such that the opinion is adequately supported or take action to prevent future reliance on the report. One firm suggested that further guidance regarding these requirements would assist a firm in distinguishing between the engagement deficiencies that are subject to this provision rather than paragraph .04 (discussed below), or in the alternative, explicit alignment to the PCAOB's definition of a Part I.A or Part I.B deficiency. The Board is reluctant to incorporate terminology into its standards that does not have a fixed meaning under PCAOB rules and is subject to change. The Board also does not want to suggest that the requirements apply only to deficiencies identified by the PCAOB. However, in order to address this concern, paragraphs .03a and .03b were revised to make it explicit that the auditor's actions in paragraph .03b relate specifically to instances where the auditor is not able to obtain sufficient appropriate audit evidence to support the auditor's opinion.
Subsequent to the date of the comment letter, the PCAOB created an additional category, Part I.C deficiencies. Definitions of Part I.A, Part I.B, and Part I.C deficiencies are available on the PCAOB website at https://pcaobus.org/oversight/inspections/inspection-procedures.
As an example of how the Board's inspection reporting framework can change over time, in May 2023, the Board introduced several transparency enhancements to its inspection reports, including a new section of the inspection report focused on independence violations (Part I.C).
The type of procedures that the auditor performs in response should be guided by the type and amount of evidence needed to support the auditor's opinion. If the auditor is not able to obtain sufficient appropriate evidence to support the opinion, the auditor is required to take appropriate action to prevent future reliance on the audit report. The Board also amended AS 2201 as part of this rulemaking to include a reference to AS 2901 as a reminder of auditor responsibilities under that section with respect to audits of internal control over financial reporting.
See Appendix 5, Other Amendments.
ii. Addressing All Other Engagement Deficiencies
Under the proposed standard, for all other deficiencies on audit engagements, the auditor would have been required to perform remedial actions, similar to those described in QC 1000.69, based on the auditor's determination of what action (corrective, preventive, or both) is appropriate based upon the specific facts and circumstances. The proposal described the following potential responses to engagement deficiencies:
- Take corrective action to completely remediate the deficiency, where appropriate.
- For deficiencies that cannot be completely remediated, remediate to the extent possible and implement measures to prevent recurrence. For example, if a Form AP was filed late, the auditor would not be able to remediate the lateness but could improve the controls over the filing process.
- Determine, based on the facts and circumstances, that no further remedial action is necessary, e.g., because of remedial actions already taken to respond to other deficiencies.
One commenter suggested including language in the lead-in to the note to paragraph .04 to further clarify that the actions a firm may take to remediate an engagement deficiency could be either corrective or preventive, or could be a combination of the two. The note in the final standard reflects this clarification.
Additionally, the term “remedial” was removed from the final standard in the lead-in to the note to paragraph .04 in order to encompass all actions required under applicable professional and legal requirements, some of which (e.g., notification to the board of directors or regulatory agencies) may not be remedial in nature.
c. Documentation
The proposed documentation requirement did not draw comment and was adopted as proposed.
When the auditor's response to engagement deficiencies involves adding additional information to the auditor's working papers, the requirements of AS 1215.16 will apply.
Under AS 2901, the auditor should document the actions taken pursuant to paragraphs .03 and .04 to address engagement deficiencies in an audit engagement where the audit report has previously been issued. This documentation requirement is consistent with the documentation requirements in proposed QC 1000.82c for all engagement deficiencies.
3. Related Amendments
The Board proposed to add provisions similar to AS 2901 to the standards for broker-dealer attestation engagements, AT No. 1 and AT No. 2, to prompt auditors of brokers and dealers to take appropriate action if they discover that the opinion or conclusion in a previously issued attestation report was not supported. Currently, those standards are silent as to the responsibilities that apply when a deficiency is identified after the engagement report is issued.
One commenter, who recommended changes to proposed AS 2901 (including that remediation should be required only when the auditor's opinion may not be supported), suggested that the same changes be incorporated into AT No. 1 and AT No. 2. For the reasons discussed above in the context of AS 2901, the Board does not believe such a limitation is appropriate. However, the Board made a conforming change, similar to a change made to AS 2901, to the note to clarify that the auditor must treat reports as being relied upon when the examination report (in the case of AT No. 1) or review report (in the case of AT No. 2) is included (either directly or through incorporation by reference) in an SEC filing on an SEC form that requires inclusion of such an examination report or review report. The Board also made revisions to the proposed requirements in AT No. 1 and AT No. 2 by removing the word “remedial” from the lead-in language to the notes in each of the respective standards in order to encompass all actions required under applicable professional and legal requirements, some of which (e.g., notification to the board of directors or regulatory agencies) may not be remedial in nature. With these modifications, the Board adopted the proposed amendments to AT No. 1 and AT No. 2.
The Board also amended AS 2201 as part of this rulemaking to include a reference to AS 2901 as a reminder of auditor responsibilities under that section with respect to audits of internal control over financial reporting.
See Appendix 5, Other Amendments.
The Board did not propose to amend its interim attestation standards to include provisions similar to AS 2901. One commenter encouraged the Board to consider creating a separate attestation standard like AS 2901 to minimize repetition within each attestation standard, especially if the Board plans to adopt new standards beyond AT No. 1 and AT No. 2 in the future. At this time, the Board did not amend its interim attestation standards to include provisions similar to AS 2901, though it may consider doing so in the future.
Rescission of ET Section 102; Adoption of EI 1000; Related Amendments
1. Rescission of ET Section 102 and Adoption of EI 1000, Integrity and Objectivity
The Board rescinded an interim ethics and independence standard, ET 102, Integrity and Objectivity, replacing it with a new standard, EI 1000, Integrity and Objectivity. EI 1000 is based on existing ET 102, including its related interpretations codified as ET 102.02, .03, and .05, but reflects revisions that align PCAOB ethics requirements with the scope, approach, and terminology of QC 1000. To take one example, the new EI 1000 applies to registered public accounting firms and their associated persons rather than current AICPA “members” as referenced in ET 102.
Integrity and objectivity are foundational to the audit and critical to the performance of engagements under PCAOB standards. They lend credibility and engender trust in financial reporting. As the U.S. Supreme Court pointed out in United States v. Arthur Young:
By certifying the public reports that collectively depict a corporation's financial status, the independent auditor assumes a public responsibility transcending any employment relationship with the client. The independent public accountant performing this special function owes ultimate allegiance to the corporation's creditors and stockholders, as well as to the investing public. This “public watchdog” function demands that the accountant maintain total independence from the client at all times, and requires complete fidelity to the public trust.
United States v. Arthur Young, 465 U.S. 805, 817-818 (1984).
The responsibility to maintain integrity and objectivity is an important counterbalance to the risk that the auditor may be unduly influenced by company management or may be subject to cognitive or other biases in performing the audit. In turn, an auditor's integrity and objectivity can help to increase investor trust in financial reporting and strengthen capital markets.
See, e.g., Auditing Accounting Estimates, Including Fair Value Measurements and Amendments to PCAOB Auditing Standards, PCAOB Rel. No. 2018-005 (Dec. 20, 2018), at 30-35 (discussing auditor incentives and potential cognitive biases).
Currently, paragraph .01 of ET 102 sets out three requirements that apply in the performance of a professional service: (i) maintaining integrity and objectivity, (ii) being free of conflicts of interest, and (iii) not knowingly misrepresenting facts or subordinating judgment. The remaining paragraphs of the rule and the relevant portions of ET 191 provide more detailed direction in specific contexts.
The Board proposed creating two overarching requirements in EI 1000: (i) maintaining integrity, which would include being honest and candid, not knowingly or recklessly misrepresenting facts, and not subordinating judgment; and (ii) maintaining objectivity, which would include being impartial, intellectually honest, and free of conflicts of interest. The proposal incorporated descriptions of integrity and objectivity that were substantially based on existing requirements in QC 20.10.
QC 20.10 states: “Integrity requires personnel to be honest and candid within the constraints of client confidentiality. . . . The principle of objectivity imposes the obligation to be impartial, intellectually honest, and free of conflicts of interest.”
In addition to substantially recodifying existing requirements, the Board also proposed to clarify the scope of the rule and more closely align it with the scope, approach, and terminology of QC 1000.
With two clarifications discussed below, the Board adopted EI 1000 as proposed and rescinded ET 102.
a. General
As proposed, the Board modernized the standard and aligned it with other PCAOB standards and rules by renumbering it in accordance with the PCAOB's reorganized standards framework, incorporating PCAOB terminology, and eliminating outdated provisions.
The final rule clarifies that the requirements of EI 1000 apply in connection with all responsibilities under “applicable professional and legal requirements” (as defined in QC 1000) and the firm's related policies and procedures, whether in relation to the firm's engagements, work the firm does on other firms' engagements, training, independence monitoring, or other activities that are part of or subject to the firm's QC system. In addition, EI 1000 applies to registered firms and their associated persons, rather than to “members” as ET 102 currently provides.
The final rule also corrects a reference in EI 1000.02.b(2) from “materially false and misleading” to “materially false or misleading.”
One commenter supported the replacement of ET 102 with EI 1000, but recommended labeling it “OI” for Objectivity and Integrity. As described in the proposal, the Board created a designation not only for its standard on objectivity and integrity, but for future standards as well. The Board intends to use “EI” for all ethics and independence standards, just as it uses “AS” to designate auditing standards.
While one commenter confirmed that the terms used in EI 1000 are generally clear, another commenter recommended clarifying the expectations for the terms “being honest and candid” in EI 1000.02 and “being intellectually honest” in EI 1000.03. This language is drawn from existing QC 20.10, has a clear plain English meaning, and the Board believes should be well understood.
b. Integrity
EI 1000.02 notes that, as part of maintaining integrity, a firm and its associated persons must be “honest and candid.” This requirement is drawn from existing QC 20.10. The Board omitted the reference to “within the constraints of client confidentiality” in order to avoid suggesting that “client confidentiality” could limit a firm's or its associated persons' obligations to comply with the requirements of PCAOB rules or standards. This is consistent with the Board's interpretation of QC 20.10, under which a firm or its associated persons must be honest and candid in complying with PCAOB rules and standards, including during PCAOB inspections. It also confirms, among other things, that associated persons have the ability to report wrongdoing within the firm and to the appropriate regulatory authorities without constraints of confidentiality, consistent with PCAOB rules and standards. Similar to current QC 20.10, EI 1000.02 does not address the requirements of client confidentiality beyond the requirements set forth in PCAOB rules and standards and applicable requirements of the Federal securities laws, including the Sarbanes-Oxley Act.
As a general matter, the Uniform Accountancy Act excludes from the prohibition against voluntary disclosure, in part, “information required to be disclosed by the standards of the public accounting profession in reporting on the examination of financial statements or as prohibiting compliance with applicable laws, government regulations or PCAOB requirements.” AICPA, Uniform Accountancy Act (January 2018), available at https://us.aicpa.org/content/dam/aicpa/advocacy/state/downloadabledocuments/uaa-eighth-edition-january-2018.pdf.
One commenter suggested that, rather than removing the reference to confidentiality, the Board should instead refer to IESBA Code Section 260 related to noncompliance with laws or regulations. In general, the Board does not incorporate by reference the concepts and terminology used by other standard setters. In relation to noncompliance with laws and regulations in particular, the Board has proposed its own new standard. If a new PCAOB standard in that area is ultimately adopted by the Board and approved by the SEC and makes it appropriate for the Board to amend EI 1000, the Board would of course intend for EI 1000 to align with its new standard rather than the IESBA code.
See Proposing Release: Amendments to PCAOB Auditing Standards related to a Company's Noncompliance with Laws and Regulations And Other Related Amendments, PCAOB Rel. No. 2023-003 (June 6, 2023).
The proposal clarified that the responsibility to avoid factual misrepresentations covers not only knowing, but also reckless behavior, and that this responsibility applies to any knowing or reckless misrepresentation of fact, including situations where documents—such as work papers and communications with the PCAOB and the SEC—containing materially false or misleading information are knowingly or recklessly signed, permitted or directed to be signed, or left uncorrected by those with authority to correct them.
One commenter suggested that the concept of failing to correct a document that is materially false and misleading when having the authority to do so should be limited to circumstances in which the document was materially false and misleading “when made.” The Board agrees that the duty to correct is not unbounded, and generally applies at the time that a document is made (including when filed with or submitted to a regulatory authority). The Board notes, however, that while EI 1000 does not independently impose a duty to correct a document that was not materially false or misleading when made, such a duty may arise under other statutes, laws, or regulations, and the Board believes that in such a circumstance, the failure to discharge that duty should also constitute a violation of EI 1000. The Board added language to EI 1000.02b to clarify the circumstances under which failure to correct a document would constitute a knowing or reckless misrepresentation of facts.
The Board proposed to broaden the responsibility to avoid subordination of judgment so it would apply to any dispute or disagreement over applicable professional and legal requirements or how to apply them. One commenter suggested that, as part of the provision on subordination of judgment, the Board should address the risk of supervisors exercising undue influence over subordinates in the same manner as under the AICPA Code of Professional Conduct. The relevant interpretive provision of the AICPA Code, 1.130.020, Subordination of Judgment, identifies undue influence by a supervisor as a potential threat to compliance with the AICPA's Integrity and Objectivity Rule and provides safeguards to be applied when the threat is not at an acceptable level. The safeguards to be applied are essentially the same as the process required under EI 1000.02c, including research and consultation to determine whether the supervisor's position is supportable, consultation with higher levels of management, and, if appropriate action is not taken, consideration of potential duties to notify third parties and consideration of the appropriateness of continuing a relationship with the firm. In addition to the provision in EI 1000, QC 1000 also addresses the risk of undue influence through a quality objective in the engagement performance component related to the appropriate resolution of differences in professional judgment, as well as general provisions that would apply to undue influence by a supervisor, including in the governance and leadership component, the ethics and independence component, and the resources component. The Board believes these provisions address the concerns raised by this commenter and has adopted the subordination of judgment provision of EI 1000 as proposed.
AICPA Code of Professional Conduct 1.130.020, Subordination of Judgment.
Id. at 1.100.001.
QC 1000.42.c.
QC 1000.25.
QC 1000.33b, c., and f.
QC 1000.46a.
c. Objectivity
One commenter suggested that the Board could clarify the standard by including references to the AICPA or IESBA concepts of conflict of interest. As noted above, it is not generally Board policy to incorporate by reference the concepts and terminology used by other standard setters. The Board also believes that a cross reference is not appropriate because EI 1000 addresses essentially the same conduct as the AICPA and IESBA provisions.
d. Rescission of Certain AICPA Interpretations
Additionally, the Board rescinded the former AICPA interpretations currently codified as ET 102.04, .06, and .07, which address members' obligations to their employer's external accountant, performance of educational services, and professional services involving client advocacy, respectively. These are generally not relevant to engagements performed under PCAOB standards. In addition, the matters addressed in paragraph .07 are either effectively superseded by 17 CFR 210.2-01 or more effectively addressed elsewhere in PCAOB standards (e.g., AS 2610, Initial Audits—Communications Between Predecessor and Successor Auditors).
2. Amendments to ET Section 191
In connection with EI 1000, the Board also proposed amending ET 191 by making a conforming amendment to paragraph .062 and rescinding paragraphs .130, .131, .170, .171, .186, .187, .198, .199, .202, and .203. The only commenter on this topic supported these amendments. The Board adopted the amendments as proposed. The interpretations the Board rescinded (addressing, respectively, use of the CPA designation by accountants not in public practice, service as a director of a bank, service on the board of directors of United Way or a similar federated fund-raising organization, providing services for company executives, and providing client advocacy services) are generally not relevant to engagements performed under PCAOB standards or are addressed elsewhere in PCAOB and SEC rules. The Board did not amend the portions of ET 191 that pertain to ET 101, which is not being substantively amended in this rulemaking.
3. Amendments to Rule 3500T, Interim Ethics and Independence Standards, and ET Section 101, Independence
The Board proposed amending paragraph (a) of Rule 3500T to eliminate the introductory phrase “In connection with the preparation or issuance of any audit report,” which it believes may cause the rule to be read unduly narrowly. The Board also proposed eliminating references to ET 102, Integrity and Objectivity, and substituting a reference to EI 1000, Integrity and Objectivity. These proposed amendments did not receive any comment and were adopted as proposed.
Lastly, the Board amended paragraphs .04, .13, and .16 of ET 101, Independence, to conform the references to ET 102, which will be rescinded, to EI 1000.
Other Amendments
In connection with the adoption of QC 1000, the Board also adopted amendments to other professional standards, PCAOB rules, and PCAOB forms. As discussed in more detail below, these amendments:
- Align terminology, concepts, and cross-references with QC 1000;
- Rescind standards that are unnecessary in light of the adoption of QC 1000;
- Recodify certain provisions of requirements that are rescinded into other PCAOB standards and rules; and
- Make other technical and clarifying amendments.
The one commenter that addressed this topic generally supported the amendments and also recommended an amendment to PCAOB Rule 1001(p)(vi) to use the term “quality control standards” instead of “quality control policies and procedures.” The language used in PCAOB Rule 1001(p)(vi) is drawn from section 110(5) of Sarbanes-Oxley and the Board believes its rule should continue to align with that statutory provision.
These amendments are discussed further below.
1. Rescission of Rule 3400T, Interim Quality Control Standards; Adoption of Rule 3400, Quality Control Standards
These rule changes did not receive any comment and were adopted as proposed.
PCAOB Rule 3400T, Interim Quality Control Standards, requires registered public accounting firms and their associated persons to comply with the Board's interim quality control standards. The Board rescinded Rule 3400T, including all current QC standards identified in the rule, which the Board adopted on an interim, transitional basis. The Board adopted in its place a new rule, Rule 3400, to codify the auditor's responsibilities for complying with the Board's quality control standards.
Under PCAOB Rule 3400T(a), all firms are required to comply with QC standards as described in “the AICPA's Auditing Standards Board's Statements on Quality Control Standards, as in existence on April 16, 2003 (AICPA Professional Standards, QC §§ 20-40 (AICPA 2002)), to the extent not superseded or amended by the Board.” PCAOB Rule 3400T(b) requires certain firms to comply with QC standards as described in “the AICPA SEC Practice Section's Requirements of Membership (d), (l), (m), (n)(1), and (o), as in existence on April 16, 2003 (AICPA SEC Practice Section Manual 1000.08(d), (j), (m), (n)(1), and (o)), to the extent not superseded or amended by the Board.” PCAOB Rule 3400T(b). The note to Rule 3400T provides that those requirements “only apply to those registered public accounting firms that were members of the AICPA SEC Practice Section on April 16, 2003.”
2. Rescission of AS 1110, Relationship of Auditing Standards to Quality Control Standards
The Board received no comment on the proposed rescission of AS 1110 and rescinded it, as proposed.
At the time AS 1110 was issued, it served to describe the relationship between the then already-existing auditing standards and the new set of standards that governed a firm's system of quality control. This relationship is now well understood by firms and clarified within QC 1000. In addition, the first two paragraphs of AS 1110 merely repeat the requirements to comply with the auditing and QC standards that are addressed by other PCAOB standards and rules. Accordingly, the Board rescinded AS 1110.
3. Adoption of AS 1310, Notification of Termination of the Auditor-Issuer Relationship
The Board adopted a new standard, AS 1310, which recodifies existing requirements of SECPS 1000.08(m), Notification of the Commission of Resignations and Dismissals from Audit Engagements for Commission Registrants, and applies those requirements to all firms and all issuer engagements. As noted above, the Board rescinded the QC standards that pertain only to firms that were SECPS members at the time the PCAOB was created. In lieu of the SECPS requirement, the Board adopted a new standard that requires the auditor to notify the SEC upon resignation or dismissal from an audit engagement of an issuer if the issuer does not report such change in a current report on Form 8-K.
The only commenter to address this proposed standard agreed that it could provide valuable and timely information to investors to alert them when audit committees have failed to fulfill their reporting responsibilities. The Board notes, however, that notifications provided under the current SECPS requirement might not be made publicly available. Nevertheless, the Board believes that notices provided to the SEC under the standard could provide valuable information to the SEC. Therefore, the Board adopted the standard substantially as proposed, with a revision to conform to the precise language on Form 8-K. This requirement applies to all issuer engagements, regardless of whether the firm was a member of the SECPS and regardless of whether the issuer is required to report on Form 8-K.
4. Amendments to AT Section 101, Attest Engagements
These amendments did not receive any comment and were adopted as proposed.
The amendments to AT Section 101 align with the rescission of AS 1110 discussed above, by deleting the paragraphs that address the relationship of attestation standards to QC standards. Additionally, the deletion of footnote 23 removes language related to monitoring compliance with quality control policies and procedures, which is unnecessary in light of the adoption of QC 1000.
5. Amendments to Form 1, Application for Registration
The Board proposed to amend Form 1 to (i) refer to QC 1000 in the instructions in order to prompt firms to consider their obligations with respect to QC in connection with their application for registration, and (ii) add a new item whereby firms confirm whether they have designed a QC system in accordance with PCAOB standards. The only commenter to address this amendment agreed that the amendments would be appropriate. The Board adopted these amendments as proposed.
6. Amendments to Form 2, Annual Report Form
The Board proposed to amend Form 2 to add a new item whereby firms would confirm (i) that they have designed a QC system in accordance with PCAOB standards; and (ii) whether they were required to implement and operate a QC system in accordance with PCAOB standards at any time during the period of time covered by Form 2. The only commenter to address this amendment agreed that the amendments would be appropriate. The Board adopted these amendments as proposed.
7. Technical and Conforming Amendments
These amendments did not receive any comment and were adopted as proposed.
The Board implemented a number of technical and conforming amendments to align terminology and concepts in existing standards and one PCAOB form with QC 1000.
The Board also implemented a technical amendment to the instructions to Form AP to clarify an exclusion from disclosing the identity of, and hours incurred by, accounting firms in certain circumstances. The Board, when it adopted Form AP, stated that it intended to exclude the reporting of “hours incurred in the audit of entities in which the issuer has . . . an investment” using the equity method of accounting. Form AP currently excludes hours “of an accounting firm performing the audit of entities in which the issuer has an investment that is accounted for using the equity method,” but the Board is concerned that such language might be read to exclude all of the audit work performed by such an accounting firm on an audit, rather than only those hours spent performing the audit of entities in which the issuer has an investment accounted for using the equity method. The Board revised the instruction in Part IV of the form to exclude from its disclosure requirements the identity of, and hours incurred by, accounting firms “in performing” the audit of entities in which the issuer has an investment that is accounted for using the equity method, which clarifies that the identity of, and hours incurred by, such firms with respect to other work on the audit must be disclosed on Form AP, unless they are subject to other Form AP exclusions.
See Improving the Transparency of Audits: Rules to Require Disclosure of Certain Audit Participants on a New PCAOB Form and Related Amendments to Auditing Standards, PCAOB Rel. No. 2015-008 (Dec. 15, 2015), at 26.
Effective Date
In the proposing release, the Board sought comment on the amount of time auditors would need before the proposed new quality control standard and the other proposed amendments to PCAOB standards, rules, and forms, if adopted by the Board and approved by the SEC, become effective. We proposed an effective date of December 15 of the year after approval by the SEC.
One commenter agreed that the proposed effective date should be reasonable in practical terms. Another commenter asserted that the standard is not clear on the effective date as it relates to design and implementation and operating effectiveness, and recommended that the Board allow firms significant time between the release of the final standard and its effective date. One commenter suggested that an 11-month period from the effective date to the first evaluation date would not be practicable, and firms would need time to consider whether and how to transition from their evaluation date previously established under ISQM 1.
Several commenters suggested that if the standard is approved in 2023, and becomes effective on December 15, 2024, this would provide challenges to auditors. Some of these commenters further suggested that the proposed effective date would be particularly challenging for smaller firms that might not have already implemented ISQM 1 and do not have to implement SQMS 1 until December 15, 2025. Commenters suggested alternative effective dates such as December 15, 2025; 18 months after approval by the SEC and no sooner than December 15, 2025; the later of 12 months after approval by the SEC or December 15, 2025; or two years after SEC approval. One commenter suggested a phased approach such that the effective date would be different for firms that are annually inspected than for other firms, while other commenters suggested that firms that are required to implement incremental requirements based on the size of the firm should be provided additional time to implement the incremental requirements. One commenter suggested that an overly speedy adoption timeline could create unintended consequences such as disruption to QC systems and increased difficulty of getting buy-in on the proposed QC changes from stakeholders. Another commenter suggested that an additional one to two years may be needed for firms with less than 100 issuers, or that have not adopted ISQM 1, to develop and implement the additional monitoring, evaluation and remediation requirements. The commenter further suggested that a proposed initial evaluation date that is eleven and a half months after the effective date may not allow enough time for remediation and that the PCAOB should consider a longer onboarding process.
After considering the comments received, and subject to approval by the SEC, the final standard and related amendments to auditing standards, rules, and forms will take effect on December 15, 2025.
The Board believes that an effective date of December 15, 2025 strikes an appropriate balance between the benefits to investors of having QC 1000 take effect as promptly as practicable, while allowing sufficient time for firms to design and implement robust, QC 1000-compliant QC systems.
One commenter suggested the Board consider how mergers and acquisitions of firms would impact the effective date for the standard, and suggested the Board consider similar guidance to the SEC that provides that issuers may exclude an acquired business's internal control over financial reporting from its assessment of internal control for up to one year or for one assessment. After consideration of the comment received, the Board appreciates that it could take time to fully integrate a newly acquired firm's QC system and perform an evaluation of its effectiveness. However, the Board does not believe that it is appropriate or consistent with its investor protection mandate to allow for a portion of a firm's QC system to be excluded from the annual evaluation. The Board believes that specific quality risks could arise as the result of a merger or acquisition, and that firms should be designing, implementing, and operating quality responses to address these as part of merger planning and execution. Furthermore, if, as a result of a merger or acquisition between registered public accounting firms, the resultant firm is unable to conclude that the QC system is effective as of the evaluation date, then the Board believes that it is essential that the firm has identified and is remediating the QC deficiencies that exist as a result of the merger or acquisition and is monitoring any impact on the firm's engagements.
Unlike ISQM 1 and SQMS 1, under QC 1000, the requirements for QC system evaluation are not being implemented on a delayed basis. When QC 1000 takes effect, all provisions of QC 1000 will take effect. Because the evaluation date of September 30 builds in over a nine-month delay between the effective date of the standard and the first evaluation date, the Board does not believe further delaying the effective date of the evaluation requirements would be necessary or appropriate. However, the first evaluation period will be of the period beginning on the effective date of the standard (i.e., December 15, 2025) and ending on the next September 30, rather than the 12-month period ending on that September 30.
D. Economic Considerations and Application to Audits of Emerging Growth Companies
Economic analysis is an important aspect of the rulemaking process. This economic analysis describes the baseline for evaluating the economic impacts of the rulemaking, the need for rulemaking, its expected economic impacts (including benefits, costs, and potential unintended consequences), and reasonable alternatives considered. Due to data limitations, much of the economic analysis is qualitative in nature; however, where reasonable and feasible, the analysis incorporates quantitative information, including information from PCAOB inspections of registered firms.
The Board has sought information relevant to the economic analysis over the course of this rulemaking. To the extent that commenters expressed views related to the economic analysis, many commenters generally agreed with the need for QC 1000, but some commenters raised concerns with certain impacts of the proposed standard. Several commenters expressed concerns about costs associated with certain key requirements, such as documentation. Some commenters suggested that the economic analysis should more explicitly consider costs that could disproportionately impact smaller and mid-size firms. Some commenters asserted potential unintended consequences with the proposed standard, including demand on staff resources and potential competitive effects, while other commenters suggested alternatives to help manage costs associated with certain proposed requirements, such as the 100-issuer threshold and evaluation and reporting dates. Some commenters offered a quantitative perspective regarding impacts. Several commenters referenced additional academic research for the Board's consideration. The Board considered all the comments received, including the quantitative perspectives and academic research the comments referenced, and has developed the following economic analysis that evaluates the expected benefits and costs of the final requirements, discusses potential unintended consequences, and facilitates comparison to alternative actions considered.
See PCAOB Rel. No. 2022-006; PCAOB Rel. No. 2019-003.
Baseline
The discussion above provides an overview of current PCAOB QC standards; summarizes observations from PCAOB oversight activities; and describes developments in the auditing environment since the adoption of current PCAOB QC standards, including the actions of other standard setters. This section expands on that discussion by describing additional aspects of the economic baseline against which the economic impacts of the requirements can be considered and presenting other relevant information on the audit services market for issuers and broker-dealers. Specifically, this expanded discussion includes:
- Three complementary proxies for the level of compliance with professional standards applicable to the performance of engagements, derived from PCAOB inspections data. Analysis of these proxies informs the baseline for considering the expected benefits of the requirements (e.g., improved compliance with professional standards).
- Information on resources that U.S. global network firms (“GNFs”) invest in their QC systems. As the requirements are expected to result in changes to some firms' QC systems, this information informs the baseline for considering the expected costs of the requirements.
- Changes firms have made to their QC systems to remediate QC deficiencies identified by PCAOB inspections staff, along with QC deficiencies related to firms' management of their audit practices. This discussion provides information on the evolution of QC systems and informs the evaluation of the need for and the economic impacts of the requirements.
- A concise survey of academic literature on quality-threatening behaviors that suggest certain weaknesses in some QC systems in practice.
- Key assumptions regarding how QC systems are likely to evolve absent the requirements.
In describing the baseline, the analysis presents anonymized and aggregated summary statistics regarding deficiencies included in past PCAOB inspection reports. Since PCAOB inspection reports do not consider broker-dealer engagements, the analysis also presents anonymized and aggregated summary statistics regarding audit and attestation engagement deficiencies included in annual reports on the PCAOB's interim inspection program related to audits of brokers and dealers. The following background information associated with this quantitative inspection information bears emphasizing:
- The scope of the information on inspections and remediation efforts presented in the baseline section is limited to those firms that are subject to inspection under Sarbanes-Oxley; specifically, firms that provide one or more audit reports for an issuer, broker, or dealer and firms that play a substantial role in the preparation or furnishing of such audit reports. See section 104(a)(1), (2), and (b)(1) of Sarbanes-Oxley, 15 U.S.C. 7214(a)(1), (2), and (b)(1). In particular, PCAOB's analysis of deficiencies included in past PCAOB inspection reports does not include registered firms that would be subject only to design requirements on the basis that they do not perform “engagements” as defined in QC 1000. Based on Form 2 reporting as of June 30, 2023, approximately 60% of registered firms reported that they had not issued an audit report for an audit of an issuer or broker-dealer or played a substantial role in such an engagement during the preceding 12 months.
- QC deficiencies presented in Part II of a PCAOB inspection report may relate to: (1) a firm's management of its audit practice or (2) a firm's performance of audit procedures. QC deficiencies of the first type refer to the operation of QC policies and procedures. For example, a QC deficiency related to a firm's management of its audit practice may be identified through inspection staff's review of how the firm considers and addresses risks in connection with engagement acceptance and continuance decisions. QC deficiencies of the second type are inferred through analysis of deficiencies identified during inspections of individual issuer audit engagements. For example, a QC deficiency related to a firm's performance of audit procedures may be identified through inspection staff review of the performance of audit procedures related to management's accounting estimates.
- Deficiencies presented in Part I.A of an inspection report represent deficiencies in issuer audits selected for inspection that were of such significance that the Board believes that the firm, at the time it issued its audit report, had not obtained sufficient appropriate audit evidence to support its opinion on the issuer's financial statements and/or internal control over financial reporting. As part of the PCAOB's process for reviewing firms' QC systems, PCAOB inspection teams evaluate whether identified deficiencies in individual audits indicate a defect or potential defect in a firm's QC system. However, a Part I.A deficiency does not, on its own, necessarily imply significant defects or potential defects in a firm's QC system. The PCAOB inspection team will consider the nature, significance, and frequency of deficiencies and related firm methodology, guidance, practices, and possible root causes when assessing whether Part I.A deficiencies in individual audits indicate significant defects or potential defects in a firm's QC system that should appear in Part II of the firm's inspection report.
- The Dodd-Frank Wall Street Reform and Consumer Protection Act gave the PCAOB oversight of auditors of broker-dealers registered with the SEC. In June 2011, the PCAOB established an interim program to inspect these auditors and identify and address with them any significant issues observed in their audits and related attestation engagements. This interim inspection program remains in place today. The inspection processes for audits of issuers and broker-dealers are different in many respects, including the applicable laws, rules, and professional standards; the inspection selection process; inspection focus areas; and reporting of inspection results. In particular, unlike PCAOB inspections of issuer audits, which lead to an inspection report for each inspected firm, the PCAOB issues a single annual report on the interim inspection program related to audits of broker-dealers, which summarizes the results of the PCAOB's inspections of broker-dealer engagements performed during the previous year.
- The analysis of QC and issuer audit deficiencies below is presented over a twelve-year period for three separate categories of firms: (1) U.S. GNFs, (2) other firms having more than five inspected issuer engagements, and (3) other firms having five or fewer inspected issuer engagements. Categorizing inspections information among firms of different sizes helps account for the significantly skewed variation in audit firm size present in the audit market. The 2011 through 2022 period is used because information from earlier inspection years is less comparable and information from later inspection years was not completely available as of the date of this analysis. Information was preliminary for the 2022 inspection year as of the date of the PCAOB staff analysis.
- The analysis of audit and attestation engagement deficiencies included in annual reports on the PCAOB's interim inspection program related to audits of brokers and dealers below is presented over a 12-year period. The 2011 through 2022 period is used because 2011 was the first year of the interim inspection program and 2022 is the most recent year that data are available as of the date of this analysis. Information on deficiencies associated with attestation examinations or reviews is not available prior to 2015 because 2015 was the first full year during which the PCAOB was able to review attestation engagements of brokers and dealers.
1. Proxies Related to Compliance With Professional Standards
This subsection presents analyses of three quantitative proxies for the level of compliance with professional standards and thus provides information on the baseline for considering the key expected benefit of the requirements: improved compliance with professional standards. Specifically, it presents information on Part I.A deficiencies, QC deficiencies related to audit performance, and broker-dealer engagement deficiencies, from the audits or engagements PCAOB inspected. Overall, the analyses suggest that some firms' QC systems may not be providing the required reasonable assurance. Broker-dealer engagements and issuer audits performed by firms other than U.S. GNFs appear to have more room for improvement on average based on the period examined.
a. Part I.A Deficiencies
Figure 1 presents for categories of PCAOB-inspected audits the percentage of inspected issuer audits having at least one Part I.A deficiency. PCAOB staff calculated the Part I.A deficiency rates by dividing the number of inspected issuer audits that had at least one Part I.A deficiency by the number of inspected issuer audits for each given year. The Part I.A deficiency rate should not be equated with the rate of audit deficiencies across the whole issuer population. It may understate the true rate of issuer audit deficiencies because some deficiencies may not rise to the level of a Part I.A deficiency and because PCAOB inspectors do not inspect all aspects of inspected audits. However, it may also overstate the true rate of issuer audit deficiencies because PCAOB inspectors generally focus their attention on, among other things, audits and audit areas with a heightened risk of material misstatement.
Despite these potential biases in the Part I.A deficiency rate, the Board believes that the Part I.A deficiency rates presented in Figure 1 are indicative of underlying issuer audit deficiencies. However, there are two caveats that may impact the interpretation of Figure 1. First, because the audits with deficiencies are not drawn from a random sample, the deficiencies could be driven in part by changes over time in the proportion of reviewed audits that were selected based on characteristics associated with high-risk audits. Second, PCAOB inspections staff review more focus areas during reviews of U.S. GNF issuer audits than they do during reviews of other firms' issuer audits, increasing the opportunity for a reviewed U.S. GNF issuer audit to have at least one Part I.A deficiency.
For U.S. GNFs, Figure 1 shows that the percentage of inspected issuer audits having at least one Part I.A deficiency was 37% in 2011 and 30% in 2022. For other firms, the percentage has remained in the 31% to 53% range.
Figure 2 provides additional insight on how the percentage of inspected issuer audits having at least one Part I.A deficiency varies by firm. Each bar indicates the percentage of 2020, 2021, and 2022 firm inspections with a Part I.A deficiency rate within a given range. For example, Figure 2 indicates that 22% of all 2020, 2021, and 2022 U.S. GNF inspections and 11% of all 2020, 2021, and 2022 inspections of other firms with more than five inspected engagements had a Part I.A deficiency rate below 10%. Figure 2 excludes firm inspections with five or fewer inspected engagements because the Part I.A deficiency rate is a less informative proxy in these cases due to the small number of inspected engagements.
Note: During the 2020, 2021, and 2022 inspection years, there were in total 18 inspections of U.S. GNFs and 35 inspections of other firms having more than five engagements reviewed.
b. QC Deficiencies Related to Audit Performance
Figure 3 presents the average number of QC deficiencies related to audit performance per inspected firm. QC deficiencies related to audit performance are inferred through analysis of inspections of individual audits and thus represent another proxy for the level of compliance with professional standards. To prepare Figure 3, PCAOB staff counted the number of distinct QC deficiencies related to audit performance in Part II of PCAOB inspection reports. Staff assigned a zero to firm inspections that resulted in no QC deficiencies related to audit performance. Staff then calculated averages per inspected firm by year and firm group, assigning equal weight to each QC deficiency regardless of its nature or whether it was a repeat deficiency. While the total number of QC deficiencies is not readily comparable across each of the three categories of firms because of differences in inspection approach, the averages have ranged between 3.3 and 15.8 for U.S. GNFs, between 2.9 and 8.0 for other firms having more than five engagements reviewed, and between 0.9 and 2.7 for other firms having five or fewer engagements reviewed. Two caveats may impact the interpretation of Figure 3. First, starting in 2019, the PCAOB revised its approach to identifying QC deficiencies related to audit performance. The Board believes this policy change reduced the number of QC deficiencies related to audit performance for some of the inspections of non-affiliated firms (“NAFs”) but not for the U.S. GNFs. Second, the variability in the deficiency rate in the second panel may be due in part to year-over-year changes in the set of firms having more than five engagements reviewed, which may include triennial firms.
Firms that issued audit reports with respect to 100 or fewer issuers during the prior calendar year (“triennial firms”) must be inspected at least once every three years.
c. Broker-Dealer Engagement Deficiencies
Figure 4 presents the percentage of broker-dealer audits with deficiencies and the percentage of attestation engagements and reviews with deficiencies, among the selected sample of PCAOB engagements. The percentages are reproduced from the PCAOB's annual reports on the interim inspection program related to the audits of broker-dealers. The percentages are equal to the number of inspected engagements for which there were deficiencies divided by the number of inspected engagements. The percentages of audits and attestation examinations with deficiencies have remained greater than 45%. The percentage of attestation reviews with deficiencies has remained in the 23% to 54% range.
2. Resources Associated With QC Systems
Firms implement their QC systems through a set of policies and procedures. These policies and procedures vary across firms, reflecting both the principles-based nature of current QC standards and the variation in firms' particular circumstances. To inform the baseline for considering the expected costs of the requirements, PCAOB staff: (1) held initial discussions with U.S. GNFs to obtain qualitative information regarding the resources associated with their QC systems and (2) conducted a voluntary survey of U.S. GNFs on the resources they employ to design, implement, and operate QC policies and procedures. Overall, the information indicates the resources that U.S. GNFs are already devoting to the design, implementation, and operation of QC policies and procedures related to the ISQM 1 requirements.
The U.S. GNF survey requested both qualitative and quantitative information for each of the eight QC system components specified by ISQM 1: risk assessment, governance and leadership, independence and ethics, acceptance and continuance, engagement performance, resources (human, intellectual, and technological), information and communication, and monitoring and remediation. In addition, the survey requested qualitative and quantitative information related to network requirements or network services, evaluation of the QC system, and documentation. The request referred to ISQM 1 explicitly in order to facilitate comparability of the information gathered across firms and to the proposed QC standard.
See paragraphs 23-33 and 35-47 of ISQM 1.
See paragraphs 48-60 of ISQM 1.
All six U.S. GNFs provided qualitative information and five provided quantitative information. Staff received completed surveys between June 23 and July 6, 2021. The respondents provided the information as of their most recently completed fiscal year-end or QC system assessment date.
The qualitative information that PCAOB staff received indicates that U.S. GNFs' QC policies and procedures are extensive and highly integrated with the audit process. Multiple groups, teams, functions, and individuals participate in the design, implementation, and operation of QC policies and procedures. Engagement teams play a key role in the operation of many QC policies and procedures. Among other QC-related responsibilities, engagement teams often assist in acceptance and continuance decisions; initiate consultations; help maintain accurate and complete information within independence systems; attend training; and initiate and complete individual performance evaluations.
The U.S. GNFs' QC systems involve multiple IT systems that support QC activities and may also serve other operational functions. These QC systems may also rely upon work or services provided by the firm's global network and/or third-party vendors. Global network services may relate to development and maintenance of technological and intellectual resources (e.g., global audit methodology, global independence and assurance policies and procedures, etc.) or monitoring the quality of audit services performed by network affiliates. The firms report making ongoing investments in their QC systems, including implementation of new technology that supports QC activities.
The quantitative portion of the survey asked the U.S. GNFs to estimate: (1) the number of firm personnel involved in designing, implementing, or operating QC policies and procedures on an annual basis (by partner vs. non-partner); (2) the percentage of their time committed; and (3) the expected percentage change in QC resource requirements as of December 15, 2022, when ISQM 1 became effective. PCAOB staff asked the firms to include in their estimates only those resources directly related to the design, implementation, and operation of QC policies and procedures over audits of U.S. issuers and broker-dealers. In cases where removing time spent on QC policies and procedures related to audits of private companies was prohibitively difficult or impossible, staff asked firms to include this time in their estimates and describe the inseparable portion. Firms reported that their QC policies and procedures generally apply across their entire audit practice and thus their estimates typically included resources dedicated to QC systems over engagements performed under PCAOB standards as well as audits performed under other standards.
More specifically, staff asked U.S. GNFs to estimate the number of firm personnel who are directly involved in the design, implementation, or operation of each QC system component by commitment level (i.e., <10%, 10-40%, 40-60%, 60-90%, or >90% of the individual's time). If an individual committed time to multiple QC system components, staff asked firms to count the individual once for each QC component and to indicate the time committed to each component. For example, if an individual committed 100% of the individual's time to the firm's QC system, 50% to acceptance and continuance and 50% to monitoring and remediation, firms were asked to count the individual under the 40-60% commitment level for both components.
In initial discussions with the U.S. GNFs, firms reported that identifying all firm personnel hours related to their QC systems would be an enormous challenge. To make the data request feasible, PCAOB staff directed firms to exclude from their quantitative estimates time spent by engagement teams operating QC policies and procedures (e.g., performing independence procedures, planning for or engaging in consultations, executing the firm's methodology) and facilitating internal inspections. Staff also asked firms to exclude: (1) time spent by firm personnel attending training; (2) time spent by individuals on compliance with personal independence policies and procedures; (3) time spent performing engagement quality reviews of individual engagements; and (4) any resources invested at the global network level to design, implement, or operate QC policies or procedures. The qualitative information received from the firms suggests that these aspects of their QC systems are likely resource-intensive.
Table 1 summarizes the quantitative information received in aggregate form. It presents the means and standard deviations of partner, non-partner, and total full-time equivalents (FTEs) by QC system component. The means provide a sense of average scale while the standard deviations provide a sense of average variability across the firms. Overall, the means presented in Table 1 indicate that U.S. GNFs commit a mean of 647.9 total FTEs to designing, implementing, and operating their QC policies and procedures. QC policies and procedures related to: (1) independence and ethics utilize a mean of 189.9 total FTEs and (2) human, intellectual, and technological resources utilize a mean of 252.6 total FTEs. Non-partner FTEs are roughly 3.5 times partner FTEs, but partners play a relatively larger role in the governance and leadership, engagement performance, and monitoring and remediation components of QC systems. The standard deviations presented in Table 1 indicate that the average variability across firms is 499.9 total FTEs. The average variability for the independence and ethics component is 173.9 total FTEs and for the resources component is 295.2 total FTEs.
To calculate the means presented in Table 1, staff summed the number of individuals directly involved in the design, implementation, or operation of each QC system component, weighting individuals by the mid-point of their respective commitment level and divided by the number of firms that were able to provide data for the respective QC system component. The “Total” row mean is equal to the number of individuals directly involved in the design, implementation, or operation of any QC system component, weighting individuals by the mid-point of their respective commitment level divided by five (i.e., the number of firms that provided quantitative information). Therefore, the “Total” row mean does not equal the sum of the QC component-level means. The standard deviations presented in Table 1 were calculated without Bessel corrections. The standard deviation for the “Other” component is equal to the geometric mean of the standard deviations of the network requirements or network services, evaluation of the system of quality management, and documentation components. The Board's data are insufficient to account for potential covariances between these components.
The mean “Total” row values presented in Table 1 may include some underestimation error for several reasons. First, some firms were unable to reasonably estimate all of the resources for certain components, most notably for the governance and leadership component. Second, firms were generally unable to reliably estimate the cost of IT infrastructure that supports the QC system. Third, firms were generally unable to reliably estimate the portion of common-pool resources attributable to the QC system that support broader operational or financial objectives of the firm. Fourth, due to estimation challenges as described above, firms were directed to exclude certain resources from their estimates, including time spent by engagement teams executing QC policies and procedures and time spent by firm personnel attending training.
By contrast, the mean “Total” row values may also include some overestimation error. For example, firms broadly reported that their QC policies and procedures apply to both issuer and non-issuer audits and it would generally be infeasible to identify firm personnel hours related to quality control over issuer audits only. In these cases, PCAOB staff asked firms to include both issuer and non-issuer QC hours in their estimates.
Some firms were unable to separately break out the level of resources committed to designing, implementing, and operating QC policies and procedures for risk assessment, information and communication, network requirements or network services, evaluation of the system of quality management, and documentation. These firms distributed these resources across the remaining components. While this leads to some overestimation error in the remaining components, the information provided by the firms that were able to separately break out these components indicates that these components are relatively less resource-intensive and, therefore, the overestimation error is likely small. This overestimation error does not apply to the mean “Total” row values because any errors in how the firms allocated across components net out when summing.
Table 1—Resources Associated With U.S. GNFs' QC Policies and Procedures
QC system component | Partner (FTEs), mean per firm | Partner (FTEs), st. dev. | Non-partner (FTEs), mean per firm | Non-partner (FTEs), st. dev. | Total (FTEs), mean per firm | Total (FTEs), st. dev. |
---|---|---|---|---|---|---|
Risk Assessment | 2.1 | 1.4 | 4.6 | 2.3 | 6.7 | 2.4 |
Governance and Leadership | 10.0 | 5.8 | 9.2 | 9.3 | 19.2 | 14.7 |
Independence and Ethics | 17.7 | 15.7 | 172.2 | 164.2 | 189.9 | 173.9 |
Acceptance and Continuance | 11.5 | 6.1 | 13.7 | 13.8 | 25.2 | 14.2 |
Engagement Performance | 38.9 | 23.1 | 52.8 | 29.0 | 91.7 | 49.0 |
Resources | 42.4 | 36.6 | 210.2 | 267.0 | 252.6 | 295.2 |
Information and Communication | 2.6 | 2.6 | 8.6 | 3.3 | 11.2 | 4.9 |
Monitoring and Remediation | 22.1 | 7.1 | 34.9 | 15.1 | 56.9 | 21.1 |
Other * | 4.1 | 0.6 | 11.6 | 2.5 | 15.6 | 2.8 |
Total | 143.6 | 85.3 | 504.3 | 428.9 | 647.9 | 499.9 |

* The “Other” category includes network requirements or network services, evaluation of the system of quality management, and documentation.
Most U.S. GNFs were unable to provide precise estimates regarding expected future changes in QC system resource requirements as of December 15, 2022, when ISQM 1 became effective. The qualitative information provided by the firms indicates that: (1) additional resources likely were required; (2) some of the U.S. GNFs had assigned teams to manage ISQM 1 implementation; and (3) the risk assessment component and the evaluation of the system of quality management component were expected to require the most additional resources.
The Board also received information regarding non-GNFs through the proposal comment process that indicates that non-GNFs have devoted resources to the design, implementation, and operation of QC policies and procedures related to ISQM 1 and/or SQMS 1 requirements. One commenter noted that national firms with fewer than 500 issuers have significantly fewer resources associated with QC policies and procedures. One commenter noted that firms have invested significant time and resources to comply with the existing quality management standards from other standard setters, and another commenter noted that, at least with respect to QC roles and responsibilities, smaller firms have already designed their processes to accord with ISQM 1 and SQMS 1. One firm explained that its implementation efforts of ISQM 1 required a great deal of evaluation of risks and related responses, and another firm explained that its implementation effort was a significant undertaking that involved a number of people across the firm. Another commenter suggested that non-U.S. firms may be incorporating quality management frameworks adopted by their local regulator, such as CPAB's Quality Management System framework. Several commenters representing non-GNF perspectives focused more generally on the provisions of QC 1000 that diverge from ISQM 1 and SQMS 1, which the Board understands as implying that these firms had expended resources to construct and operate quality control systems in compliance with those standards. However, at least one commenter noted that for small firms that do not need to comply with ISQM 1, efforts may be ongoing to implement SQMS 1, indicating that some of these firms may be focused on resources for design and may not yet be spending resources to operate QC policies in line with SQMS 1.
The commenter asserted that the mean total FTEs reported in Table 1 for GNFs represent approximately 10% of partners and employees for firms of similar size and composition to the commenter. However, the commenter also reported having approximately 90% fewer partners and employees than some U.S. GNFs and approximately 99% fewer than other U.S. GNFs, so the resources reported in Table 1 would likely be scaled down accordingly for the commenter and similar sized firms.
One commenter noted research that appears to be too tangential or unrelated to actual resources employed by firms to be useful for advancing the Board's understanding of resources associated with the design, implementation, and operations of their QC systems. The commenter noted that most academic studies related to resources employed by NAFs or foreign affiliates of GNFs in the design, implementation, and operations of their QC systems focus on either: (1) the contributions of internal quality reviews to audit firm quality or (2) the association of audit firm network arrangements, as proxies for resources, with audit quality. For example, one study suggests that when firms have formal connections via networks or large alliance arrangements, audits within those arrangements have similar levels of quality, which the commenter noted may imply that formal connections are a vehicle to share and enforce QC practices.
See, e.g., Richard W. Houston and Chad M. Stefaniak, Audit Partner Perceptions of Post-Audit Review Mechanisms: An Examination of Internal Quality Reviews and PCAOB Inspections, 27 Accounting Horizons 23 (2013); Denise Hanes Downey and Kimberly D. Westermann, Challenging Global Group Audits: The Perspective of US Group Audit Leads, 38 Contemporary Accounting Research 1395 (2021); Olof Bik and Reggy Hooghiemstra, Cultural Differences in Auditors' Compliance with Audit Firm Policy on Fraud Risk Assessment Procedures, 37 Auditing: A Journal of Practice & Theory 25 (2018).
See, e.g., Renee Flasher and Kristy Schenck, Exploring PCAOB Inspection Results for Audit Firms Headquartered Outside of the US, 37 Journal of International Accounting, Auditing and Taxation 1 (2019); Philip Keejae Hong, David S. Kerr, and Casper E. Wiggins, PCAOB International Inspections: Updates and Extensions, 26 International Journal of Auditing 279 (2022); Matthew S. Ege, Young Hoon Kim, and Dechun Wang, Do Global Audit Firm Networks Apply Consistent Audit Methodologies across Jurisdictions? Evidence from Financial Reporting Comparability, 95 The Accounting Review 151 (2020).
See Flasher and Schenck, Exploring PCAOB Inspection Results 1.
3. Developments in Firms' QC Policies and Procedures
This subsection provides information on the evolution of firms' QC policies and procedures. First, it describes changes firms have made to their QC policies and procedures to remediate QC deficiencies identified in inspection reports. Second, it presents analyses of QC deficiencies related to firms' management of their audit practices. QC deficiencies related to firms' management of their audit practice relate to the operation of QC policies and procedures. Overall, the information suggests that QC policies and procedures are advancing.
Many firms have implemented a number of changes to their QC systems to remediate their QC deficiencies. Changes brought about through remediation are wide-ranging and can touch upon all major elements of the current QC standards. The nature, extent, and formality of changes made by a firm vary based on the size of the firm and the nature and complexity of its practice. Examples of changes made by various types of firms include:
Additional information about the PCAOB remediation process is available on the PCAOB website at https://pcaobus.org/oversight/inspections/remediation/remediation_process.
Examples are drawn from firms' Rule 4009 submissions. A Rule 4009 submission is a submission prepared by a firm, pursuant to PCAOB Rule 4009, concerning the ways in which a firm has addressed a QC criticism. For additional background, see PCAOB Rel. No. 104-2006-077.
- Adding in-process review and coaching programs to assist engagement teams in certain challenging areas, including ICFR and accounting estimates;
- Creating a committee to evaluate partner performance in relation to audit quality and issuing an accountability framework with penalties for negative audit quality events;
- Implementing a new template that includes guidance to facilitate the assessment and documentation of partner performance, including guidance related to various performance metrics (such as technical knowledge; leadership and training skills; and compliance with firm quality control policies and procedures);
- Requiring audit partners to articulate specific actions they will take to achieve performance goals related to audit quality and providing additional guidance and information around partner workload management;
- Implementing new policies and procedures for engagement teams to focus on obtaining a thorough understanding of how issuers initiate, record, process, and report significant classes of transactions and how that information is recorded in the financial statements;
- Hiring external consultants to work with the firm to develop a new ICFR audit approach;
- Adding new leadership positions to the internal inspection program, developing new analysis and reporting of internal inspection findings, and beginning to disseminate findings more broadly;
- Creating a committee to provide oversight on the firm's audit quality initiatives and a new leadership position to drive consistency across regions; and
- Implementing new templates that provide guidance related to performing a root cause analysis, including identifying areas of a firm's quality control process to perform causal analysis, collecting relevant data, and documenting the results.
The Board took these observations into account in developing QC 1000.
One commenter, an academic, referred to a recent unpublished study examining how firms change and manage their QC systems, which involved surveying QC leaders from eight U.S. accounting firms. The commenter reported that the three most common changes currently underway in the firms relate to: (1) engagement monitoring and use of data analytics; (2) organizational structure (e.g., a dedicated ISQM team, independent advisors); and (3) a more proactive approach to identifying QC issues.
The commenter also reported that the three most commonly described ideal changes relate to: (1) engagement monitoring and use of data analytics; (2) human talent-related initiatives such as changes to hiring and promotion practices; and (3) client risk assessment processes. Ideal changes are described as changes the QC leaders would make if the firms did not face resource constraints.
Figure 5 presents the average number of QC deficiencies related to firms' management of their audit practice per inspected firm. To prepare Figure 5, PCAOB staff counted the number of distinct QC deficiencies related to firms' management of their audit practice in Part II of PCAOB inspection reports. Staff assigned a zero to firm inspections that resulted in no QC deficiencies related to the firm's management of its audit practice. Staff then calculated averages per inspected firm by year and firm group, assigning equal weight to each QC deficiency regardless of its nature or whether it was a repeat deficiency. While the total number of QC deficiencies is not readily comparable across each of the three categories of firms, the averages have ranged between 0.8 and 10.2 for U.S. GNFs, between 0.3 and 1.5 for other firms having more than five engagements reviewed, and between 0.3 and 0.6 for other firms having five or fewer engagements reviewed.
4. Academic Literature on Quality-Threatening Behaviors and Quality Control
This subsection discusses academic research on behaviors that suggest certain weaknesses in QC systems in practice. Over time, researchers have documented a variety of quality-threatening behaviors, including “premature sign-off of audit procedures, failure to perform required procedures, inappropriate reductions in substantive testing or other forms of under-auditing, underreporting of time, inadequate adjustments of audit procedures in response to changing risk conditions, and over-reliance on management explanations of unusual deviations in analytical procedures.”
Monika Causholli and W. Robert Knechel, An Examination of the Credence Attributes of an Audit, 26 Accounting Horizons 631, 647 (2012).
Some commenters provided additional specific examples of quality-threatening behaviors. For example, one commenter reported that some academic research finds auditors may not always be objective when deciding on the acceptability of management's accounting choices or when recommending audit adjustments that would reduce reported income or assets. Citing a settlement between a U.S. GNF and the Federal Deposit Insurance Corporation, another commenter asserted that one firm's QC system failed when one of the firm's engagement teams inappropriately assigned a responsibility to an intern.
See, e.g., Kathryn Kadous, Jane S. Kennedy, and Mark E. Peecher, The Effect of Quality Assessment and Directional Goal Commitment on Auditors' Acceptance of Client-Preferred Accounting Methods, 78 Accounting Review 759 (2003); Christopher Koch and Steven E. Salterio, The Effects of Auditor Affinity for Client and Perceived Client Pressure on Auditor Proposed Adjustments, 92 Accounting Review 117 (2017); Lori Shefchik Bhaskar, Patrick E. Hopkins, and Joseph H. Schroeder, An Investigation of Auditors' Judgments When Companies Release Earnings before Audit Completion, 57 Journal of Accounting Research 355 (2019).
Research suggests that quality-threatening behaviors imply a failure of QC systems to provide reasonable assurance of compliance. Moreover, some research suggests that, while not solely responsible, certain features of firms' management of their audit practice may encourage quality-threatening behaviors. For example, experimental research suggests that certain cognitive biases in auditor evaluation and reward systems may inadvertently deter appropriate professional skepticism, and other studies suggest that partner reward systems at some firms may weight revenue generation more heavily than professional competencies. Some research finds that reward systems oriented toward revenue generation are associated with lower proxies for audit quality. Synthesizing several recent academic studies, one commenter reported that an excessive focus on commercialism, rather than professionalism, continues to be a dominant focus within firms' cultures and may negatively impact audit quality. The commenter also reported that academic research indicates quality-threatening behaviors may be negatively associated with audit team leadership characteristics. For example, skeptical auditors may be penalized if they do not find a material misstatement; audit managers sometimes reward senior associates for performing the unethical act of under-reporting time when the client is more desirable; and, while internal inspections lead to increased auditor effort in the inspection year, positive internal inspection results may lead auditors to decrease effort in the future.
See, e.g., Jean C. Bedard, Donald R. Deis, Mary B. Curtis, and J. Gregory Jenkins, Risk Monitoring and Control in Audit Firms: A Research Synthesis, 27 Auditing: A Journal of Practice & Theory 187 (2008).
See, e.g., David P. Donnelly, Jeffrey J. Quirin, and David O'Bryan, Attitudes Toward Dysfunctional Audit Behavior: The Effects of Locus of Control, Organizational Commitment, and Position, 19 Journal of Applied Business Research 95 (2003).
See, e.g., Joseph F. Brazel, Scott B. Jackson, Tammie J. Schaefer, and Bryan W. Stewart, The Outcome Effect and Professional Skepticism, 91 The Accounting Review 1577 (2016).
See, e.g., Marie-Laure Vandenhaute, Kris Hardies, and Diane Breesch, Professional and Commercial Incentives in Audit Firms: Evidence on Partner Compensation, 29 European Accounting Review 521 (2020).
See, e.g., Jürgen Ernstberger, Christopher Koch, Eva Maria Schreiber, and Greg Trompeter, Are Audit Firms' Compensation Policies Associated With Audit Quality? 37 Contemporary Accounting Research 218 (2020); Thomas Riise Johansen and Jeppe Christoffersen, Performance Evaluations in Audit Firms: Evaluation Foci and Dysfunctional Behavior, 21 International Journal of Auditing 24 (2017).
See, e.g., Christina Thomas Alberti, Jean C. Bedard, Olof Bik, and Ann Vanstraelen, Audit Firm Culture: Recent Developments and Trends in the Literature, 31 European Accounting Review 59 (2022); Chris Carter and Crawford Spence, Being a Successful Professional: An Exploration of Who Makes Partner in the Big 4, 31 Contemporary Accounting Research 949 (2014); Ken H. Guo, The Institutionalization of Commercialism in the Accounting Profession: An Identity-Experimentation Perspective, 35 Auditing: A Journal of Practice and Theory 99 (2016); Claire-France Picard, Sylvain Durocher, Yves Gendron, The Colonization of Public Accounting Firms by Marketing Expertise: Processes and Consequences, 37 Auditing: A Journal of Practice & Theory 191 (2018); Jonathan S. Pyzoha, Mark H. Taylor, and Yi-Jing Wu, Can Auditors Pursue Firm-Level Goals Nonconsciously on Audits of Complex Estimates? An Examination of the Joint Effects of Tone at the Top and Management's Specialist, 95 The Accounting Review 367 (2020).
See, e.g., Noel Harding and Ken T. Trotman, The Effect of Partner Communications of Fraud Likelihood and Skeptical Orientation on Auditors' Professional Skepticism, 36 Auditing: A Journal of Practice & Theory 111 (2017); Sean A. Dennis and Karla M. Johnstone, A Field Survey of Contemporary Brainstorming Practices, 30 Accounting Horizons 449 (2016); Jodi L. Gissel and Karla M. Johnstone, Information Sharing During Auditors' Fraud Brainstorming: Effects of Psychological Safety and Auditor Knowledge, 12 Current Issues in Auditing P1 (2018).
See, e.g., Brazel, et al., The Outcome Effect.
See, e.g., Christopher P. Agoglia, Richard C. Hatfield, Tamara A. Lambert, Audit Team Time Reporting: An Agency Theory Perspective, 44 Accounting, Organizations & Society 1 (2015). Desirability in this case is determined by various situational and contextual factors that are inherent to the client, such as a client that is convenient for the audit manager's work schedule, a client that is easy to get to, client management that the audit manager gets along particularly well with personally, a client that is within the audit manager's industry of interest, or an engagement that involves an influential partner at the audit manager's office.
See, e.g., Daniel Aobdia and Reining C. Petacchi, The Effect of Audit Firm Internal Inspections on Auditor Effort and Financial Reporting Quality, 98 The Accounting Review 1 (2023).
An excessive focus on commercial objectives may also lead to undue focus on cost-control in the execution of audits. For example, in one study, audit staff report working, on average, five hours per week, and sometimes 20 hours per week, past the threshold where they feel audit quality begins to deteriorate. In another study, audit staff report working on average 72 hours per week during busy season. Other research finds that a heavier workload in the fieldwork phase of the audit is negatively associated with proxies for audit quality and that high levels of time pressure are positively associated with audit quality-threatening behaviors. Referring to academic research, one commenter reported that engagement-level pressures, including meeting budgets, can affect audit quality. The commenter also reported that academic research finds that audit partner workload compression is negatively associated with audit quality.
See Julie S. Persellin, Jaime J. Schmidt, Scott D. Vandervelde, and Michael S. Wilkins, Auditor Perceptions of Audit Workloads, Audit Quality, and Job Satisfaction, 33 Accounting Horizons 95 (2019).
See Dana R. Hermanson, Richard W. Houston, Chad M. Stefaniak, and Anne M. Wilkins, The Work Environment in Large Audit Firms: Current Perceptions and Possible Improvements, 10 Current Issues in Auditing A38 (2016).
See, e.g., Brant E. Christensen, Nathan J. Newton, and Michael S. Wilkins, How Do Team Workloads and Team Staffing Affect the Audit? Archival Evidence from US Audits, 92 Accounting, Organizations and Society 1 (2021).
See, e.g., Tobias Svanström, Time Pressure, Training Activities and Dysfunctional Auditor Behaviour: Evidence from Small Audit Firms, 20 International Journal of Auditing 42 (2016).
See, e.g., Mark E. Peecher, M. David Piercey, Jay S. Rich, and Richard M. Tubbs, The Effects of a Supervisor's Active Intervention in Subordinate's Judgments, Directional Goals, and Perceived Technical Knowledge Advantage on Audit Team Judgments, 85 Accounting Review 1763 (2010); Koch and Salterio, The Effects 117; and William F. Messier and Martin Schmidt, Offsetting Misstatements: The Effect of Misstatement Distribution, Quantitative Materiality, and Client Pressure on Auditors' Judgments, 93 Accounting Review 335 (2018).
See, e.g., Jun Chen, Wang Dong, Hongling Han, and Nan Zhou, Does Audit Partner Workload Compression Affect Audit Quality? 29 European Accounting Review 1021 (2020).
One commenter noted academic papers that study various factors that may impact audit quality but appear to be too tangential or unrelated to quality-threatening behaviors that suggest certain weaknesses in QC systems. The commenter included academic research that studies the relationship between audit teams' use of the work of other participants and audit quality. The commenter also cited research from other countries that finds evidence that partner-related characteristics influence audit quality. In addition, the commenter noted academic papers that find evidence that non-audit services can negatively affect audit quality through mechanisms other than independence impairment. Moreover, the commenter included research that has examined the association between PCAOB inspections of audit firms and audit quality but does not appear to relate specifically to weaknesses in QC systems.
See, e.g., Candice T. Hux, Use of Specialists on Audit Engagements: A Research Synthesis and Directions for Future Research, 39 Journal of Accounting Literature 23 (2017); Joseph F. Brazel, Tina D. Carpenter, and J. Gregory Jenkins, Auditors' Use of Brainstorming in the Consideration of Fraud: Reports from the Field, 85 The Accounting Review 1273 (2010); J. Gregory Jenkins, Eric M. Negangard, and Mitchell J. Oler, Getting Comfortable on Audits: Understanding Firms' Usage of Forensic Specialists, 35 Contemporary Accounting Research 1766 (2018); Emily E. Griffith, Jacqueline S. Hammersley, and Kathryn Kadous, Audits of Complex Estimates as Verification of Management Numbers: How Institutional Pressures Shape Practice, 32 Contemporary Accounting Research 833 (2015); Nathan H. Cannon and Jean C. Bedard, Auditing Challenging Fair Value Measurements: Evidence from the Field, 92 The Accounting Review 81 (2017); Steven M. Glover, Mark H. Taylor, and Yi-Jing Wu, Current Practices and Challenges in Auditing Fair Value Measurements and Complex Estimates: Implications for Auditing Standards and the Academy, 36 Auditing: A Journal of Practice & Theory 63 (2017); J. Efrim Boritz, Natalia Kochetova-Kozloski, and Linda Robinson, Are Fraud Specialists Relatively More Effective than Auditors at Modifying Audit Programs in the Presence of Fraud Risk, 90 The Accounting Review 881 (2015); Aleksandra “Ally” B. Zimmerman, Dereck Barr-Pulliam, Joon-Suk Lee, and Miguel Minutti-Meza, 61 Journal of Accounting Research 1363 (2023).
See, e.g., W. Robert Knechel, Ann Vanstraelen, and Mikko Zerni, Does the Identity of Engagement Partners Matter? An Analysis of Audit Partner Reporting Decisions, 32 Contemporary Accounting Research 1443 (2015); Yanyan Wang, Lisheng Yu, Yuping Zhao, The Association between Audit-Partner Quality and Engagement Quality: Evidence from Financial Report Misstatements, 34 Auditing: A Journal of Practice & Theory 81 (2015); W. Robert Knechel, Lasse Niemi, and Mikko Zerni, Empirical Evidence on the Implicit Determinants of Compensation in Big 4 Audit Partnerships, 51 Journal of Accounting Research 349 (2013); Simon Dekeyser, Ann Gaeremynck, W. Robert Knechel, and Marleen Willekens, The Impact of Partners' Economic Incentives on Audit Quality in Big 4 Partnerships, 96 The Accounting Review 129 (2021); Herman Van Brenk, Barbara Majoor, and Arnold M. Wright, The Effects of Profit-Sharing Plans, Client Importance, and Reinforcement Sensitivity on Audit Quality, 40 Auditing: A Journal of Practice & Theory 107 (2021).
See, e.g., Erik L. Beardsley, Andrew J. Imdieke, and Thomas C. Omer, The Distraction Effect of Non-audit Services on Audit Quality, 71 Journal of Accounting and Economics 1 (2021); Dain C. Donelson, Matthew Ege, Andrew J. Imdieke, and Eldar Maksymov, The Revival of Large Consulting Practices at the Big 4 and Audit Quality, 87 Accounting, Organizations and Society 1 (2020).
See, e.g., Daniel Aobdia, The Impact of the PCAOB Individual Engagement Inspection Process—Preliminary Evidence, 93 The Accounting Review 53 (2018); Inder K. Khurana, Nathan G. Lundstrom, and K.K. Raman, PCAOB Inspections and the Differential Audit Quality Effect for Big 4 and Non-Big 4 US Auditors, 38 Contemporary Accounting Research 376 (2021); Lindsay M. Johnson, Marsha B. Keune, and Jennifer Winchel, U.S. Auditors' Perceptions of the PCAOB Inspection Process: A Behavioral Examination, 36 Contemporary Accounting Research 1540 (2019); Kimberly D. Westermann, Jeffrey Cohen, and Greg Trompeter, PCAOB Inspections: Public Accounting Firms on “Trial”, 36 Contemporary Accounting Research 694 (2019); Bradley E. Hendricks, Wayne R. Landsman, and F. Peña-Romera, The Revolving Door between Large Audit Firms and the PCAOB: Implications for Future Inspection Reports and Audit Quality, 97 The Accounting Review 261 (2022).
5. Assumptions Regarding the Baseline
Absent the requirements, the Board believes that many firms would continue to design and implement new QC policies and procedures or modify existing QC policies and procedures in response to evolving audit market conditions, technological advances, PCAOB oversight activities, internal monitoring, and actions of other standard setters. The Board believes that most firms have either implemented ISQM 1 or will implement SQMS 1 when it goes into effect. PCAOB-registered firms with an international presence or that are part of a global network will likely find it efficient to design and implement a QC system that complies with both PCAOB standards and ISQM 1 and have that system operate over their entire assurance practice. For similar reasons, PCAOB-registered firms with a private company audit practice will likely find it efficient to design and implement a QC system that complies with both PCAOB standards and SQMS 1 and have that system operate over their entire assurance practice.
See above for additional background on the actions of other standard setters.
Supporting that view, comment letters on the proposing release suggest that some firms have already designed and implemented, or are in the process of designing and implementing, QC policies and procedures consistent with the requirements of other QC standards. For example, one commenter said that nearly all firms are subject to multiple QC standards, including ISQM 1. Another commenter said that firms in Europe have invested heavily to implement ISQM 1. Another commenter said that nearly all firms that will need to adopt QC 1000 are also subject to other QC standards, including ISQM 1 and SQMS 1, and that firms have already invested significant time and resources to comply with them. Another commenter presented its recent survey research that finds firms have started to prepare for ISQM 1 and SQMS 1 implementation but that there is variation in their level of preparedness. Overall, the comments indicate that firms have made progress implementing the quality control standards of other standard setters.
See Christie Hayne, Mark E. Peecher, Jeff Pickerd, and Yuepin (Daniel) Zhou, Managing Quality Control Systems: How Audit Firms Experience and Navigate Conflicting Institutional Demands, available at https://ssrn.com/abstract=4339512.
The Board's view is also informed by several public information sources. First, the AICPA website indicates that most registered firms that are headquartered in the U.S. were reviewed as part of the AICPA's Peer Review program since 2019, and therefore were required to comply with AICPA QC standards at that time. Second, among the U.S.-headquartered firms that signed an issuer or broker-dealer audit opinion in 2021 but were not peer reviewed since 2019, most indicate on their web page that they perform audits or tax services that require them to comply with AICPA QC standards. Third, most foreign jurisdictions require companies to have a statutory audit performed, which the Board believes suggests that most registered firms headquartered in foreign jurisdictions likely perform audits under IAASB QC standards. Finally, firms' annual reports filed with the PCAOB on Form 2 for the April 1, 2022, through March 31, 2023, reporting period indicate that most firms collected fees for services aside from the performance of issuer audits and therefore may have performed services subject to AICPA or IAASB QC standards during that time. Overall, the Board believes these public information sources support its view that most firms will be complying with either ISQM 1 or SQMS 1. Furthermore, most firms that will not be complying with ISQM 1 or SQMS 1 will likely be scaled-applicability firms and therefore less impacted by the requirements.
See AICPA Peer Review web page, available at https://us.aicpa.org/interestareas/peerreview.
Need
1. Introduction and summary
This section discusses the problem that the requirements are intended to address and explains how the requirements address it. Overall, three observations suggest that there is a problem that the requirements will help to address:
- Under current PCAOB QC standards, a firm's QC system is required to provide reasonable assurance that the firm's personnel comply with applicable professional standards, regulatory requirements, and the firm's standards of quality. However, the audit market does not currently provide sufficient incentives for all firms to design, implement, and operate QC systems that achieve this requirement on a consistent basis.
- Current PCAOB QC standards contain higher-level principles and do not directly address recent developments in QC. As a result, the current regulatory baseline is not rigorous enough to sufficiently support PCAOB oversight, further undermining firms' and individuals' incentives to provide the required reasonable assurance.
- The lack of incentives to provide the required reasonable assurance is evidenced by the prevalence of audit performance deficiencies—i.e., Part I.A deficiencies and QC deficiencies related to audit performance discussed above—which, as noted in the first two observations above, suggest that some firms' QC systems are not providing the required reasonable assurance.
The requirements of QC 1000 will help address the problem by establishing three overarching features, which are discussed further below:
- The requirements require firms' QC systems to more proactively assess risks and monitor and remediate deficiencies.
- The requirements improve accountability within firms with respect to the reasonable assurance objective.
- The requirements use more precise language and include more prescriptive requirements in key areas to reflect best practices.
2. The Audit Market Does Not Provide Sufficient Incentives for All Firms To Design, Implement, and Operate QC Systems That Provide Reasonable Assurance
A diverse set of investors and other financial statement users need and request high quality audits. However, due to the presence of asymmetric information and positive externalities in the audit market, there are not sufficient incentives for all firms to design, implement, and operate QC systems that provide reasonable assurance that a firm's personnel comply with applicable professional standards, regulatory requirements, and the firm's standards of quality. This lack of incentives can lead to an inefficient allocation of audit services as described in the following paragraphs.
See N. Gregory Mankiw, Principles of Economics 468 (6th ed. 2008) (“A difference in access to relevant knowledge is called an information asymmetry.”).
See Mankiw, Principles of Economics 196 (“An externality arises when a person engages in an activity that influences the well-being of a bystander but neither pays nor receives any compensation for that effect. . . If it is beneficial, it is called a positive externality.”).
Investors and other financial statement users cannot easily observe the services performed by an auditor. This information asymmetry creates a risk that, unbeknownst to investors and other financial statement users, auditors may under-audit and gather insufficient audit evidence to support their opinion or may otherwise depart from applicable requirements. Economic theory refers to this effect as moral hazard. While this may enable the auditor to do less work and reduce potential conflicts with company management and may therefore lead to short-run benefits for the auditor, it may also lead to a net welfare loss in the audit market as a whole.
See, e.g., Mankiw, Principles of Economics 468 (“Moral hazard is a problem that arises when one person, called an agent, is performing some task on behalf of another person, called the principal. If the principal cannot perfectly monitor the agent's behavior, the agent tends to undertake less effort than the principal considers desirable.”).
See, e.g., Mankiw, Principles of Economics 145 (“Consumer surplus and producer surplus are the basic tools that economists use to study the welfare of buyers and sellers in a market. Consumer surplus is the benefit that buyers receive from participating in a market, and producer surplus is the benefit that sellers receive. It is therefore natural to use total surplus as a measure of society's economic well-being. . . . Total surplus in a market is the total value to buyers of the goods, as measured by their willingness to pay, minus the total cost to sellers of providing those goods.”).
A positive externality inherent to the current audit market may exacerbate this risk. The services of an auditor provide benefits to a variety of investors and financial statement users, including current shareholders, potential shareholders, investors in other companies, creditors, and regulators, among others. However, auditors do not bargain with all of these parties. Rather, Sarbanes-Oxley requires that the audit committee be responsible for the appointment, compensation, and retention of the auditor. In practice, company management may also play a role through its influence over the audit committee. This creates a de facto principal-agent relationship between the company and the auditor. Moreover, some beneficiaries of the auditor's work (e.g., investors generally, who benefit from overall confidence in the quality of financial information provided to the market) may have no influence on the auditor at all. Economic theory suggests that, in the presence of positive externalities such as these, markets may undersupply goods or services. As a result, the positive externality in the audit market may create an additional risk that auditors may gather insufficient audit evidence to support their opinion or otherwise depart from applicable requirements.
See section 301 of Sarbanes-Oxley, 15 U.S.C. 78j-1.
See, e.g., Liesbeth Bruynseels and Eddy Cardinaels, The Audit Committee: Management Watchdog or Personal Friend of the CEO?, 89 The Accounting Review 113 (2014) (finding that social ties between management and the audit committee are present in 39% of the companies in their sample and “may reduce the quality of the audit committee's oversight”).
See, e.g., Mankiw, Principles of Economics 200, 201 (“In the presence of a positive externality, the social value of the good exceeds the private value. The optimal quantity is therefore larger than the equilibrium quantity . . . Positive externalities lead markets to produce a smaller quantity than is socially desirable.”).
A firm also faces its own management challenges in implementing its desired service, economic, and regulatory compliance objectives. Individual offices or personnel may have incentives that diverge from the firm's collective best interest. For example, some research suggests that certain partners or offices may be commercially dependent on particular clients and may be willing to take risks to retain those clients that the firm as a whole would not—a form of free riding on the firm's reputation and capacity to absorb potential litigation costs. In addition, research suggests that an audit firm's QC system is essential to increase audit effort and audit quality because it aligns incentives of individual partners with those of the firm. Even if QC systems were able to align the incentives of individual offices and personnel to the firm's collective best interest, some research suggests that behavioral biases (e.g., confirmation bias, over-optimism, and anchoring bias) may lead offices or personnel to act in ways contrary to both their own self-interest and the firm's collective best interest. One commenter presented its recent unpublished survey research regarding challenges firms face when implementing changes to their QC systems. The commenter reported that challenges include obtaining buy-in and acceptance from staff as well as managing different perspectives from various offices.
See, e.g., Robert A. Prentice, The Case of the Irrational Auditor: A Behavioral Insight into Securities Fraud Litigation, 95 Northwestern University Law Review 133 (2000).
See, e.g., Daniel Aobdia, The Economic Consequences of Audit Firms' Quality Control System Deficiencies, 66 Management Science 2883 (2019).
See, e.g., Prentice, The Case of the Irrational Auditor 133, 162.
See Hayne, et al., Managing Quality Control Systems.
Some firms may manage these challenges by adopting centralized control practices that may have ambiguous impacts on their QC systems. For example, academic research suggests that firms carefully screen new partners to act in the best interest of the firm and emphasize meeting engagement budgets—an easily monitored metric that ties directly to profitability. One commenter asserted that audit firms' financial incentives to operate too lean undermine audit quality. Investors and other financial statement users may have trouble monitoring how firms incentivize, implement, and monitor compliance with applicable professional requirements. These monitoring challenges, as well as the lack of specificity in current PCAOB QC standards, give firms the flexibility to design, implement, and operate QC systems that may not fully meet the needs of investors and other financial statement users.
See, e.g., C. J. McNair, Proper Compromises: The Management Control Dilemma in Public Accounting and its Impact on Auditor Behavior, 16 Accounting, Organizations and Society 635 (1991).
See, e.g., Bernard Pierce and Breda Sweeney, Cost-Quality Conflict in Audit Firms: An Empirical Investigation, 13 European Accounting Review 415 (2004).
In the absence of sufficient market incentives to achieve an efficient allocation of audit services, regulatory intervention can introduce incentives that generate changes in behavior and impact audit quality. For example, economic research suggests that auditing standards play a role in determining the amount of effort an auditor exerts, which ultimately impacts audit quality. In addition, auditing standards can introduce incentives by providing a baseline against which an auditor manages legal liability. Auditing standards also provide a benchmark for regulatory inspections and enforcement actions that introduce incentives for firms to initiate changes that impact audit quality. Moreover, research suggests that PCAOB Part II inspection findings introduce strong incentives for firms to make changes necessary to remediate QC deficiencies in order to avoid public disclosure of the deficiencies.
An efficient allocation of resources occurs when total surplus is maximized. Total surplus is maximized when the good or service in question is supplied until the marginal benefit is equal to the marginal cost. See Mankiw, Principles of Economics 146-148.
See, e.g., W. Robert Knechel, Do Auditing Standards Matter?, 7 Current Issues in Auditing A1 (2013) (explaining that auditing standards send a message to auditors that it is inappropriate to intentionally under-audit, regardless of incentives). Note that QC standards are not auditing standards but that auditing standards are a closely related form of regulatory intervention. Also, academic research suggests that a positive association among standard setting, auditor effort, and audit quality depends on a number of factors. See, e.g., Pingyang Gao and Gaoqing Zhang, Auditing Standards, Professional Judgment, and Audit Quality, 94 The Accounting Review 201 (2019) (showing that auditing standards can help align auditor incentives with investor interests by compelling the auditor to exert more effort, which improves audit quality, but that auditing standards can weaken the auditor's incentive to acquire expertise, which reduces audit quality); Mark DeFond and Jieying Zhang, A Review of Archival Auditing Research, 58 Journal of Accounting and Economics 275 (2014) (concluding that the effectiveness of auditing standard setting is difficult to gauge since it involves broader consideration of the social welfare of all stakeholders).
See, e.g., Marleen Willekens and Dan A. Simunic, Precision in Auditing Standards: Effects on Auditor and Director Liability and the Supply and Demand for Audit Services, 37 Accounting and Business Research 217 (2007) (showing that decreasing the precision of auditing standards initially incentivizes auditors to produce higher audit quality by exerting more effort but that decreasing precision beyond a certain point leads auditors to decrease effort).
See, e.g., Ronald A. Dye, Auditing Standards, Legal Liability, and Auditor Wealth, 101 Journal of Political Economy 887 (1993) (showing that an auditor who intends to comply with standards typically prefers higher standards when the auditor's personal wealth is observable by potential litigants but prefers lower standards when the auditor's wealth is unobservable); Causholli and Knechel, An Examination of the Credence 631 (explaining that regulation and litigation play an important role in shaping the audit process and an auditor's behavior); Knechel, Do Auditing Standards A1 (explaining that auditing standards can influence the likelihood and extent of under-auditing by providing a basis for auditor liability that is an increasing function of the extent to which auditor effort falls short of the standard-compliant level).
See, e.g., Aobdia, The Impact of the PCAOB Individual 53 (finding that firms take corrective action on engagements with PCAOB Part I inspection findings and the effects spill over to non-inspected engagements); Phillip T. Lamoreaux, Michael Mowchan, and Wei Zhang, Does Public Company Accounting Oversight Board Regulatory Enforcement Deter Low-Quality Audits?, 98 The Accounting Review 335 (2023) (finding that large audit firm offices improve audit quality following enforcement naming another office within their firm while small firm offices improve following enforcement of local small firm competitors).
See, e.g., Aobdia, The Economic Consequences 2883.
3. Current PCAOB QC Standards Do Not Directly Address Recent QC Developments
Developments in the auditing environment since the development of the current PCAOB QC standards by the AICPA and subsequent adoption of these standards on an interim basis by the Board are discussed above. In brief and as discussed above, the audit market has changed significantly since the AICPA developed the current PCAOB QC standards in 1997. At that time, the audit market was largely self-regulated by firms and QC inspections were performed through a peer review program. Since then, PCAOB oversight has led firms to address deficiencies identified during inspections, including making changes to their QC systems to remediate QC deficiencies. There have also been significant developments in the use of technology by firms in relation to QC activities and performing engagements. Some firm management and organizational structures have also evolved to include more focus on centralization and a globally consistent methodology. Some firms have strengthened their approaches to firm governance and leadership, incentive systems, and accountability. In addition, thought leadership in quality management has advanced, as have the QC standards adopted by other standard setters.
See discussion on the developments in firms' QC policies and procedures within the baseline discussion above.
See, e.g., COSO, ISO 9000, and the audit firm governance codes of the UK Financial Reporting Council and Japan Financial Services Agency.
The current PCAOB QC standards are based on the higher-level principles described above and do not directly address the developments described in the previous paragraph. While research suggests that PCAOB oversight is associated with higher audit quality, the current PCAOB QC standards were not written with a view to inspection and enforcement by a regulator. As a result, the current PCAOB QC standards yield a regulatory baseline that is not rigorous enough to sufficiently support the Board's ability to address audit performance deficiencies through PCAOB inspection and enforcement activities related to firms' QC systems. For example, some firms have added external parties to oversight roles as described above, but current PCAOB QC standards contain limited references to firm governance and leadership. At the same time, the current PCAOB QC standards do not provide sufficiently specific requirements to directly incentivize firms and individuals to establish and implement QC policies and procedures that achieve the reasonable assurance objective as evidenced by the prevalence of audit performance deficiencies.
See, e.g., Albert L. Nagy, PCAOB Quality Control Inspection Reports and Auditor Reputation, 33 Auditing: A Journal of Practice & Theory 87 (2014) (concluding that audit firms lose market share following public disclosure of PCAOB Part II inspection findings, suggesting that disclosure provides a credible signal of auditor quality). That the results of this study suggest a positive association between PCAOB oversight and audit quality does not necessarily mean that PCAOB oversight causes higher audit quality.
4. Prevalence of Audit Performance Deficiencies
The three proxies for the level of compliance with applicable professional standards discussed above— i.e., Part I.A deficiencies, QC deficiencies related to audit performance, and deficiencies arising during inspections of broker-dealer engagements—as well as the recent PCAOB enforcement actions discussed above suggest that some firms' QC systems are not providing reasonable assurance as required under current PCAOB QC standards. To be sure, this analysis of PCAOB inspection activities does suggest that some improvements in audit performance have followed from remedial changes firms have made to their QC systems and that some firms have already reduced the number of QC deficiencies related to management of their audit practice. However, the Board continues to observe high rates of audit performance deficiencies and believes that a new QC standard will address these audit performance deficiencies because the new standard will incentivize firms to design, implement, and operate effective QC systems.
See Background discussion above for more discussion of current regulatory requirements.
This point is discussed more fully in below.
See Figure 5 above.
See Figures 1 and 3 above.
5. How the Requirements Address the Need
The requirements provide substantial additional direction to firms regarding the design, implementation, and operation of their QC systems that the Board believes address the need for standard-setting. Three overarching features of the requirements help address the problem. The first feature pertains to the mandate for a more integrated, proactive, and risk-based QC system. The second pertains to the enhancements to accountability within the firm to achieve the reasonable assurance objective. The third pertains to more precise language and more prescriptive requirements in several key areas.
Regarding the first feature, the new risk assessment process, coupled with a detailed monitoring and remediation process, forms a feedback loop designed to foster a proactive approach to QC that drives continuous improvement. For example, the risk assessment process requires the firm to obtain an understanding of the conditions, events, and activities that may adversely affect the achievement of its quality objectives; identify and assess quality risks; and then design and implement quality responses. The monitoring and remediation process will help the firm evaluate whether the QC system is working effectively in practice. This more proactive approach to QC should help address the positive externality problem in the audit market by leading firms to implement QC systems that more consistently satisfy the interests of all beneficiaries of the audit. Additionally, as discussed above, information asymmetry may cause investors and other financial statement users not to have sufficient information to understand whether their issuer's audit firm has an effective QC system that consistently produces high-quality audits, and investors and other financial statement users may not have a sufficient voice in the financial reporting ecosystem to be able to demand or incentivize audit firms to implement one. Requiring the auditor to implement a robust QC system substitutes a compliance incentive for the insufficient market incentive.
Regarding the second feature, the Board believes QC 1000 will improve accountability within the firm to achieve the reasonable assurance objective. Several of the requirements that improve accountability within the firm address the positive externality problem directly by leading firms to implement QC systems that more consistently satisfy the interests of all beneficiaries of the audit. For example, QC 1000 requires the firm to document and assign roles and responsibilities; communicate information related to the monitoring and remediation process to firm personnel to enable them to take timely action in accordance with their responsibilities; and establish a quality objective to incentivize individuals to fulfill their assigned responsibilities, through means such as performance evaluations and compensation. Leadership will also be accountable for the design, implementation, and operation of the firm's QC system, including through means such as their performance evaluation and compensation, and the firm will be required to establish a quality objective that leadership communicate and promote the firm's role in protecting the interests of investors and the public interest. The requirements that improve accountability within the firm will help address the information asymmetry problem by requiring the firm's QC system to operate over any public reporting regarding firm or engagement metrics that the firm provides. Overall, this second feature reinforces the first through an additional incentive that is personal to responsible individuals within the firm and reinforces the general incentives for the firm to comply with the standard.
See PCAOB Rel. No. 2024-002 and PCAOB Rel. No. 2024-003.
Regarding the third feature, while the requirements provide substantial additional guidance to firms regarding the design, implementation, and operation of their QC systems, QC 1000 also provides more precise and prescriptive requirements that will enhance the Board's ability to inspect and enforce and incentivize firms to design, implement, and operate effective QC systems. For example, QC 1000 includes more unconditional responsibilities than current PCAOB QC standards and specifies precise conditions under which a firm must design, implement, and operate an effective QC system. Together with the features described above— i.e., a more integrated, proactive, and risk-based QC system and enhanced accountability within the firm to achieve the reasonable assurance objective—these features establish a regulatory baseline that more directly incentivizes firms and individuals to comply in order to avoid enforcement.
Economic Impacts
This section discusses the expected benefits and costs, and the potential unintended consequences, that may result from the requirements. The expected impacts of several key provisions are highlighted. These provisions relate to:
- Scaled applicability;
- In-process monitoring activities;
- Firm governance structure;
- The automated independence process;
- Complaints and allegations policies and procedures;
- Reporting the annual QC system evaluation;
- Certification of the annual QC system evaluation;
- Responding to engagement deficiencies identified after issuance of the audit report; and
- SECPS requirements.
While the analysis of economic impacts is largely qualitative in nature due to data limitations, the analysis does, in part, use PCAOB inspections data to help evaluate the expected benefits. Technical details regarding the quantitative analysis of the expected benefits are included in a separate staff white paper.
See PCAOB, Staff White Paper, The Impact of Quality Control System Remediation on Audit Performance and Financial Reporting Quality (Nov. 18, 2022), (“QC White Paper”), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/qc-staff-white-paper-november-2022.pdf?sfvrsn=ddb22504_4 .
The economic impacts of the requirements will arise out of changes firms will make to their QC systems that they would not otherwise make but for the requirements. As discussed above, the Board expects that, absent the requirements, many firms would continue to make changes to their QC systems in response to evolving audit market conditions, advances in technology, PCAOB oversight activity, internal monitoring, and the actions of other standard setters. This attenuates both the benefits and the costs attributable to the requirements.
1. Benefits
The expected benefits of the requirements are described using four complementary views: (1) the benefits of quality management frameworks generally; (2) the direct benefits of the requirements in the form of improved compliance with applicable professional and legal requirements; (3) the indirect benefits of the requirements in the form of improved financial reporting quality and capital market efficiency; and (4) the benefits of key provisions.
a. Benefits of Related Frameworks
QC 1000 bears resemblance to existing quality management and enterprise risk management frameworks (e.g., ISO 9000 and COSO). These frameworks share several features in common with QC 1000, including embedding risk in decision making, proactive involvement of leadership, clearly defined objectives, objective-oriented processes, monitoring, and remediation. Using a variety of proxies (e.g., market reaction), academic research has found that these frameworks improve company performance. In particular, researchers have found that the COSO framework—the closest antecedent to QC 1000—effectively improves financial reporting. Similarly, research finds that markets penalize public companies with weaker internal control systems and reward the remediation of those weaknesses. While differences between QC 1000 and existing frameworks as well as differences between audit firms and other companies may limit the relevance of this research to some extent, this research suggests that QC 1000 may help firms design, implement, and operate more effective QC systems.
See, e.g., Iñaki Heras‐Saizarbitoria and Olivier Boiral, ISO 9001 and ISO 14001: Towards a Research Agenda on Management System Standards, 15 International Journal of Management Reviews 47 (2013); Robert E. Hoyt and Andre P. Liebenberg, The Value of Enterprise Risk Management, 78 Journal of Risk and Insurance 795 (2011).
See, e.g., Hanwen Chen, Wang Dong, Hongling Han, and Nan Zhou, A Comprehensive and Quantitative Internal Control Index: Construction, Validation, and Impact, 49 Review of Quantitative Finance and Accounting 337 (2017); Ifeoma Udeh, Observed Effectiveness of the COSO 2013 Framework, 16 Journal of Accounting & Organizational Change 31 (2020).
See, e.g., Hollis Ashbaugh‐Skaife, Daniel W. Collins, William R. Kinney, Jr., and Ryan Lafond, The Effect of SOX Internal Control Deficiencies on Firm Risk and Cost of Equity, 47 Journal of Accounting Research 1 (2009).
b. Improved Compliance With Applicable Professional and Legal Requirements
The Board expects the requirements will benefit investors and other financial statement users by improving compliance with applicable professional and legal requirements via a more detailed QC standard. As described above, the requirements are expected to achieve this through three principal mechanisms. First, they explicitly connect the components of the QC system into an integrated cycle of risk assessment, performance monitoring, and remediation. Second, several of the new requirements will support the effectiveness of QC systems by emphasizing accountability to the reasonable assurance objective. Third, more precise and prescriptive requirements will enhance the Board's ability to inspect and enforce. Broker-dealer engagements and issuer audits performed by firms other than U.S. GNFs may see more improvement because they appear to have more room for improvement on average. However, the recent uptick in deficiencies for U.S. GNFs suggests that QC 1000 will also be a valuable resource for these firms to address those deficiencies and, thus, further protect investors.
Some commenters described how a risk-based QC standard would improve audit quality. However, one commenter argued that the requirements are too risk-based (e.g., they could result in too little change at the larger firms) and suggested an even stronger prescriptive approach to certain aspects of the standard (e.g., training and supervision). The Board believes the standard reflects a balanced approach that includes prescriptive requirements where appropriate.
PCAOB staff analysis of PCAOB inspections data supports the view that more effective QC policies and procedures will lead to improved compliance with applicable professional and legal requirements. Staff examined the historical association between satisfactory remediation of QC deficiencies and subsequent Part I.A deficiencies for triennial firms. Satisfactory remediation of a QC deficiency reflects substantial good-faith progress toward achieving a quality control objective. As such, an association between historical satisfactory remediation efforts and a subsequent decrease in Part I.A deficiencies would suggest that more effective QC policies and procedures lead to improved compliance with applicable professional and legal requirements. After controlling for auditor and issuer characteristics that may also drive Part I.A deficiencies using standard statistical techniques, the staff analysis indicates that, on average, satisfactory remediation is associated with reduced likelihood of subsequent Part I.A deficiencies. This suggests that more effective QC policies and procedures may lead to improved compliance with applicable professional and legal requirements. One commenter reported observing that satisfactory remediation of QC deficiencies results in fewer audit failures and asserted that this was in line with certain key findings of the staff analysis.
See Staff Guidance Concerning the Remediation Process (Nov. 18, 2013), available at https://pcaobus.org/Inspections/Pages/Remediation_Process.aspx .
For additional details, including definitions of all control variables, see QC White Paper.
The staff analysis is subject to several important caveats. First, remedial actions typically target specific aspects of a firm's QC system. By contrast, implementation of QC 1000 may require a broader set of changes. Second, due to the transformational nature of QC 1000, the changes firms will make to their QC systems could be substantially different from firms' historical satisfactory remedial actions. Third, U.S. GNFs were intentionally excluded from the analysis, potentially limiting its applicability to the U.S. GNFs. However, though association does not imply causation, the historical association between the number of QC deficiencies related to U.S. GNFs' management of their audit practice and U.S. GNFs' compliance with applicable professional standards suggests that, even among the U.S. GNFs, more effective QC systems could lead to improved compliance with applicable professional and legal requirements. Overall, the Board expects the association between satisfactory remediation and subsequent Part I.A deficiencies among triennial firms more likely understates the impact of QC 1000 due to its transformational nature.
See Figure 5 above.
See Figures 1 and 3 above.
Several nuances of smaller firms' QC systems and the PCAOB inspections process may explain the absence of such an association for these firms. First, although there is a downward trend in QC deficiencies related to management of the audit practice (Figure 5 above), smaller firms' QC systems may be deficient in certain important respects that render them less effective overall. Second, the roughly increasing trend in QC deficiencies related to audit performance for the smallest firms (Figure 3 above) may be driven in part by deficiencies in the application of new auditing requirements by these firms. Third, the inspection approach to QC assessments for the smaller firms is simplified and does not lend itself to such a correlation analysis.
Observations from PCAOB inspections and academic research also suggest that the requirements may improve compliance with applicable professional and legal requirements. PCAOB inspectors have observed that root cause analyses, effective design and implementation of remedial actions, and appropriate governance practices related to leadership's tone can drive audit quality, and one academic study reports that, as perceptions of the strength of the QC system increase, the likelihood of “reduced audit quality behaviors” decreases. These findings likewise support the view that the requirements, which place greater emphasis on root cause analysis, remediation, and governance practices, if successfully implemented, will lead to improved compliance with applicable professional and legal requirements.
See, e.g., 2018 Inspection Observations Preview
See, e.g., Charles F. Malone and Robin W. Roberts, Factors Associated with the Incidence of Reduced Audit Quality Behaviors, 15 Auditing: A Journal of Practice & Theory 49 (1996).
c. Improved Financial Reporting Quality and Capital Market Efficiency
Academic research provides evidence that compliance with auditing standards is positively associated with proxies for financial reporting quality. Research also finds a positive association between firms' successful remediation of QC deficiencies—a proxy for adopting effective QC system practices—and the financial reporting quality of their issuer clients. PCAOB staff analysis also provides some evidence that successful remediation may be associated with improved financial reporting quality. The fact that the results from each of these studies suggest a positive association with financial reporting quality does not necessarily mean that auditing standards or remediation of deficiencies cause better financial reporting quality.
See, e.g., Daniel Aobdia, Do Practitioner Assessments Agree with Academic Proxies for Audit Quality? Evidence from PCAOB and Internal Inspections, 67 Journal of Accounting and Economics 144 (2019); Katherine A. Gunny and Tracey Chunqi Zhang, PCAOB Inspection Reports and Audit Quality, 32 Journal of Accounting and Public Policy 136 (2013).
See, e.g., Aobdia, The Economic Consequences 2883.
See QC White Paper.
Investors and other financial statement users may benefit from improved issuer financial reporting quality because it helps solve information asymmetries and agency problems inherent to capital markets. Economic theory suggests that investors face a separation-of-ownership-and-control problem whereby issuer management may misappropriate investors' capital. Relevant and accurate financial reporting can alleviate these problems by providing investors and other financial statement users with more accurate information regarding the financial position and operating results of companies. Investors may use this information to improve the efficiency of their capital allocation decisions (e.g., investors may more accurately identify companies with the strongest prospects for generating future risk-adjusted returns and allocate their capital accordingly). Investors may also perceive less risk in capital markets generally, leading to an increase in the supply of capital. An increase in the supply of capital could increase capital formation while also reducing the cost of capital to companies. While some uncertainty remains regarding the economic impacts of financial reporting, empirical academic research has affirmed this basic premise under certain conditions. Moreover, some studies have identified a direct association between auditors' compliance with PCAOB standards and capital market efficiency.
See, e.g., Michael C. Jensen and William H. Meckling, Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure, 3 Journal of Financial Economics 305 (1976); Adolf Augustus Berle and Gardiner Coit Means, The Modern Corporation and Private Property (1991).
See, e.g., Richard Lambert, Christian Leuz, and Robert E. Verrecchia, Accounting Information, Disclosure, and the Cost of Capital, 45 Journal of Accounting Research 385, 387 (2007) (discussing how increasing the quality of mandated disclosures should in general move the cost of capital to the risk-free rate for all firms in the economy); William Robert Scott and Patricia C. O'Brien, Financial Accounting Theory (2003), 412 (explaining that regulation is intended to improve the operation of capital markets by enhancing public confidence in their fairness).
See, e.g., Christian Leuz and Peter D. Wysocki, The Economics of Disclosure and Financial Reporting Regulation: Evidence and Suggestions for Future Research, 54 Journal of Accounting Research 525 (2016) (explaining the relative rarity of evidence on causal effects of disclosure and reporting regulation); Matthias Breuer, Christian Leuz, and Steven Vanhaverbeke, Mandated Financial Reporting and Corporate Innovation, No. w26291. National Bureau of Economic Research (2020), at 41 (reporting evidence consistent with the notion that mandatory reporting deters firms' incentives to innovate and generate proprietary know-how because of concerns about the loss of proprietary information).
See, e.g., Christian Leuz and Robert E. Verrecchia, The Economic Consequences of Increased Disclosure, 38 Journal of Accounting Research 91 (2000) (finding that German companies that elect to commit to International Accounting Standards or U.S. GAAP exhibit lower percentage bid-ask spreads and higher share turnover than firms using German GAAP); Utpal Bhattacharya, Hazem Daouk, and Michael Welker, The World Price of Earnings Opacity, 78 The Accounting Review 641 (2003) (finding that an increase in overall earnings opacity in a country is linked to an economically significant increase in the cost of equity and an economically significant decrease in trading in the stock market of that country based on financial statements from 34 countries for the period 1984-1998). Because U.S. institutions differ from other countries and the studies pre-date Sarbanes-Oxley, the results may not be directly relevant to all PCAOB-registered firms.
See, e.g., Nemit Shroff, Real Effects of PCAOB International Inspections, 95 The Accounting Review 399 (2020).
The requirements may also lead to improved compliance with applicable professional and legal requirements on broker-dealer audit engagements and, in turn, improved financial reporting quality and investor protection. An auditor's work on these engagements, if appropriately performed, should make it more likely that a broker-dealer will maintain appropriate controls over compliance and less likely that there will be material reporting errors. The auditor's work also has the potential to make it more difficult for broker-dealers to engage in fraud and other misconduct. Improved broker-dealer financial reporting quality also gives industry overseers, such as the SEC and FINRA, as well as other users of broker-dealer financial information, such as the Securities Investor Protection Corporation, more accurate information relevant to a broker-dealer's financial condition, its ability to continue as a going concern, and its handling of customer securities and cash. This, in turn, enhances the ability of these organizations to carry out their responsibilities in ways that protect investors. Compliance with applicable professional and legal requirements may also contribute to the early identification or prevention of broker-dealer failures. Failures of large broker-dealers can have a negative impact on the stability and liquidity of financial markets, and failures caused by misconduct may damage investor confidence. A reduction in such failures could help improve the strength and safety of the financial system.
d. Benefits of Key Provisions
i. Scaled Applicability
QC 1000 will require that a firm implement and operate an effective QC system at all times when the firm is required to comply with applicable professional and legal requirements with respect to any of the firm's engagements, and thereafter through the next September 30. The discussion above provides further information on this provision. As of June 30, 2023, up to 60% of firms may not meet this criterion but will be required to design a QC system in compliance with QC 1000. Because registering with the PCAOB enables a firm to issue audit reports or play a substantial role on audits performed under PCAOB standards for issuers and broker-dealers, and because investors and companies considering engaging the firm could reasonably expect that any firm that could pursue such an engagement would already have a PCAOB-compliant QC system designed and ready for implementation and operation, the Board believes that imposing a design requirement on all registered firms promotes its mission of protecting investors and promoting the public interest. The Board also believes that designing the QC system will better position these firms to accept and perform engagements in compliance with applicable professional and legal requirements to the extent that the firm will have a PCAOB-compliant QC system ready for implementation and operation.
See QC 1000.07.
The 60% reported here is based on Form 2 reporting as of June 30, 2023, and reflects registered firms that reported they had not issued an audit report for an audit of an issuer or broker-dealer or played a substantial role in such an engagement during the preceding 12 months. As noted above, approximately 51% of firms have not performed an engagement under PCAOB standards for an issuer or broker-dealer in the past five years. The PCAOB does not collect information about whether registered firms perform engagements under PCAOB standards other than for issuers and broker-dealers. Firms may be engaged, for example, in connection with the audit of a reporting company that does not meet the Sarbanes-Oxley definition of “issuer” described in footnote 2 above, in connection with certain offerings of securities that are exempt from registration under the Securities Act (e.g., offerings under Regulation A, Regulation D, or Regulation Crowdfunding), pursuant to a contractual obligation such as a loan covenant, or on an entirely voluntary basis.
ii. In-Process Monitoring Activities
QC 1000 will require firms that issued audit reports with respect to more than 100 issuers during the prior calendar year to monitor in-process engagements and will require all other firms to consider monitoring in-process engagements. The discussion above provides further information on this provision. Monitoring in-process engagements can help firms detect and prevent engagement deficiencies before the engagement report is issued, resulting in a more proactive and preventive monitoring approach that has the potential to benefit investors through improved audit quality. The benefits will depend on the extent to which firms already have in-process monitoring activities in place. Information gathered through PCAOB inspection activities indicates that 11 out of 14 annually inspected firms perform some in-process engagement monitoring activities.
See QC 1000.63.
iii. Firm Governance Structure
QC 1000 will require firms that issued audit reports with respect to more than 100 issuers during the prior calendar year to incorporate into their governance structure an external oversight function for the QC system composed of one or more persons who are not principals or employees of the firm and do not otherwise have a commercial, familial, or other relationship with the firm that would interfere with the exercise of independent judgment with regard to matters related to the QC system (i.e., EQCF). The final standard specifies a baseline requirement that the EQCF's responsibilities should include, at a minimum, evaluating the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system. The discussion above provides further information on this provision. Such an oversight function could reduce negative impacts of commercial considerations on decision making by firms about their QC system and thereby improve incentives to implement QC systems that more fully meet the interests of investors and other financial statement users. Some academic research finds that the level of board of directors independence is associated with certain benefits, such as improved operating performance and company value, which implies independent oversight in a firm's governance structure could potentially improve the quality of audit services provided by the firm.
See QC 1000.28.
See, e.g., Anzhela Knyazeva, Diana Knyazeva, and Ronald W. Masulis, The Supply of Corporate Directors and Board Independence, 26 The Review of Financial Studies 1561 (2013). Other academic research indicates that a tradeoff of a more independent board of directors may be less efficient monitoring by directors. See, e.g., Praveen Kumar and K. Sivaramakrishnan, Who Monitors the Monitor? The Effect of Board Independence on Executive Compensation and Firm Value, 21 The Review of Financial Studies 1371 (2008).
iv. The Automated Independence Process
QC 1000 will require firms that issued audit reports with respect to more than 100 issuers during the prior calendar year to automate the process to identify investments in securities that might impair the independence of the firm or firm personnel that are managerial employees or partners, shareholders, members, or other principals. The discussion above provides further information on this provision. Automating this process should help firms more effectively and efficiently identify such investments. The automated process could also indirectly improve compliance with other relevant independence requirements. For example, automating this process may lead firms to maintain and make available the list of restricted entities more efficiently and effectively.
See QC 1000.34a.
v. Complaints and Allegations Policies and Procedures
QC 1000 will require firms to design, implement, and maintain policies and procedures that address processes and responsibilities for receiving, investigating, and addressing complaints and allegations and include protecting persons making complaints and allegations from retaliation. Firms that issued audit reports with respect to more than 100 issuers during the prior calendar year will be required to include confidentiality protections in their policies and procedures. The discussion above provides further information on this provision. Overall, the Board expects the policies and procedures regarding complaints and allegations will help reduce information asymmetry within the firm by alerting responsible individuals to instances of non-compliance of which they may otherwise be unaware. Some academic research suggests that the complaints and allegations provisions will increase the likelihood that individuals will submit complaints and allegations related to potential non-compliance. For example, one survey of public company auditors finds that (1) greater protection of individual identity and (2) trust that the firm would investigate and act on a report are both positively associated with intention to report non-compliance with auditing standards. A survey of accounting students finds that a weaker threat of retaliation is positively associated with the propensity to submit a complaint. The Board acknowledges that some experimental research finds that explicit protections may unintentionally deter internal complaints and allegations because the protections signal to potential persons making complaints that retaliation is a risk. However, overall, the Board expects the complaints and allegations provisions will benefit investors by reducing non-compliance with auditing standards and, thus, improving audit quality.
See QC 1000.29.
See Mary B. Curtis and Eileen Z. Taylor, Whistleblowing in Public Accounting: Influence of Identity Disclosure, Situational Context, and Personal Characteristics, 9 Accounting and the Public Interest 191 (2009).
See Gregory Liyanarachchi and Chris Newdick, The Impact of Moral Reasoning and Retaliation on Whistle-Blowing, 89 Journal of Business Ethics 37 (2009).
See James Wainberg and Stephen Perreault, Whistleblowing in Audit Firms: Do Explicit Protections from Retaliation Activate Implicit Threats of Reprisal?, 28 Behavioral Research in Accounting 83 (2016).
vi. Reporting the Annual QC System Evaluation
QC 1000 will require firms to report to the PCAOB about the annual evaluation of their QC system. The discussion above provides further information on this provision. This requirement will help the Board obtain more timely, structured, and consistent information regarding the effectiveness of firms' QC systems relative to what could be gathered through the inspections process, especially for the triennial firms. The Board will use this information to support its oversight activities (e.g., to select firms, audits, or focus areas for review). Reporting to the PCAOB will also improve incentives within a firm to design, implement, and operate an effective QC system.
See QC 1000.79.
vii. Certification of the Annual QC System Evaluation
QC 1000 will require certain individuals in firms' leadership to certify the annual evaluation of their firm's QC system. The discussion above provides further information on this provision. This requirement will help address the positive externality problem in the audit market by creating greater accountability within firm leadership to implement an effective QC system. As noted in the proposal, PCAOB staff reviewed academic literature on the impacts of CEO and CFO certification requirements in the U.S. and engagement partner signature requirements in the United Kingdom and found both supportive and unsupportive findings. One commenter noted academic research that has found there is little, if any, effect of CEO and CFO certifications required under Sarbanes-Oxley. Citing academic literature on accountability frameworks, the same commenter noted that imposition of accountability is largely positive but that the increased accountability that would result from the certification requirement could have negative consequences. As discussed below, the Board acknowledges that increased accountability could lead to potential unintended consequences. However, the Board continues to believe that the certification requirement will benefit investors by increasing discipline in the evaluation process and reinforcing the accountability of the certifying individuals.
See QC 1000.14d. and .15b.
See, e.g., Daniel A. Cohen, Aiyesha Dey, and Thomas Z. Lys, Corporate Governance Reform and Executive Incentive: Implications for Investments and Risk Taking, 30 Contemporary Accounting Research 1298 (2013) (finding that their sample of firms significantly reduced investments in risky projects in the period following SOX); Hsihui Chang, Jengfang Chen, Woody M. Liao, and Birendra K. Mishra, CEOs'/CFOs' Swearing by the Numbers: Does it Impact Share Price of the Firm?, 81 The Accounting Review 1, 22 (2006) (concluding that the SEC order requiring filing of sworn statements by CEOs and CFOs had a positive effect on the market value of certifying firms); Jeffrey R. Cohen, Colleen Hayes, Ganesh Krishnamoorthy, Gary S. Monroe, and Arnold M. Wright, The Effectiveness of SOX Regulation: An Interview Study of Corporate Directors, 25 Behavioral Research in Accounting 61 (2013) (discussing that CEO certification was viewed as having led to heightened ownership and diligence on the part of decision agents throughout the financial reporting decision hierarchy but was also identified as a source of the costly resource-intensive reaction to Sarbanes-Oxley).
See, e.g., Paul A. Griffin and David H. Lont, Taking the Oath: Investor Response to SEC Certification Under Sarbanes-Oxley, 1 Journal of Contemporary Accounting & Economics 27 (2005); Gerald J. Lobo and Jian Zhou, Did Conservatism in Financial Reporting Increase after the Sarbanes-Oxley Act? Initial Evidence, 20 Accounting Horizons 57 (2006); Utpal Bhattacharya, Peter Groznik, and Bruce Haslem, Is CEO Certification of Earnings Numbers Value-Relevant?, 14 Journal of Empirical Finance 611 (2007).
See, e.g., Andrew Quinn and Barry R. Schlenker, Can Accountability Produce Independence? Goals as Determinants of the Impact of Accountability on Conformity, 28 Personality and Social Psychology Bulletin 472 (2002); Virginia R. Stewart, Deirdre G. Snyder, and Chia-Yu Kou, We Hold Ourselves Accountable: A Relational View of Team Accountability, 183 Journal of Business Ethics 691 (2023); Angela T. Hall, Michael G. Bowen, Gerald R. Ferris, M. Todd Royle, Dale E. Fitzgibbons, The Accountability Lens: A New Way to View Management Issues, 50 Business Horizons 405 (2007); Marko Pitesa and Stefan Thau, Masters of the Universe: How Power and Accountability Influence Self-Serving Decisions under Moral Hazard, 98 Journal of Applied Psychology 550 (2013); Constantine Sedikides, Deletha Hardin, Kenneth Herbst, and Gregory Dardis, Accountability as a Deterrent to Self-Enhancement: The Search for Mechanisms, 83 Journal of Personality & Social Psychology 592 (2002).
See, e.g., Jennifer J. Dose and Richard J. Klimoski, Doing the Right Thing in the Workplace: Responsibility in the Face of Accountability, 8 Employee Responsibilities & Rights Journal 35 (1995); Jennifer S. Lerner and Philip E. Tetlock, Accounting for the Effects of Accountability, 125 Psychological Bulletin 255 (1999); Randall A. Gordon, Richard M. Rozelle, and James C. Baxter, The Effect of Applicant Age, Job Level, and Accountability on Perceptions of Female Job Applicants, 123 Journal of Psychology 59 (1989); Philip E. Tetlock, The Impact of Accountability on Judgment and Choice: Toward a Social Contingency Model, 25 Advances in Experimental Social Psychology 331 (1992); Angela T. Hall, Dwight D. Frink, and M. Ronald Buckley, An Accountability Account: A Review and Synthesis of the Theoretical and Empirical Research on Felt Accountability, 38 Journal of Organizational Behavior 204 (2017); Sheldon Adelberg and Daniel C. Batson, Accountability and Helping: When Needs Exceed Resources, 36 Journal of Personality and Social Psychology 343 (1978); Mark E. Peecher, Ira Solomon, and Ken T. Trotman, An Accountability Framework for Financial Statement Auditors and Related Research Questions, 38 Accounting, Organizations and Society 596 (2013); Angela T. Hall, M. Todd Royle, Robert A. Brymer, Pamela L. Perrewé, Gerald R. Ferris and Wayne A. Hochwarter, Relationships Between Felt Accountability as a Stresser and Strain Reaction: The Neutralizing Role of Autonomy Across Two Studies, 11 Journal of Occupational Health Psychology 87 (2006).
viii. Responding to Engagement Deficiencies Identified After Issuance of the Audit Report
The amendments to AS 2901, Consideration of Omitted Procedures After the Report Date, include: (1) addressing engagement deficiencies in addition to omitted procedures and (2) including the ICFR audit within its scope. Relatedly, the amendments to AT No. 1 and AT No. 2 mirror the amendments to AS 2901. The discussion above provides further information on this provision. The Board expects these amendments will lead auditors to perform additional procedures to obtain sufficient appropriate evidence or take additional action to prevent future reliance on insufficiently supported audit opinions (or review reports in the case of review engagements) that are being relied on. In such cases, PCAOB standards will require firms to advise their client to make appropriate disclosure of the newly discovered facts and their impact on the financial statements (or examination or review reports in the case of attestation engagements) to persons who are known to be currently relying or who are likely to rely on the financial statements and the related auditor's report (or review report in the case of a review engagement). Academic research on ICFR suggests that such disclosures will be valuable to capital market participants with improvements in company performance and financial reporting.
See discussion on economic impacts above and the research cited therein.
ix. SECPS Requirements
The requirements will refine, integrate into QC 1000, and extend to all firms the SECPS member requirements currently required under PCAOB Rule 3400T. Based on current registration data, approximately 13% of PCAOB-registered firms are already subject to these requirements under PCAOB Rule 3400T. The discussion above provides an overview of these requirements. The Board expects that this feature of the rulemaking will benefit investors by enhancing audit quality through improved compliance with SEC and PCAOB independence rules on engagements performed by firms not already subject to these requirements under PCAOB Rule 3400T.
2. Costs
The Board expects the requirements will result in additional direct and indirect costs to auditors and, potentially, indirect costs to the companies that they audit. The extent of these costs will depend on the degree to which firms otherwise have QC systems in place designed to comply with other QC standards and the specific policies and procedures adopted by the firm. The information presented above suggests that U.S. GNFs commit hundreds of partner and non-partner FTEs to their QC systems, including, individually, each of the major QC system components specified in ISQM 1. Resources are particularly utilized in the areas of independence, ethics, and resources. As discussed above, the Board believes most firms are subject to other QC standards. In designing, implementing, and operating their QC systems, firms that are subject to both PCAOB standards and other QC standards can leverage the investments they make to comply with the requirements of the other standards. Therefore, the Board expects that a portion of the overall costs of designing, implementing, and operating policies and procedures to comply with QC 1000 have been or will be incurred by most firms regardless of whether QC 1000 is adopted. As a consequence, for most firms, the Board expects the costs discussed below will derive primarily from the provisions in QC 1000 that go beyond the requirements of other QC standards.
Several commenters noted there will be costs and challenges to implement and operate features of QC 1000 that are incremental to the systems firms have established to comply with other QC standards. One commenter said that the need to accommodate nuances among different standards results in firms maintaining different methodologies, practices, and procedures that puts pressure on limited firm resources. Several commenters asserted that firms that audit between 100 and 500 issuers will be significantly impacted by costs associated with some or all of QC 1000's incremental requirements for firms that issue audit reports for more than 100 issuers, and some of the commenters noted resource differences between GNFs and annually inspected NAFs. Since QC systems are resource-intensive, the efforts required to respond to the additional provisions in QC 1000 or to otherwise adapt the QC system to the auditing environment for issuers and SEC-registered broker-dealers could be significant.
While the PCAOB lacks data to quantify the costs that could result from QC 1000, some studies have estimated costs associated with ICFR under Sarbanes-Oxley section 404. The Board acknowledges differences between section 404 and QC 1000, but section 404 is similar to QC 1000 in that section 404 was a policy shock that led large public companies to improve their internal control practices. In addition, while QC 1000 is not an internal control framework per se, it does reflect similar principles as COSO, the industry standard control framework that was widely relied upon to implement section 404. One commenter observed that the requirements under QC 1000 are similar in certain ways to the requirements related to ICFR under Sarbanes-Oxley for companies and suggested that the impacts of QC 1000 on auditors will be similar to the impact Sarbanes-Oxley had on companies notwithstanding key differences between a company's ICFR and an audit firm's QC system.
Based on a sample of companies that voluntarily disclosed Section 404 cost information in their SEC filings during the period Jan. 2003 to Sept. 2005, one study found that the mean total compliance costs for Section 404 was $2.2 million ($3.7 million adjusted for inflation), and the median was $1.2 million ($2.0 million adjusted for inflation). See Jagan Krishnan, Dasaratha Rama, and Yinghong Zhang, Costs to Comply with SOX Section 404, 27 Auditing: A Journal of Practice & Theory 169 (2008). Using a sample of Fortune 1000 companies, another study estimated the companies spent an average of $5.9 million ($9.6 million adjusted for inflation) to comply with Section 404 in the first year of implementation. See Charles River Associates, Sarbanes-Oxley 404 Costs and Remediation of Deficiencies: Estimates from a Sample of Fortune 1000 Companies (2005). Another study found that direct costs of Section 404 fell by as much as 40% by the second year after implementation and varied significantly by company size. See John C. Coates IV, The Goals and Promise of the Sarbanes-Oxley Act, 21 Journal of Economic Perspectives 91 (2007). Another study reported an SEC survey sample that showed an overall average Section 404 compliance expense of $1.2 million ($1.7 million adjusted for inflation) in the latest fiscal year before the survey (Dec. 2008 to Jan. 2009) and respondents reported a decline over time in such costs. See Cindy R. Alexander, Scott W. Bauguess, Gennaro Bernile, Yoon-Ho Alex Lee, and Jennifer Marietta-Westberg, Economic Effects of SOX Section 404 Compliance: A Corporate Insider Perspective, 56 Journal of Accounting and Economics 273 (2013). To adjust results from the studies for inflation, PCAOB staff used an inflationary factor as of the third quarter 2023 from the current dollar index number of the Employment Cost Index for private workers employed in the professional, scientific, and technical services industry published by the U.S. Bureau of Labor Statistics (available at https://www.bls.gov/eci/data.htm). This inflationary adjustment does not account for any potential differences between QC 1000 costs and Section 404 costs or any potential structural changes over time.
a. Direct and Indirect Costs of the Proposed Requirements
The Board expects the requirements will lead to several direct and indirect costs. There will be a direct cost to audit firms to design a QC system that complies with QC 1000. For example, firms will likely spend time reviewing QC 1000; assigning roles and responsibilities; identifying staffing and training needs; and developing a set of quality objectives, quality risks, and quality responses. Once a QC system is designed, firms will incur costs to monitor, identify, and assess changes to conditions, events, and activities that indicate modifications to the firm's quality objectives, quality risks, or quality responses may be needed. Some firms may outsource certain aspects of QC system design. The Board also expects that customization will be necessary to ensure that each QC system design appropriately addresses each firm's circumstances. The extent of the design costs will likely depend on facts and circumstances unique to each firm. Among firms that will be subject to other QC standards, which the Board believes represents most firms, the design costs will likely be reduced and limited to incremental requirements around ethics, independence, monitoring, and remediation.
For full applicability firms—those that will be required to implement and operate an effective QC system—there will likely be additional costs. Firms may need to implement fixed resources (e.g., people, financial, technological, or intellectual) prior to operating their QC system. For example, a firm may need to invest in an IT system or train individuals having QC roles or responsibilities. Several commenters identified significant implementation costs and called for an extended implementation period due to these costs. Describing the results of its recent survey of assurance service QC leaders, one commenter reported that obtaining “buy in” and acceptance from organizational members is the most common challenge firms face when implementing changes to their QC systems. As discussed, the Board agrees there will be implementation costs; however, these implementation costs will be reduced to the extent that firms already implement the requirements to comply with the actions of other standard setters or due to other developments. Furthermore, the Board expects the design and implementation costs will be largely fixed in nature and will decline over time.
See Hayne, et al., Managing Quality Control Systems.
Firms may also incur new operating costs, at the firm level and the engagement level. At the firm level, firms may require additional resources to administer new or revised quality responses after they are implemented, execute the annual risk assessment, perform the annual evaluation of the QC system, report the results of the evaluation to the PCAOB using the same PCAOB platform as the other reporting forms, and prepare and retain the required documentation. Several commenters identified significant operating costs. For example, one commenter argued that the proposed independent oversight function could entail insurance costs. At the engagement level, engagement team time may be required to execute new or revised quality responses. For example, an engagement team may carry out procedures regarding continuance of the firm's relationship with the client served by that engagement team. These operating costs will be reduced for firms that would be subject to other standard setters or other developments.
Several commenters asserted that the documentation costs, as originally proposed, could be particularly onerous. For example, several commenters asserted that firms would be required to retain large volumes of documentation to support the operation of the firm's quality responses for each instance related to all years for which firms are required to maintain such documentation. One commenter noted that information evidencing the operation of a firm's QC system can vary in size, type, and storage requirements and that the costs of modifying the firm's existing IT systems to comply with the documentation requirement could be significant. Some commenters noted that the amount of documentation to be retained is expected to require considerably more storage space for each evaluation period, which the commenters suggested translates to a need for new servers and extended licensing agreements. One commenter said that firms that change their systems will have to maintain licenses for old systems for up to seven years. The same commenter said the seven-year retention period goes well beyond the retention requirements of ISQM 1 and SQMS 1 and asserted that firms with a significant private company client base would be challenged to have different documentation retention policies since many aspects of quality control relate to the firm as a whole. Some commenters suggested that retaining sensitive information introduces heightened cybersecurity risks for firms, firm personnel, clients, and other stakeholders. The Board acknowledges that the documentation requirement could create costs for firms, including costs related to retention and cybersecurity infrastructure. To clarify the expected cost burden, the discussion above notes that documentation of every aspect of the operation of the firm's QC system may not be required to evidence that each quality response operated effectively.
Several commenters asserted that smaller firms may be especially affected by the new QC requirements, including requirements incremental or alternative to ISQM 1 and SQMS 1. One commenter said that smaller firms will need to hire consultants or additional staff for the monitoring, remediation, and evaluation functions, notwithstanding the scalability of QC 1000. Another commenter asserted that QC 1000 will impose disproportionate costs on smaller firms but noted that the commenter did not analyze in detail the cost of each incremental requirement and therefore did not have an estimate of the disproportionate costs. Relatedly, research finds that implementation and operating costs of internal control frameworks precipitated by Sarbanes-Oxley are proportionally greater for smaller companies.
See, e.g., John C. Coates and Suraj Srinivasan, SOX after Ten Years: A Multidisciplinary Review, 28 Accounting Horizons 627 (2014).
The Board acknowledges that the direct costs will likely vary depending on the size of the firm and the nature of its audit practice. Larger PCAOB audit practices that already have extensive QC systems in place may benefit from economies of scale or scope when incorporating the new requirements into their existing systems, which would decrease the cost of QC 1000 per engagement. Larger PCAOB audit practices will be able to distribute fixed implementation costs over a larger number of engagements, while smaller practices will distribute fixed implementation costs over a smaller number of engagements. On the other hand, it may also be difficult for firms with more complex clients and diverse client portfolios—characteristics of larger PCAOB audit practices—to implement effective QC systems. To the extent that smaller firms may be disproportionately impacted as commenters have suggested, the Board continues to believe that the principles-based features and scalable nature of QC 1000, described in greater detail above, as well as the 100-issuer threshold for some provisions, help to mitigate their costs because smaller firms will rely on proportionally fewer resources for design, implementation, and operation of their QC systems.
In addition to the direct costs to auditors to comply with the requirements, indirect costs may arise. To the extent that compliance with the requirements will improve compliance with applicable professional and legal requirements at the engagement level, costs may increase for the affected engagements. For example, in bringing their work into compliance with PCAOB auditing standards, some engagement teams may gather additional or more persuasive audit evidence and prepare more documentation than they previously did. However, firms should be incurring these costs already.
Audited companies may also incur indirect costs related to the requirements. For example, some commenters asserted that the 100-issuer threshold could deter triennially inspected firms from accepting new public company audit engagements or encourage firms to resign from existing audit engagements to avoid crossing the 100-issuer threshold. Although the Board recognizes this possibility, for context regarding the number of firms currently around the 100-issuer threshold, PCAOB staff analysis of audit reports included in SEC filings indicates that, during the 2022 calendar year, two NAFs audited between 80 and 100 issuers and two NAFs audited between 100 and 120 issuers. Firms may pass on part of any increased costs they incur at the firm or engagement level by raising the fees they charge their clients. In addition, to the extent that the requirements improve compliance with applicable professional and legal requirements, some audited companies could face additional costs to respond to their auditors' requests for additional or more extensive audit evidence. Audited companies may incur other costs due to changes in audit firm QC policies and procedures. For example, if QC 1000 results in changes to firms' client acceptance and continuance practices, firms may require greater fees or refuse to accept or retain high-risk clients. While this outcome would represent a cost to audited companies, the result could be a more efficient audit market if riskier companies pay more. These indirect costs will be reduced to the extent that firms will have already implemented the requirements in response to similar actions of other standard setters or due to other developments.
b. Costs of Key Provisions
i. Scaled Applicability
Scaled-applicability firms will incur the design costs discussed above. Should a scaled-applicability firm ever become subject to the implementation and operation requirements, the firm will then incur the implementation and operation costs discussed above. As with other registered firms, the costs to scaled-applicability firms will be less to the extent they will already be complying with ISQM 1 or SQMS 1. Firms and a related group suggested allowing firms that do not perform engagements the flexibility to design their QC system in accordance with another QC standard, such as ISQM 1 or SQMS 1, to help manage costs. However, the Board expects the design costs for those firms to be limited to incremental requirements around ethics, independence, monitoring, and remediation. Furthermore, scaled-applicability firms may choose to avoid the design costs by withdrawing from PCAOB registration given that they are not required to be registered.
ii. In-Process Monitoring Activities
The Board believes the in-process monitoring requirement may contribute to the direct and indirect costs discussed above such as: (1) developing documentation, (2) providing training, (3) gathering additional audit evidence, and (4) other potential indirect costs such as the time required of issuers to provide their auditor with additional or more extensive audit evidence. The costs will depend on the extent to which firms already have in-process monitoring activities in place. In addition, in-process monitoring may result in increased audit fees. Information gathered through PCAOB inspection activities indicates that 11 out of 14 annually inspected firms perform some in-process engagement monitoring activities.
iii. Firm Governance Structure
The Board believes there could be costs to design, implement, and operate the oversight function (i.e., EQCF). For example, firms that are required to incorporate the oversight function into their governance structure for the first time may incur costs when retaining appropriate individuals from outside of the firm. Firms with an existing oversight function may incur costs to find different individuals to fill the role. In addition, firms with an existing oversight function may incur incremental costs to incorporate the baseline requirement to evaluate, at a minimum, significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system.
According to Spencer Stuart, the average compensation per non-employee director was $327,764 in 2023. See 2023 U.S. Spencer Stuart Board Index (2023), available at https://www.spencerstuart.com/-/media/2021/october/ssbi2021/us-spencer-stuart-board-index-2021.pdf (analyzing 489 DEF-14A proxy statements filed by S&P 500 companies with the SEC between May 1, 2022, and Apr. 30, 2023). PCAOB staff notes that variation between the responsibilities of an oversight function and a non-employee director function may limit the relevance of this cost reference to some extent.
Several commenters expressed concern that the oversight function would be costly or difficult to fulfill, especially for firms that audit between 100 and 500 issuers. One commenter suggested the oversight function could add costs that ultimately have to be passed on through higher audit fees, which investors in smaller issuers are unlikely to support, particularly when the costs are spread over a small amount of invested public capital in a firm's issuer audit clients. Conversely, one commenter said that the costs of the oversight function could be reduced by engaging an independent accounting firm to provide weekly advisory services.
To help address these cost concerns, the requirement will allow firms to implement an oversight function into their QC system suitable for their circumstances. Costs, as well as the associated benefits, could be attenuated for U.S. GNFs by the fact that all of the U.S. GNFs indicate, as of the 2020 inspection cycle, that they already have a governance structure that includes a non-employee.
iv. The Automated Independence Process
The Board believes there could be costs to design, implement, and operate the required automated process to identify investments in securities that might impair independence. The costs will depend on the extent to which firms already have such an automated process in place. Information gathered through PCAOB inspection activities indicates that nine out of 14 annually inspected firms already have one in place. The remaining five have processes in place that are not fully automated. Firms will be able to automate the process in a way that is suitable to their unique facts and circumstances. Most firms will likely need to: (1) convert their restricted entity list into a searchable electronic form; (2) maintain the electronic restricted entity list; and (3) develop queries that can compare a manager's or partner's relevant investments in securities to the electronic restricted entity list. Some firms may choose to integrate the automated process with existing systems related to client acceptance or time and expense. Firms with simple restricted entity lists (e.g., fewer clients, fewer subsidiaries) or simpler QC policies and procedures for restricted entities (e.g., any investment in any security of a restricted entity is restricted) may require less investment in software and expertise than other firms.
Several commenters said that the proposed automated process will entail significant costs. One commenter emphasized that there will be upfront and ongoing investments in technology and other overhead to operate such a process. Another commenter noted that implementing and maintaining an automated independence monitoring system is costly for smaller firms, which audit predominantly privately held companies and have not previously been subject to the automated independence system requirement under SEC rules. One commenter said it was unaware of any truly off-the-shelf system responsive to the proposed requirement. One commenter emphasized that for firms that audit between 100 and 500 issuers, the main potential downside of an automated process is the associated time and incremental cost to develop an efficient and effective system. The commenter noted that, in addition to software costs, there will be costs to oversee the system to ensure the data entered are correct and firm personnel are trained to use the system. Another commenter noted that the six largest firms represent 60% of issuers and approximately 98.7% of the capital markets and asserted that the automated independence process will nearly triple the number of firms required to implement automated investment tracking systems but pick up less than 15% of issuers, which represent less than 1% of the capital markets. The same commenter also asserted that the differences in size, scope, nature, and complexity between the six largest annually inspected firms and other annually inspected firms can be immense and that more than 80% of the commenter's issuer client count consists of either Form 11-K audits or audits of smaller companies, which have less impact on capital markets. While the commenter provided these figures in response to costs of the automated independence process, the same figures could apply to the costs and benefits of each of the key policy provisions that invoke the 100-issuer threshold.
To help address these views, the final standard clarifies that the required automated process: (1) will apply only to the identification of relevant investments in securities and (2) will permit firms to rely on firm professionals accurately self-reporting and entering their investments into the system (e.g., direct brokerage feeds will not be expressly mandated). In addition, the Board believes that existing software products likely could be adapted to respond to the requirements. Furthermore, off-the-shelf systems more tailored to the requirements may enter the market in the future. Notwithstanding the commenters' views, the Board retained the automated independence process requirement, and acknowledges there will be costs to design, implement, and operate it.
v. Complaints and Allegations Policies and Procedures
The Board expects the policies and procedures regarding complaints and allegations will entail direct costs to firms to design, implement, and maintain. Most notably, firms will incur additional variable costs to receive, investigate, and address complaints and allegations. Firms that issued audit reports with respect to more than 100 issuers during the prior calendar year will incur costs to implement confidentiality protections. The costs will depend on the extent to which firms already have policies and procedures regarding complaints and allegations in place. Information gathered through PCAOB inspection activities indicates that 10 out of 14 annually inspected firms already have hotlines in place that may satisfy certain of the complaints and allegations requirements.
According to one hotline vendor that posted their service prices online, the annual fee for a hotline that covers up to 75 employees starts at $1,200 and the annual fee for a hotline that covers more than 5,000 employees starts at $7,000 (see https://www.allvoices.co/basic-purchase). The Board notes that the complaints and allegations provisions include more than having a hotline.
vi. Reporting the Annual QC System Evaluation
The Board expects the requirement to report the annual QC system evaluation to the PCAOB will entail an additional annual cost to firms to prepare Form QC. However, since firms will already be required to perform and document the evaluation, any additional costs associated with preparing Form QC should be minimal. The requirement may also result in some increased litigation risk to the extent that information reported to the PCAOB is not subject to privilege under section 105(b)(5) of Sarbanes-Oxley, and to the extent that reporting of this information to a third party may vitiate other privileges that otherwise could have been used to protect the information from compelled disclosure in third-party actions. Non-protected material may become subject to compulsory production, which could impose indirect costs on firms to the extent that legal or other consequences may flow from that production.
vii. Certification of the Annual QC System Evaluation
The certification requirement itself may not impose much direct cost on firms because the evaluation activities precede certification. However, to the extent that firms choose to implement a more robust internal compliance infrastructure (e.g., by requiring sub-certifications from personnel with direct responsibility for certain functions), those costs could also be attributable to the certification requirement. Moreover, firms may be exposed to litigation costs because the certifications in Form QC are not subject to privilege under section 105(b)(5) of Sarbanes-Oxley, meaning that third parties may be able to compel production of the certifications, and the certifications may have an impact in third-party litigation. For example, the threat of liability for negligent conduct could lead to costs if individuals demand additional remuneration or take additional steps to act reasonably and demonstrate that they have acted reasonably (e.g., assuring themselves that the QC system is appropriately designed) or to defend against enforcement allegations. The Board believes, however, that the internal compliance exercise, and even potentially the threat of third-party litigation, can reinforce the importance of the firm's QC system within the firm, which in turn can help produce the benefits the Board expects this provision will generate.
viii. Responding to Engagement Deficiencies Identified After Issuance of the Audit Report
The amendments to AS 2901, Consideration of Omitted Procedures After the Report Date, and related amendments to AT No. 1 and AT No. 2 will contribute to the engagement-level costs discussed above to the extent auditors will perform additional procedures to obtain sufficient appropriate evidence or take additional action to prevent future reliance on insufficiently supported audit opinions (or review reports in the case of review engagements) that are being relied on. The Board expects the requirement to extend the scope of AS 2901 to include the ICFR audit within its scope will be particularly impactful because the audit of internal control over financial reporting is both resource-intensive and a common and recurring area of deficiency.
See, e.g., U.S. Securities and Exchange Commission Office of Economic Analysis, Study of the Sarbanes-Oxley Act of 2002 Section 404 Internal Control over Financial Reporting Requirements (Sept. 2009), at Table 8 (reporting that roughly one-third of total audit fees may be attributable to the ICFR audit).
See, e.g., 2020 Inspection Observations Preview.
vii. SECPS Requirements
The requirements will refine, integrate into QC 1000, and extend to all firms the SECPS member requirements currently required under PCAOB Rule 3400T. The Board expects this will increase development, implementation, and operating costs for firms not already subject to these requirements. However, the Board believes the costs should be minimal because, based on its oversight activities, the Board believes these firms already have in place policies and procedures related to compliance with SEC and PCAOB independence rules.
3. Unintended Consequences
The requirements could give rise to unintended consequences. Overall, however, the Board expects any potential unintended consequences will be mitigated by other factors.
a. Human Capital
Some firms may require additional staff resources to implement the requirements. To meet this demand, firms may transfer personnel from engagement-level roles to QC roles. This could create a risk that engagements are insufficiently staffed. Alternatively, some firms may assign more junior staff to QC roles or to new openings on engagements. This could create a risk that QC system or engagement personnel lack sufficient training or experience. One commenter reported the commenter's own analysis to demonstrate that audits are largely conducted by non-CPAs with limited experience in the field of auditing. QC 1000 includes quality objectives that mitigate these risks. For example, firms will be required to establish quality objectives that individuals who are assigned to engagements or perform QC system activities have the competence, objectivity, authority (in the case of activities within the QC system), and time to perform their responsibilities in accordance with applicable professional and legal requirements and the firm's policies and procedures.
See QC 1000.44c. and e.
Some commenters argued that the costs of QC 1000 would be especially significant due to labor shortages. One commenter asserted that an aggressive enforcement atmosphere may create disincentives for individuals to join the profession, harming the talent pipeline that is necessary for the production of high-quality audits. Another commenter raised concerns that recruiting and retaining partners and employees for a firm's QC system will be a tremendous challenge for firms willing and able to absorb additional costs to properly implement the requirements of QC 1000 given the tight labor market. One commenter reported that some market research indicates significant declines in the number of new CPA candidates and annual accounting degree completions. The commenter also reported commentary from a survey that reveals the largest accounting firms regularly score low along dimensions that are most indicative of their desirability as places to work. Another commenter cited news articles and academic research that suggest attracting and retaining talent is a serious concern for accounting firms and university accounting programs. However, based on its preliminary survey research, another commenter reported that some QC leaders do not feel resource constrained.
See AICPA Trends Report.
See Mark Kolakowski, Best Accounting Firms (Vault Top 50 Accounting Firms) (Jan. 14, 2020).
See, e.g., Lindsay Ellis, Why so Many Accountants are Quitting, Wall St. J. (Dec. 28, 2022); Stephen Foley, Accountants Work to Shed “Boring” Tag Amid Hiring Crisis, Financial Times (Oct. 3, 2022).
See, e.g., Hermanson, et al., The Work Environment in Large Audit Firms A38; Dana R. Hermanson, Heather M. Hermanson, Susan D. Hermanson, Where is Public Company Auditing Headed?, 90 CPA Journal 54 (2020); Westermann, et al., PCAOB Inspections 694.
See Hayne, et al., Managing Quality Control.
The Board acknowledges the commenters' concerns about the potential impact on staff resources. However, the potential impact on staff resources is likely the result of the interplay among numerous factors in the labor market, such as the rigor of qualifying for and completing the requirements for CPA licensure and the relatively low starting salaries being cited by college students as one of the main hurdles to choosing accounting as a major. To meet increased demand for staff resources, some firms may choose to hire additional experienced staff. It is possible that the labor demand shock could result in increased wages and potentially higher audit fees, which could be exacerbated by the concentration of large firms in the audit market. Higher wages could in turn help firms attract and retain a skilled workforce or encourage qualified individuals to take essential roles at firms. The principles-based features and scalable nature of QC 1000 described above, as well as the 100-issuer threshold for some provisions, help mitigate this risk because fewer resources will be required for firms based on those features.
There are some indications that retention and recruitment of staff is currently a challenge for audit firms. See, e.g., Persellin, et al., Auditor Perceptions 95; AICPA Private Companies Practice Section, 2021 PCPS CPA Top Issues Survey; AICPA, 2021 Trends: A Report on Accounting Education, the CPA Exam and Public Accounting Firms' Hiring of Recent Graduates (“AICPA Trends Report”) (Apr. 2022).
b. Competition
The requirements could also cause firms to exit the public company audit market or deter other firms from future entry. Entry deterrence could be exacerbated by the fact that being registered with the PCAOB will subject firms to certain QC requirements even if they do not perform engagements. Several commenters agreed that the proposed requirements, if adopted, could impact competition. One commenter expressed concern that the incremental requirements of QC 1000 relative to other QC standards could lead smaller high-quality firms to exit the market. One commenter asserted that the certification requirement would be an especially significant driver of exit, particularly for smaller firms. Some commenters suggested that the design requirement for scaled-applicability firms could lead some scaled-applicability firms to deregister with the PCAOB or create a barrier to entry. One commenter added that the design requirement for scaled-applicability firms could impact audit markets beyond the U.S. by creating a disincentive for foreign firms to serve specific audit markets. Another commenter suggested that further enhancing the scalability of QC 1000 may be helpful for smaller firms to stay competitive. One commenter noted that QC 1000 requirements may serve as an impediment to audit firm mergers and acquisitions and otherwise perturb market activity. Correspondingly, less consolidation could mitigate concentration or help preserve a competitive dynamic amongst firms. Nevertheless, the presence of fewer firms could reduce competition in the public company audit market even in light of additional scalability or fewer mergers and acquisitions. Some commenters said that some firms may resign existing issuer clients or decline new ones to avoid incremental QC 1000 requirements for firms that issue more than 100 audit reports. This could lead to a further reduction in competition for engagements for which these firms would otherwise compete.
This reduction in competition would likely only apply to actual or potential issuer clients of firms that are close to the 100-issuer threshold. As noted above, PCAOB staff analysis of audit reports included in SEC filings indicates that, during the 2022 calendar year, the number of firms currently around the 100-issuer threshold includes two NAFs that audited between 80 and 100 issuers and two NAFs that audited between 100 and 120 issuers.
Confirming the widely held view that audit firms compete on price, some research suggests that reduced competition is indeed associated with higher audit fees. However, any exit would likely be limited primarily to firms with small market shares and to the smaller issuer or broker-dealer audit markets, which research suggests tend to be competitive. For example, firms that would manage their client portfolio to avoid incremental QC 1000 requirements would likely prefer to resign (or decline to accept) smaller issuer clients than larger issuer clients. Moreover, some research suggests that reduced competition may have a positive impact on audit quality because it curtails issuers' opportunity to opinion shop. Compounding this effect, the requirements may further deter opinion shopping as a basis for competition to the extent they would improve auditors' compliance with professional standards. One commenter argued that opinion shopping is not prevalent and any reduction in opinion shopping would be minimal.
See, e.g., Joshua L. Gunn, Brett S. Kawada, and Paul N. Michas, Audit Market Concentration, Audit Fees, and Audit Quality: A Cross-Country Analysis of Complex Audit Clients, 38 Journal of Accounting and Public Policy 1 (2019).
While research generally has focused on competition for the largest public company audits and the corresponding concentration amongst the largest audit firms, less is known about market forces within the smaller audit firm market. However, some research has studied competitive aspects of the smaller firm market. See, e.g., Tracy Ti Gu, Dan A. Simunic, Michael T. Stein, Minlei Ye, and Ping Zhang, The Market for Audit Services: The Role of Market Power, 19 Journal of International Accounting Research 3 (2020) (concluding that small public companies can potentially purchase audit services from any audit firm and that the number of suppliers to small public companies is relatively higher than the number of suppliers to large public companies); Kenneth L. Bills and Nathaniel M. Stephens, Spatial Competition at the Intersection of the Large and Small Audit Firm Markets, 35 Auditing: A Journal of Practice and Theory 23 (2016) (concluding that smaller and larger firms compete locally in some cases); Andrew Kitto, Phillip T. Lamoreaux, and Devin Williams, Do Entry Barriers Allow Low Quality Audit Firms to Enter the Public Company Audit Market?, available on SSRN: https://ssrn.com/abstract=3572688 (2023) (concluding that current barriers to entry likely deter some audit firms from entering the audit market but that current barriers fail to prevent entry by firms that are significantly lower quality compared to incumbent firms); Brant Christensen, Kecia Williams Smith, Dechun Wang, and Devin Williams, The Audit Quality Effects of Small Audit Firm Mergers in the United States, 42 Auditing: A Journal of Practice & Theory 75 (2023) (concluding that audit quality decreases post-merger based on data regarding mergers of very small audit firms).
See, e.g., Nathan J. Newton, Julie S. Persellin, Dechun Wang, and Michael S. Wilkins, Internal Control Opinion Shopping and Audit Market Competition, 91 The Accounting Review 603 (2016); Nathan J. Newton, Dechun Wang, and Michael S. Wilkins, Does a Lack of Choice Lead to Lower Quality? Evidence From Auditor Competition and Client Restatements, 32 Auditing: A Journal of Practice & Theory 31 (2013).
c. Network Resources
Some commenters expressed concern that the requirements could diminish the availability of global network resources and that smaller firms around the world could decline to assist U.S. firms in their global audits. One commenter added that this could be detrimental to overall engagement quality. Several factors could mitigate this potential unintended consequence. First, staff analysis of 2021 Form AP filings finds that 74% of all audits (32% of Fortune 500 audits) do not use other auditors. Second, this potential unintended consequence would likely be limited primarily to firms that lack the network resources to implement QC 1000. One academic study finds that 94% of component auditors identified on Form AP are affiliated with the principal auditor (99% when the principal auditor is a GNF). Third, other auditors that do not play a substantial role on any PCAOB engagement would be able to deregister with the PCAOB and continue to perform their existing roles on the engagements. Fourth, the competitiveness of the smaller issuer audit market suggests that principal auditors would be able to retain a different component auditor of comparable quality. Finally, to the extent the requirements would lead a firm to retain a lower-quality component auditor, existing PCAOB standards related to audits involving other auditors could help mitigate the risk that the new component auditor performs a low-quality component audit. It is possible that, despite the requirements, firms may not improve compliance with applicable professional and legal requirements when performing their engagements. For example, personnel assigned to QC roles may adopt a perfunctory, “check the box” attitude toward compliance. The firm's risk assessment process and monitoring and remediation process requirements, which require personnel assigned to QC roles to think proactively about the reasonable assurance objective, could help to mitigate this risk. 
As another example, engagement partners may overestimate the ability of their firm's QC system to support achievement of the reasonable assurance objective and relax their efforts to self-monitor or monitor others. While QC 1000 centralizes responsibility for QC to a degree, other requirements could mitigate this risk. For example, individual responsibility features prominently in QC 1000 and PCAOB auditing standards emphasize the responsibility of the engagement partner for the engagement and its performance.
See PCAOB Rel. No. 2022-002, at Figure 2.
See William M. Docimo, Joshua L. Gunn, Chan Li, and Paul N. Michas, Do Foreign Component Auditors Harm Financial Reporting Quality? A Subsidiary-Level Analysis of Foreign Component Auditor Use, 38 Contemporary Accounting Research 3113 (2021).
See, e.g., PCAOB Rel. No. 2022-002.
See, e.g., QC 1000.42a.(1); AS 1201.03. The Board has also proposed to clarify the engagement partner's existing responsibilities for supervision and review in AS 1201, AS 1215, and AS 2101 to provide more specificity about the engagement partner's responsibility to exercise due professional care related to supervisory and review activities required to be performed under existing auditor requirements. See PCAOB Rel. No. 2023-001 at 15.
d. Accountability
Some commenters expressed concern that the accountability provisions of QC 1000 could have potentially harmful unintended consequences. For example, one commenter asserted that good faith actions with regard to supervisory responsibilities could become subject to PCAOB enforcement. Some commenters suggested that the roles and responsibilities requirements could reduce audit quality or increase costs by creating a disincentive for the most qualified individuals to take on the specified roles. One commenter noted that individual certification poses a potential threat of additional liability and could affect the recruitment of talented individuals needed to fill critical roles within firms. Another commenter noted that for firms with an issuer practice that makes up a small portion of the overall practice, it can be difficult to find partners to fill lead and engagement quality reviewer roles on engagements when those roles are subject to a higher risk of individual enforcement actions.
The Board acknowledges that, in addition to positive consequences, accountability can have negative consequences, such as disincentives from taking on QC roles with greater accountability. One commenter suggested that the incorporation of rewards into the firms' accountability model could mitigate this potential unintended consequence. QC 1000 contemplates that the firm's compensation plans and performance evaluations will appropriately incentivize firm personnel to fulfill their assigned responsibilities and that firm leadership will be held accountable for quality, including through their performance evaluations and compensation. Depending on the firm's specific quality risks, including the risk that qualified individuals may be unwilling to take on QC roles, firms can incorporate both positive incentives (“carrots”) and negative incentives (“sticks”) in the design of their incentive plans.
See QC 1000.44g.
See QC 1000.25b.
e. Scalability
One commenter expressed concern based on academic research that limiting the applicability of certain requirements to firms of a certain size could give rise to audit quality differences between larger and smaller firms. In general, the incremental requirements for larger PCAOB audit practices are less suitable to smaller PCAOB audit practices' QC systems. For example, a smaller firm may not need an automated system to track investments if it has a stable number of issuer clients and a small group of persons subject to independence requirements. But if a smaller firm does not achieve its quality objectives or the reasonable assurance objective, it will have to take remedial action, which could include implementing some or all of the incremental QC system features that are expressly required for larger PCAOB audit practices.
f. Design Requirements Under Scaled Applicability
Some commenters expressed concern that scaled-applicability firms could design QC systems inappropriate for the future circumstances that would arise should the firm eventually become a full-applicability firm. One commenter cited research that suggests audit firm personnel designing a QC system to address hypothetical future circumstances will need to overcome numerous cognitive biases. The Board believes this potential unintended consequence is mitigated by QC 1000's proactive approach. For example, the firm will be required to establish policies and procedures to monitor, identify, and assess changes to conditions, events, and activities that indicate modifications to the firm's quality objectives, quality risks, or quality responses may be needed. When such changes are identified, the firm will be required to determine what, if any, modifications are needed and to make them on a timely basis. In effect, a scaled-applicability firm's QC system design should be appropriate for its circumstances in the event it becomes a full-applicability firm.
See, e.g., Paul J.H. Schoemaker, Forecasting and Scenario Planning: The Challenges of Uncertainty and Complexity, in Blackwell Handbook of Judgment & Decision Making, eds. D.J. Koehler and N. Harvey, 274 (2004); Edward J. Joyce and Gary C. Biddle, Anchoring and Adjustment in Probabilistic Inference in Auditing, 19 Journal of Accounting Research 120 (1981); Noel Harding and Ken T. Trotman, Improving Assessments of Another Auditor's Competence, 28 Auditing: A Journal of Practice & Theory 53 (2009); Byron J. Pike, Mary B. Curtis, and Lawrence Chui, How Does an Initial Expectation Bias Influence Auditors' Application and Performance of Analytical Procedures?, 88 The Accounting Review 1413 (2013); Amos Tversky and Daniel Kahneman, Judgment under Uncertainty: Heuristics and Biases, 185 Science 1124 (1974); Steven M. Glover, James Jiambalvo, and Jane Kennedy, Analytical Procedures and Audit-Planning Decisions, 19 Auditing: A Journal of Practice & Theory 27 (2000); Vicky B. Hoffman and Mark F. Zimbelman, Do Strategic Reasoning and Brainstorming Help Auditors Change their Standard Audit Procedures in Response to Fraud Risk?, 84 The Accounting Review 811 (2009); Tim D. Bauer, Sean M. Hillison, Mark E. Peecher, and Bradley Pomeroy, Revising Audit Plans to Address Fraud Risk: A Case of “Do as I Advise, Not as I Do”?, 37 Contemporary Accounting Research 2558 (2020).
g. Other Potential Unintended Consequences
Because firms' QC systems will likely operate over all of their engagements, including those that are not subject to PCAOB standards, the engagement-level costs discussed above could apply to those engagements as well. Moreover, one commenter asserted that firms with a significant private company client base will be challenged by different documentation retention policies based on client base since many aspects of QC relate to the firm as a whole. Correspondingly, the requirements could improve compliance on those engagements because they would be governed by more effective QC policies and procedures. Indeed, one commenter said that requiring all firms to design a QC system that complies with QC 1000 could have a beneficial impact on private company audits.
Research on other quality management and enterprise risk management systems suggests other potential unintended consequences. For example, research on ISO 9000 adoption indicates that it may reduce staff morale, stifle innovation, and require excessive levels of documentation. The principles-based features and scalable nature of QC 1000 described above, as well as the 100-issuer threshold for some provisions, help mitigate these concerns by providing firms the ability to design, implement, and operate policies and procedures to support achievement of the reasonable assurance objective based on their facts and circumstances.
See, e.g., John Seddon, Ten Arguments Against ISO 9000, 7 Managing Service Quality: An International Journal 162 (1997); Bozena Poksinska, Jörgen AE Eklund, and Jens Jörn Dahlgaard, ISO 9001:2000 in Small Organisations: Lost Opportunities, Benefits and Influencing Factors, 23 International Journal of Quality & Reliability Management 490 (2006).
Alternatives Considered
During the development of the requirements, the Board considered a number of alternative approaches to address the need described above. This section explains: (1) why standard setting is preferable to other policy-making approaches, such as providing interpretive guidance or enhancing inspection or enforcement efforts; (2) why the chosen standard-setting approach is preferable to other standard-setting approaches; and (3) key policy choices made in determining the details of the standard-setting approach.
1. Why Standard Setting Is Preferable to Another Approach
As potential alternatives to standard setting, the Board considered whether interpretive guidance or greater focus on inspections or enforcement could better address the need described above.
Interpretive guidance assists firms in the implementation of existing PCAOB standards and rules and can advance audit quality by establishing a common understanding of a firm's obligations under PCAOB standards and rules. For example, interpretive guidance may address, among other things, specific, common audit deficiencies identified during PCAOB inspections and the applicable requirements under PCAOB standards and rules. By contrast, as discussed above, some firms' QC systems appear to not be providing reasonable assurance of compliance generally. Moreover, current PCAOB QC standards were developed decades ago in a very different audit environment and have not been updated to reflect the risk-based, proactive approach to QC that the Board believes would be most effective. Therefore, the Board believes revisions to the current PCAOB QC standards are needed to require firms to make the necessary enhancements to their QC systems to help drive compliance with professional standards.
While the PCAOB will continue to address firms' compliance with PCAOB standards and rules through inspection and enforcement activities, QC standard setting provides certain unique benefits. Firms' QC systems operate over all aspects of all issuer audits and broker-dealer engagements, whereas PCAOB inspections assess compliance with only certain aspects of the issuer audits and broker-dealer engagements selected for review. In addition, inspection and enforcement efforts take place after the engagement has occurred and after investors and other financial statement users have potentially suffered harm. Therefore, greater focus on inspecting and enforcing compliance with PCAOB standards and rules may not be as effective as updating the QC standards and amending other related standards.
2. Why the Chosen Standard-Setting Approach Is Preferable to Other Standard-Setting Approaches
QC 1000 shares the same basic structure as ISQM 1 and SQMS 1. The Board also considered basing QC 1000 on a different quality management framework, such as COSO or ISO 9001, or developing its own risk-based approach. The essential features of these other quality management frameworks are broadly similar to ISQM 1 and SQMS 1. For example, they typically are risk-based and focus on monitoring and remediating deficiencies. However, ISQM 1 and SQMS 1 have the further advantage of being specifically tailored to audit firms. Furthermore, an original risk-based approach would likely include the same essential features as ISQM 1 and SQMS 1. Overall, the Board believes that the benefits of basing QC 1000 on a different quality management framework or an original PCAOB risk-based approach (e.g., improved compliance with applicable professional and legal requirements) would be similar to the benefits of using a structure similar to ISQM 1 and SQMS 1.
Basing QC 1000 on a different quality management framework or an original PCAOB risk-based approach would likely be more costly. As highlighted above, the Board expects that many firms are familiar with ISQM 1 or SQMS 1 and have made, or will make, investments in their QC systems to comply with those requirements. Firms may be less familiar with other quality management frameworks than they are with ISQM 1 and SQMS 1. Basing QC 1000 on a different quality management framework or an original PCAOB risk-based approach therefore would likely require additional effort by firms to understand and apply the standard. Some firms may be required to employ or engage persons with the necessary expertise in the particular quality framework to facilitate appropriate implementation. While the largest firms may employ consultants with this expertise, smaller firms may not, and acquiring or engaging the necessary consultants could be costly. In addition, basing QC 1000 on a different quality management framework or an original PCAOB risk-based approach may introduce an element of regulatory complexity, which could both increase cost and detract from audit quality for firms that would be required to comply with ISQM 1 or SQMS 1.
One commenter suggested that the Board look at any lessons learned or studies published by the IAASB or the AICPA related to their quality management standards to help inform any refinements that might be needed or additional implementation guidance that might be useful for adoption of QC 1000. As discussed above, the Board took into consideration actions by other standard setters and requirements of their quality management standards in the development of QC 1000. PCAOB staff searched for studies but did not find any available. The recent effective date of ISQM 1 on Dec. 15, 2022, and the forthcoming effective date of SQMS 1 on Dec. 15, 2025, may explain a dearth of lessons learned or post-implementation studies published by IAASB or the AICPA to date.
3. Key Policy Choices
This section discusses several potential provisions that the Board decided against including in QC 1000. These provisions relate to: (1) applicability; (2) the threshold for incremental requirements; (3) firm governance structure; (4) self-assessment monitoring; (5) in-process monitoring activities; (6) the evaluation and reporting dates; (7) reporting the annual QC system evaluation; (8) certification of the annual evaluation; (9) public reporting; and (10) audit committee communications.
a. Applicability
The discussion above explains the distinction between scaled applicability and full applicability. The Board considered requiring all firms to design, implement, and operate a QC system that meets the requirements only upon being required to comply with applicable professional and legal requirements with respect to a firm engagement. This approach would reduce the costs of the requirements to firms not performing engagements by allowing them to defer the costs of designing their QC system. However, scaled-applicability firms may reduce their costs under the approach by withdrawing from PCAOB registration. Furthermore, any reduced costs would not address the risk that firms could be unprepared to accept and perform engagements in compliance with applicable professional and legal requirements.
The discussion above also addresses commenters' views on alternative approaches to this key policy choice. For example, several commenters suggested allowing scaled applicability firms to design a QC system that complies with ISQM 1. One commenter suggested limiting the design requirements to acceptance and continuance policies. One commenter suggested limiting the design requirement to firms that satisfy an issuer client market capitalization criterion. While these alternative approaches could reduce some of the costs to scaled-applicability firms associated with designing their QC systems, they could also reduce the benefit of firms having a PCAOB-compliant QC system ready for implementation and operation. Furthermore, as discussed above, firms could avoid the costs of designing a QC system that complies with QC 1000 by deregistering.
b. Threshold for Incremental Requirements
The incremental requirements that will apply only to firms that issued audit reports for more than 100 issuers in the prior calendar year (e.g., requirements related to firm governance structure) are discussed above. Several commenters suggested alternative thresholds. For example, some commenters suggested the threshold should consider the market capitalizations of issuer clients. One commenter suggested that the threshold should consider the types of financial statements being audited. These alternative approaches could help ensure QC 1000 is appropriately scalable to the facts and circumstances of all firms. However, the Board believes there could be practical challenges with implementing a more complex threshold. For example, market capitalization can be volatile and would require PCAOB and firm resources to track. Some firms may cross an issuer market capitalization threshold multiple times within a short period of time. Issuer count, by contrast, aligns with Rule 4003, Frequency of Inspections, is easier to track, and may not be as volatile as market capitalization. Finally, while market capitalization may be a useful proxy for investor exposure to the issuers audited by the firm, it would be a less useful proxy for the complexity of a firm's QC system.
The commenter noted that a large percentage of their issuer audit counts consist of Form 11-K audits, which have limited impact on the capital markets.
c. Firm Governance Structure
Specified quality responses related to governance and leadership are discussed above. The Board considered extending to all firms the requirement to incorporate into their governance structure an external oversight function for the QC system composed of one or more persons who are not principals or employees of the firm and do not otherwise have a commercial, familial, or other relationship with the firm that would interfere with the exercise of independent judgment regarding matters related to the QC system. However, in light of the direct cost of such an oversight function, which could disproportionately impact smaller PCAOB audit practices, and reflecting the Board's view that the public interest in such independent oversight is strongest in relation to the largest firms, the requirement applies only to firms that issued audit reports with respect to more than 100 issuers during the prior calendar year.
Some commenters suggested that more than one independent member of the oversight function should be required. In support of this view, one commenter noted that the independent member(s) would be in the minority and cited academic research regarding audit committees that suggests oversight functions are more effective with a greater proportion of independent members. Another commenter referred to a report that cites survey research that suggests female directors improve corporate governance and that the positive influence is most significant when there are three or more female directors. The same commenter suggested that the oversight function should have public reporting responsibilities. Some commenters suggested that the independent oversight member should have more control. The Board acknowledges the commenters' views on the potential additional benefits of additional independent oversight requirements. However, the Board is also sensitive to the costs of any additional requirements, which several commenters suggested may be costly or difficult to fulfill.
See, e.g., F. Todd DeZoort, Dana R. Hermanson, Deborah S. Archambeault, and Scott A. Reed, Audit Committee Effectiveness: A Synthesis of the Empirical Audit Committee Literature, 21 Journal of Accounting Literature 38 (2002); Jean Bédard and Yves Gendron, Strengthening the Financial Reporting System: Can Audit Committees Deliver?, 14 International Journal of Auditing 174 (2010); Joseph V. Carcello, Dana R. Hermanson, and Zhongxia (Shelly) Ye, Corporate Governance Research in Accounting and Auditing: Insights, Practice Implications, and Future Research Directions, 30 Auditing: A Journal of Practice & Theory 1 (2011).
See The Conference Board, Maximizing the Benefits of Board Diversity: Lessons Learned from Activist Investing at 13 (June 2020); Alison M. Konrad, Vicki W. Kramer, and Sumru Erkut, Critical Mass: The Impact of Three or More Women on Corporate Boards, 37 Organizational Dynamics 145 (2008).
See previous discussion on economic impacts above.
d. Self-Assessment Monitoring
The Board considered permitting individuals to perform monitoring procedures over the same areas for which they are responsible. It decided against this approach because the Board feels it would be inconsistent with the quality objective that individuals who are assigned to perform activities within the QC system have the objectivity to monitor work in accordance with applicable professional and legal requirements and the firm's policies and procedures. As emphasized above, this quality objective is important for creating accountability within the firm to achieve the reasonable assurance objective. Information gathered through PCAOB inspection activities indicates that roughly 3% of firms inspected between 2018 and 2020 performed self-assessments. This suggests that relatively few firms would be impacted by this policy choice. The Board considered allowing self-assessment monitoring under certain conditions to reduce costs for impacted firms but ultimately decided against it out of concern that individuals may not be able to objectively assess their own work. In these circumstances, the firm may use other participants or third-party providers to perform monitoring activities.
See QC 1000.44e.
e. In-Process Monitoring Activities
In-process monitoring activities are discussed above. The Board considered extending the requirement to monitor in-process engagements to all firms but decided to limit the requirement to firms that issue audit reports with respect to more than 100 issuers. The Board believes that differentiating a firm's obligation based on the number of issuer clients may be appropriate because, in the Board's view, firms with larger, more complex audit practices are generally subject to quality risks for which in-process monitoring is an appropriate quality response. The Board also understands through PCAOB oversight activities that the majority of smaller PCAOB audit practices do not perform in-process monitoring activities and may lack the resources to do so. Therefore, to balance these concerns, QC 1000 includes a “should consider” requirement to provide sufficient scalability for firms that issue audit reports with respect to 100 or fewer issuers.
f. Evaluation and Reporting Dates
Several commenters suggested that QC 1000 should allow firms to choose their own evaluation date. This alternative could reduce the cost of QC 1000 by allowing firms to perform the evaluation when most convenient. For example, some firms could set their QC 1000 evaluation date near their ISQM 1 evaluation date and use parts of their ISQM 1 evaluation for their QC 1000 evaluation. However, the information reported to the PCAOB on Form QC would be less current and therefore less informative to the PCAOB when it selects firms and engagements for inspection, inspection focus areas, and inspection procedures. Tracking firms' compliance with the evaluation requirements could also be more challenging. In addition, the inherent differences between the QC 1000 and ISQM 1 evaluations will require incremental effort from firms to comply with QC 1000.
The Board initially proposed a November 30 evaluation date followed by 46 days from the evaluation date to both report and document the QC system evaluation. This timeline would provide the PCAOB with timely information to inform PCAOB oversight activities. Some commenters expressed concern that a November 30 evaluation date could present costs and other challenges because some firms have already chosen an alternative evaluation date under ISQM 1 or because the timeframe for the evaluation could conflict with some firms' inspection cycles or business cycles and can encompass holidays and religious observances. The Board was persuaded that a November 30 evaluation date could have led to unnecessary incremental resource demands during the busy and holiday seasons. Accordingly, the Board instead required firms to adopt a September 30 evaluation date as discussed above. Some commenters expressed concern that 46 days would be insufficient to report on and document their evaluation. The Board was persuaded that 46 days to report on and document the QC system evaluation could have created unnecessary costs to firms. Therefore, under the final standard, a firm will have 61 days to evaluate their QC system and an additional 14 days after the evaluation to assemble their documentation.
g. Reporting the Annual QC System Evaluation
Firm reporting on the QC system evaluation is discussed above. One commenter asserted that an explicit reporting requirement is unnecessary because the PCAOB inspection process provides the Board and staff with any relevant contemporaneous quality control information for both annual and triennially inspected firms. The Board considered obtaining the annual QC system evaluation as part of the PCAOB inspection process rather than an explicit reporting requirement. Under this alternative approach, the evaluation would be less timely, structured, and consistent and likely would not inform the PCAOB's inspection approach as effectively, especially for triennial firms. It could also diminish the beneficial incentive effect of mandatory reporting to the PCAOB. This alternative approach could eliminate or reduce the costs to firms associated with preparing a summary report of the firm's QC system evaluation. In addition, if, under this alternative approach, the privilege protections of section 105(b)(5) were determined to apply to some or all of the information generated by the firm pursuant to QC 1000, that could diminish the discoverability of such information in litigation, thereby decreasing third-party litigation risk. However, this alternative approach would not address the lost information value, particularly for the triennial firms.
The Board also considered requiring firms to report to the Board on Form QC only when the firm identifies a major QC deficiency. This approach would reduce some of the variable costs associated with preparing and transmitting Form QC to the PCAOB. However, this approach would also reduce the value of Form QC to the PCAOB. For example, reporting on unremediated QC deficiencies would inform various aspects of PCAOB oversight activities, including focusing inspection resources on higher risk firms, engagements, and focus areas; designing the nature and extent of inspection procedures, both for QC processes and individual engagements; and making more refined data requests from the firms. This alternative approach could also diminish the beneficial incentive effect of mandatory reporting to the PCAOB.
Several commenters suggested that the PCAOB clarify that Form QC is submitted under the PCAOB's inspections authority, as a way of bestowing the confidentiality protections of section 105(b)(5) upon the information provided therein. This would, according to commenters, alleviate uncertainty about the extent to which information submitted thereon may be subject to discovery or other disclosures, diminish a risk of unwarranted legal exposure, and help place the information in the context of the ongoing inspections dialogue. The Board acknowledges the commenters' concerns about these issues. However, as discussed above, QC 1000 is not an inspections rule; it is a QC standard that places obligations on all registered firms regardless of their inspection status (annual, triennial, or exempt), and as such the Board is not able to say that Form QC information is necessarily submitted “in connection with an inspection” as would be necessary to trigger the confidentiality protections of section 105(b)(5) of Sarbanes-Oxley.
h. Certification of the Annual Evaluation
Some commenters requested that the Board specify a heightened legal standard (e.g., recklessness) at which liability could be imposed on individuals for making a certification that is later determined to be false, or create safe harbors for inevitable system errors or the wrongful acts of others. As discussed above, the standard for liability turns on the particular language of each statement in the certification: some statements are subject to a negligence standard, while others (namely those with knowledge qualifiers) give rise to liability only if the certifier knew that the statement was false or recklessly did not know it was false. The Board acknowledges that alternative approaches urged by commenters could have saved some costs. Specifically, limiting liability to recklessness in all circumstances would provide individuals with comfort that their decisions would not be second-guessed in litigation. This result may make the performance of those services more efficient by removing an incentive to perform tasks that are not directly related to quality. For example, individuals may be less incentivized to engage in self-protective behaviors if a heightened legal standard (e.g., recklessness) is imposed. In addition, more staff may be willing to take these roles (or to take them at a lower price) if liability or workload would have been more limited by a heightened legal standard. However, that approach would have attenuated the benefits sought to be achieved by the certification requirement by removing the Board's ability to hold individuals accountable for conduct that fails to meet a reasonable person standard of care.
See Economic benefits—improved compliance with applicable professional and legal requirements—above for a discussion of commenters' concerns regarding increased liability or workload associated with the roles as potential disincentives that may keep qualified individuals from accepting the roles.
i. Public Reporting
The discussion above summarizes commenters' views on public reporting about firms' QC systems and legal constraints on public disclosure that are imposed by Sarbanes-Oxley. Some commenters suggested that the non-confidential portions of Form QC could be made publicly available. Such public reporting could in principle provide investors with additional information on audit quality and thereby help address the problem discussed above. However, the Board believes that significant portions of Form QC may be confidential. As a result, the non-confidential portions of Form QC could have been misleading and difficult to compare across firms. Public reporting of non-confidential portions of Form QC could also lead firms to be less candid in their Form QC reporting and thereby diminish its value to the PCAOB. Some commenters also expressed concern that any public reporting could be contrary to Sarbanes-Oxley. After considering the benefits and costs of alternative approaches, including those identified by commenters, the Board believes that firm reporting on Form QC should be nonpublic.
Several commenters suggested that QC 1000 should require firms to publicly disclose information related to audit quality. As discussed above, the Board has proposed separate rules related to firm and engagement metrics as well as firm reporting.
See PCAOB Rel. No. 2024-002 and PCAOB Rel. No. 2024-003.
j. Audit Committee Communications
Commenters' views on potential required reporting to audit committees are discussed above. The Board initially proposed to require the firm to discuss with the audit committee the conclusion of the firm's most recent annual evaluation of its QC system and a brief overview of remedial actions taken and to be taken. This information could give audit committees greater insight into the quality of their auditor. Several commenters were supportive of the proposed requirement. However, several other commenters asserted that the information could be largely difficult to understand, irrelevant to an individual audit committee, and potentially inconsistent with Sarbanes-Oxley. Furthermore, one commenter noted research and expressed concern that disclosure regarding the annual QC system evaluation to the audit committee only could enable audit committees to shop for lower-quality auditors. Similarly, another commenter expressed concern with an approach that would provide mandatory disclosure to audit committees but not to investors and the public. As discussed above, the Board determined not to adopt the proposed amendments to AS 1301 after consideration of the comments received.
See, e.g., Melissa Carlisle, Wei Yu, and Bryan K. Church, The Effect of Small Audit Firms' Failure to Remediate the PCAOB's Quality Control Criticisms on Audit Market Segmentation, 41 Journal of Accounting and Public Policy 1 (2022).
Special Considerations for Emerging Growth Companies
Pursuant to section 104 of the Jumpstart Our Business Startups (“JOBS”) Act, rules adopted by the Board subsequent to April 5, 2012, generally do not apply to the audits of emerging growth companies (“EGCs”), as defined in section 3(a)(80) of the Exchange Act, unless the SEC “determines that the application of such additional requirements is necessary or appropriate in the public interest, after considering the protection of investors and whether the action will promote efficiency, competition, and capital formation.” As a result of the JOBS Act, the rules and related amendments to PCAOB standards that the Board adopts are generally subject to a separate determination by the SEC regarding their applicability to audits of EGCs.
See Public Law 112-106 (Apr. 5, 2012). Section 103(a)(3)(C) of Sarbanes-Oxley, 15 U.S.C. 7213(a)(3)(C), as added by section 104 of the JOBS Act, also provides that any rules of the Board requiring (1) mandatory audit firm rotation or (2) a supplement to the auditor's report in which the auditor would be required to provide additional information about the audit and the financial statements of the issuer (auditor discussion and analysis) shall not apply to an audit of an EGC. None of the rules and amendments would fall within either of these two categories.
To inform consideration of the application of PCAOB standards to audits of EGCs, PCAOB staff prepares a white paper annually that provides general information about characteristics of EGCs. As of the November 15, 2022, measurement date, there were 3,031 companies that self-identified as EGCs and filed audited financial statements with the SEC between May 16, 2021, and November 15, 2022, that included an audit report signed by a firm. Of the 263 registered firms that audited EGCs, 227 firms (or 86%) performed audits for both EGC and non-EGC issuers. Approximately 98% of EGCs were audited by these 227 firms.
This analysis of the impact on EGCs is provided to assist the SEC in making the determination required under section 104 to the extent that the requirements apply to “the audit of any emerging growth company” within the meaning of section 104 of the JOBS Act.
See PCAOB, Characteristics of Emerging Growth Companies and Their Audit Firms at November 15, 2022 (Feb. 20, 2024) (“EGC White Paper”), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/economicandriskanalysis/projectsother/documents/white-paper-on-characteristics-of-emerging-growth-companies-as-of-nov-15-2022.pdf?sfvrsn=a8294f3_2 .
The EGC White Paper uses a lagging 18-month window to identify companies as EGCs. Please refer to the “Current Methodology” section in the EGC White Paper for details. Using an 18-month window enables PCAOB staff to analyze the characteristics of a fuller population in the EGC White Paper but may tend to result in a larger number of EGCs being included for purposes of the present EGC analysis than would alternative methodologies. For example, an estimate using a lagging 12-month window would exclude some EGCs that are delinquent in making periodic filings. An estimate as of the measurement date would exclude EGCs that have terminated their registration or that have exceeded the eligibility or time limits.
See EGC White Paper, at 17.
See id.
PCAOB staff also gathered information on Part I.A deficiencies for the audits of EGCs between 2013 and 2022. Figure 6 presents the percentage of inspected EGC and non-EGC issuer audits having at least one Part I.A deficiency. The data suggest that Part I.A deficiencies are even more common among audits of EGCs, raising questions about whether QC systems of firms that audit EGCs are effective in preventing audit deficiencies for these types of audit engagements.
In general, any new PCAOB standards and amendments to existing standards determined not to apply to the audits of EGCs would require auditors to address differing requirements within their methodologies or policies and procedures with respect to audits of EGCs and non-EGCs, which would create the potential for confusion. This may not be practical in the context of the QC standards; while some components of the QC system (such as engagement monitoring) may enable different approaches for audits of EGCs compared to audits of other companies, other elements (for example, resources and governance and leadership) are necessarily firm-wide and cannot easily be differentiated for different types of audits. Even where differentiation is possible, maintaining separate QC system components for EGC and non-EGC audits and separate methodologies with respect to, for example, auditor obligations with respect to deficiencies in completed engagements and foundational ethics requirements, may add cost or lead to confusion, and could run counter to the objective of integrating QC practices into a single virtuous cycle of risk assessment, monitoring, and remediation. These methodology and QC system differentiation costs would affect at least the 227 registered firms that audit both EGCs and non-EGCs and that, collectively, audit approximately 98% of EGCs.
The discussion of economic impacts of the requirements is generally applicable to the audits of EGCs. In particular, the benefits to financial reporting quality articulated above may be especially pertinent for EGCs, including improved efficiency of capital allocation, lower cost of capital, and enhanced capital formation. EGCs tend to be smaller and have a shorter SEC financial reporting history than the broader population of public companies. Academic research suggests that, for several reasons, smaller public companies tend to exhibit greater information asymmetry between management and investors. Accordingly, EGCs are likely to exhibit greater information asymmetry between management and investors and hence the importance of the external audit to investors in enhancing the credibility of EGC financial reporting may be more pronounced.
See EGC White Paper, at Figure 9 and Figure 12 (indicating that exchange-listed EGCs have lower market capitalization and revenue than exchange-listed non-EGCs).
For example, smaller public companies tend to have less analyst coverage and a greater share of insider holdings. See, e.g., Raymond Chiang and P. C. Venkatesh, Insider Holdings and Perceptions of Information Asymmetry: A Note, 43 Journal of Finance 1041 (1988); Ravi Bhushan, Firm Characteristics and Analyst Following, 11 Journal of Accounting and Economics 255 (1989).
The requirements could impact competition in an EGC product market if the indirect costs to audited companies of the requirements disproportionately impact the EGCs relative to their competitors. EGCs may be forced to raise prices, thereby diverting market share toward their competitors. This could increase competition in markets where EGCs have a dominant market share and decrease competition in markets where EGCs have a less than dominant market share. The potential impact to competition in EGC product markets would be reduced to the extent EGC auditors will already be required to comply with ISQM 1 or SQMS 1 or otherwise would choose not to pass on incremental costs arising from the requirements in the form of higher audit fees.
The proposal sought comment on the applicability of the proposed requirements to audits of EGCs. Some commenters agreed that the proposed requirements should apply to the audits of EGCs.
Accordingly, and for the reasons explained above, the Board requests that the Commission determine that it is necessary or appropriate in the public interest, after considering the protection of investors and whether the action will promote efficiency, competition, and capital formation, to apply QC 1000 and the related amendments to Board standards, rules, and forms to audits of EGCs.
III. Date of Effectiveness of the Proposed Rules and Timing for Commission Action
Within 45 days of the date of publication of this notice in the Federal Register or within such longer period (i) as the Commission may designate up to 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding; or (ii) as to which the Board consents, the Commission will:
(A) By order approve or disapprove such proposed rules; or
(B) Institute proceedings to determine whether the proposed rules should be disapproved.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rules are consistent with the requirements of Title I of the Act. Comments may be submitted by any of the following methods:
Electronic Comments
- Use the Commission's internet comment form (https://www.sec.gov/rules/pcaob); or
- Send an email to rule-comments@sec.gov. Please include PCAOB-2024-02 on the subject line.
Paper Comments
- Send paper comments in triplicate to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to PCAOB-2024-02. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website (https://www.sec.gov/rules/pcaob). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rules that are filed with the Commission, and all written communications relating to the proposed rules between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of such filing will also be available for inspection and copying at the principal office of the PCAOB. Do not include personal identifiable information in submissions; you should submit only information that you wish to make available publicly. We may redact in part or withhold entirely from publication submitted material that is obscene or subject to copyright protection. All submissions should refer to PCAOB-2024-02 and should be submitted on or before July 2, 2024.
For the Commission, by the Office of the Chief Accountant.
17 CFR 200.30-11(b)(1) and (3).
Vanessa A. Countryman,
Secretary.
BILLING CODE 8011-01-P
BILLING CODE 8011-01-C
[FR Doc. 2024-12692 Filed 6-10-24; 8:45 am]