Coming soon to a financial statement near you: CAMs! Late this summer, in audit reports for large accelerated filers with June 30 fiscal year ends, auditors will begin to disclose “critical audit matters.” Under the new auditing standard for the auditor’s report (AS 3101), CAMs are defined as “matters communicated or required to be communicated to the audit committee and that: (1) relate to accounts or disclosures that are material to the financial statements; and (2) involved especially challenging, subjective, or complex auditor judgment.” Essentially, the concept is intended to capture the matters that kept the auditor up at night, so long as they meet the standard’s criteria. Compliance will be required for audits of large accelerated filers for fiscal years ending on or after June 30, 2019, and for audits of all other companies to which the requirement apply (not EGCs) for fiscal years ending on or after December 15, 2020. With that in mind, the PCAOB has released three new documents offering guidance on CAM implementation: The Basics; A Deeper Dive on the Determination of CAMs; and Staff Observations from Review of Audit Methodologies. (See also thecorporatecounsel.net blog.)
You may remember that the PCAOB requirement to disclose CAMs in audit reports was approved in 2017 after many years of self-examination, meditation, rumination, reflection, cogitation, outreach, discussion, debate and deliberation about the concept of the audit report. Following the financial crisis of 2008, the fact that clean audit reports were given to a number of failed or failing companies, together with the lack of transparency in the current form of audit report, led to a demand for a new look at whether the pass/fail report model might be improved; the current model has long been disparaged as just boilerplate that doesn’t really convey to investors any of the auditor’s insight into judgment calls and business risks. In 2011, the PCAOB sought to address this concern in a Concept Release by floating various alternatives, principle among them the “auditor’s discussion and analysis.” (See this Cooley news brief.) But the ADA concept was widely criticized because, among other things, it was viewed as “fundamentally changing the auditor’s current role from attesting on information prepared by management to providing an analysis of financial statement information,” thus causing the auditors to step into a role of management. After a number of proposals and reproposals, the final standard was adopted. Then SEC Commissioner Kara Stein observed in her statement on approving the new standard that it “marks the first significant change to the auditor’s report in more than 70 years.”
In “The Basics,” the staff of the PCAOB runs through the “basic” provisions of the rule at a high level. No surprises here. The PCAOB summarizes how CAMs are determined, provides the required introductory language, outlines the documentation necessary (particularly in connection with matters determined not to be CAMs), as well as the required communications with the audit committee. (For a summary of the requirements in the adopting release, see this PubCo post.)
In “Deeper Dive,” the staff delves further into the subject of CAM determinations, first observing that “CAMs are required to relate to accounts or disclosures that are material to the financial statements. Materiality is not solely based on quantitative factors; it also reflects qualitative factors.” For example, a potential loss contingency might be a CAM, but not if the likelihood was determined to be remote and it was not recorded in the financial statements; in that case it would “not relate to an account or disclosure that is material to the financial statements.” A potentially illegal act could be qualitatively material (and potentially a CAM), even if the amounts involved were not quantitatively material, so long as there was an accrual or disclosure in the financial statements. A CAM could also relate to many accounts or disclosures and have a pervasive effect on the financial statements, such as in the event of a potential going-concern qualification.
The staff also runs through a number of FAQs, as summarized below:
- It’s all relative. The staff notes that the “standard uses the word ‘especially,’ instead of ‘most’ as originally proposed, to convey more clearly that there could be multiple CAMs and that matters are assessed on a relative basis within the specific audit.” Each of the specific criteria in the definition are to be considered individually and in combination. The description of the CAM should be specific and discuss why the auditor determined that the matter was a CAM—what especially challenging, subjective or complex auditor judgments were implicated.
- Consistency across auditors? Although the requirements for determining CAMs are principles-based and fact-specific, some issues inherently fit the bill, regardless of the auditor. For example, the staff observes, “[b]y their nature, accounting estimates generally involve subjective assumptions and measurement uncertainty and may involve complex methods.” That’s generally the case with estimates regardless of the characteristics of the auditor, according to the staff. However, other matters may well reflect differences in auditor judgments.
- Consistency across years? That depends on the circumstances. Some issues may meet the definition every year, while others my occur only in one year, for example, implementation of a new accounting standard or accounting for a significant unusual transaction. Some may be CAMs sporadically, such as the audit of deferred tax assets accounts and disclosures when the auditor is required to assess the company’s ability to use NOL carryforwards.
- Evaluation of events related to overall business or the economic or regulatory environment. Events of this type—natural disasters, cybersecurity breaches, significant changes in regulations, standards, government policy or the economic or business environment—are sometimes the subject of communications between the auditor and the audit committee, leading auditors to consider the impact on the audit and the audit response. The example the staff provides is of a cybersecurity breach that targets the company’s general ledger system, which could affect specific accounts or could be pervasive. With regard to CAM determination, the auditors would assess the impact of the breach on the financials and the audit.
- Internal control weaknesses or deficiencies. The evaluation of control weaknesses or deficiencies are not, by themselves, CAMs because they do not relate to a financial statement account or disclosure. However, in light of the possibility of material misstatements of account balances or disclosures resulting from a control weakness or deficiency, the audit response to the deficiency or weakness could involve especially challenging, subjective or complex auditor judgment and could be a CAM. In describing the related CAM, if “a significant deficiency was among the principal considerations in determining that a matter was a CAM, the auditor would describe the relevant control-related issues over the matter in the broader context of the CAM without using the term ‘significant deficiency.’ For material weaknesses, unlike significant deficiencies, there is reporting by the company, so there would be no sensitivity around using that term in a CAM description if referring to the existence of a material weakness was responsive to the requirements for CAM communication.”
- CAMs and critical accounting estimates. CAEs (estimates to be discussed in MD&A because high levels of subjectivity or uncertainty make them material or subject to change or the effect on the financials is material) and CAMs may overlap, but they are not congruent. The source of CAMs is broader, and matters that are not CAEs may be determined to be CAMs.
- “Significant risks” as CAMs. These two matters may also overlap but are not the same. Among the factors to be considered by the auditor in determining whether a matter is a CAM is the auditor’s assessment of the risks of material misstatement, including significant risks. However, if responding to a significant risk did not involve especially challenging, subjective or complex auditor judgment, that response would not be a CAM. And, while audit responses to risks of material misstatement may not amount to “significant risks,” they could still meet the CAM definition, “particularly when the risks relate to areas in the financial statements which involve greater degrees of judgment and estimation.”
- Audit strategy and CAMs. While decisions and changes to audit strategy may not themselves be CAMs, they could be indicative of CAMs and included in the description of how the auditor addressed the CAM, such as the degree of auditor judgment, the extent of audit effort or the nature of the audit evidence.
- Disclosures not in the financial statements and CAMs. CAMs, by definition, must relate to financial statement accounts or disclosures. Ordinarily, the auditor would not include in the CAM description information about the company that had not been made publicly available by the company unless the “information is necessary to describe the principal considerations that led the auditor to determine that a matter is a CAM or how the matter was addressed in the audit.” However, public disclosures by the company outside the financials can be used in the CAM description.
In “Staff Observations,” the PCAOB staff has reviewed CAM methodologies and materials submitted by 10 US audit firms (collectively auditing approximately 85% of large accelerated filers), and provides some insights gleaned from that review. Generally, the observations cautioned auditors to be specific in their disclosures and not to view the new standard too narrowly. Auditors were advised:
- Not to exclude any audit committee communication from the population of potential CAMs.
- In determining CAMs, to consider, in addition to the six factors identified in the standard (see this PubCo post), other factors specific to the audit, as provided in the standard.
- To be specific in describing the principal considerations that led to the CAM determination—not just that the matter was especially challenging etc., but why it involved especially challenging, subjective or complex auditor judgment.
- When describing how a matter was addressed in the audit, to tailor discussion to the specific audit and the specific matter and to avoid standardized language. For example, instead of a general reference to internal control testing, the auditor should “describe the testing of the relevant controls.”
- To recognize that the communication can refer to both the relevant financial statement account and the relevant disclosure; they are not necessarily alternatives.
- To recognize that “publicly available” information, which may be included in the CAM description, may include information made public by the company outside the financial statements.
- To recognize that, although the auditor is required to provide a draft of the CAM to the audit committee and is expected to discuss the draft with the committee, “CAMs are the responsibility of the auditor—not the audit committee.”