Yesterday, the SEC approved, by a vote of three to two, a new PCAOB quality control standard, QC 1000, A Firm’s System of Quality Control, and related amendments to its standards, rules and forms. According to the press release, the new standard
“establishes an integrated, risk-based quality control standard that will require all registered public accounting firms to identify specific risks to their practice and design a quality control system that includes appropriate responses to guard against those risks. Registered firms that perform engagements under PCAOB standards will be required to implement and operate the QC system. The new quality control standard focuses on an audit firm’s accountability and continuous improvement of its audit practice and will require an annual evaluation of the firm’s QC system and related reporting to the PCAOB, certified by key firm personnel. In addition, firms that annually issue audit reports for more than 100 issuers will be required to establish an external quality control function (EQCF) composed of one or more persons who can exercise independent judgment related to the firm’s QC system.”
According to SEC Chief Accountant, Paul Munter, “[e]ffective QC systems provide critical investor protections by driving continuous improvement in firms’ audit quality in support of the issuance of informative, accurate, and independent audit reports….QC 1000 is an integrated risk-based QC standard that strikes an appropriate balance that can be applied by firms of varying sizes and complexities along with a set of mandates tailored to the size of the firms’ audit practices, which should assure that QC systems are designed, implemented, and operated with an appropriate level of rigor.” SEC Chair Gary Gensler pointed out that the “auditing profession has changed in the 21st century, and the Amendments we are considering today are long overdue. To put in context how important it is to update the quality control standards, the PCAOB found that 46 percent—nearly half—of the auditing engagements it reviewed in 2023 fell short of obtaining sufficient appropriate audit evidence.” The two dissenters primarily took issue with, in their view, the too-brief time allotted by the SEC to the process of refining the standard, the requirement that every PCAOB-registered firm design a compliant QC system—even if they are not required to implement it—and the failure to address adequately commenters’ concerns about the new EQCF. QC 1000 and related amendments will take effect on December 15, 2025.
The current PCAOB quality control standards are a holdover from the standards designed by American Institute of Certified Public Accountants and were developed almost 30 years ago, prior to the accounting scandals of the 2000s and the creation of the PCAOB under SOX. The press release explained that “QC 1000 addresses changes in the audit practice environment since that time and leverages what the PCAOB has learned through two decades of experience in its inspections and enforcement programs, including, for example, the increasing participation of other firms and other outside resources in firm engagements, the role of firm networks, and the evolving use of technology.”
In his statement, Gensler stressed that those “who rely on the auditors’ professional opinion must be able to trust that opinion. That trust, though, is based on the assumption that the firm has strong quality control. It’s important, therefore, that firms have a system in place to ensure quality control.” He briefly summarized the requirements of the proposed standard, addressing how it is designed to achieve that goal:
“First, the proposed standard requires firms to proactively identify and manage risks within their quality control systems. Second, the proposed standard reinforces the risk-based requirements by requiring ongoing monitoring and remediation—thus, driving continuous improvement. Third, the standard holds the firm’s leadership accountable in the event of quality control shortfalls. Finally, the standard has varying requirements that differ based upon the size and nature of the firm’s audit practice—thus, it’s not one-size-fits-all. For instance, while all firms have to design a quality control system, only those that perform engagements under PCAOB standards are required to implement and operate the QC system. Firms would also have flexibility in how they achieve the required quality control objectives. Meanwhile, the 13 largest firms that annually issue audit reports for over 100 issuers are required to have one or more independent persons evaluate the firm’s significant judgments and conclusions on the effectiveness of its QC system.”
In her dissenting statement, Commissioner Hester Peirce said that, while “[t]roublingly high audit deficiency rates” made the effort to revise the PCAOB’s quality controls standards worthwhile, the SEC and PCAOB “cut the process short and put out Q1000, a standard that still needs work.” Consequently, she was unable to support it. The dissent of one PCAOB member and concerns of commenters should have, in her view, led the SEC to provide more time to consider the standard. She also identified several implementation challenges, such as, first, the requirement that all registered firms design a quality control system that complies with QC 1000 even if they do not audit issuers or broker-dealers—a process that, she argues, will be “difficult, costly, and pointless.” Second, she contended that the standard had too many prescriptive elements that were not risk-based and that its expectations were not always clear. Third, she suggested that QC 1000 might not be consistent with other quality control standards from other standard setters, creating complexity. Fourth, she believed that there remained many unanswered questions about requirement to establish an EQCF, such as the role and responsibility of the EQCF, its process and the extent of its liability. In the end, she did not view this standard as ready for prime time. For those who want to delve deeper into these issues, her statement includes 10 questions (and 36 footnotes).
Commissioner Caroline Crenshaw pointed out that the standard has been a long time in the making, having begun the standard-setting process as a concept release in 2019. The new standard, she said, will “require PCAOB-registered audit firms to design a quality control system subject to prescribed quality objectives and processes,” but will provide firms the “flexibility to tailor the design of the required processes to their specific risks and needs.” The standard is also scaled: “All PCAOB-registered firms are required to design a quality control system and think through how to ensure basic quality systems. This exercise would never strike me as pointless. I’d rather design controls for a fire evacuation, and not use it, then never plan it at all. And while they must think it through, only those firms that actually perform an audit under PCAOB standards must then operate their quality control system. Of those firms, only a tiny subset—firms that perform over 100 engagements per year— would be subject to the full suite of the QC Amendments, including the External Quality Control Function.”
Commissioner Mark Uyeda dissented, dissatisfied with the process as well certain substantive elements of the standard. With regard to process, Uyeda characterized it as “fast and furious.” During the initial 90-day comment period, he said, “several commenters raised concerns that the PCAOB had not provided the public with an opportunity to consider the requirement for certain firms to adopt and implement an [EQCF] during its rulemaking process and that the final requirement was not a logical outgrowth from the Board’s proposal.” While the PCAOB responded with an expansive 28-page letter (which elicited comment letters asking for more information), the SEC issued notice of the meeting only two weeks after receiving the PCAOB’s letter. In light of the new information and feedback, he said, “it would have been prudent for the Commission to extend the process to allow for a thoughtful consideration of the standard, particularly the EQCF requirement….The Commission could have used more time to allow more market participants to express their views on the PCAOB’s letter and for the PCAOB to provide additional guidance.”
He also expressed concern about “the standard’s requirement that every PCAOB-registered firm, even those without a current audit engagement subject to PCAOB standards, must design a compliant QC system. While the requirement to implement and operate an effective QC system applies only to firms performing engagements, the standard’s ‘design-only’ requirement imposes costs without attendant benefits. This requirement may disproportionately burden smaller audit firms that do not have current engagements but may be seeking smaller public companies, broker-dealers, and others as clients.” In defending the requirement, the SEC cited the risk of unpreparedness to perform engagements. But Uyeda argued that the SEC was just being “paternalistic” when it implies “that public companies and broker-dealers engaging an audit firm cannot make their own judgments on the preparedness of a firm, simply because the firm had not designed a QC system before the engagement. In a competitive market for audit services, firms that are unable to successfully perform engagements will not receive engagements.”
Commissioner Jaime Lizárraga also noted the trend toward increased audit deficiencies reported by PCAOB inspectors in recent years, growing from 34% in 2021 to 46% in 2023. This “concerning trend,” he observed, suggests “that some firms’ QC systems are not providing reasonable assurance that its personnel comply with the firm’s standards of quality.” The modernized standard that the PCAOB adopted “achieves a careful balance between a risk-based approach and standardized requirements. The result is a common baseline that fosters predictability and a level playing field. But the part of the standard requiring an [EQCF] applies only to firms that audit more than 100 issuers annually. In 2023, only 14 firms, out of a total of more than 1600 registered firms, met this threshold. The EQCF is based on the notion that a second pair of impartial eyes can be helpful when evaluating the significant judgments and conclusions that an audit firm has made with respect to its QC system. This provision has been informed by, and evolved from, extensive stakeholder input over many years.”