The American Institute of CPAs is still concerned about the Public Company Accounting Oversight Board’s new firm and engagement metrics standard, despite some modifications from the original proposal.
Under the new rules, PCAOB-registered public accounting firms that audit one or more issuers that qualify as an accelerated filer or large accelerated filer will be required to publicly report specified metrics relating to such audits and their audit practices. The metrics cover the following eight areas:
Partner and manager involvement;
Workload;
Training hours for audit personnel;
Experience of audit personnel;
Industry experience;
Retention of audit personnel (firm-level only);
Allocation of audit hours; and,
Restatement history (firm-level only).
The AICPA reacted cautiously to the announcement. “We’re still studying the components of the final firm metrics requirements but, as we stated in our comment letter to the PCAOB this past summer, these rules will place a significant burden on small and midsized audit firms and could lead some to exit public company auditing altogether,” said the AICPA in a statement emailed Friday to Accounting Today. “This is not just conjecture: a majority of respondents (51%) to a recent survey we did of Top 500 firms with audit practices said they would rethink engaging in public company audits if the requirements were approved.”
The PCAOB it made some modifications to the original proposal in response to the comments had received since April:
Reduced the metric areas to eight (from 11);
Refined the metrics to simplify and clarify the calculations;
Increased the ability to provide optional narrative disclosure (from 500 to 1,000 characters); and,
Updated the effective date. (If approved by the SEC, the earliest effective date of the firm-level metrics will be Oct. 1, 2027, with the first reporting as of September 30, 2028, and engagement-level metrics for the audits of companies with fiscal years beginning on or after Oct. 1, 2027.)
The AICPA welcomed those changes but doesn’t think they go far enough. “We’re glad the PCAOB took some comments to heart by extending implementation dates, particularly for smaller firms, and lowering the number of required metrics,” said the AICPA. “But the potential consequences of the remaining requirements — reduced competition and market diversity in the public audit space — are a significant risk. We hope the SEC will give these unintended outcomes the weight they deserve before giving final approval to the requirements.”
The Securities and Exchange Commission would still need to give final approval to the standard, as well as the new firm reporting standard. Last week, the PCAOB decided to pause work on its controversial NOCLAR standard, on noncompliance with laws and regulations, until next year. On Thursday, SEC chairman Gary Gensler announced he would be stepping down in January, which may affect the timing of its approval or disapproval by the SEC. With the incoming Trump administration, the SEC is expected to take a far less aggressive stance on enforcement and regulation. On Friday, the SEC announced that it filed 583 total enforcement actions in fiscal year 2024 while obtaining orders for $8.2 billion in financial remedies, the highest amount in SEC history.
Audit and finance skills are heavily in demand for corporate board members, according to a recent survey.
BDO’s 2024 Board Survey polled 249 corporate directors of public company boards in July and August and found that 27% of respondents said the top skill set for directors in 2025 is audit/finance.
“It was tied actually with cybersecurity as a skill set, and then just behind technology implementation and industry specialization, as well as corporate strategy,” said Amy Rojik, national managing principal for corporate governance of BDO USA. “I think this reflects several things that are important to public companies, in particular the heightened focus of stakeholders, especially regulators and investors, on the need for high-quality and reliable financial information and disclosures to aid in investment decisions. We all know that regulators are heavily pushing for transparency and disclosures across the board, and in particular with respect to financial accounting and reporting disclosures, along with important oversight responsibilities, particularly in increasing risk areas like cybersecurity where breaches can really have a material impact on a company’s financial condition.”
The survey asked the board members what they believe are the greatest near-team opportunities for generative AI, and 11% cited finance and accounting.
“Anecdotally, the top three board education continuing education topics that we get asked to provide to the board are generative AI, cybersecurity and enterprise risk management,” said Rojik. “Those by far are the most requested things that, especially with the audit committee, we’re seeing as a topic of conversation that they want to dive deeper into. I find that very encouraging because it’s across the board.”
Some 17% of the survey respondents indicated that advancing the use of emerging technology is a top strategic priority, while lagging implementation of emerging technology (27%) is a top-cited risk. At the same time, a slight majority of directors (51%) indicated they plan to increase investment in emerging technology, while 41% intend to increase investment in cybersecurity, data privacy and governance over the next year.
Generative AI has become a governance focus, with directors pursuing use cases and working to mitigate a wide array of risks. Approximately one third of directors (31%) selected customer experience (16%) or product/service development (15%) as the greatest opportunity for generative AI.
Rojik pointed to a recent spotlight report from the Public Company Accounting Oversight Board on how auditing firms and financial statement preparers are using AI.
“It’s probably more at the forefront, where we’re probably on the audit side preparing more administrative documents or initial drafts of memos and presentations and researching internal accounting and auditing guidance,” she said. “Preparers may be doing something similar, maybe summarizing accounting standards and interpretations, and benchmarking company information. And then some are even using generative AI to assist in the performance of less complex and repetitive processes, such as preparing account recs or identifying reconciling items. I think the potential investments that companies are looking forward to are summarizing accounting policy and legal documents, evaluating completeness of audit documentation against relevant documentation requirements, performing risk assessment procedures and scoping the audit.”
But data privacy and security remain important factors, she added. Firms need to be careful about client information being loaded into a generative AI-enabled tool, who is allowed to use those types of tools on the audit, what level of staff, and where the supervision is in those models.
“There’s still, fortunately for all of us, a very high human element of supervision and review to make sure this is all making sense and that we understand what’s going into these models that we’re exploring and what’s coming out has integrity,” said Rojik. “We have a long way to go on both sides of that, from an audit perspective and from a financial reporting perspective. I would say with confidence every audit firm is looking at how to do that, but they’re also looking at it from a lens of how the regulators are going to monitor, enforce and regulate that. There’s more to come in that space certainly, but that’s a huge area to keep an eye on for boards.”
The survey also included data on committee allocation for audit, and found 57% of the public company board respondents have an audit committee and serve on it, while 43% have an audit committee and do not serve on it, and 0% do not have an audit committee.
The audit committee and others are confronting risks from technology and the economy.
“Organizations are really considering where they should be allocating risks, especially emerging risks, and so we’re taking a look at their traditional board structures in terms of the committee allocations,” said Rojik. “Is the audit committee the right committee to put all these emerging risks in? Should there be special committees of the board, or should there be separate committees? Several of our clients have recently instituted separate technology committees, or technology innovation committees. Some, especially financial institutions of a certain size, are required to have risk committees. The most important thing boards can be doing, though, is looking at how they’re putting together that allocation through their charters and other documents that hold them accountable, and then looking at how regulators are viewing the required disclosures.”