2024-14488. Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules on Amendments Related to Aspects of Designing and Performing Audit Procedures That Involve Technology-Assisted Analysis of Information in Electronic Form  

    June 26, 2024.

    Pursuant to section 107(b) of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley,” or the “Act”), notice is hereby given that on June 20, 2024, the Public Company Accounting Oversight Board (the “Board” or the “PCAOB”) filed with the Securities and Exchange Commission (the “Commission” or the “SEC”) the proposed rules described in items I and II below, which items have been prepared by the Board. The Commission is publishing this notice to solicit comments on the proposed rules from interested persons.

    I. Board's Statement of the Terms of Substance of the Proposed Rules

    On June 12, 2024, the Board adopted Amendments Related to Aspects of Designing and Performing Audit Procedures that Involve Technology-Assisted Analysis of Information in Electronic Form (“proposed rules”). The text of the proposed rules appears in Exhibit A to the SEC Filing Form 19b-4 and is available on the Board's website at https://pcaobus.org/about/rules-rulemaking/rulemaking-dockets/docket-052 and at the Commission's Public Reference Room.

    II. Board's Statement of the Purpose of, and Statutory Basis for, the Proposed Rules

    In its filing with the Commission, the Board included statements concerning the purpose of, and basis for, the proposed rules and discussed any comments it received on the proposed rules. The text of these statements may be examined at the places specified in Item IV below. The Board prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements. In addition, the Board is requesting that the Commission approve the proposed rules, pursuant to section 103(a)(3)(C) of the Act, for application to audits of emerging growth companies (“EGCs”), as that term is defined in section 3(a)(80) of the Securities Exchange Act of 1934 (“Exchange Act”). The Board's request is set forth in section D.

    A. Board's Statement of the Purpose of, and Statutory Basis for, the Proposed Rules

    (a) Purpose

    The Board adopted amendments to AS 1105, Audit Evidence, and to AS 2301, The Auditor's Responses to the Risks of Material Misstatement, and conforming amendments to another PCAOB auditing standard (collectively, the “amendments” or “final amendments”). The amendments are designed to improve audit quality and enhance investor protection by addressing the growing use of certain technology in audits.

    In particular, the amendments update PCAOB auditing standards to more specifically address certain aspects of designing and performing audit procedures that involve analyzing information in electronic form with technology-based tools (i.e., technology-assisted analysis). The amendments are designed to decrease the likelihood that an auditor who performs audit procedures using technology-assisted analysis will issue an auditor's report without obtaining sufficient appropriate audit evidence that provides a reasonable basis for the opinion expressed in the report.

    Information from the PCAOB's research project on Data and Technology indicates that some auditors are expanding their use of technology-assisted analysis (often referred to in practice as “data analysis” or “data analytics”) in the audit. Auditors use technology-assisted analysis in many different ways, including when responding to significant risks of material misstatement to the financial statements. For example, some auditors use technology-assisted analysis to examine the correlation between different types of transactions, compare company information to auditor-developed expectations or third-party information, or recalculate company information.

    Existing PCAOB standards discuss certain fundamental auditor responsibilities, including addressing the risks of material misstatement to the financial statements by obtaining sufficient appropriate audit evidence. However, the standards do not specifically address certain aspects of using technology-assisted analysis in the audit. If not designed and executed appropriately, audit procedures that involve technology-assisted analysis may not provide sufficient appropriate audit evidence as required by the standards.

    Having considered the expanded use of technology-assisted analysis by auditors, the Board proposed amendments in June 2023 to address certain aspects of designing and performing audit procedures that involve technology-assisted analysis. Commenters generally supported the objective of improving audit quality and enhancing investor protection by clarifying and strengthening requirements in AS 1105 and AS 2301 related to certain aspects of designing and performing audit procedures that involve technology-assisted analysis. In adopting the final amendments, the Board took into account the comments received.

    The amendments further specify and clarify certain auditor responsibilities that are described in AS 1105 and AS 2301. The amendments are focused on addressing certain aspects of technology-assisted analysis, not specific matters relating to other technology applications used in audits (e.g., blockchain or artificial intelligence) or the evaluation of the appropriateness of tools under the firm's system of quality control. The amendments are principles-based and therefore intended to be adaptable to the evolving nature of technology. In particular, the amendments:

    • Specify considerations for the auditor's investigation of items identified when performing tests of details;
    • Specify that if the auditor uses an audit procedure for more than one purpose, the auditor should achieve each objective of the procedure;
    • Specify auditor responsibilities for evaluating the reliability of external information provided by the company in electronic form and used as audit evidence;
    • Emphasize the importance of controls over information technology;
    • Clarify the description of a “test of details”;
    • Emphasize the importance of appropriate disaggregation or detail of information to the relevance of audit evidence; and
    • Update certain terminology in AS 1105 to reflect the greater availability of information in electronic form and improve the consistency of the use of such terminology throughout the standard.

    The amendments will apply to all audits conducted under PCAOB standards. Subject to approval by the SEC, the amendments will take effect for audits of financial statements for fiscal years beginning on or after December 15, 2025.

    See Exhibit 3 for additional discussion of the purpose of this project.

    (b) Statutory Basis

    The statutory basis for the proposed rules is Title I of the Act.

    B. Board's Statement on Burden on Competition

    Not applicable. The Board's consideration of the economic impacts of the proposed rules is discussed in section D below.

    C. Board's Statement on Comments on the Proposed Rules Received From Members, Participants or Others

    The Board initially released the proposed rules for public comment in PCAOB Release No. 2023-004 (June 26, 2023). The Board received 21 written comment letters relating to its initial proposed rules. See Exhibits 2(a)(B) and 2(a)(C). The Board has carefully considered all comments received. The Board's response to the comments it received, and the changes it made to the rules in response to the comments received, are discussed below.

    Background

    In 2010, the Board adopted auditing standards related to the auditor's assessment of and response to risk (the “risk assessment standards”), including AS 1105 and AS 2301. Although the risk assessment standards were designed to apply to audits when auditors use information technology, the use of information in electronic form [1] and the use of technology-based tools [2] by companies and their auditors to analyze such information has expanded significantly since these standards were adopted.

    In light of the increased use of technology by companies and auditors, in 2017 the Board began a research project to assess the need for guidance, changes to PCAOB standards, or other regulatory actions.[3] Through this research the Board found that auditors have expanded their use of certain technology-based tools, including tools used to perform technology-assisted analysis (as described above, also referred to in practice as “data analytics” or “data analysis” [4]), to plan and perform audits. While the Board's research indicated that auditors are using technology-assisted analysis to obtain audit evidence, it also indicated that existing PCAOB standards could address more specifically certain aspects of designing and performing audit procedures that involve technology-assisted analysis. Consequently, under existing standards, there is a greater risk that when using technology-assisted analysis in designing and performing audit procedures, auditors may fail to obtain sufficient appropriate evidence in the audit.

    The amendments in this release are intended to improve audit quality through principles-based requirements that apply to all audits conducted under PCAOB standards. They are designed to decrease the likelihood that an auditor who performs audit procedures using technology-assisted analysis will issue an auditor's report without obtaining sufficient appropriate audit evidence that provides a reasonable basis for the opinion expressed in the report. The remainder of this section of the release provides an overview of the rulemaking history, existing requirements, and current practice. In addition, it discusses reasons to improve the existing standards.

    Rulemaking History

    In June 2023, the Board proposed to amend AS 1105 and AS 2301 to address aspects of designing and performing audit procedures that involve technology-assisted analysis and that the Board's research indicated are not specified in existing PCAOB standards.[5] The proposed amendments were informed by the staff's research regarding auditors' use of technology, as described above.

    The proposed amendments: (i) specified considerations for the auditor's investigation of items that meet criteria established by the auditor when designing or performing substantive audit procedures; (ii) specified that if an auditor uses audit evidence from an audit procedure for more than one purpose the procedure needs to be designed and performed to achieve each of the relevant objectives; (iii) provided additional details regarding auditor responsibilities for evaluating the reliability of external information maintained by the company in electronic form and used as audit evidence; (iv) clarified the differences between “tests of details” and “analytical procedures,” and emphasized the importance of appropriate disaggregation or detail of information to the relevance of audit evidence; and (v) updated certain terminology in AS 1105 to reflect the greater availability of information in electronic form and improve the consistency of the use of such terminology throughout the standard.

    The Board received 21 comment letters on the proposal. Commenters included an investor-related group, registered public accounting firms (“firms”), firm-related groups, academics, and others. The Board considered all comments in developing the final amendments, and specific comments are discussed in the analysis that follows. Commenters generally supported the Board's efforts to modernize the auditing standards to specifically address certain aspects of designing and performing audit procedures that involve technology-assisted analysis, and some commenters offered suggestions to improve and clarify the proposed amendments.

    Existing Requirements

    The final amendments modify certain requirements of PCAOB standards relating to audit evidence and responses to risk (AS 1105 and AS 2301). AS 1105 explains what constitutes audit evidence and establishes requirements regarding designing and performing audit procedures to obtain sufficient appropriate audit evidence. AS 2301 establishes requirements regarding designing and implementing appropriate responses to identified and assessed risks of material misstatement.

    The following discussion provides a high-level overview of the areas of the PCAOB standards that the amendments address. The discussion further below provides additional details regarding the specific requirements that the Board amended.

    Classification of Audit Procedures (See Figure 1 below)—Under PCAOB standards, audit procedures can be classified into either risk assessment procedures or further audit procedures, which consist of tests of controls and substantive procedures. Substantive procedures include tests of details and substantive analytical procedures.[6] Existing standards provide examples of specific audit procedures [7] and describe what constitutes a substantive analytical procedure,[8] but do not describe what constitutes a test of details. PCAOB standards do not preclude the auditor from designing and performing audit procedures to accomplish more than one purpose. The purpose of an audit procedure determines whether it is a risk assessment procedure, test of controls, or substantive procedure.[9]

    Figure 1. Classification of Audit Procedures

    Items Identified for Investigation in a Test of Details—Designing substantive tests of details and tests of controls includes determining the means of selecting items for testing. Under existing standards, the alternative means of selecting items for testing include selecting specific items, selecting a sample that is expected to be representative of the population (i.e., audit sampling), or selecting all items. The auditor may decide to select for testing specific items within a population because they are important to accomplishing the objective of the audit procedure or because they exhibit some other characteristic.[10] Existing PCAOB standards specify the auditor's responsibilities for planning, performing, and evaluating an audit sample,[11] but do not specify the auditor's responsibilities for addressing items identified when performing a test of details on specific items, or all items, within a population.

    Relevance and Reliability of Audit Evidence—Under PCAOB standards, audit evidence is all the information, whether obtained from audit procedures or other sources, that is used by the auditor in arriving at the conclusions on which the auditor's opinion is based.[12] PCAOB standards require the auditor to plan and perform audit procedures to obtain sufficient appropriate audit evidence to provide a reasonable basis for their audit opinion. Sufficiency is the measure of the quantity of audit evidence, and appropriateness is the measure of its quality. To be appropriate, audit evidence must be both relevant and reliable in providing support for the auditor's conclusions.[13]

    The relevance of audit evidence depends on the design and timing of the audit procedure. The reliability of audit evidence depends on the nature and source of the evidence and the circumstances under which it is obtained, such as whether the information is provided to the auditor by the company being audited and whether the company's controls over that information are effective.[14] In addition, when using information produced by the company as audit evidence, the auditor is responsible for evaluating whether the information is sufficient and appropriate for purposes of the audit.[15] Existing PCAOB standards do not specify auditor responsibilities regarding information the company received from one or more external sources and provided in electronic form to the auditor to use as audit evidence.

    Current Practice

    The Board's research indicated that audit procedures involving technology-assisted analysis are an important component of many audits. The use of technology-assisted analysis has expanded over the last decade as more accounting firms, including smaller firms, incorporate such analysis as part of their audit procedures. However, the investment in and use of technology-assisted analysis vary across registered firms and across individual audit engagements within a firm.[16]

    The greater availability of both information in electronic form and technology-based tools to analyze such information has contributed significantly to the increase in the use of technology-assisted analysis by auditors. More companies use enterprise resource planning (“ERP”) and other information systems that maintain large volumes of information in electronic form, including information generated internally by the company and information that the company receives from external sources. Significant volumes of this information are available to auditors for use in performing audit procedures.

    Powerful technology-based tools that process and analyze large volumes of information have become more readily available to auditors. As a result, auditors sometimes apply technology-assisted analysis to the entire population of transactions within one or more financial statement accounts or disclosures. The Board's research indicated that auditors primarily use technology-assisted analysis to identify and assess risks of material misstatement. Technology-assisted analysis enables the auditor to identify new risks or to refine the assessment of known risks. For example, by analyzing a full population of revenue transactions, an auditor may identify certain components of the revenue account as subject to higher risks or may identify new risks of material misstatement associated with sales to a particular customer or in a particular location.

    Increasingly, some auditors also have been using technology-assisted analysis in audit procedures that respond to assessed risks of material misstatement, including in substantive procedures. For example, such analysis has been used to test the details of all items in a population, assist the auditor in selecting specific items for testing based on auditor-developed criteria, or identify items for further investigation when performing a test of details. The staff has observed that auditors' use of technology-assisted analysis occurs mostly in the testing of revenue and related receivable accounts, inventory, journal entries, expected credit losses, and investments.[17] As discussed below, some auditors use audit evidence obtained from such analysis to achieve more than one purpose.

    Audit methodologies of several firms affiliated with global networks address the use of technology-assisted analysis by the firms' audit engagement teams. For example, the methodologies specify audit engagement teams' responsibilities for: (i) designing and performing audit procedures that involve technology-assisted analysis (e.g., determining whether an audit procedure is a substantive procedure); (ii) evaluating analysis results (e.g., whether identified items indicate misstatements or whether performing additional procedures is necessary to obtain sufficient appropriate audit evidence); and (iii) evaluating the relevance and reliability of information used in the analysis.

    Commenters on the proposal generally agreed with the description of the current audit practice and the auditor's use of technology-assisted analysis. One of these commenters noted that, in addition, auditors can also use technology-assisted analysis to help understand a company's flow of transactions, especially given increases in the number and complexities of a company's information systems.

    Reasons To Improve the Auditing Standards

    The amendments in this release are intended to improve audit quality through principles-based requirements that apply to all audits.

    1. Areas of Improvement

    The amendments are designed to decrease the likelihood that an auditor who performs audit procedures using technology-assisted analysis will issue an auditor's report without obtaining sufficient appropriate audit evidence that provides a reasonable basis for the opinion expressed in the report. Observations from the PCAOB's Data and Technology research project indicate that some auditors are using technology-assisted analysis in audit procedures whereas others may be reluctant to do so due to perceived regulatory uncertainty. The research further suggests that clarifications to PCAOB standards could more specifically address certain aspects of designing and performing audit procedures that involve technology-assisted analysis. The Board's Investor Advisory Group has also noted that auditors' use of technology-assisted analysis is an area of concern due to auditors' potential overreliance on company-produced information, and that addressing the use of such analysis in the standards could be beneficial.[18]

    Using technology-assisted analysis may enhance the effectiveness of audit procedures. For example, analyzing larger volumes of information and in more depth may better inform the auditor's risk assessment by providing different perspectives, providing more information when assessing risks, and exposing previously unidentified relationships that may reveal new risks. At the same time, inappropriate application of PCAOB standards when designing and performing audit procedures that involve technology-assisted analysis has the potential to compromise the quality of audits where the procedures are used. For example, PCAOB oversight activities have found instances of noncompliance with PCAOB standards related to evaluating the relevance and reliability of company-provided information and evaluating certain items identified in audit procedures involving technology-assisted analysis.[19]

    The amendments to existing PCAOB standards in this release address aspects of designing and performing audit procedures that involve technology-assisted analysis where the Board identified the need for additional specificity or clarity in the existing standards.[20] These aspects include areas where PCAOB oversight activities have identified instances of noncompliance with PCAOB standards and areas where auditors have raised questions during the Board's research regarding the applicability of PCAOB standards to the use of technology-assisted analysis. The discussion below describes the amendments in more detail. The discussion further below describes alternatives that the Board considered.

    2. Comments on the Reasons To Improve

    Commenters generally supported the Board's efforts to modernize its auditing standards to specifically address aspects of designing and performing audit procedures that involve technology-assisted analysis. Several commenters highlighted that auditors' use of technologies, including technology-assisted analysis, continues to grow, and one of these commenters noted that the proposal is an important step forward to address this rapidly changing environment. An investor-related group stated that PCAOB standards should directly address auditors' use of technology and data, and that the proposed amendments to AS 1105 and AS 2301 were responsive to their concern about auditor overreliance on technology-assisted analysis.

    Commenters also generally supported the principles-based nature of the proposed amendments and the Board's decision not to require the use of technology-assisted analysis. One commenter, for example, noted that audit procedures performed using technology-based tools may not always provide sufficient appropriate audit evidence. An investor-related group, however, recommended that the Board consider requiring auditors to use certain (but unspecified) types of technology-based tools that financial research and investment management firms have used to analyze financial statements. As discussed further below, requiring the use of technology would have been outside the scope of the project. The Board retained the principles-based nature of the proposed amendments within the final amendments, so that the standards are flexible and can adapt to the continued evolution of technology.

    Several commenters stated that the Board should consider the effect of auditors' and companies' use of technology more broadly on the audit. One commenter stated that technology will need to be an ongoing focus for the Board in its standard setting given the evolving nature of technology, and that broader change may be needed. This commenter also recommended a more holistic standard-setting approach that is interconnected with other PCAOB projects. Other commenters stated that as technology continues to evolve, the Board should continue to research and evaluate the need for standard setting related to other types of technology used in the audit, such as artificial intelligence. Academics emphasized the need for the PCAOB to be forward-thinking to regulate in this area.

    As the Board stated in the proposal, these amendments address only one area of auditors' use of technology—certain aspects of designing and performing audit procedures that involve technology-assisted analysis. Other areas continue to be analyzed as part of the Board's ongoing research activities. In addition, the Board's Technology Innovation Alliance Working Group continues to advise the Board on the use of emerging technologies by auditors and preparers relevant to audits and their potential impact on audit quality.[21] These ongoing activities may inform future standard-setting projects.

    Commenters also expressed a need for more guidance and illustrative examples. One of these commenters stated that additional explanatory materials or separate guidance could help maintain competition among firms. Another stated that insights from the PCAOB's research and oversight activities would benefit small and mid-sized accounting firms in identifying and selecting appropriate tools.

    Throughout this release, where appropriate, the Board has incorporated examples and considerations for applying the final amendments. The examples and considerations highlight the principles-based nature of the amendments and emphasize that the nature, timing, and extent of the auditor's procedures will depend on the facts and circumstances of the audit engagement. In addition, the staff's ongoing research activities will continue to evaluate the need for staff guidance.

    Discussion of the Final Amendments

    Specifying Auditor Responsibilities When Performing Tests of Details

    See paragraphs .10 and .48 through .50 of AS 2301 of the amendments.

    1. Clarifying “Test of Details”

    The Board proposed to amend AS 1105.13 and .21 to address the differences between the terms “test of details” and “analytical procedures,” by clarifying the meaning of the term “test of details.” The proposed amendments stated that a test of details involves performing audit procedures with respect to individual items included in an account or disclosure, whereas analytical procedures generally do not involve evaluating individual items, unless those items are part of the auditor's investigation of significant differences from expected amounts. The Board adopted the proposed description of a “test of details” with certain modifications as discussed further below, including relocating the description from AS 1105 to new paragraph .48 in AS 2301.

    Under PCAOB standards, the auditor's responses to risks of material misstatement involve performing substantive procedures for each relevant assertion of each significant account and disclosure, regardless of the assessed level of control risk.[22] Substantive procedures under PCAOB standards include tests of details and substantive analytical procedures.[23] Appropriately designing and performing an audit procedure to achieve a particular objective is key to appropriately addressing the risks assessed by the auditor. For significant risks of material misstatement, including fraud risks, the auditor is required to perform substantive procedures, including tests of details that are specifically responsive to the assessed risk.[24] PCAOB standards also state that it is unlikely that audit evidence obtained from substantive analytical procedures alone would be sufficient.[25]

    As discussed in the proposal, the use of “data analytics” or “data analysis” in practice and the use of the term “analytical procedures” in PCAOB standards have led to questions about whether an audit procedure involving technology-assisted analysis can be a test of details (i.e., not an analytical procedure as described under PCAOB standards). The distinction is important because of the requirement in PCAOB standards that the auditor perform tests of details when responding to an assessed significant risk of material misstatement. Relying on analytical procedures alone to address an assessed significant risk is not sufficient.

    Commenters on this topic supported clarifying the meaning of tests of details and that tests of details involve performing audit procedures at an individual item level. However, several commenters stated that with technology-assisted analysis, aspects of a substantive analytical procedure may also be performed at an individual item level. Some commenters provided examples where the auditor uses a technology-assisted analysis to develop an expectation of recorded amounts for individual items in an account and aggregates the individual amounts to compare to the aggregated amount recorded by the company.

    One commenter suggested clarifying the term “individual items” given the varying forms and level of disaggregation of data obtained for analysis by the auditor. This commenter suggested further clarifying that consideration be given to the objective of the audit procedure, the nature of the procedure to be applied, and the evidence necessary to meet the objective of the audit procedure. Another commenter sought additional information related to circumstances where a procedure would not be considered a test of details because it was not applied to individual items in an account.

    Some commenters, mostly firms, expressed a preference that the standards not compare tests of details to analytical procedures. For example:

    • A firm-related group stated that the proposed clarification was unnecessarily nuanced.
    • Another commenter stated that the proposed description of analytical procedures as compared to tests of details was not accurate and could cause confusion.
    • Other commenters stated that analytical procedures are clearly defined in PCAOB standards and are well understood by auditors, and that comparing tests of details to analytical procedures is unnecessary.
    • Some commenters suggested evaluating the proposed amendments together with the Board's standard-setting project to address substantive analytical procedures.

    Other commenters stated that technology-assisted analysis continues to make classification of procedures between tests of details and analytical procedures more challenging because some procedures may exhibit characteristics of both types of procedures. These commenters suggested that the auditing standards focus on the sufficiency and appropriateness of evidence obtained from an audit procedure instead of clarifying the terminology of tests of details and analytical procedures. Some commenters also stated that the development of an expectation differentiates an analytical procedure from a test of details.

    Having considered the comments received, the Board made several changes to the proposed description of a “test of details.” The final amendments state that a test of details involves performing audit procedures with respect to items included in an account or disclosure (e.g., the date, amount, or contractual terms of a transaction). When performing a test of details, the auditor should apply audit procedures that are appropriate to the particular audit objectives to each item selected for testing.

    First, the Board relocated the description of a “test of details” and related requirements to a new section of AS 2301, in new paragraph .48. The Board believes that describing a test of details within AS 2301 is appropriate because tests of details are performed as substantive procedures to address assessed risks of material misstatement. The description uses the term “items included in an account or disclosure” instead of “individual items.” The change in terminology was made to more closely align with the description of items selected for testing in existing AS 1105.22-.23.

    Second, the Board revised the amendment to clarify that when performing a test of details, the auditor should apply the audit procedures that are appropriate to the particular audit objectives to each item selected for testing. This provision focuses the auditor on the objectives of the audit procedures being performed and is consistent with existing requirements for audit sampling.[26] The Board believes that an emphasis on the objectives of the audit procedures, regardless of the means of selecting items for testing in the test of details, continues to be important and is aligned with the final amendments to AS 1105.14 (using an audit procedure for more than one purpose), which are discussed below in this release.[27]

    Lastly, the final amendments do not compare tests of details to analytical procedures, and the Board did not amend the existing description of analytical procedures in AS 1105.21. Because of the overlap between the description of analytical procedures and substantive analytical procedures, further potential amendments to the description of analytical procedures are being considered as part of the Board's standard-setting project to address substantive analytical procedures.[28] In addition, comments the Board received related to the auditor's use of substantive analytical procedures were taken into consideration in that project.

    The final amendments are not intended to define “items included in an account or disclosure” because such a definition is impractical given the variety of accounts and disclosures subject to tests of details. The auditor would determine the level of disaggregation or detail of the items within the account or disclosure based on the facts and circumstances of the audit engagement, including the assessed risk and the relevant assertion intended to be addressed, and the objective of the procedure.

    In addition, the Board considered the comments suggesting that the amendments focus on the sufficiency and appropriateness of evidence obtained from performing audit procedures instead of describing categories of procedures. Considering current practice and the nature of audit procedures performed currently, the Board continues to believe that the existing standards are sufficiently clear in describing auditors' responsibilities for obtaining and evaluating audit evidence. The Board's ongoing research has not identified specific examples of substantive analytical procedures that, by themselves, would provide sufficient appropriate audit evidence to respond to a significant risk. Commenters also did not provide such examples. Therefore, the Board believes retaining the categories of procedures as tests of details and substantive analytical procedures continues to be appropriate.

    2. Specifying Auditor Responsibilities When Investigating Items Identified

    The Board proposed to add a new paragraph .37A to AS 2301 that specified matters for the auditor to consider when investigating items identified through using criteria established by the auditor in designing or performing substantive procedures on all or part of a population of items. Under the proposed paragraph, when the auditor establishes and uses criteria to identify items for further investigation, as part of designing or performing substantive procedures, the auditor's investigation should consider whether the identified items:

    • Provide audit evidence that contradicts the evidence upon which the original risk assessment was based;
    • Indicate a previously unidentified risk of material misstatement;
    • Represent a misstatement or indicate a deficiency in the design or operating effectiveness of a control; or
    • Otherwise indicate a need to modify the auditor's risk assessment or planned audit procedures.

    The proposed requirement included a note providing that inquiry of management may assist the auditor and that the auditor should obtain audit evidence to evaluate the appropriateness of management's responses.

    The Board adopted the proposed provisions with certain modifications as discussed further below, including relocating the requirements from proposed paragraph .37A to new paragraphs .49 and .50 in AS 2301. The Board also made a conforming amendment to paragraph .10 of AS 2301 to include a reference to paragraphs .48 through .50.

    As discussed above, designing substantive tests of details and tests of controls includes determining the means of selecting items for testing. The alternative means of selecting items for testing consist of selecting all items; selecting specific items; and audit sampling. As discussed in the proposal, the Board's research has indicated that auditors use technology-assisted analysis to identify specific items within a population (e.g., an account or class of transactions) for further investigation. For example, auditors may identify all revenue transactions above a certain amount, transactions processed by certain individuals, or transactions where the shipping date does not match the date of the invoice. Because technology-assisted analysis may enable the auditor to examine all items in a population, it is possible that the analysis may return dozens or even hundreds of items within the population that meet one or more criteria established by the auditor.

    Considering current practice, the Board stated in the proposal that PCAOB standards should be modified to address the auditor's responsibilities in such scenarios more directly. The auditor's appropriate investigation of identified items is important both for identifying and assessing the risks of material misstatement and for designing and implementing appropriate responses to the identified risks.

    Commenters were supportive of the principles-based nature of the proposed amendment and agreed with the Board's decision not to prescribe the nature, timing, or extent of investigation procedures. However, commenters also asked for further clarification, guidance, and examples to address different scenarios that the auditor encounters when 100 percent of a population is tested, given that certain requirements in proposed AS 2301.37A exist in the standards today. Some commenters said it was unclear how proposed AS 2301.37A was different from requirements in existing standards related to the auditor's ongoing risk assessment, and the auditor's responsibility to revise their risk assessment under certain scenarios and to evaluate the results of audit procedures. Several commenters noted that existing standards address auditors' responsibilities when investigating items under certain scenarios. These commenters observed, for example, that AS 2110, Identifying and Assessing Risks of Material Misstatement, applies when the auditor uses technology-assisted analysis to identify and assess risks of material misstatement, and AS 2110.74 and AS 2301.46 apply when the items identified by the auditor when using technology-assisted analysis indicate a new risk of misstatement or a need to modify the auditor's risk assessment. One commenter asked whether identifying items for further investigation was intended to describe only scenarios where specific items are selected for testing.

    One commenter noted that the proposed amendment implied that technology-assisted analysis could be used only for purposes of risk assessment or selecting specific items for testing. Another commenter stated that it is important for the auditor's investigation of items to include determining whether there is a control deficiency.

    Several commenters asked that the Board clarify whether sampling can be applied to items identified for investigation or whether the auditor is expected to test 100 percent of the identified items. Some commenters also asked the Board to clarify whether the evidence obtained would be considered sufficient and appropriate, or if the auditor would be required to perform further procedures, in situations where a technology-assisted analysis over an entire population (e.g., matching quantities invoiced to quantities shipped) did not identify any items for investigation. One commenter recommended that the amendments be extended to address the auditor's responsibilities over other items in the population not identified for investigation. Two commenters asked the Board to clarify how the proposed amendment and existing standard would apply when the technology-assisted analysis is modified after the original analysis is complete.

    Consistent with the proposal, the final requirements are principles-based and intended to be applied to all means of selecting items for a test of details (e.g., selecting all items, selecting specific items, and audit sampling). The Board continues to believe that appropriately addressing the items identified by the auditor for further investigation in a test of details is an important part of obtaining sufficient appropriate audit evidence, because these items individually or in the aggregate may indicate misstatements or deficiencies in the design or operating effectiveness of a control. In response to comments received, the final amendments reflect several modifications from the proposal.

    First, the Board reframed the requirements to focus on the auditor's investigation of items when performing a test of details as part of the auditor's response to assessed risks. The Board narrowed the requirement to apply only to tests of details because, as commenters noted, existing PCAOB standards describe the auditor's responsibility to investigate items identified when performing substantive analytical procedures.[29] In addition, the Board did not repeat the considerations related to the auditor's risk assessment that are required under existing PCAOB standards as described above. The Board believes these changes alleviate potential confusion about how the requirements are intended to be applied. The Board also removed the proposed note requiring the auditor to obtain audit evidence when evaluating the appropriateness of management's responses to inquiries, because existing PCAOB standards already address this point by noting that inquiry alone does not provide sufficient appropriate evidence to support a conclusion about a relevant assertion.[30]

    Second, the requirements have been relocated into two new paragraphs (.49 and .50) in AS 2301, which are designed to work together. Paragraph .49 applies to all tests of details, regardless of the means of selecting items used by the auditor. The requirement states that when performing a test of details, the auditor may identify items for further investigation. For example, an auditor may identify balances or transactions that contain, or do not contain, a certain characteristic or that are valued outside of a range. The final amendment emphasizes that when such items are identified, audit procedures that the auditor performs to investigate the identified items are part of the auditor's response to the risks of material misstatement. The auditor determines the nature, timing, and extent of such procedures in accordance with PCAOB standards. The final amendment also provides that the auditor's investigation of the identified items should include determining whether the items individually or in the aggregate indicate (i) misstatements that should be evaluated in accordance with AS 2810 or (ii) deficiencies in the company's internal control over financial reporting.

    When the auditor identifies items for further investigation in a test of details, the final amendment does not prescribe the nature, timing, and extent of audit procedures to be performed regarding the identified items, including whether those procedures are performed on the items individually or in the aggregate. Prescribing specific procedures would be impracticable considering the multitude of possible scenarios encountered in practice. The nature of the identified items and likely sources of potential misstatements are examples of factors that would inform the auditor's approach. To comply with PCAOB standards, the nature, timing, and extent of the audit procedures performed, including the means of selecting items, should enable the auditor to obtain evidence that, in combination with other relevant evidence, is sufficient to meet the objective of the test of details.

    In some cases, an auditor may be able to group the identified items (e.g., items with a common characteristic) and perform additional audit procedures to determine whether the items indicate misstatements or control deficiencies by group.[31] In other cases, it may not be appropriate to group the items identified for investigation.[32] Further, the auditor's investigation could also identify new relevant information (e.g., regarding the types of potential misstatements) and the auditor may need to modify the audit response.

    When a test of details is performed on specific items selected by the auditor,[33] the final amendments discuss the auditor's responsibilities for addressing the remaining items in the population. When the auditor selects specific items in an account or disclosure for testing, new paragraph .50 provides that the auditor should determine whether there is a reasonable possibility that remaining items within the account or disclosure include a misstatement that, individually or when aggregated with others, would have a material effect on the financial statements.[34] If the auditor determines that there is a reasonable possibility of such a risk of material misstatement in the items not selected for testing, the auditor should perform substantive procedures that address the assessed risk.[35] As discussed in the proposing release, the auditor's responsibilities over other items in the population are described in existing PCAOB standards, and the final requirement (AS 2301.50) reminds the auditor of those responsibilities.

    The final amendments do not specify, as suggested by some commenters, whether the evidence obtained would be considered sufficient and appropriate, or whether the auditor would be required to perform further procedures, in situations where a technology-assisted analysis over an entire population did not identify any items for investigation. Because facts and circumstances vary, it is not possible to specify scenarios that would provide sufficient appropriate audit evidence. Consistent with existing standards, for an individual assertion, different types and combinations of substantive procedures might be necessary to detect material misstatements in the respective assertions.[36] For example, in addition to performing a technology-assisted analysis of company-produced information to match quantities invoiced to quantities shipped, other audit procedures, such as examining a sample of information that the company received from external sources (e.g., purchase orders and cash receipts), may be necessary to obtain sufficient appropriate audit evidence for the relevant assertion. The auditor would be required to document the purpose, objectives, evidence obtained, and conclusions reached from the procedures in accordance with the existing provisions of AS 1215, Audit Documentation.[37]

    Specifying Auditor Responsibilities When Using an Audit Procedure for More Than One Purpose

    See paragraph .14 of AS 1105 of the amendments.

    The Board proposed to amend paragraph .14 of AS 1105 by adding a sentence to specify that if an auditor uses audit evidence from an audit procedure for more than one purpose, the auditor should design and perform the procedure to achieve each of the relevant objectives of the procedure.

    The proposed amendment was intended to supplement existing PCAOB standards because the Board's research indicated that: (i) technology-assisted analysis could be used in a variety of audit procedures, including risk assessment and further audit procedures (such as tests of details and substantive analytical procedures); (ii) an audit procedure that involves technology-assisted analysis may provide relevant and reliable evidence for more than one purpose (e.g., identifying and assessing risks of material misstatement and addressing assessed risks); and (iii) questions have been raised about whether the evidence obtained from an audit procedure that involves technology-assisted analysis can be used for more than one purpose. The Board adopted the amendment substantially as proposed, with certain modifications to clarify and simplify the sentence, as discussed below. As amended, the sentence added to paragraph .14 provides that “[i]f the auditor uses an audit procedure for more than one purpose, the auditor should achieve each objective of the procedure.”

    Under existing PCAOB standards, the purpose of an audit procedure determines whether it is a risk assessment procedure, test of controls, or substantive procedure.[38] Although AS 1105 describes specific audit procedures, it does not specify whether an audit procedure may be designed to achieve more than one purpose; nor does it preclude the auditor from designing and performing multi-purpose audit procedures.[39] In fact, other PCAOB standards have long permitted auditors to use audit evidence for more than one purpose through the performance of properly designed “dual-purpose” procedures in certain scenarios.[40]

    Considering the variety of applications of technology-assisted analysis throughout the audit, the Board stated in the proposal that PCAOB standards could be modified to more specifically address when an auditor uses audit evidence from an audit procedure for more than one purpose, to facilitate the auditor's design and performance of audit procedures that provide sufficient appropriate audit evidence. The proposal explained that audit procedures involving technology-assisted analysis are not always multi-purpose procedures. For example, a technology-assisted analysis that is used to analyze a population of revenue transactions to identify significant new products may provide audit evidence only to assist the auditor with identifying and assessing risks (a risk assessment procedure). But if the procedure also involves obtaining audit evidence to address the risk of material misstatement associated with the occurrence of revenue, the procedure would be a multi-purpose procedure.

    Commenters, including an investor-related group, supported the objective of the amendment to specify the auditor's responsibilities when using audit evidence for more than one purpose. One commenter stated that the proposed amendment appears to prohibit an auditor from using audit evidence obtained later in the audit. In that commenter's view, the amendment implied that the auditor must intend to use the audit procedure for more than one purpose, which could be viewed as contradicting the principle that risk assessment should continue throughout the audit.

    Several commenters stated that the proposed amendment implied that, for an auditor to use audit evidence for more than one purpose, the auditor would need to know all of the purposes initially when designing the procedure. These commenters added that audit procedures that use technology-assisted analysis can be more iterative in nature and may not be designed for all the purposes that they ultimately fulfill through the nature of the evidence they generate. For example, one commenter noted that when using technology-assisted analysis to substantively test a population of transactions, the auditor may identify a sub-population of transactions that exhibit different characteristics than the rest of the population and use that information to modify the risk assessment of the sub-population. Another commenter noted that an audit procedure may be designed as a risk assessment procedure, but the technology-assisted analysis may provide audit evidence for assertions about classes of transactions or account balances or other evidence regarding the completeness and accuracy of information produced by the company used in the performance of other audit procedures. These commenters suggested that the amendment be revised by focusing on evaluating the audit evidence obtained from the procedure.

    The proposed amendment was not intended to imply that the auditor should not evaluate or consider information obtained from an audit procedure that the auditor was not aware of when initially designing the procedure or that the auditor obtains after a procedure is completed. As noted in the proposal, an auditor may use audit evidence from an audit procedure that involves technology-assisted analysis to achieve one or more objectives, depending on the facts and circumstances of the company and the audit. Further, the auditor would be required to consider and evaluate such information under existing PCAOB standards. For example, as one commenter noted, existing AS 1105 states that audit evidence is all the information, whether obtained from audit procedures or other sources, that is used by the auditor in arriving at the conclusions on which the auditor's opinion is based.[41] Another commenter observed that existing PCAOB standards provide that the auditor's assessment of the risks of material misstatement, including fraud risks, continues throughout the audit.[42]

    The Board continues to believe that in order for an auditor to use an audit procedure for more than one purpose (i.e., as more than a risk assessment procedure, test of controls, or substantive procedure alone), the auditor would need to determine that each of the objectives of the procedure has been achieved. Therefore, after considering the comments received, the Board retained the requirement but removed the reference to “design and perform the procedure.” The auditor's responsibilities for designing and performing procedures are already addressed in AS 2110 and AS 2301. Therefore, the final amendment to paragraph .14 of AS 1105 states that “[i]f the auditor uses an audit procedure for more than one purpose, the auditor should achieve each objective of the procedure.”

    As noted in the proposal, the purpose, objective, and results of multi-purpose procedures should be clearly documented. Under existing PCAOB standards, audit documentation must contain sufficient information to enable an experienced auditor, having no previous connection with the engagement, to understand the nature, timing, extent, and results of the procedures performed, evidence obtained, and conclusions reached.[43] Accordingly, audit documentation should make clear each purpose of the multi-purpose procedure, the results of the procedure, the evidence obtained, the conclusions reached, and how the auditor achieved each objective of the procedure.

    Commenters were supportive of acknowledging the auditor's documentation responsibilities when using audit evidence for more than one purpose. An investor-related group commented that the audit planning documentation should support how each procedure will achieve each objective and that the audit work papers should document that the work performed achieved each objective. Another commenter also concurred with the notion that the purpose, objective, and results of multi-purpose procedures should be clearly documented. One commenter noted it was unclear whether there are any incremental documentation expectations in comparison to current practice.

    Under PCAOB standards, audit documentation should be prepared in sufficient detail to provide a clear understanding of its purpose, source, and the conclusions reached.[44] This applies also for procedures performed that involve technology-assisted analysis. Therefore, the Board believes that specifying further documentation requirements is unnecessary.

    Some commenters suggested that the Board provide an example of using audit evidence from an audit procedure to achieve more than one purpose, including two commenters suggesting an example similar to examples issued by the American Institute of Certified Public Accountants (“AICPA”).[45] Given the evolving nature of the auditor's use of technology, the Board did not include a specific example in the text of the final amendments to AS 1105.14. The proposing release, however, discussed an example where a technology-assisted analysis of accounts related to the procurement process could both: (i) provide the auditor with insights into the volume of payments made to new vendors (e.g., a risk assessment procedure to identify new or different risks); and (ii) match approved purchase orders to invoices received and payments made for each item within a population (e.g., a test of details to address an assessed risk associated with the occurrence of expenses and obligations of liabilities).[46] The Board believes this example illustrates how auditors would apply the principles-based amendments consistently. If the procedure performed does not achieve each of the intended objectives, other procedures would need to be performed (e.g., other substantive procedures to address assessed risks of material misstatement).

    Lastly, two commenters suggested that the Board clarify that the specific audit procedures discussed in AS 1105.14 are not an all-inclusive list, to allow for the use of additional types of procedures, or combination of procedures, in the future as technology evolves. The Board believes the existing language is sufficiently clear because it does not indicate that the specific audit procedures described in the standard are the only types of audit procedures the auditor can perform.

    Specifying Auditor Responsibilities for Evaluating the Reliability of Certain Audit Evidence and Emphasizing the Importance of Appropriate Disaggregation or Detail of Information

    See paragraphs .07, .08, .10, .10A, .15, .19, and .A8 of AS 1105 of the amendments.

    1. Evaluating the Reliability of External Information Provided by the Company in Electronic Form

    The Board proposed to add paragraph .10A to AS 1105 to specify the auditor's responsibility for performing procedures to evaluate the reliability of external information maintained by the company in electronic form when using such information as audit evidence. The proposed paragraph provided that the auditor should evaluate whether such information is reliable for purposes of the audit by performing procedures to: (a) obtain an understanding of the source of the information and the company's procedures by which such information is received, recorded, maintained, and processed in the company's information systems; and (b) test controls (including information technology general controls and automated application controls) over the company's procedures or test the company's procedures.

    The Board adopted the amendments substantially as proposed with certain modifications discussed below. The Board also made a conforming amendment to footnote 5 of paragraph .A8 of AS 1105 to include a reference to paragraph .10A.

    The Board noted in the proposal that, based on its research, auditors often obtain from companies, and use in the performance of audit procedures, information in electronic form. In many instances, companies have obtained the information from one or more external sources. PCAOB standards do not include specific requirements regarding information received by the company from external sources, maintained, and in many instances processed by the company, and then included in the information provided to the auditor in electronic form to be used as audit evidence.[47] Because this information is maintained and potentially can be modified by the company, the Board proposed to amend its standards to address this risk to the reliability of audit evidence that the auditor obtains through using this type of information.

    Commenters on this topic, including an investor-related group, supported the Board's objective of addressing the risks that information the company receives from one or more external sources and provides to the auditor in electronic form to use as audit evidence may not be reliable and may have been modified by the company. However, several commenters also stated that further clarification of the requirements was needed:

    • Some commenters asked for clarification about the information the company received from one or more external sources and “maintained in its information systems” in electronic form. A few of those commenters also asked whether the use of “its information systems” was intended to be the same as the “information system relevant to financial reporting” in AS 2110.[48] Several commenters suggested clarifying the proposed examples of the types of information subject to these requirements that were included in the proposed footnote to AS 1105.10A and providing more specific examples, such as a bank statement in PDF format.
    • One commenter noted that the proposed amendment may not clarify the difference between maintaining the reliability of the external information received by the company and what the company does with that information after it is received. The commenter noted that after external information has been received, it is often recorded into the company's information system where it is moved, processed, and changed to the point that it is no longer considered external information, but rather information produced by the company and subject to transactional processes and controls. Another commenter stated that the requirements should not focus on accuracy and completeness because the information is provided to the company from an external source.
    • A number of commenters stated that the proposed amendment, specifically the requirement in AS 1105.10A to test controls over procedures or test the company's procedures themselves, implied that the auditor had to test the effectiveness of internal controls in order for the information to be determined to be reliable. Many of these commenters asked for clarification of the distinction between testing the company's controls and testing the company's procedures. One commenter noted that certain smaller and mid-sized companies may not have implemented controls that can be tested. Some commenters added that, because the proposed amendments did not include “where applicable” related to information technology general controls (“ITGCs”) and automated application controls, the proposed amendments implied that ITGCs and automated application controls always needed to be tested and effective. Several of these commenters also provided examples of scenarios where ITGCs and automated application controls may not need to be tested, such as controls that reconcile information in the company's information systems to the information the company received from the external source. Commenters also asked whether information from an external source provided by the company can be tested directly (i.e., not testing a company's controls) and stated that it would be helpful to clarify expectations of the auditor's work effort when evaluating the reliability of such information.
    • One commenter indicated that it was unclear how the requirements of footnote 3 of AS 1105.10 and proposed AS 1105.10A interrelate when using information produced by a service organization. Footnote 3 of AS 1105 refers the auditor to responsibilities under AS 2601, Consideration of an Entity's Use of a Service Organization, and in an integrated audit, AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, when using information produced by a service organization as audit evidence.
    • An investor-related group commented that, in addition to the requirements for the auditor to evaluate the reliability of external information provided by the company in electronic form, the auditor should also be required to evaluate the reliability of digital information maintained outside the company and used by the auditor as audit evidence. Another commenter suggested that the auditor's requirements should also address information obtained directly by the auditor from external sources.

    In consideration of comments received, the Board made several modifications to the final amendments, which are described in more detail below. The final amendment (paragraph .10A) provides that the auditor should evaluate whether external information provided by the company in electronic form and used as audit evidence is reliable by:

    a. Obtaining an understanding of (i) the source from which the company received the information; and (ii) the company's process by which the information was received, maintained, and, where applicable, processed, which includes understanding the nature of any modifications made to the information before it was provided to the auditor; and

    b. Testing the information to determine whether it has been modified by the company and evaluating the effect of those modifications; or testing controls over receiving, maintaining, and processing the information (including, where applicable, information technology general controls and automated application controls).

    As discussed above, the proposed amendments described auditor responsibilities related to evaluating the reliability of information in electronic form provided by the company to the auditor that the company received from external sources. Examples of such information include, but are not limited to, bank statements, customer order information, information related to cash receipts, and shipping information from third-party carriers provided to the auditor in electronic form.

    The Board believes that a principles-based description of the information subject to the requirement that does not list specific types of information, as suggested by some commenters, is in the best interest of audit quality and investor protection. This approach is adaptable to evolving sources and forms of electronic information, considering continued advancements in technology. The Board has clarified the final amendment by removing the reference to “maintained in the company's information systems,” which confused some commenters. The use of this term in the proposal was intended to refer broadly to information in electronic form within a company that the company could provide to the auditor.

    The Board has revised subparagraph (a) of the final amendment to replace the term “company's procedures” with “company's process.” In the proposal the Board used “company's procedures” to align with AS 2110.28(b), which describes the company's procedures to initiate, authorize, process, and record transactions. However, the Board believes use of the “company's process” is more consistent with AS 2110.30 and .31, which describe the company's business processes that the auditor is required to understand. The Board also believes that using “company's process” clarifies that the intent of the requirement is to understand the flow of the information from the time the company received it from the external source until the company provided it to the auditor. Additional refinements made to this requirement include (i) removing the word “recorded” because receiving, processing, and maintaining data would encompass recording it; and (ii) adding “where applicable” to address examples provided by commenters where companies receive information from external sources that may be maintained only—and not processed—by the company.

    The Board also made revisions to clarify that, as part of understanding how the information received from external sources is processed by the company, the auditor should obtain an understanding of the nature of any modifications made to the information. This revision focuses the auditor on identifying the circumstances where the information may have been modified or changed by the company.

    The Board did not intend to imply that internal controls are required to be tested and effective in order for the auditor to be able to determine that external information is reliable for purposes of the audit, as suggested by some commenters. Rather, the proposed amendment was meant to (i) clarify the auditor's responsibility for performing procedures to evaluate the reliability of audit evidence; and (ii) address the risk that the company may have modified the external information prior to providing it to the auditor for use as audit evidence.

    The Board revised the final amendment in subparagraph (b) to require that the auditor (i) test the information to determine whether it has been modified by the company and evaluate the effect of those modifications; or (ii) test controls over receiving, maintaining, and where applicable, processing the information. As discussed in the proposing release, the auditor may determine the information has been modified by the company by either comparing the information provided to the auditor to (i) the information the company received from the external source; or (ii) information obtained directly by the auditor from external sources. Some commenters referred to comparing the information provided by the company to the information the company received from the external source, as testing the information “directly” for reliability.

    For example, the auditor may obtain customer purchase order information from the company's information systems and compare this information to the original purchase order submitted by the customer to determine whether any modifications were made by the company. In another example, the auditor may obtain interest rate information from the company's information systems and compare it to the original information from the U.S. Department of Treasury. Under the final amendments, if the auditor determines modifications were made by the company, the auditor would have to evaluate the effect of the modifications on the reliability of the information. For example, the auditor may determine that certain modifications (e.g., formatting of the date of a transaction from the European date format to the U.S. date format) have not affected the reliability of the information. Conversely, the auditor may determine that inadvertent or intentional deletions, or improper alterations of key data elements by the company (e.g., customer details, transaction amount, product quantity) have negatively affected the reliability of information.

    Finally, the Board further clarified the amendment to indicate that if the auditor chooses to test controls instead of testing the information as described above, the auditor should test controls over the receiving, maintaining, and where applicable, processing of the information that are relevant to the auditor's evaluation of whether the information is reliable for purposes of the audit. This aligns with the Board's intent in the proposal that described testing controls over the company's procedures. Controls over processing the information would include internal controls over any modifications made by the company to the information.

    Several commenters noted that in instances where controls over the information are ineffective, or are not implemented or formalized, the auditor may need to perform procedures other than testing internal controls to determine the reliability of the information provided by the company. In response to these comments, the Board believes it is important to remind auditors that PCAOB standards already address circumstances when the auditor encounters ineffective controls, or controls that are not implemented or formalized. It is important for the auditor to also understand the implications of such findings on the nature, timing, and extent of procedures that the auditor needs to perform in accordance with PCAOB standards.[49]

    The Board also considered the comments related to specifying requirements for the auditor to evaluate the reliability of external information obtained directly by the auditor from external sources, which would include digital information maintained outside the company and used as audit evidence. Under existing standards, audit evidence must be reliable, and its reliability depends on the nature and the source of the evidence and the circumstances under which it is obtained.[50] In light of the existing requirements within AS 1105, the Board believes that the auditor's responsibilities to evaluate the reliability of information obtained from external sources are sufficiently clear and that further amendments to address information obtained by the auditor directly from external sources are not necessary. In addition, the Board considered but decided not to address in this project auditors' responsibilities related to using information produced by a service organization as audit evidence.[51]

    Further, as discussed below, the Board's proposed amendment was intended to highlight the importance of controls over information technology. The Board considered the comments received, and the final amendment clarifies that ITGCs and automated application controls should be tested where applicable (e.g., where controls are selected for testing or where a significant amount of information supporting one or more relevant assertions is electronically initiated, recorded, processed, or reported).[52] The Board believes testing ITGCs and automated application controls is important to mitigate the risk that the information provided by the company in electronic form is not reliable. In some cases, the auditor may already be testing the relevant ITGCs and automated application controls, while in other cases the auditor may need to test additional controls.

    Consistent with the proposal, the Board did not prescribe the nature, timing, or extent of the auditor's procedures to evaluate the reliability of the external information. An auditor would design the procedures considering the wide variety of types of external information received by companies and differences in the processes for receiving, maintaining and, where applicable, processing such information. Further, the nature, timing, and extent of the auditor's procedures would depend on the purpose for which the auditor uses the information whose reliability is being evaluated. In general, performing audit procedures to address the risks of material misstatement involves obtaining more persuasive evidence than in performing risk assessment procedures.[53] Accordingly, evaluating the reliability of information used in substantive procedures and tests of controls would require more auditor effort than evaluating the reliability of information used in risk assessment procedures.

    2. Emphasizing the Importance of Controls Over Information Technology

    The Board proposed several amendments to AS 1105 to emphasize the importance of controls over information technology for the reliability of audit evidence. As noted above, auditors obtain from companies, and use in the performance of audit procedures, large volumes of information in electronic form. The reliability of such information is increased when the company's controls over that information—including, where applicable, ITGCs and automated application controls—are effective. The Board adopted the amendments to paragraph .10 of AS 1105 as proposed, and amendments to paragraphs .08 and .15 of AS 1105 substantially as proposed, with minor modifications as described below.

    Commenters on this topic supported the objective of emphasizing the importance of controls over information technology in establishing reliability of information used as audit evidence. Several commenters opined that the proposed amendments, more specifically the proposed amendments to paragraph .15 of AS 1105, implied that internal controls, including ITGCs and automated application controls, would need to be tested and determined effective in order to determine that the information is reliable.

    The proposed amendments were not intended to imply that (i) internal controls are required to be tested and effective in order for the auditor to be able to determine that information is reliable for purposes of the audit; or (ii) testing other relevant controls is less important or unnecessary. Rather, the proposed amendments were meant to highlight to the auditor that certain information is more reliable when internal controls are effective, and where applicable, those internal controls include ITGCs and automated application controls, which is consistent with existing PCAOB standards.[54] The Board's standards also describe scenarios where the sufficiency and appropriateness of the audit evidence usually depends on the effectiveness of controls.[55] The amendments did not change these existing principles.

    Further, in the proposing release the Board explained that the proposed amendments state “where applicable” in relation to the controls over information technology because information produced by the company may also include information that is not in electronic form, or information that is subject to manual controls. One commenter noted that this explanation was informative and suggested incorporating it into the amendments. Another commenter also recommended defining “where applicable” with clear factors or examples of when ITGCs and automated application controls would be applicable. Because of the wide variety of types and sources of information, and ways in which companies use information, it would be impracticable to specify scenarios where ITGCs and automated application controls would be applicable.

    Having considered the above comments and the Board's intent to retain the existing principle in paragraph .08 of AS 1105 that certain information is more reliable when controls are effective, the Board modified paragraph .15 of AS 1105 within the final amendments to align the language with AS 1105.08. In addition, the final amendments to paragraph .08 were also aligned with the terminology in paragraph .10A of AS 1105 described above.

    Lastly, separate from commenting on the proposed amendments to paragraph .08 of AS 1105 discussed above, some commenters suggested amendments to modernize the last bullet point of the paragraph, which describes that evidence from original documents is more reliable. Three commenters asserted that the information may exist in different forms (e.g., paper or electronic form) and may be in a format other than a document (e.g., unprocessed data). In the views of two of these commenters, no physical or original document exists when an electronic data transmission from a customer initiates a transaction in a company's ERP system. These commenters suggested modernizing the language to focus on the original form of the audit evidence and any subsequent conversion, copying, or other modifications. The Board considered the comments received but did not amend the language because the bullet points in paragraph .08 of AS 1105 are intended to be examples of factors that may affect the reliability of audit evidence. The existing language provides an example of one type of audit evidence—original documents that have not been converted, copied, or otherwise modified—which is consistent with the principles suggested by the commenters.

    3. Emphasizing the Importance of Appropriate Disaggregation or Detail of Information

    The Board proposed to amend paragraph .07 of AS 1105 to emphasize that the relevance of audit evidence depends on the level of disaggregation or detail of information necessary to achieve the objective of the audit procedure. Whether an auditor performs tests of details, substantive analytical procedures, or other tests, technology-assisted analysis may enable the auditor to analyze large volumes of information at various levels of disaggregation (e.g., regional or global) or detail (e.g., relevant characteristics of individual items such as product type or company division). The appropriate level of disaggregation or detail of information that the auditor uses as audit evidence is important for obtaining audit evidence that is relevant in supporting the auditor's conclusions.[56] Having considered the comments received, the Board adopted the amendment as proposed.

    The level of disaggregation or detail that is appropriate depends on the objective of the audit procedure. For example, when testing the valuation assertion of residential loans that are measured based on the fair value of the collateral, disaggregated sales data for residential properties by geographic location would likely provide more relevant audit evidence than combined sales data for both commercial and residential properties by geographic location. In another example, when performing a substantive analytical procedure and analyzing the plausibility of relationships between revenue and other information recorded by the company, using revenue disaggregated by product type would likely be more relevant for the auditor's analysis and result in obtaining more relevant audit evidence than if the auditor used the amount of revenue in the aggregate.

    Commenters on this topic were supportive of the proposed amendment and indicated that it aligned with current practice. Some of these commenters suggested providing examples, stating that examples would help auditors in understanding and applying the amendment. Consistent with the proposal, the final amendment does not prescribe an expected level of disaggregation or detail, as auditor judgment is needed to determine the relevance of information based on the objective of the audit procedure.

    4. Updating Certain Terminology in AS 1105

    The Board proposed to update certain terminology used to describe audit procedures for obtaining audit evidence in AS 1105, without changing the meaning of the corresponding requirements. For example, considering the greater availability and use of information in electronic form, the Board proposed to use the term “information” instead of the term “documents and records” in AS 1105.15 and .19. Further, to avoid a misinterpretation that only certain procedures could be performed electronically, the Board proposed to remove the reference to performing recalculation “manually or electronically” in AS 1105.19. For consistent terminology, the Board also proposed to replace the terms “generated internally by the company” in AS 1105.08 and “internal” in AS 1105.15 with the term “produced by the company.” Having considered the comments received, the Board adopted the amendments to paragraphs .08, .15, and .19 of AS 1105 as proposed.

    Commenters on this topic supported the updates to certain terminology described above, and stated the updated terminology appears clear and appropriate. One commenter suggested modifying the terminology in paragraph .19 from “checking” to “testing” because testing more clearly describes an audit procedure that is being performed over the mathematical accuracy of information. Having considered the comment, the Board retained the existing terminology in paragraph .19 of “checking” to avoid a potential for confusion with test of details.

    Effective Date

    The Board determined that the amendments will take effect, subject to approval by the SEC, for audits of financial statements for fiscal years beginning on or after December 15, 2025.

    In the proposing release, the Board sought comment on the amount of time auditors would need before the amendments become effective, if adopted by the Board and approved by the SEC. The Board proposed an effective date for audits with fiscal years ending on or after June 30 in the year after approval by the SEC.

    Several, mostly larger firms and firm-related groups, supported an effective date of audits of financial statements for fiscal years beginning on or after December 15 at least one year following SEC approval, or for fiscal years ending on or after December 15 at least two years following SEC approval. Two commenters supported an effective date two years after SEC approval. These commenters indicated that this would give firms the necessary time to update firm methodologies, tools, and develop and implement training. In addition, several commenters highlighted that additional time would be needed because of the potential indirect impact on companies, especially if companies need to implement or formalize controls or processes around information received from one or more external sources, and auditors need to verify that the controls have been designed and implemented appropriately. Another commenter highlighted that the proposed effective date may be too soon to allow auditors to update methodologies, provide appropriate training and effectively implement the standards. In addition, multiple commenters, mainly accounting firms, suggested that the Board consider the effective dates for other standard-setting projects when determining the effective date for the amendments.

    The Board appreciates the concerns and preferences expressed by the commenters. Having considered the requirements of the final amendments, the differences between the amendments and the existing standards, the Board's understanding of firms' current practices, and the effective dates for other Board rulemaking projects, the Board believes that the effective date, subject to SEC approval, for audits of financial statements for fiscal years beginning on or after December 15, 2025 will provide auditors with a reasonable time period to implement the final amendments, without unduly delaying the intended benefits resulting from these improvements to PCAOB standards, and is consistent with the Board's mission to protect investors and further the public interest.

    D. Economic Considerations and Application to Audits of Emerging Growth Companies

    Economic Considerations

    The Board is mindful of the economic impacts of its standard setting. This section describes the economic baseline, economic need, expected economic impacts of the final amendments, and alternative approaches considered. There are limited data and research findings available to estimate quantitatively the economic impacts of the final amendments. Therefore, the Board's economic discussion is largely qualitative in nature. However, where reasonable and feasible, the analysis incorporates quantitative information, including descriptive statistics on the tools that firms use in technology-assisted analysis.[57]

    Baseline

    The discussion above describes important components of the baseline against which the economic impact of the final amendments can be considered, including the Board's existing standards, firms' current practices, and observations from the Board's oversight activities. The discussion below focuses on two additional aspects of current practice that informed the Board's understanding of the economic baseline: (i) the PCAOB staff's analysis of the tools that auditors use in technology-assisted analysis; and (ii) research on auditors' use of technology-assisted analysis.

    1. Staff Analysis of Tools That Auditors Use in Technology-Assisted Analysis

    PCAOB staff reviewed information provided by firms pursuant to the PCAOB's oversight activities regarding tools they use in technology-assisted analysis. The information identifies and describes tools used by audit engagement teams. The staff reviewed information provided by the U.S. global network firms (“GNFs”) as well as seven U.S. non-affiliated firms (“NAFs”).[58] The information was first provided for the 2018 inspection year and was available through the 2023 inspection year for the GNFs and NAFs analyzed.

    Firms reported using both internally developed and externally purchased tools. Some of the externally purchased tools were customized by the firms. The nature and number of tools varied across firms, and their use varied with the facts and circumstances of specific audit engagements. Some firms describe their tools by individual use case or functionality based on how the tool has been tailored by the firm (e.g., one tool to test accounts receivable and another tool to test inventory using the same software program), and other firms describe their tools grouped by software program, thus affecting the number of unique tools reported by the firms. Some firms consolidated some of their tools over time, thus reducing the number of unique tools they used, although the number of audit engagements on which tools are used has not decreased. For example, instead of having separate tools to perform technology-assisted analysis and analytical procedures performed as part of the auditor's risk assessment, some firms have consolidated both functions into one tool. Firms generally do not require the use of such tools on audit engagements.

    The average number of tools used by audit engagement teams, as reported to the PCAOB by the U.S. GNFs, increased from approximately 13 to approximately 18 per firm, or approximately 38%, between 2018 and 2023. In the 2023 inspection year, U.S. GNFs reported that 90% of their tools are used for data visualization, summarization, tabulation, or modeling.[59] All the U.S. GNFs reported using tools to assist in: (i) identifying and selecting journal entries; and (ii) selecting samples for testing. The U.S. GNFs reported having tools that support both risk assessment (e.g., assessing loan risk) and substantive procedures (e.g., performing journal entry testing or fair value testing). The U.S. GNFs developed approximately 75% of the reported tools in-house while the rest were purchased externally. Furthermore, approximately 18% of the U.S. GNFs' tools used cloud computing. Less than 7% of the U.S. GNFs' tools used blockchain technology, artificial intelligence, or robotic process automation. All the U.S. GNFs' tools used company data and approximately 20% also used third-party data.

    Compared to U.S. GNFs, the U.S. NAFs within the scope of the PCAOB staff's review reported to the PCAOB using fewer tools. In the 2023 inspection year, on average, the U.S. NAFs reported using approximately six tools per firm. For a subset of these firms, the average number of tools increased from approximately two tools per firm to approximately five tools per firm between 2020 and 2023.[60] The U.S. NAFs used the tools to visualize, summarize, and model data. Some of the U.S. NAFs reviewed use third-party software as their data analysis tools and used company data (e.g., transactional and journal entry data) as inputs. One U.S. NAF firm developed an in-house tool to assist with determining the completeness and accuracy of journal entry data used for testing journal entries.

    One commenter asserted that the PCAOB should have information on firms' use of technology-based tools, as well as firms' improper use of tools, through its oversight activities. Information obtained through PCAOB oversight activities regarding firms' use of technology-based tools is presented here, and information related to firms' improper use of tools is presented above. As described above, the nature and extent of the use of technology-based tools in an audit varies by firm and by individual audit engagement. The Board's rulemaking has been informed by all relevant information as described in this release.

    2. Research on Auditors' Use of Technology-Assisted Analysis

    Academic studies regarding the prevalence of technology-based tools used to analyze information in electronic form and the impacts of using such tools in audits are limited. However, several recent surveys provide insights regarding: (i) how auditors have been incorporating data analytics into their audit approaches; and (ii) potential impediments to auditors' further implementation of data analytics. One commenter referenced additional academic research that was not originally cited in the proposing release. The Board considered this research and included references to articles that are relevant to the analysis in this release.[61]

    Regarding incorporating data analytics into audit approaches, the surveys indicate that while the use of data analytics presently may not be widespread, it is becoming more common in various aspects of the audit, primarily risk assessment and, to a lesser extent, substantive procedures. For example, a 2017 survey of U.S. auditors reported that auditors used data analytics in risk assessment and journal entry testing.[62] Also, a survey of Norwegian auditors, some of whom perform audits under PCAOB standards, reported that data analytics were not widely used and were used primarily as supplementary evidence. In this survey, the respondents indicated that data analytics were used primarily in risk assessment and various types of substantive procedures, including analytical procedures.[63] A 2018 to 2019 survey of auditors in certain larger New Zealand firms reported that auditors are more frequently encountering accessible, large company data sets (i.e., data sets from the companies under audit). The respondents reported that third-party tools to process the data are increasingly available and allow auditors with less expertise in data analytics to make effective use of data.[64] A 2020 Australian study that focused on big data analytics found that the use of big data analytics has reduced auditor time spent on manual-intensive tasks and increased time available for tasks requiring critical thinking and key judgments.[65] A 2023 Canadian study that also focused on big data analytics found that big data analytics improves financial reporting quality.[66]

    Earlier surveys reported qualitatively similar, though less prevalent, use of data analytics. For example, a 2016 survey of Canadian firms reported that 63% and 39% of respondents from large firms and small to mid-sized firms, respectively, had used data analytics, most commonly in the risk assessment and substantive procedures phases. Both groups reported that data analytics were used to provide corroborative evidence for assertions about classes of transactions for the period under audit. However, only smaller and mid-sized firms reported that data analytics were also used to provide primary evidence for assertions about classes of transactions for the period under audit and account balances at period end. Furthermore, only larger firms reported that data analytics were also used to provide corroborative evidence for assertions about account balances at period end.[67]

    A survey of 2015 year-end audits performed by U.K. firms reported that the use of data analytics was not as prevalent as the market might expect, with the most common application being journal entry testing.[68] A 2015 survey of U.K. and EU auditors found that data analytics were being used in both risk assessment procedures and to perform certain specific audit procedures (e.g., recalculation).[69] Finally, a 2014 survey of U.S. auditors reported that they often use information technology to perform risk assessment, analytical procedures, sampling, internal control evaluations, and internal control documentation. The respondents identified moderate use of data analytics in the context of client administrative or practice management.[70]

    Regarding potential impediments to the implementation of data analytics, surveys indicate that some firms are reluctant to implement data analytics in their audit approach due to perceived regulatory risks. For example, one survey found that auditors were cautious about implementing data analytics due to a lack of explicit regulation. Respondents reported performing both tests of details that do not involve data analytics and those that do involve data analytics in audits under PCAOB standards.[71] Another survey found that auditors did not require the use of advanced data analytic tools partly due to uncertainty regarding how regulatory authorities would perceive the quality of the audit evidence produced. However, the respondents tended to agree that both standard setters and the auditing standards themselves allow information obtained from data analytics to be used as audit evidence.[72] A different survey found that some auditors were reluctant to implement data analytics because the auditing standards do not specifically address them.[73] These survey findings are consistent with other surveys that find auditors structure their audit approaches to manage regulatory risks arising from inspections, including risks associated with compliance with PCAOB standards.[74] One commenter on the proposed amendments cited a study which noted that “uncertainty about regulators' response and acceptance of emerging technologies can hinder its [emerging technology's] adoption.” [75] However, by contrast, another survey found that the audit regulatory environment was not commonly cited by respondents as an impediment to the use of data analytics.[76]

    Overall, the research suggests that auditors' use of technology-assisted analysis in designing and performing audit procedures is becoming increasingly prevalent. Some commenters also acknowledged that the use of technology-assisted analysis is becoming more prevalent. An investor-related group provided examples of expanded use of technology by both companies and audit firms, including the use of large, searchable databases and the development of tools for analyzing large volumes of data. This provides a baseline for considering the potential impacts of the final amendments. The research also suggests that some auditors perceive regulatory risks when implementing data analytics. Some commenters acknowledged that regulatory uncertainty has been a factor in firms' hesitance to use technology-assisted analysis. This provides evidence of a potential problem that standard setting may address.

    Need

    Low-quality audits can occur for a number of reasons, including the following two reasons. First, the company under audit, investors, and other financial statement users cannot easily observe the procedures performed by the auditor, and thus the quality of the audit. This leads to a risk that, unbeknownst to the company under audit, investors, or other financial statement users, the auditor may perform a low-quality audit.[77]

    Second, the federal securities laws require that an issuer retain an auditor for the purpose of preparing or issuing an audit report. While the appointment, compensation, and oversight of the work of the registered public accounting firm conducting the audit is, under Sarbanes-Oxley, entrusted to the issuer's audit committee,[78] there is nonetheless a risk that the auditor may seek to satisfy the interests of the company under audit rather than the interests of investors and other financial statement users.[79] This could arise, for example, through audit committee identification with the company or its management (e.g., for compensation) or through management influence over the audit committee's supervision of the auditor, resulting in a de facto principal-agent relationship between the company and the auditor.[80] Effective auditing standards help address these risks by explicitly assigning responsibilities to the auditor that, if executed properly, are expected to result in high-quality audits that satisfy the interests of audited companies, investors, and other financial statement users.

    Economic theory suggests that technology is integral to the auditor's production function—i.e., the quantities of capital and labor needed to produce a given level of audit quality. As technology evolves, so do the quantities of capital and labor needed to produce a given level of audit quality.[81] Auditing standards that do not appropriately accommodate the evolution of technology may therefore inadvertently deter or insufficiently facilitate improvements to the audit approach. Risk-averse auditors may be especially cautious about incorporating significant new technological developments into their audit approaches because they may be either unfamiliar with the technology or unsure whether a new audit approach would comply with the PCAOB's auditing standards. On the other hand, auditing standards that are too accommodative (e.g., by not adequately addressing the reliability of information used in a technology-based analysis) may not sufficiently address potential risks to audit quality arising from new audit approaches.

    As described above, since 2010, when the PCAOB released a suite of auditing standards related to the auditor's assessment of and response to risk, two key technological developments have occurred. First, ERP systems that structure and house large volumes of information in electronic form have become more prevalent among companies. For example, one study reports that the global ERP market size increased by 60% between 2006 and 2012.[82] As a result, auditors have greater access to large volumes of company-produced and third-party information in electronic form that may potentially serve as audit evidence. Second, the use of more sophisticated data analysis tools has become more prevalent among auditors.[83] As noted above, the PCAOB staff's analysis of the tools that firms use in technology-assisted analysis indicated that the number of such tools used by U.S. GNFs in audits increased by 38% between 2018 and 2023.[84] One commenter noted that the advancement of analytical tools has increased auditor capabilities in data preparation and data validation.

    These recent technological developments have been changing the way technology-assisted analysis is used in audits, as discussed in more detail above. Although PCAOB standards related to the auditor's assessment of and response to risk generally were designed to apply to audits that use information technology, they may be less effective in providing direction to auditors if the standards do not address certain advancements in the use of technology-assisted analysis in audits. Modifying existing PCAOB standards through the final amendments addresses this risk, as discussed below. Many commenters, including an investor-related group, indicated there was a need for such standard setting given that the use of information in electronic form, and the use of technology-based tools by companies and their auditors to analyze such information, have expanded significantly since these standards were developed.

    The remainder of this section discusses the specific problem that the final amendments are intended to address and how the amendments address it.

    1. Problem To Be Addressed

    Audit procedures that involve technology-assisted analysis may be an effective way to obtain persuasive audit evidence. Although the Board's research showed that auditors are using technology-assisted analysis to obtain audit evidence, it also indicated that existing PCAOB standards could address more specifically certain aspects of designing and performing audit procedures that involve technology-assisted analysis. As discussed in detail above, these aspects include specifying auditors' responsibilities when performing tests of details, using an audit procedure for more than one purpose, investigating certain items identified by the auditor when performing a test of details, and evaluating the reliability of information the company receives from one or more external sources that is provided to the auditor in electronic form and used as audit evidence.

    Consequently, under existing standards, there is a risk that when using technology-based tools to design and perform audit procedures that involve technology-assisted analysis, an auditor may issue an auditor's report without having obtained sufficient appropriate audit evidence to provide a reasonable basis for the opinion expressed in the report. For example, if an auditor does not appropriately investigate certain items identified through technology-assisted analysis when performing a test of details, the auditor may not identify a misstatement that would need to be evaluated under PCAOB standards. In another example, if an auditor does not appropriately evaluate the level of disaggregation of certain information maintained by the company, the auditor would not be able to determine, under PCAOB standards, whether the evidence obtained is relevant to the assertion being tested.[85]

    Furthermore, there is a risk that auditors may choose not to involve technology-assisted analysis in the audit procedures they perform, even if performing such procedures would be a more effective, and may also be a more efficient, way of obtaining audit evidence. For example, an auditor may choose not to perform a substantive procedure that involves technology-assisted analysis if the auditor cannot determine whether the procedure would be considered a test of details under existing standards.

    2. How the Final Amendments Address the Need

    The final amendments address the risk that the auditor may not obtain sufficient appropriate audit evidence when addressing one or more financial statement assertions. For example, the final amendments: (i) specify considerations for the auditor when items are identified for further investigation as part of performing a test of details; [86] (ii) specify procedures the auditor should perform to evaluate the reliability of information the company receives from one or more external sources and that is provided to the auditor in electronic form and used as audit evidence; [87] and (iii) clarify that if the auditor uses an audit procedure for more than one purpose, the auditor should achieve each objective of the procedure.[88]

    The final amendments also address the risk that auditors may choose not to perform audit procedures involving technology-assisted analysis by: (i) specifying responsibilities when performing tests of details; [89] and (ii) clarifying that an audit procedure may be used for more than one purpose.[90] Collectively, the amendments should lead auditors to perceive less risk of noncompliance with PCAOB standards when using technology-assisted analysis.

    Economic Impacts

    This section discusses the expected benefits and costs of the final amendments and potential unintended consequences. In the proposing release, the Board noted that it expected the economic impact of the amendments, including both benefits and costs, to be relatively modest. Some commenters disagreed with the characterization of costs and benefits as “modest,” stating that both costs and benefits of technology-assisted analysis can be substantial. However, the Board did not attempt to describe the overall costs and benefits of the use of technology-assisted analysis, but rather the marginal impact of the final amendments. It is difficult to quantify the benefits and costs because the final amendments do not require the adoption of any specific tools for technology-assisted analysis or that the auditor perform technology-assisted analysis. Some firms may choose to increase their investments in technology, and others may choose to make minimal changes to their existing audit practices. In general, the Board expects that firms will incur costs to implement or expand the use of technology-assisted analysis if firms determine that the benefits of doing so justify the costs. The Board included qualitative references to the benefits and costs associated with the use of technology-assisted analysis, including those raised by commenters.

    1. Benefits

    The final amendments may lead auditors to design and perform audit procedures more effectively, because they clarify and strengthen requirements of AS 1105 and AS 2301 related to aspects of designing and performing audit procedures that involve technology-assisted analysis. More effective audit procedures may lead to higher audit quality, more efficient audits, lower audit fees, or some combination of the three. To the extent the amendments lead to higher audit quality, they should benefit investors and other financial statement users by reducing the likelihood that the financial statements are materially misstated, whether due to error or fraud.

    An increase in audit quality should in turn benefit investors as they may be able to use the more reliable financial information to improve the efficiency of their capital allocation decisions (e.g., investors may more accurately identify companies with the strongest prospects for generating future risk-adjusted returns and allocate their capital accordingly). Some commenters stated that the proposed amendments would benefit investors and the general public by reducing audit failures. One commenter stated that the analysis in the proposing release appeared to suggest that existing financial information and audits are “less reliable.” The Board's intent was not to suggest that existing audits are unreliable, but rather that the proposed amendments may increase audit quality, which should in turn increase investors' confidence in the information contained in financial statements. In theory, if investors perceive less risk in capital markets generally, their willingness to invest in capital markets may increase, and thus the supply of capital may increase. An increase in the supply of capital could increase capital formation while also reducing the cost of capital to companies.[91] The Board is unable to quantify in precise terms this potential benefit, which would depend both on how audit firms respond to the standard and on how their response affects audit quality, factors that are likely to vary across audit firms and across engagements. Auditors also are expected to benefit from the final amendments because the additional clarity provided by the amendments should reduce regulatory uncertainty and the associated compliance costs. Specifically, the final amendments should provide auditors with a better understanding of their responsibilities, which in turn should reduce the risk that auditors design and perform potentially unnecessary audit procedures (e.g., potentially duplicative audit procedures).

    Most commenters agreed that the proposed amendments would allow auditors to design and perform audit procedures more effectively, ultimately leading to higher quality audits. Some commenters identified specific benefits to audit quality resulting from increased use of technology-assisted analysis, such as the ability to automate some repetitive tasks and to improve the performance of risk assessment procedures and fraud and planning procedures. One commenter stated that the proposed amendments could result in the ineffective use of analytics if there is implicit pressure for firms to adopt technology-assisted analysis without appropriately preparing for its use, and another stated that the proposed amendments may not change the likelihood of not obtaining sufficient appropriate audit evidence. As discussed below, the final amendments are principles-based and are intended to clarify auditors' responsibilities when using technology-assisted analysis.

    The following discussion describes the benefits of key aspects of the final amendments that are expected to impact auditor behavior. To the extent that a firm has already incorporated aspects of the amendments into its methodology, some of the benefits described below would be reduced.[92]

    i. Decreasing the Likelihood of Not Obtaining Sufficient Appropriate Audit Evidence

    The final amendments are expected to enhance audit quality by decreasing the likelihood that an auditor who performs audit procedures using technology-assisted analysis will issue an auditor's report without obtaining sufficient appropriate audit evidence that provides a reasonable basis for the opinion expressed in the report. For example, the final amendments specify auditors' responsibilities for investigating items identified when performing a test of details. In another example, the final amendments specify auditors' responsibilities for evaluating the reliability of certain information provided by the company in electronic form and used as audit evidence. As a result, auditors may be more likely to obtain sufficient appropriate audit evidence when designing and performing audit procedures that use technology-assisted analysis, resulting in higher audit quality. As described above, the higher audit quality should benefit investors and other financial statement users by reducing the likelihood that the financial statements are materially misstated, whether due to error or fraud. These potential benefits to audit quality apply both to audit engagements where auditors currently incorporate technology-assisted analysis into their audit approach and audit engagements where auditors have been previously reluctant to use technology-assisted analysis because of the risk of noncompliance.

    ii. Greater Use of Technology-Assisted Analysis

    The final amendments may lead to some increase in the use of technology-assisted analysis by auditors when designing and performing multi-purpose audit procedures and tests of details. For example, the final amendments clarify the description of a “test of details.” As a result of this clarification, auditors may make greater use of technology-assisted analysis when designing or performing tests of details because they may perceive a reduction in noncompliance risk.

    Notwithstanding the associated fixed and variable costs, greater use of technology-assisted analysis by the auditor when designing or performing audit procedures may allow the auditor to perform engagements with fewer resources, which may increase the overall resources available to perform audits.[93] In economic terms, it may increase the supply of audit quality.[94] For example, obtaining sufficient appropriate audit evidence by using technology-assisted analysis may require fewer staff hours than obtaining the evidence manually. Current labor shortages of qualified individuals and decreases in accounting graduates and new CPA examination candidates amplify the value of gathering sufficient appropriate audit evidence with fewer staff hours.[95]

    Apart from consideration of demands from the audited company, discussed in greater detail below, the efficiencies that may arise from greater utilization of technology-assisted analysis would be retained by the auditor in the form of higher profit. However, to better address regulatory, litigation, or reputational risks, the auditor may choose to redeploy engagement-level resources to other work. For example, auditors may shift staff resources to audit areas or issues that are more complex or require more professional judgment.[96]

    As a result of the greater use of technology-assisted analysis by auditors, some companies may be able to obtain a higher level of audit quality or renegotiate their audit fee, or both. The outcome would likely vary by company depending on the competitiveness of the company's local audit market and the company's audit quality expectations. For example, negotiating power may be smaller for larger multinational companies, which may have fewer auditor choices, than for smaller companies, which may have more auditor choices. Furthermore, some companies may expect their auditor to reassign engagement team staff resources from repetitive or less complex audit procedures to more judgmental aspects of the audit. Other companies may expect the engagement team to perform the audit with fewer firm resources (e.g., fewer billable hours). Some research suggests that most companies prefer audit fee reductions in response to their auditor's greater use of data analytics.[97]

    Because the final amendments do not require the auditor to use technology-assisted analysis when designing and performing audit procedures, the associated benefits would likely be limited to cases where auditors determine that their benefits justify their costs, including any fixed costs required to update the auditor's approach (e.g., update methodologies, provide training). The fixed costs may be significant; however, some firms may have incurred some of these costs already.[98] Moreover, despite the continued tendency of companies to adopt ERP systems to house their accounting and financial reporting data, some companies' data may remain prohibitively difficult to obtain and analyze, thus limiting the extent to which the auditor can use technology-assisted analysis.[99] Some survey research also suggests that some firms lack sufficient staff resources to appropriately deploy data analysis.[100] Collectively, these private costs may deter some auditors from incorporating technology-assisted analysis into their audit approach and thereby reduce the potential benefits associated with greater use of technology-assisted analysis.

    Some commenters suggested that audit fees are unlikely to decrease as a result of increased use of technology-assisted analysis due primarily to the costs involved with using technology-assisted analysis. One commenter stated that the Board's analysis in the proposal focused on reducing costs (which could put downward pressure on audit fees), and suggested that the analysis should focus instead on enabling auditors to shift resources to higher risk areas of the audit, which should increase audit quality. Another commenter urged the PCAOB not to include commentary that relates the greater use of technology-assisted analysis to lower audit fees on the grounds that the proposing release underestimated the costs to smaller firms of designing, implementing, and operating technology-assisted analysis. The commenter added that such commentary could have the unintended effect of encouraging firms to reduce costs and therefore choose to use analytics ineffectively or choose not to implement technology-assisted analysis. A different commenter noted that the “supposition that efficiencies would accrue to the firms, potentially impacting audit efficiencies or even audit fees, is beyond the Board's charge of improving audit quality.” The Board acknowledged that there can be significant costs associated with the use of technology-assisted analysis, particularly with the initial implementation of technology-assisted analysis tools, which some firms may pass on to audited companies in the form of higher audit fees, at least in the short term. However, the Board noted that the final amendments do not require the use of technology-assisted analysis, and academic studies suggest that greater use of data analytics could reduce audit fees.[101]

    One commenter stated that the PCAOB should be “agnostic” about the use of audit technology and should focus on audit quality rather than audit efficiency. The Board believes that the PCAOB's focus on audit quality does not preclude it from considering the effect of audit efficiency on the Board's stakeholders. Furthermore, audit efficiencies in one area may allow auditors to redeploy resources to other audit areas that are more complex or require more professional judgment, resulting in increased audit quality.

    2. Costs

    To the extent that firms make changes to their existing audit approaches as a result of the final amendments, they may incur certain fixed costs (i.e., costs that are generally independent of the number of audits performed), including costs to: update audit methodologies, templates, and tools; prepare training materials; train their staff; and develop or purchase software. GNFs and some NAFs are likely to update their methodologies using internal resources, whereas other NAFs are likely to purchase updated methodologies from external vendors.

    In addition, firms may incur certain engagement-level variable costs. For example, the final amendments related to evaluating whether certain information provided by the company in electronic form and used as audit evidence is reliable could require additional time and effort by engagement teams that use such information in performing audit procedures. This additional time, and therefore the resulting variable costs, may be less on integrated audits or financial-statement audits that take a controls reliance approach because, in these cases, internal controls over the information, including ITGCs and automated application controls, may already be tested. As another example, some firms may incur software license fees that vary by the number of users. To the extent that auditors incur higher costs to implement the amendments and can pass on at least part of the increased costs through an increase in audit fees, audited companies may also incur an indirect cost.

    Some commenters stated that they do not believe the fixed and variable cost increases will be modest as stated in the proposal, and that the evolution of technology-assisted analysis may render tools and training obsolete, requiring renewed investment at regular intervals. One of these commenters referenced increased resource costs such as the need to investigate items identified through technology-assisted analysis. One commenter stated that the proposing release mischaracterized the costs to NAFs of implementing technology-assisted analysis. This commenter noted that costs could include a learning curve for new technology adoption, increased costs of hiring engagement team members with appropriate skill sets, obtaining reliable data, and the development or purchase of software tools. Another stated that some audit firms already use technology, so both costs and benefits would be modest for those firms. As the Board discussed in the proposal and as reiterated above, the final amendments do not require the use of technology-assisted analysis. Therefore, the costs discussed by these commenters would occur only if firms determined it was in their best interest to incur them.

    Some aspects of the final amendments may result in more or different costs than others. The following discussion describes the potential costs associated with specific aspects of the amendments.

    i. Potential Additional Audit Procedures and Implementation Costs

    The final amendments clarify and specify auditor responsibilities when designing and performing audit procedures that involve technology-assisted analysis. As a result, some auditors may perform incremental procedures to comply with the final amendments, which may lead to incremental costs. For example, in addition to applying technology-assisted analysis when testing specific items in the population, some auditors may address the items not selected for testing by performing other substantive procedures if the auditor determines that there is a reasonable possibility of a risk of material misstatement in the items not selected for testing (i.e., the remaining population). To the extent that auditors currently do not fulfill their responsibilities under existing PCAOB standards related to the remaining population when there is a reasonable possibility of a risk of material misstatement, those firms may incur one-time costs to update firm methodologies and ongoing costs related to fulfilling their responsibilities. In another example, an auditor may determine that incremental procedures are necessary to evaluate the reliability of external information provided by the company in electronic form. These incremental procedures may apply to audit engagements where auditors currently incorporate technology-assisted analysis into their audit approach, and audit engagements where auditors have been reluctant to use technology-assisted analysis due to the risk of noncompliance.

    At the firm level, some firms may incur relatively modest fixed costs to update their methodologies and templates (e.g., documentation templates) or customize their technology-based tools. Firms may also need to prepare training materials and train their staff. Firms may incur relatively modest variable costs if they determine that additional time and effort on an individual audit engagement is necessary in order to comply with the final amendments. For example, a firm may incur additional variable costs to investigate items identified when performing a test of details.

    ii. Greater Use of Technology-Assisted Analysis

    As discussed above, the final amendments do not require the use of technology-assisted analysis in an audit. However, as noted above, the final amendments may lead to some increase in the use of technology-assisted analysis by auditors when designing and performing multi-purpose audit procedures and tests of details. The greater use of technology-assisted analysis by the auditor may allow the auditor to perform engagements with fewer resources. However, this potential efficiency benefit would likely be offset, in part, by fixed and variable costs to the audit firm. Fixed costs may be incurred to incorporate technology-assisted analysis into the audit approach. For example, some firms may purchase, develop, or customize new tools.[102] Some firms may choose to hire programmers to develop tools internally. Firms may also incur fixed costs to obtain an understanding of companies' information systems.[103] Some commenters stated that the costs to research, develop, and implement technology-assisted analysis can be significant. They also stated that rapid technological advancements require continual investment by audit firms to keep pace. Because the final amendments do not require the adoption of technology-assisted analysis, any such investments by firms would be made only if they determine that the benefits justify the costs.

    Relatively modest variable costs may be incurred to use technology-assisted analysis on individual audit engagements. For example, firms may incur variable costs associated with preparing company data for analysis or updating their technology-based tools. Several commenters stated that there are costs associated with obtaining or preparing data in a format that can be utilized by specific tools for technology-assisted analysis. In another example, a firm may incur variable costs to obtain specialized expertise for using technology-assisted analysis on audit engagements. For example, a firm data analytics specialist may be used on an audit engagement to automate certain aspects of data preparation or design and perform a custom technology-assisted analysis. One commenter noted that the investigation of items identified by technology-assisted analysis requires resources such as the involvement of personnel who are skilled in interpreting the results of technology-assisted analysis. As a result, according to the commenter, the use of technology-assisted analysis may not necessarily reduce costs and may increase costs. As discussed above, auditors may increase audit fees due to costs associated with the use of technology-assisted analysis, passing along some of those costs to audited companies.

    Several factors may limit the costs associated with greater use of technology-assisted analysis in an audit. First, the costs would likely be incurred by a firm only if it determined that the private benefits to it would exceed the private costs. Second, some firms have already made investments to incorporate technology-assisted analysis in audits. Finally, the cost of software that can process and analyze large volumes of data has been decreasing.[104]

    3. Potential Unintended Consequences

    In addition to the benefits and costs discussed above, the final amendments could have unintended economic impacts. The following discussion describes potential unintended consequences considered by the Board and, where applicable, factors that mitigate them. These include actions taken by the Board as well as the existence of other countervailing forces.

    i. Reduction in the Use of Technology-Assisted Analysis

    It is possible that, as a result of the final amendments, some auditors could reduce their use of technology-assisted analysis. This could occur if the final amendments were to lead firms to conclude that the private benefits would not justify the private costs of involving technology-assisted analysis in their audit approach. For example, the final amendments specify considerations for investigating items identified by the auditor when performing a test of details and procedures for evaluating the reliability of certain information the company receives from one or more external sources and used as audit evidence. As discussed above, such additional responsibilities could lead to fixed costs at the firm level and variable costs at the engagement level. As a result, some auditors may choose not to use audit procedures that involve technology-assisted analysis.

    Several factors would likely mitigate any negative effects associated with this potential unintended consequence. First, the Board believes that any decrease in the use of technology-assisted analysis would likely arise from a reduction in the performance of audit procedures that would not have contributed significantly to providing sufficient appropriate audit evidence. This development would therefore probably benefit, rather than detract from, audit quality. For example, currently some auditors might not appropriately investigate items identified when using technology-assisted analysis in performing tests of details. The amendments specify auditors' responsibilities for investigating the items identified. If auditors view the requirement as too costly to implement, they may instead choose to perform audit procedures that do not involve the use of technology-assisted analysis. If the other procedures chosen by the auditor provide sufficient appropriate audit evidence, the reduction in the performance of audit procedures that involve technology-assisted analysis (where auditors did not appropriately investigate items identified) would benefit audit quality.

    Second, any reduction in the use of technology-assisted analysis resulting from certain of the amendments, such as in the above scenario, may be offset by the greater use of technology-assisted analysis in other scenarios. For example, as discussed above, the final amendments clarify the description of a “test of details.” As a result, auditors may make greater use of technology-assisted analysis in performing tests of details because they may perceive a reduction in noncompliance risk.

    Finally, because the final amendments are principles-based, auditors will be able to tailor their work subject to the amendments to the facts and circumstances of the audit. For example, the amendments do not prescribe procedures for investigating items identified when performing a test of details. Rather, the auditor will be able to structure the investigation based on, among other things, the type of analysis and the assessed risks of material misstatement.[105]

    Some commenters stated that the proposed amendments could potentially deter auditors from using technology-assisted analysis; in contrast, others said that the proposed amendments could potentially pressure auditors to use technology-assisted analysis. As outlined above, the final amendments, consistent with the proposal, do not require the use of technology-assisted analysis, and the Board believes that auditors will use technology-assisted analysis to the extent that it allows them to perform audit procedures in a more efficient or effective manner. Some commenters expressed appreciation for PCAOB standards that allow auditors to employ appropriate audit procedures based on the facts and circumstances of the audit engagement. They agreed with the scalable, principles-based approach that allows for use of technology-assisted analysis to the extent that it is effective and efficient, taking into consideration the firm size, company size, and other circumstances of the audit engagement.

    ii. Inappropriately Designed Multi-Purpose Audit Procedures

    It is possible that some auditors could view the final amendments as allowing any audit procedure that involves technology-assisted analysis to be considered a multi-purpose procedure. Auditors who hold this view may fail to design and perform audit procedures that provide sufficient appropriate audit evidence. This potential unintended consequence would be mitigated by: (i) existing requirements of PCAOB standards; and (ii) the amendment to paragraph .14 of AS 1105.

    Existing PCAOB standards address auditors' responsibilities for designing and performing procedures to identify, assess, and respond to risks of material misstatement and obtaining sufficient appropriate audit evidence.[106] Auditor responsibilities established by existing PCAOB standards apply to the performance of both audit procedures that are designed to achieve a single objective and audit procedures that are designed to achieve multiple objectives. Further, existing standards specify auditor responsibilities in certain scenarios that involve multi-purpose audit procedures. For example, existing PCAOB standards provide that an audit procedure may serve as both a risk assessment procedure and a test of controls provided that the auditor meets the objectives of both procedures.[107] In another example, existing PCAOB standards provide that audit procedures may serve as both a test of controls and a substantive procedure provided that the auditor meets the objectives of both procedures.[108]

    In addition, the amendment to paragraph .14 of AS 1105 would further mitigate the risk that auditors fail to design and perform multi-purpose audit procedures. The amendment would emphasize the auditor's responsibility to achieve particular objectives specified in existing PCAOB standards when using audit evidence from an audit procedure for multiple purposes.

    iii. Disproportionate Impact on Smaller Firms

    It is possible that the costs of the final amendments could disproportionately impact smaller firms. As discussed in Section IV.C.2 above, increased use of technology-assisted analysis may require incremental investment and specialized skills. Smaller firms have fewer audit engagements over which to distribute fixed costs (i.e., they lack economies of scale). As a result, smaller firms may be less likely than larger firms to increase their use of technology-assisted analysis when designing and performing multi-purpose audit procedures and tests of details. Although the final amendments do not require auditors to use technology-assisted analysis, a choice not to use it may negatively impact smaller firms' ability to compete with larger firms (e.g., if using technology-assisted analysis is expected by prospective users of the auditor's report). One commenter stated that the costs of using technology-assisted analysis could be significant and cause audits performed by small and mid-sized accounting firms to be uneconomical.

    This potential unintended negative consequence would be mitigated by several factors. First, the fixed costs associated with the amendments may be offset by engagement-level efficiencies which may increase the competitiveness of smaller firms. Second, as discussed above, the costs associated with acquiring and incorporating technology-based analytical tools into firms' audit approaches have been decreasing and may continue to decrease. Third, while reduced competition may result in higher audit fees,[109] it may also reduce companies' opportunity to opinion shop, thereby positively impacting audit quality.[110] In contrast, some literature suggests that reduced competition may have a negative effect on audit quality.[111]

    Finally, any negative impact on the smaller firms' ability to compete with larger firms would likely be limited to smaller and mid-sized companies because smaller firms may lack the economies of scale and multi-national presence to compete for the audits of larger companies. Indeed, there is some evidence that smaller and larger audit firms do not directly compete with each other in some segments of the audit market,[112] although some research suggests that smaller and larger firms do compete locally in some cases.[113]

    Alternatives Considered

    The development of the final amendments involved considering numerous alternative approaches to addressing the problems described above. This section explains: (i) why standard setting is preferable to other policy-making approaches, such as providing interpretive guidance or enhancing inspection or enforcement efforts; (ii) other standard-setting approaches that were considered; and (iii) key policy choices made by the Board in determining the details of the amendments.

    1. Why Standard Setting Is Preferable to Other Policy-Making Approaches

    The Board's policy tools include alternatives to standard setting, such as issuing interpretive guidance or increasing the focus on inspections or enforcement of existing standards. The Board considered whether providing guidance or enhancing inspection or enforcement efforts would be effective mechanisms to address concerns associated with aspects of designing and performing audit procedures that involve technology-assisted analysis. One commenter stated that PCAOB staff guidance would be preferable to standard setting to communicate the requirements. Several commenters stated that additional guidance and examples would be helpful for auditors when applying existing standards and the proposed amendments when performing audit procedures that involve technology-assisted analysis.

    Interpretive guidance inherently provides additional information about existing standards. Inspection and enforcement actions take place after insufficient audit performance (and potential investor harm) has occurred. Devoting additional resources to interpretive guidance, inspections, or enforcement activities, without improving the relevant performance requirements for auditors, would at best focus auditors' performance on existing standards and would not provide the benefits associated with improving the standards, which are discussed above.

    The amendments, by contrast, are designed to improve PCAOB standards by adding further clarity and specificity to existing requirements. For example, the amendments specify auditor responsibilities for evaluating the reliability of external information provided by the company in electronic form and used as audit evidence. In another example, the amendments clarify auditor responsibilities when the auditor uses an audit procedure for more than one purpose.

    2. Other Standard-Setting Approaches Considered

    The Board considered, but decided against, developing a standalone standard that would address designing and performing audit procedures that involve technology-assisted analysis. Addressing the use of technology-assisted analysis in a standalone standard could further highlight the auditor's responsibilities relating to using technology-assisted analysis. However, a new standalone standard would also unnecessarily duplicate many of the existing requirements, because existing PCAOB standards are already designed to be applicable to audits performed with the use of technology, including technology-assisted analysis.

    Further, as the discussion above explains in greater detail, the Board's research indicates that auditors are using technology-assisted analysis in audit procedures. Rather than developing a new standalone standard, the final amendments use a more targeted approach that includes amending certain requirements of the standards where the Board's research has indicated the need for providing further clarity and specificity regarding designing and performing audit procedures that involve technology-assisted analysis.

    3. Key Policy Choices

    i. Investigating Certain Items Identified by the Auditor

    As discussed above, auditors may use technology-assisted analysis to identify items within a population (e.g., transactions in an account) for further investigation when performing a test of details.[114] The auditor's investigation may include, for example, examining documentary evidence for items identified through the analysis, or designing and performing other audit procedures to determine whether the items identified individually or in the aggregate indicate misstatements or deficiencies in the company's internal control over financial reporting.

    The Board considered but did not prescribe specific audit procedures to investigate items identified by the auditor in the way described in the above examples. Instead, the final amendments specify that audit procedures that the auditor performs to investigate the identified items are part of the auditor's response to the risk of material misstatement. The auditor determines the nature, timing, and extent of such procedures in accordance with PCAOB standards. The Board also considered, but did not prescribe, specific audit procedures to address items not selected for a test of details (i.e., remaining items in the population) when the auditor's means of selecting items was selecting specific items. Although certain audit procedures may be effective to address the assessed risk under certain circumstances, other audit procedures may be more effective under different circumstances. Because of the wide range of both the analyses that the auditor may perform to identify items for further investigation, and the potentially appropriate audit procedures that the auditor may perform to investigate them, the Board believes that an overly prescriptive standard could in certain cases lead auditors to perform audit procedures without considering the facts and circumstances of the audit engagement.

    ii. Describing a New Specific Audit Procedure

    The Board considered, but did not describe (or define), technology-assisted analysis or similar terms (e.g., data analysis or data analytics) in AS 1105 as a new specific audit procedure. Although describing technology-assisted analysis as a specific audit procedure might clarify certain auditor responsibilities, it could also create confusion and unnecessarily constrain the potential use of such analyses in the audit. As the Board's research indicates, and as commenters have stated, auditors already incorporate technology-assisted analysis in various types of audit procedures (e.g., inspection, recalculation, reperformance, analytical procedures) that are used for various purposes (e.g., identifying risk or responding to risk). In addition, describing technology-assisted analysis or similar terms would present challenges because the meaning of such terms may vary depending on the context and may further evolve as technology evolves.

    iii. Requiring Auditors' Use of Technology

    The final amendments, consistent with existing PCAOB standards, are principles-based and are intended to be applicable to all audits conducted under PCAOB standards. An investor-related group commented that the Board should consider requiring that auditors use certain types of technology-based tools that financial research and investment management firms have used to assess and verify the accuracy and completeness of financial statements, in order to improve audit quality and help detect fraud. In contrast, some commenters noted that requiring the use of certain technology could have unintended consequences for smaller companies and affect the ability of smaller firms to compete. As one commenter noted, clients of small and mid-sized accounting firms may rely on other processes appropriate to their size to manage their operations and financial reporting, and the use of technology-assisted analysis may not be as cost-effective in those circumstances. Another commenter noted that it is important that PCAOB standards continue to enable auditors to employ audit procedures that are appropriate based on the engagement-specific facts and circumstances, recognizing that technology-assisted analysis may not be the most effective option and therefore its use should not be expected on all audits. That commenter emphasized the need for the proposed amendments to be scalable for firms (and the companies they audit) of all sizes and with varying technological resources. Several other commenters stated that the principles-based nature of the proposed amendments was important, so that they can be applicable to all PCAOB-registered firms and the audits they conduct under PCAOB standards, regardless of the size of the firm or complexity of the issuer.

    The Board considered the views of commenters, including those of investors, and the Board decided not to require auditors' use of technology as part of these amendments, which would have been outside the scope of the project. Maintaining a principles-based approach to these amendments is appropriate due to the ever-evolving nature of technology; requiring the use of specific types of technology, based on how they are used currently, could quickly become outdated. In addition, as discussed above, the Board's Technology Innovation Alliance Working Group continues to advise the Board on the use of emerging technologies by auditors and preparers relevant to audits and their potential impact on audit quality. These ongoing activities may inform future standard-setting projects.

    Application of the Proposed Rules to Audits of Emerging Growth Companies

    Pursuant to section 104 of the Jumpstart Our Business Startups (“JOBS”) Act, rules adopted by the Board subsequent to April 5, 2012, generally do not apply to the audits of emerging growth companies (i.e., EGCs), as defined in section 3(a)(80) of the Exchange Act, unless the SEC “determines that the application of such additional requirements is necessary or appropriate in the public interest, after considering the protection of investors, and whether the action will promote efficiency, competition, and capital formation.”[115] As a result of the JOBS Act, the rules and related amendments to PCAOB standards that the Board adopts are generally subject to a separate determination by the SEC regarding their applicability to audits of EGCs.

    To inform consideration of the application of auditing standards to audits of EGCs, the PCAOB staff prepares a white paper annually that provides general information about characteristics of EGCs.[116] As of the November 15, 2022, measurement date in the February 2024 EGC White Paper, PCAOB staff identified 3,031 companies that self-identified with the SEC as EGCs and filed with the SEC audited financial statements in the 18 months preceding the measurement date.[117]

    As discussed above, auditors are expanding the use of technology-assisted analysis in audits. The final amendments, as discussed above, address aspects of designing and performing audit procedures that involve technology-assisted analysis. The proposed rules are principles-based and are intended to be applied in all audits performed pursuant to PCAOB standards, including audits of EGCs.

    The discussion of benefits, costs, and unintended consequences of the proposed rules above is generally applicable to all audits performed pursuant to PCAOB standards, including audits of EGCs. The economic impacts on an individual EGC audit would depend on factors such as the auditor's ability to distribute implementation costs across its audit engagements, whether the auditor has already incorporated technology-assisted analysis into its audit approach, and electronic information acquisition challenges (e.g., information availability, legal restrictions, or privacy concerns). EGCs are more likely to be newer companies, which are typically smaller in size and receive lower analyst coverage. These factors may increase the importance to investors of the higher audit quality resulting from the proposed rules, as high-quality audits generally enhance the credibility of management disclosures.[118]

    However, as discussed above, the use of technology-assisted analysis appears to be less prevalent among NAFs than GNFs. Therefore, since EGCs are more likely than non-EGCs to be audited by NAFs, the impacts of the proposed rules on EGC audits may be less than on non-EGC audits.[119]

    The proposed rules could impact competition in an EGC's product market if the indirect costs to audited companies disproportionately impact EGCs relative to their competitors. However, as discussed above, the costs associated with the proposed rules are expected to be relatively modest. Therefore, the impact of the proposed rules on competition, if any, is likewise expected to be limited.

    Overall, the proposed rules are expected to enhance the efficiency and quality of EGC audits that implement technology-assisted analysis and contribute to an increase in the credibility of financial reporting by those EGCs. To the extent the proposed rules improve EGCs' financial reporting quality, they may also improve the efficiency of capital allocation, lower the cost of capital, and enhance capital formation. For example, higher financial reporting quality may allow investors to more accurately identify companies with the strongest prospects for generating future risk-adjusted returns and reallocate their capital accordingly. Investors may also perceive less risk in EGC capital markets generally, leading to an increase in the supply of capital to EGCs. This may increase capital formation and reduce the cost of capital to EGCs. We are unable to quantify in precise terms this potential benefit, which would depend both on how audit firms respond to the standard and on how their response affects audit quality, factors that are likely to vary across audit firms and across engagements.

    Furthermore, if certain of the proposed rules did not apply to the audits of EGCs, auditors would need to address differing audit requirements in their methodologies, or policies and procedures, with respect to audits of EGCs and non-EGCs. This could create the potential for additional confusion.

    Two commenters on the proposal specifically supported the application of the amendments to EGCs. One of those commenters stated that excluding EGCs from the proposal would be inconsistent with protecting the public interest.

    Accordingly, and for the reasons explained above, the Board will request that the Commission determine that it is necessary or appropriate in the public interest, after considering the protection of investors and whether the action will promote efficiency, competition, and capital formation, to apply the proposed rules to audits of EGCs.

    III. Date of Effectiveness of the Proposed Rules and Timing for Commission Action

    Within 45 days of the date of publication of this notice in the Federal Register or within such longer period (i) as the Commission may designate up to 90 days of such date if it finds such longer period to be appropriate and publishes its reasons for so finding or (ii) as to which the Board consents, the Commission will:

    (A) By order approve or disapprove such proposed rules; or

    (B) Institute proceedings to determine whether the proposed rules should be disapproved.

    IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rules are consistent with the requirements of Title I of the Act. Comments may be submitted by any of the following methods:

    Electronic Comments

    Paper Comments

    • Send paper comments in triplicate to Vanessa A. Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.

    All submissions should refer to PCAOB-2024-03. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website (https://www.sec.gov/rules/pcaob). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rules that are filed with the Commission, and all written communications relating to the proposed rules between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. Copies of such filing will also be available for inspection and copying at the principal office of the PCAOB. Do not include personal identifiable information in submissions; you should submit only information that you wish to make available publicly.

    We may redact in part or withhold entirely from publication submitted material that is obscene or subject to copyright protection. All submissions should refer to PCAOB-2024-03 and should be submitted on or before July 23, 2024.

    For the Commission, by the Office of the Chief Accountant.

    Sherry R. Haywood,

    Assistant Secretary.

    Footnotes

    1.  In this document, the term “information in electronic form” encompasses items in electronic form that are described in PCAOB standards using terms such as “information,” “data,” “documents,” “records,” “accounting records,” and “company's financial records.”

    2.  In this release, the term “tool” refers to specialized software that is used on audit engagements to examine, sort, filter, and analyze transactions and information used as audit evidence or which otherwise generates information that aids auditor judgment in the performance of audit procedures. Spreadsheet software itself without specific programming is not inherently a tool, but a spreadsheet may be built to perform the functions of a tool (examining, sorting, filtering, etc.), in which case it is included within the scope of this term. The PCAOB staff's analysis was limited to tools classified or described by the firms as data analytic tools. Tools may be either purchased by a firm or developed by a firm.

    4.  In this release, the terms “data analysis” or “data analytics” are used synonymously.

    5.  Proposed Amendments Related to Aspects of Designing and Performing Audit Procedures that Involve Technology-Assisted Analysis of Information in Electronic Form, PCAOB Rel. No. 2023-004 (June 26, 2023) (“proposal” or “proposing release”).

    6.   See AS 1105.13.

    7.   See AS 1105.15-.21.

    8.  See AS 2305, Substantive Analytical Procedures.

    9.   See AS 1105.14.

    10.   See AS 1105.22-.27.

    11.  See AS 2315, Audit Sampling.

    12.   See AS 1105.02.

    13.   See AS 1105.04-.06.

    14.   See AS 1105.07-.08.

    15.   See AS 1105.10.

    16.   See also further discussion below.

    18.   See Proposing Release at 12 for additional discussion of investors' concerns.

    19.  See, e.g., PCAOB, Spotlight: Staff Update and Preview of 2020 Inspection Observations (Oct. 2021), at 9, PCAOB, Spotlight: Staff Update and Preview of 2021 Inspection Observations (Dec. 2022), at 15, and PCAOB, Spotlight: Staff Update and Preview of 2022 Inspection Observations (July 2023), at 12, available at https://pcaobus.org/resources/staff-publications.

    20.  Other PCAOB standard-setting projects may address other aspects of firms' and auditors' use of technology in performing audits. For example, see paragraphs .44h, .47h, and .51 of QC 1000, A Firm's System of Quality Control, PCAOB Rel. No. 2024-005 (May 13, 2024), which discusses a firm's responsibilities related to technological resources.

    22.   See AS 2301.36.

    23.   See AS 1105.13.b(2).

    24.   See AS 2301.11 and .13 (specifying the auditor's responsibilities for responses to significant risks, which include fraud risks).

    25.   See AS 2305.09.

    26.   See AS 2315.25.

    27.   See discussion below.

    28.  The Board has a separate standard-setting project on its short-term standard-setting agenda (https://pcaobus.org/oversight/standards/standard-setting-research-projects) related to substantive analytical procedures. In connection with that project, the Board has proposed changes to the auditor's responsibilities regarding the use of substantive analytical procedures, including the requirements described in AS 2305 and AS 1105. See Proposed Auditing Standard—Designing and Performing Substantive Analytical Procedures and Amendments to Other PCAOB Standards, PCAOB Rel. No. 2024-006 (June 12, 2024) (included in PCAOB Rulemaking Docket No. 56).

    29.   See AS 2305.20-.21 (providing that the auditor should evaluate significant unexpected differences when performing a substantive analytical procedure). See also PCAOB Rel. No. 2024-006 (proposing amendments to AS 2305).

    30.   See AS 1105.17 and AS 2301.39.

    31.  For example, in a test of revenue, the auditor may discover that the identified differences between customer invoices and payments are caused by variations in the exchange rate, but such differences are both in accordance with the terms of the customer contracts and appropriately accounted for by the company. In this example, grouping the differences for the purpose of performing additional procedures may be appropriate.

    32.  For example, in circumstances where the identified items are unrelated to each other, it may not be appropriate for the auditor to group these items for the purpose of performing additional procedures.

    33.   See AS 1105.25-.27.

    34.   See AS 2110.

    35.   See AS 2301.08 and .36.

    36.   See AS 2301.40.

    37.   See AS 1215.04-.06.

    38.   See AS 1105.14.

    39.  This interpretation was highlighted in a 2020 PCAOB staff publication. See PCAOB, Spotlight: Data and Technology Research Project Update (May 2020), at 4, available at https://pcaobus.org/Documents/Data-Technology-Project-Spotlight.pdf.

    40.   See, e.g., AS 2110.39 (“The auditor may obtain an understanding of internal control concurrently with performing tests of controls if he or she obtains sufficient appropriate evidence to achieve the objectives of both procedures”) and AS 2301.47 (discussing performance of a substantive test of a transaction concurrently with a test of a control relevant to that transaction (a “dual-purpose test”)).

    41.   See AS 1105.02.

    42.   See, e.g., AS 2110.74 and AS 2301.46.

    43.   See AS 1215.04-.06.

    44.   See AS 1215.04.

    45.  Examples referenced by commenters included examples issued by the AICPA in AU-C 500, Audit Evidence.

    46.   See Proposing Release at 19.

    47.  For example, the company may receive information from a customer in the form of a purchase order and provide that information to the auditor in electronic form.

    48.   See AS 2110.28.

    49.   See, e.g., AS 1105.08, AS 2110.25 and .B1-.B6, and AS 2301.32-.34.

    50.  See AS 1105.06 and AS 1105.08. See also PCAOB, Staff Guidance—Insights for Auditors Evaluating the Relevance and Reliability of Audit Evidence Obtained From External Sources (Oct. 2021), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/standards/documents/evaluating-relevance-and-reliability-of-audit-evidence-obtained-from-external-sources.pdf?sfvrsn=48b638b_6.

    51.  See AS 2601 for the auditor's requirements related to the use of a service organization. The Board has a separate standard-setting project on its mid-term standard-setting agenda (https://pcaobus.org/oversight/standards/standard-setting-research-projects) related to the use of a service organization, which may result in changes to AS 2601 and the auditor's responsibilities regarding the use of a service organization.

    52.   See, e.g., AS 2301.17.

    53.   See generally AS 2301.09(a), .18, and .39.

    54.   See existing AS 1105.08.

    55.   See, e.g., AS 2301.17.

    56.  See, e.g., PCAOB, Staff Guidance—Insights for Auditors Evaluating the Relevance and Reliability of Audit Evidence Obtained From External Sources (Oct. 2021) at 5, available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/standards/documents/evaluating-relevance-and-reliability-of-audit-evidence-obtained-from-external-sources.pdf?sfvrsn=48b638b_6.

    57.  As noted above, this release uses the term “technology-assisted analysis” in reference to the analysis of information in electronic form that is performed with the assistance of technology-based tools. Others, including firms and academics, may refer to such analysis as “data analysis” or “data analytics.” The Board's use of “data analysis” or “data analytics” was intended to align with terminology used by the source cited. The terms “data analysis” or “data analytics” should not be confused with the term “analytical procedures” that is used in PCAOB standards to refer to a specific type of audit procedure (see AS 1105.21) that may be performed with or without the use of information in electronic form or technology-based data analysis tools.

    58.  The U.S. GNFs are BDO USA P.C., Deloitte & Touche LLP, Ernst & Young LLP, Grant Thornton LLP, KPMG LLP, and PricewaterhouseCoopers LLP. U.S. NAF firms include registered firms that are not global network firms.

    59.  For example, some firms identified Microsoft Power BI and IDEA as tools used for data visualization, summarization, tabulation, or modelling.

    60.  Due to changes in the data collection process and changes in firms' status as annually inspected, data is not available for all firms in all years. The overall 2023 estimate is based on data from seven U.S. NAFs, and the 2020-2023 trend data is based on data from five U.S. NAFs.

    61.  Several of the referenced papers report the results of experiments examining the behavioral factors associated with auditors' use of data analytics. These papers consider nuances of auditor behavior in specific circumstances that may not be generalizable to other settings because the results are based on hypothetical, self-reported choices rather than real-world audit settings. However, their results may be useful for auditors to consider in their use and implementation of technology-assisted analysis. See Tongrui Cao, Rong-Ruey Duh, Hun-Tong Tan, and Tu Xu, Enhancing Auditors' Reliance on Data Analytics Under Inspection Risk Using Fixed and Growth Mindsets, 97 The Accounting Review 131 (2022). See also Jared Koreff, Are Auditors' Reliance on Conclusions from Data Analytics Impacted by Different Data Analytic Inputs?, 36 Journal of Information Systems 19 (2022). See also Dereck Barr-Pulliam, Joseph Brazel, Jennifer McCallen, and Kimberly Walker, Data Analytics and Skeptical Actions: The Countervailing Effects of False Positives and Consistent Rewards for Skepticism, available at SSRN 3537180 (2023). See also Dereck Barr-Pulliam, Helen L. Brown-Liburd, and Kerri-Ann Sanderson, The Effects of the Internal Control Opinion and Use of Audit Data Analytics on Perceptions of Audit Quality, Assurance, and Auditor Negligence, 41 Auditing: A Journal of Practice & Theory 25 (2022).

    62.   See Ashley A. Austin, Tina D. Carpenter, Margaret H. Christ, and Christy S. Nielson, The Data Analytics Journey: Interactions Among Auditors, Managers, Regulation, and Technology, 38 Contemporary Accounting Research 1888 (2021). The survey also states:

    [A]uditors report that they strategically leverage data analytics to provide clients with business-related insights. However, regulators voice concerns that this practice might impair auditor independence and reduce audit quality.

    The final amendments are not intended to suggest that when using technology-assisted analysis in an audit, auditors do not need to comply with PCAOB independence standards and rules, and the independence rules of the SEC. Auditors are still expected to comply with these standards and rules when using technology-assisted analysis on an audit engagement.

    63.   See Aasmund Eilifsen, Finn Kinserdal, William F. Messier, Jr., and Thomas E. McKee, An Exploratory Study into the Use of Audit Data Analytics on Audit Engagements, 34 Accounting Horizons 75 (2020). The survey appears to have been performed around 2017-2018.

    64.   See Angela Liew, Peter Boxall, and Denny Setiawan, The Transformation to Data Analytics in Big-Four Financial Audit: What, Why and How?, 34 Pacific Accounting Review 569 (2022).

    65.   See Michael Kend and Lan Anh Nguyen, Big Data Analytics and Other Emerging Technologies: The Impact on the Australian Audit and Assurance Profession, 30 Australian Accounting Review 269 (2020).

    66.   See Isam Saleh, Yahya Marei, Maha Ayoush, and Malik Muneer Abu Afifa, Big Data Analytics and Financial Reporting Quality: Qualitative Evidence from Canada, 21 Journal of Financial Reporting and Accounting 83 (2023).

    67.   See CPA Canada, Audit Data Analytics Alert: Survey on Use of Audit Data Analytics in Canada (Sept. 2017) at 7, Exhibit 4 and 10, Exhibit 7.

    68.  See Financial Reporting Council, Audit Quality Thematic Review: The Use of Data Analytics in the Audit of Financial Statements (Jan. 30, 2017) at 11.

    69.   See George Salijeni, Anna Samsonova-Taddei, and Stuart Turley, Big Data and Changes in Audit Technology: Contemplating a Research Agenda, 49 Accounting and Business Research 95 (2019).

    70.   See D. Jordan Lowe, James L. Bierstaker, Diane J. Janvrin, and J. Gregory Jenkins, Information Technology in an Audit Context: Have the Big 4 Lost Their Advantage?, 32 Journal of Information Systems 87 (2018). The authors do not define the term “data analytics,” and they present it as an application of information technology in the audit distinct from other audit planning and audit testing applications. However, the Board believes it is likely that some of the applications of information technology reported in the study would be impacted by the amendments and hence provide relevant baseline information.

    71.   See Austin et al., The Data Analytics Journey 1910. For similar findings, see also Liew et al., The Transformation 579-580.

    72.   See Eilifsen et al., An Exploratory Study. For similar findings, see also Felix Krieger, Paul Drews, and Patrick Velte, Explaining the (Non-) Adoption of Advanced Data Analytics in Auditing: A Process Theory, 41 International Journal of Accounting Information Systems 1 (2021).

    73.   See Salijeni et al., Big Data 110.

    74.   See Kimberly D. Westermann, Jeffrey Cohen, and Greg Trompeter, PCAOB Inspections: Public Accounting Firms on “Trial,” 36 Contemporary Accounting Research 694 (2019). See also Lindsay M. Johnson, Marsha B. Keune, and Jennifer Winchel, U.S. Auditors' Perceptions of the PCAOB Inspection Process: A Behavioral Examination, 36 Contemporary Accounting Research 1540 (2019).

    75.   See Dereck Barr‐Pulliam, Helen L. Brown‐Liburd, and Ivy Munoko, The Effects of Person‐Specific, Task, and Environmental Factors on Digital Transformation and Innovation in Auditing: A Review of the Literature, 33 Journal of International Financial Management & Accounting 337 (2022). This literature review focuses on emerging technologies broadly. Accordingly, much of the research it discusses is not directly relevant to the baseline for these amendments. However, several of the studies it cites are relevant and have already been discussed in this subsection, for example, Austin et al., The Data Analytics Journey.

    76.   See CPA Canada, Audit Data Analytics, at Exhibit 10.

    77.   See, e.g., Monika Causholli and W. Robert Knechel, An Examination of the Credence Attributes of an Audit, 26 Accounting Horizons 631, 632 (2012):

    During the audit process, the auditor is responsible for making decisions concerning risk assessment, total effort, labor allocation, and the timing and extent of audit procedures that will be implemented to reduce the residual risk of material misstatements. As a non-expert, the auditee may not be able to judge the appropriateness of such decisions. Moreover, the auditee may not be able to ascertain the extent to which the risk of material misstatement has been reduced even after the audit is completed. Thus, information asymmetry exists between the auditee and the auditor, the benefit of which accrues to the auditor. If such is the case, the auditor may have incentives to: under-audit, or expend less audit effort than is required to reduce the uncertainty about misstatements in the auditee's financial statements to the level that is appropriate for the auditee.

    78.   See section 301 of Sarbanes-Oxley, 15 U.S.C 78f(m) (also requiring that the firm “report directly to the audit committee”). As an additional safeguard, the auditor is also required to be independent of the audit client. See 17 CFR 210.2-01.

    79.   See, e.g., Joshua Ronen, Corporate Audits and How to Fix Them, 24 Journal of Economic Perspectives 189 (2010).

    80.   See id.; see also, e.g., Liesbeth Bruynseels and Eddy Cardinaels, The Audit Committee: Management Watchdog or Personal Friend of the CEO?, 89 The Accounting Review 113 (2014); Cory A. Cassell, Linda A. Myers, Roy Schmardebeck, and Jian Zhou, The Monitoring Effectiveness of Co-Opted Audit Committees, 35 Contemporary Accounting Research 1732 (2018); Nathan R. Berglund, Michelle Draeger, and Mikhail Sterin, Management's Undue Influence over Audit Committee Members: Evidence from Auditor Reporting and Opinion Shopping, 41 Auditing: A Journal of Practice & Theory 49 (2022).

    81.   See Gregory N. Mankiw, Principles of Economics (6th ed. 2008) at 76 (discussing how technology shifts the supply curve).

    82.   See Adelin Trusculescu, Anca Draghici, and Claudiu Tiberiu Albulescu, Key Metrics and Key Drivers in the Valuation of Public Enterprise Resource Planning Companies, 64 Procedia Computer Science 917 (2015).

    83.  This may be caused in part by a decrease in the quality-adjusted cost of software (i.e., the cost of software holding quality fixed). For example, see U.S. Bureau of Economic Analysis, “Table 5.6.4. Price Indexes for Private Fixed Investment in Intellectual Property Products by Type” available at https://apps.bea.gov/iTable/?reqid=19&step=3&isuri=1&nipa_table_list=330&categories=survey&_gl=1*k50itr*_ga*MTMyMjk5NTAzMS4xNzA5ODQ0OTEx*_ga_J4698JNNFT*MTcwOTg0NDkxMS4xLjAuMTcwOTg0NDkxMS42MC4wLjA (accessed June 3, 2024) (indicating that the price index for capital formation in software by the business sector has decreased by approximately 12% between 2010 and 2022). In preparing its price indices, the U.S. Bureau of Economic Analysis attempts to control for changes in product quality over time. Improvements to product quality may have contributed to some increase in the cost of software, including some of the software that can process large volumes of data.

    84.   See discussion above. See also Lowe et al., Information Technology 95 (reporting an increase in the use of information technology in audits between 2004 and 2014).

    85.   See, e.g., Helen Brown-Liburd, Hussein Issa, and Danielle Lombardi, Behavioral Implications of Big Data's Impact on Audit Judgment and Decision Making and Future Research Directions, 29 Accounting Horizons 451 (2015) (discussing how irrelevant information may limit the value of data analysis). See also Financial Reporting Council, Audit Quality.

    86.   See detailed discussion above.

    87.   See detailed discussion above.

    88.   See detailed discussion above.

    89.   See detailed discussion above.

    90.   See detailed discussion above.

    91.   See, e.g., Hanwen Chen, Jeff Zeyun Chen, Gerald J. Lobo, and Yanyan Wang, Effects of Audit Quality on Earnings Management and Cost of Equity Capital: Evidence from China, 28 Contemporary Accounting Research 892 (2011); Richard Lambert, Christian Leuz, and Robert E. Verrecchia, Accounting Information, Disclosure, and the Cost of Capital, 45 Journal of Accounting Research 385 (2007).

    92.   See discussion above.

    93.   See below (discussing costs associated with greater use of technology-assisted analysis).

    94.  For purposes of this discussion, “audit quality” refers to assurance on the financial statements provided by the auditor to the users of the financial statements. The “supply of audit quality” is the relationship between audit quality and incremental cost to the auditor. An “increase in the supply of audit quality” occurs when the incremental costs of audit quality decrease (e.g., due to technological advances) and the auditor is able to profitably provide more audit quality at a given cost.

    95.   See, e.g., AICPA Private Companies Practice Section, 2022 PCPS CPA Top Issues Survey (2022); AICPA, 2021 Trends: A Report on Accounting Education, the CPA Exam and Public Accounting Firms' Hiring of Recent Graduates (2021).

    96.   See, e.g., Salijeni et al., Big Data.

    97.   See Austin et al., The Data Analytics Journey.

    98.   See discussion above, discussing increased availability of data analytic tools at larger firms and Austin et al., The Data Analytics Journey 1908.

    99.   See, e.g., Austin et al., The Data Analytics Journey 1906.

    100.   See, e.g., Salijeni et al., Big Data 108. See also CPA Canada, Audit Data Analytics. However, some more recent survey research suggests that auditors tend to agree that they have the technical expertise to deploy data analytics. See Eilifsen et al., An Exploratory Study 84.

    101.   See Austin et al., The Data Analytics Journey 1891.

    102.   See Financial Reporting Council, Audit Quality. See also Austin et al., The Data Analytics Journey 1908.

    103.   See Eilifsen et al., An Exploratory Study 71 (discussing how audit data analytics are used less often when the company does not have an integrated ERP/IT system). See also Financial Reporting Council, Audit Quality.

    104.   See discussion above.

    105.   See discussion above.

    106.   See, e.g., AS 2110 and AS 2301.

    107.   See AS 2110.39.

    108.   See AS 2301.47.

    109.   See, e.g., Joshua L. Gunn, Brett S. Kawada, and Paul N. Michas, Audit Market Concentration, Audit Fees, and Audit Quality: A Cross-Country Analysis of Complex Audit Clients, 38 Journal of Accounting and Public Policy 1 (2019).

    110.   See, e.g., Nathan J. Newton, Julie S. Persellin, Dechun Wang, and Michael S. Wilkins, Internal Control Opinion Shopping and Audit Market Competition, 91 The Accounting Review 603 (2016); Nathan J. Newton, Dechun Wang, and Michael S. Wilkins, Does a Lack of Choice Lead to Lower Quality?: Evidence from Auditor Competition and Client Restatements, 32 Auditing: A Journal of Practice & Theory 31 (2013).

    111.   See, e.g., Jeff P. Boone, Inder K. Khurana, and K.K. Raman, Audit Market Concentration and Auditor Tolerance for Earnings Management, Contemporary Accounting Research 29 (2012); Nicholas J. Hallman, Antonis Kartapanis, and Jaime J. Schmidt, How Do Auditors Respond to Competition? Evidence From the Bidding Process, Journal of Accounting and Economics 73 (2022).

    112.  See, e.g., GAO Report No. GAO-03-864, Public Accounting Firms: Mandated Study on Consolidation and Competition (July 2003).

    113.   See, e.g., Kenneth L. Bills and Nathaniel M. Stephens, Spatial Competition at the Intersection of the Large and Small Audit Firm Markets, 35 Auditing: A Journal of Practice and Theory 23 (2016).

    114.   See detailed discussion above.

    115.   See Public Law 112-106 (Apr. 5, 2012). See also section 103(a)(3)(C) of Sarbanes-Oxley, as added by section 104 of the JOBS Act (providing that any rules of the Board requiring: (1) mandatory audit firm rotation; or (2) a supplement to the auditor's report in which the auditor would be required to provide additional information about the audit and the financial statements of the issuer (auditor discussion and analysis), shall not apply to an audit of an EGC. The amendments do not fall within either of these two categories).

    116.  See PCAOB, White Paper on Characteristics of Emerging Growth Companies and Their Audit Firms at November 15, 2022 (Feb. 20, 2024) (“EGC White Paper”), available at https://pcaobus.org/resources/other-research-projects.

    117.  The EGC White Paper uses a lagging 18-month window to identify companies as EGCs. Please refer to the “Current Methodology” section in the white paper for details. Using an 18-month window enables staff to analyze the characteristics of a fuller population in the EGC White Paper but may tend to result in a larger number of EGCs being included for purposes of the present EGC analysis than would alternative methodologies. For example, an estimate using a lagging 12-month window would exclude some EGCs that are delinquent in making periodic filings. An estimate as of the measurement date would exclude EGCs that have terminated their registration, or that have exceeded the eligibility or time limits. See id.

    118.  Researchers have developed a number of proxies that are thought to be correlated with information asymmetry, including small company size, lower analyst coverage, larger insider holdings, and higher research and development costs. To the extent that EGCs exhibit one or more of these properties, there may be a greater degree of information asymmetry for EGCs than for the broader population of companies, which increases the importance to investors of the external audit to enhance the credibility of management disclosures. See, e.g., Steven A. Dennis and Ian G. Sharpe, Firm Size Dependence in the Determinants of Bank Term Loan Maturity, 32 Journal of Business Finance & Accounting 31 (2005); Michael J. Brennan and Avanidhar Subrahmanyam, Investment Analysis and Price Formation in Securities Markets, 38 Journal of Financial Economics 361 (1995); David Aboody and Baruch Lev, Information Asymmetry, R&D, and Insider Gains, 55 The Journal of Finance 2747 (2000); Raymond Chiang and P. C. Venkatesh, Insider Holdings and Perceptions of Information Asymmetry: A Note, 43 The Journal of Finance 1041 (1988); Molly Mercer, How Do Investors Assess the Credibility of Management Disclosures?, 18 Accounting Horizons 185 (2004).

    119.  Staff analysis indicates that, compared to exchange-listed non-EGCs, exchange-listed EGCs are approximately 2.6 times as likely to be audited by an NAF and approximately 1.3 times as likely to be audited by a triennially inspected firm. Source: EGC White Paper and Standard & Poor's.

    BILLING CODE 8011-01-P

    [FR Doc. 2024-14488 Filed 7-1-24; 8:45 am]

Document Information

Published:
07/02/2024
Department:
Securities and Exchange Commission
Entry Type:
Notice
Document Number:
2024-14488
Pages:
54922-54947 (26 pages)
Docket Numbers:
Release No. 34-100430, File No. PCAOB-2024-03
PDF File:
2024-14488.pdf