8011-01P
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-100277; File No. PCAOB-2024-02]
Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules
on A Firm’s System of Quality Control and Related Amendments to PCAOB
Standards
June 5, 2024.
Pursuant to section 107(b) of the Sarbanes-Oxley Act of 2002 (the “Act”), notice
is hereby given that on May 24, 2024, the Public Company Accounting Oversight Board
(the “Board” or the “PCAOB”) filed with the Securities and Exchange Commission (the
“Commission”) the proposed rules described in items I and II below, which items have
been prepared by the Board. The Commission is publishing this notice to solicit
comments on the proposed rules from interested persons.
I.

Board’s Statement of the Terms of Substance of the Proposed Rules
On May 13, 2024, the Board adopted A Firm’s System of Quality Control and

Other Amendments to PCAOB Standards, Rules, and Forms (collectively, the “proposed
rules”). The text of the proposed rules appears in Exhibit A to the SEC Filing Form 19b-4
and is available on the Board’s website at Docket 046  PCAOB (pcaobus.org) and at the
Commission’s Public Reference Room.
II.

Board’s Statement of the Purpose of, and Statutory Basis for, the Proposed Rules
In its filing with the Commission, the Board included statements concerning the

purpose of, and basis for, the proposed rules and discussed any comments it received on
the proposed rules. The text of these statements may be examined at the places specified
in Item IV below. The Board has prepared summaries, set forth in sections A, B, and C
below, of the most significant aspects of such statements. In addition, the Board is
requesting that the Commission approve the proposed rules, pursuant to section
103(a)(3)(C) of the Sarbanes-Oxley Act, for application to audits of emerging growth

companies (“EGCs”), as that term is defined in section 3(a)(80) of the Securities
Exchange Act of 1934 (“Exchange Act”). The Board's request is set forth in section D.
A.

Board’s Statement of the Purpose of, and Statutory Basis for, the Proposed Rules
(a) Purpose
The Board adopted a new PCAOB quality control (“QC”) standard that it believes

will lead registered public accounting firms (“firms”) to significantly improve their QC
systems. An effective QC system protects investors by facilitating the consistent
preparation and issuance of informative, accurate, independent, and compliant
engagement reports. Properly conducted audits and other engagements enhance the
confidence of investors and other market participants in the information firms report on.
The Board adopted an integrated, risk-based standard, QC 1000, A Firm’s System
of Quality Control, that mandates quality objectives and key processes for all firms’ QC
systems, with a focus on accountability and continuous improvement. The Board has
designed QC 1000 to be applied by firms of varying size and complexity. If approved by
the U.S. Securities and Exchange Commission (the “SEC”), the Board believes this new
standard will lead firms to better serve investors by more consistently complying with the
professional and legal requirements that apply to PCAOB engagements.
In connection with the adoption of QC 1000, the Board also adopted other
changes to its standards, rules, and forms. QC 1000 and the other changes adopted
substantially reflect the Board’s November 2022 proposal,1 but have been modified in
response to commenter input.
In a separate release, the Board also adopted a new auditing standard, AS 1000,
General Responsibilities of the Auditor in Conducting an Audit, that addresses the

See A Firm’s System of Quality Control and Other Proposed Amendments to PCAOB Standards,
Rules, and Forms, PCAOB Rel. No. 2022-006 (Nov. 18, 2022) (“proposal” or “proposed
standards”), available on the Board’s website in Docket 046.

general principles and responsibilities of the auditor.2 This release includes references to
AS 1000, where appropriate
Improving the Board’s QC Standards
The Board strongly believes that an effective quality control system facilitates
continuous improvement. Over time, the PCAOB’s oversight experience suggests that
firm QC systems fall short. For example, PCAOB inspectors observed that approximately
40% of the issuer audits they reviewed in 2022 had one or more deficiencies where the
auditor failed to obtain sufficient appropriate audit evidence to support its opinion, an
increase of six percentage points over the deficiency rate in 2021 and 11 percentage
points over the rate in 2020.3 In all those cases, auditors issued audit opinions without
completing the audit work that PCAOB standards require for them to obtain reasonable
assurance about whether the financial statements were free of material misstatement
and/or whether the issuers maintained, in all material respects, effective internal control
over financial reporting.
Every step of this rulemaking—from the December 2019 concept release,4 to the
proposal, to adoption—has been informed by extensive research and outreach, as well as
by PCAOB inspections and enforcement activities. The PCAOB’s current QC standards
were developed decades ago and issued by the American Institute of Certified Public
Accountants (“AICPA”) before the PCAOB was established. The auditing environment
has changed significantly since that time, including evolving and greater use of

See General Responsibilities of the Auditor in Conducting an Audit and Amendments to PCAOB
Standards, PCAOB Rel. No. 2024-004 (May 13, 2024) (“Auditor Responsibilities Release”).

See Spotlight: Staff Update and Preview of 2022 Inspection Observations (July 2023) (“2022
Inspection Observations Preview”), at 3, available at https://assets.pcaobus.org/pcaobdev/docs/default-source/documents/spotlight-staff-preview-2022-inspectionobservations.pdf?sfvrsn=1b116d49_4.

See Concept Release, Potential Approach to Revisions to PCAOB Quality Control Standards,
PCAOB Rel. No. 2019-003 (Dec. 17, 2019) (“concept release”), available on the Board’s website
in Docket 046.

technology, and increasing auditor use of outside resources, such as other accounting
firms and providers of support services. Firms themselves have also changed
significantly, as has the role of firm networks. And advances in internal control, quality
management, and enterprise risk management suggest that factors such as active
involvement of leadership, focus on risk, clearly defined objectives, objective-oriented
processes, monitoring, and remediation of identified issues can contribute to more
effective QC. These developments have, in part, led to PCAOB advisory groups’ general
support for strengthening the QC standards, including through risk-based elements and
enhanced requirements for firm governance and leadership.
Taking into account those considerations, as well as the comments the Board
received on the concept release and proposal, the Board believes that improving PCAOB
standards will lead firms to improve their QC systems. This should result in more
consistent compliance with applicable requirements, which ultimately better serves and
protects investors. The specific improvements the Board adopted include:
•

Emphasizing accountability, firm culture and the “tone at the top,” and firm
governance through requirements for specified roles within and responsibilities
for the QC system, including at the highest levels of the firm; quality objectives
that link compensation to quality; and, for the largest firms, the requirement of an
independent perspective in firm governance;

•

Striking the right balance between a risk-based approach to QC—which should
drive firms to proactively identify and manage the specific risks associated with
their practice —and a set of mandates, including required risk assessment and
other QC-related processes, quality objectives, and quality responses—which
should assure that the QC system is designed, implemented, and operated with an
appropriate level of rigor;

•

Addressing changes in the audit practice environment, including the increasing
participation of other firms and other outside resources, the role of firm networks,
the evolving use of technology and other resources, and the increasing importance
of internal and external firm communications;

•

Broadening responsibilities for monitoring and remediation of deficiencies to
create a more effective ongoing feedback loop that drives continuous
improvement; and

•

Requiring a rigorous annual evaluation of the firm’s QC system and related
reporting to the PCAOB, certified by key firm personnel, to underscore the
importance of the annual evaluation of the QC system, reinforce individual
accountability, and support PCAOB oversight.

Framework of the QC Standard
The Board carefully considered the characteristics of an appropriate framework
for a PCAOB QC standard that could accomplish its regulatory goals. As a threshold
issue, section 103 of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”) provides that
PCAOB QC standards must include requirements regarding certain specified matters, and
also grants the Board broad authority to include such other requirements as it may
prescribe in carrying out its investor protection mandate. The Board also considered how
best to capture areas it had identified for improvement and how best to foster consistent,
compliant implementation by the firms it regulates. Because the Board believes it is the
best structure for accomplishing its goals, the Board adopted the QC 1000 framework as
proposed.
The Board notes that the framework has commonalities with other international
and domestic standards for firm QC systems, though it goes beyond those requirements in
a number of areas, including with regard to firm governance of the largest firms, more
specific requirements for monitoring and remediation and the evaluation of the QC

system, an ethics and independence component aligned with SEC and PCAOB
requirements, and more specific provisions addressing technology and externally
communicated firm-level and engagement-level information and metrics. The Board
believes that building on a well-understood basic framework, appropriately tailored and
strengthened to address its legal and regulatory environment and its investor protection
mandate, will enable firms to implement and comply with QC 1000 more effectively. In
designing, implementing, and operating their QC systems, firms that are subject to both
PCAOB standards and other international or domestic QC standards—which the Board
believes constitute a very substantial majority of the firms that perform engagements
under PCAOB standards—can leverage the work they have already done and the
investments they have already made to comply with those other requirements.
QC 1000
The Board developed QC 1000 with a view to its statutory mandate to protect the
interests of investors and the public interest, and the Board believes the new standard will
facilitate the consistent preparation and issuance of informative, accurate, and
independent engagement reports. The final standard provides a framework for a QC
system that is grounded in an ongoing process of proactively identifying and managing
risks to quality, with a feedback loop from ongoing monitoring and remediation that
should drive continuous improvement, an explicit focus on firm governance and
leadership, firm culture, and individual accountability, and specific direction in a number
of areas that current PCAOB standards do not address directly.
QC 1000 primarily consists of:
Two process components
•

The firm’s risk assessment process

•

The monitoring and remediation process

Six components that address aspects of the firm’s organization and operations

•

Governance and leadership

•

Ethics and independence

•

Acceptance and continuance of engagements

•

Engagement performance

•

Resources

•

Information and communication

Requirements for evaluation of and reporting on the QC system
•

Annual evaluation of the effectiveness of the QC system

•

Reporting to the PCAOB on the QC system evaluation
The standard also includes requirements regarding individual roles and

responsibilities in the QC system and documentation requirements.
Scalability
In the Board’s view, the basic objectives of the QC system should be the same for
all firms, but the scope of the QC standard and how it applies should take into account the
wide disparities in nature and circumstances across registered firms, in particular the
extent to which their practices include engagements required to be performed under
PCAOB standards and the complexity of such engagements. The risks that firms face,
and therefore the specific policies and procedures necessary to appropriately serve
investor interests through an effective QC system, vary significantly from the largest
firms, operating as part of global networks, to local firms or sole proprietorships.
QC 1000 establishes a uniform basic structure to be used by all firms, within which firms
will be required to pursue an approach to quality control that is appropriate in light of the
risks associated with their particular PCAOB audit practice. Aspects of the new standard
are risk-based, and to that extent inherently scalable. In addition, it imposes more
stringent requirements for the largest firms in some areas, while enabling smaller firms to

comply with the core requirements in ways that take into account these firms’ size and
the complexity of audits performed by them.
Scalability: Larger PCAOB Audit Practice.
The Board believes that firms with a particularly extensive PCAOB audit practice
(i.e., those that issue audit reports for more than 100 issuers per year) should be subject to
enhanced requirements, given such firms’ greater complexity and the relatively greater
public interest implicated by the fact that they audit companies that make up a substantial
majority of U.S. public market capitalization. The incremental requirements under
QC 1000 for such firms include:
•

An external oversight function for the QC system compose of one or more
persons who can exercise independent judgment related to the QC system;

•

A program for collecting and addressing complaints and allegations that includes
confidentiality protections;

•

An automated system to track investments that may bear on independence; and

•

Required monitoring of in-process engagements.
Scalability: Smaller PCAOB Audit Practice.
Many firms perform only a small number of PCAOB engagements per year and

are subject to resource constraints that larger PCAOB audit practices do not face. The
Board has addressed the particular needs of these firms in a number of ways, including:
•

Providing that a single individual may be assigned more than one of the QC
system oversight roles required under the standard; and

•

Allowing firms that issue five or fewer engagement reports for issuers or brokerdealers in a year to include audits not performed under PCAOB auditing standards
in some of their monitoring activities.
Scalability: Firms that do not have responsibilities in relation to a PCAOB
engagement.

All registered firms will be required to design a QC system that meets the
requirements of QC 1000. Firms will be required to implement and operate the QC
system in compliance with QC 1000 when they lead an engagement under PCAOB
standards, play a substantial role in the preparation or furnishing of an audit report (as
defined in PCAOB rules), or have current responsibilities under applicable professional
and legal requirements regarding any such engagement. This approach reflects the
Board’s view that all firms that register with the PCAOB should be appropriately
prepared to perform a PCAOB engagement, regardless of whether they are currently
subject to requirements with respect to one, while limiting the costs of compliance in
circumstances where the risk to investor protection is minimal.
Key Changes from the QC 1000 Proposal
Key changes from the proposal include:
•

For the firms with larger PCAOB audit practices, the requirement to include an
independent oversight function for their QC system has been refined. Under the
final rule, the external quality control function (“EQCF”) will be composed of one
or more persons who are not principals or employees of the firm and do not
otherwise have a relationship with the firm that would interfere with the exercise
of independent judgment with regard to matters related to the QC system. The
responsibilities of the EQCF may vary across firms but include, at a minimum,
evaluating the significant judgments made and the related conclusions reached by
the firm when evaluating and reporting on the effectiveness of its QC system.

•

The final rule requires firms to report on their QC system evaluation to the
PCAOB, but not to the audit committee, as proposed. Legal constraints limit our
ability to require public disclosures about the effectiveness of firms’ QC systems
at the level that some investors have requested. While the final rule recognizes the
impediments to requiring public disclosure of QC system evaluation, the Board

remains committed to finding additional ways of providing public disclosure to
better inform investors about firms and PCAOB audit engagements. To that end,
we have separately proposed a set of firm-level and engagement-level metrics
across 11 areas that would be reported publicly.
•

The timing of the QC system evaluation and reporting has changed. Under the
final rule, the evaluation date for the annual evaluation of the QC system is
September 30, rather than November 30 as proposed, with Form QC due by
November 30 rather than January 15 of the following year. This shift allows more
time between the evaluation date and the filing date than we proposed, but still
allows sufficient time to generally enable the firm’s monitoring activities to
identify deficiencies in calendar year-end engagements and the results of that
monitoring to be included in the evaluation.

Other Changes to PCAOB Standards, Rules, and Forms
In connection with the adoption of QC 1000, the Board also adopted other
changes to PCAOB standards, rules, and forms. These include, among other changes,
expanding the auditor’s responsibility to respond to deficiencies on completed
engagements under an amended and retitled AS 2901, Responding to Engagement
Deficiencies After Issuance of the Auditor’s Report, and related amendments to AT No. 1,
Examination Engagements Regarding Compliance Reports of Brokers and Dealers, and
AT No. 2, Review Engagements Regarding Exemption Reports of Brokers and Dealers;
and replacing the existing standard ET 102, Integrity and Objectivity, with a new
standard, EI 1000, Integrity and Objectivity, to better align PCAOB ethics requirements
with the scope, approach, and terminology of QC 1000.
Effective Date
If approved by the SEC, the final standard and related amendments to auditing
standards, rules, and forms will take effect on December 15, 2025, with the initial

evaluation of the QC system to be performed as of September 30, 2026, and initial
reporting to the PCAOB by November 30, 2026. Firms will be permitted to elect to
comply with the requirements of QC 1000, except reporting to the PCAOB on the annual
evaluation of the QC system, before the effective date, at any point after SEC approval of
the final standard and related amendments.
(b) Statutory Basis
The statutory basis for the proposed rules is Title I of Sarbanes-Oxley.
B.

Board’s Statement on Burden on Competition
Not applicable. The Board’s consideration of the economic impacts of the

proposed rules is discussed in section D below.
C.

Board’s Statement on Comments on the Proposed Rules Received from Members,
Participants or Others
The Board issued a concept release regarding potential changes to quality control

standards for public comment in PCAOB Release No. 2019-003 (Dec. 17, 2019). The
Board received 36 written comment letters on the concept release. The Board released the
proposed rule amendment for public comment in PCAOB Release No. 2022-006 (Nov.
18, 2022). The Board received 43 written comment letters on its proposal. The Board has
carefully considered all comments received. The Board’s response to the comments it
received and the changes made to the rules in response to the comments received are
discussed below.
BACKGROUND
This section presents background information on this rulemaking, including an
overview of existing PCAOB QC requirements and current practice, a review of other
developments since the current QC requirements were adopted, a summary of relevant
actions taken by other standard setters, a discussion of PCAOB research and outreach

efforts related to QC, the December 2019 concept release and 2022 proposal, and a
summary of the key areas the Board has identified for improvement of the QC standards.
OVERVIEW OF EXISTING REQUIREMENTS AND CURRENT PRACTICE
1.

Requirements of the Sarbanes-Oxley Act of 2002
Sarbanes-Oxley requires the Board to establish certain professional standards,

including quality control standards, to be used by registered public accounting firms in
the preparation and issuance of audit reports for issuers, brokers, and dealers.5
Furthermore, Sarbanes-Oxley requires the PCAOB’s QC standards to address:
•

Monitoring of professional ethics and independence from issuers, brokers, and
dealers on behalf of which the firm issues audit reports;

•

Consultation within the firm on accounting and auditing questions;

•

Supervision of audit work;

•

Hiring, professional development, and advancement of personnel;

•

Acceptance and continuation of engagements;

•

Internal inspection; and

•

Such other requirements as the Board may prescribe.6

2. Current PCAOB QC standards
Under current PCAOB standards, a QC system is a process to provide a firm with
reasonable assurance that its personnel comply with applicable professional standards and
the firm’s standards of quality.7 The QC system encompasses the firm’s organizational

See sections 101(c)(2) and 103(a)(1) of Sarbanes-Oxley, 15 U.S.C. 7211(c)(2), 7213(a)(1). This
release uses the terms “issuer,” “broker,” and “dealer” as defined in Sarbanes-Oxley. See section
2(a)(7) of Sarbanes-Oxley, 15 U.S.C. 7201(7) (defining “issuer”); Sections 110(3) and (4) of
Sarbanes-Oxley, 15 U.S.C. 7220(3), (4) (defining “broker” and “dealer”); see also PCAOB Rules
1001(b)(iii), (d)(iii), (i)(iii) (defining “broker,” “dealer,” and “issuer,” respectively). Entities that
are brokers or dealers or both are sometimes referred to herein as “broker-dealers.”

See section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C. 7213(a)(2)(B).

See paragraph .03 of QC 20, System of Quality Control for a CPA Firm’s Accounting and
Auditing Practice.

structure and the policies adopted and procedures established to provide that reasonable
assurance.8
Current PCAOB QC standards were adopted on an interim, transitional basis in
2003 from QC standards originally developed and issued by the AICPA.9 They include
three general QC standards that apply to all firms.10 Beyond that, they also include certain
requirements of membership in the AICPA’s former SEC Practice Section (“SECPS”),
which apply only to firms that were SECPS members immediately prior to the adoption
of the PCAOB’s interim QC standards. Below is an overview of the general QC
standards and the SECPS member requirements.
a. General QC Standards
i. QC 20, System of Quality Control for a CPA Firm’s Accounting and
Auditing Practice
QC 20 provides that a firm should have a system of quality control that provides
the firm with reasonable assurance that its personnel comply with applicable professional
standards and the firm’s standards of quality.11 In the context of engagement
performance, the system of quality control should also provide reasonable assurance that
the work performed meets applicable regulatory requirements.12
The firm’s quality control policies and procedures should address the following
elements:
•

Independence, integrity, and objectivity;

See QC 20.04.

See PCAOB Rule 3400T, Interim Quality Control Standards; see also Establishment of Interim
Professional Auditing Standards, PCAOB Rel. No. 2003-006 (Apr. 18, 2003).

Under PCAOB Rule 3400T(a), all firms are required to comply with QC standards as described in
“the AICPA’s Auditing Standards Board’s Statements on Quality Control Standards, as in
existence on April 16, 2003 (AICPA Professional Standards, QC §§ 20-40 (AICPA 2002)), to the
extent not superseded or amended by the Board.”

See QC 20.03.

See QC 20.17.

•

Personnel management;

•

Acceptance and continuance of clients and engagements;

•

Engagement performance; and

•

Monitoring.13
These elements of quality control are interrelated.14 Policies and procedures

should be established to provide the firm with reasonable assurance with respect to each
of these elements of QC. An appropriate individual or individuals in the firm should be
assigned responsibility for the design and maintenance of the various quality control
policies and procedures.15 These policies and procedures should be communicated in a
manner that provides reasonable assurance that personnel will understand and comply.16
Additionally, documentation should be prepared to demonstrate compliance with the
firm’s policies and procedures for the elements of quality control.17
ii. QC 30, Monitoring a CPA Firm’s Accounting and Auditing Practice
QC 30 addresses how a firm should implement the monitoring element of quality
control discussed in QC 20. Monitoring involves an ongoing consideration and evaluation
of the following:
•

The relevance and adequacy of the firm’s policies and procedures;

•

The appropriateness of the firm’s guidance materials and any practice aids;

•

The effectiveness of professional development activities; and

•

Compliance with the firm’s policies and procedures.18

See QC 20.07.

See QC 20.08.

See QC 20.22.

See QC 20.23.

See QC 20.25.

See QC 30.02.

Under QC 30, monitoring procedures should enable the firm to obtain reasonable
assurance that its system of quality control is effective.19 A firm’s monitoring procedures
may include:
•

Inspection procedures;

•

Pre-issuance or post-issuance review of selected engagements;

•

Analysis and assessment of:

•

New professional pronouncements;

•

Results of independence confirmations;

•

Continuing professional education (“CPE”) and other professional development
activities undertaken by firm personnel;

•

Decisions related to acceptance and continuance of client relationships and
engagements;

•

Interviews of firm personnel;

•

Determination of any corrective actions to be taken and improvements to be made
in the quality control system;

•

Communication to appropriate firm personnel of any weaknesses identified in the
quality control system or in the level of understanding or compliance therewith;
and

•

Follow-up by appropriate firm personnel to ensure that any necessary
modifications are made to the quality control policies and procedures on a timely
basis.20
The nature and extent of monitoring procedures generally depends on the firm’s

size and the nature and complexity of the firm’s practice.21 QC 30 provides that

See QC 30.03.

See QC 30.03.

See, e.g., QC 30.05, .10, .11.

individuals in a small firm may perform monitoring procedures, including post-issuance
review of engagement working papers, reports, and clients’ financial statements, with
respect to their own compliance with the firm’s QC policies and procedures, but only if
such individuals are able to critically review their own performance, assess their own
strengths and weaknesses, and maintain an attitude of continual improvement.22
iii. QC 40, The Personnel Management Element of a Firm’s System of
Quality Control — Competencies Required by a Practitioner-in-Charge of an
Attest Engagement
QC 40 addresses the personnel management element of the quality control
system. Personnel management includes hiring, assigning personnel to engagements,
professional development, and advancement activities. Policies and procedures should be
established to provide the firm with reasonable assurance that:
•

Those hired possess the appropriate characteristics to enable them to perform
competently.

•

Work is assigned to personnel having the degree of technical training and
proficiency required in the circumstances. Personnel participate in general and
industry-specific continuing professional education and other professional
development activities that enable them to fulfill responsibilities assigned, and
satisfy applicable professional education requirements of the AICPA, and
regulatory agencies.

•

Personnel selected for advancement have the qualifications necessary for
fulfillment of the responsibilities they will be called on to assume.23
A firm’s policies and procedures related to personnel management should be

designed to provide a firm with reasonable assurance that practitioners-in-charge of

See QC 30.09, .10.

See QC 40.02.

engagements (i.e., engagement partners) possess the kinds of competencies that are
appropriate given the circumstances of the client engagement.24 Competencies are the
knowledge, skills, and abilities that enable an engagement partner to be qualified to
perform an engagement.25 Competencies may be gained in various ways, including
through relevant industry, governmental, and academic positions.26 A firm’s policies and
procedures should ordinarily address the following competencies for an engagement
partner:
•

Understanding of the role of a system of quality control and a code of professional
conduct;

•

Understanding of the service to be performed;

•

Technical proficiency;

•

Familiarity with the industry;

•

Professional judgment; and

•

Understanding the organization’s information technology systems.27
Under QC 40, these competencies are interrelated.28 When establishing policies

and procedures related to competencies needed by an engagement partner, a firm may
need to consider the requirements of policies and procedures established for other
elements of quality control.29
b. SECPS member requirements
The SECPS was a division of the AICPA for U.S. firms that audited public
companies, which established incremental quality control requirements for its members.

See QC 40.03.

See QC 40.04.

See QC 40.05.

See QC 40.08.

See QC 40.09.

See QC 40.10.

The SECPS requirements originally applied to all U.S. firms that audited public
companies under AICPA standards. The SECPS ceased to exist following the
establishment of the PCAOB.
Under PCAOB rules, certain SECPS requirements still apply to firms that were
members of the SECPS as of April 16, 2003.30 Based on current registration data, the
SECPS member requirements apply to 201 (approximately 12% of) PCAOB-registered
firms, including 11 of the 14 annually inspected firms in 2023.
i. Section 1000.08(d) – Continuing Professional Education of Audit Firm
Personnel
Section 1000.08(d) requires SECPS member firms to ensure that all professionals
residing in the United States, both CPAs and non-CPAs, participate in at least 20 hours of
qualifying CPE every year and at least 120 hours every three years.31 Professionals who
devote at least 25% of their time to performing audit, review, or other attest engagements,
or who have responsibility for supervision or review of such engagements, must obtain at
least 40% of their CPE hours in subjects related to accounting and auditing.32
Additional information on Section 1000.08(d)’s CPE requirements appears in
SECPS Section 8000, Continuing Professional Education Requirements Effective for
Educational Years Beginning After May 31, 2002.33 That information is summarized into
three categories: (1) record-keeping for each professional to ensure that each professional

PCAOB Rule 3400T(b) requires certain firms to comply with QC standards as described in “the
AICPA SEC Practice Section’s Requirements of Membership (d), (l), (m), (n)(1) and (o), as in
existence on April 16, 2003 (AICPA SEC Practice Section Manual 1000.08(d), (j), (m), (n)(1) and
(o)), to the extent not superseded or amended by the Board.” The note to Rule 3400T provides that
those requirements “only apply to those registered public accounting firms that were members of
the AICPA SEC Practice Section on April 16, 2003.” One of the SECPS member requirements,
concerning concurring partner review, was superseded in 2009 by the PCAOB’s adoption of AS
1220, Engagement Quality Review.

See SECPS 1000.08(d).

See SECPS 1000.08(d).

See SECPS 1000.08(d) (referring, in a footnote, to Section 8000).

adheres to all CPE requirements; (2) adherence to standards for CPE program sponsors
for each program sponsored by the member firm; and (3) compliance with additional
CPE requirements of the SECPS.34 Appendix A to Section 8000 includes the AICPA
policies related to CPE.
ii. Section 1000.08(l) – Communication by Written Statement to all
Professional Personnel of Firm Policies and Procedures on the
Recommendation and Approval of Accounting Principles, Present and
Potential Client Relationships, and the Types of Services Provided
Section 1000.08(l) requires SECPS member firms to communicate, through a
written statement, to all professional firm personnel the broad principles that influence
the firm’s quality control and operating policies and procedures.35 Periodic
communication also must inform professional firm personnel that compliance with those
principles is mandatory.36
iii. Section 1000.08(m) – Notification of the Commission of Resignations and
Dismissals from Audit Engagements for Commission Registrants
Section 1000.08(m) requires that, if an SECPS member firm has resigned,
declined to stand for reelection, or been dismissed as the auditor of an SEC registrant and
the registrant has not reported the change in auditors to the SEC in a timely filed Form 8K, the member firm is to report that the client-auditor relationship has ceased directly, in
writing, to the former SEC client and the SEC within five business days.37

See SECPS 8000.

See SECPS 1000.08(l). Section 1000.08(l) includes a cross-reference to Appendix H SECPS
Section 1000.42, Illustrative Statement of Firm Philosophy, which provides an illustration of such
a statement.

See id.

See SECPS 1000.08(m). Section 1000.08(m) cross-references Appendix D SECPS Section
1000.38, Revised Definition of an SEC Client, which provides the definition of an SEC client, as
well as Appendix I SECPS Section 1000.43, Standard Form of Letter Confirming the Cessation of
the Client-Auditor Relationship, which provides a standard form of such report.

iv. Section 1000.08(n) – Audit Firm Obligations with Respect to the Policies
and Procedures of Correspondent Firms and of Other Members of
International Firms or International Associations of Firms
Section 1000.08(n) requires SECPS member firms that are members of,
correspondents with, or similarly associated with international firms or international
associations of firms to seek adoption of policies and procedures that are consistent with
the objectives in Appendix K (SECPS Section 1000.45), SECPS Member Firms With
Foreign Associated Firms That Audit SEC Registrants.38
Appendix K was adopted with the intention of enhancing the quality of SEC
filings by issuers whose financial statements are audited by foreign associated firms of
SECPS member firms.39 It requires SECPS member firms to seek adoption by their
international organizations or individual foreign associated firms of certain policies and
procedures, including:
•

Procedures to be performed on certain SEC filings by a filing reviewer who is
knowledgeable in applicable accounting and auditing standards, independence
requirements, and SEC rules and regulations;

•

Inspection procedures for a sample of audit engagements performed by foreign
associated firms for issuer clients, to be performed by inspection reviewers who
are knowledgeable in the same areas as filing reviewers; and

•

Policies and procedures under which disagreements between the filing or
inspection reviewer and the audit partner-in-charge should be resolved in
accordance with the policy of the international organization or the filing or
inspection reviewer’s firm.40

See SECPS 1000.08(n).

See SECPS 1000.45.01.

See id.

v. Section 1000.08(o) – Policies and Procedures to Comply with
Independence Requirements
Section 1000.08(o) requires SECPS member firms to have policies and
procedures in place to comply with applicable independence requirements.41 Section
1000.08(o) cross-references Appendix L, SECPS Section 1000.46, Independence Quality
Controls, which requires firms to establish written policies42 covering relationships with
“restricted entities,” for example, relationships between the restricted entity and the
member firm, its benefit plans, and its professionals.43 These relationships include
investments, loans, brokerage accounts, business relationships, employment relationships,
proscribed services, and fee arrangements.44 Firms should maintain a database that
includes all restricted entities (“restricted entity list”) and make the restricted entity list
available to the firm’s professionals and to foreign associated firms.45
A senior-level partner should be designated to oversee the independence policies
and maintain and communicate the restricted entity list.46 The policies and procedures
also should require:
•

Reviewing the restricted entity list prior to obtaining any security;

•

Obtaining independence certifications from the firm’s professionals;

•

Reporting violations of policies;

•

Establishing a monitoring system; and

See SECPS 1000.08(o).

PCAOB rules do not mandate that writings be paper-based. See, e.g., paragraph .04 of AS 1215,
Audit Documentation (audit documentation may be in the form of paper, electronic files, or other
media).

See SECPS 1000.46 (requirement 1).

See id.

See SECPS 1000.46 (requirements 4, 5, and 6).

See SECPS 1000.46 (requirement 5).

•

Developing policies for potential sanctions for violations of the firm’s policies
and procedures or professional independence requirements.47
The policies and procedures should be made available to all professionals and a

training program should be established to provide reasonable assurance that professionals
understand the policies.48
3. Observations from oversight activities
In the course of conducting inspections of registered public accounting firms49
and investigating potential violations of PCAOB standards and other related laws and
rules governing audits of public companies and audits and attestation engagements of
broker-dealers, the PCAOB may identify deficiencies in firms’ execution of engagements
and in firms’ QC systems. Oversight activities also help the PCAOB to identify good
practices, both for engagements and for QC systems. The PCAOB also considers
information derived from the SEC’s enforcement program.
Over time, firms have implemented a number of changes to their QC systems to
remediate deficiencies identified through the PCAOB’s inspections program.50 Examples
of changes firms have made in response to the Board’s inspections include:51
•

Independence - Creating automated links between the firm’s tools for tracking
subcontractors and evaluating and tracking business relationships to ensure that
independence evaluations are complete and timely;

See SECPS 1000.46 (requirement 7).

See SECPS 1000.46 (requirement 3).

The information on inspections and remediation efforts is limited to those firms that are subject to
inspection by the PCAOB.

Additional information about the PCAOB remediation process is available on the PCAOB website
at https://pcaobus.org/oversight/inspections/remediation/remediation_process.

Examples are drawn from firms’ Rule 4009 submissions. A Rule 4009 submission is a confidential
submission prepared by a firm, pursuant to PCAOB Rule 4009, Firm Response to Quality Control
Defects, concerning the ways in which a firm has addressed a QC criticism. For additional
background, see The Process for Board Determinations Regarding Firms’ Efforts to Address
Quality Control Criticisms in Inspection Reports, PCAOB Rel. No. 104-2006-077 (Mar. 21,
2006).

•

Engagement Performance - Implementing new policies and procedures for
engagement teams to focus on obtaining a thorough understanding of how issuers
initiate, record, process, and report significant classes of transactions and how that
information is recorded in the financial statements;

•

Resources - Creating a committee to evaluate partner performance in relation to
audit quality and establishing an accountability framework with penalties for
negative audit quality events;

•

Monitoring and Remediation - Adding new leadership positions to the internal
inspection program, developing new analysis and reporting of internal inspection
findings, and disseminating such findings more broadly; and

•

Monitoring and Remediation - Adding in-process review and coaching programs
to assist engagement teams in certain challenging areas, including internal control
over financial reporting (“ICFR”) and accounting estimates.
Observations from PCAOB oversight activities have shown that improvements in

quality controls can enhance the quality of engagements.52 However, PCAOB inspections
continue to identify deficiencies related to engagements and the operation of firm QC
systems, suggesting that not all firms have made meaningful improvements in these
areas. Moreover, the pervasiveness of recent findings regarding such deficiencies—both
in terms of the number of firms affected and the percentage of deficient engagements—
suggests that an updated QC standard is needed to drive proactive, systemic, and
consistent improvements in audit quality rather than just case-by-case improvements in
response to firm-specific findings.

See, e.g., Spotlight: Staff Update and Preview of 2021 Inspection Observations (Dec. 2022)
(“2021 Inspection Observations Preview”), at 20-22, available at https://assets.pcaobus.org/pcaobdev/docs/default-source/documents/staff-preview-2021-inspection-observationsspotlight.pdf?sfvrsn=d2590627_4; Staff Inspection Brief: Staff Preview of 2018 Inspections
Observations (May 6, 2019) (“2018 Inspection Observations Preview”), at 1-4, available at
https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/inspections/documents/staffpreview-2018-inspection-observations.pdf?sfvrsn=b5f8cb09_0.

The following discussion summarizes recent observations from PCAOB
inspections53 and investigations of QC systems, including deficiencies and violations—
instances of noncompliance with PCAOB requirements—and good practices that the
Board believes support and strengthen QC systems. The Board has taken these
observations into account in developing the final QC standard and related amendments,
rules, and forms.
a. QC deficiencies and violations observed from oversight activities
PCAOB observations have generally revealed that while some firms have made
improvements to their QC systems, the progress has been uneven. Even taking that
progress into account, in roughly a third of the issuer audits the PCAOB inspected from
2020 to 2022, the auditor’s opinion was not adequately supported.54 This suggests that
there is significant room for improvement in QC systems’ ability to provide reasonable
assurance that firm engagements are performed in accordance with applicable
professional standards and regulatory requirements.
As described below, the PCAOB’s observations all too frequently indicate that firms’ QC
systems did not appear to provide reasonable assurance that firm personnel will comply
with applicable professional standards in, among others, the areas of: (1) acceptance of
engagements; (2) engagement performance; (3) independence, integrity, and objectivity;

PCAOB inspections are designed to assess a firm’s compliance with PCAOB standards and rules
and other applicable regulatory and professional requirements with respect to the firm’s QC
system and in the portions of engagements selected for review. An inspection does not involve a
review of all aspects of a firm’s QC system. An inspection also does not necessarily involve a
review of all of a firm’s engagements, nor is it designed to identify every deficiency in the
reviewed engagements. The inspection data are derived from PCAOB inspection reports. Part II of
PCAOB inspection reports include criticisms of, and potential defects in, a firm’s QC system, to
the extent any are identified. The PCAOB includes, in Part II of its inspection reports, deficiencies
observed in inspections of individual engagements when the results indicate that the firm’s QC
system does not provide reasonable assurance that firm personnel will comply with applicable
professional standards and regulatory requirements. In evaluating whether engagement
observations are indicative of QC deficiencies, PCAOB staff consider the nature, significance, and
frequency of deficiencies; related firm methodology, guidance, and practices; and possible root
causes.

See Figure 1 below, and accompanying text for an analysis of 2011-2022 inspections data.

(4) personnel management; (5) monitoring; and (6) engagement quality reviews. Below
are examples of the PCAOB’s observations in these areas.
i. Acceptance of engagements
A firm’s QC system should provide the firm with reasonable assurance that it
undertakes only those engagements that the firm can reasonably expect to be completed
with professional competence.55 This includes taking into consideration, among other
things, the availability of resources to perform an engagement and the competence of
those resources. The PCAOB has observed instances where a firm’s lack of policies and
procedures in the area of engagement acceptance and continuance resulted in accepting
new engagements that were not completed with professional competence and resulted in
numerous violations of PCAOB auditing standards.56
ii. Engagement performance
A properly functioning QC system should provide the firm with reasonable
assurance that the work performed by engagement personnel meets applicable
professional standards, regulatory requirements, and the firm’s standards of quality.57 A
QC system cannot provide reasonable assurance if, for example, there are severe,
frequent, or widespread deficiencies, or recurring instances of similar types of
deficiencies at the engagement level. The PCAOB has observed deficiencies and
violations in a range of areas of engagement performance, including, for example:

See QC 20.15.

See, e.g., In the Matter of WithumSmith+Brown, PC, PCAOB Rel. No. 105-2024-010 (Feb. 20,
2024); In the Matter of Jack Shama and Jack Shama, CPA, PCAOB Rel.e No. 105-2024-004 (Jan.
23, 2024); In the Matter of Shandong Haoxin Certified Public Accountants Co., Ltd., LIU Kun,
MA Yao, SUN Penghuan, and ZHU Dawei, PCAOB Rel. No. 105-2023-045 (Nov. 30, 2023); In
the Matter of Alfonse Gregory Giugliano, CPA, SEC Accounting and Auditing Enforcement
Release (“AAER”) No. 4458 (Sept. 12, 2023); In the Matter of Marcum LLP, PCAOB Rel. No.
105-2023-005 (June 21, 2023); In the Matter of Marcum LLP, SEC AAER No. 4423 (June 21,
2023).

See QC 20.17.

•

Failure to identify and test controls that address risks of material misstatement or
sufficiently evaluate review controls;

•

Insufficient evaluation of significant assumptions or data used in developing an
estimate;58

•

Unwarranted reliance on data or reports used in testing an issuer’s financial
reporting controls or in substantive testing;59

•

Engagement partners’ failure to adequately supervise the engagement with due
professional care, which contributed to not identifying deficiencies;60

•

Failure to implement and maintain adequate policies and procedures to provide
reasonable assurance that work is performed and documented;61 and

•

Failure to ensure audits are performed under PCAOB standards and not another
framework.62

See, e.g., WithumSmith+Brown, PC, PCAOB Rel. No. 105-2024-010.

See, e.g., PKF O’Connor Davies, LLP, PCAOB Rel. No. 105-2022-001.

See, e.g., Alfonse Gregory Giugliano, CPA, SEC AAER No. 4458; In the Matter of Deloitte
Touche Tohmatsu Certified Public Accountants, LLP, SEC AAER No. 4342 (Sept. 29, 2022); In
the Matter of RSM, SEC AAER No. 4346 (Sept. 30, 2022); In the Matter of Mancera, S.C.,
Alejandro Valdez Mendoza, C.P., and Angel Radames Corral Nieblas, C.P., SEC AAER No. 4198
(Dec. 17, 2020); In the Matter of Whitley Penn LLP, Susan Lunn Powell, CPA, Jeffry Shannon
Lawlis, CPA, and John Griffin Babb, CPA, PCAOB Rel. No. 105-2020-002 (Mar. 24, 2020); In
the Matter of David M. Burns, CPA, PCAOB Rel. No. 105-2017-055 (Dec. 19, 2017); In the
Matter of BDO Auditores, S.L.P., Santiago Sañé Figueras, and José Ignacio Algás Fernández,
PCAOB Rel. No. 105-2017-039 (Sept. 26, 2017); In the Matter of KPMG LLP and John Riordan,
CPA, SEC AAER No. 3888 (Aug. 15, 2017).

See, e.g., WithumSmith+Brown, PC, PCAOB Rel. No. 105-2024-010; In the Matter of SW Audit,
PCAOB Rel. No. 105-2024-009 (Feb. 20, 2024); Shama, PCAOB Rel. No. 105-2024-004; In the
Matter of Haynie & Company, PCAOB Rel. No. 105-2024-001 (Jan. 23, 2024); Shandong Haoxin
Certified Public Accountants Co., Ltd., PCAOB Rel. No. 105-2023-045; In the Matter of Deloitte
& Touche S.A.S., PCAOB Rel. No. 105-2023-025 (Sept. 26, 2023); Marcum LLP, SEC AAER No.
4423 ; Deloitte Touche Tohmatsu Certified Public Accountants, LLP, SEC AAER No. 4342; In
the Matter of HLB Mann Judd, Darryl Swindells, and Aidan Smith, PCAOB Rel. No. 105-2020008 (June 29, 2020); In the Matter of Castillo Miranda y Compañía, S.C., Ignacio García
Pareras, Juan Martín Gudiño Casillas, Luis Raúl Michel Domínguez, Juan Francisco Olvera
Díaz, Carlos Rivas Ramos, and Bernardo Soto Peñafiel, PCAOB Rel. No. 105-2019-028 (Oct. 31,
2019); In the Matter of Deloitte Anjin LLC, PCAOB Rel. No. 105-2019-025 (Oct. 31, 2019); In
the Matter of Deloitte Touche Tohmatsu Auditores Independentes, PCAOB Rel. No 105-2016-031
(Dec. 5, 2016).

See, e.g., In the Matter of Dale Matheson Carr-Hilton LaBonte LLP, PCAOB Rel. No. 105-2021021 (Dec. 14, 2021); In the Matter of WDM Chartered Professional Accountants and Mike Kao,
PCAOB Rel. No. 105-2021-016 (Sept. 30, 2021).

iii. Independence, integrity, and objectivity
A firm’s QC system should also provide the firm with reasonable assurance that
personnel maintain independence—in fact and in appearance—in all required
circumstances.63 Observations relating to auditor independence have been recurring over
the last several years.64 Examples of these observations frequently have included:
•

Violations of independence, including financial relationship and partner rotation
requirements of 17 CFR 210.2-01;65

•

Noncompliance by firm personnel in reporting their financial relationships during
the independence confirmation process;

•

Independence violations related to the firm providing impermissible non-audit
services;66

•

Noncompliance with PCAOB Rule 3524, Audit Committee Pre-approval of
Certain Tax Services, and PCAOB Rule 3526, Communication with Audit
Committees Concerning Independence;67

See QC 20.09.

See, e.g., 2022 Inspection Observations Preview at 18; 2021 Inspection Observations Preview at
19; PCAOB, Spotlight: Staff Update and Preview of 2020 Inspection Observations (Oct. 2021)
(“2020 Inspection Observations Preview”), at 12, available at https://pcaobassets.azureedge.net/pcaob-dev/docs/default-source/documents/staff-preview-2020-inspectionobservations-spotlight.pdf?sfvrsn=10819041_4; Spotlight: Staff Update and Preview of 2019
Inspection Observations (Oct. 8, 2020) (“2019 Inspection Observations Preview”), at 7, available
at https://pcaobus.org/Inspections/Documents/Staff-Preview-2019-Inspection-ObservationsSpotlight.pdf; Staff Inspection Brief: Inspections Outlook for 2019 (Dec. 6, 2018) (“2019
Inspections Outlook”), at 2, available at https://pcaob-assets.azureedge.net/pcaobdev/docs/default-source/inspections/documents/inspections-outlook-for2019.pdf?sfvrsn=538b8bb7_2.

See, e.g., In the Matter of Ernst & Young LLP, James G. Herring, Jr., CPA, James A. Young, CPA,
and Curt W. Fochtmann, CPA, SEC AAER No. 4239 (Aug. 2, 2021); In the Matter of Raich Ende
Malter & Co., PCAOB Rel. No. 105-2019-009 (Apr. 9, 2019); In the Matter of Marcum LLP and
Alfonse Gregory Giugliano, CPA, PCAOB Rel. No. 105-2019-022 (Sept. 10, 2019); In the Matter
of Marcum Bernstein & Pinchuk LLP, PCAOB Rel. No. 105-2019-023 (Sept. 10, 2019).

See, e.g., In the Matter of Pricewaterhousecoopers LLP, SEC AAER No. 4084 (Sept. 23, 2019); In
the Matter of RSM US LLP (f/k/a McGladrey LLP), SEC AAER No. 4066 (Aug. 27, 2019).

See, e.g., In the Matter of PricewaterhouseCoopers, S.C., PCAOB Rel. No. 105-2019-017 (Aug. 1,
2019); In the Matter of BDO Magyarorszag Konyvvizsgalo Kft., PCAOB Rel. No. 105-2017-024
(Apr. 12, 2017).

•

Improper inclusion of indemnification clauses in engagement letters, which
impaired independence based on the general standard of independence prescribed
by 17 CFR 210.2-01(b); and

•

Failure to implement and maintain adequate policies and procedures to provide
reasonable assurance that firm personnel timely consult on complex, unusual, or
unfamiliar independence issues.68
The PCAOB has also observed highly concerning, widespread instances where

firm personnel have improperly shared answers on examinations required to obtain or
maintain professional licenses.69 The Board has acted decisively in responding to this
conduct, which was prevalent both domestically and internationally.70 The PCAOB has
also observed instances where firm personnel have not acted with integrity by altering
work papers71 or failing to cooperate with the Board.72

See, e.g., In the Matter of PricewaterhouseCoopers LLP, PCAOB Rel. No. 105-2024-014 (Mar.
28, 2024).

See, e.g., In the Matter of Navarro Amper & Co., PCAOB Rel. No. 105-2024-025 (Apr. 10, 2024);
In the Matter of Imelda & Rekan, PCAOB Rel. No. 105-2024-024 (Apr. 10, 2024); In the Matter
of KPMG Accountants N.V., PCAOB Rel. No. 105-2024-022 (Apr. 10, 2024); In the Matter of
KPMG LLP (United Kingdom), PCAOB Rel. No. 105-2022-032 (Dec. 6, 2022); In the Matter of
Ernst & Young LLP, SEC AAER No. 4313 (June 28, 2022); In the Matter of
PricewaterhouseCoopers LLP, PCAOB Rel. No. 105-2022-002 (Feb. 24, 2022); In the Matter of
KPMG, PCAOB Rel. No. 105-2021-008 (Sept. 13, 2021); In the Matter of KPMG LLP, SEC
AAER No. 4051 (June 17, 2019).

See, e.g., In the Matter of PricewaterhouseCoopers Zhong Tian LLP, PCAOB Rel. No. 105-2023044 (Nov. 30, 2023); In the Matter of PricewaterhouseCoopers, PCAOB Rel. No. 105-2023-043
(Nov. 30, 2023); KPMG LLP (United Kingdom), PCAOB Rel. No. 105-2022-032
PricewaterhouseCoopers LLP, PCAOB Rel. No. 105-2022-002 KPMG, PCAOB Rel. No. 1052021-008.

See, e.g., In the Matter of Jose Daniel Melendez Gimenez, PCAOB Rel. No. 105-2022-035 (Dec.
6, 2022); In the Matter of Edgar Mauricio Ramirez Rueda, PCAOB Rel. No. 105-2022-036 (Dec.
6, 2022); In the Matter of Marco Alexander Rodriguez Ramirez, PCAOB Rel. No. 105-2022-037
(Dec. 6, 2022); In the Matter of KPMG S.A.S., PCAOB Rel. No. 105-2022-034 (Dec. 6, 2022); In
the Matter of Jonathan B. Taylor, CPA, PCAOB Rel. No. 105-2022-025 (Oct. 18, 2022); Castillo
Miranda y Compañía, S.C.PCAOB Rel. No. 105-2019-028 Deloitte Anjin LLC, PCAOB Rel. No.
105-2019-025 Deloitte Touche Tohmatsu Auditores Independentes, PCAOB Rel. No 105-2016031.

See, e.g., Shandong Haoxin Certified Public Accountants Co., Ltd., PCAOB Rel. No. 105-2023045 Jose Daniel Melendez Gimenez, PCAOB Rel. No. 105-2022-035 Edgar Mauricio Ramirez
Rueda, PCAOB Rel. No. 105-2022-036 Marco Alexander Rodriguez Ramirez, PCAOB Rel. No.
105-2022-037 Jose Daniel Melendez Gimenez, PCAOB Rel. No. 105-2022-035 Castillo Miranda
y Compañía, S.C., PCAOB Rel. No. 105-2019-028 Deloitte Touche Tohmatsu Auditores
Independentes, PCAOB Rel. No 105-2016-031.

These recurring deficiencies and violations suggest that some firms and their
personnel either do not have the requisite understanding of applicable independence and
ethics requirements, or, as evidenced by the systemic nature of certain of these violations,
do not have appropriate controls in place to prevent violations.73
iv. Personnel management
The quality of a firm’s work ultimately depends on the integrity, objectivity,
intelligence, competence, experience, and motivation of personnel who perform,
supervise, and review the work.74 A firm’s QC system should provide the firm with
reasonable assurance that personnel participate in general and industry-specific CPE and
other professional development activities that enable them to fulfill responsibilities
assigned and satisfy applicable CPE requirements.75 A firm’s QC system also should
provide the firm with reasonable assurance that personnel possess the appropriate
characteristics to enable them to perform competently and that work is assigned to
personnel having the degree of technical training and proficiency required in the
circumstances.76
The PCAOB has observed deficiencies related to compliance with the firm’s
auditing policies and procedures.77 The PCAOB also has observed deficiencies and
violations where the firm did not assign personnel to engagements who had the training
and proficiency required to perform audit work in accordance with PCAOB standards.78

See 2021 Inspection Observations Preview at 19; 2019 Inspections Outlook at 2.

See QC 20.12.

See QC 20.13c.

See QC 20.13a. and b.

See 2022 Inspection Observations Preview at 18.

See, e.g., Jack Shama PCAOB Rel. No. 105-2024-004 ; In the Matter of Hall & Company
Certified Public Accountants & Consultants, Inc., and Anthony J. Price, CPA, PCAOB Rel. No.
105-2022-029 (Nov. 3, 2022); In the Matter of PKF O’Connor Davies, LLP, PCAOB Rel. No.
105-2022-001 (Jan. 25, 2022); In the Matter of WDM Chartered Professional Accountants,
PCAOB Rel. No. 105-2021-016 (Sept. 30, 2021); In the Matter of Grant Thornton LLP, PCAOB
Rel. No. 105-2017-054 (Dec. 19, 2017); BDO Auditores, S.L.P., Santiago Sañé Figueras, and José
Ignacio Algás Fernández, PCAOB Rel. No. 105-2017-039.

v. Monitoring
A firm’s QC system should provide the firm with reasonable assurance that its
policies and procedures are suitably designed and effectively applied.79 The PCAOB has
observed situations where a firm’s internal inspection procedures did not detect
significant audit deficiencies or the firm did not make changes to address repeated
identified audit deficiencies.80 These deficiencies and violations were subsequently
identified through SEC and PCAOB oversight.81
vi. Engagement quality reviews
Both the PCAOB and SEC have identified deficiencies and violations in audit
areas that require evaluation by the engagement quality reviewer (“EQR”),82 which
suggests the EQR did not perform the evaluation with due professional care.83
Additionally, for certain broker-dealer audit and attestation engagements, the PCAOB has

See QC 20.20.

See, e.g., 2022 Inspection Observations Preview at 19.

See, e.g., In the Matter of KPMG Assurance and Consulting Services LLP and Sagar Pravin
Lakhani, PCAOB Rel. No. 105-2022-033 (Dec. 6, 2022); In the Matter of Friedman LLP, SEC
AAER No. 4339 (Sept. 23, 2022); In the Matter of BMKR LLP and Joseph Mortimer, CPA,
PCAOB Rel. No. 105-2022-003 (Feb. 24, 2022); PKF O’Connor Davies, LLP, PCAOB Rel. No.
105-2022-001 WDM Chartered Professional Accountants, PCAOB Rel. No. 105-2021-016 ; In the
Matter of Haskell & White LLP, PCAOB Rel. No. 105-2021-006 (Aug. 13, 2021); In the Matter
of RBSM LLP, PCAOB Rel. No. 105-2021-004 (Aug. 9, 2021); Castillo Miranda y Compañía,
S.C., PCAOB Rel. No. 105-2019-028 Marcum LLP, PCAOB Rel. No. 105-2019-022 Marcum
Bernstein & Pinchuk LLP, PCAOB Rel. No. 105-2019-023 PricewaterhouseCoopers, S.C.,
PCAOB Rel. No. 105-2019-017; In the Matter of Bharat Parikh & Associates Chartered
Accountants, Bharatkumar Balmukund Parikh, FCA, and Anuj Bharatkumar Parikh, PCAOB Rel.
No. 105-2019-003 (Mar. 19, 2019); Grant Thornton, PCAOB Rel. No. 105-2017-054.

See, e.g., Spotlight: Inspection Observations Related to Engagement Quality Reviews (Oct. 2023),
available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/eqrspotlight.pdf?sfvrsn=95a345e6_4; 2022 Inspection Observations Preview at 19; 2021 Inspection
Observations Preview at 20; 2018 Inspection Observations Preview, at 4; 2020 Inspection
Observations Preview at 12.

See, e.g., In the Matter of RAM Associates & Company LLC and Parameswara K. Ramachandran,
PCAOB Rel. No. 105-2023-021 (Aug. 8, 2023); In the Matter of Total Asia Associates PLT,
PCAOB Rel. No. 105-2023-007 (June 23, 2023); In the Matter of RT LLP, PCAOB Rel. No. 1052023-002 (Apr. 11, 2023); In the Matter of Donald R. Burke, CPA, PCAOB Rel. No. 105-2021012 (Sept. 29, 2021); RBSM LLP, PCAOB Rel. No. 105-2021-00; In the Matter of Cheryl L.
Gore, CPA and Stanley R. Langston, CPA, PCAOB Rel. No. 105-2021-020 (Dec. 14, 2021);
Whitley Penn LLP, PCAOB Rel. No. 105-2020-002; In the Matter of Helen R. Liao, CPA,
PCAOB Rel. No. 105-2020-014 (Sept. 24, 2020); In the Matter of Crowe Horwath LLP, Joseph C.
Macina, CPA, and Kevin V. Wydra, CPA, SEC AAER No. 4007 (Dec. 21, 2018); In the Matter of
BDO Auditores, S.L.P., PCAOB Rel. No. 105-2017-039.

observed instances where engagement quality reviews were not performed or sufficiently
documented84 and policies and procedures did not provide reasonable assurance that
engagement quality reviews were performed with due professional care.85
b. Good practices observed from inspections
The following observations regarding good QC practices are based on inspections
in recent years.86 A good QC practice could be a procedure, technique, or methodology
that is appropriately comprehensive and suitably designed in relation to a firm’s size and
the nature and complexity of the firm’s practice. The Board has taken these observations
into account in its consideration of QC 1000, while recognizing that the nature, extent,
and formality of the design, implementation, and operation of QC systems can vary
across firms.
i. Well-defined QC system
A well-defined QC system includes all key elements of quality control and is
supported by documentation that helps to promote firm personnel’s understanding and
consistent application of the firm’s QC system. Helpful characteristics that the PCAOB
has observed in some firms’ QC systems include:
•

Narratives and process flows that articulate how and where quality objectives fit
within the QC processes and define risks posed to those quality objectives,
including considering what could go wrong along the way;87 and

•

Developing risk and control matrices that include well-defined controls.

See, e.g., In the Matter of Alvarez & Associates, Inc., Certified Public Accountants, and Vicente
Alvarez, CPA, PCAOB Rel. No. 105-2022-039 (Dec. 21, 2022); In the Matter of Citrin
Cooperman & Company, LLP, Joseph Puglisi, CPA, Mark Schniebolk, CPA, and John Cavallone,
CPA, PCAOB Rel. No. 105-2022-007 (May 11, 2022).

See Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers,
PCAOB Rel. No. 2023-005 (Aug. 10, 2023) (“2022 Broker-Dealer Inspection Report”), at 31.

See, e.g., 2022 Inspection Observations Preview; 2021 Inspection Observations Preview; 2020
Inspection Observations Preview; 2019 Inspection Observations Preview; and 2018 Inspection
Observations Preview.

See 2021 Inspection Observations Preview at 22; 2019 Inspection Observations Preview at 4.

ii. Accountability for audit quality
Leadership involvement in and commitment to a firm’s QC system sets the tone at
the top and drives clear expectations regarding the importance of audit quality. The
PCAOB observed positive behaviors where firms have placed an emphasis on the
importance of audit quality through extending accountability beyond engagement
partners to other key leaders at the firm, such as audit quality leaders, technical experts,
and office leaders, through performance management processes.88
iii. Root cause analysis of identified deficiencies
Identifying causal factors for engagement and QC deficiencies (i.e., root cause
analysis) can enable a firm to determine the appropriate response to and remediation of
deficiencies and modify policies and procedures to prevent similar occurrences in the
future. The PCAOB has observed that thorough root cause analyses drive better
remediation of identified deficiencies. If root cause analysis is performed by a centralized
team, having a defined process to share data and lessons learned outside of the root cause
analysis team may further enhance the performance of a firm’s QC system.
Through its inspection activities the PCAOB has observed that some firms’ root
cause analysis programs have significantly evolved since the PCAOB was formed. The
PCAOB has observed that some firms’ approach to root cause analysis includes one or
more of the following:
•

Interviews with engagement teams and firm leadership;

•

Use of proprietary tools to analyze large amounts of data;

•

Root cause analysis training and the use of templates to facilitate consistency;

•

Consideration of available performance metrics, such as engagement hours,
training records, audit milestone dates, and partner experience years; and

See 2018 Inspection Observations Preview at 2.

•

Consideration of positive quality events (i.e., actions, behaviors, or conditions that
resulted in positive outcomes, such as where aspects of the firm’s QC system
operated effectively or where no engagement deficiencies were identified for
individual engagements) to identify whether such actions, behaviors, or
conditions were present on engagements where QC deficiencies were identified.
iv. Timely monitoring and evaluation activities
Timely and effective monitoring activities drive high-quality audits. The PCAOB

has observed several good practices followed by some firms in their monitoring
activities, including:
•

Increased real-time monitoring of in-process audit engagements, for example,
through pre-issuance reviews or coaching programs;89

•

Formalized monitoring processes and actions for defined triggering events,
including restatements, internal and external inspection results, and results of peer
reviews; and

•

Mature QC processes including internal self-certifications of the effectiveness of
QC components and sub-components.

OTHER DEVELOPMENTS SINCE THE ADOPTION OF CURRENT PCAOB QC
STANDARDS
Since the PCAOB’s current QC standards were first developed and issued, the
auditing environment has changed significantly. The current QC standards were
developed in the context of the self-regulatory peer-review system that existed before the
establishment of the PCAOB. Therefore, they were not written with a view to inspection
and enforcement by a regulator and do not address the current regulatory environment,

See 2020 Inspection Observations Preview at 4, 13.

including firms’ responsibilities with respect to information brought to their attention
through the PCAOB inspection process.
Since the QC standards were established, there have been significant
developments in the availability and use of technologies and data analytic techniques, the
organizational structure and management of firms have changed, and some firms have
significantly increased their focus on governance and quality control.
For example, there have been significant developments in the use of technology
by firms in relation to QC activities and performing engagements. Some firms have made
significant investments in internally developed tools for use in the audit. The increased
availability of “off-the-shelf” technologies, such as analytical software packages, has
made some tools more readily available for use by firms. Firms developing or acquiring
new technology-based tools, making changes to existing tools, and training firm
personnel on how and when to use such tools have had impacts on QC. Many of these
tools may reduce risk, for example by reducing the possibility of human error and
enabling the analysis of whole populations of transactions rather than samples. But they
may also create new risks if they do not work as intended or are used incorrectly.
Furthermore, some firm management and organizational structures have evolved
to include more focus on centralization and a globally consistent methodology. Some
firms have increased their use of services and resources supplied by firm networks,
affiliates, and third-party providers. For example, some global networks are increasingly
imposing requirements on member firms regarding the use of methodologies, technology,
and policies and procedures that are developed or established at the network level. Some
firms have also increased their use of shared service centers to assist with QC activities or
performing engagements. In addition, some firms have changed their governance

structures either voluntarily or due to changes in legal requirements.90 At the same time,
some firms have begun to publish “transparency reports” that seek to inform the public
about the firm’s operations and quality control systems and practices.
Additionally, some firms have strengthened their approaches to firm governance
and leadership, incentive systems, culture, and accountability. For example, some firms
have added external parties to oversight roles. Some firms have also augmented their
monitoring and remediation processes, including through implementing or enhancing
ongoing monitoring activities and internal inspection processes, establishing processes
for considering PCAOB inspection findings, performing root cause analysis, and
increasing remediation efforts. Observations from PCAOB oversight activities have
shown that improvements in quality controls can enhance the quality of audits.91
However, as noted above, PCAOB oversight activities continue to identify pervasive
deficiencies, suggesting that many firms have meaningful improvements to make.
There have also been notable advances in internal control, quality management,
and enterprise risk management frameworks and approaches, including the Committee of
Sponsoring Organizations of the Treadway Commission (“COSO”) framework for
internal control92 and the International Organization for Standardization (“ISO”) quality
control standard ISO 9000:2015.93 Many of these share important commonalities,
stressing active involvement of leadership, focus on risk, clearly defined objectives,

See, e.g., the UK Financial Reporting Council, Audit Firm Governance Code (Apr. 2022)
available at https://www.frc.org.uk/getattachment/5af7cdb7-a093-4da8-94d7-f4486596e68c/FRCAudit-Firm-Governance-Code_April-2022.pdf, and the Japan Financial Services Agency, Audit
Firm Governance Code (Mar. 2017) available at https://www.fsa.go.jp/news/28/sonota/20170331auditfirmgc/3.pdf.

See, e.g., 2018 Inspection Observations Preview at 1-4.

See, e.g., COSO, Internal Control–Integrated Framework (May 2013). An executive summary of
COSO’s internal control framework is available at https://www.coso.org/_files/ugd/
3059fc_1df7d5dd38074006bce8fdf621a942cf.pdf.

More information about ISO 9000:2015 is available at https://www.iso.org/standard/45481.html.

objective-oriented processes, monitoring, and remediation of identified issues. Academic
research suggests that these frameworks improve company performance.94
ACTIONS BY OTHER STANDARD SETTERS
Following is a brief description of the quality control standards adopted by the
IAASB and the AICPA.
1. IAASB
The IAASB identified concerns related to its then effective QC standard,
International Standard on Quality Control (ISQC) 1, Quality Control for Firms that
Perform Audits and Reviews of Financial Statements, and Other Assurance and Related
Services Engagements, and decided to take steps to improve the standard. In December
2020, the IAASB released a suite of new quality management standards, including
International Standard on Quality Management 1, Quality Management for Firms that
Perform Audits or Reviews of Financial Statements, or Other Assurance or Related
Services Engagements (“ISQM 1”),95 which became effective on December 15, 2022.96
2. AICPA
In May 2022, the Auditing Standards Board of the AICPA adopted new quality
management standards designed to improve a firm’s risk assessment and audit quality,
including Statement on Quality Management Standards (SQMS) No. 1, A Firm's System

See Benefits of related frameworks below.

In addition to ISQM 1, the IAASB adopted two other standards, International Standard on Quality
Management 2, Engagement Quality Reviews (“ISQM 2”), and International Standard on Auditing
220 (Revised), Quality Management for an Audit of Financial Statements (“ISA 220 (Revised)”).
ISQM 2 operates at the firm level, and is analogous to PCAOB AS 1220, Engagement Quality
Review. ISA 220 (Revised) operates at the engagement level and deals with the engagement
partner’s and the engagement team’s responsibilities for quality management for an audit of
financial statements. Similar topics are addressed in PCAOB standards in AS 1201, Supervision of
the Audit Engagement.

ISQM 1 sets forth eight components of a QC system that operate in an iterative and integrated
manner, as well as other requirements. See IAASB Fact Sheet, Introduction to ISQM 1, Quality
Management for Firms that Perform Audits or Reviews of Financial Statements, or Other
Assurance or Related Services Engagements (Dec. 2020), available at https://www.ifac.org/
system/files/publications/files/IAASB-ISQM-1-Fact-Sheet.pdf.

of Quality Management (“SQMS 1”).97 The AICPA’s quality management standards
closely align with the IAASB’s quality management standards, adapted for private
companies in the United States. The new AICPA standards will become effective on
December 15, 2025.
PCAOB OUTREACH AND RESEARCH
The Board and its advisory groups have long considered the potential for
improvements to PCAOB QC standards. For example, in 2010, the Standing Advisory
Group (“SAG”) discussed a potential QC rulemaking project, including considerations
and potential challenges in designing and implementing a QC system.98 In 2014, the SAG
discussed how QC standards may benefit from stronger requirements and other
enhancements with respect to, for example, firm culture and tone at the top, firm risk
assessment, and monitoring of the quality control system, including use of root cause
analyses.99 In 2018, the SAG discussed whether additional or more specific direction in
the quality control standards with respect to governance and leadership would lead to
enhancements in firm quality control systems.100 Advisory group members have

The AICPA’s other QC standards are SQMS No. 2, Engagement Quality Reviews; Statement on
Auditing Standards (SAS) No. 146, Quality Management for an Engagement Conducted in
Accordance With Generally Accepted Auditing Standards; and Statement on Standards for
Accounting and Review Services (SSARS) No. 26, Quality Management for an Engagement
Conducted in Accordance With Statements on Standards for Accounting and Review Services.

See Briefing Paper for the Standing Advisory Group, Designing and Implementing a System of
Quality Control (Oct. 13, 2010). An archive of SAG meeting agendas, briefing papers, and
webcasts is available at https://pcaobus.org/about/advisory-groups/archive-advisory/standingadvisory-group/sagmeetingarchive. The materials for the Oct. 13-14, 2010, SAG meeting are
available at https://pcaobus.org/news-events/events/event-details/standing-advisory-groupmeeting_476.

See Briefing Paper for the Standing Advisory Group, Initiatives to Improve Audit Quality—Root
Cause Analysis, Audit Quality Indicators, and Quality Control Standards (June 24, 2014) (“June
2014 SAG Briefing Paper”). The materials for the June 24-25, 2014, SAG meeting are available at
https://pcaobus.org/news-events/events/event-details/pcaob-standing-advisory-groupmeeting_772.

See Briefing Paper for the Standing Advisory Group, Quality Control: Governance and
Leadership (Nov. 29, 2018). The materials for the Nov. 29, 2018, SAG meeting are available at
https://pcaobus.org/news-events/events/event-details/standing-advisory-group-meeting_1137.

generally supported including requirements concerning firm governance and leadership
in PCAOB QC standards.
RULEMAKING HISTORY
On December 17, 2019, the Board issued the concept release to explore the
possibility of revising PCAOB QC standards. The concept release described an approach
similar to the approach taken by the then-proposed ISQM 1, with certain differences and
alternative requirements to specifically address the PCAOB’s objectives, including
establishing requirements that:
•

Align with U.S. Federal securities law, SEC rules, and other PCAOB standards
and rules;

•

Retain important topics in current PCAOB QC standards;

•

Address specific emerging risks and problems observed through PCAOB
oversight activities; and

•

Provide more definitive direction to prompt appropriate implementation of certain
requirements.101
The Board received 36 comment letters in response to the concept release.102

Commenters included firms and related groups, investors and related groups, academics,
trade groups, and others.
On November 18, 2022, the Board issued a proposal to supersede current PCAOB
QC standards with an integrated, risk-based standard, QC 1000, A Firm’s System of
Quality Control, that would apply to all registered firms. The Board received 42
comment letters in response to the proposal.103 Commenters included firms and related

See Concept Release at 6.

The comment letters received in response to the concept release are available on the Board’s
website in Docket 046.

The comment letters received in response to the proposal are available on the Board’s website in
Docket 046. In addition to 42 letters received from commenters, Docket 046 includes an analysis
prepared by the PCAOB Office of Economic and Risk Analysis.

groups, investors and related groups, academics, trade groups, and others. The Board has
considered all comments in developing the final standard and related amendments, and
commenter input is included where relevant in the discussion that follows.
AREAS OF IMPROVEMENT TO THE QC STANDARDS
Taking into account the foregoing considerations, as well as careful consideration
of comments received, the Board adopted changes to its QC standards that it believes will
drive significant improvements in firms’ QC systems, by:
•

Emphasizing accountability, firm culture and the “tone at the top,” and firm
governance through requirements for specified roles within and responsibilities
for the QC system, including at the highest levels of the firm; quality objectives
that link compensation to quality; and, for the largest firms, the requirement of an
independent perspective on firm governance;

•

Striking the right balance between a risk-based approach to QC—which should
drive firms to proactively identify and manage the specific risks associated with
their practice—and a set of mandates, including mandatory quality objectives;
mandatory processes for risk assessment, monitoring and remediation, and QC
system evaluation; and specific requirements in key areas—which should assure
that the QC system is designed, implemented and operated with an appropriate
level of rigor;

•

Addressing changes in the audit practice environment, including the increasing
participation of other firms and other outside resources, the role of firm networks,
the evolving use of technology and other resources, and the increasing importance
of internal and external firm communications;

•

Broadening responsibilities for monitoring and remediation of deficiencies to
encourage an ongoing feedback loop that drives continuous improvement; and

•

Requiring a rigorous annual evaluation of the firm’s QC system and related
reporting to the PCAOB, certified by key personnel, to underscore the importance
of the annual evaluation of the QC system, reinforce individual accountability,
and support PCAOB oversight.
In the Board’s view, the basic objectives of the QC system should be the same for

all firms, but the scope of the QC standard and how it applies should take into account
wide disparities in nature and circumstances across registered firms, in particular the
extent to which their practices include engagements required to be performed under
PCAOB standards, and the complexity of such engagements. The risks that firms face,
and therefore the specific policies and procedures necessary to appropriately serve
investor interests through an effective QC system, vary significantly from the largest
firms, operating as part of global networks, to local firms or sole proprietorships. The
scalability of the new QC standard is discussed in greater detail below.
QC 1000: BASIC STRUCTURE, TERMINOLOGY, AND SCALABILITY
BASIC STRUCTURE
1. Considerations informing the structure of QC 1000
Informed by its observations and assessment of changes to auditing practice, the
Board believes it is critical that its new QC standard strikes an appropriate balance
between risk-based elements, which should drive firms to proactively identify and
manage the specific risks associated with their practice, and a set of mandates to assure
that the QC system is designed, implemented, and operated with an appropriate level of
rigor. Moreover, the Board believes the new QC standard should foster a proactive
approach to QC that drives continuous improvement. Based in part on its observations,
the Board also believes its new standard should include specific requirements for some
important areas of the QC system that are addressed more generally in current PCAOB

QC standards, such as firm governance and leadership, technology and other firm
resources, and firm communications.
QC 1000 addresses all the areas of QC that Sarbanes-Oxley requires PCAOB QC
standards to address, which the Board believes will provide a robust framework for a
firm’s QC system. It incorporates eight components, which are based on mandatory
elements and mandatory processes that create a basic structure applicable to all firms. For
example, as discussed in more detail below, QC 1000 establishes mandatory, outcomebased quality objectives and mandatory processes for risk assessment and monitoring and
remediation. Within the structure created by these mandates, firms will develop their own
policies and procedures based on the specific risks created by their circumstances and
practice. QC 1000 also includes requirements for annual evaluation of the QC system and
reporting to the PCAOB on that evaluation, which the Board believes will add rigor and
accountability to the firm’s evaluation of whether the QC system has met its objectives,
and will strengthen the feedback loop that drives continuous improvement.
The structure itself addresses areas that current PCAOB standards do not directly
address, such as firm governance and leadership, technology and other firm resources,
and firm communications. In addition, to the extent it is principles-based and focused on
the specific risks faced by the firm, the structure is inherently scalable and can be applied
to firms of all sizes and circumstances.
The structure of QC 1000 has commonalities with the structure of ISQM 1 and
SQMS 1. While the approach taken in ISQM 1 and SQMS 1 has informed the Board’s
thinking, the Board has carefully analyzed every aspect of that approach and considered
where to align and where to further strengthen the PCAOB standard by including
alternative or incremental provisions that the Board believes will better serve investor
protection and the public interest. The Board believes that building on a well-understood
basic framework, appropriately tailored and strengthened to address its legal and

regulatory environment and its investor protection mandate, will enable firms to
implement and comply with QC 1000 more effectively. In designing, implementing, and
operating their QC systems, firms that are subject to both PCAOB standards and IAASB
or AICPA QC standards—which the Board believes constitute a very substantial majority
of firms that perform engagements under PCAOB standards104—can leverage the work
they have already done and the investments they have already made to comply with those
other requirements.
Many commenters, including firms and related groups, were generally supportive
of structuring QC 1000 in a manner similar to the structure of ISQM 1 and SQMS 1.
However, several commenters, including firms and related groups, suggested that further
alignment should be considered, and any differences should be minimized. Several
commenters suggested that firms would be subject to at least two different quality
management/quality control systems, and commented that this would be impractical for
firms to operate. The Board does not believe that QC 1000 conflicts with the
requirements of other standard setters or that anything prevents firms from developing a
single QC system for their entire practice that satisfies both PCAOB requirements and
other professional standards to which the firm is subject. The Board acknowledges
certain differences between QC 1000 and the quality management standards set by other
standard setters, in particular areas where QC 1000 establishes additional or more
stringent requirements. However, the Board believes that quality responses developed by
firms under QC 1000 can be considered by firms for the purposes of other quality
management standards to which they are subject, reducing the need for two or more
separate QC systems.

See below for a discussion of the assumptions regarding the baseline.

One investor-related group did not support the framework of the standard, arguing
that ISQM 1 is a process-driven and compliance-oriented framework that does not
encourage firms to meaningfully enhance their QC systems for the benefit of investors.
Another investor expressed concern regarding the reliance on ISQM 1 in the development
of QC 1000 on the basis that it does not always reflect the best interests of investors. The
Board continues to believe that a common basic structure among quality control
standards is beneficial. This is not only cost beneficial, but it also supports a firm’s ability
to operate a single, consistent QC system over its whole practice, which the Board
believes ultimately supports audit quality. Where appropriate, QC 1000 goes beyond
ISQM 1 to incorporate more detailed or more stringent provisions that are specifically
relevant to the U.S. regulatory environment and investors.
Several commenters supported a principles-based approach to QC 1000.
However, some commenters suggested that the specified quality responses throughout the
standard impose prescriptive requirements that are not consistent with maintaining a
principles-based approach. Others expressed a different perspective, suggesting that the
standard was too principles-based, providing the firms with too much flexibility in
designing, implementing, and operating their QC systems. For example, an investor
expressed concern that a principles-based approach does not always reflect the best
interests of investors. Other investor-related groups expressed concerns that a principlesbased approach allows audit firms to conduct their own risk assessment and design their
own controls to manage risks, including making the determination of whether QC
deficiencies exist and are remediated without any public awareness or accountability.
One of these investor-related groups suggested that an emphasis on a risk-based approach
will result in little to no change at the largest auditing firms as they believe that this
approach is already embedded in their QC systems. Another investor-related group

commented that the proposed standard set the bar too low and failed to focus on audit
quality and accountability such that it would only perpetuate the status quo.
The Board has retained the approach as proposed. The Board believes that
QC 1000 strikes the right balance between mandatory and risk-based elements. As
discussed in more detail below, QC 1000 establishes a mandatory minimum set of
outcome-based quality objectives that apply to all firms. Firms generally cannot omit or
modify any of the quality objectives set out in the standard. Therefore, firms do not
determine the criteria by which their QC systems will be assessed, only the means by
which they will meet those criteria. Moreover, QC 1000 establishes requirements with
which all firms will have to comply for roles and responsibilities within the QC system
and the firm’s risk assessment process, monitoring and remediation process, and
evaluation process, as well as specified quality responses applicable to all firms in areas
that the Board believes justify a more prescriptive approach. It also includes evaluation
and reporting requirements that the Board believes will add accountability and rigor to
the annual evaluation.
Within that framework, QC 1000 requires firms to develop the policies and
procedures they need to achieve the quality objectives and the overall objective of the QC
system. The Board believes this more principles-based aspect of the standard will prompt
firms to identify and focus on the most relevant risks to quality in the context of their
own practice and will make QC 1000 appropriately scalable. This approach also allows
for the standard to be operable by firms of all sizes. Smaller PCAOB audit practices can
scale down their responses to fit the risks associated with a small practice, and as the
practice grows, the firm can scale up to respond to new quality risks. In addition, the
Board believes that this approach will make it less likely that the standard will need to be
amended in the future in response to changes in the auditing environment, including the
use of technology.

2. Components of the QC system
Under QC 1000, the QC system consists of eight components that are designed to
be highly integrated:
Two process components
•

The firm’s risk assessment process

•

The monitoring and remediation process

Six components that address aspects of the firm’s organization and operations
•

Governance and leadership

•

Ethics and independence

•

Acceptance and continuance of engagements

•

Engagement performance

•

Resources

•

Information and communication

The risk assessment process applies to these six components, requiring firms to:
•

Establish outcome-based “quality objectives,” including those specified
throughout the standard (i.e., the desired outcomes to be achieved by the firm with
respect to that component);105

•

Identify and assess “quality risks” to the quality objectives;106

•

Design and implement “quality responses” (i.e., policies and procedures to
address quality risks);107 and

•

Establish policies and procedures to monitor internal and external changes that
may require modifications to the quality objectives, quality risks, or quality
responses.

“Quality objectives” are defined in QC 1000.A10.

“Quality risks” are defined in QC 1000.A12.

“Quality responses” are defined in QC 1000.A11.

The monitoring and remediation process applies to all of the components of the
QC system, including monitoring and remediation itself (i.e., firms are required to
identify and remediate deficiencies that are observed in their monitoring and remediation
activities).
The firm is also required to evaluate and report on its QC system annually, based
on the results of its monitoring and remediation activities.

The following diagram illustrates the structure of the firm’s QC system under
QC 1000:

3. Quality objectives, quality risks, and quality responses, including specified
quality responses
For each of the six components to which the risk assessment process applies,
QC 1000 specifies required quality objectives. While QC 1000 provides some flexibility
with regard to the quality risks that firms are required to identify and the quality
responses that firms are required to develop to address those risks, it does not provide the
same flexibility with regard to quality objectives. Instead, quality objectives that will
apply to all firms are specified in the standard. Firms can establish additional quality
objectives—indeed, they are required to do so if necessary to achieve the objective of the
QC system—but they generally cannot omit or modify any of the quality objectives set
out in the standard. The Board believes that, for many firms, the quality objectives
specified in the standard are likely to be comprehensive, and does not expect in the
current environment that additional quality objectives would generally be necessary.
However, the Board also recognizes that the nature and circumstances of a firm and its
engagements will vary and the environment may change. Accordingly, firms are required
to establish additional quality objectives, if necessary.108 The quality objectives
established by this standard set forth a floor rather than a ceiling.
Firms are required to identify and assess quality risks to the achievement of the
established quality objectives. They are required to develop quality responses to address
the assessed quality risks. Quality responses are defined as policies and procedures
designed and implemented by the firm to address quality risks; policies are statements of
what should, or should not, be done to address an assessed quality risk, and procedures
are actions to implement and comply with policies. As proposed, the definition of quality
responses provided that policies “may be documented or explicitly stated in

See “The Firm’s Risk Assessment Process” below.

communications.” In the final rule, that sentence was eliminated to avoid confusion or
potential conflict with the documentation requirements set out in QC 1000.81-83.
The correspondence across quality objectives, quality risks, and quality responses
is generally not one-to-one. Most quality objectives are likely to have multiple quality
risks. Some quality risks may affect one or more quality objectives, either within a single
component or across several components, and may require multiple quality responses.
Some quality responses may address multiple quality risks.
Quality responses would typically be specific to the firm, to respond to its
particular assessed quality risks. QC 1000 also includes some specified quality responses,
which are mandatory for the firms to which they apply. Specified quality responses carry
requirements from current PCAOB standards into QC 1000 or provide new requirements
that the Board believes are important to a firm’s QC system. The specified quality
responses are not intended to be comprehensive; on the contrary, for most of the
components of the firm’s QC system, the standard includes only a few specified quality
responses, and for the engagement performance component there are none. As a result,
the specified quality responses alone will not be sufficient to enable the firm to achieve
all established quality objectives; firms are required to design and implement their own
quality responses. Both the specified quality responses and the quality responses the firm
designs and implements on its own are critical in addressing quality risks. The following
graphic illustrates the relationship between all quality responses (i.e., the quality
responses necessary to achieve all established quality objectives) and the specified

quality responses established in QC 1000:

TERMINOLOGY
This section discusses some of the terminology used throughout QC 1000.
Appendix A to QC 1000 defines several terms used in the standard.
Two commenters indicated that the proposed terminology was understandable and
appropriate, but most commenters on the topic requested that the terminology used in
QC 1000 be consistent with the terminology used by other standard setters, primarily to
avoid potential confusion and ensure that the process of evaluating the QC system and the
conclusion reached as to its effectiveness would be the same under both standards. The
Board continues to believe that its proposed terminology is necessary to capture the basic
concepts used in QC 1000, which differ in some respects from the concepts used by other

standard setters, particularly as regards “other participants,” as the Board has defined that
term, and the annual QC system evaluation process, which is grounded in the concepts of
“engagement deficiency,” “QC deficiency,” and “major QC deficiency.” While this
approach will result in an incremental burden for firms that seek to comply with other QC
standards as well as QC 1000, the Board believes that the burden is justified. The Board
also believes that, just as firms can perform audits under different auditing standards,
they can learn to implement and operate a QC system under different QC standards.
Accordingly, with the clarifications described below, the Board adopted the terminology
substantially as proposed.
1. Applicable professional and legal requirements
As discussed in more detail below, compliance with applicable professional and
legal requirements is a fundamental concept under QC 1000, driving the objective of the
QC system as well as many quality objectives and specified quality responses. The
proposed standard defined “applicable professional and legal requirements” as
•

Professional standards, as defined in PCAOB Rule 1001(p)(vi);

•

Rules of the PCAOB that are not professional standards; and

•

To the extent related to the obligations and responsibilities of accountants or
auditors or to the conduct of engagements, rules of the SEC, other provisions
of U.S. Federal securities law, and other applicable statutory, regulatory, and
other legal requirements.

Two commenters supported the definition as proposed. One commenter
recommended including the profession’s ethical standards explicitly. Two commenters
stated the phrase “other applicable statutory, regulatory, and other legal requirements”
could be read broadly and extend beyond regulations that directly bear on the conduct of
audit engagements. Another commenter suggested amending the definition of

“professional standards” in PCAOB Rule 1001(p)(vi) to refer to “quality control
standards” rather than “quality control policy and procedures.”
In response to comments, the Board made changes to the third, more general
clause of the definition. As one commenter suggested, the Board expanded the definition
to explicitly mention ethics laws and regulations.109 While the definition as proposed
encompassed applicable ethics requirements, the Board believes an express reference will
help to remind firms and individuals of the centrality of ethics considerations. The Board
also refined the definition to make clear that it encompasses statutory, regulatory, and
other legal requirements beyond professional standards and other PCAOB rules “[t]o the
extent related to the obligations and responsibilities of accountants or auditors in the
conduct of engagements or in relation to the QC system.” This change is designed to limit
the breadth of the definition to the relevant circumstances.
The phrase “quality control policies and procedures,” used in PCAOB Rule
1001(p)(vi), is drawn from section 110(5) of Sarbanes-Oxley. The Board believes its rule
should continue to align with that statutory provision.
This definition captures all professional and legal requirements specifically
related to engagements under PCAOB standards of issuers and SEC-registered brokerdealers, including relevant accounting, auditing, and attestation standards, PCAOB and
SEC rules, other provisions of Federal securities law, other relevant laws and regulations
(e.g., state law and rules governing accountants), applicable ethics law and rules, and
other legal requirements related to the obligations and responsibilities of accountants or
auditors in the conduct of the firm’s engagements or in relation to the QC system.110 It

These include those arising under state law or the law of other jurisdictions (e.g., obligations
regarding client confidentiality). See QC 1000 footnote 10.

For avoidance of doubt, the requirements relating to compliance with applicable professional and
legal requirements are meant to make clear that, as relates to engagements subject to PCAOB
standards, all applicable professional and legal requirements must be followed. The requirement
does not suggest that application of “other applicable statutory, regulatory, and other legal

does not encompass requirements that apply to businesses generally, such as tax laws,
safety regulations, and employment law.
2. Engagement
The proposed standard defined “engagement” as (1) any audit, attestation, review,
or other engagement under PCAOB standards performed by a firm, or (2) any
engagement in which a firm “play[s] a substantial role in the preparation or furnishing of
an audit report” as defined in PCAOB Rule 1001(p)(ii).111 In the final standard, the term
“engagement” encompasses the same scope as it did in the proposal—when the firm
leads an engagement as lead auditor or practitioner, or plays a substantial role—but the
definition has been restructured for clarity.
The final standard defines “engagement” as any audit, attestation, review, or other
engagement performed under PCAOB standards:
•

Led by a firm; or

•

In which a firm “play[s] a substantial role in the preparation or furnishing
of an audit report” as defined in PCAOB Rule 1001(p)(ii).

The definition covers not only circumstances in which the firm serves as the lead
auditor or the “practitioner” for an attestation engagement, which is what is customarily
meant by the term engagement, but also any substantial role work the firm undertakes.
The Board’s view is that this additional breadth is appropriate because playing a
substantial role in an engagement for an issuer or broker-dealer is sufficient to require a

requirements” could supersede rules of the SEC, other provisions of U.S. Federal securities law,
rules of the PCAOB that are not professional standards, or PCAOB professional standards. On the
contrary, requirements relating to “applicable professional and legal requirements” are meant to
highlight the importance of adhering to other requirements when those requirements do not
conflict with or abridge requirements of Federal securities laws, PCAOB rules, or PCAOB
standards.
Generally, and as described in more detail in Rule 1001(p)(ii), a firm plays a substantial role in the
preparation or furnishing of an audit report if (1) its engagement hours or fees constitute 20% or
more of the total engagement hours or fees or (2) it performs the majority of the audit procedures
with respect to a subsidiary or component whose assets or revenues constitute 20% or more of the
consolidated assets or revenues of the issuer, broker, or dealer.

firm to register with the PCAOB. The definition covers all engagements under PCAOB
standards performed by the firm, whether the application of PCAOB standards is legally
required (e.g., for audits of issuers and broker-dealers) or undertaken pursuant to
contractual agreement, where permitted but not required under SEC rules, or for any
other reason.
Commenters on the definition of “engagement” generally supported it. One
commenter requested clarification as to why the definition does not include work
performed at less than a substantial role, given that the standard includes requirements
regarding such work.
The Board defined “engagement” to exclude work performed on other firms’
PCAOB engagements at less than a substantial role because it believes the auditor
responsibilities associated with such work, and the risks posed by it, are materially
different than the responsibilities and risks associated with a firm leading an engagement
or playing a substantial role.112 QC 1000 contains provisions specifically applicable to
work performed on other firms’ PCAOB engagements at less than a substantial role ,
which have been tailored to reflect those responsibilities and risks. The Board believes
this tailored approach is appropriate.
Also grounded in the Board’s views on relative risk and the investor interests at
stake, the concept of “engagement” marks an important distinction in the level of
responsibility created under QC 1000: while all registered firms are required to design a
QC system that complies with QC 1000, the threshold for a firm to implement and
operate the QC system is when the firm has responsibilities under applicable professional
and legal requirements with respect to a firm engagement. The distinction between scaled

PCAOB registration rules reflect this difference in risk profile: PCAOB registration is required for
firms that lead engagements or play a substantial role in audits of issuers and broker-dealers, but
not for work performed on other firms’ engagements at less than a substantial role. See PCAOB
Rule 2100, Registration Requirements for Public Accounting Firms.

applicability under QC 1000 (for firms that do not have responsibilities with respect to
engagements) and full applicability of QC 1000 (for firms that do perform engagements)
is discussed in more detail below.
The Board notes, however, that just because work performed on other firms’
PCAOB engagements at less than a substantial role is not considered an “engagement”
does not mean it is disregarded under the QC system. This work, by itself, does not
trigger the requirement to implement and operate the QC system under QC 1000.
However, once a firm is required to implement and operate the QC system, the system
will operate over all work performed by the firm under PCAOB standards, including
work performed on other firms’ PCAOB engagements at less than a substantial role. If a
firm is required to implement and operate a QC system under QC 1000, the Board
believes that the QC system should address every engagement under PCAOB standards
in which the firm participates.
3. Firm personnel
The proposed standard defined “firm personnel” as individual proprietors,
partners, shareholders, members or other principals, accountants, and professional staff of
a registered public accounting firm whose responsibilities include assisting with: (1) the
performance of the firm’s engagements; or (2) the design, implementation, or operation
of the firm’s QC system, including engagement quality reviews. Professional staff refers
not only to employees, but also to other individuals who work under the firm’s
supervision or direction and control and function as the firm’s employees. For example,
secondees and leased staff would fall under the definition of “firm personnel.”
Two commenters agreed with the definition as proposed. Some firms and related
groups objected to including non-employee contractors and consultants as firm personnel,
in particular because they are not subject to the firm’s performance evaluation or
promotion process. These commenters suggested that such persons be classified as other

participants instead. One commenter expressed concern about potential exposure due to
the differences between QC 1000 and the definitions of employees with Federal, State,
and local tax and labor laws.
The Board continues to believe it is appropriate for the definition of firm
personnel to include individuals, such as non-employee contractors and consultants, who
work under the firm’s supervision or direction and control and function as the firm’s
employees. In light of the range of legal structures and arrangements used by firms in
acquiring and deploying staff, the Board believes a definition based exclusively on legal
employment would be too narrow. Instead, the final rule retains an approach based on the
functional role played by the individual rather than a specific legal relationship.
When the firm is identifying quality risks to quality objectives that include firm
personnel, it may identify different risks associated with non-employee contractors and
consultants than other firm personnel, and accordingly would have to develop different
policies and procedures for them. For example, non-employee contractors and consultants
may be evaluated through the contracting process to determine whether the firm should
retain them instead of through the firm’s formal evaluation framework.
While the Board expresses no view on any tax or labor law consequences, it notes
that the definition does not conflate “firm personnel” with employees. On the contrary,
the Board acknowledges that firm personnel includes some non-employees.
Some commenters, generally firms and related groups, were opposed to the
definition including anyone who “assists with” engagements or the quality control
system, as it may include administrative staff. The Board revised the definition of firm
personnel to clarify that “professional staff does not include persons engaged only in

clerical or ministerial tasks,” which aligns with the definition of “Person Associated With
a Public Accounting Firm (and Related Terms)” in PCAOB Rule 1001(p)(i).113
4. Other participants
Over the years, audits of issuers have increasingly involved the use of entities and
individuals outside the firm in performing audit procedures and evaluating audit
evidence. In the context of amending the standards governing the involvement of other
auditors in an audit, the Board discussed the increasing prevalence and importance of the
use of other audit firms and individual accountants outside the firm, such as an EQR not
employed by the firm, and the use of auditor-engaged specialists.114 While it may be
beneficial, and in many cases essential, to use other participants in some engagements,
these arrangements can pose risks because other participants may not be subject to the
same quality controls as firm personnel (for example, with regard to personnel
assignments, training, supervision, and monitoring).
With respect to work performed in connection with the firm’s QC system or the
performance of its engagements, QC 1000 defines “other participants” as accounting
firms (foreign or domestic, registered or unregistered), accountants, and other
professionals115 or organizations, other than firm personnel, whose responsibilities
include assisting with the performance of the firm’s engagements or the design,

By aligning the QC 1000 definition of “firm personnel” with the definition of “Person Associated
with a Public Accounting Firm (and Related Terms)” in this regard, the Board does not mean to
suggest that only “firm personnel” can be associated persons. “Other participants” can also be
associated persons.

See Planning and Supervision of Audits Involving Other Auditors and Dividing Responsibility for
the Audit with Another Accounting Firm, PCAOB Rel. No. 2022-002 (June 21, 2022), at 13;
Amendments to Auditing Standards for Auditor’s Use of the Work of Specialists, PCAOB Rel.
No. 2018-006 (Dec. 20, 2018), at 10-15.

In this context, “professionals” refers broadly to workers who perform other than clerical or
ministerial tasks.

implementation, or operation of the firm’s QC system, including engagement quality
reviews.116
Some commenters expressed concerns with the use of “other participants”
throughout the standard. Many commenters said the proposed responsibilities of the firm
with regard to other participants were too broad. A few commenters suggested removing
the reference to other participants from certain specified quality responses and allowing
firms to tailor their responses to quality objectives for other participants. Some
commenters were specifically concerned about the inclusion of internal auditors and
external specialists in the standard through other participants, and believe they are
adequately addressed in other standards. Some commenters argued that other participants
should not be included in another firm’s quality control system because they are covered
by their own firm’s quality control system.
Some commenters suggested bifurcating the definition into other participants
whose responsibilities include assisting with the performance of the firm’s engagements
and other participants whose responsibilities include assisting with the design,
implementation, and operation of the firm’s QC system, on the basis that this would
enhance clarity regarding to whom the requirements apply. One commenter said the
policies and procedures related to other participants would differ depending on the type
of other participant (for example, an internal auditor providing direct assistance differs
from an auditor, specialist, or engagement quality reviewer) and QC 1000 imposes the
same requirements for each type. One commenter supported the definition. One
commenter agreed with separately defining “other participants” and “third-party
providers.”

It should be noted that “referred-to auditors,” as that term is defined in the amendments to AS
2101, Audit Planning, adopted in PCAOB Rel. No. 2022-002, are not “other participants” under
QC 1000 because the referred-to auditor performs its own engagement and does not participate in
the engagement of the lead auditor.

The final standard reflects the Board’s view that, in designing, implementing, and
operating its QC system, the firm will have to address not only firm personnel but also
other auditors117 and other professionals or organizations that the firm uses in connection
with the firm’s QC system or the performance of its engagements. References to other
participants are included throughout QC 1000 in a tailored and context-specific way that
recognizes the key roles that other participants play.
The Board recognizes that some other participants may be covered by their own
firm’s quality control system, and that fact may inform the firm’s risk assessment with
respect to their participation. But the firm’s own QC system must address all the work
done on the firm’s engagements and in connection with the design, implementation, and
operation of the firm’s QC system itself, regardless of who does it.
Commenters correctly pointed out that specific performance standards exist
related to the use of certain types of other participants in an audit, such as other
auditors,118 internal auditors,119 and specialists,120 but that does not mean that QC over
their use in the firm’s engagements is unnecessary. In part, the QC system operates to
assure compliance with those specific audit standards. But it must also provide more
general assurance about the performance of audits in which those types of other
participants are involved. For example, the Board expects that the firm’s policies and
procedures would cover, if applicable, engaging specialists, determining their compliance
with ethics and independence requirements, and communicating with them as part of the
firm’s quality control system.

See AS 1205, Part of the Audit Performed by Other Independent Auditors, and AS 1201 (which
takes effect for audits of financial statements for fiscal years ending on or after Dec. 15, 2024).

See, e.g., AS 1201, and AS 1206, Dividing Responsibility for the Audit with Another Accounting
Firm.

See, e.g., AS 2605, Consideration of the Internal Audit Function.

See, e.g., AS 1210, Using the Work of an Auditor-Engaged Specialist.

The Board does not believe it is necessary for QC 1000 to bifurcate other
participants between those that participate in engagements and those that are involved
with the QC system. Just because a quality objective or other provision of QC 1000 refers
to all types of other participants in the same way does not mean that the firm should
respond by treating all types of other participants in the same way. On the contrary, the
firm’s policies and procedures addressing other participants should differentiate based on
the types and roles of other participants to the extent necessary to be responsive to the
firm’s quality risks. When designing quality responses, the firm will address the specific
risks posed by the other participants and their responsibilities within the firm’s
engagements and QC system. For example, a firm that uses a network as a resource in
many areas, such as independence tracking and monitoring, engagement performance,
information and communication, and monitoring and remediation, would have many
quality risks and quality responses related to their use of the network. A smaller firm that
only uses one individual from outside the firm as an engagement quality reviewer may
have fewer quality risks and quality responses related to other participants to address in
its quality control system.

The following diagram provides QC 1000’s definitions of “firm personnel” and
“other participants” and provides examples of each type:

As noted in the diagram, the persons performing some roles, such as an EQR or
personnel at shared service centers, may be firm personnel or other participants,
depending on their relationship to the firm. For example, an EQR employed by the firm
would be considered firm personnel, whereas an EQR contracted from outside the firm
that is not functioning as a firm employee would be an other participant. Similarly,
personnel at shared service centers may be firm personnel (if they are employed by the
firm or function as firm employees) or other participants (if they are personnel of another
organization, such as a network affiliate).
5. Networks
QC 1000 acknowledges that networks of firms may be structured in a variety of
ways and could include arrangements between firms for sharing knowledge; developing
and implementing consistent policies, tools, and methodologies; conducting multilocation engagements; or executing other types of business or administrative matters.
Through its oversight activities, the PCAOB has observed that some networks provide or
require use of a wide range of resources and services and may involve various levels of
personnel, composed of a mix of the firm’s national and local office personnel. Some
examples of resources and services that networks provide include:
•

Audit methodologies;

•

Technology tools;

•

Training;

•

Risk management activities;

•

Consultations on accounting, auditing, and SEC matters;

•

Preventive engagement-level monitoring and coaching;

•

Support for inspections; and

•

Root cause analysis and remediation.

Since networks may involve a wide variety of different arrangements and
different degrees of coordination and cooperation across firms, rather than attempting to
define the term “network,” QC 1000 describes these types of arrangements in more
general terms.121 Under the standard, networks may include a combination of registered
and unregistered accounting firms and other entities.
6. Third-party providers
Commenters on this topic supported the definition of third-party providers as
proposed.
The standard addresses resources used by the firm that are sourced from third-party
providers. Third-party providers are individuals or organizations, other than other
participants, as defined above, that provide resources to the firm that are specifically
designed for use in the performance of engagements or to assist in the operation of its QC
system.122 The following diagram provides QC 1000’s definition of “third-party

In the standard, references to a “network” encompass all of the memberships and affiliations that
registered firms must report to the PCAOB in Item 5.2 of their annual report on Form 2, including
certain networks, arrangements, alliances, partnerships, and associations. See Item 5.2, PCAOB
Form 2 (describing reporting requirements for memberships, affiliations, and similar
arrangements).

Providers of resources that are not specifically designed for use in the performance of
engagements or to assist in the operation of firms’ QC systems (e.g., general word processing and
spreadsheet software) are not “third-party providers” as the Board has defined that term.

providers” and several examples of them:

SCALABILITY
The approximately 1,600 firms registered with the PCAOB differ significantly
based on their nature and circumstances:
•

Approximately 53% of firms are located in foreign jurisdictions, representing 89
foreign jurisdictions;

•

Approximately 20% of total firms, and 40% of firms located in foreign
jurisdictions, belong to one of six global networks that contain the largest number
of registered, non-U.S. firms that share resources such as methodology and
monitoring activities123;

The six global networks that contain the largest number of registered, non-U.S. firms as reported
on Form 2s filed in 2023 are: BDO International Limited, Deloitte Touche Tohmatsu Limited,
Ernst & Young Global Limited, Grant Thornton International Limited, KPMG International
Cooperative, and PricewaterhouseCoopers International Limited (the member firms of these
networks are collectively referred to herein as “GNFs”).

•

Approximately 60 firms are sole proprietorships;

•

Approximately 650 firms, or 41% of firms, performed an engagement under
PCAOB standards for an issuer or broker-dealer during the 12 months ended June
2023;
•

Approximately 70 only played a substantial role in such engagements in the
past year;

•
•

Approximately 140 performed audits of only broker-dealers in the past year;

Approximately 130 firms that did not perform an engagement under PCAOB
standards for an issuer or broker-dealer in 2022 did perform such an engagement
in the past five years; and

•

Approximately 51% of firms have not performed an engagement under PCAOB
standards for an issuer or broker-dealer in the past five years.124
While the Board believes the basic objectives of the QC system ought to be the

same across all firms, the Board believes the QC standard needs to be appropriately
scalable, so that firms of different sizes and characteristics can appropriately design their
QC system to address the risks associated with their own practice.
The specific policies and procedures necessary to achieve the objectives of the
QC system may vary significantly across firms, depending on their size, the types of
engagements they perform, and other factors. The Board believes that QC 1000 is
sufficiently principles-based and scalable that firms will be able to pursue an approach to
QC that is appropriate in light of their specific circumstances.

The data were obtained from Audit Analytics and publicly available data from the PCAOB’s
Registration, Annual and Special Reporting (RASR) available at https://rasr.pcaobus.org. The
PCAOB does not collect information about whether registered firms perform engagements under
PCAOB standards other than for issuers and broker-dealers. Firms may be engaged, for example,
in connection with the audit of a reporting company that does not meet the Sarbanes-Oxley
definition of “issuer” described in footnote 2 above, in connection with certain offerings of
securities that are exempt from registration under the Securities Act (e.g., offerings under
Regulation A, Regulation D, or Regulation Crowdfunding), pursuant to a contractual obligation
such as a loan covenant, or on an entirely voluntary basis.

In the Board’s view, firms that perform engagements under PCAOB standards
should generally be subject to the same QC requirements. In particular, the Board does
not believe the historical distinction between firms that were members of the SECPS in
2003 and those that were not has continuing relevance in determining the QC standards
that should apply today. Accordingly, the Board eliminated that distinction. As discussed
in more detail below, QC 1000 incorporates certain SECPS requirements, making them
applicable to all firms, and eliminates others. However, the Board also believes there are
specific areas, such as firm governance, where firms with larger PCAOB audit practices
should be subject to enhanced requirements. QC 1000 includes several requirements that
apply only to the firms that meet the statutory threshold for annual PCAOB inspection.
The Board is aware that there is a significant number of registered firms that do
not perform engagements under PCAOB standards every year—they only participate in
other firms’ engagements at less than the level of a substantial role or have no
involvement in issuer or broker-dealer engagements. The Board believes that the risk to
investor protection is minimal if the firm is not performing engagements under PCAOB
standards for issuers and SEC-registered broker-dealers, and that it is appropriate to
provide for more limited QC obligations in those circumstances. Under QC 1000, all
registered firms are required to design a QC system but only firms that are subject to
applicable professional and legal requirements with respect to a PCAOB engagement are
required to implement and operate the QC system.
1. Scaled applicability vs. full applicability
The Board created a fundamental distinction in QC 1000 between the obligation
to design a QC system in compliance with the standard, which will apply to all firms,125

QC 1000.06, discussed below, sets out the requirements for QC system design.

and the obligation to implement and operate an effective QC system, which, broadly
speaking, will apply only to firms that perform engagements under PCAOB standards.
Under the standard, firms are required to implement and operate an effective QC
system—that is, comply with all provisions of QC 1000—at all times that the firm is
required to comply with applicable professional and legal requirements with respect to
any of the firm’s engagements.126
As noted above, many registered firms do not perform engagements every year.
However, a firm that is not currently performing any engagements may nevertheless have
to comply with applicable professional and legal requirements with respect to a previous
or future firm engagement. For example, procedures for the acceptance of a new
engagement have to be performed before the engagement is conducted. Responsibilities
may also arise with respect to completed engagements long after the issuance of the
auditor’s report—for example, if the issuer requests the auditor’s consent to include its
report in a registration statement, if an engagement deficiency is identified that requires
remediation, or if the auditor becomes aware of facts that may have existed at the date of
the auditor’s report which may have affected the report. In the Board’s view, whenever a
firm has responsibilities under applicable professional and legal requirements with
respect to an engagement, those responsibilities should be performed under a QC system
that is implemented, is operating, and complies with PCAOB standards.
Importantly, if a firm is required to implement and operate an effective QC
system, the firm would not necessarily have to implement and operate every QC policy or
procedure that it has designed. An effective QC system provides reasonable assurance
that the firm is complying with “applicable” professional and legal requirements. The
extent of “applicable” requirements could change depending on the firm’s circumstances,

QC 1000.07.

and the QC system policies and procedures that the firm would have to implement and
operate could change in response. For example, if a firm last performed an engagement
(as defined in the standard) five or six years ago and has no current responsibilities with
respect to any other firms’ engagements, it might be subject only to requirements
regarding the retention of certain engagement-related documentation.127 In such a
circumstance, an effective QC system—i.e., a system that provides reasonable assurance
that the firm is complying with applicable professional and legal requirements regarding
such documentation—could be scaled back to address only engagement-related
documentation retention, as well as ongoing evaluation, reporting, and documentation
requirements with respect to the QC system itself. The Board asked in the proposing
release whether it was clear how a firm’s responsibilities under QC 1000 may change
depending on the extent of applicable professional and legal requirements to which the
firm is subject at a particular time, and commenters that responded on the issue were
generally supportive.
If the firm has no more responsibilities with respect to any engagement, the firm
is required to continue operating the QC system until the next September 30 (the annual
evaluation date). This would ensure that the firm would be required to evaluate and report
on the QC system for any year during which the QC system was required to operate.128
Firms that are not subject to the requirement to implement and operate the QC
system are still subject to the requirement to design a QC system that complies with
QC 1000.129 Paragraph .06 of QC 1000, discussed below, sets out the requirements for
design of the QC system in more detail.

See AS 1215; 17 CFR 210.2-06.

QC 1000.07. The proposed requirements for evaluation of and reporting on the QC system are
discussed below.

The standard makes clear that any existing obligations under QC 1000 (for example, reporting
obligations with respect to prior periods when the firm was required to implement and operate the
QC system) would continue.

The Board believes it is appropriate to limit the application of the requirements of
QC 1000 for firms that have no obligations under applicable professional and legal
requirements with respect to firm engagements. Indeed, in those situations it is hard to
see how a firm could, as a practical matter, “implement” or “operate” its QC system.
Implementation and operation contemplate, among other things, the application of QC
policies and procedures to the firm’s engagements, monitoring of work performed on
engagements, and identification and remediation of engagement deficiencies. Without
“engagements,” as the standard defines that term, implementation and operation of a QC
system would be largely hypothetical. Moreover, the population of firms that are subject
only to the design requirements of QC 1000 is comprised entirely of firms that are not
required to be registered with the PCAOB— because they do not participate in
engagements under PCAOB standards or do so only below the level of a substantial
role.130
Many commenters, including firms and related groups, investor-related groups,
academics, and others, did not support requiring firms that are not required to comply
with applicable professional and legal requirements to design a QC system under
QC 1000. Several of these commenters expressed concerns that this would be
unnecessarily costly to those firms, or suggested that there could be challenges associated
with implementing and operating a QC system based on hypothetical risks that could
differ from the actual risks at the time the firm accepts and performs engagements
pursuant to PCAOB standards. Some commenters suggested that this requirement may
cause firms to deregister with the PCAOB, decline to assist U.S. firms in executing their
global audits, or create a potential barrier to entry for new firms in the marketplace. One

If a firm requests leave to withdraw from PCAOB registration and is permitted to do so, the firm,
upon its withdrawal from registration, would no longer be subject to an obligation to design,
implement, or operate a QC system in accordance with QC 1000.

firm-related group commented that as this aspect of the proposal affects such a large
number of firms, the potential political impacts deserve further consideration. The firmrelated group further commented that foreign firms could see this as an accelerator to a
decision to not service specific audit markets, which potentially impacts audit markets
beyond the U.S., and that policy makers in other countries may view the potential for
further market concentration more significantly.
Firms and a related group raising cost concerns with the proposed QC system
design requirements suggested allowing firms that do not perform engagements the
flexibility to design their QC system in accordance with another QC standard, such as
ISQM 1 or SQMS 1. One of these firms further suggested that firms transitioning to
performing engagements under PCAOB standards be given an additional six months to
one year from their annual evaluation date to file their Form QC for the transition period.
The firm asserted that even if a firm has complied with the design requirements,
implementing and operating a QC system that complies with the standard would involve
significant effort. Another firm suggested that it would be more appropriate to have a
transition period for the registered public accounting firm to update their system of
quality control to adhere to the incremental requirements of the PCAOB. An academic
suggested that the design requirements for firms that have not performed and do not plan
to perform engagements pursuant to PCAOB standards should be limited to client
acceptance components. One firm suggested that the standard could include a
requirement that firms are not allowed to perform an engagement under PCAOB
standards until they have designed and implemented QC 1000. Other commenters
suggested that registered firms that do not intend to conduct PCAOB audits should not be
required to do anything under QC 1000.
Other commenters suggested a variety of approaches for when firms should be
required to implement and operate a QC 1000-compliant QC system. One firm suggested

that firms that only perform a substantial role in more than a certain threshold
(presumably to be specified by the PCAOB) of PCAOB engagements could be permitted
to comply with ISQM 1instead of being subject to full applicability of QC 1000. Another
commenter suggested that smaller firms (e.g., triennially inspected firms with fewer than
100 issuer engagements) be permitted the option of complying with ISQM 1 or SQMS 1
as an alternative to QC 1000. Another firm suggested that the PCAOB should permit
non-US firms to comply with ISQM 1 rather than adopting QC 1000. Another commenter
suggested that the criteria for full applicability of the standard should be based on
whether the engagements individually or in the aggregate involve a material amount of
market capitalization. The commenter suggested that under such an approach, the
requirement to operate the QC system could be optional for registered firms auditing
companies with a smaller market capitalization.
Some commenters, including a firm, a firm-related group, and an investor,
commented that the requirement to design a QC 1000-compliant QC system is
appropriate for any registered firm, even if it is not performing engagements or playing a
substantial role in other firms’ engagements. One firm-related group agreed that
whenever a firm has responsibilities under applicable professional and legal requirements
with respect to an engagement, those responsibilities should be performed under a fully
implemented and operating QC system that complies with PCAOB standards. However,
the commenter asked for clarification on the circumstances that trigger the need for a firm
to implement and operate a QC system in compliance with QC 1000, and suggested
targeted guidance in that area would be helpful.
The Board continues to believe that requiring all registered firms to design a QC
system that complies with the standard, regardless of whether they have obligations with
respect to engagements, is consistent with the PCAOB’s statutory mandate and historical
practice. Sarbanes-Oxley directs the PCAOB to include in its QC standards requirements

related to numerous topics for “every” registered public accounting firm.131 The statute
also directs the PCAOB that applications for registration with the PCAOB must contain
“a statement of the quality control policies of the [applicant] for its accounting and
auditing practices.”132 Consistent with that directive, as a condition to registration,
applicants are required to furnish “a narrative, summary description, in a clear, concise
and understandable format, of the quality control policies of the applicant for its
accounting and auditing practices, including procedures used to monitor compliance with
independence requirements,”133 and that description must provide an overview of the
applicant’s quality control policies regarding each element of quality control.134
Therefore, firms that register with the Board are already required to provide a summary
of the design of their QC system regardless of whether they have obligations with respect
to engagements.135
The Board also believes that requiring all firms to design a QC system that
complies with all provisions of QC 1000, and not just limiting the requirement to certain
components such as acceptance and continuance of engagements, is consistent with its
investor protection mandate. While the Board acknowledges that there could be
challenges associated with implementing and operating a QC system based on
hypothetical risks, it continues to believe that it is important for registered firms to design

Section 103(a)(2)(B) of Sarbanes-Oxley, 15 U.S.C. 7213(a)(2)(B).

Section 102(b)(2)(D) of Sarbanes-Oxley, 15 U.S.C. 7212(b)(2)(D).

Item 4.1 of PCAOB Form 1 (“Applicant’s Quality Control Policies”). The Board modified the
information about QC required in Form 1. See below.

See Frequently Asked Questions Regarding Registration with the Board, PCAOB Rel. No. 2003011F (Dec. 4, 2017) (Question #32), available at https://pcaob-assets.azureedge.net/pcaobdev/docs/default-source/registration/information/
documents/registration_faq.pdf?sfvrsn=c50d7356_0. As part of this rulemaking the requirements
in Form 1 are being amended.

In a separate rulemaking, the Board proposed to create a new form, Form QC – Policies and
Procedures (“Form QCPP”), to require that, once QC 1000 becomes effective, any firm that
registered with the Board prior to the date that QC 1000 becomes effective must submit an
updated statement of the firm’s quality control policies and procedures pursuant to QC 1000. See
Firm Reporting, Rel. No. 2024-003 (Apr. 9, 2024) at 41.

a QC system based on the quality risks the firm likely would face if it were to perform
engagements. Because registering with the PCAOB enables a firm to issue audit reports
or play a substantial role on audits performed under PCAOB standards for issuers and
broker-dealers, and because investors and companies considering engaging the firm could
reasonably expect that any firm that could pursue such an engagement would already
have a PCAOB-compliant QC system designed and ready for implementation and
operation, the Board believes that imposing a design requirement on all registered firms
promotes its mission of protecting investors and promoting the public interest.
As discussed in more detail below, QC 1000 includes requirements that do not
appear in other QC standards or that are more prescriptive or more specifically tailored to
the PCAOB’s legal and regulatory environment than the provisions of ISQM 1 or SQMS
1. Because of these key differences, the Board does not believe that a QC system design
based on ISQM 1 or SQMS 1, as suggested by some commenters, would be sufficient.
Furthermore, the Board believes that compliance with ISQM 1 may not be the regulatory
baseline within certain jurisdictions. The PCAOB has observed other standard setters and
regulators adopt variations of ISQM 1, which typically include more detailed and
stringent requirements.136 Therefore, the Board believes that audit firms within some
jurisdictions will already have to design and operate a QC system that goes beyond the
requirements of ISQM 1, and it would not be appropriate for the Board to permit
compliance with a less stringent quality system than the one required in the local
regulatory environment. Similarly, the Board does not believe that it would be
appropriate for it to permit firms to comply with their locally applicable variation of
ISQM 1 as this would result in the PCAOB requiring and managing compliance with a
multitude of different QC standards.

See, e.g., International Standard on Quality Management (UK) 1, adopted by the Financial
Reporting Council (March 2023).

The Board also continues to believe that, whenever a firm has responsibilities
under applicable professional and legal requirements with respect to a firm engagement,
those responsibilities should be performed under a QC system that is implemented, is
operating, and complies with PCAOB standards. Given the unique features of QC 1000,
compliance with ISQM 1 or SQMS 1 would not, in the Board’s view, be an adequate
substitute, nor would the Board’s regulatory purposes be served by providing firms with
an extended compliance period after they take on an engagement.
The Board does not believe that this requirement will result in disruption to
competition in the audit market. Firms that are subject to applicable professional and
legal requirements with respect to engagements, including substantial role engagements,
are required to implement and operate a QC 1000-compliant QC system. If a registered
firm that has not led an engagement or played a substantial role in the past anticipates the
possibility of transitioning to performing engagements, the Board believes the
requirement to design a QC system that complies with QC 1000 will facilitate timely
implementation and operation of their QC 1000 QC system, which will in turn facilitate
appropriate performance of the engagements; appropriate monitoring and, if necessary,
remedial action; and timely evaluation and reporting on Form QC.137 QC 1000 shares a
basic structure and approach with ISQM 1 and SQMS 1, so designing for the incremental
features unique to QC 1000 should not be unduly burdensome for firms that are subject to
either or both of those other QC standards (which the Board believes will be the case for
a very substantial majority of firms that are in a position to perform PCAOB
engagements).138

The Board understands that the actual quality risks the firm faces when it takes on an engagement
may differ from the hypothetical risks considered in designing the QC system. QC 1000 requires
the firm to establish policies and procedures to monitor, identify, and assess changes to conditions,
events, and activities that indicate modifications to the firm’s quality objectives, quality risks, or
quality responses may be needed, and to make timely modifications as needed. See QC 1000.2223.

See Section D.

The Board does not believe that QC 1000 conflicts with the requirements of other
standard setters or that anything prevents firms from developing a single QC system for
their entire practice that satisfies both PCAOB requirements and other professional
standards to which the firm is subject. The Board acknowledges certain differences
between QC 1000 and the quality management standards set by other standard setters, in
particular areas where QC 1000 establishes additional or more stringent requirements.
However, the Board believes that quality responses developed by firms under QC 1000
can be considered by firms for the purposes of other quality management standards to

which they are subject, reducing the need for two or more separate QC systems.

Firms participating in a PCAOB engagement below the level of a substantial role
do not require registration with the PCAOB. If such a firm does not lead and does not
plan to lead engagements or play a substantial role in engagements pursuant to PCAOB
standards, then the Board believes that the firm should assess whether the costs of

complying with the design requirement are commensurate with their perceived benefit of
being registered with the PCAOB.
2. Other scalability considerations
Aspects of QC 1000 are risk-based, which makes them inherently scalable. Firms
are required to apply a risk-based approach to the design, implementation, and operation
of the QC system in the context of their own audit practice. The standard provides that
the firm will tailor the design of its QC system to its specific facts and circumstances,
such as:
•

The size and complexity of the firm;

•

The types and variety of engagements it performs;

•

The types of companies for which it performs engagements; and

•

Whether it is a member of a network and, if so, the nature and extent of the
network relationship.
Several commenters, including firms and a firm-related group, suggested that the

proposed standard was too prescriptive. Many of these commenters suggested that, to
promote further scalability, specified quality responses could be replaced with quality
objectives to allow each firm to develop quality responses appropriate to the
circumstances and risks for their firm. One of these firms stated that it disagreed with the
notion in the proposing release that a specified quality response suggests that every firm
has the same or similar quality risks and that the responses to those risks will also be the
same or similar. Another firm suggested that the specified quality responses make the
standard inherently less scalable and could be a barrier to entry for smaller firms. The
firm further suggested that an overreliance on specified quality responses could
discourage firms from performing robust risk assessments and developing tailored quality
responses. Other commenters also suggested that more scalability could be incorporated
into the standard through consideration of concepts such as professional judgment,

relevance, or reliability. Some commenters suggested that further alignment of QC 1000
to ISQM 1 or SQMS 1 would promote further scalability. One firm stated that the
standard was overly prescriptive and suggested that specific guidance be provided to
small and medium-sized firms focused on operationality of the standard. Several
commenters expressed concern that the prescriptive nature of QC 1000 would negatively
affect smaller firms.
As discussed above, some specified quality responses carry requirements from
current PCAOB standards into QC 1000, while others provide new requirements that the
Board believes are important to a firm’s QC system. The Board believes that this
approach is appropriate and that the specified quality responses are required to address
certain quality risks that are present in all firms that perform PCAOB engagements and to
assure that the QC system is designed, implemented, and operated with an appropriate
level of rigor. The inclusion of specified quality responses in the standard should not be
interpreted to suggest that the Board believes all firms have the same or similar quality
risks overall; the specific risks addressed by specified quality responses are likely a small
subset of the overall population of quality risks identified by a firm, and the Board
expects potentially wide variation in the full set of risks faced by different firms.
The Board believes that the standard incorporates the concepts of professional
judgment, relevance and reliability where it is appropriate, for example, in the ability to
exercise professional judgment in the determination of whether a major QC deficiency
exists, or the discussion in the information and communication component noting that
information would have to be both relevant and reliable such that it supports the
operation of the firm’s QC system and the performance of the firm’s engagements in
accordance with applicable professional and legal requirements. The Board continues to
believe that the inclusion of prescriptive requirements in certain areas promotes its
mission of protecting investors and promoting the public interest.

An investor-related group commented that it supports a risk-based approach up to
a point, but it expressed concern that the standard placed too much emphasis on
scalability and recommended the development of a set of minimum requirements for the
establishment of quality control systems. Another commenter stated that the PCAOB
should not let scalability concerns get in the way of driving change and improving
quality, further suggesting that smaller-firm considerations should not get in the way of
doing the right thing for the largest audit firms. One commenter suggested more specific
requirements relating to the audits of broker-dealers, commenting that a high deficiency
rate in broker-dealer audits suggests the need for more specific requirements with respect
to audits of broker-dealers, such as requirements for specific expertise in the conduct of
broker-dealer audits, or, to the extent that the broker-dealer is a subsidiary of an issuer,
requirements relating to coordination between the broker-dealer audit team and the audit
team of the issuer parent company.
The final standard establishes a set of minimum requirements that all firms must
follow in the establishment of their QC system. As discussed in more detail below, while
QC 1000 provides some flexibility with regard to the quality risks that firms identify and
the quality responses that firms develop to address those risks, it does not provide the
same flexibility with regard to quality objectives or specified quality responses. Instead,
quality objectives and specified quality responses that will apply to all firms are specified
in the standard. Firms can establish additional quality objectives—indeed, they are
required to do so if necessary to achieve the reasonable assurance objective—but they
generally cannot omit or modify any of the quality objectives or specified quality
responses set out in the standard.
Within a uniform basic structure to be used by all firms, QC 1000 reflects a riskbased, scalable approach, particularly in the risk assessment process and the monitoring
and remediation process. The nature and extent of these processes would be

commensurate with the firm’s quality risks and would therefore vary across firms in
nature, scope, and complexity. The Board believes it is crucial that the standard be
scalable so that firms of different sizes and characteristics can appropriately design their
QC system to address the risks associated with their own practice, including specific risks
relating to the types of companies that they audit, such as broker-dealers. The Board
believes that an appropriate balance between quality objectives and specified quality
responses is the best approach to improve quality across firms of all sizes that perform
engagements pursuant to PCAOB standards, whether these be issuer or broker-dealer
engagements. Similarly, the form, content, and extent of required documentation related
to the QC system will be driven by a firm’s nature and circumstances. QC 1000 contains
both provisions that scale down, by tailoring for smaller PCAOB audit practices, and
provisions that scale up, by focusing on risks faced by the largest firms.
Some provisions of QC 1000 focus particularly on firms with a smaller PCAOB
audit practice. These include:
•

Depending on the nature and circumstances of the firm (including its size and
structure), a single individual may be assigned more than one of the QC system
oversight roles required under the standard; and

•

If the firm issued engagement reports with respect to five or fewer engagements
for issuers, brokers, and dealers during the prior calendar year, engagement
monitoring activities may include monitoring audits not performed under PCAOB
auditing standards. For firms with this number of engagements performed under
PCAOB standards, the Board understands that requiring a firm to annually
monitor its engagements that are performed under PCAOB standards increases the
likelihood of the same partner being inspected every year under QC 1000. The
Board believes this could disincentivize partners from serving as the engagement
partner and ultimately affect competitive conditions in the market.

Other provisions of QC 1000 impose incremental requirements on firms that
issued audit reports for more than 100 issuers in the prior calendar year, including:
•

An external oversight function for the QC system composed of one or more
persons who are not partners, shareholders, members, other principals, or
employees of the firm;

•

A program for collecting and addressing complaints and allegations that includes
confidentiality protections;

•

An automated system for identifying investments in securities that might impair
independence; and

•

A requirement to perform in-process monitoring of engagements.
These incremental requirements specifically target and respond to potential

quality risks that the Board believes are more likely to arise in audit practices of a certain
size and complexity. Firms that audit fewer than 100 issuers may still determine that the
incremental requirements are an appropriate quality response for quality risks that they
have identified specific to their firm, but these are not mandatory for these smaller
PCAOB audit practices to promote scalability of the standard.
Several commenters, including firms, suggested that the threshold for any
incremental requirements be raised to 500 issuers, to align with the existing SECPS
requirement that firms that audit more than 500 SEC registrants have an automated
system to identify investment holdings of partners and managers that might impair
independence.139 One of these firms also suggested a dual-threshold approach that would
consider both the number of issuers audited and the market capitalization of the issuers.
Two commenters, including an investor-related group and an academic, suggested that
there should not be a threshold for incremental requirements, and all requirements of the

See SECPS 1000.46 (requirement 4).

standard should apply to all firms regardless of the size of the firm. The academic
suggested that the incremental requirements may give rise to actual or perceived
differences in audit quality between larger audit firms that issue audit reports for more
than 100 issuers and smaller audit firms that issue audit reports for fewer than 100
issuers. One firm suggested that the incremental requirements only apply to those firms
subject to annual inspection under the PCAOB’s rules (in case the 100-issuer threshold
for regular inspection in Rule 4003, Frequency of Inspections, ever were changed), and
another firm suggested that these should only apply to the top six firms.
Two investor-related groups suggested that if the final standard does include a
threshold for certain incremental requirements, the threshold should relate to the market
capitalization of the issuers that the firm’s audit practice covers rather than the number of
issuer audit reports the firm issues. Other commenters were also supportive of a market
capitalization-based threshold.
Several commenters suggested that the nature of the firm’s audit practice be taken
into consideration when determining the applicability of the incremental requirements,
and that just looking to the number of issuers may not be an appropriate measure for the
size or complexity of the audit practice. One commenter suggested that the proportion of
the PCAOB audits to the size of the practice within a firm is also a relevant factor to
consider. Some commenters suggested that imposing a threshold of 100 issuers could
impose a barrier to entry for firms that wish to expand their audit practices beyond 100
issuers and, as a result, firms may manage their practice to stay below the 100-issuer
threshold.
The Board believes that requiring certain incremental requirements of firms with
larger PCAOB audit practices is appropriate and that the complexities inherent to large
and complex firms are likely to give rise to quality risks for which the incremental
requirements would be appropriate quality responses. Based on the comments received,

the Board considered whether alternative measures could be used that looked to the
nature and complexity of the issuers being audited, for example, through a market
capitalization-based threshold. The Board believes it is appropriate to retain the threshold
as proposed, based on the size of a firm’s issuer audit practice rather than referencing the
size of the companies subject to audit by the firm.
In general, the Board believes that the number of issuers is the most indicative
measure of a firm’s size and the complexity of its audit practice. Under a market
capitalization measure, a firm that audits a single very large issuer could look like a large
firm, but its practice may well be less complex than a firm that audits a large number of
small issuers. The incremental requirements in QC 1000 respond to specific issues or
risks—firm governance, confidential handling of complaints and allegations, tracking
investments that may bear on independence, and monitoring of in-process
engagements—that the Board believes are more significant in complex practices handling
large numbers of engagements. Therefore, the threshold was adopted as proposed.
In addition, the Board believes that larger PCAOB audit practices that audit a
greater number of issuers are more likely to have the resources to be able to effectively
comply with the incremental requirements at a level commensurate to the risk.
The Board also believes that firms are familiar with the proposed threshold of
issued audit reports for more than 100 issuers, because it is used to determine which firms
are subject to annual PCAOB inspection.140 The Board does not believe it to be
appropriate to increase the threshold to 500 issuers or to specifically limit the
requirements to certain firms. The Board believes that firms that audit between 100 and
500 issuers are sufficiently large such that potential quality risks may arise as a result,
and that the incremental requirements would be responsive to these risks.

See section 104(b)(1)(A) of Sarbanes-Oxley, 15 U.S.C. 7214(b)(1)(A); PCAOB Rule 4003,
Frequency of Inspections.

Several commenters suggested that a cut-off date for the measurement of the size
of the firm’s issuer practice relative to the 100-issuer threshold, and a related transition
period after a firm passes the 100-issuer threshold, be specified in the standard to allow
time for firms to implement the incremental requirements. One of these commenters
specifically requested consideration of the effective date for the implementation and
operation of the incremental requirements if, because of a merger or acquisition, the
resultant firm performs audits of more than 100 issuers.
The standard specifies a measurement cut-off date for the 100-issuer threshold of
the prior calendar year-end. Therefore, if a firm has issued audit reports with respect to
more than 100 issuers in the period January 1 to December 31, in any given year, the firm
must implement the incremental requirements beginning the following January 1 and
evaluate compliance with the incremental requirements as of the following September 30.
The Board believes that firms continuously track the size of their issuer audit practice for
the purpose of monitoring the threshold for annual inspection by the PCAOB. Therefore,
prior to the calendar year-end measurement cut-off date, the Board expects that firms
should have an informed view as to whether they will need to design, implement, and
operate the incremental requirements for the following year. Similarly, the Board
believes that a merger or acquisition between firms would take time to finalize such that
the firms would have an informed view of whether the incremental requirements would
be applicable to the successor firm, providing additional time for the firms to design,
implement, and begin operating the incremental requirements. In addition, the Board does
not believe that it is appropriate or consistent with its investor protection mandate to
allow a firm that audits over 100 issuers to not operate the incremental requirements
beginning the calendar year following the date of the merger or acquisition if that merger
or acquisition resulted in the firm auditing more than 100 issuers. The Board believes that
specific quality risks could arise as the result of a merger or acquisition; for example, a

sudden increase in the size of the firm could exacerbate the potential quality risks that
exist as a result of a firm’s size, to which the incremental requirements would be
responsive. Furthermore, there is nothing in the standard that prevents firms from
implementing the incremental requirements earlier than required, if they believe it to be
likely that the threshold will be met.
QC 1000: A FIRM’S SYSTEM OF QUALITY CONTROL
INTRODUCTION
This section describes the requirements of QC 1000 and highlights the key
differences between the final standard and current QC standards. Terms defined in
Appendix A to QC 1000, Definitions, are italicized throughout QC 1000.
The introduction section of the standard sets up the structure for providing the
standard’s requirements. Paragraphs .01-.02 describe the risk-based approach to the
firm’s QC system and acknowledge the important role of the QC system—supporting
consistent performance of engagements in accordance with applicable professional and
legal requirements—in protecting investors through the preparation of informative,
accurate, and independent engagement reports. To emphasize the auditor’s role in
investor protection, the Board added language to the final standard reminding auditors
that the firm’s QC system enhances investors’ ability to rely on engagement reports. The
Board also reversed the order of paragraphs .01 and .02 to improve flow.
One commenter suggested a risk-based approach to quality control with minimum
requirements integrated into it, instead of a purely risk-based approach. The Board agrees
that a purely risk-based approach would be inappropriate. As proposed and as adopted,
QC 1000 is not a purely risk-based standard. It establishes mandatory quality objectives
that every firm is required to achieve; lays out detailed, required processes for risk
assessment, monitoring and remediation, and annual evaluation of the QC system;
requires specified quality responses in many areas; and fosters accountability and rigor

through mandated key roles for the QC system with specified individual responsibility
and accountability and required reporting to the PCAOB.
THE FIRM’S QC SYSTEM
1. QC 1000
a. Objective of the QC system (QC 1000.05)
The proposal asked if the reasonable assurance objective was appropriate and if
there were additional objectives that the QC system should achieve. Many commenters,
including firms, supported the reasonable assurance objective and did not support
additional objectives for the QC system.
Some commenters, including investors and investor-related groups, said there
should be an explicit acknowledgement that auditing serves a public purpose and that the
system of quality control therefore should serve investors. Other investors and investorrelated groups suggested that the quality control system should seek a higher performance
standard than mere compliance. Two commenters suggested that the objective should be
expanded, so that in addition to complying with applicable professional and legal
requirements, engagements should be performed in a manner that is responsive to the
needs of investors by ensuring high-quality financial reporting. Another suggested that
the foundation of the system should promote high-quality and “useful” financial and nonfinancial information and achieve a high level of transparent financial reports. The
commenter also suggested removing the qualifier “reasonable” and emphasizing that the
term “assurance” refers to a high level of assurance.
The Board agrees with these commenters that QC 1000 should frame auditor
responsibilities in terms of investor protection, and revised paragraph .05 to reinforce
that, as discussed in more detail below. The Board also considered broadening the
objective of the QC system beyond compliance in a number of ways, as suggested by
commenters.

For example, the Board considered adding explicit references to “investor needs”
to the QC system objective. However, the Board are concerned that the concept of
“investor needs” is too vague and indefinite to be interpreted consistently as an objective
of the QC system. Consistent with the reasonable assurance objective, the Board believes
that all investors want informative, accurate, and independent engagement reports. But
beyond that, investors are not monolithic and may have different preferences. For
example, the needs of a large institutional investor with an actively managed portfolio are
different from those of a retail investor holding index funds. Investor needs could also
vary across issuers and different types of financial instruments, as well as with changes in
market conditions. As a result, the Board does not believe that a QC system objective that
was expressly phrased in terms of satisfying “investor needs” would be capable of
consistent interpretation or would provide firms with sufficient notice or direction about
the conduct required of them.
The Board believes that “high-quality” and “useful” financial reporting suffer
from the same issues. These terms are subjective, indefinite, and would mean different
things to different financial statement users and in different situations. In addition,
grounding auditor obligations in the quality or utility of financial reporting risks
conflating the role of the auditor with the role of the preparer. The fundamental
responsibility for financial reporting lies with the company. The auditor enhances
investors’ ability on company financial information through the preparation and issuance
of informative, accurate, and independent engagement reports, but the company prepares
the financial statements and retains ultimate responsibility for them.
The Board considered one commenter’s suggestion of phrasing the objective in
terms of “assurance,” rather than “reasonable assurance.” However, the Board believes
that this would weaken, rather than strengthen, the standard, in that it could be read to
suggest that any level of assurance, even if less than reasonable assurance, would be

appropriate. As proposed, the final standard includes a note emphasizing that reasonable
assurance is a high level of assurance.
Accordingly, the Board has not revised the objective of the QC system as these
commenters suggested. The Board continues to believe that investor needs will be best
served through an objective that is grounded in auditors’ existing obligations and can be
interpreted clearly and applied consistently. Auditor obligations under applicable
professional and legal requirements address investors’ fundamental priority: that the
financial statements be free of material misstatement. They also clearly delineate what
conduct is required, which enables both the Board and the firms that the Board regulates
to interpret and apply them on a consistent basis.
The Board has, however, made revisions to paragraph .05 that the Board believes
will be clarifying. The final rule specifies expressly that the firm’s objective is to design,
and if applicable, implement and operate an effective QC system. Further, although the
Board concluded that it could not express the objective of the QC system in such terms,
the Board does believe firms should be prompted to remember their critical role in
investor protection. With that in mind, the Board revised paragraph .05 to explicitly
acknowledge that a properly conducted engagement and related report enhance the
confidence of investors and other market participants in the company’s information to
which the firm’s report relates. The Board also revised the paragraph to remind auditors
that an effective QC system protects investors by facilitating the consistent preparation
and issuance of informative, accurate, and independent engagement reports in accordance
with applicable professional and legal requirements.
Paragraph .05 specifies that an effective QC system consistently provides a firm
with reasonable assurance that the firm, each member of firm personnel, and each other
participant conduct each engagement and fulfill their other responsibilities in compliance
with applicable professional and legal requirements, and that each engagement report

issued by the firm complies with applicable professional and legal requirements. The
Board revised the provision to refer to “each member of” firm personnel, “each” other
participant, “each” engagement, and “each” engagement report. This change clarifies that
the QC system provides reasonable assurance, not just over the pool of firm personnel,
the pool of other participants, and the portfolio of engagements, but over each individual
and each engagement. The objective is still reasonable assurance, not absolute assurance.
But an effective QC system has to be designed, implemented, and operate in such a way
that the firm has reasonable assurance that each individual who performs work on behalf
of the firm and each engagement the firm undertakes will comply with applicable
professional and legal requirements.
One commenter asserted that some prescriptive aspects of the standard result in
absolute assurance instead of reasonable assurance. The Board disagrees, as it believes
this is a misunderstanding of the standard. Specifically, the reasonable assurance
objective under QC 1000 is broadly consistent with the Board’s current QC standards, as
well as ISQM 1 and SQMS 1, all of which contemplate that the system of QC should
provide reasonable assurance.141 The Board believes that the combination of quality
objectives and specified quality responses in QC 1000 establishes a balance between
prescriptive requirements and a risk-based approach that contributes to the firm obtaining
reasonable assurance, but does not require absolute assurance. Of course, nothing
precludes a firm from going beyond the requirements in QC 1000 when designing its QC
system.
One commenter suggested that the concept of reasonable assurance was not clear
and could be clarified by retaining a footnote from QC 20 that reinforces that deficiencies
in individual engagements do not, in and of themselves, indicate a firm’s quality control

See ISQM 1.14; SQMS 1.15.

system is insufficient to provide reasonable assurance. The Board has not retained that
footnote. The concept of reasonable assurance should be familiar to auditors; it is a basic
concept under the Board’s current standards and the Board believes it can be interpreted
and applied consistently. In addition, in light of QC 1000’s detailed process for the
evaluation of the QC system, including the new defined terms “QC deficiency” and
“major QC deficiency,” discussed below, the Board does not believe such a footnote is
necessary. Under QC 1000, firms will determine whether the QC system meets the
reasonable assurance objective by determining whether any “major QC deficiencies”
exist. The existence of major QC deficiencies indicates that the QC system does not
provide reasonable assurance, whereas the existence of QC deficiencies that do not meet
the definition of major QC deficiency does not. Since that conclusion is apparent from
the definitions, the Board does not believe that the existing footnote is needed.
The “reasonable assurance objective” of the firm’s QC system is similar to the
objective of the QC system under existing PCAOB standards, except that the current
standard requires reasonable assurance as to compliance with applicable requirements
and “the firm’s standards of quality” (i.e., the firm’s policies and procedures),142 whereas
QC 1000’s reasonable assurance objective refers only to applicable requirements. This
change reflects the different role played by firm policies and procedures under the
Board’s current QC standards compared to QC 1000. Firm policies and procedures are
the linchpin of current PCAOB QC standards: Most of the Board’s current QC standards
simply require firms to establish, communicate, document, and monitor specified policies
and procedures. Policies and procedures also play an important role under QC 1000, but
they would have a different context because of the significant differences in the way in
which the standard is structured.

See QC 20.03; QC 20.17.

QC 1000 is grounded in the firm’s risk assessment process, whereby the firm’s
quality objectives and the risks to achieving them are identified and addressed by the firm
in an ongoing, structured fashion. This risk assessment process drives how the firm
develops and refines its policies and procedures; the “quality responses” are designed and
implemented to address quality risks. As such, policies and procedures are a means to an
end—addressing quality risks—rather than an end in themselves. QC 1000 provides more
detailed requirements regarding the structure, scope, and functioning of the firm’s QC
system, particularly in the monitoring and remediation component, than the Board’s
current QC standards.
This does not mean that firms’ QC policies and procedures are no longer
important. On the contrary, they are critical to addressing quality risks and thereby
achieving quality objectives and the reasonable assurance objective. However, firms may
no longer rely on simply promulgating policies and procedures as the central, and
sometimes only, component of their QC system. Compliance with the QC standard
ultimately is based on whether the firm has met its quality objectives and the reasonable
assurance objective—which are driven by whether the firm’s policies and procedures
have in fact been effective in addressing quality risks—and on whether the firm has
complied with the requirements of the standard in the design, implementation, and
operation of the QC system. Another commenter suggested that the QC system should
not address firm policies and procedures that go beyond applicable professional and legal
requirements, on the basis that it might undermine investor protection by disincentivizing
firms from developing policies and procedures that go beyond what is required. For the
reasons discussed above, the Board has not included policies and procedures in the
reasonable assurance objective. However, because policies and procedures play an
important role in the firm achieving the reasonable assurance objective, the Board has

determined that some quality objectives have to incorporate compliance with firm
policies and procedures as well as applicable professional and legal requirements.
The reasonable assurance objective also reflects the view that the purpose of the
QC system is to drive overall compliance by the firm, each member of firm personnel,
and each other participant with applicable professional and legal requirements, and not
necessarily to drive more narrow compliance with firm policies and procedures.
Under QC 1000, the reasonable assurance objective of the firm’s QC system is
generally consistent with the objective of the QC system under the Board’s existing QC
standards but, in addition to the changes discussed above, it places more emphasis in
three key areas:
•

Expressly reminding auditors that an effective QC system protects investors by
facilitating the consistent preparation and issuance of informative, accurate, and
independent engagement reports;

•

Specifying that responsibilities be fulfilled not only with respect to professional
standards, but also with respect to legal requirements to the extent they apply
(e.g., SEC and PCAOB rules, other provisions of U.S. Federal securities law, and
other applicable legal and regulatory requirements); and

•

Expressly mentioning compliant engagement reporting (an existing responsibility
under PCAOB standards), given the explicit reference to audit reports in
Sarbanes-Oxley.143
Responsibilities in this context include all responsibilities that are subject to

applicable professional and legal requirements—for example, in relation to the firm’s
engagements, work the firm does on other firms’ engagements, training, independence
monitoring, and other activities that are part of or subject to the firm’s QC system.

See, e.g., section 103(a)(1) of Sarbanes-Oxley, 15 U.S.C. 7213(a)(1); section 103(a)(2)(B) of
Sarbanes-Oxley, 15 U.S.C. 7213(a)(2)(B).

In addition, the objective covers the activities of a broader group than current
standards. It applies not only with respect to firm personnel and other auditors, but also to
other participants involved in the firm’s engagements and QC activities whose work is
performed at the direction of the firm. As discussed above, the Board believes that
QC 1000 should reach such other participants in light of, among other things, the
increasing prevalence and importance of the use of professionals and organizations
outside the firm, such as auditor-engaged specialists and service centers, in audits
performed under PCAOB standards. Many commenters, generally firms and related
groups, expressed concern about the inclusion of other participants in the reasonable
assurance objective. The Board believes that the firm’s own QC system must address all
the work done on the firm’s engagements and in connection with the design,
implementation, and operation of the firm’s QC system, regardless of who does it. The
reasonable assurance objective in QC 1000 appropriately reflects that scope.
b. Requirements to Design, Implement, and Operate a QC System (QC 1000.06.07)
QC 1000 requires all firms to design a QC system that complies with the standard.
This entails assigning QC-related roles and responsibilities as provided in paragraphs .10.17; establishing quality objectives, at least annually identifying and assessing quality
risks to the achievement of those objectives, and designing quality responses to address
those risks, as provided in paragraphs .18-.57; designing a monitoring and remediation
process that, upon implementation, would comply with paragraphs .58-.76; and
documenting the design of the QC system as provided in paragraphs .81-.86. The design
of the QC system is based on the quality risks the firm likely would face if it performed
engagements.
The PCAOB received a significant volume of comments on this aspect of the
proposal, which is discussed above. In addition, one commenter suggested emphasizing

the concept of professional judgment by incorporating it in paragraph .06 or .07 and
defining it in Appendix A of QC 1000. It is true that under QC 1000, judgment may have
to be exercised in areas of the QC system, such as assessing risk and evaluating QC
deficiencies. However, the basic approach of QC 1000, which specifies quality objectives
to be achieved through specified risk assessment and monitoring and remediation
processes, is outcome-based and not simply a matter of professional judgment. Moreover,
under paragraph .10, all activities related to the QC system must be performed with due
professional care. This means that even in judgmental areas, professional judgment is not
unbounded; individuals must exercise professional skepticism and use the requisite
knowledge, skill, and ability to diligently (and in good faith and with integrity) obtain and
objectively evaluate information. Accordingly, the Board adopted these requirements as
proposed.
In addition to the obligation to design the QC system, firms are required under
paragraph .07 to implement and operate an effective QC system (i.e., comply with all
provisions of the standard) at all times that the firm is required to comply with applicable
professional and legal requirements with respect to any of the firm’s engagements.144
This would occur, for example, whenever the firm has responsibilities with respect to the
acceptance of an engagement, the performance of an engagement, remediation of
deficiencies in an engagement, or matters associated with an engagement that arise or
continue after issuance of the engagement report, such as retention of audit
documentation, issuance of reports included in Securities Act filings (including consent
to the inclusion of such reports),145 other engagement deficiencies,146 and subsequently

Note, however, that the firm would not necessarily have to implement and operate every QC
policy and procedure it has designed. See Scalability above.

See AS 4101, Responsibilities Regarding Filings Under Federal Securities Statutes.

See AS 2901. The Board amended AS 2901 in connection with this rulemaking to expand auditor
responsibilities with respect to engagement deficiencies. See Amendments to AS 2901,

discovered facts.147 Once a firm no longer has any responsibilities under applicable
professional and legal requirements with respect to any firm engagements, the firm will
be required to continue operating the QC system until the next September 30 (the next
date as of which the firm is required to evaluate the QC system). This ensures that the
firm will evaluate and report on the QC system for any year during which the QC system
was required to operate.148
Note that firms may not have lengthy advance notice before responsibilities arise
under applicable professional and legal requirements with respect to an engagement. For
example, a firm may be contacted by an affiliated firm to play a substantial role in an
engagement or may be asked to consent to the inclusion of a previously issued audit
report in the registration statement of a company previously audited by the firm. Under
the standard, registered firms will have to stand ready to have their QC system
implemented and operating over such responsibilities whenever they arise.
Although all PCAOB-registered firms are required to design a QC system that
complies with the standard, the obligation to implement and operate that system applies
only when the firm is required to comply with applicable professional and legal
requirements with respect to the firm's engagements. Implementing and operating a QC
system means that assigned personnel are fulfilling their QC-related roles and
responsibilities under QC 1000, the relevant quality responses (i.e., policies and
procedures) and monitoring and remediation process that the firm has designed are
operational, and the firm is documenting the implementation and operation of its QC
system. As noted above in the discussion of scalability, the scope of the QC system is
driven by the professional and legal requirements that apply to the firm and its

Consideration of Omitted Procedures After the Report Date, and Related Amendments below for
additional discussion.
See AS 2905, Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report.

The requirements for evaluating and reporting on the QC system are discussed below.

engagements and the relevant risks, which may vary depending on the nature and extent
of the firm’s practice.
The standard also makes clear that existing obligations under QC 1000, such as
the obligation to evaluate and report on the QC system for periods in which the QC
system was required to be implemented and operating, are not extinguished when a firm
transitions from full applicability to scaled applicability.
As discussed in more detail above, the Board’s view is that requiring all registered
firms to design a QC system that complies with QC 1000 is consistent with the PCAOB’s
statutory mandate, historical practice, and investor protection mission, and that scaling
back obligations under QC 1000 to the design of the QC system, as described under
paragraph .06, is justified in cases where a firm is not subject to any obligations under
applicable professional and legal standards with respect to any firm engagement.
b. Risk-based approach (QC 1000.08-.09)
The Board did not receive comments specifically on these paragraphs and adopted
them as proposed. These paragraphs require a firm to employ a risk-based approach to
quality control, such that the firm proactively manages its QC system and the quality of
the work it performs on engagements.
Under the standard, the firm is required to design, implement, and operate a QC
system that reflects and responds to the firm’s particular risks through two process
components.
•

The firm’s risk assessment process—establishing quality objectives, identifying,
and assessing quality risks to the achievement of those objectives, and designing
and implementing quality responses to address the identified quality risks—is
applied to all of the aspects of the firm’s organization and operations that are
covered by the QC system and thus is tailored to each firm’s specific facts and
circumstances.

•

The monitoring and remediation process is carried out in a way that is informed
by and responsive to risks—for example, quality risks influence both the selection
of engagements to monitor and the design and extent of monitoring activities.
The requirement to evaluate the effectiveness of the QC system supports

continued improvement in these risk assessment and monitoring and remediation
processes by requiring the firm to evaluate and report on whether the quality objectives
and the reasonable assurance objective have been achieved. These requirements are
discussed in more detail below.
The aspects of QC 1000 that are risk-based are inherently scalable. In applying a
risk-based approach, the firm is required to tailor its QC system to the firm’s specific
facts and circumstances, including the size and complexity of the firm, the types and
variety of engagements it performs, the types of companies for which it performs
engagements, and whether it is a member of a network (and if so, the nature and extent of
the relationship between the firm and the network). Accordingly, a large, complex firm
that performs a wide variety of engagements will likely be required to have a more
complex QC system than a small firm that performs a small number of less complex
engagements.
2. Current PCAOB standards
As described above, under current QC standards, a QC system is broadly defined
as a process to provide a firm with reasonable assurance that its personnel comply with
professional standards applicable to its accounting and auditing practice and the firm’s
standards of quality.149 The QC system encompasses the firm’s organizational structure,
policies adopted, and procedures established to provide that reasonable assurance.150

See QC 20.03.

See QC 20.04.

Registered firms are required to design, implement, and operate a system of quality
control to provide this reasonable assurance.
ROLES AND RESPONSIBILITIES
Expectations of individuals within the QC system are established through the
assignment of roles and responsibilities that are essential to a well-functioning QC
system. This aspect of the QC system creates clearer lines of communication and
decision-making authority and greater accountability for those assigned to such roles.
One commenter on the overall requirements supported them as proposed. Some firm
commenters also supported the proposed roles and offered operational suggestions, while
other firm commenters asserted that the proposed roles and responsibilities were not clear
and appropriate for the reasons described in the following subsections.
1. QC 1000
a. Due professional care (QC 1000.10)
Paragraph .10 of the standard addresses due professional care in performing
responsibilities in relation to the QC system. Due professional care, applicable to all firm
personnel and other participants, includes professional skepticism. The concept of due
professional care imposes a responsibility upon firm personnel and other participants to
observe relevant professional standards including, in the context of quality control,
QC 1000. The Board believes that this provision is a helpful clarification because the
PCAOB standards describing due professional care do not specifically mention QC
activities.151
One commenter urged the PCAOB to clarify the need for professional skepticism
by leadership in quality control roles. The Board does not believe specific provisions are

A new auditing standard, AS 1000, is being adopted to combine and update the four standards that
set forth the general principles and responsibilities of the auditor, including AS 1015, Due
Professional Care in the Performance of Work. See Auditor Responsibilities Release.

needed in that regard, because paragraph .10 applies to all individuals performing QC
roles, including those in leadership roles.
The Board has adopted this provision with modifications to align with the
descriptions of due professional care and professional skepticism being adopted in AS
1000.152
b. Assignment of roles and responsibilities (QC 1000.11-13)
The Board proposed to require the highest-ranking executive in the firm to bear
ultimate responsibility and accountability for the QC system as a whole. If a firm has coprincipal executive officers, each of them would bear such ultimate responsibility and
accountability. The PCAOB did not prescribe the substantive qualifications the highestranking executive in the firm should have; the proposal did not include any such criteria
(unlike the assigned roles under paragraph .12, which only may be assigned to personnel
who have the experience, competence, authority, and time to carry out their
responsibilities). The Board’s intention was to establish accountability for QC at the
highest level within the firm and underscore the critical importance of the QC system.
One commenter supported this requirement, as it is analogous to the CEO being jointly
responsibly for the SEC certifications with respect to the financial statements and internal
controls. One commenter requested clarification on the structure of smaller firms where
the firm’s CEO may not be an audit practitioner and may rely on others to fulfill the
requirements of the QC system. The Board believes it is important for the firm’s principal
executive officer, irrespective of whether that person is an audit practitioner, to be
ultimately responsible and accountable for the firm’s QC system, because the Board
believes that this will lead to more vigorous oversight of the audit practice; benefiting
investors and other stakeholders that rely on the firm’s work.

Id.

The requirement in paragraph .12 of QC 1000 is limited to roles that are expected
to exist in any firm and allows each firm to assign these roles based on the nature and
circumstances of the firm, provided that those assigned have the experience, competence,
authority, and time to enable them to carry out their assigned responsibilities. This
approach also addresses scalability; as the note to paragraph .12 makes clear, depending
on the nature and circumstances of the firm, one individual may be assigned to more than
one of the roles in paragraphs .11 and .12.
A number of commenters suggested that the roles in paragraph .12 should be able
to be split into multiple roles or assigned to multiple people. Commenters asserted that
the roles, such as operational responsibility for the ethics and independence component,
are complex enough to require two individuals. Several of the same commenters
expressed that the requirement is generally too prescriptive. Several firms indicated that
many firms in larger networks may commonly have these specified roles filled by
individuals outside of the firm and the restriction of these roles to firm personnel may be
problematic operationally.
For the roles specified in paragraph .12, the final standard retains the requirement
that only one individual may be assigned responsibility for each role. A firm may have
multiple individuals or multiple layers of personnel supporting these roles, but the
responsibility for the assigned role may not be delegated and will remain with the one
assigned individual. For example, a firm could assign one person to ethics-related matters
and another person to independence-related matters, as long as both of these individuals
report to the person with operational responsibility for the firm’s compliance with ethics
and independence requirements. The Board acknowledges that some firms may seek
assistance from their network or other participants in performing some of their QCrelated activities, but the Board believes a single individual within the firm should remain
responsible for the operational responsibilities of the assigned roles. Regardless of

whether specific tasks are delegated to others, the individual assigned to a specified role
remains responsible and accountable for the role’s related responsibilities.
Commenters generally supported allowing one person to hold multiple
responsibilities under certain circumstances, such as smaller firms with limited resources.
Two commenters supported the roles as proposed and one commenter suggested the
firm’s head of audit practice also be included as a role.
The Board’s view is that the roles specified in paragraph .12 would be appropriate
for every firm. Provided that the criteria in paragraph .12 of QC 1000 are met, the
individual assigned ultimate responsibility and accountability for the QC system also may
assume responsibility for all aspects of the QC system, including operational
responsibility for the QC system, the firm’s compliance with ethics and independence
requirements, and the monitoring and remediation process. The Board has not been
specific about who should be assigned the roles identified in paragraph .12. A firm may
determine, based on its nature and circumstances, that it is appropriate to assign already
established leaders to one or more of these roles, such as the head of audit practice as
suggested by a commenter.
One commenter requested clarification of the intended role in .12d. The role in
paragraph .12d allows firms to assign operational responsibility for other components
(e.g., the resources component) based on the nature and circumstances of the firm. The
standard provides firms the ability to add additional roles and responsibilities, if
appropriate, and the flexibility to assign one individual to more than one of the roles
specified.
The proposal asked if firms would have difficulty filling the assigned roles. Two
commenters were optimistic these roles could be filled in light of the requirements.
Commenters cited increased liability or workload associated with these roles as potential
disincentives that may keep qualified individuals from accepting these roles. Specifically,

some commenters asserted that the proposal would lower the threshold for individual
liability compared to current requirements, and that the threat of enforcement sanctions
would deter individuals from accepting the roles.153 One commenter sought clarification
on the supervision obligations prescribed under QC 1000 and the Board’s authority to
bring enforcement actions for failure to reasonably supervise under section 105(c)(6) of
Sarbanes-Oxley. One commenter recommended amending paragraph .11 to acknowledge
that individuals assigned ultimate responsibility for the QC system as a whole can rely on
information provided to them and their responsibility is governed by a good faith
standard. Two commenters expressed concern that firms, especially smaller issuer or
broker-dealer practices, would have difficulty filling the specified roles. One commenter
was concerned with increased accountability and suggested balancing accountabilities
such that processes and outcomes, as well as rewards and penalties, are more
appropriately weighted.
Current QC standards generally impose responsibilities directly on the firm rather
than on individuals. Enforcement actions related to the failure to comply with current QC
standards can be brought against individuals for contributing to violations by the firm154
or for failing to reasonably supervise an associated person of the firm who commits
certain violations.155
Under QC 1000, the individuals who are assigned specific responsibilities with
respect to the QC system could be charged with violations if they fail to comply with

Analogous concerns were also raised by commenters in relation to the separate rulemaking
Proposed Amendments to PCAOB Rule 3502 Governing Contributory Liability, available on the
Board’s website in Docket 053.

See PCAOB Rule 3502, Responsibility Not to Knowingly or Recklessly Contribute to Violations.
The Board has proposed to amend Rule 3502 in certain ways, including by changing the standard
of conduct for associated persons’ contributory liability from recklessness to negligence. See
Proposed Amendments to Rule 3502 Governing Contributory Liability, PCAOB Rel. No. 2023007 (Sept. 19, 2023).

See Sarbanes-Oxley sec. 105(c)(6), 15 U.S.C. 7215(c)(6).

those enumerated responsibilities, as well as for contributing to firm violations or failing
reasonably to supervise.156 As discussed further in the sections that follow, the
individuals who fill the roles specified in paragraphs .11 and .12 of QC 1000 have
specified responsibilities spelled out in paragraphs .14 through .17 of the final standard.
Those individuals must exercise due professional care (see paragraph .10), and their
failure to properly discharge their duties—for example, to establish or direct the
establishment of certain QC-system reporting lines (see paragraph .14b), to certify the
firm’s Form QC report to the PCAOB (see paragraphs .14d and .15b), or to timely
communicate certain information to others (see paragraphs .16b and .17b)—would
constitute violations of QC 1000. So while current QC standards generally require either
a primary violation by the firm to trigger an individual’s potential liability under Rule
3502 or a primary violation by another associated person to trigger a supervisory person’s
potential liability under section 105(c)(6) of Sarbanes-Oxley, QC 1000 creates a
framework in which an individual’s failure to discharge prescribed responsibilities could
give rise to individual liability without regard to whether primary violations were
committed by another.
That is not to say, however, that the individuals filling the roles specified in
paragraphs .11 and .12 of QC 1000 no longer can be charged with contributing to
violations by the firm or for failing to reasonably supervise an associated person who
commits certain violations. Because of the important role played by the individuals filling
those roles, their failure to properly fulfill their responsibilities may contribute to
violations by their firm. Furthermore, paragraphs .15a, .16a, and .17a of the final standard
make clear that the individuals who fill the roles discussed therein are supervisory

See PCAOB Rel. No. 2023-007.

persons who have supervisory responsibilities under the Board’s QC standards, for
purposes of section 105(c)(6) of Sarbanes-Oxley.
The Board believes that providing another basis for enforcement against
responsible individuals could enhance their accountability for the QC system. Enhanced
accountability emphasizes the importance of the firm assigning roles to firm personnel
who have the experience, competence, authority, and time needed to carry out their
assigned responsibilities. Although the Board recognizes that some commenters
expressed concern about whether individuals would be willing to assume these specified
roles, the Board believes that these roles are necessary and appropriate for every firm.
The Board also believes that, with appropriate incentives, firms should be able to fill
these roles. The PCAOB is adopting these requirements as proposed.
The Board discusses each of the QC roles identified in the standard in the
subsections that follow. Paragraph .13 provides that individuals assigned operational
responsibilities under paragraph .12 should have a direct line of communication to the
individual with ultimate responsibility and accountability for the QC system. This line of
communication would provide these individuals the information necessary to perform
their assigned roles. One commenter supported a feedback loop between the individuals
assigned responsibilities under paragraphs .11 and .12, but sought clarity regarding
whether individuals in the roles in paragraph .12 are required to report to the firm’s
principal executive officer. The Board has not prescribed the firm’s reporting structure
related to those roles, as it may vary based on the nature and circumstances of the firm.
c. Ultimate responsibility and accountability for the QC system as a whole (QC
1000.14)
The individual assigned ultimate responsibility and accountability for the QC
system as a whole reinforces the responsibility and accountability of firm personnel by
demonstrating a commitment to quality. The standard emphasizes the role of that

individual—by the individual recognizing and reinforcing professional ethics, values, and
attitudes through the individual’s actions, behaviors, and communications—in
establishing a firm’s tone at the top and attitude towards quality.
The individual assigned ultimate responsibility and accountability is responsible
for establishing, or directing the establishment of, structures, reporting lines, and
authorities and responsibilities for the roles involving operational responsibility for
aspects of the QC system and the QC system as a whole. For each firm, the approach to
fulfilling these responsibilities will be dependent on the firm’s nature and circumstances.
For example, in a smaller firm where there are fewer individuals with assigned roles,
structures may be less formal. Conversely, for a larger firm, it may be necessary to have
multiple individuals in roles with assigned responsibilities or to have multiple layers of
personnel supporting different activities. However, ultimate responsibility and
accountability cannot be delegated.
Also, the individual assigned ultimate responsibility and accountability is
accountable for the design, implementation, and operation of the firm’s QC system in
accordance with applicable professional and legal requirements and the firm’s policies
and procedures, as well as for the firm’s annual QC system evaluation. The functions
performed by the individual with ultimate responsibility and accountability may vary
across firms. For example, in a smaller firm, the individual assigned ultimate
responsibility and accountability may be directly involved in aspects of the QC system,
such as the firm’s monitoring and remediation process. In a larger firm, this person may
supervise others who perform these activities.
Lastly, the Board proposed requiring the individual assigned ultimate
responsibility and accountability for the QC system as a whole, along with the individual
assigned operational responsibility and accountability for the firm’s QC system as a
whole, to certify the firm’s annual evaluation of its QC system in a report to the PCAOB.

One commenter expressed concern that the certification requirements may create a
barrier to firms operating in environments that do not have Sarbanes-Oxley-style
reporting requirements. The same commenter also emphasized the certifications may
have a disproportional impact on smaller firms that have fewer resources. One
commenter suggested that certification by the firm’s CEO is an ineffective incentive and
a more appropriate incentive would be compensation that was heavily weighted towards
effective QC systems.
As discussed further below, the Board believes such certification will lead to
increased discipline in the evaluation process and reinforce the accountability of the
certifying individuals, and has adopted that requirement as proposed. The Board believes
certifications are commonly known among issuers within the regulatory environment and
would be familiar to their auditors. The Board also believes the certification requirements
will complement the revised provisions in paragraphs .25b and .44g of the final standard,
which address compensation incentives based on an effective QC system.
d. Operational responsibility and accountability for the QC system as a whole
(QC 1000.15)
This requirement did not draw comment and the Board adopted it as proposed.
The individual assigned operational responsibility and accountability for the QC system
as a whole is accountable for supervising the design, implementation, and operation of
the firm’s QC system. This includes overseeing the operation of the QC system in
achieving the reasonable assurance objective. Depending on the nature and circumstances
of the firm, this individual may be the same person assigned ultimate responsibility and
accountability for the QC system, or may be assigned other operational responsibilities,
such as for ethics and independence or monitoring and remediation.
In carrying out the specified responsibilities, the individual assigned operational
responsibility and accountability for the QC system as a whole may be supported by the

individuals assigned operational responsibility for the firm’s compliance with ethics and
independence requirements, the monitoring and remediation process, or other
components of the QC system. This includes receiving information from such individuals
regarding violations of ethics and independence requirements and the results of the
monitoring and remediation process.
Along with the individual assigned ultimate responsibility and accountability for
the QC system as a whole, and for similar reasons, the Board has required the individual
assigned operational responsibility and accountability for the QC system as a whole to
certify the firm’s annual report to the PCAOB on the evaluation of its QC system, as
discussed below.157
e. Operational responsibility for the firm’s compliance with ethics and
independence requirements (QC 1000.16)
Compliance with ethics and independence requirements is essential to the
performance of engagements and, in some situations, presents challenging, novel, or
complex issues. The current requirements for former SECPS member firms include
designating a senior-level partner to oversee the firm’s independence policies and
consultation process, among other independence-related activities. Like in the proposal,
in the final standard the individual assigned operational responsibility for compliance
with ethics and independence requirements will supervise the areas addressed by the
ethics and independence component of QC 1000, which include the firm’s risk
assessment process for ethics and independence and the design, implementation, and
maintenance of the firm’s policies and procedures related to ethics and independence.

If the same person were assigned both ultimate responsibility and accountability and operational
responsibility and accountability for the QC system, that person would sign the certification in
both capacities.

Within the ethics and independence component, there are quality objectives and
specified quality responses that address potential violations of ethics and independence
requirements, including a quality objective that potential violations are communicated to
the individual with operational responsibility for ethics and independence requirements.
That individual is then responsible for communicating such violations to the individuals
assigned operational responsibility for the monitoring and remediation process and
operational responsibility and accountability for the QC system as a whole.
Paragraph .16b, as well as several other requirements in the standard, refers to
actions being taken on a “timely basis.” In each of these cases, what constitutes “timely”
would depend on the underlying matter to which the action relates, including the matter’s
nature, scope, and impact. Timely communication and action should be sufficiently
prompt to achieve its objective. In some cases, for example, where there is a high risk of
a severe or pervasive problem, communication and action may have to be immediate to
be timely. The only commenter on this term agreed that what constitutes “timely” would
depend on the underlying matter to which action relates. The commenter also wanted
clarification that the firm’s policies and procedures assist in promoting communication
such that the appropriate individuals with responsibilities over the firm’s QC system
become aware of relevant matters in a timely manner, as appropriate for the size and the
scale of the firm and relative nature of the matter. Insofar as the comment may be read to
suggest that the size and scale of the firm, on its own, is a factor in determining
timeliness, the Board disagrees. In the Board’s view, timeliness is a function of the nature
and significance of the issue (appreciating that the size and scale of the firm may be
relevant in gauging the nature and significance of an issue).
One commenter expressed concern that the prescriptiveness of the communication
requirements may detract from the achievement of the intended objectives. Specifically,
the commenter was concerned that it may not be appropriate to require communication of

all violations to the individual with operational responsibility and accountability for the
QC system as a whole.
The specified communications are intended to enable these individuals to take
timely and appropriate actions in accordance with their responsibilities. In the Board’s
view, in order to do that, they need to be apprised of ethics and independence violations.
Ethics or independence violations may take a variety of forms, and therefore the nature
and extent of the communication may also take a variety of forms commensurate to the
severity and pervasiveness of the violation. Leaving aside the question of whether a
violation of ethics or independence requirements could ever be insignificant, individual
violations may evidence problems within specific areas of the firm’s policies and
procedures or an overall pattern of disregard for ethics and independence requirements
that requires timely intervention. The Board has adopted these requirements as proposed.
f. Operational responsibility for the monitoring and remediation process (QC
1000.17)
The monitoring and remediation process is a critical part of a firm’s QC system
because it creates a feedback loop to inform the firm’s risk assessment process, results in
an approach that drives continuous improvement, and provides the firm with information
about whether the QC system is operating effectively. As proposed, the individual
assigned operational responsibility for the monitoring and remediation process would be
responsible for supervising the design, implementation, and operation of the monitoring
and remediation process component and the evaluation of the QC system. This individual
would also be responsible for overseeing actions taken to respond to identified
engagement deficiencies, QC deficiencies, and major QC deficiencies.
One commenter was concerned that it would be a conflict of interest for this
individual to oversee both the monitoring and remediation process and the evaluation
process. Another commenter recommended that the responsibility for the annual

evaluation be shared between the individual with operational responsibility for the QC
system as a whole, who recommends the evaluation conclusion, and the individual with
operational responsibility for the monitoring and remediation process, who concurs or
recommends changes to the conclusion. The Board understands that in a smaller firm
these roles may all be performed by the same individual. In a larger firm that assigns
different individuals to the roles, the individual with operational responsibility for the
monitoring and remediation process supervises the evaluation process. Although the
individual overseeing the monitoring and remediation process also oversees the
evaluation process, other aspects of QC 1000 drive accountability for the evaluation.
Paragraph .14c makes the individual assigned ultimate responsibility and accountability
for the QC system as a whole accountable for the annual evaluation. Additionally,
paragraphs .14d and .15b impose certification requirements that also drive accountability
for the evaluation process. The Board has adopted this requirement as proposed.
The individual assigned operational responsibility for the monitoring and
remediation process is also responsible for communicating, on a timely basis, matters
related to monitoring and remediation to the individuals assigned ultimate responsibility
and accountability for the QC system as a whole and operational responsibility and
accountability for the QC system as a whole. These communications would include key
aspects of the monitoring and remediation process, such as the monitoring activities
performed, results of the monitoring activities, and the remedial actions taken. The
communication of this information to the individual assigned ultimate responsibility and
accountability for the QC system as a whole facilitates and supports that individual’s
overall accountability for the evaluation of the QC system.
2. Current PCAOB standards
QC 20.22 requires the assignment of responsibility for the design and
maintenance of QC policies and procedures to appropriate individuals but does not

specify the role or roles to which such responsibilities should be assigned. In addition,
members of the SECPS are required to designate a senior-level partner responsible for,
among other things:
•

Overseeing the functioning of the firm’s independence policies and consultation
process;

•

Maintaining the restricted entity list and providing it to all professionals; and

•

Supervising the monitoring system related to overseeing that independence
violations are addressed.
QC 1000 retains and expands on these concepts. However, rather than specifying

that a senior-level partner be responsible for independence matters, the standard takes a
more functional approach, requiring a person with the experience, competence, authority,
and time needed to enable that person to carry out the assigned responsibilities.
Another key difference, as discussed above, is that QC 1000 imposes specific
responsibilities on the individuals assigned the specific roles, such that enforcement
action could be brought against them individually if they fail to meet those
responsibilities.
THE FIRM’S RISK ASSESSMENT PROCESS
The risk assessment process is the basis for a risk-based approach to the design,
implementation, and operation of the firm’s QC system. The firm’s risk assessment
process, in combination with the monitoring and remediation process, creates a feedback
loop to drive continuous improvement of the firm’s QC system.
The proposal included a risk assessment process that would be principles-based
and could be tailored to the size and complexity of the firm and the types and variety of
engagements it performs. Several commenters, including firms, were generally
supportive of a risk-based approach to the firm’s QC system. One commenter, an
investor-related group, expressed concern that a principles-based approach would allow

audit firms too much discretion in conducting their own risk assessment. Another
commenter noted that while they generally supported a risk-based, scalable approach,
they supported a more prescriptive approach for the resources and monitoring and
remediation components.
The Board has retained the approach as proposed because it believes that applying
a risk-based approach to the design, implementation, and operation of the QC system will
prompt firms to identify and focus on the most relevant risks to quality in the context of
their own practice and will make QC 1000 appropriately adaptable to future changes in
technology, regulation, and the business environment. It will also ensure scalability,
allowing firms to right-size their QC systems as their practices grow and change. As
discussed above, QC 1000 contains a balance of prescriptive and risk-based elements.
One commenter requested clarity on whether QC 1000 would operate separately
or in concert with other quality control standards, specifically whether the risk
assessment process would apply only to engagements performed under PCAOB standards
or to the firm’s overall risk assessment of all its engagements, including those performed
under other standards. Consistent with the way the term “engagement” is defined in
QC 1000,158 the requirements of QC 1000, including those regarding the firm’s risk
assessment process, generally apply only to work performed under PCAOB standards.
However, nothing prevents a firm from designing, implementing, and operating a single
risk assessment process for its entire audit and assurance practice that satisfies both
QC 1000 and the other quality control standards that apply to the firm.
The risk assessment process should be familiar to firms because it is analogous to
existing auditor responsibilities for identifying, assessing, and responding to risks of
material misstatement of the financial statements. Audit procedures for identifying and

See Terminology discussed above.

assessing risks of material misstatement include information-gathering procedures to
identify risks (e.g., obtaining an understanding of the company, its environment, and its
internal control), assessment of risks based on information obtained, and design and
implementation of responses to address the identified risks.159 The standard creates
analogous responsibilities in relation to the QC system. Similarly, as the auditor is
required by auditing standards to modify the overall audit strategy and the audit plan if
circumstances change during the course of the audit,160 the firm is required by QC 1000
to monitor, identify, assess, and respond to changes in relevant conditions, events, and
activities that affect the firm’s QC system.
1. QC 1000.18
The firm’s risk assessment process applies to the six components of the firm’s QC
system that specify quality objectives. To design, implement, and operate this process,
the firm is required to:
•

Establish quality objectives;

•

Identify and assess quality risks to the achievement of the quality objectives; and

•

Design and implement quality responses to address the identified quality risks.
The process for establishing quality objectives, identifying, and assessing quality

risks, and designing and implementing quality responses is iterative, and the requirements
of the standard would not necessarily be addressed in a linear manner. For example, in
identifying and assessing quality risks, the firm may determine that one or more
additional quality objectives are required; in designing and implementing quality
responses, the firm may identify additional quality risks. The risk assessment process is
also iterative and ongoing, so that new or developing risks are identified and addressed as
they emerge. For smaller and less complex firms, the risk assessment process may be

See generally AS 2110, Identifying and Assessing Risks of Material Misstatement.

See AS 2110.74.

centralized and involve only a few individuals. For larger and more complex firms, the
risk assessment process may be more structured and decentralized, involving multiple
layers and groups. The Board believes that the risk assessment approach will prompt
firms to proactively identify, assess, and respond to quality risks, while at the same time
allowing them to apply judgment when identifying and assessing quality risks.
a. Establish quality objectives (QC 1000.19)
The standard defines quality objectives as the desired outcomes in relation to the
components of the QC system to be achieved by the firm. Establishing quality objectives
is the first step in the risk assessment process and forms the basis for the identification
and assessment of quality risks and the design and implementation of quality responses.
The quality objectives are outcome-based and the risk assessment process provides firms
the ability to determine how the quality objectives are to be achieved.
One investor-related group expressed concern with the lack of specificity in the
proposed standard regarding the design of an audit firm’s quality control system,
suggesting that the proposed standard would enable firms to design a QC system that
could too easily be certified as working properly. The Board believes that the quality
objectives specified in QC 1000 will promote an appropriate level of rigor in the QC
system. While QC 1000 provides some flexibility with regard to the quality risks that
firms identify and the quality responses that firms develop to address those risks, it does
not provide the same flexibility with regard to quality objectives. Instead, quality
objectives that will apply to all firms are specified in the standard. Firms can establish
additional quality objectives—indeed, they are required to do so if necessary to achieve
the reasonable assurance objective—but they generally cannot omit or modify any of the
quality objectives set out in the standard. Therefore, firms do not determine the criteria by
which their QC systems will be assessed, only the means by which they will meet those
criteria.

Quality objectives are specified in the standard for six of the components of the
QC system: governance and leadership, ethics and independence, acceptance and
continuance of engagements, engagement performance, resources, and information and
communication. A firm may determine that it is necessary to establish quality objectives
for its monitoring and remediation process. In those circumstances, the firm’s risk
assessment process would also apply to the monitoring and remediation process.
Otherwise, although monitoring and remediation would not be subject to the firm’s risk
assessment process as described in the standard, it would nevertheless be carried out in a
way that is informed by and responsive to quality risks.161
The Board believes that, for many firms, the quality objectives specified in the
standard are likely to be comprehensive and it does not expect, in the current
environment, that additional quality objectives would generally be necessary. However,
the Board also recognizes that the nature and circumstances of a firm and its engagements
will vary and conditions may change. Accordingly, a firm is required to establish
additional quality objectives if necessary to achieve the reasonable assurance objective.
The requirement for the firm to establish quality objectives necessary to achieve
the reasonable assurance objective is designed to prompt ongoing reexamination of the
quality objectives and modification as needed, which should enable the firm’s QC system
to adapt to a changing environment and remain fit for purpose. If a firm determines that
its quality objectives need to be more specific, it could establish sub-objectives to provide
a more direct link to quality risks and support the development of more comprehensive or
better-targeted responses.
b. Identify and assess quality risks (QC 1000.20)

See Monitoring and Remediation Process below. For example, quality risks and the reasons for
their assessment are factors a firm would take into account when determining the nature, timing,
and extent of its monitoring activities.

The proposal defined quality risks as risks that, individually or in combination
with other risks, have a reasonable possibility of adversely affecting the firm’s
achievement of one or more quality objectives if the risks were to occur, and are either (i)
risks that have a reasonable possibility of occurring or (ii) risks of intentional acts by firm
personnel and other participants to deceive or to violate applicable professional and legal
requirements. The “reasonable possibility” term in the definition of quality risks is
aligned with use of the term in PCAOB standards:162 there is a reasonable possibility of
an event when the likelihood of the event is either “reasonably possible” or “probable,”
as those terms are used in the FASB Accounting Standards Codification (“FASB ASC”)
Topic 450, Contingencies.163
A number of commenters raised questions or made suggestions about the
proposed treatment of intentional acts in the definition of quality risks. One commenter
suggested that intentional misconduct should not be explicitly addressed in the definition
because the necessary response, especially as it relates to colleagues’ behavior, may
negatively impact the trust among colleagues and could constrain the achievement of
quality objectives. Instead, this commenter suggested that the risk of intentional
misconduct may be more effectively considered and responded to as part of the broader
understanding of quality risks. Another firm expressed concern that requiring
consideration of all illegal acts would contradict a risk-based approach.
Several firms agreed that the definition of quality risks should explicitly address
the risk of intentional misconduct but suggested that the definition should also address
the possibility of occurrence related to acts of intentional misconduct. Several
commenters, including firms, firm-related groups, and an academic, recommended that

See generally, e.g., AS 1105, Audit Evidence; AS 2101; AS 2201, An Audit of Internal Control
Over Financial Reporting That Is Integrated with An Audit of Financial Statements.

See FASB ASC paragraph 450-20-25-1; see also, e.g., footnote 4 to AS 1105.12, which
incorporates the ASC definition.

the threshold of “reasonable possibility of occurring” should apply to all quality risks,
including risks of intentional misconduct. Many of these commenters said that not
applying the threshold of “reasonable possibility of occurring” to the risk of intentional
misconduct would not be practical and could harm audit quality as this would divert time,
resources, and attention from addressing more reasonably possible risks. Some
commenters referenced the inclusion of the “reasonable possibility of occurring”
threshold in AS 2110 and suggested that the same principle should apply to the risk of
intentional misconduct in QC 1000. Two of these commenters suggested that not
applying the threshold of “reasonable possibility of occurring” to the definition of quality
risks would be inconsistent with AS 2401, Consideration of Fraud in a Financial
Statement Audit, and could impose a threshold on firms that exceeds the current auditing
standards over auditors’ identification and assessment of fraud risks. Several commenters
also stated that the inclusion of other participants in addressing every conceivable risk of
intentional misconduct may be impractical as firms may have limited access to
information on the conduct of other participants. One firm suggested that additional
guidance may be beneficial with regard to assessing and responding to risks of intentional
misconduct by other participants that are not part of the firm.
A firm-related group suggested that not applying the threshold of “reasonable
possibility of occurring” to intentional misconduct appeared to go beyond the reasonable
assurance objective and expressed concern that, without further clarification of how firms
should deal with risks of intentional misconduct with less than a reasonable possibility of
occurring, a disproportionate level of resources could be allocated to this area, to the
detriment of other quality risks with more than a remote possibility of occurring.
After considering the comments received, the Board revised the definition of
quality risks such that the threshold of “reasonable possibility of occurring” applies to all
risks, including risks of intentional misconduct by firm personnel and other participants.

However, the Board continues to believe that firms should be explicitly prompted to
consider risks of intentional misconduct in their risk assessment process, because without
such a prompt, firms may discount the possibility that intentional misconduct may occur
and omit or underweight these types of risks in their risk assessment process. Therefore,
the final definition provides that, for all risks, whether or not related to intentional
misconduct, the firm would assess the possibility of occurrence and the possibility that
the risks would have an adverse effect on the achievement of its quality objectives.
One firm suggested that while the threshold of “adversely affecting” is reasonably
understood, additional guidance or examples would be welcomed. Another commenter
noted that more examples serve as helpful interpretive guidance to those implementing
the standard. Two firms believed the threshold is sufficiently clear and did not have
specific requests for further guidance. The Board will monitor the implementation of the
new standard by audit firms, and, if appropriate, consider the need for additional
guidance.
The standard requires the firm to identify and assess quality risks for each quality
objective it establishes. Most quality objectives are likely to have multiple quality risks.
Some quality risks may relate to multiple quality objectives, either within a single
component or across several components. The nature and extent of the firm’s risk
assessment process would be commensurate with the firm’s quality risks and therefore
will vary across firms in nature, scope, and complexity. In assessing risks, the firm would
consider how often the quality risks may occur and the magnitude of the impact of the
quality risks on the related quality objectives. The firm would then take this information
into account in determining the nature, timing, and extent of the quality response(s)
needed to address the quality risk.
One commenter requested clarification of whether the Board expects firms to
categorize the identified risks (for example as lower, higher, or significant). While there

is nothing in QC 1000 that requires such categorization, firms that find such an approach
helpful could certainly use it.
The standard requires the identification and assessment of quality risks annually.
Requiring an assessment annually, as well as when matters come to the firm’s attention,
drives a systematic, disciplined, and proactive approach to assessing the firm’s quality
risks. Through the Board’s oversight activities, it has observed that many firms update
their QC systems on an ad hoc basis, in response to changes in regulatory requirements or
deficiencies identified by internal or external inspections, and do not have a systematic
process of risk assessment. This reactive approach can result in firms taking corrective
actions only after deficient audits have been identified. The annual identification and
assessment requirement will instill a regular and disciplined approach to performing the
risk assessment process and to identifying new quality risks that require modifications to
the firm’s quality responses or quality risks identified in a prior year that may no longer
be sufficient or relevant.
The standard does not specify quality risks that must be assessed and responded to
by all firms; rather it includes factors for the firm to consider in its risk assessment
process. The Board believes that such an approach would result in the firm identifying
and assessing the quality risks that are most relevant in light of its facts and
circumstances.
i.

Obtain an understanding of the conditions, events, and activities that may
adversely affect the achievement of the firm’s quality objectives

The standard requires the firm, as part of identifying and assessing quality risks,
to obtain an understanding of the conditions, events, and activities that may adversely
affect the achievement of the firm’s quality objectives. This understanding underpins the
firm’s identification and assessment of the quality risks that are most relevant to the
achievement of the firm’s quality objectives. Appendix B of the standard provides

examples related to the nature and circumstances of the firm and its engagements that
may give rise to quality risks.
The considerations highlighted in paragraph .20a. and Appendix B could assist
the firm in identifying one or more quality risks to the achievement of one or more
quality objectives. For example, consideration of changes in a firm’s structure may be
relevant for a firm that has recently completed an acquisition of another firm. This
consideration may result in the identification of a number of quality risks, such as a
quality risk that the audit methodology used by the acquired firm may not be compatible
with the acquirer’s methodology or a quality risk that the firm is unable to retain
personnel post-acquisition, which may pose risks to quality objectives in areas like
engagement performance and resources.
Several commenters, including firms, noted that the examples provided in
Appendix B were helpful. Two commenters expressed concern with the language used in
paragraph .20a., specifically, that it was not sufficiently clear that the specific examples
in Appendix B are meant to be illustrative rather than a checklist for every firm to
consider. As the Board stated in connection with the proposal, the list in paragraph .20a.
is not intended to be exhaustive and the specific examples provided in Appendix B are
meant to be illustrative rather than a checklist for every firm to consider. Whether
particular conditions, events, and activities are relevant, and result in one or more quality
risks, depends upon the nature and circumstances of the firm and its engagements and
how the conditions, events, and activities relate to or affect the operation of the firm’s QC
system and the performance of its engagements. The firm may also identify quality risks
that do not relate to the list in paragraph .20a. or to any of the specific examples.
One firm expressed concern with the inclusion of proposed paragraph B10b. in
Appendix B, which discusses the extent of alignment of a third-party provider’s standards
of conduct with those of the firm. The firm suggested that the example may imply that

third-party providers from outside the public accounting profession may not be
appropriate or sufficient, because they may not be subject to a centrally governed code of
conduct. Nothing in the Board’s standards requires a third-party provider to have a
centrally governed code of conduct and the Board has added the phrase “if any” to the
example to eliminate any ambiguity in that regard. However, the Board does believe that
the existence of such a code of conduct, and the extent to which it aligns with the firm’s
own standards of conduct, is a relevant example that could be considered by a firm in
assessing whether there exist conditions, events, or activities, as a result of its use of
resources or services obtained from third-party providers, that may adversely affect the
achievement of its quality objectives.
1) The nature and circumstances of the firm
The standard includes a list of considerations related to the nature and
circumstances of the firm. Appendix B of the standard provides specific examples of each
consideration in paragraphs .B2 through .B11.
The Board continues to believe that to consistently execute quality audits, it is
important that a commitment to audit quality is embedded in the firm’s culture and exists
throughout the firm. In connection with this, the Board has added a new paragraph
.20a.(1)(d) and paragraph .B5 to provide firms with an additional risk assessment
consideration relating to the culture of the firm, and the extent to which a culture of
integrity and a commitment to audit quality, including ethics and independence, is
promoted within the firm and embraced by firm personnel across all levels of the firm.
In addition, the Board has added paragraph .B6e. to highlight that in
understanding the resources of the firm, the firm may also have to consider the risks
associated with technological resources, including their susceptibility to cybersecurity
breaches.

2) The nature and circumstances of the firm’s engagements
In obtaining an understanding of the nature and circumstances of the firm’s
engagements, the firm considers the types of engagements performed by the firm as well
as the types of entities for which such engagements are undertaken. Paragraph .B12 of
Appendix B of the standard contains a list of examples of these considerations. For
instance, a firm that conducts audits of broker-dealers may consider information from
relevant authorities, like the SEC and Financial Industry Regulatory Authority
(“FINRA”), in identifying risks associated with such audit engagements. The Board
added an example to paragraph .B12a. to highlight that in understanding the nature and
circumstances of the firm’s engagements, the firm may also consider the laws and
regulations to which the companies it audits are subject.
3) Other relevant information
Other relevant information captures other information sources that help the firm
to identify quality risks. One such source is the firm’s monitoring and remediation
activities. Consideration of information from those activities creates a feedback loop
within the QC system by informing the firm of the results of the monitoring and
remediation process that may help the firm identify quality risks.
Other sources are external inspections and oversight activities by regulators, and
other external reviews, such as peer reviews. For example, the results of an external
inspection may identify a high rate of noncompliance with independence requirements
within a specific office of the firm or within a certain employee staff level, which the
firm would take into account when identifying and assessing quality risks for the ethics
and independence component.
ii.

Identify and assess quality risks based on the understanding obtained

Under the standard, identifying and assessing quality risks is an ongoing, iterative
process. The firm assesses risks as part of the initial design and implementation of the QC

system, and thereafter annually, including in response to new information or changes in
its circumstances and environment.
The standard requires the firm to identify and assess quality risks for each of the
quality objectives established by the firm, based on the understanding of the relevant
factors and other relevant information and taking into account whether, how, and the
degree to which the achievement of the quality objectives may be adversely affected. The
note clarifies that this assessment is based on inherent risk, without regard to the effect of
any related quality responses. The assessment is similar to the determination made under
AS 2201 as to whether an account or disclosure is significant based on inherent risk,
without regard to the effect of controls.164 One commenter agreed with the clarification
provided in the note that the assessment is based on inherent risk, but expressed concern
that the note may not be sufficient to prompt or remind auditors of the independence of
quality risks from quality responses. The Board believes that the note to paragraph .20b.
provides clear direction for assessing quality risks without regard to the effect of quality
responses. The Board will monitor the implementation of the new QC standard, and, if
appropriate, consider the need for additional guidance. Quality risks may affect one or
more quality objectives, either within a single component or across several components.
For example, a quality risk that the firm may not be able to attract and retain qualified
personnel would affect several quality objectives in the resources component, and may
also affect quality objectives in other components, such as engagement performance or
engagement acceptance and continuance.
Under the definition of quality risks, the firm would not be required to identify
every conceivable risk, but only those that have a reasonable possibility of occurring and,
if they were to occur, a reasonable possibility of adversely affecting the firm’s

See AS 2201.A10.

achievement of one or more quality objectives. The identification of quality risks takes
into account individual risks as well as combinations of risks. For example, a risk that has
a reasonable possibility of occurring but individually does not have a reasonable
possibility of adversely affecting the achievement of the quality objective may meet the
proposed definition of a quality risk when analyzed in combination with other risks.
The firm may undertake the quality risk assessment separately or concurrently
with risk identification. Assessing the identified quality risks involves consideration of
the frequency with which the quality risks may occur and the magnitude of the impact of
the quality risks on the related quality objective(s). Identifying quality risks with the
appropriate degree of specificity (not too narrowly or too broadly) would help the firm
design quality responses that reduce to an appropriately low level the risk that the quality
objective will not be achieved. Quality risks that are defined too broadly may result in
quality responses that are not sufficiently targeted to the actual quality risk. Conversely,
if quality risks are defined too narrowly, the quality responses may not sufficiently
address the full extent of the actual quality risk.

The process of identifying and assessing quality risks is depicted below.

c. Design and implement quality responses (QC 1000.21)
The standard requires the firm to design and implement quality responses that
address quality risks in order to achieve the quality objectives. Quality responses are
defined as policies and procedures designed and implemented by the firm to address
quality risks. Under the definition, policies are statements of what should, or should not,
be done to address assessed quality risks. Procedures are actions to implement and
comply with policies.
Under the principles-based approach of the standard, the nature, timing, and
extent of quality responses depend on the underlying quality risks and the reasons why
these risks were assessed as quality risks. For example, a quality risk that is tied to an
event that is expected to occur multiple times per year, or that could have a very
significant impact, requires a more extensive response than a quality risk tied to a specific
event that is expected to occur only once and have a less significant impact.
The firm may decide to implement quality responses at the firm level or the
engagement level, or through a combination of responses at the firm and engagement
levels, depending on the nature of the quality risk. Quality responses may address
multiple quality risks related to one or more QC components.
Quality responses may vary depending on to whom they apply. For example,
based on the quality risks that are being addressed, the firm may develop some policies
and procedures that are applicable to all firm personnel and others that apply only to firm
leadership or personnel in a particular function or geographic location. Similarly, the
firm’s policies and procedures regarding other participants may be different for different
types of other participants (e.g., network affiliates, engaged specialists).
Information obtained from the identification and assessment of quality risks
enables the firm to develop quality responses that appropriately and adequately respond
to the quality risks. In assessing risks, the firm would consider how often the quality risks

may occur and the magnitude of the impact of the quality risks on the related quality
objectives. The firm would then take this information into account in determining the
nature, timing, and extent of the quality response(s) needed to address the quality risk.
In addition to the quality responses designed by the firm, the standard requires
certain specified quality responses for all firms. Some specified quality responses are
drawn from existing PCAOB requirements165 or from the specified responses in ISQM
1,166 and have been included either to carry existing requirements into the new standard
or to create other obligations that would have to be met in designing, implementing, and
operating the QC system. Other specified quality responses are new provisions that the
Board believes are sufficiently important to merit an explicit requirement. The specified
quality responses are not intended to be comprehensive; on the contrary, for most of the
components of the firm’s QC system, QC 1000 includes only a few specified quality
responses, and for the engagement performance component there are none. As a result,
the specified quality responses alone would not be sufficient to enable the firm to achieve
all established quality objectives, and firms must design and implement their own quality
responses in addition to the specified quality responses. The specified quality responses
and the quality responses the firm designs and implements on its own are critical in
addressing quality risks.
For example, the specified quality response requiring mandatory training167 may
address some of the quality risks related to certain quality objectives in the resources
component (e.g., hiring, developing, and retaining firm personnel).168 However,
mandatory training alone will not be sufficient to address all the quality risks that may be

See, e.g., QC 20.10, .13a, .13b, and .15a.

See paragraph .34 of ISQM 1.

See QC 1000.48.

See QC 1000.44a.

identified for that quality objective and will have to be combined with additional firmdeveloped quality responses.
d. Modifications to the quality objectives, quality risks, or quality responses (QC
1000.22-.23)
The standard requires firms to take proactive measures to address new quality
risks that may come up between the firm’s periodic risk assessments. To the extent
practical, these policies and procedures would be not just retrospective, but also forwardlooking, so the firm could anticipate and plan for significant changes. For example, a new
accounting standard may result in a firm identifying a new quality risk that firm
personnel may misinterpret the new standard. Identifying this risk prior to the next annual
risk assessment may prompt the firm to revisit its quality responses that are affected by
this event, and thus avoid potential problems in future engagements.
One commenter suggested that it may be cost beneficial to require or encourage
audit firms’ QC leaders to stay current with developments in auditing literature to put
them in a better position to triage newly identified quality risks and identify engagements
susceptible to those risks. Another commenter recommended that firms be required to
create an individual or other entity charged with maintaining situational awareness.
The Board notes that paragraph .22 of QC 1000 requires firms to establish
policies and procedures for monitoring changes to conditions, events, and activities that
indicate modifications to the firm’s quality objectives, quality risks, or quality responses
may be needed. In addition, the individual(s) responsible for monitoring such changes are
subject to the general due professional care standard of QC 1000.10, which requires a
critical assessment of the relevant information (which would include relevant literature).
In light of these overarching requirements, the Board does not consider it necessary to
add the specific provisions that commenters suggested. Rather, the Board believes that
allowing flexibility for firms to establish policies and procedures to monitor, identify, and

assess changes to conditions, events, and activities encourages firms to concentrate their
efforts on the risks most relevant to them and contributes to the standard being
appropriately scalable. A firm may of course determine, based on its nature and
circumstances, that it is appropriate to establish specific policies and procedures for the
monitoring of developments in auditing literature or to charge a specific individual with
maintaining situational awareness.
Policies and procedures in this area may vary, depending on the size and
complexity of the firm and the types and variety of engagements it performs. For a larger
firm operating in a complex environment and auditing a wide range of different types of
companies, such policies and procedures would be extensive. For example, they could
involve periodic meetings with teams across the firm to gather and analyze the necessary
information to enable the firm to identify changes to conditions, events, and activities that
may require modification of the firm’s quality objectives, quality risks, or quality
responses. Smaller and less complex firms, operating in a less varied and more stable
environment, may have a less extensive set of policies and procedures.
If the firm identifies changes to conditions, events, or activities indicating
modifications to the quality objectives, quality risks, or quality responses may be needed,
the standard requires the firm to determine what, if any, modifications are needed, and to
make them on a timely basis. The timing depends on the nature and extent of the
modification needed. In some circumstances, immediate action may be required, whereas
in other cases, if the impact on risk is less urgent, immediate action is not necessary.
Modifications not implemented in a timely manner may fail to prevent quality risks from
occurring and adversely affecting the quality objective. For example, in the case of a new
accounting standard, the firm would need to implement any necessary modifications to its
quality responses in time so that, once the standard became effective, firm personnel
would be able to apply it properly.

2. Current PCAOB standards
Under current PCAOB QC standards, firms have a responsibility to establish and
maintain a QC system to provide the firm with reasonable assurance that its personnel
comply with applicable professional standards and the firm’s standards of quality. The
current QC standards make few explicit statements about risk assessment.169
GOVERNANCE AND LEADERSHIP
The governance and leadership component of the firm’s QC system addresses the
environment that enables the effective operation of the QC system and directs the firm’s
culture, decision-making processes, organizational structure, and leadership. A firm’s
culture and tone, as set by leadership, can and should promote the importance of quality.
The PCAOB has long considered firm governance and leadership to be an
important aspect of firms’ QC systems. For example, PCAOB inspections have
historically covered the firm’s tone at the top, a foundational aspect of governance and
leadership, during the process for reviewing firms’ QC systems.170 PCAOB inspection
procedures focus on how firm management is structured and whether actions and
communications by the firm’s leadership—the tone at the top—demonstrates a
commitment to audit quality.171
1. QC 1000
a. Governance and leadership quality objectives (QC 1000.24)

See, e.g., QC 20.16 (explaining that a firm’s policies and procedures should provide for obtaining
an understanding with the client about the services to be performed, to minimize the risk of
misunderstandings); QC 30.05 (identifying risks associated with the firm’s practice as a
consideration in determining the need for and extent of internal inspection procedures in
monitoring the firm’s QC system).

See, e.g., Report on the PCAOB's 2004, 2005, 2006, and 2007 Inspections of Domestic Annually
Inspected Firms, PCAOB Rel. No. 2008-008 (Dec. 5, 2008) at 6, available at
https://pcaobus.org/Inspections/Documents/2008_12-5_Release_2008-008.pdf; Staff Inspection
Brief, Vol. 2017/3: Information about 2017 Inspections (Aug. 2017) at 8, available at
https://pcaobus.org/Inspections/Documents/inspections-brief-2017-3-issuer-scope.pdf.

See https://pcaobus.org/oversight/inspections/inspection-procedures for information related to the
PCAOB’s inspection procedures.

Under QC 1000, a firm is required to establish quality objectives for the
governance and leadership component in several different areas:
•

The firm’s commitment to quality;

•

Organization and governance structure; and

•

Resources.

i.

The firm’s commitment to quality (QC 1000.25.a-d)

The firm’s commitment to quality is an important factor in influencing the
behavior of firm personnel and the conduct of engagements. The Board believes that the
firm’s commitment to quality is most effectively demonstrated through the
communications, actions, behaviors, and directives of leadership at all levels of the firm.
Accordingly, the quality objectives related to commitment to quality are directed at the
communications, actions, and accountability of firm leadership.
Frequent and consistent communication from leadership to firm personnel
regarding the commitment to quality is important in order to create an appropriate culture
and tone at the top. Paragraph .25a. focuses on communicating and promoting key
professional attributes by recognizing and reinforcing the firm’s role in protecting the
interests of investors and the public interest by meeting the firm’s responsibilities; the
importance of adhering to appropriate standards of conduct; the importance of
professional ethics, values, and attitudes; and expected behavior and responsibility of
firm personnel for quality both in QC-related activities and the performance of
engagements. Collectively, these attributes and expected behaviors are the foundation of
an effective QC system.
To achieve an appropriate tone at the top, however, it is not enough for firm
leadership to “talk the talk.” They also have to “walk the walk.” Accordingly, paragraphs
.25b. and .25c. establish objectives with regard to leadership’s responsibility for and
commitment to quality, including through leadership’s own behavior. For example,

leadership would demonstrate a commitment to quality by acting in a manner consistent
with the firm’s communications described in paragraph .25a. regarding expectations of
firm personnel. Conversely, repeated failure to take steps to address known quality
concerns would demonstrate a lack of commitment to quality.
One commenter sought clarification on the term “leadership,” including whether
it relates only to the specified roles in paragraph .11 and .12, or to all partners and
equivalents in the firm. Under QC 1000, leadership is not limited only to those in
specified QC roles. While the composition of leadership may vary due to the nature and
circumstances of the firm and its engagements and how the firm chooses to organize
itself, it includes firm-wide leadership; the executive team; regional, office, and industry
segment leadership; and any other levels of leadership the firm may establish. Not all
partners or partner equivalents are necessarily leadership; it would depend on the role of
the individual.
Firms and firm-related groups were broadly supportive of the Board’s proposed
quality objectives for governance and leadership. However, several commenters, mostly
investors and investor-related groups, urged the Board to go further in stressing the role
of firm leadership and the QC system as a counterbalance to the economic incentives that
may drive firms to compromise on quality. Some suggested that compensation plans
should weigh quality as much as, or more than, revenue generation. One investor-related
group suggested that the standard should increase accountability for the firm and firm
leadership’s quality control efforts. Another investor stated that audit quality should be
required to be considered at the time of the appointment of firm leadership. One
commenter suggested that leadership’s accountability should not be limited to
deficiencies and outcomes but extended to acknowledge positive behaviors and
processes.

After considering these comments, the Board revised paragraph .25b to explicitly
mention performance evaluation and compensation in the context of defining leadership’s
responsibility for quality and holding leadership accountable. The Board believes this
will drive increased clarity about the scope of leadership’s responsibilities and increased
accountability for an effective QC system, and will prompt firms to focus on their
expectations for leadership behavior and the incentives that drive it. Firms can use a
variety of different means to define the responsibility for quality and drive
accountability—from firmwide communications and policies to individualized job
descriptions, performance targets, promotion criteria, compensation schemes, and
sanctions—and can acknowledge both outcome-based and process-based measures and
both positive and negative behaviors. The revised quality objective reflects that
performance evaluation and compensation play a necessary role in that process.
While the Board agrees with the commenter that quality considerations should be
taken into account in the appointment of firm leadership, the Board believes other quality
objectives already address that issue, such as paragraph .44g of QC 1000. Additionally,
the criteria for appointing firm leadership may appropriately vary based on the size of the
firm and the nature of its practice, so the Board has avoided being prescriptive in that
regard. For example, a larger firm may have numerous candidates for leadership roles
with many criteria considered for appointment, but smaller PCAOB audit practices may
have limited personnel eligible for leadership roles.
As noted in the proposal, paragraph .25d. focuses on the firm’s commitment to
quality in relation to its strategic decisions and actions, which include matters such as the
firm’s financial goals, growth of the firm’s market share, industry specialization, business
combinations, new geographic markets, and new service offerings. The quality objective
emphasizes that a firm’s strategic decisions and actions should be consistent with and
support the firm’s commitment to quality.

One commenter expressed concern that strategic actions may take extended
periods of time to yield benefits to quality, and it may be challenging for firms to
demonstrate that such actions are consistent with a commitment to quality. The Board
notes, however, that this quality objective does not prescribe any specific time horizon,
and the Board believes it is wholly consistent with both short-term measures and longterm investments in technology, training, knowhow, and other means of strengthening a
firm’s audit practice that may take an extended period to yield measurable improvements.
Some investors and investor-related groups suggested that the Board require a
clear separation of duties between those responsible for audit quality and those
responsible for commercial interests. Two of those commenters cited the regulation of
credit ratings agencies as an example of appropriate separation of regulated activity and
commercial interests.172 Another commenter cited with approval the 2007 amendments to
the AICPA QC standard, which included application material to the effect that QC
leaders should have the authority to implement policies and procedures to ensure that
others within the firm will not override those policies to meet short-term financial goals
(a concept that does not appear in other QC standards).173
The Board considered mandating a greater degree of separation between decisionmaking about QC and potential commercial motivations, as these commenters suggested,
but the Board does not believe such separation can be achieved by all firms, especially
firms with smaller PCAOB audit practices with limited leadership roles. As discussed in
more detail below, the Board is requiring firms with larger PCAOB audit practices to
include an element of independent oversight of their QC system. Moreover, the Board

See 17 CFR 240.17g-5(c)(8), pursuant to which ratings agencies are prohibited from having any
person who participates in determining or monitoring a credit rating, or developing or approving
procedures or methodologies used for determining a credit rating, also participate in sales or
marketing or be influenced by sales or marketing considerations.

See AICPA, QC Section 10, A Firm’s System of Quality Control, paragraph .A5.

does not believe it would be appropriate to mandate a fully separate or independent QC
function. Potential conflicts of interest at the engagement level are addressed in numerous
ways in the Board’s regulatory scheme: through independence requirements,174 ethical
requirements of integrity and objectivity,175 and the basic requirement of professional
skepticism, a critical aspect of due professional care.176 At the firm level, the Board
believes that those conflicts can best be addressed by emphasizing the responsibility and
accountability of firm leadership. QC 1000 requires that responsibility for QC reside at
the highest levels of firm leadership, and that leaders are evaluated and compensated in a
way that creates accountability. In the Board’s view, appropriately incentivized firm
leadership are best positioned to set the tone and establish a quality-focused culture
throughout the firm. Rather than requiring firms to segregate the governance of the firm's
audit practice from the firm's other commercial interests, the Board believes the quality
objectives described in paragraph .25 will promote responsibility for and commitment to
quality, while allowing firms to develop quality responses appropriate to their particular
governance structure.
Lastly, one commenter suggested the governance and leadership component
should promote diversity, equity, and inclusion in recruiting talented leaders, a
governance body, and auditors. Another commenter suggested leadership can
demonstrate its commitment to quality through providing ongoing, meaningful support of
scholarly audit and accounting research. The Board has not revised the standard to reflect
these specific suggestions; however, firms may identify quality risks and design and

See PCAOB Rule 3500T, Interim Ethics and Independence Standards.

See EI 1000, Integrity and Objectivity.

The general principles and responsibilities of the auditor when conducting an audit, including
professional skepticism and due professional care, are being reaffirmed and combined in AS 1000,
as adopted. See Auditor Responsibilities Release.

implement quality responses in these areas to achieve the quality objective in paragraph
.25a or other quality objectives established by the firm.
ii.

Organizational and governance structure (QC 1000.25.e)

Establishing and maintaining appropriate firm organizational structures provides
an institutional framework supporting the firm’s QC system and the performance of the
firm’s engagements. Organizational structures may include operating units, operational
processes, divisions, and geographical locations.
Firm organizational structures may differ based on the size and complexity of the
firm in order to be flexible, scalable, and proportionate to the circumstances of the firm.
Some firms may concentrate or centralize processes or activities and other firms may
have a decentralized approach. Some firms may use internal shared service centers in the
operation of the firm’s QC system or to enable the performance of its engagements.
A firm’s governance structure may include a governing board or committee with
representation from various service lines, or with members who are independent of the
firm.177 Such a governing board may have subcommittees to assist it with managing
specific areas, such as strategic planning, resource planning, the firm’s risk assessment
process, and the monitoring and remediation process.
Paragraph .25e., which did not attract specific comment and the Board adopted as
proposed, will drive a firm’s organizational and governance structure to enable the
design, implementation, and operation of the QC system and support performance of the
firm’s engagements in accordance with applicable professional and legal requirements.
This results-oriented approach focuses on whether the QC system actually works as
intended and allows firms to tailor the establishment of their governance structure.

When the Board refers to independence in the context of firm governance, it means the criteria
typically applied to independent directors of issuers. See, e.g., New York Stock Exchange
(“NYSE”) Listed Company Manual, Section 303A.01-.02; Nasdaq Rule 5605(a)(2). This is
distinct from the requirements for auditor independence from the audit client, discussed below.

Additionally, the firm would consider the complexity and operating characteristics of the
firm as part of performing its risk assessment process and identifying quality risks.178
The assignment of roles, responsibilities, and authority within the firm’s
organizational structure is a key aspect of the design, implementation, and operation of
the QC system. Establishing clear roles and responsibilities and clear lines of authority
helps to translate the broad institutional objectives of the QC system into individual
actions to be performed and monitored, and for which individuals can be held
accountable. The assignment of roles and responsibilities may vary across firms
depending on the nature and circumstances of the firm and its engagements.179 For
example, in a smaller firm with a limited number of individuals in leadership roles, the
individual with oversight of the firm may assume all of the roles and responsibilities
related to the QC system. A larger firm may have multiple levels of leadership that align
to the firm’s organizational structure.
iii.

Resources (QC 1000.25.f)

The firm’s resources180 enable the operation of the firm’s QC system and the
performance of the firm’s engagements. Firm leadership influences the nature and extent
of the resources that the firm obtains, develops, uses, and maintains, and how those
resources are allocated or assigned, including the timing of when they are used. This
quality objective, which did not draw comment and which the Board adopted as
proposed, emphasizes the importance of the firm having the necessary resources, and
allocating them appropriately, such that the firm’s QC system is designed, implemented,

Appendix B includes an example regarding the existence and extent of governance structures
providing oversight of leadership. See QC 1000.B2.g.

See Roles and Responsibilities above, for a discussion of specific roles and responsibilities that are
required to be assigned.

See Resources below, for a discussion of the different types of resources.

and operated effectively and the firm’s engagements are performed in accordance with
applicable professional and legal requirements.
b. Governance and leadership specified quality responses (QC 1000.26-29)
The proposal included three specified quality responses in the governance and
leadership component, discussed in greater detail below. Some firms and a firm-related
group objected generally that the specified quality responses were overly prescriptive and
unnecessary, and suggested they should be reformulated as risk-based quality objectives.
Other firms generally supported including specified quality responses.
The Board believes the specified quality responses address important risks that
justify specific requirements and has retained them in the final standard. Firms are
required to include these specified quality responses when designing and implementing
quality responses to address the quality risks in the governance and leadership
component.
Proposed QC 1000 included a requirement for the firm to establish and maintain
clear lines of responsibility and supervision within its QC system. A commenter argued
that the quality objective in paragraph .25e is sufficient and the specified quality response
was not necessary. While paragraph .27 may address a portion of the firm’s quality
response to .25e, the Board believes paragraph .27 provides additional direction that is
appropriate for all firms. Establishing and maintaining structures within the firm—
including defining authorities, responsibilities, accountabilities, and supervisory and
reporting lines for roles within the firm—will support the effective design and operation
of the QC system and the performance of the firm’s engagements, regardless of the size
of the firm or the types of engagements it performs. The requirement also complements
the documentation requirements of QC 1000.181

See QC 1000.82a. for the documentation requirements related to lines of responsibility and
supervision.

One commenter expressed concern that this requirement, in combination with the
requirements of paragraph .12, could result in a prescriptive, hierarchical approach that
would not be desirable or practical. The requirement in the final standard is intended to
enhance supervision within the context of firms’ existing QC systems and supervisory
structures. It does not require firms to develop or adopt any particular supervisory
structure and would be compatible with a range of different approaches, including very
flat structures.
The commenter also expressed concern that individuals acting in a supervisory
capacity could face liability beyond what exists under Sarbanes-Oxley, which may
disincentivize teaming. As discussed above, paragraphs .15, .16, and .17 of the final
standard prescribe specific supervisory roles within a firm’s QC system, and the
individuals who fill those roles are supervisory persons who must exercise reasonable
supervision for purposes of section 105(c)(6) of Sarbanes-Oxley. Additionally, to the
extent that other individuals are assigned supervisory responsibilities in light of
paragraph .27’s specified quality response, those individuals, like all who are involved in
the design, implementation, and operation of the QC system, must exercise due
professional care as set forth in paragraph .10 of the final standard.
Another commenter recommended that individuals in supervisory roles should be
held liable only for knowing or reckless violations. The Board notes that paragraph .27
does not itself create responsibilities for supervisory personnel or prescribe standards of
liability that apply when those responsibilities are not met. Those issues are addressed
elsewhere in the PCAOB’s standards and rules, including in the roles and responsibilities
component of QC 1000 and PCAOB Rule 3502,182 as well as in section 105(c)(6) of

See PCAOB Rule 3502. The Board has proposed to amend Rule 3502 to change the standard of
conduct for associated persons’ contributory liability from recklessness to negligence and to
provide that an associated person contributing to a violation need not be an associated person of
the registered firm that commits the primary violation. See PCAOB Rel. No. 2023-007.

Sarbanes-Oxley.183 In the Board’s view, the requirement to establish and maintain clear
lines of authority and supervision primarily serves to clarify how the QC system is
structured and how it operates, by laying out clearly the authorities, responsibilities,
accountabilities, supervisory and reporting lines, and who is responsible for each element
of the QC system. If the requirement has consequences in terms of individual
accountability and liability, that would only be because it removes any doubt about which
individuals are acting in a supervisory capacity and the scope of their respective
responsibilities, thereby clarifying how these other provisions should be applied.
The proposal included a specified quality response to incorporate an oversight
function for the audit practice including at least one person from outside the firm, which
would apply to firms that issue audit reports with respect to more than 100 issuers. See
Scalability above, for a discussion of the 100-issuer threshold.
Comments were mixed on the need for and potential breadth of this requirement.
The Board received several comments, primarily from investors and investor-related
groups, suggesting that the proposed requirement did not go far enough. Some
commenters stated that the oversight function should not be limited to one individual but
instead a larger number (such as three) of independent non-employee members should be
required, or potentially an advisory council or committee of the firm’s board of directors
with multiple or even a majority of independent non-employee members. Some of these
commenters asserted that requiring only one person with undefined authority to serve in

Under section 105(c)(6) of Sarbanes-Oxley, if an associated person of a registered public
accounting firm violates any provision of law, rules, or standards referenced in section 105(c)(6),
the Board may impose sanctions on the firm or its supervisory persons if the Board finds that there
was a failure reasonably to supervise that associated person with a view to preventing such a
violation. The Board has adopted a rule related to section 105(c)(6) that provides for commencing
a disciplinary proceeding if it appears that a firm or its supervisory personnel have failed
reasonably to supervise an associated person who has committed a violation. See PCAOB Rule
5200, Commencement of Disciplinary Proceedings, at (a)(2); see also, e.g., In the Matter of Scott
Marcello, CPA, PCAOB Rel. No. 105-2022-004 (Apr. 5, 2022) (imposing sanctions under section
105(c)(6)); In the Matter of WWC, P.C., PCAOB Rel. No. 105-2022-006 (Apr. 19, 2022) (same);
In the Matter of KPMG Inc., Cornelis Van Niekerk, and Coenraad Basson, PCAOB Rel. No. 1052022-015 (Aug. 29, 2022) (same).

an oversight role makes it unlikely to be effective and falls short of the 2008
recommendations of the U.S. Treasury Department’s Advisory Committee on the
Auditing Profession, which suggested consideration of “firms appointing independent
members with full voting power to firm boards and/or advisory boards with meaningful
governance responsibilities.”184 One commenter objected that the requirement only
mandates practices that are already in place at the largest firms, and so will not generate
any change. Another commenter asserted that there is little merit in requiring an
independent member of the firm’s oversight function without also considering the
balance of the oversight function and the contribution of the independent member. Others
called for more specificity about the individual’s role, including specific powers, such as
the power to meet with firm management and obtain relevant information. Some
investor-related groups also called for transparency on the role of the non-employee
members.
Many commenters, including some larger firms, supported the oversight role.
Two commenters suggested that the requirement for an independent oversight function be
extended to apply to all firms that issue audit reports for issuers and one of these
commenters suggested having firms consider whether an independent function is an
appropriate response to achieving the quality objectives.
Other commenters, including some mid-sized firms, did not support the specified
quality response and suggested it should be a quality objective instead. One firm
suggested that the objective could be better accomplished by designating an “audit
quality expert” on a firm’s board (similar to a “financial expert” on an audit committee)
or by hiring independent external QC advisers. Some commenters expressed concern
about the lack of specificity and clarity regarding the role, including questions regarding

U.S. Treasury Department, Advisory Committee on the Auditing Profession Final Report (Oct. 6,
2008) at VII.8.

the individual’s authority and function. One noted that the individual was not required to
be a CPA and asserted that the need for and benefits of the role had not been sufficiently
articulated; on that basis, the commenter did not support it. Another commenter did not
see the linkage between the specified quality response and the quality objectives and
suggested that the lack of definition of the role, coupled with a lack of clarity about
which quality objectives were being addressed, would make implementation challenging.
Other commenters stated that finding individuals to fill this role may be challenging.
Some commenters requested guidance on how to implement the requirement,
including with respect to the qualifications or roles of the individuals. One firm sought
clarity on whether supervisory liability under Sarbanes-Oxley section 105(c)(6) would
apply equally to members with an oversight or advisory function. Some commenters,
including firms, expressed concern about the potential scope and meaning of the terms
such as “governance structure,” “independent judgment,” and “oversight function,” and
requested confirmation that current practices such as independent advisory boards are a
permissible approach. One firm requested an extended implementation period to allow
time for firms to design and implement the oversight function, including identifying and
onboarding appropriate individuals.
Based on the comments received, the Board refined the proposed requirement to
provide additional specificity and clarity. The final rule refers to an “external” oversight
function “for the QC system composed of one or more persons,” none of whom has a
disqualifying relationship with the firm. This more precise language clarifies that the
focus is on the QC system and emphasizes that the function is to be carried out entirely
by one or more persons external to the firm, who are not principals or employees of the
firm and do not have any other relationship with the firm that would interfere with the
exercise of independent judgment with regard to QC-related matters. The Board also
added a name for the position—External QC Function, or EQCF—which it believes

clarifies and underscores that the person or persons are external to the firm and serve in a
QC-focused role.185 The Board also conformed the provision to the descriptions in QC
1000.12 of other specified QC system roles by providing that the EQCF should have the
experience, competence, authority, and time necessary to enable them to carry out the
responsibilities assigned to them by the firm.
To clarify what is entailed in “an external oversight function for the QC system,”
the final standard also specifies a baseline requirement that the EQCF’s responsibilities
should include evaluating, at a minimum, the significant judgments made and the related
conclusions reached by the firm when evaluating and reporting on the effectiveness of its
QC system. The Board believes this addition is responsive to commenters who requested
clarification of the proposal, as well as those suggesting that the standard include some
specific requirements with respect to the role. The Board expects that firms will make a
number of significant judgments in performing and reporting on their QC system
evaluation. The Board expects that the person or persons serving in this external
oversight function will evaluate judgments made by firm personnel in the firm’s
evaluation of the firm QC system and the required reporting.
The evaluation performed by the EQCF will be in some respects analogous to the
EQR’s evaluation of significant judgments made by the engagement team and the related
conclusions reached in forming the overall conclusion on the engagement and in
preparing the engagement report.186 Like the EQR, the EQCF will review and evaluate
work performed by others, not redo the work, and must exercise due professional care in
performing their responsibilities.187

Firms may assign other functions to the person or persons serving in the EQCF role so long as the
specified QC function can be carried out as set forth in the standard and discussed in this release.

See AS 1220.09.

See QC 1000.10; AS 1220.12.

However, there are important differences between the requirements for the EQR
and the EQCF. Unlike the EQR standard, QC 1000 does not impose specific limits on the
length of service of the EQCF, though firms should consider the potential for
arrangements relating to length of service, such as term limits and protections against
removal, to prevent the creation of a relationship with the firm that impairs independent
judgment. QC 1000 also does not specify the procedures the EQCF should perform to
evaluate the significant judgments made and related conclusions reached. These may vary
based on the circumstances of the firm and the design, implementation, and operation of
its QC system, but must be sufficient to enable the EQCF to perform their evaluation with
due professional care. In addition, unlike the EQR standard, QC 1000 does not require
that the EQCF provide concurring approval of reporting, although firms would be free to
establish such concurring approval as a matter of policy. Documentation will have to be
prepared and maintained in sufficient detail to evidence how the quality response
operated.188 This will form part of the QC documentation supporting the firm’s ongoing
risk assessment and monitoring and remediation efforts, as well as the Board’s oversight
activities. Under QC 1000.65, firms will be required to consider the EQCF’s evaluation
in their ongoing monitoring of the QC system (including monitoring of the evaluation
process).
Separately, the Board carefully considered commenter suggestions to increase the
required number of independent individuals and to establish specific eligibility criteria
for them. Given the oversight responsibility of an EQCF, the Board believes at least one
person is always necessary and firms may determine, based on their circumstances, that
more than one person is needed to appropriately carry out the function. The Board

QC 1000.83b. The board expects such documentation to include both (1) how the EQCF evaluated
the significant judgments made and the related conclusions reached by the firm when evaluating
and reporting on the effectiveness of its QC system and (2) the results of the EQCF’2 evaluation.

believes the requirement will respond to the quality objective in paragraph .25e by
ensuring an independent perspective on QC matters, but it does not supplant firm
leadership or relieve them of their fundamental responsibility to instill and maintain a
firm culture that appropriately prioritizes QC. Accordingly, the Board does not believe it
would be appropriate to mandate a specific number of individuals or the specific
credentials they must have (besides their ability to exercise independent judgment with
regard to matters related to the QC system and the general requirement that they have the
experience, competence, authority, and time necessary to enable them to carry out their
assigned responsibilities). Rather, the decision will be based on specific skillsets of the
person or persons in this function to be able to carry out the requirements of the function.
In that regard, firms may conclude that one or persons appointed to the EQCF should be
non-auditors to bring a greater diversity of perspectives to the function.
Beyond the minimum responsibilities specified in the standard, the Board gave
firms flexibility in establishing other responsibilities of the EQCF, enabling the function
to best respond to the nature and circumstances of the firm. For example, if the firm has
experienced an increase in recurring engagement deficiencies, the firm may charge the
EQCF with reviewing and evaluating the firm’s remediation actions and monitoring plan.
As another example, a firm may assign the EQCF with strategic responsibilities, such as
maintaining situational awareness through the identification and monitoring of emerging
risks or trends that could potentially affect the firm’s QC system. While QC 1000
specifies that the EQCF exercise oversight over the QC system, the firm may also choose
to extend its authority more broadly. The responsibilities assigned to the EQCF will in
turn drive decisions about the scope of the EQCF’s authority. At a minimum, that will
entail sufficient access to information, documentation, and firm personnel to enable
evaluation of the significant judgments made and the related conclusions reached by the
firm when evaluating and reporting on the effectiveness of its QC system, but it could be

broader depending on the scope of the EQCF’s responsibilities as assigned by the firm.189
Consideration of the experience, competence, and time necessary to serve in the role will
likewise depend on the responsibilities assigned by the firm.
The firm may consider many matters when establishing an EQCF. Such matters
could include:
•

The responsibilities assigned by the firm to the EQCF, including those specified
in QC 1000;

•

The qualifications required of the individual(s) assigned to fulfill those
responsibilities, including those specified in QC 1000;

•

The scope of authority afforded to the EQCF in light of the assigned
responsibilities;

•

Whether to establish a direct line of communication from the EQCF to the
individual assigned ultimate responsibility and accountability for the QC system
as a whole, or the individual assigned operational responsibility for the QC
system as a whole, or both;

•

Whether to require that the EQCF comply with independence requirements
applicable to auditors;190

•

The level of external transparency of the EQCF’s role and responsibilities;

•

The compensation structure for the EQCF; and

•

The term of service for the EQCF, including restrictions on removal and limits on
length of service.

The scope of the firm policies and procedures regarding the EQCF will also depend on its role and
the associated risks. For example, pursuant to QC 1000.53g, firms will have to develop policies
and procedures regarding information communicated to and obtained from the EQCF.

See Regulation S-X Rule 2-01(b)-(c), 17 CFR 210.2-01(b)-(c), and PCAOB Rules under Section
3, Auditing and Related Professional Practice Standards, Part 5-Ethics and Independence.

In making these determinations, the firm should be mindful of the requirement
that members of the EQCF not have any relationship with the firm that would interfere
with the exercise of independent judgment with regard to matters related to the QC
system.
The EQCF could be, but would not be required to be, in the “chain of command”
under the SEC independence rule.191 The Board does not believe that the EQCF would be
a “supervisory person” under Sarbanes-Oxley section 105(c)(6) solely by virtue of having
evaluated the significant judgments made and related conclusions reached by the firm
when evaluating and reporting on the effectiveness of the firm’s QC system. However,
depending on the nature and degree of their responsibility, ability, or authority to affect
the conduct of the firm’s associated persons, as established by the firm, the EQCF could
be subject to Sarbanes-Oxley section 105(c)(6).
The Board has not required the results of the EQCF’s evaluation to be publicly
disclosed.192 However, nothing set forth in this release would limit or prohibit firms from
disclosing any information about the EQCF’s activities—including the EQCF’s practices,
methods, or procedures, or the manner or results of the EQCF’s evaluation— if the firm
chooses.
Based on comments received and experience with inspections of firms’ systems
of quality control, the Board believes that investors, audit committees, and other
stakeholders will benefit from the EQCF’s evaluation even in the absence of public
disclosure. An external oversight function should enhance the discipline with which the
firm carries out its own QC system evaluation. As the Board observe the implementation

See 17 CFR 210.2-01(f)(8).

For a discussion of certain legal constraints imposed by Sarbanes-Oxley on the Board’s ability to
require public disclosure of certain QC-related information, see Section IV.L.1.c.ii. As part of a
separate project, the Board has proposed a requirement for firms that have an EQCF to disclose
the identity of the person or persons, an explanation for the basis of the firm’s determination that
each such person is independent of the firm (including the criteria used for such determination),
and the nature and scope of each such person’s responsibilities. See PCAOB Rel. No. 2024-003.

and performance of the EQCF through its inspection activities, the PCAOB may publish
observations or good practices. For these reasons, the Board believes that the EQCF will
support improvements in firms’ systems of quality control, ultimately benefiting
investors, audit committees, and other stakeholders.
People internal and external to the firm can help a firm identify instances of
noncompliance with applicable professional and legal requirements earlier than might be
possible through the firm’s own monitoring.193 The proposal included a specified quality
response requiring policies and procedures for addressing potential noncompliance with
applicable professional and legal requirements and with the firm’s policies and
procedures with respect to the QC system, the firm’s engagements, firm personnel, or
other participants.
This would include clearly defining channels within the firm that enable reporting
of complaints and allegations by firm personnel and external parties (e.g., employees of
companies or other participants) and establishing procedures for appropriately
investigating and addressing such complaints and allegations, including complying with
any applicable reporting or other requirements.194
The proposal sought comment on the appropriateness of this specified quality
response, and whether any additional specified quality responses should be considered.
Two firms that commented supported the specified quality response. Two other firms
expressed concern with the prescriptiveness of other participants being included in the

In addition, through this process information may be received regarding noncompliance with laws
and regulations by companies that engage the firm.

A firm’s program for addressing complaints and allegations may be subject to requirements under
applicable law regarding whistleblowers (such as, for example, N.Y. Labor Law Section 740).
However, such a program should not be confused with a whistleblower program established and
administered by the Federal government, including the program administered by the SEC, which
has its own requirements and protections. See, e.g., 17 CFR 240.21F-1 through .21F-18. To the
extent a firm’s program for addressing complaints and allegations provides protective measures,
such as confidentiality and non-retaliation, based only on firm policy and not on law, such
protective measures may not create legally enforceable rights.

requirement. One investor suggested there should be an explicit requirement for a
whistleblower mechanism with key protections such as confidentiality and protection
against retaliation, and that the individual responsible for the firm’s QC system be
responsible for the investigation of whistleblower complaints and remediation of QC
issues identified by whistleblowers.
The Board adopted the specified quality response with some modifications,
described below. The Board believes that establishing policies and procedures that
support the reporting and investigation of potential noncompliance will assist firms in
complying with applicable professional and legal requirements. It will also assist them in
identifying and dealing with individuals, including those in leadership, who fail to
comply with applicable professional and legal requirements or the firm’s policies and
procedures. Finally, it may result in firm personnel or external parties identifying and
communicating deficiencies in the QC system.
The final provision retains the reference to other participants, as the Board
believes it is important for the firm to capture any potential noncompliance with
applicable professional and legal requirements, including with regard to work performed
by other participants that relates to the firm’s QC system or the firm’s engagements.
The Board has expanded the requirements related to the firm’s policies and
procedures for collecting and addressing complaints and allegations to explicitly require
that they:
•

Be made available to all firm personnel and other participants;

•

Address processes and responsibilities for receiving, investigating, and addressing
complaints and allegations; and

•

Include protecting persons making complaints and allegations from retaliation.

The Board also expanded the specified quality response to require firms that
issued audit reports with respect to more than 100 issuers during the prior calendar year
to include confidentiality protections in their policies and procedures.
The firm’s policies and procedures regarding complaints and allegations should
be made available to all firm personnel and other participants, which could occur by
posting them on an intranet site or providing such policies and procedures to other
participants upon engagement. The policies and procedures should include identifying
who is responsible for receiving, investigating, and addressing complaints and
allegations; describing the process for submitting complaints and allegations; and
describing how the firm will investigate and address complaints and allegations received.
The Board also specified that the policies and procedures should explicitly address
protection against retaliation of persons making complaints and allegations, which the
Board believes is a critical element of any effective program for receiving complaints and
allegations.
The required policies and procedures regarding investigating and addressing
complaints and allegations allow scalability. The process for investigating and addressing
a complaint or allegation would vary, commensurate with and responsive to the
significance of the complaint or allegation.
For firms that issued audit reports with respect to more than 100 issuers during the
prior calendar year, the policies and procedures will have to provide a confidential and
anonymous submission process for complaints and allegations, similar to the
requirements for audit committees under the Exchange Act.195 For example, a firm may
have a confidential and anonymous submission process through a website, toll-free
number, or mobile app, and could manage the process in-house or through a third-party

See 15 U.S.C. §78j-1(m).

provider. The firm’s policies and procedures will also have to provide for protection,
during the investigation, of the confidentiality of individuals and entities who make
complaints and allegations. The Board believes this requirement specifically targets and
responds to potential quality risks that are more likely to arise in audit practices of a
certain size and complexity. However, firms that are not subject to this express
requirement may nevertheless determine that such requirements are a necessary or
appropriate quality response to address their quality risks.
2. Current PCAOB standards
Existing PCAOB QC standards contain limited references to firm governance and
leadership. For example:
•

QC 20 acknowledges that the QC system includes the firm’s organizational
structure;196

•

The SECPS member requirements on independence quality controls provide that
the importance of compliance with such independence standards, and the QC
standards, should be reinforced by management of the member firm, thereby
setting the appropriate tone at the top and instilling its importance into the
professional values and culture of the member firm;197 and

•

The SECPS member requirements provide that member firms should
communicate to all professional firm personnel the broad principles that influence
the firm’s quality control and operating policies and procedures on, at a minimum,
matters related to the recommendation and approval of accounting principles,
present and potential client relationships, and the types of services provided, and

See QC 20.04.

See SECPS 1000.46.

inform professional firm personnel periodically that compliance with those
principles is mandatory.198
ETHICS AND INDEPENDENCE
This component addresses the fulfillment of firm and individual responsibilities
under relevant ethics and independence requirements. Adhering to such requirements is a
foundational concept that not only promotes audit quality but also safeguards the vital
role that auditors play within the capital markets.
The ethics and independence component of the standard has been tailored to the
ethics and independence requirements that apply to engagements performed under
PCAOB standards. Under the standard, ethics and independence requirements include the
PCAOB’s ethics and independence standards and rules, the SEC’s rule on auditor
independence, and other applicable requirements regarding accountant ethics and
independence, such as those arising under state law or the law of other jurisdictions (e.g.,
obligations regarding client confidentiality).199 The Board clarified that the reference to
other applicable requirements is limited to those that are relevant to fulfilling auditor
obligations and responsibilities in the conduct of engagements or in relation to the QC
system. The standard requires firms to establish quality objectives related to ethics and
independence requirements and design and implement specified quality responses.
1. QC 1000
a. Ethics and independence quality objectives (QC 1000.31)

See SECPS 1000.08(l).

Footnote 10 to QC 1000 provides: Ethics and independence requirements include PCAOB
independence and ethics standards and rules, the U.S. Securities and Exchange Commission
(“SEC”) rule on auditor independence, and other applicable requirements regarding accountant
ethics and independence that are relevant to fulfilling their obligations and responsibilities in the
conduct of engagements or in relation to the QC system, such as those arising under state law or
the law of other jurisdictions. See, e.g., 17 CFR 210.2-01, and PCAOB Rules under Section 3.
Auditing and Related Professional Practice Standards, Part 5 – Ethics and Independence.

Understanding of and compliance with ethics and independence requirements are
fundamental to the auditor’s role. Adherence to standards of professional ethics is as
important as adherence to requirements regarding auditor independence, and firms’ QC
systems should address both. Under the standard, firms are required to establish quality
objectives that address understanding of and compliance with ethics and independence
requirements. While maintaining independence and adhering to ethical requirements is
each individual’s responsibility, the firm also has responsibility and plays a critical role in
ensuring that individuals understand those requirements and have the tools and resources
they need to comply.
One firm suggested that the Board clarify the ethical requirements that are subject
to the responsibility of the individual assigned operational responsibility for the firm’s
compliance with ethics and independence requirements. The firm specifically commented
that competence and due care are characteristics required by both ethical standards and
QC standards, and as a result, there could be confusion over whether such requirements
are ethical requirements or quality control requirements when determining the
responsibility of the individual assigned operational responsibility for the firm’s
compliance with ethical and independence requirements. In some cases, a matter may be
applicable to the responsibilities of both the individual assigned operational responsibility
for the firm’s compliance with ethics and independence requirements and the individual
assigned operational responsibility and accountability for the QC system as a whole. A
firm could divide responsibilities based on the specific issues involved, so long as the
lines of responsibility are clear (for example, duties of competence and due care in the
context of the audit, codified under the PCAOB’s ethics rules, could be assigned to the
individual with operational responsibility for compliance with ethics and independence
requirements, while duties of competence and due care in the context of QC system

activities, codified in QC 1000, could be assigned to the individual with operational
responsibility for the QC system).
Under the standard, the firm is required to establish a quality objective to identify
conditions, relationships, events, and activities that could result in violations of ethics and
independence requirements and evaluate and respond to such conditions, relationships,
events, and activities on a timely basis. This will help the firm reduce the risk of
noncompliance by identifying potential violations of ethics and independence
requirements in time to prevent many violations and to quickly remediate violations that
do occur. For example, a firm that plans to acquire another firm could identify the
acquisition as an event that could result in independence violations by the personnel of
the acquired entity. This could prompt the firm to develop policies and procedures that
address onboarding processes for firm personnel of acquired entities around
independence. These policies and procedures would assist in identifying and resolving
potential independence violations before the acquisition is completed. One firm
commented that as the proposed quality objectives for ethics and independence are
broadly consistent with other jurisdictional and international quality control/management
standards, it believes that they are appropriate, and no further changes are needed.
An investor-related group expressed concern that the proposal did not sufficiently
address conflicts of interest, such as when an audit firm performs other services for the
audited company. The investor-related group further commented that without clear
separation between those responsible for quality control and those responsible for
maintaining client relationships and winning consulting contracts, investors can have less
than full confidence the system of quality control will ensure the necessary level of audit
quality. The Board acknowledges that QC 1000 does not create new requirements
regarding auditor independence. However, in relation to the commenter’s specific
concern about the performance of non-audit services, QC 1000 requires the QC system to

operate over compliance with numerous restrictions on non-audit services that exist under
current independence rules enacted in response to previous independence conflicts.200
QC 1000 establishes quality objectives that apply to all firms. Within the ethics
and independence component, firms are required to establish quality objectives that
address both personal and firm-level compliance. Personal violations include such
matters as owning stock in companies that are audit clients of the firm or its affiliated
entities while a “covered person in the firm.”201 Firm-level violations include such
matters as providing prohibited services or failing to obtain required audit committee preapproval. The Board has also included specified quality responses that directly address
the firm’s policies and procedures for identifying and monitoring firm and personal
relationships with audit clients to help mitigate the risk of potential violations. In
addition, the roles and responsibilities requirements direct firms to assign an individual
operational responsibility for the firm’s compliance with ethics and independence
requirements to provide oversight specifically focused on this area.
The quality objectives address compliance with ethics and independence
requirements not just by firm personnel, but also by others who may be subject to ethics
and independence requirements in relation to work they perform on behalf of the firm.
These others may include, for example, “persons associated with a public accounting
firm” as defined in PCAOB rules202 or “covered persons in the firm” under the SEC
independence rule.203 The Board notes that these and other concepts used in the ethics
and independence rules do not map directly to the terminology the Board generally uses
in QC 1000. (For example, some “other participants,” such as other accounting firms, are

See, e.g., 17 CFR 210.2-01(c)(4); PCAOB Rules 3522-3526.

See 17 CFR 210.2-01(f)(11).

See PCAOB Rule 1001(p)(i).

For example, because the definition of “accounting firm” under 17 CFR 210.2-01(f)(2) includes
associated entities, “covered persons in the firm” may include personnel of network affiliates in
addition to firm personnel.

subject to independence requirements, while others, such as engaged specialists and the
company’s internal auditors, are not.) To ensure that the requirements for this component
of the QC system align with, and do not go beyond, the ethics and independence
requirements over which the QC system would operate, in this component the Board uses
terminology that incorporates or refers back to the underlying ethics and independence
requirements. For example, rather than having quality objectives address compliance by
“other participants,” in this component the quality objective addresses compliance by
“others subject to [ethics and independence] requirements.”
One firm commented that it supported the direction of the quality objectives, but
asserted that some of the terms were confusing as it related to “others subject to ethics
and independence requirements.” The firm questioned whether these correspond to other
participants as defined in the standard. The firm further commented that the terminology
used for others subject to ethics and independence requirements could create operational
challenges because those terms are open to interpretation and requested that the Board
clarify the language the standard used. The firm suggested that the proposed requirements
that contain this language could go beyond the intended applicability of the independence
rules to the various parties contemplated. Again, the Board uses terminology in this
component that incorporates or refers back to the terminology used in ethics and
independence rules, terminology which it believes is well understood in those contexts.
The Board uses it precisely to avoid going beyond the scope of existing ethics and
independence requirements, and to ensure that QC 1000 addresses exactly the same
population as the ethics and independence rules themselves.
One firm commented that while the proposed quality objectives for ethics and
independence are appropriate and important, further clarification may be needed of how
the objectives apply to firm personnel. Specifically, the firm argued that it could be
inferred that the ethics and independence requirements extend to all individuals involved

in the operation of the firm’s QC system, including those individuals who are not subject
to the requirements under the existing PCAOB and SEC independence rules, for example,
data research teams. QC 1000 does not impose ethics and independence requirements on
individuals who are not currently subject to them. References in the standard to
“requirements” and “obligations” are to existing requirements and obligations which
themselves specify to whom they apply. However, firms may choose to implement
broader policies regarding ethical behavior that impose requirements on individuals who
are not subject to the ethics and independence rules of the PCAOB and the independence
rule of the SEC.
With respect to the timing of communication of violations to the individual
assigned operational responsibility for the firm’s compliance with applicable ethics and
independence requirements, the quality objective states that such actions should take
place on a timely basis. One firm agreed that timely communication of ethics and
independence related matters within the firm is important for audit quality, but expressed
concern that the prescriptive nature of the requirements addressing communications may
detract from the achievement of the intended objectives. The firm suggested that it is
important to recognize that the evaluation of certain matters would be done in accordance
with the firm’s policies and procedures, which are designed to strike a balance between
prematurely alerting individuals to matters for which the facts and potential impacts are
not sufficiently known and making sure those with ultimate responsibility for decisions
are made aware on a timely basis. The final standard does not specify that all violations
need to be communicated immediately. However, the Board believes timely
communication and action should be sufficiently prompt to achieve its objective. In some
cases, for example, where there is a high risk of a severe or pervasive problem,
communication and action may have to be immediate to be timely.
b. Ethics and independence specified quality responses (QC 1000.32-.36)

The specified quality responses are primarily based on existing PCAOB ethics
and independence requirements and SEC independence requirements, including the
provisions regarding independence quality controls that currently apply to SECPS
member firms.204 The Board incorporated these SECPS member requirements into
QC 1000, with some refinements, and extending those requirements to all firms. The
Board’s view is that the SECPS requirements address matters that are generally relevant
to a QC system operating over compliance with SEC and PCAOB independence rules.
Since those rules apply to all firms that perform engagements for issuers and broker
dealers, the Board believes it is appropriate to extend the SECPS requirements to all
firms.
Under the standard, the firm is required to design, implement, and maintain
policies and procedures for the following:
•

General ethics and independence matters;

•

Certain specific matters that may reasonably be thought to bear on independence;

•

Communication regarding ethics and independence policies and procedures; and

•

Mandatory training on ethics and independence.
One firm commented that it generally supports the specified quality responses and

believes that it is appropriate to have the same set of independence requirements apply
for all firms. Another firm suggested that the specified quality responses are not
necessary to achieve the objectives of QC 1000. Instead of prescriptive specified
responses, the firm suggested that the standard include more specified quality objectives
which would promote scalability and allow for future adaptations to technological or
other innovations. Another commenter said that the proposal expanded on the
independence requirements in a granular manner and suggested that the details be moved

See SECPS 1000.46.

into an appendix or practice aid or provided as additional guidance to help reduce
differences between QC 1000 and other standard setters. The specified quality responses
for the ethics and independence component primarily carry forward existing requirements
from the PCAOB’s QC standards and extend certain existing requirements to all firms.
The Board believes that the specified quality responses relate to risks that apply to all
firms and therefore should be addressed by all firms. The Board intends them to be
obligations of all firms and have therefore codified them within the rule text rather than
as guidance.
i.

QC policies and procedures about general ethics and independence
matters (QC 1000.33)

The standard requires the adoption of policies and procedures regarding general
ethics and independence matters, carrying forward current PCAOB and SEC
requirements.
The proposed requirement in QC 1000.33.a did not draw comment and was
adopted as proposed.
The phrase “may reasonably be thought to bear on independence” is used in
PCAOB Rule 3526205 and should be familiar to all firms. It is taken from an
independence standard that predates the existence of the PCAOB,206 and, as the Board
noted in connection with the adoption of Rule 3526, it focuses auditors on the perceptions
of reasonable third parties when making independence determinations. It is consistent
with the SEC’s general standard on independence.207 The firm’s policies and procedures
are required to address all matters that may reasonably be thought to bear on the

See PCAOB Rule 3526 (requiring auditors to describe to the audit committee relationships that
may reasonably be thought to bear on independence).

See Independence Standards Board Standard No. 1, Independence Discussions with Audit
Committees. ISB No. 1 was included in the Board’s interim standards until it was superseded by
the adoption of Rule 3526.

See 17 CFR 210.2-01(b).

independence of the firm, firm personnel, and affiliates of the firm under SEC and
PCAOB rules.
In addition to the broad concept of matters that “may reasonably be thought to
bear on independence,” SEC and PCAOB rules address certain specific matters that bear
on independence. For example, 17 CFR 210.2-01(c) sets forth a non-exclusive list of
circumstances that the SEC considers to be inconsistent with independence.208 Such
circumstances include, among others, certain financial relationships, employment
relationships, business relationships, non-audit services, contingent fees, and
circumstances related to partner rotation. PCAOB rules also list certain prohibited tax
transactions and tax services that would make the firm not independent of its client.209
The underlying facts and circumstances and relevant requirements will determine
what actions need to be taken by the firm to address a matter that may reasonably be
thought to bear on independence. For example, in some situations, it will be sufficient to
communicate the matter to the audit committee. In other situations, further action may be
required.
The proposed requirements in QC 1000.33.b-c did not draw comment and were
adopted substantially as proposed.
Integrity and objectivity are important ethical concepts currently addressed in QC
20.210 Under the existing standard, integrity requires personnel to be honest and candid
within the constraints of client confidentiality, whereas objectivity imposes the obligation
to be impartial, intellectually honest, and free of conflicts of interest.
As discussed in more detail below, the Board rescinded the interim ethics and
independence standard, ET 102, Integrity and Objectivity, and replacing it with a new

See 17 CFR 210.2-01(c).

See PCAOB Rule 3522, Tax Transactions; PCAOB Rule 3523, Tax Services for Persons in
Financial Reporting Oversight Roles.

See QC 20.10.

standard, EI 1000, Integrity and Objectivity.211 QC 1000 includes a reference to that new
rule and to PCAOB Rule 3500T, Interim Ethics and Independence Standards.
The final standard clarifies that firm personnel are expected to demonstrate
integrity and objectivity in carrying out all of their professional responsibilities associated
with the QC system and the performance of engagements. This includes activities ranging
from the design and implementation of the QC system, monitoring and remediation, and
evaluation of the QC system, to training and professional development; planning,
performing, and supervising engagements; and internal and external communications.
The Board also believes that it is important for the firm’s policies and procedures to
address obligations related to integrity and objectivity for associated persons of the firm,
other than firm personnel, who perform work on behalf of the firm.
The proposed requirement in QC 1000.33.d did not draw comment and was
adopted as proposed.
Establishing a consultation process on independence matters is an existing
concept under SECPS independence requirements. Currently, SECPS member firms are
required to designate a senior-level partner responsible for overseeing the adequate
functioning of the firm’s independence policies and consultation process.212
The Board expanded this concept in QC 1000 by covering not only independence
matters, but also ethics matters, and by expressly requiring the firm’s policies and
procedures to address the identification of ethics and independence matters that require
consultation. The Board believes the specific focus on identifying matters requiring
consultation should prompt firm personnel and others subject to such requirements to
more effectively identify ethics and independence issues that are new, challenging, or

See Rescission of ET Section 102; adoption of EI 1000; related amendments.

See SECPS 1000.46 (requirement 5).

complex and that would benefit from evaluation by subject matter experts. The Board
applied the requirement to all firms, not just SECPS member firms.
Under existing SECPS requirements, member firms are required to establish a
monitoring system to determine that corrective actions are taken on all apparent
independence violations reported by firm personnel.213 Under those requirements, the
monitoring system should include procedures to provide reasonable assurance that (i)
investments of the firm and its benefit plans are in compliance with the firm’s policies
and (ii) information received from its partners and managers is complete and accurate.
The SECPS requirements do not prescribe specific activities for the monitoring system,
other than stating that generally it includes auditing, on a sample basis, selected
information such as brokerage statements, or alternative procedures that accomplish the
same objective. One firm requested clarification of whether auditing, on a sample basis,
selected information such as brokerage statements, will be mandatory under QC 1000.
The standard does not prescribe specific activities to monitor compliance with ethics and
independence requirements and the firm’s ethics and independence policies. This allows
scalability based on the firm’s size and specific circumstances. The Board expects that
firms that have developed monitoring systems to comply with SECPS requirements
would continue to use these systems as one aspect of monitoring compliance under the
standard. While auditing brokerage statements is not mandatory under QC 1000, the firm
must design, implement, and maintain policies and procedures to monitor compliance
with applicable ethics and independence requirements and related firm policies and
procedures. Based on the firm’s size and specific circumstances, a firm can choose which
monitoring activities are an effective response to meet the quality objective.

See SECPS 1000.46 (requirement 7.d).

With respect to compliance with applicable ethics and independence requirements
by the firm and its affiliates, the Board understands that firms employ various manual and
automated tools for evaluating whether the firm and its affiliates comply with SEC and
PCAOB independence requirements and the firm’s independence policies and
procedures. Some examples of such tools include having a centralized process to monitor
business relationships, establishing an independence confirmation process that includes
detailed guidance and questions related to independence and prohibited non-audit
services, and periodic review of the completeness and accuracy of information reported
on independence confirmations.
A firm may establish ethics and independence policies and procedures that are
more restrictive than the rules of the SEC and PCAOB—for example, to comply with
requirements of other jurisdictions or to simplify compliance with SEC and PCAOB
requirements by setting bright-line policies and reducing the range for individual
judgment. Under the standard, the firm’s evaluation of compliance covers applicable
ethics and independence requirements as well as the firm’s policies and procedures.
The proposed requirements in QC 1000.33.f were adopted substantially as
proposed.
As previously discussed, QC 1000 includes the existing SECPS requirement for
firms to have policies and procedures that address independence violations and expands
the requirement to cover all firms and to include ethics violations.
Under the standard, the firm is required to establish policies and procedures
addressing violations and potential violations of ethics and independence requirements.
These types of policies and procedures are intended to be preventive, detective, and
corrective by nature.
The firm’s policies and procedures are required to address identifying conditions,
events, relationships, or activities that could constitute ethics or independence violations

involving the firm, firm personnel, and, with respect to work performed on behalf of the
firm, others subject to such requirements. For example, if a firm or its network is
contemplating a reorganization or restructuring that would affect the relationships among
affiliated firms or other entities, identifying post-reorganization investment activities as
such an activity could assist the firm in designing and implementing appropriate policies
to prevent independence violations.
With respect to ethics and independence violations that do or could occur, the
firm’s policies and procedures are required to address the taking of preventive and
corrective actions to address violations on a timely basis. Such policies and procedures
could specify the individuals responsible for taking preventive and corrective actions (at
the engagement or firm level), the timing of preventive and corrective actions, and any
potential sanctions against firm personnel or other individuals for violating ethics and
independence requirements. While one firm supported bringing greater attention and
accountability to the ethics and independence component, it suggested that the level of
prescription may create operational challenges that could be detrimental to audit quality.
Specifically, with regards to paragraph .33f.(2), the firm commented that ethical or
independence violations may take a variety of forms and that dictating that preventive
and corrective actions must be taken does not promote a risk-based approach. The
standard requires that a firm’s policies and procedures address, with respect to violations
and potential violations, the taking of preventive and corrective actions, as appropriate.
Ethics or independence violations may take a variety of forms, and therefore the nature
and extent of the preventive and/or corrective actions may also take a variety of forms
commensurate to the severity and pervasiveness of the violation.
The firm’s policies and procedures are required to address reporting of ethics and
independence violations. QC 1000 requires that firm personnel and others performing
work on behalf of the firm that are subject to the ethics and independence requirements

report both their own violations and other violations of which they become aware that
may affect the firm. The Board revised the language in proposed paragraph .33f.(3) to
clarify that the requirement applies to others performing work on behalf of the firm that
are subject to the ethics and independence requirements.
The standard takes a principles-based approach, which allows each firm to
determine which reporting mechanisms best fit its structure and address its quality risks.
Through the Board’s oversight activities, it has observed that firms employ various
mechanisms for firm personnel to report violations. Some examples include direct
communication lines to an ethics and independence group, designated individuals within
the human resources department or the legal department, and whistleblower hotlines.214
Firms may assess each case individually and involve appropriate subject matter experts,
depending on the nature of the violation. Some firms also establish escalation protocols
for certain types of ethics and independence violations (e.g., violations involving a
partner in the firm).
In addition, the firm’s policies and procedures are required to address any
communications that need to take place as a result of a violation of ethics and
independence requirements. For example, PCAOB Rule 3526 requires certain
communications to the audit committee regarding matters that are thought to bear on the
firm’s independence, including violations of independence requirements.
ii.

QC policies and procedures about certain matters that may reasonably be
thought to bear on independence: restricted entities, independence and
ethics certifications, and matters requiring audit committee pre-approval

Under the standard, the firm’s policies and procedures on matters that may reasonably be
thought to bear on the independence of the firm are required to address, among other

See, e.g., paragraph .29 of QC 1000, discussed above, for requirements regarding firm processes
for addressing complaints and allegations.

things, (1) restricted entities, including the maintenance and dissemination of the list of
restricted entities; (2) independence and ethics certifications; and (3) matters requiring
audit committee pre-approval.
1) Restricted entities (QC 1000.34.a-d)
Most of the requirements related to restricted entities come from existing SECPS
member requirements,215 which will now apply to all firms. Under the standard, as under
current requirements, restricted entities include all audit clients (including affiliates of the
audit client) of the firm and affiliates of the firm. One firm commented that the proposal
did not define “affiliates” and recommended either referencing the definition provided in
PCAOB Rule 3501 or defining the term in the standard in a manner similar to Rule 3501.
“Audit client,” “affiliate of the audit client,” and “affiliate of the accounting firm” are
terms defined in existing PCAOB and SEC rules.216 As proposed, paragraph .34 includes
a footnote referring to those definitions.
Existing SECPS requirements require firms that audit more than 500 SEC
registrants to have an automated system to identify investment holdings of partners and
managers that might impair independence.217 As proposed, the Board required an
automated system for firms that issued audit reports with respect to more than 100 issuers
during the prior calendar year. The Board understands that firms that audit more than 500
SEC registrants already have automated systems in place, based on the SECPS

The SECPS term “restricted entities” includes all audit clients of the firm (and, where applicable,
its foreign-associated firms) that are SEC registrants, along with other entities that the firm is
required to be independent of under the applicable SEC requirements.

“Audit client” is defined for purposes of SEC rules in 17 CFR 210.2-01(f)(6), and for purposes of
PCAOB rules in PCAOB Rule 3501(a)(iv). “Affiliate of the audit client” is defined in PCAOB
Rule 3501(a)(ii) as having the same meaning as defined in 17 CFR 210.2-01(f)(4). “Affiliate of
the accounting firm” is defined in PCAOB Rule 3501(a)(i) and, for purposes of the Note to
paragraph .34a., “accounting firm,” which includes the firm’s associated entities, is defined in 17
CFR 210.2-01(f)(2).

See SECPS 1000.46 (requirement 4).

requirements to have an automated system 17 CFR 210.2-01(d).218 Firms that issued audit
reports for 100 or fewer issuers are required to consider whether the system needs to be
automated, taking into account the quality risks and the nature and circumstances of the
firm. For example, a firm with close to 100 issuers and a significant number of managers
and partners may assess timely identification of personal investments that may impair
independence as a quality risk, and a quality response to address that risk may include an
automated system to help facilitate a more timely relationship-checking process.
One firm commented that the specified quality response to have an automated
process for identifying direct or material indirect financial interests is appropriate, and
another firm commented that it did not object to the requirement. However, a firm and a
firm-related group recommended that the PCAOB consider if the existing SEC
requirements are sufficient such that no additional PCAOB requirements are needed, and
several firms commented that the costs of implementing the requirement would be
significant and instead the threshold should be increased to 500 issuers to be consistent
with the SEC requirements. Some of these firms suggested that the cost may be a
potential barrier to entry for firms approaching the 100-issuer audit client threshold. One
of these firms commented further that some firms that audit over 100 issuers will
consider decreasing the size of their practice due to the associated cost of the
requirement. This firm suggested that the specified quality response be removed and
instead, if necessary, implement a quality objective that firms could address through their
risk assessment process. Several firms suggested that firms that audit more than 100 but

17 CFR 210.2-01(d) provides that a firm’s independence is not impaired solely because a covered
person in the firm is not independent of an audit client, provided the covered person did not know
of the circumstances giving rise to the violation, the violation was corrected as promptly as
possible, and the firm maintains a quality control system meeting specified standards. 17 CFR
210.2-01(d)(4), describes, for firms that provide audit, review, or attest services to more than 500
SEC registrants, features necessary for the firm’s QC system to meet the specified standards,
including an automated system to identify investment holdings of partners and managers that
might impair independence.

no more than 500 issuers could consider implementing such a process, but it should not
be required. One firm-related group suggested that the threshold for requiring an
automated independence system be reduced further, given the number of repeated
independence issues among all firms.
One firm expressed concerns with both the proposed requirement in paragraph
.34a.(1) and the suggestion in paragraph .34a.(2) to automate this process, suggesting that
this would be cost prohibitive and firms should design processes that reflect their
respective size, complexities and risks identified. Another firm commented that firms
subject to the current SECPS requirements have likely invested significant capital and
resources to implement and maintain tools that enable compliance with those
requirements, and while the firm views that investment as worthwhile and believes the
procedures have contributed to audit quality over the years, it expressed concerns for the
cost of the requirement to firms that audit between 100 and 500 issuers. Another firm
commented that it has such an automated system in place, however it suggested that the
implementation of such a system within the timeframe set out in the proposed standard
may be challenging and costly. One firm commented that the determination of whether or
not to implement an automated process for identifying and tracking direct and material
indirect financial interests should be risk-based and not include a prescriptive
requirement based on an arbitrary count of greater than 100 issuers. The firm specifically
commented that the size, scope, nature, and complexity of firms’ issuer practices can vary
significantly among the annually inspected firms, noting for example that a large portion
of its issuer client count consists of Form 11-K audits and smaller reporting companies.
Another firm commented that while the size of the firm’s client base is one factor to
consider in determining an appropriate quality response, the nature and circumstances of
the firm and the firm’s clients are also factors that should be taken into consideration, as
well as the firm structure, industries served, and number of managers and partners.

Some firms sought clarity as to whether an automated process would be required
for other financial relationships, for example, employment relationships, business
relationships, or non-audit services, and commented that the identification of certain
financial relationships cannot be easily automated. Instead, the firms suggested limiting
the requirement to automate the process for identifying investments in securities that
might impair independence, to align with the SEC requirement. A number of firms and a
firm-related group requested clarity on what “automated” means and what the Board’s
expectations are with regards to the nature, extent and scope of automation.
After consideration of the comments, the Board adopted the 100-issuer threshold
as proposed. The Board believes it is important to maintain a consistent threshold for the
incremental requirements in QC 1000. As discussed in more detail above, the Board
believes that the 100-issuer threshold is appropriate, and while the nature of each firm’s
audit client list may vary, there still exist complexities inherent to firms with a large
number of issuer audit clients that may give rise to quality risks that apply to the firm’s
independence, for which the automated system would be an appropriate quality response.
The Board clarified in the final standard that the requirement for an automated
process is limited to the process to identify investments in securities that might impair the
independence of the firm or firm personnel, the same scope as required under 17 CFR
210.2-01(d). The Board has observed through its oversight activities that some firms have
systems that automate the identification of their professionals’ investment holdings
through direct broker feeds, but a direct broker feed is not the only type of automated
process that would meet the Board’s requirement. As discussed in a December 9, 1999,
letter from the SEC’s Chief Accountant,219 firms need to develop a system that tracks

See Letter From the Chief Accountant: Issues Related to Independence/Quality Control to SEC
Practice Section (II) (Dec.9, 1999), available at
https://www.sec.gov/info/accountants/staffletters/calt129a.htm

audit engagements and financial investments held by professionals such that the conflict
verification process is automated. Such a system may rely on firm professionals
accurately self-reporting and entering their investments into the system in a timely
manner. These holdings would automatically be compared to the list of restricted entities
to identify any relationships with restricted entities. Based on the size of the firm and
other characteristics, a firm may determine that a direct broker feed is an appropriate
quality response (for example, if the firm’s monitoring activities found high rates of noncompliance by firm personnel with the firm’s policies and procedures for reporting
financial investments), but a direct broker feed is not expressly mandated for firms
subject to the requirement to implement an automated process. The Board also made a
change to require that the process described in paragraph .34a.(1) must be automated to
conform the degree of responsibility that the requirement imposes on the auditor to that
required under paragraph .34.
One firm suggested that a longer transition period be provided for firms that are
not currently subject to a requirement to implement an automated system. The firm
commented that if two firms merged and one or both of the firms had previously not been
subject to the requirement, it is unlikely that a system of this nature could be
implemented and tested for effectiveness in the time period provided. The Board believes
that firms continuously monitor the size of their audit practice relative to the 100-issuer
threshold, and if a firm is considering a transaction such as a merger that would increase
its number of issuer audit clients significantly, then the firm could begin to implement
such a system in advance of the end of the calendar year in which the firm first surpasses
the 100-issuer threshold. Indeed, for a transaction such as a merger of audit firms, the
Board believes that there could exist specific risks to independence as a result, which in
itself may result in a firm developing an automated system as a quality response.

Current SECPS requirements require timely (generally monthly) communication
of additions to the Restricted Entity List.220 The proposal contemplated requiring that
firms have policies and procedures for maintaining and making available the list of
restricted entities to firm personnel and others performing work on behalf of the firm who
are subject to independence requirements, and updating and communicating changes to
the list of restricted entities at least monthly to such persons.
Several firms and a firm-related group suggested the specified quality response be
replaced with a quality objective regarding updates to and awareness of changes in the
restricted entity list. Two of these firms suggested that the requirement be amended to
limit communications to additions to the restricted entity list. Another firm suggested
communications be limited to firm personnel subject to independence requirements and
the requirements should allow for flexibility in the nature, timing, and extent of
communications. QC 1000 does not enlarge the population of individuals who are subject
to ethics and independence requirements. References in the standard to “requirements”
and “obligations” are to existing requirements and obligations which themselves specify
to whom they apply. In addition, after consideration of the comments received, the Board
amended the standard to limit the required communications to additions to the list of
restricted entities, rather than all changes.
Some firms did not support this communication to “others performing work on
behalf of the firm,” and suggested that communications should be limited to potential
covered persons affected by the additions. Two of these firms commented that these
individuals would likely not be considered covered persons for engagements other than
the engagement they are working on, and suggested that the Board allow firms to take a
risk-based approach when determining the scope and frequency of the communications.

See SECPS 1000.46 (requirement 5).

Another firm suggested that QC 1000 does not need to specifically address certain
communications to other participants where this is required by another standard,
specifically AS 2101 (as in effect for audits of fiscal years ending on or after December
15, 2024) paragraph .06D, which includes a “written description of all relationships
between the other auditor and the audit client of persons in financial oversight roles at the
audit client that may reasonably be thought to bear on independence. Another firm
commented that the goal of alerting others performing work on behalf of the firm to
specific engagement independence requirements could be achieved through engagementspecific independence certifications.
After consideration of the comments received, the Board amended the standard to
require at least monthly communication of additions to the list of restricted entities to
firm personnel and others performing work on behalf of the firm whose relationships and
arrangements with such additional restricted entities may reasonably be thought to bear
on the independence of the firm. The Board believes that it is appropriate to limit
communications of additions to the list of restricted entities to firm personnel and others
performing work on behalf of the firm to those additions that could reasonably be thought
to bear on the independence of the firm. For example, additions to the affiliate list for an
issuer would be relevant for an individual who is performing work on behalf of the firm
on that issuer, or a partner who is located in the same office of the firm in which the lead
audit engagement partner primarily practices in connection with the audit. This
communication should be made as frequently as necessary, and on an at least monthly
basis, through the period that the individual is subject to the independence requirements.
Several firms and a firm-related group commented that the requirement to
communicate the restricted entity list would not be more effective than the automated
systems already in place at larger firms. Two firms also commented that smaller firms
with infrequent changes to the restricted entity list may not need to communicate changes

monthly. One of these firms suggested that many firms already have policies where
individuals are required to review the restricted entities list prior to purchasing
stock/during proposal/acceptance procedures to determine whether an independence
conflict would exist, and that many firms also make those restricted lists readily available
to employees as part of their current QC systems. The Board believes, and has observed
through its oversight activities, that such automated systems may not fully mitigate
quality risks associated with the timely reporting of financial relationships by firm
personnel, for example, if the automated system is not equipped to identify certain
financial relationships, or if the firm is reliant on its professionals making timely
reporting of these relationships into the firm systems. The Board believes that requiring
the communication of additions to the list of restricted entities to firm personnel whose
relationships and arrangements with such additional restricted entities may reasonably be
thought to bear on the independence of the firm on an at least monthly basis may prompt
firm personnel to report a previously unreported relationship. If there are no additions,
there is no required communication.
One firm commented that it is unclear whether communication is intended to
mean a distributed communication (e.g., email of the updated list) or communication can
be made available (e.g., a website that hosts such list and is readily available to access).
Some firms may decide to communicate updates to the list of restricted entities on a more
frequent basis, as changes are being made, or in more targeted ways (such as to particular
offices or engagement teams). The standard does not prescribe the method of
communication. Through the Board’s oversight activities, it have observed that some
firms comply with existing SECPS requirements by communicating additions to the list
of restricted entities to all firm personnel weekly via email. These firms could continue
that practice to comply with the standard. However, other methods that result in an
effective communication may also be acceptable; for example, a firm might communicate

that there have been additions to the list of restricted entities via email, and include within
the email a link to an accessible website-hosted list of additions.221 While the standard
requires communications of additions to those individuals whose relationships and
arrangements with such additional restricted entities may reasonably be thought to bear
on the independence of the firm, the firm may choose to extend the communications of
additions more broadly. In addition, if the firm communicates additions to less than all
firm personnel, then the firm must have correctly identified the group of people whose
relationships and arrangements with such additional restricted entities may reasonably be
thought to bear on the independence of the firm.
The standard does not prescribe a specific process for maintaining and making
available the list of restricted entities to firm personnel and other individuals. Firms are
able to determine the specific methods and tools needed to keep the list of restricted
entities up to date and to ensure that any additions are communicated on a timely basis to
firm personnel and other individuals. This determination is based on factors such as the
size of the firm, the number of audit clients, and the complexity of those clients (e.g., the
number of audit client affiliates). For example, a smaller firm with a small group of
professionals, a stable portfolio of audit clients, and a manual process for maintaining the
list of restricted entities may decide to communicate changes monthly. For a larger firm
with many audit clients and firm affiliates, an automated tool could help facilitate more
frequent updates to the list of restricted entities. The firm is required to notify relevant
professionals of additions to the list at least monthly.
The Board recognizes that some firms are members of networks that may develop
systems, processes, and controls to monitor network firms’ compliance with
independence requirements, including maintaining a database of restricted entities. As

Firms are required to communicate additions to the list of restricted entities. For periods where
there were no changes, no such communication would be required.

described above, the standard does not prescribe a specific process for maintaining a
database of restricted entities, so this process could potentially be performed by a
network or outsourced to a third party. At the same time, the standard requires each firm
to establish its own quality objective, which places responsibility on the firm with respect
to resources or services provided by the network or a third-party provider.222
The Board incorporated into QC 1000 the existing SECPS requirements for firm
personnel223 to review the list of restricted entities prior to obtaining any security or other
financial interest in an entity, but with the following refinements:
•

Require firm personnel to review the list of restricted entities, not only before they
or their relevant family members224 obtain a direct or material indirect financial
interest in an entity or enter into a direct or material indirect relationship with an
entity,225 but also after additions to the list of restricted entities are communicated
by the firm, upon firm personnel’s employment at the firm, prior to changes in
position (e.g., going into a chain of command or other covered person role226),
and prior to entering into or modifying any business or employment relationships.

•

Require the firm and firm personnel to take required actions on a timely basis if
the review of the list of restricted entities indicates that action is required under
applicable professional and legal requirements or the firm’s policies and
procedures.

See below for a discussion of the firm’s responsibilities when it uses resources or services
provided by a network or third-party provider.

SECPS requirements use the term “professionals,” which means professional staff, including
partners. See SECPS 1000.46 (requirement 1.a).

Context determines which family members would be relevant. See, e.g., 17 CFR 210.2-01(f)(9)
(defining “close family members”); 17 CFR 210.2-01(f)(13) (defining “immediate family
members”); see generally 17 CFR 210.2-01(c) (referring to “close family member” or “immediate
family member” depending on the context).

The Board is using the terms direct and material indirect in the same sense as 17 CFR 210.2-01(c).

“Covered persons in the firm” is defined in 17 CFR 210.2-01(f)(11).

Under this approach, the firm’s policies and procedures will require that the list of
restricted entities be reviewed before the firm enters into any relationship, engagement to
perform non-audit services, or fee arrangement that might affect compliance with
independence requirements. This requirement serves the same purpose as review of the
list of restricted entities by the firm personnel and helps the firm to identify relationships
that may result in noncompliance with applicable professional or legal requirements.
One firm commented that, rather than requiring that the list of restricted entities
be reviewed before the firm enters into any relationships, engagements to perform nonaudit services, or fee arrangements that might affect compliance with independence
requirements, firms should be permitted to develop quality responses to identify
prohibited relationships and fee arrangements that appropriately respond to quality risks,
based on the firm’s facts and circumstances. The firm also suggested that the requirement
for firm personnel to review the list of restricted entities after changes to the list are made
should be deleted since firm personnel would already be notified of changes based on
paragraph .34b. The Board believes these specified quality responses are appropriate and
should be addressed by all firms, regardless of the specific facts and circumstances of the
firm. In addition, the Board views the requirements of paragraph .34b for the firm to
maintain and make available the list of restricted entities, and paragraph .34d for firm
personnel to review the list of restricted entities, as separate.
2) Independence and ethics certifications (QC 1000.34.e)
Certifications are intended to drive greater accountability for firm personnel’s
compliance with independence requirements and to deter independence violations. The
certification requirement is similar to an existing SECPS requirement, which requires
each professional to certify near the time of initial employment and at least annually
thereafter that he or she (1) has read the member firm’s independence policies, (2)
understands their applicability to his or her activities and those of his or her spouse and

dependents, and (3) has complied with the requirements of the member firm’s
independence policies since the prior certification.227
The proposal contemplated obtaining certifications from firm personnel regarding
familiarity and compliance with SEC and PCAOB independence requirements and the
firm’s independence policies and procedures (1) upon employment, (2) at least annually
thereafter, and (3) upon any change in personal circumstances, such as firm role,
geographic location, or marital status, that is relevant to independence.
Several commenters, including firms, did not support the requirement to obtain
additional certifications upon changes in personal circumstances, and three firms raised
practical concerns when the changes involved marital status. One firm suggested that the
standard should emphasize that a firm’s independence certification process should
consider timeliness in addressing the quality objective, and instead encourage firms to
consider the appropriateness of obtaining periodic certifications throughout the year. One
firm commented that a firm should have flexibility to determine its own policies and
procedures for certifications beyond requiring them at employment and annually
thereafter; the firm suggested that, for example, quarterly certification accompanied by
training on the impact of life events may be more effective and practicable than eventdriven review and certification. Another firm recommended that firms be allowed to
develop their own quality responses based on their own unique quality risks when
personal circumstances change rather than requiring certification upon changes in
personal circumstances as a quality response. Another firm suggested that this
requirement should instead be managed through proper education and awareness of
relevant independence requirements. Another firm suggested that these items would be
better suited as examples of considerations included in implementation guidance. One

See SECPS 1000.46 (requirement 7.b).

firm suggested that the certification requirements should be applicable for firms with over
500 issuers that already have an automated independence system. The firm further
commented that the requirement is onerous in terms of being able to identify the data on a
timely basis and suggested a semi-annual representation period instead of circumstancedriven.
In addition, the proposing release sought feedback on whether the standard should
require annual written certification regarding familiarity and compliance with ethics
requirements and the firm’s ethics policies and procedures, in addition to those regarding
independence. The proposing release further asked whether firms should be required or
encouraged to adopt firm-wide codes of ethics or similar protocols. One firm did not
support a specific quality response that includes a certification process for ethics
requirements and procedures. The firm suggested that firms should be permitted to adopt
a quality response that addresses the risks within their own practice, and that a
certification requirement that applies to all firm practice staff could turn into a “checkthe-box” compliance exercise that would not benefit audit quality. One firm commented
that such requirements would already be addressed by the requirement for mandatory
training in paragraph .36. Other commenters, including firms, investors, and investorrelated organizations, supported the requirement to obtain a written annual certification
regarding familiarity and compliance with ethics requirements and the firm’s ethics
policies and procedures. One of these investors commented that the main argument
against such certifications is that it imposes a cost and that it becomes a “tick-the-box
exercise,” but in the investor’s view the cost is de minimis given other annual
declarations needed by firm personnel, and firm leadership can send an appropriate signal
by embracing the ethics code to stop such annual declarations becoming a perfunctory
exercise. One firm and an investor-related organization supported a requirement that
firms should adopt firm-wide codes of ethics.

After consideration of the comments received, the Board made two changes to the
final standard. First, the Board removed from the standard the requirement to obtain a
certification from firm personnel regarding familiarity and compliance with SEC and
PCAOB independence requirements and the firm’s independence policies and procedures
upon any change in personal circumstances, and replaced this with the requirement that
such a certification must be obtained for any change in professional circumstances that is
relevant to independence. Rather than include examples of such changes in the text of the
standard, the Board provided in this release some examples of changed professional
circumstances that may be relevant to the independence of the firm's personnel under
applicable independence rules. These examples include changes within the firm such as
promotions, moving offices, or changing practice groups (e.g., changes to covered person
status). Although, in connection with this change, the Board removed a certification
requirement with regard to changes in personal circumstances, such changes can have
independence implications under SEC and PCAOB independence requirements, and a
firm's QC system must provide reasonable assurance of compliance with those
requirements. Secondly, the Board added a requirement for certification by firm
personnel regarding familiarity and compliance with the applicable ethics requirements
and the firm’s ethics policies and procedures as the Board believes such certification will
enhance individual accountability and, ultimately, compliance. The Board not added a
requirement for firms to adopt a firm-wide code of ethics or similar protocol, because it
believes that firms should have flexibility to determine whether this would assist them in
meeting the relevant quality objectives.
The standard does not prescribe a checklist of specific content for the
certifications, focusing instead on general concepts of familiarity and compliance. It is
possible that the form of certification called for by the existing SECPS requirement
would satisfy the standard. In addition, the standard expands on the existing SECPS

requirement by requiring firms to obtain certifications every time firm personnel have a
change in professional circumstances that is relevant to independence, such as a change
in role or geographic location. Changes within the firm such as promotions, moving
offices, or changing practice groups may have consequences under independence rules
(e.g., changes to covered person status) and result in noncompliance. The Board
continues to believe that a specified quality response requiring specific event-driven
independence and ethics certifications appropriately considers timeliness in addressing
the quality objective and applies to quality risks that exist in all firms.
3) Matters requiring audit committee pre-approval (QC 1000.34.f)
The proposed requirement did not draw comment and was adopted as proposed.
QC 1000 contains a new requirement regarding firm policies and procedures for
identifying matters that require pre-approval by the audit committee and obtaining such
approval. The primary responsibility for identifying matters that require audit committee
pre-approval and obtaining such pre-approval resides at the engagement level. The firm’s
policies and procedures, however, provide tools and guidance that enable engagement
teams to properly identify the relevant matters and obtain necessary pre-approvals on a
timely basis. Through the Board’s oversight activities, it has observed numerous
instances where firms did not have an effective mechanism in place for monitoring
whether matters that require audit committee pre-approval were properly disclosed to
audit committees. The new requirement should lead to more consistent compliance.
iii.

Communication of changes to ethics and independence policies and
procedures (QC 1000.35)

The proposed requirement did not draw comment and was adopted as proposed.
The final standard incorporates existing SECPS requirements regarding the dissemination
of the firm’s independence policies and procedures and expands the requirements to
cover ethics policies and procedures.

When deciding how to make ethics and independence policies and procedures
available, firms would consider how to make firm personnel and others performing work
on behalf of the firm aware of where and how to find these policies and procedures in a
way that supports those individuals’ ongoing compliance with certification and other
requirements. The standard requires the firm to communicate any substantive changes to
its ethics and independence policies and procedures on a timely basis.
iv.

QC policies and procedures about mandatory ethics and independence
training (QC 1000.36)

The proposed requirement did not draw comment and was adopted as proposed.
The standard includes a requirement for mandatory periodic training on ethics and
independence, which expands on the existing SECPS requirements that cover training on
independence. The mandatory training requirement promotes awareness and
understanding of the ethics and independence requirements, which should lead to better
compliance with such requirements. Under existing SECPS requirements, firms are
required to establish a training program for professionals to complete near the time of
initial employment and periodically thereafter.228
The specific content and extent and timing of the training will be determined by
the firm, but the program is required to cover both the relevant professional and legal
requirements (for example, regarding financial interests, business relationships,
employment relationships, proscribed services, and fee arrangements) and the firm’s
related policies and procedures.
By not specifying the content for such mandatory training, the standard allows firms the
ability to develop training programs based on their circumstances. For example, a firm
may develop its training to place a greater emphasis on areas with recurring ethics and

See SECPS 1000.46 (requirement 3).

independence findings across the firm, or it may target specific ethics and independence
findings in different regions. Similarly, the standard does not specify how the firm would
provide such training. A firm may develop and deliver its own training, contract with
others to provide training, or provide access to third-party training.
Under the standard, the firm is required to provide such training at least annually,
or more often as needed.
2. Current PCAOB standards
QC 20 provides that policies and procedures should be established to provide the
firm with reasonable assurance that personnel maintain independence (in fact and in
appearance) in all required circumstances, perform all professional responsibilities with
integrity, and maintain objectivity in discharging professional responsibilities.229 The
SECPS member requirements regarding independence quality controls apply only to
certain firms. The requirements for ethics and independence discussed above are more
detailed than the existing requirements in QC 20 and Appendix L of the SECPS and
would apply to all firms.
ACCEPTANCE AND CONTINUANCE OF ENGAGEMENTS
This component addresses the firm’s processes when considering whether to
accept or continue an engagement.
1. QC 1000
a. Acceptance and continuance of engagements quality objectives (QC 1000.38)
The proposal described the quality objectives related to acceptance and
continuance of engagements. Several commenters, including firms, were generally
supportive of the proposed quality objectives.

See QC 20.09.

A commenter on the AS 1000 rulemaking objected to the use of the term “client”
in that standard to refer to the company and its management. The commenter suggested
“company under audit” instead. The Board agrees with the commenter that the
terminology used in the PCAOB standards should help to remind auditors that they work
for the benefit of investors, not the management of the company. Accordingly, the Board
generally replaced references to the “client” with references to the “company” or
eliminated them altogether (for example, this component, called “Acceptance and
Continuance of Client Relationships and Specific Engagements” in proposed QC 1000, is
“Acceptance and Continuance of Engagements” in the final standard). The Board ,
however, retained references to the “client” where that aligns with other rules, such as in
the area of independence.
The quality objectives in this component were adopted substantially in the form
proposed, with the exception of the change throughout to focus on the engagement
instead of the client relationship and the other clarifications discussed below.
Acceptance and continuance of engagements is an aspect of a firm’s compliance
and risk management process. Each firm, depending on its nature and circumstances, may
approach acceptance and continuance of engagements differently. The acceptance and
continuance of engagements process assists the firm in mitigating reputational, business,
and litigation risk. The quality objectives stress the importance of focusing the
acceptance and continuance of engagements process on the firm’s ability to perform an
engagement in accordance with applicable professional and legal requirements.
i.

Timing (QC 1000.38.a(1))

The proposed standard required the firm’s judgment about whether to accept or
continue an engagement to be made as part of or before performing preliminary
engagement activities. Preliminary engagement activities, which are activities the auditor
should perform at the beginning of the audit, are described in AS 2101.06.

One commenter stated that the proposed requirement implied that the judgment
was only made during preliminary activities and not throughout the engagement. The
Board clarified the quality objective in paragraph .38a(1) to specify that the initial
judgment is to be made as part of or before preliminary engagement activities.
QC 1000.40, discussed below, addresses the firm’s obligation to continue to address
situations that could have caused it to decline the engagement had the information been
known prior to acceptance and continuance.
ii.

Independence and permissibility of services (QC 1000.38.a(2)(a) and (b))

This proposed quality objective did not draw significant comment and was
adopted as proposed.
The firm’s ability to perform the engagement includes considering whether the
firm is independent and whether the services are permissible. These are threshold
considerations for acceptance and continuance, because in general, under PCAOB
standards the firm is not allowed to accept an engagement unless it is independent of the
company for which the engagement will be performed and the services are permissible
under applicable professional and legal requirements (including obtaining audit
committee pre-approval where that is required).
The firm’s policies for acceptance and continuance in the areas of independence,
permissibility of services, and pre-approval relate to and to some extent overlap with the
ethics and independence component. The requirements in the ethics and independence
component more generally address the ongoing evaluation of compliance with applicable
professional and legal requirements relating to the independence of the firm, firm
personnel, and others subject to such requirements.
iii.

Access to company information and company personnel (QC
1000.38.a.(2)(c))

This proposed quality objective did not draw significant comment and was
adopted substantially as proposed.
The firm’s ability to perform an engagement in accordance with applicable
professional and legal requirements depends on the firm’s ability to obtain information
from the company and gain access to individuals at the company who can respond to the
firm’s inquiries. Restricted or limited access to company information or personnel—for
example, due to language differences, physical location, or local law restrictions—could
impair the firm’s ability to perform the engagement in accordance with applicable
professional and legal requirements.
iv.

Resources (QC 1000.38.a(2)(d))

Another aspect of the firm’s ability to complete the engagement in accordance
with applicable professional and legal requirements is the resources available to the firm.
The Board believes it is important for a firm to have the right resources available so that
the engagement can be performed in accordance with applicable professional and legal
requirements. This includes the availability of resources like the following, either internal
or external to the firm:
•

Firm personnel or other participants with competence to perform procedures (e.g.,
industry experience or experience with new or specialized accounting
pronouncements that apply to the company) and sufficient availability to meet
audit timing requirements;

•

Engagement partners;

•

Specialists;

•

EQRs;

•

Technology to be used in the performance of the engagement, such as technology
for testing the implementation and effectiveness of automated processes; and

•

Intellectual resources needed in the performance of the engagement (e.g.,
industry-specific audit programs).
One commenter suggested that consideration should be given to the availability of

industry-specific resources at the partner and manager level and the Board agrees that
industry-specific resources are important in certain audits. However, the Board believes
that issue is adequately addressed by the general reference to “resources to perform the
engagement,” which includes industry-specific resources where those would be needed.
The Board adopted this quality objective as proposed.
v. Other relevant factors (QC 1000.38.a(2)(e))
This proposed quality objective did not draw comment and was adopted as
proposed.
The firm’s ability to perform engagements in accordance with applicable
professional and legal requirements may also be affected by other factors associated with
providing professional services in the particular circumstances. Accordingly, the
standard, by directing firms to consider such other relevant factors, retains the breadth
and inclusiveness of QC 20.15b, which requires the firm to establish policies and
procedures to provide reasonable assurance that the firm appropriately considers the risks
associated with providing professional services in the particular circumstances.
v.

Information about the nature and circumstances of the engagement,
including the integrity and ethical values of the company (QC
1000.38.a(3))

In order for the firm to make appropriate judgments about whether to accept or
continue an engagement, the firm needs to obtain sufficient information about the nature
and circumstances of the engagement (e.g., the nature of the company and the
environment in which it operates) and the integrity and ethical values of the company,

including its management and audit committee.230 This information is relevant because it
can help identify potential risks to performing the engagement that may result in the firm
not being able to perform the engagement in accordance with applicable professional and
legal requirements. The nature and circumstances of the engagement may, for example,
reveal the need for specialized expertise that the firm does not have. A lack of
management integrity may affect the reliability of the company’s accounting records.
Designing and implementing policies and procedures that direct and standardize the
collection and evaluation of such information could help the firm in consistently making
appropriate judgments about whether to accept or continue an engagement. Additionally,
information obtained during the firm’s acceptance and continuance process about the
nature and circumstances of the engagement and the integrity of management and the
audit committee would in many cases be relevant when planning and performing the
engagement.231
One commenter requested clarification of whose integrity and ethical values are
relevant to the consideration of “the integrity and ethical values of the company
(including management and the audit committee)” – for example, whether consideration
could be limited to the audit committee chair. Since members of management and the
audit committee all have influence over the company’s financial reporting, the Board
believes their integrity and ethical values are important to the judgment of accepting or
continuing an engagement. Therefore, consistent with the proposal, the final standard
does not include such a limitation.
The quality objective in QC 1000.38.b retains the concept in QC 20.16 of having
policies and procedures regarding obtaining an understanding with the company about

For a prospective engagement, this includes evaluating information obtained from a predecessor
firm. See generally, e.g., AS 2610, Initial Audits—Communications Between Predecessor and
Successor Auditors.

See, e.g., AS 2110.41-.45.

the engagement and aligns with similar requirements under PCAOB auditing and
attestation standards.232 Achieving this objective should minimize the risk of
misunderstandings regarding the nature and scope of the engagement and any limitations
associated with it.
c. Acceptance and continuance of engagements specified quality response (QC
1000.39-.40)
The proposal included a specified quality response regarding policies and
procedures to address situations where the firm learns of information that would have
caused it to decline a previously accepted engagement. Two commenters were generally
supportive of the proposed specified quality response.
Under this specified quality response, the firm’s policies and procedures are
required to address situations in which the firm becomes aware of relevant contrary
information after the firm’s decision to accept or continue an engagement. This contrary
information may have existed at the time of the decision to accept or continue an
engagement but not been known by the firm at the time, or it may have emerged
subsequent to that decision. Depending on the circumstances, appropriate responses may
include such actions as:
•

Consulting with legal counsel or others within the firm to determine if the firm is
able to continue the engagement;

•

Discussing the information with management and the audit committee to
determine if the firm is able to continue the engagement;

•

Including this information in the auditor’s risk assessment procedures so that any
additional risks are responded to during the audit; and

See paragraph .05 of AS 1301, Communications with Audit Committees, and paragraph .46 of AT
Section 101, Attest Engagements.

•

Withdrawing from the engagement and notifying appropriate regulatory
authorities as required under applicable professional and legal requirements.
One commenter suggested that specific circumstances should require an

immediate reconsideration of client continuance, such as illegal acts, fraud, or material
omissions of fact. Existing auditing standards, such as AS 1301, include requirements
related to evaluating the continuation of the client relationship. The QC system would
address compliance with these requirements.
Under the proposal, a firm would be deemed to have become “aware” of
information if any partner, shareholder, member, or other principal of the firm was aware
of such information, the same standard that applies with respect to the reporting of
specified events on Form 3. One commenter stated that the concept of when a firm
becomes “aware” should take into account the size and scale of the firm, and the nature
of the matters related to the QC system, suggesting that alignment with the requirements
of Form 3 may be inappropriate because of Form 3’s relatively limited scope compared to
the matters addressed by QC 1000. The Board continues to believe that it would be
inappropriate to differentiate among firm principals in this regard; all firm principals
should be responsible for promptly communicating and acting upon relevant information.
Accordingly, the class of persons whose awareness is attributed to the firm was not been
narrowed.
Another commenter recommended clarifying the timing of when a firm becomes
“aware” of information subsequent to accepting or continuing a client relationship.
Footnote 26 of the final standard reflects the suggested clarification that the firm is

deemed “aware” of information when any partner, shareholder, member, or other
principal of the firm “first becomes aware” of such information.233
2. Current PCAOB standards
The quality objectives of QC 1000 paragraph .38 do not fundamentally change a
firm’s existing responsibilities regarding acceptance and continuance decisions under QC
20. 234 The quality objectives expand on the requirements in QC 20 with regard to
considering the necessary information and making appropriate judgments about the
associated risks and the firm’s ability to mitigate those risks and perform an engagement
in accordance with applicable professional and legal requirements.
ENGAGEMENT PERFORMANCE
This component addresses the firm’s processes relating to the performance of the
firm’s engagements in accordance with applicable professional and legal requirements.
Engagement performance encompasses the activities of firm personnel and other
participants in all phases of the design and execution of the engagement—planning,
performing, supervising, and documenting the engagement; conducting an engagement
quality review; and making communications regarding the engagement.235 In order for
the firm to consistently deliver compliant engagements, including when performing work
on other firms’ engagements, firm personnel and other participants need to understand
and fulfill their responsibilities in accordance with applicable professional and legal
requirements.
1. QC 1000

This approach aligns with the instructions to Form 3, under which a firm is deemed aware of
reportable facts on the first day that any partner, shareholder, principal, owner, or member of the
firm first becomes aware of the facts. See Form 3, Note to Instructions to Part II.

See QC 20.14-.16.

See QC 20.18.

The proposal described the quality objectives for the engagement performance
component and asked if there should be any specified quality responses for this
component. Firms that commented were generally supportive of the proposed quality
objectives. Two commenters wanted clarity on why some concepts in auditing standards
were or were not included in QC 1000. One of these commenters, an investor-related
group, suggested the standard address certain areas like fraud protection, crypto assets,
climate change, and critical audit matters. The Board believes these areas are
engagement-level specific, whereas QC 1000 focuses on the firm-level controls over
engagement responsibilities. Commenters, including firms and related groups, were also
supportive of not providing specified quality responses in this component. The Board
adopted these provisions substantially as proposed.
Under QC 1000, a firm is required to establish quality objectives for the
engagement performance component in the following areas:
•

Engagement responsibilities;

•

Consultations and differences in professional judgment; and

•

Engagement documentation.
a. Engagement responsibilities (QC 1000.42.a)
This proposed quality objective did not draw comment and was adopted as

proposed.
The standard uses the term “engagement partner” with its existing meaning under
PCAOB audit and attestation standards: the member of the engagement team236 with
primary responsibility for the audit, examination, or review, as the case may be.237 The

The term “engagement team” is used as defined in the amendments to AS 2101, Audit Planning,
adopted in PCAOB Rel. No. 2022-002, which takes effect for audits of financial statements for
fiscal years ending on or after Dec. 15, 2024.

See AS 1201.A2; AT No. 1 at paragraph .07 note; AT No. 2 at paragraph .06 note. AT 101 uses
the term “practitioner with final responsibility for the engagement,” which the Board construes as
having the same meaning.

definition of “engagement” under QC 1000, under which substantial role work is defined
as an engagement, does not change the meaning of engagement partner or affect the
responsibilities of individuals involved in substantial role engagements. No comments
were received on the use of this term.
i.

Responsibilities of the engagement partner (QC 1000.42.a(1))

The engagement partner is responsible for the engagement and its performance,
including managing and achieving consistent compliance with applicable professional
and legal requirements on the engagement. This quality objective focuses firms on
partner involvement throughout the engagement, including appropriately supervising firm
personnel and other participants.238
ii.

Due professional care (QC 1000.42.a(2)(a))

Due professional care means acting with reasonable care and diligence, exercising
professional skepticism, acting with integrity, and complying with applicable
professional and legal requirements.239 In the context of engagement performance,
professional skepticism is an attitude that includes a questioning mind and critical
assessment of audit evidence and other information that is obtained to comply with
PCAOB standards and rules. Exercising professional skepticism improves the quality of
judgments made while performing the engagement and is key to performing an
engagement in good faith and with integrity. PCAOB oversight activities have suggested
that the lack of professional skepticism contributes to some of the QC deficiencies
identified during PCAOB inspections.240 As an example, a firm’s policies and procedures
did not provide reasonable assurance that engagement partners supervised engagements

See generally, e.g., AS 1201.

The general principles and responsibilities of the auditor when conducting an audit, including
professional skepticism and due professional care, are being reaffirmed and combined in AS 1000,
as adopted. See Auditor Responsibilities Release.

See, e.g., 2022 Broker-Dealer Inspection Report, at 31.

with due professional care, which contributed to the failure to identify deficiencies in
those engagements.
The quality objective related to due professional care, including professional
skepticism, enables appropriate conclusions to be reached that are supported by sufficient
appropriate evidence.241
iii.

Supervision (QC 1000.42.a.(2)(b))

Proper supervision aims to ensure that work is performed as directed and supports
the conclusions reached.242 The quality objective emphasizes the importance of firm
personnel and other participants being supervised properly, consistent with AS 1201 and
AT No. 1.
iv.

Reporting and other communications (QC 1000.42.a(3))

PCAOB standards and rules impose a number of requirements relating to
reporting and communicating the results of the engagement.243 The engagement report
and communications to the audit committee are typically prepared at the engagement
level and may include information provided by the firm. For example, the firm may
provide information related to independence to be communicated in accordance with
PCAOB Rule 3524 or PCAOB Rule 3526. This quality objective emphasizes the
importance of auditor reporting and communication in accordance with applicable
requirements.
b. Consultations and differences in professional judgment (QC 1000.42.b-.c)
Consultations are an important aspect of engagement performance, as they
provide a mechanism to discuss and resolve complex, unusual, or unfamiliar matters with

See Roles and Responsibilities above.

See AS 1201.02.

See generally, e.g., AS 3101, The Auditor’s Report on an Audit of Financial Statements When the
Auditor Expresses an Unqualified Opinion; AS 2201.85-.89; AS 1301; paragraphs .34-.38 of AT
No. 1; and AT 101.63-.90.

individuals who have the requisite knowledge, skill, and ability. Under current PCAOB
standards, QC 20.19 highlights the significance of consultations, requiring appropriate
policies and procedures. The quality objective should drive firms to continue to focus on
the importance of consultation and resolution before the issuance of an engagement
report.
The quality objective in the proposed standard provided that consultations on
complex, unusual, or unfamiliar accounting and auditing matters are undertaken with
qualified individuals from within or outside the firm.
One commenter suggested that the standard require firms to adopt policies that
identify situations when national office consultation is required. The Board does not
believe it is appropriate to include such prescriptiveness in the standard, as not all firms
have national offices. Additionally, the quality objective provides that the firm will
identify the risks specific to their engagements and determine whether there are specific
situations that always require consultation.
Another commenter said that the reference to “unfamiliar” accounting and
auditing matters was unclear and was concerned that it creates an unnecessary level of
prescription that will be difficult to operationalize. The commenter also expressed
concern that an unintended consequence could be that auditors may infer that
consultations may compensate for lack of competence on the engagement team. The final
standard retains the term, consistent with the use of “unfamiliar” in current QC 20.19. It
is noted that inclusion of that term in paragraph .42 does not modify or limit auditor
obligations to have the competence necessary to conduct the engagement established
elsewhere in PCAOB standards.
Differences in professional judgment may occur when there is a concern or
disagreement regarding the application of applicable professional and legal requirements
during the performance of the engagement. The quality objective underscores the

importance of having and adhering to appropriate procedures for the resolution of
differences in professional judgment during the performance of engagements such that
the firm, firm personnel, and other participants comply with applicable professional and
legal requirements.
The proposed quality objective provided that differences in professional judgment
related to the engagement are brought to the attention of the individual(s) with
responsibility and authority for resolving such matters and are resolved before the
issuance of an engagement report. One commenter suggested clarifying that if the
engagement partner does not agree with the conclusions arising from the consultation
(addressed above), that would be treated as a difference in professional judgment that
would require compliance with the quality objective regarding differences of professional
judgment. The final standard clarifies that point.
c. Engagement documentation (QC 1000.42.d)
This proposed quality objective did not draw significant comment and the Board
adopted as proposed.
AS 1215 contains the general requirements for the documentation the auditor
should prepare and retain in connection with engagements. 17 C.F.R. 210.2-06 also
addresses documentation retention requirements.244 The quality objective regarding
engagement documentation in proposed QC 1000 is meant to drive firms to focus on
compliance with these requirements.
2. Appendix K requirements
Existing PCAOB standards (referred to as Appendix K requirements) require
SECPS member firms that are associated with international firms or networks to seek
adoption of policies and procedures by their associated international firms or network

17 CFR 210.2-06.

regarding filing reviews, inspection procedures, and disagreements between the
engagement partner and the reviewer.245 As noted in the proposal, the Board believes that
the purposes originally intended to be served by Appendix K have either been eliminated
(through the elimination of the U.S. GAAP reconciliation) or otherwise addressed
(through requirements for engagement quality review). Accordingly, the Board proposed
to not retain requirements like those in Appendix K.
The proposal asked whether the PCAOB should eliminate Appendix K and rely
exclusively on a risk-based approach. Commenters had mixed views regarding the
retention of Appendix K requirements. Some commenters supported the elimination of
Appendix K requirements and reliance on a risk-based approach. Other commenters
asserted that the Appendix K requirements are beneficial and should be retained or made
even more prescriptive. The Board believes it unnecessary to retain the Appendix K
requirements because under the risk-based approach, firms will have to assess and
respond to quality risks including, if applicable, a relative lack of experience in
performing engagements under U.S. professional and legal requirements.
Some commenters expressed concern that in a risk-based approach, a person
performing a limited review function similar to the current Appendix K reviewer would
be considered part of the engagement team, while another commenter requested
clarification that such a reviewer would not necessarily be a member of the engagement
team. Under QC 1000, the firm’s assessment of quality risks will determine the nature
and extent, if any, of additional resources or reviews that would need to be performed
over engagements to ensure compliance with PCAOB and SEC requirements. In some
circumstances, the response might involve adding one or more additional members to the

See SECPS 1000.08(n) (cross-referencing the objectives set forth in Appendix K, SECPS
1000.45). The types of SEC filings subject to review under Appendix K are registration
statements, annual reports on Form 20-F and Form 10-K, and other filings that include or
incorporate the foreign associated firm’s audit report on the financial statements of an SEC
registrant.

engagement team. In other circumstances, the response might involve resources that
would not constitute members of the engagement team because they perform a
contemporaneous quality control function and do not perform audit procedures or help
plan or supervise the audit work.246
One commenter expressed concern that reviewers’ firms would be considered
“other accounting firms” and reviewers’ hours would be included for purposes of Form
AP filings. Specific to Form AP filing requirements, firms should review the Note to Item
3.2 of the Form AP Instructions regarding the reporting of other accounting firms.247
3. Current PCAOB standards
Under current QC standards, engagement performance covers all phases of the
design and execution of the engagement, and engagement quality reviews.248 QC 20
contains general requirements regarding engagement performance, including planning,
performing, supervising, reviewing, documenting, and communicating the results of each
engagement; referring to authoritative literature; and consulting with qualified individuals
when appropriate. QC 20 provides that policies and procedures should be established to
provide reasonable assurance that the engagement is performed in accordance with
applicable professional standards. QC 1000 retains these concepts from the extant
standards.
As discussed above, QC 1000 does not contain provisions similar to the Appendix
K requirements that currently apply to former SECPS member firms.
RESOURCES
This component addresses the firm’s responsibilities for obtaining, developing,
using, maintaining, allocating, and assigning resources—including people, financial,

See PCAOB Rel. No. 2022-002 at A4-5.

See id. at A3-19.

See QC 20.18.

technological, and intellectual resources—to enable the design, implementation, and
operation of the firm’s QC system and the performance of its engagements.
1. QC 1000
a. Resources quality objectives (QC 1000.44)
The proposal asked if the Board’s proposed quality objectives for resources were
appropriate. Commenters that responded to this question generally supported the quality
objectives. One commenter suggested that the risks associated with the resources
component are greater and that a prescriptive approach would be warranted. The Board
believes the combination of quality objectives and specified quality responses
appropriately provides for scalability and prescriptiveness.
Under QC 1000, a firm is required to establish quality objectives for the resources
component in several different areas:
•

People;

•

Technological resources;

•

Intellectual resources; and

•

Resources from a network or third-party provider.
i.

People (QC 1000.44.a-.g)

The quality objectives in QC 1000.44.a-.b are similar to the personnel
management element of quality control addressed in QC 20 and QC 40, and the Board
adopted them as proposed with one change. The proposed standard included a note that
describes what competence comprises—knowledge, skill, and ability—which is derived
from QC 40.04.249 Two commenters suggested deleting the last sentence in the note,
which as proposed stated that “The measure of competence is qualitative rather than
quantitative…,” on the basis that it would discourage the use of quantitative performance

See QC 40.04 (competencies are not measured by periods of time because such quantitative
measurement may not accurately reflect the kinds of experiences gained in any given time period).

metrics. The Board believes that QC 40 should be understood as saying, not that
quantitative measures are wholly irrelevant, but that competence is not measured
exclusively on a quantitative basis because quantitative measurement alone may not
accurately reflect the nature of experience gained over time. The note in the final
standard has been revised to clarify that competence can be measured both qualitatively
and quantitatively.
These two quality objectives work together in addressing competence from the
perspective of both the firm and individual. The firm and its personnel have
responsibilities for developing and maintaining competence that will support the
operation of the firm’s QC system and the performance of the firm’s engagements in
accordance with applicable professional and legal requirements and the firm’s policies
and procedures.
Understanding the competence needed to carry out responsibilities for the
operation of the firm’s QC system and the performance of the firm’s engagements assists
a firm in identifying its personnel needs. This understanding also assists a firm in
identifying areas for personnel development. Competence can be developed through an
appropriate combination of education, professional experience in accounting and auditing
with proper supervision, and training such as CPE.
A commitment to quality can be demonstrated through a person’s actions and
behaviors, including consistent adherence to firm policies and procedures, demonstrating
key professional attributes like objectivity, integrity, and due professional care, and
taking the initiative to develop and maintain competence. Conversely, a lack of
commitment to quality can be seen through actions and behaviors such as inconsistent
compliance with professional standards, cheating on professional development and
compliance exams, or a “check the box” approach to professional development.

The quality objectives in QC 1000.44.c-.e address the assignment of firm
personnel and individuals who are other participants, in the firm’s engagements, QC
roles, and other firms’ engagements. As discussed previously, the firm’s people resources
may include firm personnel (generally, employees of the firm) or resources from outside
the firm (other participants). For example, EQRs or personnel at service centers may be
considered either firm personnel (if employed by the firm or functioning as firm
employees) or other participants (if contracted by the firm).250 One commenter was
concerned that the inclusion of other participants in the firm’s QC system may create
cross-jurisdictional legal issues, such as employment information that may be protected
by privacy laws. The Board believes it is important for the QC system to assess the
competence of other participants, which may include having policies and procedures on
what to do if the firm is unable to make such assessment due to legal issues. One
commenter mentioned that the responsibilities related to the use of specialists engaged by
the firm, other auditors, and internal auditors providing direct assistance are addressed in
existing auditing standards as engagement team responsibilities and are not needed within
this quality objective. While it is acknowledged that there are auditing standards that
address those topics at the engagement level, the quality objectives relate to the firm’s
processes for assigning the appropriate individuals to engagements and QC activities.
One commenter emphasized the need for firm resources to have time to fulfill
their assigned responsibilities. Another commenter suggested a prescriptive approach to
human capital management, including monitoring assignments and time requirements,
utilization, and engagements with high turnover and workloads. Given the wide range of
firms based on their size, scope, and nature of practice, the Board does not believe
prescriptive requirements in this area are appropriate. The Board clarified paragraphs

See QC 1000.A5 and .A7.

.44c and .44e by adding “needed” to the quality objective to increase the focus on
sufficient competency, objectivity, time, and when appropriate, the authority needed to
fulfill their assigned responsibilities. The PCAOB has also separately proposed new
reporting requirements regarding firm and engagement metrics that, if adopted by the
Board and approved by the SEC, would enhance transparency about, among other things,
firms’ human capital management.251
The quality objectives focus on three key aspects of the ability to fulfill the
assigned role: competence, objectivity, and time. Individuals need to have competence to
fulfill their assigned roles in accordance with applicable professional and legal
requirements and the firm’s policies and procedures. As previously discussed, both the
individual and the firm play a part in developing a person’s competence. The ability to
maintain objectivity is essential to performing QC activities or engagements; a lack of
objectivity may, for instance, create an unconscious bias that directly affects quality.
Individuals’ ability to devote appropriate time to their assignments also affects quality.
In addition to the competence, objectivity, and time needed to perform
engagement and QC activities, individuals need to have the requisite authority to perform
effectively. In the context of engagement activities, the auditing standards already
provide authority structures with respect to, for example, supervision and the
responsibilities of the engagement partner, and those standards are augmented by firm
policies on matters such as consultation. For QC activities, the need for appropriate
authority is specified in the quality objective.
The QC 1000.44.f quality objective to comply with the firm’s policies and
procedures did not attract comment and was adopted as proposed.

See PCAOB Rel. No. 2024-002.

This quality objective is based on a concept embedded in QC 20: that firm
personnel should adhere to the firm’s own standards of quality. The Board believes that
this should remain among the firm’s objectives, and also that it would play an important
role in the operation of the QC system under QC 1000.
The firm’s QC-related policies and procedures are essential to the proper
functioning of an effective QC system. By definition, those policies and procedures are
the “quality responses” the firm has designed and implemented to address quality risks.
Firm personnel need to understand those policies and procedures and operate in
compliance with them in order for the QC system to operate as designed and achieve its
objectives. Additionally, firm personnel need to understand and comply with firm
policies and procedures in order for the firm’s work on its own engagements and other
firms’ engagements to be performed appropriately.
Evaluations help support and promote the continuous development of the
competence of firm personnel. Some commenters, generally investor-related groups,
suggested the standard address incentives in partner compensation relative to quality
control systems and weight it at least as much as revenue growth. After considering
comments, the Board revised paragraph .44g to add “including through compensation
plans and decisions in which quality considerations play a critical part.” The Board
believes this change will prompt firms to appropriately weight quality concerns in their
organization-wide compensation plans and individual compensation decisions. The Board
believes his change, along with the change to the quality objective in paragraph .25b,
should result in firms giving appropriate weight to quality in compensation plans and
decisions regarding performance for both firm leadership and firm personnel.
The quality objective contemplates that evaluations should be performed at least
annually. Many firms currently utilize an annual performance review process in order to
facilitate such evaluations. A firm may have multiple quality responses to address the

quality risks associated with the different types of firm personnel. For example, nonemployee contractors and consultants, who work under the firm’s supervision or direction
and control and are considered firm personnel, may be evaluated through the contracting
process to determine whether the firm should retain them. The quality objective does not
specify the format of or approach to periodic evaluations.
The quality objective in QC 1000.44.g, which refers to accountability and
incentives, is principles-based, and firms will be able to design and implement incentive
systems based upon their nature and circumstances. The “appropriate standards of
conduct” identified in the quality objective include fulfilling engagement and QC
responsibilities with competence, integrity, objectivity, and due professional care and
complying with applicable professional and legal requirements and the firm’s policies
and procedures, as described in paragraph .46 of the standard.
ii.

Technological resources (QC 1000.44.h)

Technological resources cover many aspects that collectively comprise a firm’s
technological environment, including information technology applications, infrastructure,
and processes (e.g., firm processes to manage access to the IT environment, program
changes, changes to the IT environment, or IT operations). Technological resources may
be developed by the firm or obtained, for example, from the firm’s network or a thirdparty provider.
The nature and extent of the use of technological resources differs across firms.
For example, some audit firms are making significant investments in technological
resources and expanding their use of technology-based audit tools, such as software used
to perform data analytics or to access information from a distributed ledger. Some
technology facilitates the operation of firms’ QC systems, such as monitoring individual
financial investments for purposes of compliance with independence rules. The
availability of “off-the-shelf” technological resources continues to evolve, leading to an

increase in firms of all sizes employing technology to assist in operating their QC
systems or planning and performing engagements.
The quality objective in QC 1000.44.h highlights that the proper use of
technological resources, in a manner that enables the operation of the firm’s QC system
and the performance of its engagements in accordance with applicable professional and
legal requirements and the firm’s policies and procedures, is the firm’s responsibility.
The proposal asked if the quality objective and specified quality responses related to
technological resources provide sufficient direction to enable the appropriate use of
emerging technologies. Commenters that addressed this question, generally firms,
indicated the proposed quality objectives and specified quality responses provide
sufficient direction. One commenter suggested that the standard does not create
incentives to use technology to improve audit quality.
The technology environment is dynamic, and firms’ use of technological
resources will likely continue to evolve in the future. The Board believes that principlesbased standards are more adaptable to future developments, less likely to become
obsolete, and less likely to discourage the use of emerging technologies. As a result,
QC 1000 does not include any prescriptive requirements related to how firms address
emerging technology. Instead, it includes a risk factor to prompt consideration of
technology as part of the firm’s risk assessment process.252 Separately, the Board has
proposed certain amendments to PCAOB auditing standards that address certain aspects
of designing and performing audit procedures using technology-assisted data analysis of
information in electronic format.253

See paragraph .20a.(1)(e) and Appendix B paragraph .B6 of QC 1000.

See Proposed Amendments Related to Aspects of Designing and Performing Audit Procedures
that Involve Technology-Assisted Analysis of Information in Electronic Form, PCAOB Rel. No.
2023-004 (June 26, 2023).

The Board adopted the technological resources quality objective as proposed. The
Board believes the risk-based approach creates incentives for firms to obtain or develop,
implement, maintain, and use technological resources throughout the firm based on the
size and nature of the firm.
iii.

Intellectual resources (QC 1000.44.i)

The quality objective in QC 1000.44.i related to intellectual resources did not
attract comment and was adopted substantially as proposed. The Board revised the note
to add “to enable the operation of the firm’s QC system,” consistent with the quality
objective.
Intellectual resources generally include the information the firm uses to promote
consistency in the execution of the firm’s QC system and the performance of
engagements. Intellectual resources may be made available through a variety of media,
including via written manuals or technological resources (e.g., the firm’s methodology
may be embedded in the information technology application that enables the operation of
the firm’s QC system and facilitates the performance of the engagement).
Intellectual resources may be obtained or developed internally, or acquired
externally (for example, a commercially available audit or QC methodology or a
subscription data feed). Regardless of how intellectual resources are acquired, the firm
remains responsible for ensuring they are fit for purpose and properly implementing and
maintaining them. For example, if a firm acquired its QC methodology from a vendor,
the firm is responsible for choosing a methodology and implementing it (including
appropriately identifying risks and designing, implementing, and operating appropriate
responses) in a way that enabled the firm’s engagements to be properly performed and
the firm’s QC system to operate in accordance with QC 1000. If a firm developed
methodology to direct the performance of its engagements in accordance with applicable
professional and legal requirements, and a new auditing standard were issued after that

methodology was implemented by the firm, the methodology would need to be updated
to properly address the applicable professional and legal requirements.
The quality objective related to intellectual resources in the final standard is
similar to the technological resources quality objective, as both objectives relate to
resources enabling the operation of the firm’s QC system and the performance of its
engagements in accordance with applicable professional and legal requirements and the
firm’s policies and procedures.
iv.

Resources from a network or third-party provider (QC 1000.44.j)

In some circumstances, the firm may use resources provided by a network or a
third-party provider. Such resources may include methodologies, applications, and tools
used in the firm’s QC system or the performance of its engagements.
The proposal included a quality objective in QC 1000.44.j related to the resources
provided by a network or a third-party provider. One commenter requested the objective
be broken into two quality objectives, as a firm’s approach to each of these groups may
be significantly different. The Board agrees that a firm’s approach to resources provided
by the network may be different from resources provided by a third-party provider, and
that the approach to different types of third-party providers could also vary. But the
Board does not believe that such differences compel separate quality objectives. A firm
may identify multiple quality risks and develop multiple quality responses related to a
single quality objective.
For example, a firm may use multiple third-party providers for a variety of
different resources, such as an audit methodology provider or a confirmation
intermediary. If these different types of third-party providers or resources present
different risks, the firm would be required to develop different quality responses. In that
scenario, the firm could have different policies and procedures applicable to different
types of third-party providers and/or different types of resources. A firm that is not

affiliated with a network is not required to establish a quality objective related to
network-provided resources and therefore would not identify quality risks or related
quality responses.
Notwithstanding that a firm may use resources from a network or a third-party
provider, the firm remains responsible for the use of these resources in the QC system
and performance of its engagements.
Consideration of the nature of the resources provided by the network or thirdparty providers, how and to what extent the resources will be used, and the general
characteristics of the third-party provider will assist the firm in determining whether it
needs to supplement or adapt such resources. For example, the firm may obtain its
methodology from a third-party provider under an arrangement whereby the third-party
provider agrees to update the methodology when new standards are issued. In this
scenario, the firm remains responsible for verifying that such changes are incorporated
into the methodology and supplementing the methodology if such changes are not made,
so that the firm’s resources support its performance of compliant engagements. As
another example, the firm may obtain a service from a third-party provider that provides
a System and Organization Controls 1 (SOC 1) report. The firm would be responsible for
verifying that the controls are designed effectively at the third-party provider and for
designing and implementing any complementary user entity controls identified in the
report.
The firm is also responsible for taking any necessary actions in using a resource
from a network or third-party provider to enable the resource to function effectively. For
example, the network or third-party provider may need information related to the firm’s
restricted entities so that it can facilitate independence confirmations. In addition, if the
firm discovered a problem with the design or operation of the resource, it may need to

communicate such problems to the network or third-party provider so that the resource
can effectively operate.
b. Resources specified quality responses (QC 1000.45-.51)
The proposal asked if the specified quality responses for resources were
appropriate. Two commenters that addressed this question supported the specified quality
responses. Two other commenters objected that the specified quality responses were too
prescriptive and suggested they be rewritten as risk-based quality objectives.
One commenter stated that certain of these requirements relate closely to auditing
standards and requested clarity on how QC 1000 is intended to interact with engagementrelated auditing standards. QC 1000 focuses on firm-level controls over compliance with
auditing standards, including those related to engagement performance.
The Board adopted the specified quality responses as proposed, with one
modification suggested by commenters. These specified quality responses carry
provisions from the PCAOB’s existing QC standards into QC 1000 or establish firm-level
requirements that align with existing engagement-level requirements. They also include
new requirements that the Board believes are important to a firm’s QC system.
The specified quality response related to appropriate standards of conduct did not
attract comment and was adopted as proposed.
The reference to “appropriate standards of conduct” reflects a number of concepts
in existing PCAOB standards, including:
•

Fulfilling responsibilities with professional competence;254

•

Integrity and objectivity;255

See, e.g., QC 20.13a, .13b, and .15a.

See, e.g., QC 20.10.

•

Due professional care (including the exercise of professional skepticism);256 and

•

Complying with applicable professional and legal requirements and the firm’s
policies and procedures.257
Firm personnel are individually responsible for complying with the firm’s

standards of conduct, and the firm’s policies and procedures around these standards of
conduct are intended to result in firm personnel being held accountable for their behavior
and actions. This includes evaluating firm personnel’s adherence to such standards of
conduct, addressing deviations, and holding personnel accountable for fulfilling their
engagement and QC responsibilities, including through the firm’s incentive system. The
Board believes the standards of conduct included in this specified quality response are
foundational to fulfilling not only engagement responsibilities, but also QC
responsibilities.
QC 40 addresses requirements regarding the competencies of engagement
partners and, by extension, EQRs.258 The proposed standard, in QC 1000.47, required that
firms’ QC policies and procedures address certain enumerated competencies, as well as
other competencies as necessary in the circumstances. Some commenters suggested that
the competencies identified in proposed paragraph .47a-h be moved to a quality objective
or staff guidance and argued that they were redundant to the auditing standards. The
Board believes that the competencies in paragraph .47 are applicable to all firms and
accordingly are appropriate as specified quality responses. One commenter asked for
clarification of the expectation of “including an understanding of” and suggested that the
standard include consideration of “other competencies as necessary in the

The general principles and responsibilities of the auditor when conducting an audit, including
professional skepticism and due professional care, are being reaffirmed and combined in AS 1000,
as adopted. See Auditor Responsibilities Release.

See, e.g., QC 20.03.

See, e.g., QC 40.08; AS 1220.05.

circumstances,” consistent with QC 40.08. The Board believes that auditors should be
familiar with the concept of obtaining an understanding, and note that the construct of
QC 40 is a restrictive list whereas the list of competencies in this requirement is
identified as “including” and not intended to be comprehensive, so the Board does not
believe a reference to other competencies is necessary.
One commenter indicated that the firm would not be in a position to impose the
specific requirements in paragraph .47 on individuals that are not part of the firm. The
Board has narrowed the requirement to apply only to firm personnel, rather than “others
participating in an engagement,” as proposed. It is noted, however, that other quality
objectives, such as those in paragraphs .44c and .44e, continue to apply with respect to
individuals outside of the firm as well as firm personnel. As discussed in more detail
above in the Acceptance and Continuance of Engagements discussion, the Board also
revised “client” to “company” in paragraph .47.
Paragraph .47 of QC 1000 both expands the required competencies for
engagement partners and requires certain competencies for other firm personnel in
engagement roles commensurate with their responsibilities. This includes applying
existing requirements for engagement partners—an understanding of, among other
things, the importance of exercising sound judgment, the role of the firm’s QC system in
the performance of engagements, and the industry in which the company operates—to
everyone in an engagement role, at a level commensurate with their responsibilities.
To reflect changes in the environment since the existing QC standards were
issued, the Board required competencies related to understanding the subject matter of
attestation engagements, the internal control framework and technology used by the
company, and the technological and intellectual resources used in performing
engagement procedures. Regarding technological and intellectual resources, the Board
required an understanding of how and whether it is appropriate to use these resources in

performing the engagement. This specified quality response does not imply that the
engagement partner or other firm personnel participating on an engagement need to be
knowledgeable about how such resources are developed.
QC 20 provides that policies and procedures are required to be established to
provide the firm with reasonable assurance that personnel participate in CPE and other
professional development activities that enable them to fulfill responsibilities assigned
and satisfy applicable CPE requirements.259 In addition, SECPS member requirements
provide that member firms are required to ensure that (1) all professionals in the firm
residing in the United States, including CPAs and non-CPAs, participate in at least 20
hours of qualifying CPE every year and at least 120 hours every three years and (2)
professionals who devote at least 25 percent of their time to performing audit, review or
other attest engagements, or who have the partner- or manager-level responsibility for the
overall supervision or review of any such engagements, must obtain at least 40 percent
(eight hours in any one year and 48 hours every three years) of their required CPE in
subjects relating to accounting and auditing.260
Through the PCAOB’s oversight activities, the Board has observed situations
where a lack of understanding of professional standards appears to have contributed to
audit deficiencies. These problems have been observed in domestic firms and
international firms, including firms that were not SECPS members.
One commenter requested the standard set out more specific requirements with
respect to training, identify areas or categories that must be regularly addressed, and not
eliminate the CPE obligation in the existing standard. Another commenter requested the
standard include minimum requirements related to training of audit staff. The Board

See QC 20.13; QC 40.02, .05.

See SECPS 1000.08(d), 8000. The SECPS member requirements provide that “accounting and
auditing subjects” should be broadly interpreted, and include, for example, subjects relating to the
business or economic environments of the entities to which the professional is assigned.

believes it is important for firms to provide training focused on areas where firm
personnel need to develop or maintain their competence so that they may fulfill their QC
and engagement roles. If the Board were to set specific requirements with respect to
training, firms may not evolve their training over time to respond to changes in the firm
or in the needs of firm personnel. The Board maintained the principles-based approach to
training.
Under the specified quality response in QC 1000.48, the firm is required to
provide training, including training on applicable professional and legal requirements,
that is mandatory for all firm personnel on an annual basis. This specified quality
response provides firms the ability to determine the type and extent of training necessary
based on their personnel and the nature and circumstances of the firm and its
engagements. For example, a firm may determine that training is necessary on a wide
array of topics for a certain level of staff within the firm. Another firm may determine
that training is necessary for one or more staff in a certain area due to a new engagement
or as a result of an area of development identified as part of a performance evaluation. A
firm may also decide that it is necessary to repeat training as a periodic reminder of
existing requirements, such as those relating to internal control over financial reporting.
Ultimately, the type and extent of training should be directed at whatever is necessary to
enable firm personnel to fulfill their assigned QC and engagement roles in accordance
with applicable professional and legal requirements and the firm’s policies and
procedures.
This specified quality response in QC 1000.49 did not attract comment and was
adopted as proposed.
This specified quality response relates to the quality objective in paragraph .44g.,
which provides that firm personnel are evaluated at least annually, incentivized to fulfill
their assigned responsibilities and adhere to appropriate standards of conduct, including

through compensation plans and performance decisions regarding performance that
appropriately prioritize quality considerations, and held accountable for their actions and
failures to act.
Specific to the individuals assigned ultimate responsibility and accountability for
the QC system as a whole and operational responsibility and accountability for the QC
system as a whole, the firm’s periodic performance evaluations of these individuals are
required to take into account the results of the firm’s evaluation of its QC system.261 A
firm will be able to determine its approach to comply with this specified quality response.
For example, the firm may set targets and measure the outcome of the evaluation of the
QC system against those targets. As another example, the firm may consider the
individual’s actions taken in response to identified QC deficiencies or major QC
deficiencies, including the timeliness and effectiveness of such actions. The periodic
performance evaluation of these individuals may be informal in a less complex firm or
undertaken by a special committee in a more complex firm.
No comments were received on the specified quality response in QC 1000.50 and
it was adopted as proposed.
Laws or regulations may establish requirements for the professional licensing or
other qualifications of the firm and firm personnel. Under this specified quality response,
the firm is required to have policies and procedures regarding licensure such that the firm
and firm personnel hold the required licenses or qualifications. The policies and
procedures address such matters as (1) the jurisdiction(s) where firm and firm personnel
are required to hold licenses or other qualifications, and (2) whether the firm and such
firm personnel comply with the jurisdictions’ requirements.

Evaluation of a firm’s QC system is addressed in paragraphs .77-.78 of QC 1000 and discussed
below.

The quality objective in paragraph .44h. provides that technological resources are
obtained or developed, implemented, maintained, and used to enable the firm’s QC
system and the performance of its engagements. As part of the firm’s quality response to
this quality objective, the firm’s technological resources should also have the
characteristics described in paragraph .51. One commenter stated that the quality
objective in proposed paragraph .44h is sufficient and this specified quality response
should be removed. The Board believes the firm’s policies and procedures should address
its technological resources having the capacity (resource requirements for the necessary
output), integrity (guarding against improper information modification), resiliency
(ability to operate and recover under adverse conditions), availability (ensuring timely
and reliable access to and use of information), reliability (ability to function consistently),
and security (protection against intentional subversion).262 These characteristics enable
the ongoing operation of the firm’s QC system and performance of its engagements. The
Board believes this specified quality response provides additional direction and has
retained it in the final standard.
Also related to technology, the proposal asked if the standard should include a
specified quality response that would require the use of technological resources by the
firm to respond to the risks related to the use of certain technology by the companies for
which the firm performs engagements. Several commenters did not support inclusion of
such a specified quality response. One commenter requested a requirement to design and
implement controls to prevent unauthorized access to data and technology. The Board did
not make any changes or additions to the quality objective or specified quality responses
related to technological resources because it believes the more general provisions

See, National Institute of Standards and Technology Glossary, available at
https://csrc.nist.gov/glossary.

appropriately address this issue, and more specific provisions are at risk of quickly
becoming outdated as technology evolves.
2. Current PCAOB standards
QC 1000 largely covers the same areas addressed in QC 20 and QC 40 for
personnel management and assignment of responsibilities.263 Existing PCAOB QC
standards do not provide specific direction on the use of intellectual resources or
technological resources, except for one application regarding independence.264
INFORMATION AND COMMUNICATION
This component addresses the firm’s processes for obtaining, generating, sharing,
and using information to enable the design, implementation, and operation of the QC
system and the performance of the firm’s engagements, and for communicating
information within the firm and to external parties.265 As discussed in more detail below,
the Board made some changes in response to commenter input but adopted most
provisions as proposed.
1. QC 1000
The information and communication area of the firm’s operations serves the
critical function of generating, gathering, and disseminating the information needed for
the firm, including the QC system, to function. The process of determining information
needs is iterative and ongoing; as the nature and circumstances of the firm change,
information needs also change. The information and communication component of the
QC system operates over this area of the firm’s operations.

See QC 20.13 and .22.

See SECPS 1000.46 (requirement 4).

Other aspects of the standard also include specific provisions regarding communication (see, e.g.,
paragraphs 16-.17 in Roles and Responsibilities, and paragraphs .31 and .35 in Ethics and
Independence).

One firm suggested that the information and communication component refer to
“relevant and reliable” information to convey that not all information is intended to be
obtained and disseminated to the relevant individuals or roles. The firm disagreed that
relevance and reliability is implied within the context of the proposed requirements, and
argued that the term “information” needs parameters and qualifying language to provide
boundaries to the vast amount of information that exists or could be created in the context
of a firm’s QC system. The firm further argued that without appropriate qualifiers, the
breadth of information to be considered and/or communicated within a QC system will
inhibit firm leaders from identifying and focusing on information most relevant to the
successful operation of the QC system. As discussed in the proposal, in determining
specific information to be communicated to firm personnel, including the nature and
extent of such communication, the firm may consider the type of information that is
relevant to the recipients given their roles and responsibilities within the firm. The Board
continues to believe that information would have to be relevant and reliable to support the
operation of the firm’s QC system and the performance of the firm’s engagements in
accordance with applicable professional and legal requirements, so that a reference in the
standard to “relevant and reliable” information is unnecessary.
a. Information and communication quality objectives
The standard requires the firm to establish a number of quality objectives for the
information and communication component. These objectives are discussed in more
detail below. One firm commented that, as the proposed quality objectives for
information and communication are broadly consistent with other jurisdictional and
international quality control/management standards, they are appropriate, and no further
changes are needed.
i.

Identifying, capturing, processing, and maintaining information (QC
1000.53.a)

Identifying, capturing, processing, and maintaining information is an ongoing
process necessary to support the firm’s QC activities and the performance of its
engagements in accordance with applicable professional and legal requirements.
Information systems vary from firm to firm and encompass various sets of activities
involving people, processes, data, or technology, or some combination thereof. Some
firms’ information systems may be heavily reliant on IT aspects while other information
systems may require more manual intervention. Firms are able to determine the type of
information systems necessary to achieve their quality objectives.
One commenter suggested that the information and communication component
could be enriched by explicitly integrating academic audit and accounting studies as a
vital source of information to be used by firms to inform their QC system. The Board
believes that the quality objectives within the information and communication component
sufficiently establish the desired outcomes for the identification of external information
to support the operation of the firm’s QC system. A firm may determine that the
conclusions of certain academic studies inform the design or operation of its QC system.
Furthermore, depending on the nature and circumstances of the firm and its engagements,
the firm may consider any applicable academic studies in the firm’s risk assessment
process as it obtains an understanding of the conditions, events, and activities that may
adversely affect the achievement of its quality objectives. The requirement was adopted
as proposed.
ii.

Exchange of information (QC 1000.53.b-.c)

Information is essential to firm personnel being able to understand and fulfill their
responsibilities relating to the QC system and the performance of the firm’s engagements.
For example, through the Board’s oversight activities, it observed improved audit quality
when there was regular, consistent communication among members of the engagement

team.266 The quality objective prompts firms to tailor the nature, timing, and extent of
information communicated based on firm personnel’s responsibilities, including those
related to the firm’s policies and procedures.
Communication is generally an ongoing process that involves all firm personnel.
For example, the firm communicates information to engagement teams, such as
information obtained during the firm’s acceptance and continuance process that is
relevant in performing the engagement. Engagement teams also communicate
information to the firm—for example, information about the company obtained during
engagement performance that may assist the firm when evaluating whether to continue
the engagement. Two-way communication may also occur among firm personnel. For
example, firm personnel performing engagements may exchange information directly
with firm personnel performing activities within the firm’s QC system, such as
information to facilitate compliance with the firm’s independence policies and
procedures. The standard emphasizes the need for two-way communication within the
firm and the responsibility of all firm personnel to communicate information.
One commenter addressed the quality objectives set out in paragraphs .53b.-.53c.
of the proposed standard related to the timely exchange of information between firm
personnel and leadership, including those with responsibilities for the firm’s QC system.
The commenter recommended that the final release clarify that the firm’s policies and
procedures assist in promoting communication such that the appropriate individuals with
responsibilities over the firm’s QC system become aware of relevant matters in a timely
manner, as appropriate for the size and the scale of the firm and relative nature of the
matter. As discussed above, the Board believes timely communication and action should

See, e.g., 2019 Inspection Observations Preview at 5.

be sufficiently prompt to achieve its objective and that timeliness is a function of the
nature and significance of the issue. These requirements were adopted as proposed.
iii.

External parties (QC 1000.53.d-.e)

There are many circumstances in which firms communicate information about
themselves and their performance to external parties. Some external communications are
required by law or regulation, such as the transparency reporting that is required in some
jurisdictions, and others are made by firms voluntarily, for example, in connection with
marketing or recruitment efforts.
The standard requires the firm to establish a quality objective that addresses
communications to external parties in accordance with applicable professional and legal
requirements. This quality objective focuses firms on providing the necessary
communications to external parties when required. Among other things, this objective
(paragraph .53d.) covers the completeness, accuracy, and timeliness of a firm’s existing
annual and periodic reporting to the PCAOB (i.e., Forms 2 and 3, Form AP, and Form
QC). It would also cover reporting under the Board’s proposed revised reporting
requirements and metrics requirements267 if those are ultimately adopted by the Board
and approved by the SEC.
An investor expressed concern with the absence of references to investors or the
public from the examples of external parties, and further commented that the proposal
makes no mention of the role of quality control with respect to critical audit matters. This
provision relates to communications to external parties that are required under applicable
professional and legal requirements. Under current requirements, the only required
communication from the audit firm to investors is the audit report. Audit reporting is part
of engagement performance, is covered by a separate quality objective relating to

See PCAOB Rel. No. 2024-002.

engagement performance,268 and is not addressed by this quality objective. To the extent
that a communication to a regulator is ultimately available to the public (as is the case
with, for example, various forms filed with the PCAOB), such communications would be
covered by this quality objective, thus providing downstream benefits for investors and
the public.
A firm recommended that the scope of the requirement be limited to information
or communications regarding a firm’s audit practice and engagements performed in
accordance with PCAOB standards. As discussed in more detail above, the definition of
applicable professional and legal requirements in the final rule has been more narrowly
tailored to address engagements, as defined in QC 1000, and the QC system itself. The
Board believes this change addresses the commenter’s concern about the possible
overbreadth of the quality objective, and the Board adopted it as proposed.
The PCAOB also observed that some firms make public communications about
firm-level or engagement-level information, such as firm metrics and financial data. For
example, some firms publish transparency or audit quality reports, either voluntarily or in
response to the requirements of other jurisdictions, that contain data such as:
•

Revenue breakdown by service line, by year, or by geographic segment;

•

Professional staff ratios;

•

Staff turnover ratios;

•

Average training hours per professional; and

•

Partner workload.
In addition to transparency or audit quality reports, firms may communicate these

data via web pages or other media, such as promotional publications, social media,
interviews, or presentations via webcast or video. Furthermore, if adopted, the Firm and

See paragraph .42a.(3): “Responsibilities are understood and fulfilled . . . , including, as applicable
. . . Responsibilities for reporting and other communications with respect to the engagement.”

Engagement Metrics proposal will require firms to publicly report certain metrics relating
to their audits and their audit practices.
Regardless of the form of communication and the type of information presented,
the Board believes that firms’ QC systems should address the integrity of firms’ external
communications about themselves and the performance of their engagements. Such
information can influence the views of relevant stakeholders, including audit committees
determining whether to engage or retain an auditor and investors determining whether to
ratify such an appointment.
The proposed standard contemplated that the firm would establish a specific
quality objective that firm-level or engagement-level information communicated
externally is accurate and not misleading and, with respect to any performance metrics,
that the communication explains in reasonable detail how the metrics were determined
and, if applicable, how the metrics or the method of determining them changed since
performance metrics were last communicated. The Board’s view is that a specific quality
objective in this area will prompt firms to implement targeted policies and procedures
that address, for example, the quality and consistency of data and the need for context or
explanation. This in turn will improve the informativeness, reliability, and comparability
of such communications and avoid misleading the intended audience.
Several commenters, including firms and related groups, broadly supported the
quality objectives or agreed that it is important to address communications to
stakeholders about a firm’s or engagement’s performance, and that such communications
should be accurate and not misleading. However, many of the commenters on this topic
raised concerns with regard to the proposed quality objective addressing the firm’s
external communications relating to metrics.
Several commenters suggested that additional clarification be provided on the
metrics and communications that are in scope for the quality objective. Some

commenters recommended that the scope of the requirement be limited to metrics related
to audit quality that are required to be communicated under applicable professional, legal,
or other regulatory requirements and are communicated publicly. One firm recommended
that the scope of metrics be limited to those related to the effectiveness of the firm’s QC
system or audit quality, and that the scope of the communications be limited to “formal”
external reporting such as audit quality reports, transparency reports, communications
with audit committees, and other published reports. Another firm recommended that the
external communications in scope for the objective should be limited to communications
externally about audit quality and should not extend to other external information issued
by the firm that is not specifically related to audit quality such as marketing
communications or recruiting information. The firm further argued that this limitation on
scope to only audit-quality-related external communications should also apply to the
communication of how metrics were determined and explanations of year-on-year
changes. Another firm recommended that the scope be limited to information or
communications regarding a firm’s audit practice and engagements performed in
accordance with PCAOB standards.
One firm expressed concern regarding firms’ ability to design and implement
quality responses to address the risk of every type and form of information
communicated given the broad scope of the requirement. The firm recommended that the
scope should be limited to information resulting from and regarding the evaluation of the
firm’s QC system, which will allow firms to focus efforts on the information that is most
meaningful to stakeholders, which in turn will enhance the reliability of such information.
One firm commented that in addition to recommending limiting the quality
objective to engagements performed under PCAOB standards that would be subject to the
firm’s QC system, it may not be practicable to communicate in reasonable detail how a
metric was determined in all situations (e.g., if the metric was provided in a speech). The

firm asserted that it should be allowed to present the information about how a metric was
determined and, if necessary, how it changed, in a single, publicly available location
(e.g., on the firm’s website). One firm commented that the level of disclosure that would
be required may create confusion or may not ultimately be necessary, in particular in
instances when the metric does not relate to audit quality. Further, the firm stated that the
disclosures may conflict with requirements that may apply to registered firms outside of
the U.S. Another firm recommended that the words “explains in reasonable detail how
the metrics were determined and, if applicable, how the metrics or the method of
determining them changed since performance metrics were last communicated” be
removed from the quality objective. The firm asserted that this requirement may
discourage smaller firms from including many quality metrics in their audit quality,
transparency, and similar reports given limited time and resources available to produce
their voluntary report. Some commenters, including firms and a related group,
recommended that considerations related to metrics in QC 1000 be taken up as part of the
PCAOB’s research project on firm and engagement performance metrics.
After consideration of the comments received, the Board continues to believe it is
appropriate that all firm communications to external parties regarding themselves and
their audit practice, in whatever medium, meet the minimum standard of being accurate
and not misleading.
However, in response to commenters, the Board clarified the quality objective in
certain respects. It has clarified that the quality objective is limited to communications
regarding the firm’s audit practice, firm personnel, or engagements and removed the
word “performance” from the phrase “performance metrics,” to align with the
terminology use in the Board’s proposed metrics requirements.269 Additionally, the Board

See PCAOB Rel. No. 2024-002.

revised the quality objective to provide that only metrics communicated in writing require
an explanation of how the metrics were determined and, if applicable, how the method of
determining them changed since metrics were last communicated. The Board believes
this will address commenter concerns about the feasibility of providing such explanations
for metrics communicated orally. In addition, the Board removed the requirement to
explain in reasonable detail, if applicable, how the metrics themselves have changed
since they were last communicated. The Board believes that requiring an explanation of
how the metrics were determined and, if applicable, how the method of determining the
metric changed since it was last communicated will enhance the understandability and
comparability of the metrics made available to external parties. However, the Board does
not believe it to be necessary to require narrative discussion of numeric changes in the
metric period over period if there has been no change in the underlying calculation
method.
These disclosures may be incremental to requirements that could apply to
registered firms outside of the U.S., however, the Board does not believe that these
requirements will operate in conflict. The Board has observed variation and complexities
in how metrics are defined and calculated by firms, as well as changes in the calculation
method over time such that it believes this quality objective is necessary to improve the
informativeness, reliability, and comparability of such communications and avoid
misleading the intended audience. In addition, over 100 unique qualitative disclosures
and quantitative audit quality metrics have been observed by the Center for Audit Quality
(“CAQ”) in its analysis of the CAQ’s eight Governing Board firms’ most recent audit
quality reports.270 The Board believes this indicates both a demand for and an ability to

See Audit Quality Reports Analysis: A Year in Review, available at https://www.thecaq.org/aqranalysis-yir/.

supply metrics, which further emphasizes the need for consistency and comparability of
the metrics.
The Board considered whether it would be appropriate to allow for additional
disclosures relating to metrics to be presented in a single public location such as the
firm’s website. However, the Board believes that by limiting the requirement to written
communications, it has eliminated the concern about how to present such information
with respect to an oral communication, and given the importance of the information to
the intended audience, that this should be presented in the same written communication
as the disclosed metrics.
The Board received feedback from a number of commenters, including investors
and related groups, criticizing the proposal for failing to include required metrics or audit
quality indicators. The Board has proposed a separate standard on firm and engagement
metrics271 and it has addressed these comments in that proposal.
iv.

Networks (QC 1000.53.f)

If the firm belongs to a network, exchange of information between the firm and
the network may play an important role in supporting the operation of the firm’s QC
system and the performance of its engagements. For example, if the network performs
certain monitoring activities relating to the firm’s QC system, the network’s
communication of information (e.g., results of its monitoring activities or any changes to
its activities from the prior year) may result in the firm adjusting the nature, timing, and
extent of its own monitoring activities. On the other hand, the firm may need to
communicate to the network when there are changes to the firm’s QC system that may
affect the network’s monitoring activities.

See PCAOB Rel. No. 2024-002.

The Board did not receive comment on the proposed quality objective relating to
the exchange of information between a firm and a network and adopted it as proposed.
v.

Other participants (QC 1000.53.g-.h)

Many firms have increasingly involved parties outside the firm in QC functions,
such as independence compliance, and engagement functions, such as performing audit
procedures and evaluating audit evidence. Working with other participants can differ
from working with individuals within the firm. For example, auditor-engaged
specialists272 may have different professional training and experience and may operate
under a different type of QC system, or none at all. Firms may experience differences in
local norms and expectations when working with firms based in other jurisdictions. These
and other factors give rise to risks in the communication between firm personnel and
other participants, including the potential for misunderstandings regarding the audit effort
needed to meet the objective of the other participant’s work.273 It is therefore imperative
that appropriate communications take place between the firm and other participants to
enable the other participants to understand and carry out their responsibilities relating to
activities within the firm’s QC system and the performance of its engagements in
accordance with applicable professional and legal requirements and the firm’s policies
and procedures.
The Board broadened the language of the quality objective to clarify that it
applies to the use of participants in both the firm QC system and in engagements.
For other participants that are firms, the Board proposed that information obtained
from the other participants should include the conclusion of the most recent evaluation of
its QC system and a brief overview of remedial actions taken and to be taken, as well as a

AS 1210, establishes requirements regarding the use of a specialist engaged by the auditor’s firm
(“auditor-engaged specialist”) to assist the auditor in obtaining or evaluating audit evidence with
respect to a relevant assertion of a significant account or disclosure.

See, e.g., PCAOB Rel. No. 2022-002.

footnote clarifying that the most recent evaluation of the other participant firm’s QC
system refers to that firm’s evaluation under paragraph .77 of QC 1000 as of the most
recent evaluation date, if such an evaluation was performed, and otherwise to the most
recent QC evaluation performed by the other participant firm under any professional
standard.274
One commenter stated that audit firms monitor the quality of member firms but
have typically been reluctant to share negative information about a member firm, and that
requiring transparency in such information would be beneficial. However, several firms
and related groups expressed concerns about the impact of having other participant firms
share the most recent evaluation of their QC system based on the confidentiality
protections set out in Sarbanes-Oxley or other relevant local laws and regulations. Two
firms commented that these concerns would be alleviated if the definition of QC
deficiency was updated to align with the definition in ISQM 1 and SQMS 1. One firm
commented that the proposed quality objective addressing information and
communication related to other participants is appropriate, however if information is to
be shared at the deficiency level, the firm is concerned that this would violate the
confidentiality provision within Sarbanes-Oxley. Another firm suggested limiting the
extent of information shared to only what is necessary for firms to achieve the reasonable
assurance objective. This firm agreed with obtaining and considering the other participant
firm’s overall conclusion of the most recent evaluation of the QC system, however it
argued that this should not include information regarding deficiencies, if any, and
remedial actions taken and to be taken. Some commenters argued that firms should be
able to take a risk-based approach in determining whether it is necessary to request
specific information regarding an other participant firm’s QC system.

See, e.g., ISQM 1 paragraphs .53-.54; and SQMS 1 paragraphs .54-.55.

One firm-related group argued that certain international legislation may be an
issue for firms when reporting clients’ or individuals’ personal information. The
commenter further expressed concerns that those firms applying QC 1000 fully and
reporting thereunder may be selected in preference to those using other standards.
Another firm-related group expressed concern that a firm-level QC inspection finding
might result in the best firm for the component auditor role being bypassed. The
commenter further suggested that guidance is needed for when the evaluation and/or
overview of remedial actions is not forthcoming.
Some commenters, including firms and a related group, argued practical concerns
regarding the application of the requirement to other participants not registered with the
PCAOB. One firm commented that, while it is not aware of any legal or regulatory
concerns with other participants sharing the most recent evaluation of their QC system, it
suggested that the PCAOB state that firms will not violate this requirement if local laws
or regulations exist that prevent compliance.
After consideration of the comments received, the Board amended the standard to
limit the information that should be obtained to only the conclusion of the most recent
evaluation of the QC system. The Board believes that this addresses commenter concerns
relating to the risk of communicating privileged information. Furthermore, the Board
continues to believe that obtaining the communication of the conclusion of the other
participant’s most recent evaluation may assist a firm in determining the nature and
extent of supervision of the work of other participants or deciding whether other
participants are fit to participate in the firm’s engagements, including ensuring that the
best firm for the job is not bypassed. If necessary, the firm may discuss the conclusion
with the other participant firm to seek to gain a better understanding of the basis for such
conclusion.

The Board believes that in practically all cases, the firm would be able to obtain
the conclusion of the most recent evaluation of the other participant’s QC system.
However, if a firm is unable to obtain this (for example, if the other participant has not
performed an evaluation, or if local laws forbid them from sharing it), then the firm
should assess what other procedures are necessary to achieve the quality objective.275
One firm commented that paragraph 53f. specifically addressed networks, while
.53g. addresses other participants, and that it was unclear whether paragraph .53g. also
applies to networks given their inclusion in the definition of “other participants” or if the
Board intends for paragraph .53g. to apply to any other party defined within “other
participants.” Paragraph .53g. applies to firms within a network to the extent that the firm
is an other participant, as defined in QC 1000.A7 and discussed in more detail above.
Another firm expressed concerns that it may not be able to practically apply
paragraph .53g. to all “other participants.” Specifically, the firm requested clarification as
to the expectation regarding the extent to which firms design policies and procedures to
ensure other participants comply with applicable professional and legal requirements,
including bifurcation of participants that are part of the engagement team as compared to
participants in the firm’s quality control system. Another firm suggested it would be
impractical to suggest that a firm’s QC system can be applied to other participants or that
they would explicitly comply with the firm’s policies and procedures as if they were part
of the firm. As discussed in more detail above, just because a quality objective or other
provision of QC 1000 refers to all types of other participants in the same way, this does
not mean that the firm should respond by treating all types of other participants in the
same way. The firm’s policies and procedures addressing other participants should
differentiate based on the types and roles of other participants to the extent necessary to

See PCAOB Rule 3101(a)(2).

be responsive to the firm’s quality risks (for example, the firm would have different
policies for the use of engaged specialists versus external EQRs).
The proposed requirement in paragraph .53.h did not draw comment and was
adopted as proposed.
The firm may also participate in another firm’s engagement as an other
participant. For the same reasons that apply when the firm is issuing the engagement
report and using the work of other participants, it is important that there is an appropriate
exchange of information in order to enable the firm serving as an other participant to
fulfill its role in accordance with applicable professional and legal requirements.
d. Information and communication specified quality responses (QC 1000.55-.56)
One firm commented that the proposed specified quality responses for
information and communication are appropriate. Other comments that are specific to each
specified quality response are discussed below.
The requirement in paragraph .55 carries forward an existing requirement from
the PCAOB’s QC standards and extends it to cover other participants, not just firm
personnel.276 One firm suggested that, as it relates to other participants, the quality
objective in paragraph .53g. was sufficient, and the specified quality response was not
needed. Another firm commented that it is concerned that expanding the requirement to
communicate quality control policies and procedures beyond firm personnel to include
other participants may not be operational due to the size, content, and methods of
accessing the policies and procedures. The firm further asserted that the proposed
standard may inappropriately blur the lines between a firm’s system of quality control
and engagement-level requirements that are already addressed through existing PCAOB
standards and rules. The Board believes that other participants play an important role in

See QC 20.23.

the operation of the firm’s QC system and the performance of its engagements and that it
is imperative for these other participants to be aware of the firm’s policies and procedures
to the extent required to enable them to carry out their responsibilities. For that reason,
the Board believes it is necessary to expand the existing requirement to include other
participants in a specified quality response.
To address the concern about the volume of material required to be shared with
other participants, the Board clarified the requirement by providing that policies and
procedures should be communicated “to the extent” and in a manner reasonably designed
to enable firm personnel and other participants to carry out their responsibilities; in other
words, the requirement is to communicate what firm personnel and other participants
need to know, not necessarily all of the firm’s policies and procedures. For example, a
firm would communicate to an EQR contracted by the firm its policies and procedures
related to EQR review and independence. In addition, although the wording of the
requirement is different, the substance of the existing requirement277 is unchanged.
Reference to “reasonably designed and implemented” captures the existing requirement
to communicate in “a manner that provides reasonable assurance that those policies and
procedures are understood and complied with” without repeating the reasonable
assurance already captured by the overarching objective of the QC standard.
Another commenter requested clarification as to whether the communication of
policies and procedures is required in narrative, flowchart, or other form. The Board
believes that the policies and procedures should be in writing and in a manner that is
reasonably designed to enable firm personnel and other participants to understand and
carry out their responsibilities relating to activities within the firm’s QC system and the
performance of its engagements. The format of these policies and procedures may vary

See QC 20.18.

depending on the specific responsibilities being addressed and how the firm wants to
communicate them.
Under the existing PCAOB standard, the firm is also required to make timely
communications to appropriate personnel regarding changes to its established quality
control policies and procedures. The Board does not think it is necessary to address
changes to policies and procedures separately; the requirement is to communicate
policies and procedures as in effect, which includes changes to such policies and
procedures over time. If the firm needs to communicate changes to its policies and
procedures to enable firm personnel and other participants to understand and carry out
their responsibilities, then the specified quality response will require such
communication.
Given the importance of information generated from the monitoring and
remediation process, paragraph .56 includes a specified quality response that requires the
firm to communicate such information to firm personnel to enable them to take timely
action. In determining specific information to be communicated to firm personnel,
including the nature and extent of such communication, the firm may consider the type of
information that is relevant to the recipients given their roles and responsibilities within
the firm. For example, information communicated to engagement teams may be focused
on a description of identified engagement deficiencies and related remedial actions that
are likely to be relevant to such firm personnel and their engagements. Information
communicated to all firm personnel may relate to deficiencies identified through QC
system-level monitoring activities, such as compliance issues in connection with the
firm’s ethics and independence policies and procedures.
One firm asserted that the requirement to communicate identified engagement
deficiencies and QC deficiencies to firm personnel could hold firms to a higher standard
than may be prudent, and that a perceived requirement to communicate each engagement

deficiency seems imbalanced to appropriately influence change. The specified quality
response requires that such communications be made to enable firm personnel to take
timely action in accordance with their responsibilities. Based on the results of the
monitoring and remediation process, the firm can assess the nature and extent of the
communications to be made, and this should be commensurate with the risk that other
similar unidentified engagement deficiencies exist; for example, for engagement
deficiencies related to the examination of broker-dealer compliance reports, the firm may
limit the communications to firm personnel working on broker-dealer engagements and
adjacent industry sectors.
In addition, under paragraph .57 the firm is required to communicate the results of
the annual evaluation of its QC system to certain individuals in firm leadership positions.
These individuals may use this information in various ways, for example, as a basis for
further communications to firm personnel about the importance of quality or to address
concerns about the QC system in a timely manner. The requirement reinforces firm
leadership’s responsibility and accountability for the firm’s QC system.
2. Current PCAOB standards
Existing PCAOB QC standards focus principally on communication of certain
information, specifically:
•

Firm QC policies and procedures;278

•

Weaknesses identified in the QC system or the level of understanding or
compliance therewith;279

•

Internal inspection findings;280

See QC 20.23.

See QC 30.03.

See QC 30.06.

•

Principles that influence the firm’s policies and procedures on matters related to
the recommendation and approval of accounting principles, present and potential
client relationships, and the types of services provided;281

•

Additions to the Restricted Entity List;282 and

•

Notification to the SEC of resignations and dismissals from audit engagements for
SEC registrants.283
QC 1000, by contrast, more broadly addresses the firm’s responsibilities

regarding its information system and internal and external communications.
MONITORING AND REMEDIATION PROCESS
1. QC 1000
a. Overview (QC 1000.58)
The monitoring and remediation process is an integral part of an effective QC
system because it creates a feedback loop to inform the firm’s risk assessment process.
The feedback loop will help the firm identify and assess new and evolving quality risks
and design and implement effective quality responses. It drives a firm’s focus on
continuing to improve its QC system, with a view to preventing future engagement
deficiencies. The monitoring and remediation process applies to the design,
implementation, and operation of all QC system components, including the monitoring
and remediation component, and provides the basis for a firm’s evaluation of whether its
QC system is effective and for reporting on the QC system.284
The Board has observed through its oversight activities that some firms have
made significant efforts to enhance their monitoring and remediation process, which has

See SECPS 1000.08(l), 1000.42.

See SECPS 1000.46 (requirement 5).

See SECPS 1000.08(m); see also Appendix 5 for a proposed new standard, AS 1310, Notification
of Termination of the Auditor-Issuer Relationship, that would retain existing requirements of
SECPS 1000.08(m) and apply those requirements to all firms.

For further discussion of the evaluation of a firm’s QC system, see below.

led to improvements in the firms’ QC systems and in audit quality. These efforts include
increased attention to ongoing monitoring activities, internal monitoring of both inprocess and completed engagements, root cause analysis of both positive outcomes and
QC deficiencies, and remedial actions to address QC deficiencies. However, PCAOB
inspections continue to identify deficiencies for some firms, suggesting that not all firms
have made meaningful improvements in these areas.
Under QC 1000, the monitoring and remediation process addresses the following:
•

General requirements;

•

Engagement monitoring activities;

•

QC system-level monitoring activities;

•

Monitoring activities performed by a network;

•

Determining whether engagement deficiencies exist;

•

Responding to engagement deficiencies;

•

Determining whether QC observations exist;

•

Determining whether QC deficiencies exist;

•

Responding to QC deficiencies; and

•

Monitoring the implementation and operating effectiveness of remedial actions.
Under the standard, a firm performs monitoring activities to determine whether its

quality responses are properly designed and operating as intended, such that the firm’s
quality risks are sufficiently mitigated and its quality objectives are achieved. As
described later, the results of the firm’s monitoring and remediation process are to be
evaluated annually as part of the evaluation of the QC system. Therefore, the monitoring
activities conducted need to be sufficient to support the conclusions reached during such
an evaluation.
b. General requirements (QC 1000.59-.61)
The standard specifies three goals for the monitoring and remediation process:

•

Relevant, reliable, and timely information. Monitoring and remediation must
provide information about the design, implementation, and operation of the firm’s
QC system that is relevant, reliable, and timely. The information obtained from
monitoring activities informs a firm about actions, behaviors, or conditions that
contributed to issues that need to be addressed and may also provide insights as to
factors that help prevent deficiencies from occurring. For example, information
obtained about actions, behaviors, and conditions related to an engagement that
was subject to internal or external monitoring activities where no deficiencies
were identified may provide insights about good practices to use when addressing
issues on similar engagements.

•

Reasonable basis for timely detection of engagement deficiencies and QC
deficiencies. The standard uses the concept of “reasonable basis,” which is present
throughout PCAOB auditing standards, including the standards governing the
auditor’s report.285 Therefore, this concept is well understood by the profession.
“Timely” as it relates to the detection of engagement deficiencies means that the
firm’s monitoring activities are designed to identify deficiencies as promptly as
practicable. For example, the Board expects that the firm’s monitoring activities
will generally enable the firm to identify deficiencies in calendar year-end
engagements in time to include them in its evaluation of the QC system as of the
following September 30.

•

Timely remediation. The firm’s monitoring and remediation process must enable
timely remediation of identified engagement deficiencies and QC deficiencies.
What constitutes “timely” depends on the deficiency’s nature, scope, and impact.

See, e.g., AS 3101.09f (noting that one of the elements in the Basis for Opinion section of the
auditor’s report is “[a] statement that the auditor believes that the audit provides a reasonable basis
for the auditor’s opinion”).

For example, where there is a high risk of severity or pervasiveness, remedial
actions may have to be immediate to be timely.
The first element of monitoring and remediation is designing and performing
monitoring activities for engagements and the QC system itself. The Board believes that
the selected frequency and timing of the firm’s monitoring activities (e.g., a combination
of ongoing and periodic monitoring activities) are important elements in achieving an
overall effective monitoring and remediation process. Ongoing monitoring activities are
generally those activities that are routine in nature, built into the firm’s processes, and
performed on a real-time basis. Periodic monitoring activities, by contrast, are conducted
from time to time at set intervals. The use of ongoing and periodic monitoring activities
would vary by firm and be influenced by the nature and circumstances of the firm.
The other elements of the monitoring and remediation process specified in the
standard are:
•

Determining whether engagement deficiencies exist and responding to them.

•

Determining whether QC observations exist.

•

Determining whether QC deficiencies exist.

•

Performing root cause analysis of QC deficiencies.

•

Designing and implementing remedial actions to respond to QC deficiencies and
determining whether such actions are implemented as designed and operate
effectively.

These other elements are discussed below, in relation to the requirements of paragraphs
.61-.76.

QC 1000 requires that the firm’s QC system include both engagement monitoring
activities and QC system-level monitoring activities. The standard differentiates
engagement monitoring activities from QC system-level monitoring activities. The two
types of activities would provide different kinds of information and, in the Board’s view,
a firm would need both in order to have a reasonable basis for detecting engagement and

QC deficiencies and evaluating its QC system. Engagement monitoring activities are
monitoring procedures performed on engagements, including in-process and completed
engagements. QC system-level monitoring activities are monitoring procedures regarding
aspects of a firm’s QC system, including the firm’s risk assessment and monitoring and
remediation processes.
Notwithstanding the differences between engagement monitoring activities and
QC system-level monitoring activities, a firm could design and perform dual-purpose
monitoring activities – i.e., activities directed at individual engagements that also address
aspects of the firm’s QC system. For example, a firm could perform engagement
monitoring activities related to acceptance and continuance of engagements that would
also address the design, implementation, and operation of the acceptance and continuance
of engagements component of the firm’s QC system.
QC 1000 defines “engagement” as any audit, attestation, review, or other
engagement performed under PCAOB standards (1) led by a firm or (2) in which a firm
plays a substantial role in the preparation or furnishing of an engagement report. Under
the standard, substantial role engagements that the firm undertakes would be required to
be included in the population of engagements on which the firm performs monitoring
activities. In situations where the firm participates in another firm’s engagement but does
not play a substantial role, while such work would not be treated as the firm’s own
“engagement” for purposes of the standard, any firm that was required to implement and
operate an effective QC system under the standard is required to extend its QC system to
all audit, attestation, review, and other work it performs under PCAOB standards,
including other firms’ engagements in which the firm plays less than a substantial role.
In general, for purposes of QC 1000, engagement monitoring activities are
performed only on “engagements” as that term is defined in the standard. One firm
suggested that audit quality should consistently be measured for all engagements,

whether performed under the PCAOB standards or other auditing standards, and therefore
a firm’s QC system should provide reasonable assurance of performing all such
engagements in compliance with applicable laws and professional requirements. This
firm urged the Board to consider whether the monitoring-related requirements in
QC 1000 that use the term “engagements” (as defined in QC 1000) may result in a lost
opportunity to fully capitalize on the expected benefits of a more comprehensive
monitoring program. Given the limits of the Board’s statutory authority under SarbanesOxley, the Board does not believe it would be appropriate to expand the scope of the term
“engagements” to include work performed under standards of other standard-setters.
However, nothing prevents firms from developing a single QC system for their entire
audit practice that satisfies both PCAOB requirements and other professional standards to
which the firm is subject, which could include performing the same types of monitoring
activities for both PCAOB engagements and other audits.
The Board also understands that firms that perform only a small number of issuer
and broker-dealer engagements would be significantly affected by a requirement to
perform monitoring activities over PCAOB “engagements” every year.286 In the extreme
case, a firm that issues an audit report for only one issuer would have to monitor the same
engagement every year. The prospect of annual monitoring could disincentivize partners
from serving as the engagement partner and ultimately affect competitive conditions in
the market. Accordingly, paragraph .61a includes a note that permits firms that issued
engagement reports for five or fewer issuers, brokers, and dealers in the previous year to
include audits not performed under PCAOB auditing standards in their engagement
monitoring activities for purposes of QC 1000, so long as the audits are selected taking
into account the factors in determining the nature, timing, and extent of engagement

Firms that issued audit opinions for between one and five issuers or broker-dealers represented
38% of all registered firms in 2022, 39% in 2021, and 43% in 2020.

monitoring activities set forth in paragraph .64. This accommodation takes into
consideration the structure of the SEC’s partner rotation requirements exemption for
small firms,287 and is limited to audits rather than attestation work because audits are
performed under more rigorous standards. These firms will still have to design,
implement, and operate a monitoring and remediation process that meets the
requirements of QC 1000, including the requirements regarding the objectives and
elements of the monitoring and remediation process set forth in paragraphs .59 and .60,
which focus on “engagements” as defined in the standard. The firms will also be subject
to the requirement under paragraph .62b to inspect at least one completed PCAOB
engagement for each engagement partner on a cyclical basis, as discussed below.
Current PCAOB QC standards provide that, in some circumstances, individuals
may perform monitoring procedures over the same areas for which they are
responsible.288 Such monitoring procedures are a type of self-assessment and under the
proposed standard, self-assessments would not have been permissible. Individuals would
lack the requisite objectivity if they reviewed engagements in which they participated (or,
in the case of audits, for which they performed the engagement quality review), or
monitoring activities for which they participated in the design, implementation, or
operation of the activity.
Two commenters agreed that self-assessment should not be permitted in QC 1000.
Other commenters, including firms and a related group, raised concerns regarding the
proposal’s disallowance of self-assessments as part of a firm’s monitoring and
remediation process. Specific concerns included the impact of this requirement on
smaller firms and the resource constraint that may be very difficult for firms to overcome

See 17 CFR 210.2-01(c)(6)(ii).

See QC 30.10, which applies to small firms with a limited number of management-level
individuals.

if individuals who may be involved in an engagement through consulting with
engagement teams, evaluating engagement team progress, or monitoring turnover on the
engagement team are ineligible to perform monitoring activities.
While the Board appreciates the concerns around resource constraints raised by
commenters, allowing individuals to review their own work is inconsistent with the
quality objective in paragraph .44e that individuals assigned to perform activities within
the QC system have the objectivity needed to perform such activities in accordance with
applicable professional and legal requirements and the firm’s policies and procedures.
Taking into account commenter feedback, the Board added a note to the standard to
clarify that the restriction on self-assessment is grounded in that quality objective. The
note further explains the implication, in the context of the monitoring and remediation
process, that individuals generally cannot perform monitoring activities over their own
work, for example by performing engagement monitoring activities on an area of an
engagement in which they participated. The impact of this restriction will depend on the
role that the individual played in the engagement. For example, individuals who have
consulted on a particular area of an engagement would be permitted to perform
monitoring activities on other areas of an engagement that were unrelated to the
consultation. However, individuals that served as the engagement quality reviewer on an
engagement may not perform monitoring activities on that engagement, even if they did
not review every area of the engagement.
e. Engagement monitoring activities (QC 1000.62-.64)
Engagement monitoring activities provide valuable information to firms on
whether engagement or QC system-level areas may require additional attention. For
example, monitoring procedures may highlight an area on an audit engagement where
insufficient audit evidence was obtained to support the auditor’s opinion. More broadly,
engagement monitoring activities may identify pervasive issues where a number of

engagements have similar problems, possibly highlighting the need to revise
methodology, provide additional training, or take other actions at the QC-system level.
i.

Monitoring completed engagements (QC 1000.62)

Similar to the proposal, the final standard requires firms to perform engagement
monitoring activities on completed engagements. Two commenters expressed support for
the requirement to monitor completed engagements. One commenter suggested that
paragraph .62 be amended to permit the legacy flexibility of QC 20 for a firm to have
pre-issuance or post-issuance, or both, monitoring programs, depending on the individual
firm’s risk assessment. This commenter asserted that some smaller firms, in particular,
have already implemented robust pre-issuance quality monitoring reviews on
substantially all issuer audits.
The Board continues to believe that the information derived from performing
inspections of completed engagements provides the firm a perspective on its
engagements that cannot be obtained through other monitoring activities. The Board also
noted that the standard does not prescribe specific monitoring activities, so firms will be
able to determine what activities to perform when monitoring completed engagements.
Based on PCAOB oversight activities, the Board has observed that most firms perform
engagement monitoring activities on their completed engagements as part of their
existing QC practices. Requiring the inspection of completed engagements would
therefore not change practice for most firms and, accordingly, seems unlikely to impose
incremental costs in most instances.
The proposed standard also included a requirement for firms to establish a
cyclical basis for monitoring completed engagements such that each engagement partner
would have at least one engagement subject to monitoring in each cycle. Some firms and
a related group supported that requirement in principle. Some commenters suggested that
firms should be permitted to include all of the engagements within a particular

engagement partner’s portfolio of engagements, not only PCAOB engagements, since the
firm operates a single QC system. One commenter stressed that if firms are not permitted
to consider all engagements in an engagement partner’s portfolio, it may unnecessarily
drive firms to two separate cyclical inspection programs (that is, doubling inspection
program activities) based on the applicable set of professional standards. This commenter
also suggested that the standard should allow firms to consider whether engagement
partners have been subjected to external inspections/reviews when determining if, and
when, to subject them to an internal inspection.
Similar to the proposal, the final standard requires firms to inspect at least one
completed PCAOB engagement for each engagement partner over a cyclical period.
Although, as discussed above, firms with five or fewer issuer and broker-dealer
engagements may be permitted to include non-PCAOB engagements in their monitoring
activities, inspections under this paragraph must be of “engagements” as defined in
QC 1000. This will ensure that firms regularly evaluate the work of every partner under
PCAOB standards to determine whether engagement deficiencies or QC deficiencies
have occurred and can design and implement appropriate remedial actions. The note to
the final standard clarifies that point.
The proposed standard also included a note stating that if a firm uses a cycle
longer than three years, the firm would be required to demonstrate how its cycle is
adequate to provide the firm with a reasonable basis for detecting engagement
deficiencies and QC deficiencies, taking into account the factors in paragraph .64.
Several commenters, including an investor-related group, disagreed with this aspect of
the proposal, suggesting that each firm should be allowed to determine the appropriate
cycle for engagement partner selection. Some of these commenters stated that requiring a
set interval for engagement partner selection could actually result in a reduced ability by
the firm to incorporate unpredictability into the selection process. One firm further stated

that the proposed requirement regarding the engagement partner selection cycle could
also decrease the frequency of other monitoring activities, such as in-process reviews, or
curb investment and innovation in pre-issuance monitoring programs.
The Board continues to believe it is appropriate to incorporate an expectation that
each engagement partner will be subject to inspection at least every three years and
adopted that aspect as proposed. A three-year period appears to be a norm for other
standard setters and, based on PCAOB oversight activities, is common in practice.289 The
Board appreciates that requiring a set interval could make the timing of selection
predictable for an engagement partner, so a three-year cycle is a baseline expectation, not
a requirement. Firms can of course adopt a shorter cycle, or can adopt a longer cycle if
they are able to demonstrate how that cycle is adequate to provide a reasonable basis for
detecting engagement deficiencies and QC deficiencies. Regardless of the cyclical period
used by the firm, risks or other circumstances related to an engagement or an engagement
partner may trigger the need for the firm to inspect an engagement partner’s completed
engagement(s) more than once during the cyclical period.
The proposed note to paragraph .62b also included language requiring firms to
consider incorporating a level of unpredictability when determining when, during the
cyclical period, an engagement partner has an engagement selected for monitoring and
which completed engagement(s) to select. This was intended to make it less likely that
engagement partners would be in a position to manage engagements with the expectation
that they would or would not be inspected. However, commenters, including firms and
investors and related groups, suggested that this language should be strengthened to
require that the firm “should” incorporate unpredictability into the selection process. One

The application material accompanying the IAASB and AICPA QC standards provide an example
of a three-year inspection cycle for engagement partners performing financial statement audits.
See ISQM 1 paragraph A153, SQMS 1 paragraph A165.

of these commenters went further to suggest that the PCAOB also incorporate language
requiring unpredictability in the focus areas subject to internal inspection monitoring, in
addition to the timing of such monitoring. The Board agreed with the comments raised
with respect to requiring firms to incorporate unpredictability into their selection process
and this change is reflected in the note to paragraph .62b. Additionally, in order to allow
sufficient flexibility for firms to determine how to incorporate unpredictability in the
selection process, language has been added to the note to clarify that the firm should
include an element of unpredictability in “at least one of” the elements listed in the note
to paragraph .62b.
The firm’s selection of completed engagements should be responsive to
information obtained from various sources, including prior monitoring activities. The
standard, in paragraph .64 (discussed further below), includes factors for a firm to take
into account when selecting engagements for monitoring. These factors will assist a firm
when determining its cyclical basis and selecting at least one engagement to inspect for
each engagement partner.
ii.

Monitoring in-process engagements and other work (QC 1000.63)

Monitoring in-process engagements can help firms detect and prevent potential
engagement deficiencies before an engagement report is issued, resulting in a more
proactive, preventive monitoring approach. Through its oversight activities, the PCAOB
has observed a variety of different in-process engagement monitoring activities,
including:
•

Monitoring activities on a specific area of the audit after the engagement team has
conducted certain audit procedures or used a specific tool or template (e.g., an inprocess reviewer evaluates an engagement team’s testing of management’s
earnings forecast used in an impairment analysis);

•

Engagement team coaching by an individual who is not part of the engagement
team (e.g., a member of the firm’s national office works with an engagement team
to review their audit approach, including the nature, timing, and extent of planned
audit procedures);

•

Evaluating an engagement team’s progress against certain defined milestones or
metrics and taking appropriate action when such milestones or metrics are not
achieved (e.g., if an engagement partner did not review an engagement team’s
planning memo before interim audit procedures were to start, adjusting the
engagement team’s schedule so that the document could be reviewed and
comments addressed before starting interim work; if an engagement team’s hours
exceed a certain weekly threshold, taking action by identifying the issue and
adding additional resources to the team); and

•

Monitoring engagement team turnover during the engagement and taking
appropriate action when issues arise (e.g., if more experienced or senior personnel
on the engagement, such as the manager or senior manager, leaves the firm during
the engagement and prior to the completion of procedures, taking actions to
ensure the engagement team has the necessary resources to complete the
engagement).
The proposed standard contemplated that firms that issue audit reports with

respect to more than 100 issuers during the prior calendar year would be required to
monitor in-process engagements. The proposal noted the Board’s understanding that
monitoring in-process engagements may be challenging for some firms based on their
size and nature, so the proposed standard also included a “should consider” requirement
to provide sufficient scalability for firms that issue audit reports with respect to 100 or
fewer issuers. Under the proposed standard, firms that audit 100 or fewer issuers would

be expected to reach a conclusion about whether to monitor in-process engagements in
light of identified quality risks and quality responses.
Firms that commented on this requirement supported the concept of monitoring
in-process engagements and the flexibility the standard provided for firms to design their
in-process monitoring based on the nature and circumstances of the firm. Two firms
stated that the purposes of in-process monitoring are clear and appropriate and that the
proposed standard clearly distinguished between in-process engagement monitoring and
engagement quality reviews under AS 1220. Two firms suggested that the 100-issuer
threshold is not necessary, and that all firms should only be required to consider whether
to monitor in-process engagements.
The Board believes that differentiating a firm’s obligation based on the number of
issuer clients is appropriate because, in its view, firms with larger, more complex audit
practices generally are subject to quality risks for which in-process monitoring is an
appropriate quality response. The Board based the requirement on the size of a firm’s
issuer audit practice rather than its broker-dealer audit practice, as it believes the number
of a firm’s issuer clients is more indicative of the firm’s size and the complexity of its
practice. And, as noted above, firms are familiar with the threshold of more than 100
issuer audit reports. The majority of firms with 100 or fewer issuers do not perform inprocess engagement monitoring activities. Requiring these firms to perform such
monitoring activities could significantly change current practice and is not justified by the
circumstances of every firm. However, due to the benefits of this proactive engagement
monitoring, the standard requires that firms that do not meet the 100-issuer threshold
should consider monitoring in-process engagements. The Board believes that this
approach strikes an appropriate balance between prescriptiveness and scalability, and
adopted the requirement as proposed.

One individual commenter suggested that audit firms would find it cost
prohibitive to build in “in process” controls that would be akin to doing an inspection of
an audit in process, with the exception of certain circumstances, but the PCAOB did not
receive any specific comments from firms expressing that concern. In addition, firms
with over 100 issuer clients typically have the resources to implement such procedures,
and based on PCAOB oversight activities, the majority of them already monitor inprocess engagements to some extent.290
In situations where the firm participates in another firm’s engagement but does
not play a substantial role, paragraph .63c provides that the firm should consider
performing monitoring activities on such work. Some commenters agreed with the
requirement for firms to consider performing monitoring activities on their work on other
firms’ engagements. When deciding whether and when to do so, and what monitoring
activities to perform, firms would take into account the factors identified in paragraph
.64, such as the firm’s monitoring and external inspection history and the risks associated
with the performance of the work. In addition, if a substantial portion of the firm’s
activities that are subject to the QC system relate to work performed on other firms’
engagements at less than a substantial role, the firm would have to make that decision in
light of the overall objectives of the QC system.291
One commenter requested clarification as to whether the in-process monitoring
activities the Board has observed would be sufficient to meet the requirement, or whether
the Board expects such activities to be expanded or enhanced. The standard does not
specify any particular monitoring activities, so the firm has discretion to select activities
based on the nature and circumstances of the firm and its engagements and the scope and

In 2023, 11 of the 14 annually inspected firms performed some in-process engagement monitoring
activities.

See QC 1000.05a.(2).

nature of its other monitoring activities. For example, when determining which
engagements to select for in-process monitoring, a firm would leverage the factors
presented in paragraph .64 of the standard to identify engagements where there is a
greater risk of noncompliance with applicable professional or legal requirements.
Similarly, these factors will also assist a firm in determining the riskier areas of such
engagements upon which to perform in-process engagement monitoring activities.
iii.

Designing engagement monitoring activities, including selecting which
engagements to monitor (QC 1000.64)

Similar to the proposal, the final standard requires a firm to take into account
certain factors when determining the nature, timing, and extent of engagement
monitoring activities, including which completed or in-process engagements to select for
monitoring. These factors reflect aspects of a firm and its engagements that could create a
greater risk of noncompliance with applicable professional and legal requirements. A
firm will need to tailor its monitoring activities to address the particular circumstances of
the firm and select engagements for monitoring based upon their specific risks.
The factors are:
•

Quality risks and the reason for their assessments, and quality responses. For
example, the complexity of or changes to applicable professional and legal
requirements and the firm’s policies and procedures may present a quality risk
that the firm may not timely communicate the required use of a practice aid for
planning audit procedures when certain fraud risk factors are present. In response
to this risk, the firm would design its engagement monitoring activities to verify
the engagement team’s use of the practice aid. The earlier these monitoring
activities are performed, the more proactive the firm could be in planning audit
procedures that address audit issues as they arise. Regarding the proposed factor
in paragraph .64b related to the “design of the quality responses,” the final

standard has removed the word “design” from the factor and made other edits to
clarify that the firm should also take into account the scope and operation of
quality responses, for example related to information about how those quality
responses operated in previous years.
•

The nature, timing, extent, and results of previous monitoring activities. This
includes insights learned from previous engagements and QC system-level
monitoring activities that are applied when determining engagement monitoring
activities to perform. For example, in selecting engagements for monitoring, the
firm would take into account deficiencies identified in previous engagements for
the same client and other engagements where a similar deficiency may exist. As
another example, engagement deficiencies related to inventory obsolescence
testing identified by a firm through prior year engagement monitoring activities
may prompt a firm to monitor the testing of inventory obsolescence on more
engagements in the current year. One commenter recommended a clarifying
revision to paragraph .64c to change the reference to “inspections of in-process
engagements” to “monitoring of in-process engagements.” The commenter
explained that the characterization of in-process engagement monitoring as an
“inspection” is not consistent with how in-process engagement monitoring was
described in the proposal, as the in-process monitoring activities observed by the
PCAOB do not include inspections of in-process engagements. The Board agreed
and included this revision in the final standard.

•

Information obtained from oversight activities by regulators, other external
inspections or reviews, and, if applicable, monitoring activities performed by a
network. Information obtained from network monitoring activities or external
reviews provides a firm direction as to, for example, the type of procedures to
perform or when to perform them. The results of network monitoring activities or

information obtained from external reviews could also identify issues that may
exist on other similar engagements of the firm, prompting a decision to monitor
some or all of these other engagements. For example, if an engagement was
recently inspected through network monitoring activities or an external review, a
firm may determine that selecting the same engagement for internal inspection
would be unnecessary.
The proposal included a note that a firm cannot rely solely on network monitoring
activities or external inspections by regulators of individual engagements without
performing its own inspections of completed engagements. One commenter, a firm,
agreed with the proposed requirements for firms to perform their own monitoring
activities rather than solely relying on the monitoring activities performed by the
network. Another firm disagreed and recommended that the standard permit networks to
perform monitoring activities on behalf of a member firm, including in certain
circumstances as the sole source of a firm’s QC engagement monitoring. This commenter
stated that monitoring of completed and in-process engagements by the network may
provide member firms in the network with more objective and experienced monitoring
resources, and that smaller member firms may not have the resources to perform
objective monitoring on completed and/or in-process engagements without leveraging the
network. Similar to what is described below as it relates to a firm’s QC system and the
extent of monitoring activities performed by a network, regardless of whether a network
performs engagement monitoring activities on a firm’s engagements, the firm is
ultimately responsible for its QC system and for evaluating any information it obtains
from the network about any engagement monitoring activities the network performs. The
firm would take into account the nature and extent of activities performed by a network
in designing and implementing its own activities but all firms are required to perform
some level of engagement monitoring. The final standard includes a clarifying revision to

this note that replaces “inspections of completed engagements” with “engagement
monitoring activities.”
•

Characteristics of a particular engagement. Factors such as the industry, the type
of engagement (e.g., issuer audit, broker-dealer audit, attestation), the location(s)
or jurisdiction(s) in which the client is located or the work is to be performed,
whether it is a new engagement for the firm, and the experience and competence
of the engagement team could affect conduct and outcomes of the engagement.
For example, if the engagement team members are all new to the engagement,
their lack of historical knowledge may present an additional risk for that
engagement and provide a basis for its selection for monitoring.

•

Characteristics of particular engagement partners. Factors such as the experience
and competence of engagement partners, the results of internal and external
inspections of their work, and the firm’s cycle for inspecting their engagements
could affect the quality risks associated with an engagement, whether positively
or negatively. For example, an engagement partner’s lack of experience in an
industry the company under audit recently entered may create additional risks to
complying with applicable professional and legal requirements. Therefore,
performing engagement monitoring activities on such engagements may be
appropriate.

•

Other information relevant to the quality risks. The standard includes a nonexhaustive list of examples. For clarity, this factor was rephrased in terms of
“quality risks” rather than “risks of noncompliance with applicable professional
and legal requirements.” The standard also includes a footnote referencing
footnote 26, which explains that the firm is deemed “aware” of information when
any partner, shareholder, member, or other principal of the firm first becomes
aware of such information.

The requirement is both principles-based and risk-centered, rather than
prescriptive. It provides for scalability by including factors for firms to take into account
when determining the nature, timing, and extent of engagement monitoring activities. In
addition to the factors included in the standard, a firm may identify other factors that are
also relevant based on the nature and circumstances of the firm and its engagements.
d. QC system-level monitoring activities (QC 1000.65)
Similar to the proposal, the final standard requires a firm to take into account
certain factors when determining the nature, timing, and extent of QC system-level
monitoring activities.
Due to their nature, some of the factors are consistent with the factors a firm is
required to take into account when determining the nature, timing, and extent of
engagement monitoring activities, such as the quality responses, including their timing,
frequency, scope and operation. Regarding the proposed factor in paragraph .65b related
to the “design of the quality responses,” conforming to the change made in paragraph
.64b, the word “design” was removed from the factor and made other edits to clarify that
the firm should also take into account the scope and operation of quality responses, for
example related to information about how those quality responses operated in previous
years. The specific features of a firm’s quality responses are also relevant for a firm to
consider when designing QC system-level monitoring activities. For example, a firm’s
quality responses related to acceptance and continuance of engagements might include a
policy that firm personnel complete a checklist and assemble information evaluated by
the engagement partner before making a recommendation to firm leadership on whether
to continue with an engagement for the upcoming year. Based on this quality response, a
firm might design QC system-level monitoring activities that include a review of the
checklist and documentation for a selection of engagements.

Some other factors the standard requires firms to take into account when
determining the nature, timing, and extent of QC system-level monitoring activities
include:
•

The design of a firm’s risk assessment and monitoring and remediation processes.
The design of these processes is relevant when designing monitoring activities to
evaluate if such processes are implemented and operating effectively. For
example, a firm may monitor the cyclical basis determined by the firm for
inspecting engagement partners’ completed engagements. A firm’s monitoring
activities in this area could include whether the firm is complying with the
established period for selecting completed engagements as well as evaluating
whether changes to the period may be necessary based on the results of other
monitoring activities. The firm could also develop metrics for its QC system and
use them in its monitoring and remediation process.

•

Changes in the QC system. As a firm’s QC system is continuously evolving in
response to changes in risks, the firm would have to consider whether and how
such changes necessitate changes to the nature, timing, and extent of QC-system
level monitoring activities. For example, changes to a quality response would be
an indication that changes to the activities that monitor the design,
implementation, and operation of such response may be necessary. It should be
noted that, even in the absence of changes in the QC system, for example in cases
where the firm determines that there have been no changes related to a particular
quality response, the firm would still need to consider whether previous
monitoring activities related to that quality response continue to provide the firm
with a reasonable basis to evaluate the QC system, including the appropriateness
of the firm’s monitoring activities for the current period.

•

When applicable, services provided by other participants in the firm’s QC system.
A firm may use other participants in its QC system (for example, other
participants may assist with engagement quality reviews). The firm would take
that into account when deciding what QC system-level monitoring activities to
undertake (for example, assessing other participants’ compliance with PCAOB
standards regarding engagement quality reviews).292
A firm’s monitoring activities are likely to vary over time as a firm takes into

account the factors included in the standard (see paragraphs .64–.65). Since a firm’s QC
system is a continuous and iterative process, such factors will generally lead a firm to
perform different monitoring activities or employ different monitoring approaches over
time.
Several commenters, including investor-related groups, suggested that the
standard should require that the monitoring and remediation process, or more generally
QC 1000, provide for use of quantitative metrics. QC 1000 does not require firms to use
quantifiable metrics in their monitoring activities or suggest the use of any particular
metrics. The Board has recently proposed a new set of firm reporting requirements that
includes both firm-level and engagement-level metrics, and the comments regarding
metrics received in response to the QC 1000 proposal are addressed in that proposing
release.293
Other than removing the word “performance” from the phrase “performance
metrics,” to align with the terminology used in the PCAOB’s proposed metrics
requirements, the Board adopted as proposed paragraph .65c, which requires the firm to
take into account any metrics that the firm may use in its QC system when determining
the nature, timing, and extent of QC system-level monitoring activities. This could

See generally, e.g., AS 1220.

See PCAOB Rel. No. 2024-002 at 12-13.

include, but is not required to include, any metrics firms would be required to report if the
metrics proposal is ultimately adopted by the Board and approved by the SEC, as well as
any additional metrics a firm may develop. Depending on their circumstances, firms may
find that developing metrics to monitor engagements and the QC system would enhance
their ability to identify deficiencies, measure whether quality objectives have been met,
and evaluate the effectiveness of remediation activities.
e. Monitoring activities performed by a network (QC 1000.66)
The Board adopted substantially as proposed the requirements that apply when
networks perform monitoring activities relating to a firm’s QC system or engagements.
Networks employ a variety of different approaches to monitoring firm QC systems. Some
networks perform monitoring activities either directly on the firm’s QC system, such as
monitoring a firm’s compliance with QC policies and procedures established by the
network and adopted by the firm, or on tools or other resources developed or purchased
by the network and used by the firm, such as an independence tracking system. Other
networks perform no monitoring activities.
The nature and extent of a network’s monitoring activities will inform a firm’s
approach to monitoring. To illustrate, if a firm used a network independence tracking
system to identify matters that may bear on the independence of firm personnel, and if the
network monitored the design and operation of the tracking system and provided the firm
with relevant information about those activities, the firm is required to evaluate the
monitoring activities performed by the network on the tracking system. In performing its
evaluation, the firm needs to understand the scope of the network monitoring activities,
such as whether the firm’s personnel were selected for monitoring procedures, and if so,
whether the population selected was sufficient to provide a reasonable basis for detecting
engagement and QC deficiencies. To the extent provided, the firm is also required to
evaluate the results of the testing performed by the network, and if deficiencies were

identified, the remedial actions, if any, taken or proposed to be taken by the network.
Under this example, the firm would also determine its responsibilities in assisting the
network with any monitoring or remediation activities related to the tracking system.
Regardless of any QC monitoring activities that a network may perform on behalf
of the firm, the firm is ultimately responsible for its QC system. Therefore, under the
standard, the firm is responsible for evaluating any information it obtains from the
network about any QC monitoring activities the network performs. Some commenters, all
of which were firms, supported the proposed requirements related to monitoring activities
performed by a network.
A firm is required to adjust its monitoring activities as necessary, based on the
scope of the network’s monitoring activities and the information the firm receives (or
does not receive) from the network about those activities. One commenter expressed
concern that the proposal allows the firm to request certain categories of information
from a network but does not require that the information actually be received. In
situations where a firm does not receive information requested from the network about
the monitoring activities the network performed, the firm would not be in a position to
take such activities into account in planning its own activities. To illustrate, a network
may provide information to a firm regarding the results of member firms’ internal
engagement monitoring activities, which the firm uses to evaluate the competence of
other network firm personnel and their ability to participate in the firm’s engagements. If,
due to a change in a particular network firm’s local privacy laws, the network is unable to
provide such information regarding that member firm, the firm will need to evaluate that
member firm’s competence and ability using a different approach.294 To illustrate another
case, if a firm requests but does not receive any information from the network regarding

Irrespective of how the evaluation is performed, the engagement partner’s responsibility for the
engagement and its performance would not change. See AS 1201.03.

QC monitoring activities related to independence that the network performed on behalf of
the firm, and the firm does not perform any monitoring activities related to its QC system
in that area, the firm would have no basis for concluding that the quality objectives
related to independence were achieved.
f. Determining whether engagement deficiencies exist (QC 1000.67)
The requirements for determining whether engagement deficiencies exist did not
draw comment and were adopted with one modification, described below..
As defined by the standard, an engagement deficiency is an instance of
noncompliance with applicable professional or legal requirements by the firm, firm
personnel, or other participants with respect to an engagement of the firm, or by the firm
or firm personnel with respect to an engagement of another firm. Engagement
deficiencies include:
•

Instances of noncompliance in which a firm did not adequately support its
opinion—because the firm did not perform sufficient procedures, obtain sufficient
appropriate evidence, or reach appropriate conclusions with respect to relevant
financial statement assertions;

•

Instances in which the firm did not fulfill the objective of its role in the
engagement, such as not performing attestation services in accordance with AT
No. 2; and

•

Other instances of noncompliance with applicable professional and legal
requirements with respect to a firm’s engagement, which may include, for
example, not satisfying applicable independence requirements,295 not making
required communications to the audit committee,296 or not filing Form AP.297

See generally, e.g., 17 CFR 210.2-01; PCAOB rules under Section 3. Auditing and Related
Professional Practice Standards, Part 5-Ethics and Independence.

See generally AS 1301.

See PCAOB Rule 3211, Auditor Reporting of Certain Audit Participants.

The standard requires a firm to evaluate a variety of information in making its
determination about whether an engagement deficiency exists, including internally
developed information from monitoring activities, information from external parties like
regulators and peer reviewers, and other relevant information of which the firm becomes
aware. Beyond the sources specified in the standard, a firm is not expected to seek out
other sources of information that may indicate an engagement deficiency exists.
However, if the firm becomes aware of such information, the firm is expected to evaluate
it. For purposes of the standard, the firm is deemed “aware” of information when any
partner, shareholder, member, or other principal of the firm first becomes aware of such
information. The Board made a change to the proposed note in paragraph .67e item (4) to
clarify that complaints the firm becomes aware of, that may indicate the existence of an
engagement deficiency, could be related to either a company or the firm. The language
was also broadened to clarify that complaints are not limited to those submitted through a
formal whistleblower program.
The standard does not specify how a firm would evaluate information to
determine whether an engagement deficiency exists. Rather, it provides firms the ability
to develop an approach for such evaluation. A determination that an engagement
deficiency exists due to the firm not complying with a PCAOB reporting requirement
may be relatively simple to make. For example, evaluating whether the firm filed a Form
AP in accordance with PCAOB Rule 3211 would not require a significant amount of
effort. However, evaluating information indicating the firm did not perform the necessary
audit procedures for an issuer’s revenue transactions to determine whether an
engagement deficiency exists could be more complex, and therefore require a more indepth analysis.

A firm’s determination that an engagement deficiency exists may pertain to an inprocess engagement, a completed engagement, or work performed on other firms’
engagements.
If a firm obtains information about a potential deficiency in an in-process
engagement, whether from monitoring activities or other sources, the firm is expected to
evaluate the information to determine whether an engagement deficiency exists before
the engagement report is issued. In that regard, it should be noted that identifying a
problem while an engagement is in process may enable the firm to rectify the problem
before an engagement deficiency could arise. Many professional and legal requirements
that apply to performing an engagement impose ongoing responsibilities that are not
completed until the engagement itself is completed. In relation to such ongoing
responsibilities, if a problem is identified in an in-process engagement but resolved
before the engagement is completed, no engagement deficiency would arise. For
example, if an engagement team initially failed to obtain sufficient appropriate audit
evidence in its testing of revenue because it failed to perform a necessary procedure, the
engagement team could still perform the procedure at a later time during the engagement;
as long as sufficient appropriate audit evidence was obtained prior to the issuance of the
report, there would be no engagement deficiency. QC 1000 does not have specific
provisions to address remediation of this type of problem because the auditor’s
responsibility is already addressed by applicable professional and legal requirements.
However, even in instances where an engagement deficiency does not arise because a
problem was identified and corrected prior to issuance of an engagement report, a firm
would still need to consider whether the existence of the problem constitutes a QC
observation—an observation about the design, implementation, or operation of the firm’s
QC system that may indicate one or more QC deficiencies exist—and, ultimately, a QC
deficiency.

By contrast, some applicable professional and legal requirements (such as those
relating to preliminary engagement activities, including engagement acceptance
procedures, and certain required communications to the audit committee) are required to
be complied with prior to or at the beginning of the engagement. With respect to those
requirements, an engagement deficiency would arise if the required time for performance
had passed and the required activities were not performed appropriately, even if the
engagement was still in process.
The standard requires determinations to be made on a timely basis. For completed
engagements, the timeliness of the determination depends on the nature of the
information subject to evaluation. For example, if the information suggested other
engagements may present a similar issue, then it would be expected that determination
would be made sooner so that the risk of engagement deficiencies on other
engagements—whether in-process or completed—is mitigated.
The final standard was revised to clarify that the evaluation and determination of
whether engagement deficiencies exist must both be done on a timely basis.
g.

Responding to engagement deficiencies (QC 1000.68)

Under the final standard, when a firm determines an engagement deficiency
exists, the firm is required to take action to address the deficiency. The action taken
would depend on whether the engagement deficiency related to an in-process
engagement, a completed engagement, or work performed by the firm on other firms’
engagements. In some instances, a firm may find it beneficial to perform a root cause
analysis to determine what action to take.
i.

Engagement deficiency related to an in-process engagement

For an engagement deficiency related to an in-process engagement, the proposed
standard provided that the firm take action to address the deficiency in accordance with
applicable professional and legal requirements. The nature of the engagement deficiency

would determine what a firm would need to do to address it and the timing of the
required action. For engagement deficiencies that could affect the auditor’s report, under
the proposed standard, remedial action would be required before the engagement report is
issued, such that the engagement report issued is appropriate in the circumstances. In
other instances, action would still be required to address the deficiency, but the firm
would have more flexibility regarding when such actions are performed; action could be
performed either before the report is issued or afterwards (if afterwards, the provisions of
paragraph .68b would apply). The Board adopted substantially as proposed the
requirement for responding to an engagement deficiency on an in-process engagement.
ii.

Engagement deficiency related to a completed engagement

For an engagement deficiency related to a completed engagement, the proposed
standard included a requirement for firms to take action to address the engagement
deficiency in accordance with applicable professional and legal requirements (discussed
in more detail below in connection with paragraph .70). However, under the proposed
requirement, no action would have been required if it was probable that the engagement
report was not being relied upon.298
The proposed standard included a note that stated the firm must treat an auditor’s
report as being relied upon if the auditor’s report is included in the most recent SEC filing
on a form that requires its inclusion. Because this note also appeared in the proposed
amendments to AS 2901 in paragraph .01, refer to the detailed discussion below for
commenter feedback and the Board’s responses. The note to paragraph .68b. was revised
to provide that, in the absence of circumstances indicating that reliance is impossible or
unreasonable (e.g., cessation of a trading market for issuer securities), inclusion of an

The use of “probable” in the note to paragraph .68 is consistent with how the term is used in
FASB ASC, Contingencies Topic, paragraph 450-20-25-1, which provides that an event is
“probable” when it is likely to occur.

engagement report in the most recent filing on an SEC form that requires inclusion of
such an engagement report generally evidences that the report is being relied upon. The
Board believes this is responsive to commenter concerns and allows for sufficient
flexibility for such circumstances. The note was also revised to clarify that an
engagement report can be included in an SEC filing either directly or through
incorporation by reference.
iii.

Engagement deficiency related to work performed on other firms’
engagements

For an engagement deficiency related to work performed on other firms’
engagements, the standard requires a firm to communicate to the other firm the
engagement deficiency. The communication needs to be sufficient to enable the other
firm to develop a response commensurate with the extent of noncompliance. These
engagement deficiencies, while there may or may not be additional remedial actions for
the firm to take related to the particular work performed, should be included in the
population of QC observations to be evaluated to determine whether QC deficiencies
exist. The Board did not receive comment on this aspect of the proposal and adopted it as
proposed.
iv.

Evaluating whether similar engagement deficiencies exist

The proposed standard also required a firm to evaluate whether similar
engagement deficiencies exist in other in-process engagements, completed engagements
(unless it is probable that the engagement report is not being relied upon), and work
performed on other firms’ engagements, and if so, to take actions as required by
paragraphs .68a.-c. for in-process engagements, completed engagements, and any other
work performed by the firm on other firms’ engagements at less than a substantial role.
Understanding the nature of the engagement deficiency will assist the firm in determining
the extent of the necessary evaluation. To illustrate, if the engagement deficiency was

caused by an error in the firm’s methodology for auditing a company’s loan valuation
allowance, then the firm would evaluate whether similar engagement deficiencies exist
on engagements that were also using that methodology. As another example, if
engagement team members did not comply with PCAOB standards when auditing
accounts receivable because they failed to perform certain procedures in the firm’s audit
program, the firm would evaluate whether the person(s) who were responsible for
performing the procedures and the person(s) supervising the work participated in any
other audit engagement’s accounts receivable testing, and if so, whether similar
engagement deficiencies exist.
One commenter requested that the Board provide additional examples of
engagement deficiencies, as the concept of applicability to other in-process engagements
could be subject to different interpretations. The Board will consider whether application
guidance in this area would be appropriate.
Another commenter stated that the expectation of what “evaluate,” as used in this
context, may require is not clear and suggested that the evaluation be limited to certain
engagements based on a risk-based assessment, taking into consideration the root cause
of the identified engagement deficiency. As noted above, understanding the nature of the
engagement deficiency would assist the firm in determining the extent of the actions to
take in order to evaluate whether similar engagement deficiencies exist on other
engagements.

The Board adopted this aspect of the standard as proposed.

v.

Addressing engagement deficiencies (QC 1000.69-70)

Paragraph .69 of the standard requires firms to respond to engagement
deficiencies by taking into account the nature and severity of the engagement deficiency.
In other words, the response should be targeted based on the nature of the problem and
proportionate to the severity of the problem.
Understanding the nature and severity of an engagement deficiency could assist
firms in:
•

Developing an appropriate response to the engagement deficiency;

•

Determining whether an engagement deficiency could relate to other
engagements; and

•

Assessing whether the engagement deficiency, which represents a QC
observation, is also a QC deficiency.
The actions taken by the firm to respond to engagement deficiencies may include

preventive or corrective actions (or a combination of these actions):
•

Corrective actions are actions taken to rectify an identified deficiency in a current
or completed engagement (for example, performing a procedure that had been
omitted, designing and performing additional or alternative procedures if audit
evidence is insufficient, or filing a required report).

•

Preventive actions are actions taken to prevent the occurrence of a deficiency in
future engagements (for example, training, developing audit tools, or enhancing
audit methodology).
The proposed note to this requirement also appeared in the proposed amendments

to AS 2901.04 and a detailed discussion of commenter feedback and the Board’s views
appears below. As adopted, the note in paragraph .69 includes clarifying changes. The
requirement was otherwise adopted as proposed.

The proposed requirement in paragraph .70 did not draw comment and the Board
adopted it as proposed. Firms should comply, as applicable, with other standards related
to engagement deficiencies on completed engagements.
•

AS 2901 addresses auditor responsibilities with respect to engagement
deficiencies on completed audit engagements. AS 2201.99 directs the auditor to
comply with AS 2901 as it relates to audits of internal control over financial
reporting.

•

AS 2905 deals with auditor responsibilities when, subsequent to the date of a
report on audited financial statements, the auditor becomes aware of facts that
might have affected the report had he or she then been aware of such facts before
issuing the report. AS 2201.98 is a similar provision relating to auditor’s reports
on internal control over financial reporting.

•

AT No. 1 and AT No. 2 incorporate responsibilities similar to those required
under AS 2901 for attestation engagements relating to certain broker-dealer
reports.
The amendments to AS 2901 are discussed below.
h. Determining whether QC observations exist (QC 1000.71)
The proposed standard would have required firms to determine the existence of

“QC findings,” defined as “[a] finding about the design, implementation, or operation of
the firm’s QC system that may indicate one or more QC deficiencies exist. Engagement
deficiencies are QC findings.”
Commenter feedback on this defined term was in most instances directly related
to the last sentence in the defined term, urging that engagement deficiencies should not
automatically be considered QC findings. The Board was concerned that commenters
may have misinterpreted “QC findings” as akin to “QC deficiencies,” whereas the
intention is only to designate matters that have to be evaluated as potential QC

deficiencies. To alleviate the potential confusion, the defined term was changed to “QC
observation” and the definition reworded. The definition of a QC observation in the final
standard is “(1) An engagement deficiency; or (2) Any other observation about the
design, implementation, or operation of the firm’s QC system that may indicate one or
more QC deficiencies exist.”299
Under the definition, any information that may indicate a problem with the
design, implementation, or operation of the firm’s QC system would be a QC
observation. Because a QC system provides reasonable assurance that engagements are
conducted in accordance with applicable professional and legal requirements, all
engagement deficiencies would be QC observations. Examples of other QC observations
include an error in the design or operation of a technology tool or methodology, or
information suggesting that a firm may not have achieved a quality objective.
The determination of QC observations involves collecting observations and
related evidence that may indicate a QC deficiency exists, including information from
monitoring activities, information from external parties like regulators and peer
reviewers, and other relevant information of which the firm becomes aware.
Under the standard, the results of all monitoring activities performed by the firm,
and if applicable, those performed by a network relating to the firm’s QC system or its
engagements, are required to be analyzed by the firm to determine if there are QC
observations. It is possible that a firm’s engagement monitoring activities could identify
not only engagement deficiencies, but also QC observations that are not engagement
deficiencies. For example, if, as part of the firm’s quality response related to
technological resources, the firm’s technology leader must review and approve all
software audit tools used on engagements, and if a firm’s engagement monitoring

QC deficiencies are defined and discussed in the next subsection. See below.

activities reveal that an engagement team did not receive the appropriate authorization to
use a specific tool, that observation would be a QC observation, regardless of whether the
use of the tool also gave rise to an engagement deficiency.
Oversight activities by regulators and external inspections or reviews include
activities of the PCAOB and other regulators. As a firm typically has one QC system for
its entire audit practice, the results of the inspections, reviews, and other oversight
activities performed by these external parties would likely be relevant to a firm’s
determination of whether QC observations exist.
Other relevant information of which the firm becomes aware would comprise
information obtained from within and outside the firm. A firm would not be expected to
seek out such other sources of information; however, if other relevant information came
to the firm’s attention, a firm is expected to determine whether it is a QC observation. For
example, the firm may become aware of an issue with a formula in a practice aid used to
assist engagement teams in auditing stock-based compensation if a member of an
engagement team communicates that issue to firm personnel supporting the firm’s QC
system.
The final standard has been revised to clarify that the evaluation and
determination must both be done on a timely basis.
i.

Determining whether QC deficiencies exist (QC 1000.72)

The standard requires firms to determine whether QC deficiencies exist, and
(except for the change in terminology to “QC observation”) was adopted as proposed.
i. Definition of QC Deficiency
In response to commenter input, the Board made changes to the definition of the
term “QC deficiency.” As proposed, the definition provided in part that a QC deficiency
was a QC finding that results in “a reduced likelihood of the firm achieving the
reasonable assurance objective or one or more quality objectives,” and included a note

providing examples of circumstances where that likelihood could be reduced. Two
commenters questioned the operability of that aspect of the proposed definition of QC
deficiency, in particular its linkage to the definition of an internal control deficiency
under COSO in its integrated framework through the phrase “reduced likelihood.” Two
commenters suggested that the definition of QC deficiency should incorporate the
concept of “a significantly reduced likelihood.” Another commenter requested guidance
relative to the application of the “reduced likelihood” model. Other commenters
suggested that the definition should be more closely aligned with that of other standard
setters, for example ISQM 1, by incorporating the concept of an “acceptably low level.”
Taking into account commenter feedback, the standard defines a QC deficiency as
a QC observation that, based on the evaluation under paragraph .72, individually, or in
combination with one or more other QC observations, evidences:
•

That the likelihood of the firm not achieving the reasonable assurance objective or
one or more quality objectives has not been reduced to an acceptably low level;
Note: The likelihood of not achieving the reasonable assurance objective or one or
more quality objectives would be above an acceptably low level if, for example, a
quality objective is not established, a quality risk is not properly identified or
assessed, or a quality response is not properly designed or implemented or is not
operating effectively.

•

Noncompliance with requirements of this standard, other than those under
“Documentation”; or

•

Noncompliance with requirements of this standard under “Documentation” that
adversely affects the firm’s ability to comply with any of the other requirements
of this standard.

The first subparagraph of the definition of QC deficiency incorporates an existing
concept of “acceptably low level” that is currently used in PCAOB auditing standards300
so this concept should be familiar to firms. In addition, it aligns more closely with similar
definitions of other standard setters, for example the definition of “deficiency” in ISQM
1. The Board made conforming changes to the note that follows subparagraph (1) of the
definition.
Similar to the proposal, the definition of QC deficiency in the final standard also
includes noncompliance with the requirements of the proposed standard other than
documentation requirements, such as the requirements related to roles and
responsibilities, the firm’s risk assessment process, the monitoring and remediation
process, and the evaluation of the QC system. Two commenters expressed concern with
this requirement, stating that there may be instances where the firm may not comply with
a requirement in the standard but the quality objectives and specified quality responses
were met, and a firm should be able to apply judgment to determine whether a QC
deficiency exists under those circumstances. The Board continues to believe that
compliance with the requirements of QC 1000 is a baseline element of any firm’s QC
system, such that failure to comply is always a QC deficiency, and adopted this aspect of
the QC definition as proposed.
The definition also includes noncompliance with the documentation requirements
of QC 1000, to the extent that such noncompliance adversely affects the firm’s ability to
comply with any of the other requirements of the proposed standard, while excluding
other documentation issues. For example, a firm’s failure to document some details of its
monitoring activities, in a context where the firm otherwise sufficiently documents the
evaluation of the results from its monitoring activities, would not meet the definition of a

See, e.g., AS 2315, Audit Sampling.

QC deficiency. The Board received no comment on this aspect of the definition of QC
deficiency and adopted it as proposed.
Under the final standard, the determination of whether something identified as a
QC observation meets the definition of a QC deficiency would be based on the nature,
severity, and pervasiveness of the underlying matter; the likelihood that it could affect
other component(s) of the QC system or other engagements; and the severity of such an
effect if it were to occur. In the case of engagement deficiencies, this evaluation would
take account of the basis for the firm’s determination of the actions required under
paragraph .68 of QC 1000, including any root cause analysis performed. These
considerations are discussed, in turn, in the following subsections.
The final standard has been revised to clarify that the evaluation and
determination must both be done on a timely basis.
ii. Nature, severity, and pervasiveness of the matter that gave rise to the QC
observation
The nature, severity, and pervasiveness of the matter that gave rise to the QC
observation should be taken into account when determining whether a QC deficiency
exists. For a QC observation that is also an engagement deficiency, the results of the
firm’s evaluation of whether a similar engagement deficiency exists on other in-process
and completed engagements would provide useful information to the firm when
determining whether a QC deficiency exists.
The standard explains that the nature, severity, and pervasiveness of the matter that gave
rise to the QC observation includes:
•

The component(s) of the QC system, quality objective(s), or quality risk(s) to
which the QC observation relates. Depending on the quality risks that a firm
identifies, some components may play a greater role in its QC system than others.
For example, for a small firm that audits one issuer and has no intention to expand

its issuer audit practice, the engagement performance component would have a
greater role than acceptance and continuance of engagements because the quality
risks associated with the new engagement would be mitigated by the firm’s policy
of not taking on new issuer audit engagements. Based on the firm’s risk
assessment, certain quality risks may pose a greater threat to the firm’s QC system
than others. In addition, some QC observations may relate to a single component
of the QC system or a single quality objective, while others may relate to multiple
components of the QC system or multiple quality objectives. For example, an
engagement deficiency may relate to the resource component (e.g., competence
and training of firm personnel, firm methodology), the information and
communication component (e.g., failure to communicate changes to the
methodology), or the engagement performance component (e.g., failure to consult
when required), or all three of those components.
•

Whether the QC observation is in the design, implementation, or operation of the
QC system. For example, a matter that gave rise to a QC observation in the design
of a process has a greater likelihood of being pervasive to a firm’s practice than a
process that did not operate as designed on one occasion.

•

The frequency with which the QC observation occurred. Frequency relates to the
number of times the matter that gave rise to the QC observation occurred—for
example, on engagements within a particular industry sector or practice group, a
particular office, or firmwide. It might also relate to the number of times the
observation was identified, the number of firm personnel involved, or the number
of quality objectives affected. When related to the execution of a firm’s quality
response, it would also include relative frequency of QC observations compared
to the number of times the procedure was executed properly.

The duration of time that the QC observation existed. Duration addresses how
long the matter that gave rise to the QC observation existed. In order to
understand duration, a firm would need to understand whether there were other
instances prior to those initially identified by the firm as QC observations.
iii. Likelihood that the matter that gave rise to the QC observation could
affect other component(s) of the QC system or other engagements, and the
severity of such an effect
Whether a QC observation is a QC deficiency would also depend on the
likelihood that the matter that gave rise to the QC observation could affect other QC
system components or other engagements.
Other engagements include in-process engagements, completed engagements,
engagements to be performed in the future, as well as work performed on other firms’
engagements. A firm may design and implement mitigating actions to address an
engagement deficiency when such a deficiency comes to the firm’s attention. When
considering the likelihood that future engagements could be affected (for purposes of
determining whether a QC deficiency exists), a firm would not take into account any
mitigating actions, even if they have been implemented. This is because the
determination of whether a QC deficiency exists must be made based on the nature,
severity, and pervasiveness of the matter that gave rise to the QC observation, viewed on
its own. That shows the extent to which the QC system failed in allowing the underlying
matter to occur. Whether the firm was subsequently able to partially or fully remediate
the QC deficiency does not eliminate the fact that the failure occurred.
In addition to the likelihood of a matter’s recurrence, the standard also requires a
firm to evaluate the matter’s severity if it were to affect other component(s) or
engagements.

One commenter suggested that the standard address the concept of compensating
responses as a factor when considering QC findings in proposed paragraph .72. In
considering whether a QC observation is a QC deficiency (on the basis that the likelihood
of the firm not achieving the reasonable assurance objective or one or more quality
objectives has not been reduced to an acceptably low level) the firm could consider
compensating responses that address the same quality risk. Additional discussion in
response to this commenter’s feedback appears below in the context of discussion of

remedial actions.

j. Responding to QC deficiencies
i. Root cause analysis (QC 1000.73-.74)
The requirement to perform root cause analysis on all identified QC deficiencies
did not draw comment and was adopted as proposed.
Root cause analysis is a widely used concept in QC frameworks.301 Identifying
and understanding the underlying causes of a problem supports developing solutions that
address those causes, rather than just the symptoms. Proper determination of the causal
factors that led to QC deficiencies is essential to developing effective remedial actions.
For example, a policy or procedure could be inappropriately designed or implemented or
a person may not have complied with a policy or executed a procedure as it was intended.
As another example, an audit tool may not have operated as intended. Root cause analysis
looks for different types of causes through investigating the patterns of negative effects,
finding hidden flaws in the QC system, and discovering specific actions that contributed
to the problem. Improvements in audit quality have generally been observed through
PCAOB oversight activities where a firm has established an effective root cause analysis
program.302 Many different types of causes may contribute to a problem.
A firm might find it helpful when performing root cause analysis to leverage
information obtained from its evaluation of whether a QC deficiency exists. That is,
information about the nature, severity, or pervasiveness of the matter that gave rise to the
QC observation and the likelihood that the matter that gave rise to the QC observation
could affect other components of the QC system or other engagements may provide
evidence of what caused the problem to occur.

See Spotlight: Root Cause Analysis – An Effective Practice to Drive Audit Quality (April 2024)
available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/root-casuespotlight.pdf?sfvrsn=55f82206 2.

See 2018 Inspection Observations Preview.

Root cause analysis procedures could take different forms depending on the
circumstances, which allows for scalability. Some key elements that the PCAOB has
observed that may lead to more robust and comprehensive root cause analysis include:303
•

Monitoring audit deficiencies identified and performing root cause analysis on a
continual basis. This allows firms to obtain information that allows them to react
more timely and implement remedial actions to reduce recurring deficiencies in
other audits.304

•

Process mapping at the engagement level and the firm level of the underlying
work flows of how a firm conducts its practice. A well-defined process makes it
easier to analyze negative events to determine what went wrong.

•

Consideration of both positive and negative quality events (i.e., actions,
behaviors, or conditions that resulted in positive or negative outcomes) to identify
whether such actions, behaviors, or conditions were present on engagements
where QC deficiencies were identified.

•

Measuring, in real time, the effectiveness of remedial actions and audit quality
improvement plans or initiatives to identify whether remedial efforts are effective.
The standard does not require firms to perform root cause analysis on QC

observations that are not QC deficiencies.
Paragraph .74 of the standard requires that the nature, timing, and extent of the
root cause analysis be commensurate with the nature, severity, and pervasiveness of the
QC deficiency. This provision did not draw comment and was adopted as proposed.

See June 2014 SAG Briefing Paper at 2.

See Staff Inspection Brief, Vol. 2017/4: Preview of Observations from 2016 Inspections of
Auditors of Issuers (Nov. 2017), at 16, available at https://assets.pcaobus.org/pcaobdev/docs/default-source/inspections/documents/inspection-brief-2017-4-issuerresults.pdf?sfvrsn=c216d8a7_0.

A QC deficiency that could affect multiple engagements may require more urgent
root cause analysis, depending on the circumstances. To illustrate, a QC deficiency
related to a firm’s approach to testing business combinations would be more urgent if a
firm’s clients regularly enter into such transactions. Taking into account the nature,
severity, and pervasiveness of the QC deficiency, root cause analysis may be performed
at different points in time or, depending on the size and nature of the firm, operate as
more of a continual process. At times, it might be effective to combine similar QC
deficiencies and perform root cause analysis on them collectively rather than on an
individual basis.
In some instances, the causal factors may be relatively apparent and therefore
require less analysis than in a situation where the cause of the deficiency is complex and
requires significant investigation and analysis. As previously mentioned, there may be
multiple causes contributing to a QC deficiency. Generally, the more thorough the
analysis, the more likely the causal factors will be identified and the greater the
likelihood that a firm could design and implement remediation efforts that will be
effective in preventing similar QC deficiencies from occurring again.
It is important for firms to have well-defined processes in order to perform
sufficient root cause analysis. The better delineated the underlying processes, the less
work that may be necessary to determine why the QC deficiency occurred.
ii.

Remedial actions (QC 1000.75)

The requirement to design and implement timely remedial action for QC
deficiencies did not attract comment and was adopted as proposed.
The timing of a firm’s efforts to design and implement remedial actions depends
on the results of the firm’s root cause analysis and the nature, severity, and pervasiveness
of the QC deficiency. The Board expects a firm to respond in a manner that would

mitigate the occurrence of additional QC deficiencies related to similar underlying
causes.
In some circumstances, due to the extent of remedial actions necessary to address
the QC deficiency, a firm might design and implement temporary remedial actions until
permanent actions can be designed and implemented. For example, a firm could design
and implement supplemental audit practice aids to address QC deficiencies until the firm
is able to revise its comprehensive audit methodology. In some situations, a complex QC
deficiency may result in the firm developing a multi-step plan with milestones necessary
to be achieved as the firm designs and implements its remedial actions.
In other situations, the extent of remedial actions the firm needs to take to address
a particular QC deficiency may be reduced by other compensating responses that the firm
has in place. If the remedial actions, including any relevant compensating responses, have
been tested and found effective in addressing the issue, the firm might determine, based
on the facts and circumstances, that no further remedial action is necessary.
The process of identifying QC observations, determining QC deficiencies,
performing root cause analysis, and designing and implementing remedial actions is
iterative. For example, a firm may learn information from performing root cause analysis
that may identify issues that would have been relevant when evaluating a different QC
observation had such information been known at the time. If this were to occur, a firm
would further evaluate the other QC observation to determine if a QC deficiency exists
based on this new information. As another example, the work entailed in a root cause
analysis could potentially help a firm identify other quality objectives that are not being
met. To illustrate, the firm’s root cause analysis may show that a lack of training caused
deficiencies in a complex audit or accounting area that is common to the firm’s
engagements, and may also lead to the identification of other problems in the same area,

such as inadequate audit methodology or a missed consultation due to the lack of a wellunderstood, robust consultation process.
PCAOB oversight activities have identified that some firms evaluate positive
quality events associated with engagements where no engagement deficiencies were
identified. For example, certain procedures, techniques, or voluntary practice aids may
have contributed to an engagement performed in accordance with applicable professional
and legal requirements. These firms use the information obtained from such evaluations
to assess the actions of individuals on engagements with deficiencies, ultimately
highlighting potential actions to prevent future engagement deficiencies. The Board
believes that evaluating positive outcomes could contribute to the success of the firm’s
root cause analysis and remediation efforts. Therefore, the standard includes a note
highlighting that it may be beneficial for firms to consider actions, behaviors, or
conditions that resulted in positive outcomes, such as where aspects of the firm’s QC
system operated effectively or where no engagement deficiencies were identified for
individual engagements.
In some circumstances, a firm may determine the root cause of a QC deficiency is
related to the use of a resource or service provided by a third-party provider. If this were
to occur, under the standard, the firm is responsible for addressing the effect of the
deficiency on its QC system. This could include, among other things, working with the
third-party provider to design and implement remedial actions or deciding to end the
relationship with the third-party provider and, as part of the firm’s remedial actions,
revising its policies and procedures in the area affected. Irrespective of the approach
taken and the extent of participation by third parties, the firm remains responsible for its
QC system.
If a firm belongs to a network and uses network resources or services to enable
the operation of the firm’s QC system or the performance of its engagements, a root

cause of a QC deficiency could be related to the network resource or service. Similar to a
firm’s use of resources or services provided by a third-party provider, a firm is
responsible for addressing the effect of the deficiency on its QC system regardless of
whether the remedial actions taken by the firm are coordinated with the network or
designed and implemented exclusively by the firm. Further, the firm remains responsible
for determining whether the actions taken by the network sufficiently remediate the QC
deficiency.
Under the standard, firms are able to design their approach to conducting root
cause analysis and developing remedial actions. Firms’ approaches will vary based on the
nature and circumstances of the firm and its engagements. In addition, approaches will
likely change as new technologies become available and other techniques develop.
k. Monitoring the implementation and operating effectiveness of remedial
actions (QC 1000.76)
The requirement to monitor the implementation and operating effectiveness of
remedial action for QC deficiencies did not attract comment and was adopted as
proposed.
Under the final standard, a firm monitors the effectiveness of its remedial actions
through engagement monitoring activities and/or QC system-level monitoring activities,
depending on the nature of the QC deficiency. If a firm determines the remedial actions
were not properly implemented or operating effectively, the firm would be required to
take timely actions until the monitoring activities indicate the QC deficiency was
remediated. Timely actions could include, among others, one or more of the following:
•

Adjusting the implemented remedial actions;

•

Designing and implementing additional remedial actions; or

•

Performing additional root cause analysis to determine if other causes exist and, if
so, designing and implementing remedial actions to address such causes.

Once additional actions are taken, a firm is required to perform monitoring
activities on such changes to determine whether the QC deficiency was remediated.

2. Current PCAOB standards
Current PCAOB QC standards require firms to establish policies and procedures
to provide the firm with reasonable assurance that the policies and procedures relating to
each of the other QC elements are suitably designed and are being effectively applied.305

See QC 20.20.

The standards also address how a firm implements the monitoring element of a QC
system in its accounting and auditing practice.306 The standards discuss various
monitoring procedures that a firm may perform, such as reviewing engagements before or
after the engagement reports are issued, reviewing selected administrative and personnel
records pertaining to the QC elements, considering systemic causes of findings that
indicate improvements are needed, determining corrective actions, and following up to
ensure that any necessary modifications are made to the firm’s QC policies and
procedures on a timely basis.307 Although current PCAOB QC standards provide that
monitoring procedures taken as a whole should enable firms to obtain reasonable
assurance that their QC systems are effective,308 there are no express obligations for firms
to perform any specific types of monitoring.
EVALUATION OF AND REPORTING ON THE QC SYSTEM
1. QC 1000
a. Annual evaluation of the effectiveness of the QC system (QC 1000.77)
A firm’s evaluation of the results of its monitoring and remediation process helps
the firm identify the areas within the QC system that are designed, implemented, and
operating effectively, as well as areas that require attention. This perspective will assist
firm leadership in allocating resources to address QC deficiencies and provide them with
a basis for communicating to others—within or outside the firm—the status of the firm’s
QC system.
Current PCAOB QC standards do not require such an evaluation. The Board
understands that some firms already evaluate their QC systems, either voluntarily or in

See generally QC 30.

See QC 30.03; QC 30.06.

See QC 30.03.

response to other requirements.309 However, not all firms evaluate their QC systems, and
those that do may not apply the same degree of rigor.
i.

Evaluation requirement

The proposed standard included a requirement for the firm to evaluate annually
whether its QC system is effective, is effective except for one or more unremediated QC
deficiencies that are not major QC deficiencies, or is not effective (i.e., one or more
major QC deficiencies exists). Pursuant to proposed paragraph .07c, firms that were not
required to implement and operate a QC system at any time within the previous 12
months would not be subject to the requirement to evaluate and report on their QC
system.
Some commenters expressed support for the proposed annual evaluation
requirement. However, several commenters suggested that the Board conform the
terminology to ISQM 1, such that the conclusions reached in evaluating the QC system
would be the same under both standards. Some commenters expressed concern about the
potential for stakeholder confusion because the criteria and terminology used in QC 1000
differ from ISQM 1. One commenter expressed concern that the more stringent criteria of
QC 1000 would create a competitive disadvantage.
One commenter recommended that the Board eliminate the middle category
(effective except for one or more unremediated QC deficiencies that are not major QC
deficiencies), so that a firm’s QC system would be evaluated as either effective or not
effective based on whether any unremediated major QC deficiencies exist as of the
evaluation date, such that the reasonable assurance objective has not been achieved. The
commenter analogized to ICFR reporting, where management is only required to report
material weaknesses.

See, e.g., NYSE Listed Company Manual, Section 303A.07(b)(iii)(A); Section 2(d) of Article 13,
Regulation (EU) 537/2014.

The Board adopted the evaluation requirements as proposed. The Board does not
believe there is any likelihood of confusion among external stakeholders arising from
differences in evaluation criteria between QC 1000 and ISQM 1 because, under the final
PCAOB standard, the conclusion reached about the effectiveness of a firm’s QC system
is not required to be made public. The same is true under ISQM 1. Therefore, if a firm
were to evaluate its QC system under both standards and reach different conclusions,
market participants would be unaware of that fact unless the firm chose to make the
results of its evaluation public (in which case, it could also choose to provide an
explanation of the difference). Additionally, while ISQM 1 requires communication to
those charged with governance about how the system of quality management supports the
consistent performance of quality audit engagements, QC 1000 does not require any such
communication to the audit committee.310 Firms would of course be free to discuss the
evaluation of their QC system with the audit committee, potentially as part of the report
required under listing standards that may apply to the issuer.311 The Board believes most
audit committee members are already well acquainted with reviewing information
prepared under different frameworks, e.g., financial statements prepared under U.S.
GAAP and under IFRS, and could readily understand that the more stringent criteria
under QC 1000 could lead to a different conclusion about the effectiveness of the QC
system.
Similarly, the Board believes that firms that are required to perform multiple QC
system evaluations will be able to train their personnel and acquire other resources as
necessary to avoid confusion among internal stakeholders and perform the evaluation
under QC 1000 appropriately. A firm will be subject to both QC 1000 and other QC
standards only if it is performing audits under multiple sets of auditing standards. Just as

See Reporting to the audit committee, discussed below.

See NYSE Listed Company Manual, Section 303A.07(b)(iii)(A).

such firms manage the differences in audit requirements and methodology associated
with different auditing standards, the Board believes they will be capable of managing
differences in the QC system requirements under QC 1000 and other QC standards,
including differences in the criteria and terminology used in evaluating the QC system.
The Board also believes that requiring three categories for the QC system
evaluation, as proposed—effective, effective except for one or more unremediated QC
deficiencies that are not major QC deficiencies, and ineffective—will result in a more
rigorous QC system evaluation, a greater incentive for firms to address QC deficiencies
promptly, and more detailed and informative reporting to the PCAOB. Given that
reporting is only to the PCAOB, the Board does not believe an analogy to management’s
public reporting regarding ICFR, where only material weaknesses are required to be
reported, is appropriate.
Firms will be required to perform an evaluation of their QC system annually. The
firm’s evaluation is based on data and evidence provided by the firm’s monitoring and
remediation activities. An annual evaluation will provide leadership with timely
information to facilitate an effective feedback loop.312 This approach highlights the
importance of the QC system in driving continuous improvement in firms’ ability to
perform compliant engagements on a consistent basis. The evaluation requirement will
drive firms to collect and analyze the results of their monitoring and remediation
processes in order to identify deficiencies and will provide an additional incentive for
firms to focus on areas requiring the most immediate attention and improvement.
The evaluation requirement also reinforces the responsibility and accountability
of leadership for the firm’s QC system.313 As discussed above, the individual charged

Firms could decide to evaluate the QC system more frequently than required under the standard.
For example, a firm with one or more major QC deficiencies may decide to perform a mid-year
evaluation to gauge the effectiveness of its remedial actions.

See QC 1000.13–.17.

with ultimate responsibility and accountability for the QC system as a whole will be
accountable for the annual evaluation, and both that individual and the individual charged
with operational responsibility and accountability for the QC system as a whole will be
required to certify the firm’s annual report regarding the evaluation of its QC system.314
The Board believes this will send a clear message about the importance of the evaluation
and incentivize firm leadership to take ownership of both the annual evaluation of the QC
system and the results.
While the Board adopted as proposed a requirement for annual evaluation of the
QC system, it made some changes in response to commenter input, as described below.
ii.

Evaluation frequency and date

The proposed standard would have required the firm to evaluate its QC system
annually as of November 30 and conclude on whether any unremediated QC deficiencies
(including major QC deficiencies) exist as of that date.
One commenter, an investor-related group, supported the proposed November 30
evaluation date and opposed allowing firms to set their own reporting date.
Many commenters, generally firms and firm-related groups, suggested that firms
should be permitted to choose their own evaluation date, primarily because it would
enable them to choose a date based on their own operating and business cycle or
inspection cycle. These commenters also noted other considerations, such as alignment
with the firm’s fiscal year end or the date already chosen for the evaluation required
under ISQM 1. Several commenters suggested that firms should be able to choose a date
that would allow them sufficient time to perform root cause analysis, remediate identified
issues, and test the effectiveness of their remediation efforts. One commenter noted that
firms could choose a date with a view to enabling real-time conversations with audit

See QC 1000.14c.-d. and .15b.

committees. Another commenter suggested that additional flexibility on the evaluation
date would enhance the scalability of the standard. Some commenters stated that
requiring a specific evaluation date could lead firms to perform assessments twice a year.
Several commenters also raised a concern about potential resource limitations in
performing the evaluation on the timetable the Board proposed.
Other commenters suggested various options for potential alternative evaluation
dates:
•

March 31, on the basis that it is better aligned with a natural business cycle for
many firms or aligns with the Form 2 reporting date. (These commenters
generally preferred allowing firms to choose their own evaluation date over a
mandated date applicable to all firms and suggested March 31 as a second-best
approach.)

•

September 30, which would allow firms to report to the PCAOB by November 15
and, in turn, report to audit committees before the end of the calendar year.

•

September 30 or October 31, if the proposed January 15th reporting date is
implemented, to allow additional time to complete reporting.

•

February 28, to allow reporting by April 1, in advance of the April/May proxy
season.

•

A window, for example, November to March, within which firms could choose a
date.
Taking into account commenter feedback on the proposed evaluation date of

November 30, the evaluation date was revised to September 30 for all firms. The Board
believes this earlier date addresses commenter concerns that the November 30 date would
have caused potential resource limitations during the traditional busy period for many
firms. Further, the Board believes an evaluation date of September 30 would provide the
firm with enough time to identify and potentially remediate any QC deficiencies

identified from the most recent calendar year-end engagements, which might not be
possible if an earlier date were selected.
As summarized above, some firms expressed concern that a firm that has already
chosen its evaluation date under ISQM 1 would be required to perform two QC system
evaluations per year since the PCAOB’s evaluation date differs from ISQM 1’s. The
Board believes firms can build on work already done for the purpose of complying with
the requirements of one QC standard in performing the other, to the extent applicable.
However, since the nature of the two evaluations is inherently different (e.g., the
determination of major QC deficiencies, the differing definitions of QC deficiency under
QC 1000 vs. deficiency under ISQM 1), the Board believes that there would always be
some differences between the evaluation required under QC 1000 and the evaluation
required under ISQM 1. While there could be additional costs associated with multiple
evaluations if a firm chose to have separate evaluation dates for purposes of QC 1000 and
other QC standards to which it is subject, firms would be free to change their evaluation
date under other QC standards so that the evaluation dates coincide.
The proposed standard also included a note clarifying what unremediated means
in the context of this requirement: remedial actions that completely address the QC
deficiency have not been fully implemented, tested, and found effective. While this note
did not draw specific comment, one commenter suggested that the framework afforded
by section 104(g)(2) of Sarbanes-Oxley, which the commenter said focuses on substantial
good faith progress instead of complete remediation, is necessary and should be retained.
The Board disagrees as, in its view, the two provisions serve fundamentally different
purposes and a different approach is appropriate for firm evaluation and reporting under
QC 1000.
Sarbanes-Oxley section 104(g)(2) governs the circumstances under which the
PCAOB is permitted to make portions of an inspection report dealing with quality control

criticisms and potential defects public. It forbids publication if the criticisms or defects
“are addressed by the firm, to the satisfaction of the Board,” not later than 12 months
after the date of the report. In describing its process for determining whether a matter has
been addressed to its satisfaction, the Board indicated that a “favorable Board
determination reflects the Board’s assessment that the firm has demonstrated substantial,
good faith progress toward achieving the relevant quality control objectives, sufficient to
merit the result that the criticisms remain nonpublic. A favorable determination does not
necessarily mean that the firm completely and permanently cured any particular quality
control defect.”315
By contrast, reporting on Form QC is simply factual: as of the evaluation date, has
each identified QC deficiency been fully remediated or not? Under QC 1000, firms will
perform a self-evaluation, based on the process and criteria set forth in the standard. This
is very different from the process by which the Board determines whether a matter has
been remediated to its satisfaction for purposes of section 104(g)(2),316 not least because
it involves the firm’s self-assessment rather than the Board’s judgment. Moreover, the
Board does not believe the consequences of a firm reporting an unremediated QC
deficiency to the PCAOB would be the same as the consequences of the PCAOB
publishing QC criticisms in an inspection report; in particular, the Board does not believe
that the legislative policy choice reflected in section 104(g)(2), which, as the Board has
said, favors “the correction of quality control problems over the exposure of them,”317
applies in this context, given the nonpublic nature of the Form QC reporting.
Accordingly, the Board adopted the note to paragraph .77 as proposed.

PCAOB Rel. No. 104-2006-077 at 6.

See PCAOB Rule 4009, Firm Response to Quality Control Defects.

PCAOB Rel. No. 104-2006-007 at 2.

b. Determining whether major QC deficiencies exist (QC 1000.78)
The standard requires firms to evaluate unremediated QC deficiencies as of the
evaluation date to determine whether major QC deficiencies exist. While the
identification of QC deficiencies will be an ongoing process throughout the year, the
determination of whether any of those QC deficiencies, alone or in combination,
constitute major QC deficiencies will be required only as part of a firm’s annual
evaluation of its QC system.
i.

Definition of a major QC deficiency

The proposed standard provided that a major QC deficiency was “an
unremediated QC deficiency or combination of unremediated QC deficiencies, based on
the evaluation under paragraph .78, that severely reduces the likelihood of the firm
achieving the reasonable assurance objective or one or more quality objectives.” One
commenter supported the concept of major QC deficiency. However, a number of
commenters expressed concern with that proposed definition:
•

Several commenters expressed concern that the definition could cause a firm to
come to a different conclusion about its QC system during the annual evaluation
process under QC 1000 than the conclusion a firm may reach under ISQM 1 and
suggested that the definition be revised to include the concepts of severe and
pervasive, similar to the concepts that appear in relation to the evaluation of QC
deficiencies under ISQM 1.

•

One commenter stated that it was unclear why a new term, “major QC
deficiency,” would be necessary and questioned the need for a reference to a
threshold other than “achieving reasonable assurance.”

•

Another commenter was concerned that the concept of major QC deficiency,
which other QC standards do not use, will redirect time and resources to
analyzing the level of a deficiency instead of the important elements to remediate

the deficiency such as root cause analysis and implementing timely changes to a
firm’s system.
•

Another commenter stated that the phrase “severely reduces the likelihood” in the
definition of major QC deficiency is vague and not sufficiently defined in the
proposed QC standards and suggested that the phrase be replaced with the phrase
“prevents the firm from concluding.”
The Board considered the commenter feedback and determined to adopt this

language as proposed. The Board agrees it is possible that firms could reach different
conclusions as to the effectiveness of their QC system under QC 1000 and ISQM 1 or
SQMS 1. However, the concept of severe and pervasive, which commenters suggested be
incorporated in the definition, appears in the factors for firms to consider when
determining the existence of a major QC deficiency (see paragraph .78b. below). The
Board believes that including this concept in the factors clarifies the process firms will
need to go through in making their determination of whether a major QC deficiency
exists.
The defined term “major QC deficiency” is unique to QC 1000, but the concept it
embodies—that the QC system does not provide the firm with reasonable assurance that
the objectives of the QC system have been met—is not, and appears in both ISQM 1 and
SQMS 1. Accordingly, the Board does not believe that phrasing the requirements as it
has, including the use of a defined term, will require a different evaluation process than if
it had simply required a determination that the QC system was ineffective. The standard
does not require the determination of major QC deficiencies to be performed at any time
other than the evaluation date. However, firms may choose to perform such an analysis
ahead of the annual evaluation date to enable sufficient time to design, implement, and
test remedial actions related to the QC deficiencies that have the greatest potential impact
on the QC system.

As with the defined term “QC deficiency,” the defined term “major QC
deficiency” is analogous to a term in COSO’s integrated framework, major deficiency,
which includes the concept of “severely reduces the likelihood.” The Board believes that
this concept is already well-understood by firms.
Another commenter expressed concern that a major QC deficiency would exist if
there was a severely reduced likelihood that the firm did not achieve a single quality
objective, even when the firm had in fact achieved the reasonable assurance objective. In
the Board’s view, this concern is more theoretical than real. The quality objectives in
QC 1000 relate to compliance with applicable professional and legal requirements in each
component of the QC system and in the aspects of the firm’s practice that are addressed
by each component. Failing to achieve such a quality objective implies that the
reasonable assurance objective has not been achieved. Some quality objectives,
particularly in the resources component, also relate to compliance with the firm’s policies
and procedures. These quality objectives are directed to the QC system itself: compliance
with policies and procedures is necessary for the QC system to operate as designed.
While failure to comply with firm policies and procedures does not necessarily imply
failure to comply with applicable professional and legal requirements, it does mean that
the QC system is not operating as designed, which may raise questions about the level of
assurance it provides.
In response to commenter feedback regarding the proposed concept of presumed
major QC deficiencies (discussed in the next section), the lead-in language of paragraph
.78 was revised to clarify that the factors in paragraph .78b are to be applied by the firm
both (i) when a presumption arises that a major QC deficiency exists and the firm
attempts to rebut the presumption, and (ii) in instances where no presumption arises.
ii.

Presumed major QC deficiency (QC 1000.78.a)

The proposed definition of a major QC deficiency provided for two circumstances
that would be presumed to evidence a major QC deficiency. These circumstances
included an unremediated QC deficiency or combination of unremediated QC
deficiencies that:
•

Relates to the firm’s governance and leadership that affect the overall
environment supporting the operation of the QC system. Firm governance and
leadership establish the environment that determines how firm personnel carry out
responsibilities for the operation of a firm’s QC system and the performance of its
engagements. Because of the pervasive impact of leadership and the “tone at the
top,” one or more unremediated QC deficiencies related to firm governance and
leadership that affect the overall environment supporting the operation of the QC
system would almost always severely reduce the likelihood of the firm achieving
the reasonable assurance objective or one or more quality objectives.

•

Results in or is likely to result in one or more significant engagement deficiencies
in engagements that, taken together, are significant in relation to the firm’s total
portfolio of engagements conducted under PCAOB standards. A significant
engagement deficiency exists when (1) the engagement team failed to obtain
sufficient appropriate evidence in accordance with the standards of the PCAOB or
failed to perform interim review or attestation procedures necessary in the
circumstances, (2) the engagement team reached an inappropriate overall
conclusion on the subject matter of the engagement, (3) the engagement report is
not appropriate in the circumstances, or (4) the firm is not independent of its
client.318 An unremediated QC deficiency that would likely result in one or more
of these deficiencies in engagements that, taken together, are significant in

See Notes to AS 1220.12, .17, .18B.

relation to the firm’s total portfolio of engagements conducted under PCAOB
standards would give rise to a presumption that a major QC deficiency exists. The
definition included examples of quantitative and qualitative criteria that may
signal such significance.
One commenter argued that the proposed presumption regarding deficiencies in
the governance and leadership component was unnecessary, on the basis that not every
deficiency in governance and leadership was necessarily a major QC deficiency. Other
commenters expressed concern that the circumstances presumed to evidence a major QC
deficiency remove the auditor’s ability to apply professional judgment. Another
commenter suggested that the presumptions could be replaced with indicators of a major
QC deficiency, similar to how AS 2201 treats material weaknesses. Another commenter
stated that it is not appropriate to include in the proposed definition circumstances when a
major QC deficiency is presumed to exist because the factors provided in paragraph .78
are sufficient to make the evaluation of whether a QC deficiency is a major QC
deficiency. Another commenter suggested that these presumed major QC deficiencies
could be relocated from the definition and into paragraph .78 and achieve the same
objective.
The Board considered the commenter feedback. However, as described above, the
Board continues to believe that because of the pervasive impact of leadership and the
“tone at the top,” one or more unremediated QC deficiencies related to firm governance
and leadership that affect the overall environment supporting the operation of the QC
system would almost always severely reduce the likelihood of the firm achieving the
reasonable assurance objective or one or more quality objectives—that is, would almost
always result in a major QC deficiency.
The Board also noted that, consistent with the proposal, the presumptions are not
conclusive and can be rebutted by the firm in appropriate circumstances. The note to

paragraph .78a clarifies that in order to rebut a presumption that a major QC deficiency
exists, a firm must demonstrate, by taking into account both of the factors in paragraph
.78b. (including all of the listed examples in paragraph .78b.(1)), that a major QC
deficiency does not exist.319 The standard thus allows for circumstances in which a
deficiency related to one of the presumptions does not amount to a major QC deficiency,
and creates an opportunity for firms to exercise professional judgment in deciding
whether to attempt to rebut the presumption and, if so, how to apply the paragraph .78b
factors. However—appropriately, in the Board’s view—the presumptions shift the burden
of proof to the firm, which will have to demonstrate that circumstances generally
reflecting a major QC deficiency do not constitute a major QC deficiency in its case. The
Board believes the term “presumption” achieves this burden shifting more clearly than
“indicators” or other terms would do.
The Board agrees with the commenter that suggested that the presumed major QC
deficiencies should not be included in the definition of major QC deficiency and have
taken another commenter’s suggestion to relocate the presumption to paragraph .78.
Accordingly, the Board made the following revisions to paragraph .78:
•

Relocated the circumstances presumed to evidence a major QC deficiency from
the definition into paragraph .78a, so they are explicitly part of the process of
determining whether a major QC deficiency exists.

•

Included a note to clarify what the firm has to demonstrate in order to rebut the
presumption that a major QC deficiency exists.

When circumstances exist that are presumed to evidence a major QC deficiency, but the firm
demonstrates that it does not have a major QC deficiency, the firm will be required to disclose the
basis for its determination in its report to the PCAOB on Form QC, as discussed further below.
See Form QC, Report on the Evaluation of the Firm’s System of Quality Control, Item 2.5.

Importantly, the circumstances where a major QC deficiency is presumed to exist
are not an exhaustive list of possible major QC deficiencies. For example, any deficiency
that requires significant effort and resources to remediate may be a major QC deficiency.
One firm requested clarification of the relationship between the definitions of
“engagement deficiencies” and “significant engagement deficiencies.” As is evident from
their respective definitions, significant engagement deficiencies are a subset of
engagement deficiencies. QC 1000 defines an engagement deficiency as “an instance of
noncompliance with applicable professional and legal requirements by the firm, firm
personnel, or other participants with respect to an engagement of the firm, or by the firm
or firm personnel with respect to an engagement of another firm.” As the footnote to
paragraph .78 of the standard provides, “A significant engagement deficiency exists when
(1) the engagement team failed to obtain sufficient appropriate evidence in accordance
with the standards of the PCAOB or failed to perform interim review or attestation
procedures necessary in the circumstances, (2) the engagement team reached an
inappropriate overall conclusion on the subject matter of the engagement, (3) the
engagement report is not appropriate in the circumstances, or (4) the firm is not
independent of its client. See, e.g., Notes to AS 1220.12, .17, .18B.”
iii.

Factors for consideration

To help firms make the determination of whether a major QC deficiency exists,
the standard provides factors on which to base the determination, which assist firms in
applying the definition. Several commenters expressed general support for the proposed
factors, and the Board adopted them as proposed.
The Board did not receive comments on the examples that illustrated the proposed
factors, and adopted this aspect of the proposal substantially as proposed, with one
addition, in a renumbered paragraph .78b.(1)(d). The added example relates to the
persistence of an unremediated QC deficiency or combination of unremediated QC

deficiencies over time. Through its oversight activities the PCAOB has observed repeat
or persistent criticisms—appearing in consecutive inspections, or occurring consistently
over multiple years, even if not every year—which the Board believes may be indicative
of a problem so pervasive and/or so severe that the firm has been unable to effectively
remediate it, or of significant failures in the firm’s remediation process. Firms will need
to consider whether and how the existence of a persistent unremediated QC deficiency or
combination of unremediated QC deficiencies year over year might indicate the existence
of a major QC deficiency.
Under the standard, the factors for determining whether a major QC deficiency
exists are:
•

The severity and pervasiveness of the unremediated QC deficiency or combination
of unremediated QC deficiencies. A firm assesses an unremediated QC
deficiency, considering both quantitative and qualitative implications. For
example, a firm will assess how many of the components of its QC system,
quality objectives, and quality responses are affected by the deficiency, the
number of root causes, and the number of affected engagements or engagements
likely to be affected in the future, as well as the impact on those engagements,
including engagements where the opinion was not appropriately supported or the
financial statements or management’s internal control assessment had to be
revised or restated. The firm would also consider the implications of the
deficiency for the QC system overall, based on ways in which the design or
operation of other aspects of the QC system may be affected, the pervasiveness of
the root causes, and the risk of the firm issuing inappropriate engagement reports
or otherwise performing deficient engagements in the future. Viewed this way, for
example, an unremediated QC deficiency that affects engagements only in a
single industry, where the firm has few clients and no intention to acquire more

and the engagements represent an insignificant portion of the firm’s total portfolio
of engagements under PCAOB standards, is less likely to be severe or pervasive.
The Board views the concepts of severity and pervasiveness as overlapping and
the factors in paragraph .78b.(1) that indicate the severity and pervasiveness of an
unremediated QC deficiency, or combination of unremediated QC deficiencies,
represent both aspects. The standard does not require the firm to determine that an
unremediated QC deficiency is both severe and pervasive in order for it to
constitute a major QC deficiency, nor is the list of examples exhaustive.
•

The extent to which remedial actions have been implemented, tested, and found to
be effective. Before the annual evaluation date, a firm may implement remedial
actions that reduce the severity or pervasiveness of an unremediated QC
deficiency. To illustrate, if a firm identifies an issue with its audit software, it
could develop a temporary “work around” to mitigate the unremediated QC
deficiency until a permanent solution is employed. For this factor to be relevant
for a firm when determining whether a major QC deficiency exists as of the
annual evaluation date, the remedial actions have to be tested and the results have

to show that such remedial actions are operating effectively.

c. Firm reporting on QC system evaluation (QC 1000.79-.80)
i.

Reporting to the PCAOB
1) Annual reporting

Under the proposal, firms were to report to the Board annually the outcome of the
evaluation of the firm’s QC system with respect to any period during which the firm was
required to implement and operate the QC system. Many commenters supported the
proposed annual reporting requirement. However, one commenter stated that this annual
firm reporting would be of no meaningful incremental benefit to the PCAOB and has the
potential to create an adversarial dynamic that would not promote audit quality or well
serve investor protection goals. Another commenter suggested that if the required
reporting on Form QC to the PCAOB would lead to follow-on requests from the PCAOB
to furnish more detailed information as to specific findings, then confidentiality
legislation may be an issue for firms. Other commenters argued that, because the PCAOB
could obtain the same information through the inspections process, reporting to the
PCAOB would be unnecessarily duplicative. Another commenter argued that all
unremediated QC deficiencies should not have to be reported on Form QC, specifically
commenting that the PCAOB already has the ability to access QC documentation for all

registered firms to view this information. Another commenter suggested that the value of
the report when not accompanied by independent attestation is likely to be limited.
The Board acknowledges that it has the ability to request from firms information
relating to their QC systems. However, the Board continues to believe that annual
reporting to the Board will provide the PCAOB with important information about firm
QC systems in a timely and structured way and will provide an effective and efficient
means of gathering information about firm QC systems. Currently, only 14 of the
approximately 1,600 registered firms are subject to annual inspection. Approximately 640
registered firms are required to be inspected on a triennial basis, of which approximately
one third are inspected in any given year.320 Therefore, the Board does not believe that
collecting firms’ QC information during an inspection would provide timely information
regarding the majority of registered firms’ QC systems. Data collected by the PCAOB
will inform its inspections process, including decisions about the selection of firms and
engagements as well as focus areas to inspect and the nature and extent of its inspection
procedures (both for QC processes and individual engagements), and will enable the
PCAOB not only to make more refined data requests from the firms, but also to focus its
inspection resources on those firms and engagements with the greatest risk. The Board
believes that this will help better advance its investor protection mandate. Additionally,
the Board believes that a formal reporting process will result in enhanced accountability
of firm leadership for QC and an additional incentive for prompt remediation of
identified QC deficiencies. While the standard does not require attestation over the firm’s
evaluation process, the Board believes that the requirements regarding the form,
including required certifications, will provide sufficient incentive for firms to report
accurately and completely (and enforcement remedies will be available if they do not).

The data were obtained from Audit Analytics and publicly available data from the PCAOB’s
Registration, Annual and Special Reporting (RASR) available at https://rasr.pcaobus.org.

The incremental effort for a firm to report its evaluation to the PCAOB will not be
substantial, as the firm is simply communicating the results of its evaluation process and
any related remediation activities, which it is required to conduct and document under
QC 1000 in any case.
One firm suggested that the Board only require reporting to the PCAOB if a firm
performed engagements in accordance with PCAOB standards during the one-year period
ending on the evaluation date. The Board considered whether this change would be of
significant benefit to firms and would further enhance the scalability of the standard.
However, firms that are not currently performing engagements may have responsibilities
with respect to past engagements.321 Moreover, regardless of whether they are required to
report the results of the annual evaluation, firms will still be required to perform an
evaluation pursuant to QC 1000 in such a circumstance. On that basis, the Board believes
that reporting would be valuable even for firms that did not perform an engagement
during the year preceding the evaluation date, and that reporting should not constitute an
undue burden.
2) Reporting mechanism: Form QC
As proposed and under the final rules, firms are required to report their annual QC
evaluation on a new form, Form QC. Several commenters supported the use of a separate
Form QC, with some of these commenters asserting that because firms should be allowed
to select their own evaluation date, this would necessitate the use of Form QC, rather than
an existing form such as Form 2. Another commenter supported the view that expanding
Form 2 to incorporate QC information was not favorable as this would make the form
longer and more complex. The Board continues to believe that separate reporting on new
Form QC remains appropriate. The contents of Form QC are the result of a separate

See, e.g., AS 2901; AS 2905.

evaluation process by a firm and the Board believes that it is simpler for the results of the
annual evaluation to be reported on a separate form. In addition, as discussed in more
detail above, QC 1000 requires firms to conduct an annual evaluation of their QC system
as of September 30. The use of a separate Form QC for reporting the results of the annual
evaluation will facilitate closer alignment of the timing of the reporting and the annual
evaluation date. For example, the submission deadline for Form 2 is June 30, which is
nine months after the annual evaluation date of September 30. Furthermore, Form 2
reporting is public and, as discussed in more detail below, Form QC will not be publicly
available.
The proposal asked whether Form QC should be permitted to be filed in XML or
another machine-readable format. In response, one commenter supported the PCAOB
permitting widely accepted formats that support usability. Another commenter supported
that the web-based system for submitting the information be navigable and easy to use.
Reporting to the PCAOB will be done using the same platform as its other reporting
forms (currently, its web-based RASR system and, in the future, potentially new means
of information exchanges as the PCAOB continues to modernize its reporting technology
aimed at simplifying and automating data collection, processing, and interoperability).
3) Contents of Form QC
The contents of Form QC will address the matters listed in paragraphs .79-.80. In
addition, Form QC will elicit certain information about the firm and the individuals
responsible for the QC system, aggregated information about the items required to be
reported in paragraph .80, the areas of QC to which any unremediated QC deficiencies
relate, and a certification of the evaluation of the QC system by certain designated
individuals (discussed below).
One firm asserted that the requirement to report unremediated deficiencies is at
too granular a level to be meaningful. The Board considered several alternatives,

including requiring firms to report to the Board on the outcome of the annual evaluation
of the firm’s QC system only when the firm identifies a major QC deficiency. While this
approach could reduce some of the costs associated with preparing the annual evaluation
to the PCAOB, it would also significantly reduce the value of the reporting of the firm’s
annual evaluation to the PCAOB, as well as potentially affecting the rigor of the firm’s
evaluation process. As noted above, reporting on all unremediated QC deficiencies will
inform various aspects of the Board’s oversight activities. In addition, to the extent that
reporting may increase firm leadership’s focus on their responsibility and accountability
for quality, reduced reporting would be less beneficial. Therefore, the Board decided that
annual reporting to the PCAOB of the results of firms’ annual evaluation of the QC
system, including unremediated QC deficiencies, is the appropriate approach.
One commenter supported the inclusion of Item 4.1 of Form QC on whether the
Board should inform a party of a subpoena for information on Form QC, but another
commenter argued that it was unnecessary, may interfere with investigations, may create
a potential ground for firms to sue the Board in the event notification did not occur, or
potentially involve the PCAOB in private litigation. Because Form QC will be nonpublic,
the Board believes that firms should be given the opportunity to request such notification,
consistent with the PCAOB’s treatment of the other nonpublic form filed with the
PCAOB.322
An investor suggested firms should also affirm to the PCAOB on Form QC that
any information that the firm voluntarily released (e.g., in transparency reports, audit
quality reports, and CEO speeches) over the time period covered by Form QC was
consistent with the state of their quality control system, as of the time of the voluntary
disclosure. This commenter also suggested that the affirmation should be publicly

See General Instructions 5 to PCAOB Form 1-WD, Request for Leave to Withdraw from
Registration.

available. An investor-related group suggested that firms should report publicly on Form
QC how an independent QC board committee (established under paragraph .28 of
QC 1000) carries out its responsibilities. As discussed in more detail below, Form QC
will not be publicly available, so there would be no benefit to the public in adding this
information to Form QC. However, the Board remains committed to finding additional
ways of providing public disclosure to better inform investors about firms, and to that
end, has separately proposed to amend Form 2 to identify whether the firm has an
external oversight function for the audit practice (established under paragraph .28 of QC
1000) and, if so, the identity of the person or persons and an explanation for the basis of
the firm’s determination that each such person is independent (including the criteria used
for such determination) and the nature and scope of each such person’s responsibilities.323
Some commenters indicated that there might be circumstances in which
information required by Form QC may be restricted from disclosure by the operation of
legal requirements (such as data protection laws). Two of these commenters suggested
that the instructions to Form QC should include a provision found in other PCAOB forms
allowing firms to decline to provide information if the firm believes that providing such
information would violate non-U.S. law. Another commenter, while acknowledging that
it was not aware of non-U.S. laws that would prohibit reporting the information required
on Form QC, suggested that the Board state that firms would not violate the requirement
to file Form QC if laws or regulations exist in the jurisdiction(s) of the firm that prevent
compliance with this requirement.
The Board acknowledges that certain PCAOB forms include a general instruction
for assertions of conflicts with non-U.S. law. In these circumstances, the instructions
identify the specific parts and items within the form for which the firm may withhold

See PCAOB Rel. No. 2024-003 at 29.

responsive information on the basis that the firm could not provide such information
without violating non-U.S. law. Form QC, however, calls for certain discrete information
that the Board does not believe, and that no commenter has suggested, would be
restricted from disclosure under non-U.S. law (e.g., the firm’s name, the evaluation date,
the overall conclusion of the firm’s evaluation, the number of unremediated QC
deficiencies, and for each unremediated QC deficiency, whether it is or is not major and
the areas of the QC system to which it relates). Beyond that, Form QC requires firms to
provide narrative information, including a description of each unremediated QC
deficiency, the basis for the firm’s QC deficiency determination, a summary of remedial
actions, and the firm’s major QC deficiency presumption analysis (if applicable). The
Board believes that the narrative information required to be reported in Form QC can be
provided at a sufficiently summarized level such that the reporting of such information by
the firm would not require disclosure of information that could be restricted by legal
requirements such as data protection laws. For example, if a firm reports an unremediated
QC deficiency on Form QC, the Board believes that the firm could provide a description
of the deficiency and a summary of the remedial actions taken and planned to be taken
without violating non-U.S. law.
Some commenters suggested that the standard should clarify that firms submit
Form QC in connection with an inspection under section 104 of the Sarbanes-Oxley Act
and that Form QC should receive the same confidentiality protections of section
105(b)(5)(A) of the Act that other inspections-based documents and information receive.
One of these commenters further suggested that the Board should make clear that all of
Form QC and its contents benefit from the privilege established by section 105(b)(5)(A),
regardless of how a deficiency has come to light. Another commenter suggested that the
Board consider requesting firms to provide the information proposed to be in Form QC
through the inspection process, and that such requests could be made at any time to

facilitate the PCAOB’s inspections. The commenter explained that under this suggested
alternative approach, Part II and the related exhibits of Form QC could be removed and
instead, the PCAOB could request this as part of the inspection process, to allow the
information to be privileged under section 105(b)(5), while retaining the certification.
The Board does not believe that it is appropriate to specify that Form QC is
provided in connection with an inspection. The obligation to furnish Form QC to the
PCAOB does not derive from a request from PCAOB inspection staff; instead, that
obligation arises expressly from paragraph .79 of QC 1000. And while Form QC, like
other forms filed with the PCAOB (such as annual reports on Form 2), may be used to
inform the PCAOB inspection process, that is not the only purpose of the form; it may be
used, for example, in connection with PCAOB standard-setting processes, its economic
and risk analysis, and its registration program, to name a few examples. Furthermore,
Form QC submissions may not directly relate to an inspection. For example, triennially
inspected firms are required to report on Form QC annually, including in years in which
they are not subject to inspection. Firms that are no longer performing engagements
making them subject to PCAOB inspection may still be required to report on Form QC in
light of their post-issuance QC responsibilities, such as their audit documentation
retention obligations under AS 1215. Accordingly, the Board does not believe that Form
QC is received by the Board in connection with an inspection for purposes of section
105(b)(5)(A) of the Act, though it notes, as discussed further below, that certain
information contained within a Form QC may be subject to the protections of section
105(b)(5)(A).
4) Reporting date
The proposal contemplated that firms would have until January 15 of the year
following the November 30 evaluation date to file Form QC. This provided firms 46 days
from the evaluation date to the reporting date. As adopted, the standard provides that

firms have until November 30 to report on Form QC to the PCAOB. This provides firms
with 61 days after the evaluation date of September 30 to file Form QC. A general
instruction was added to Form QC to clarify the reporting period covered by the firm’s
evaluation. The reporting period is the period beginning on October 1 of the year
preceding the year in which Form QC is required to be filed (or, if a firm's obligation to
implement and operate a QC system arises under paragraph .07a after October 1 of that
year, the date on which that obligation arises)) and ending September 30 of the year Form
QC is required to be filed. Under this provision, the reporting period will generally be 12
months long, but will be shorter if the obligation to implement and operate the QC system
arises mid-period (whether by virtue of the effective date of QC 1000 or the firm’s
otherwise becoming subject to the requirement to implement and operate the QC system).
Several commenters suggested a 90-day period from the evaluation date to the
reporting date would be appropriate because this would allow for testing of controls that
operate at the evaluation date, and allow firms to perform thorough and detailed
evaluations. Several commenters suggested that additional time is required for Form QC
preparation beyond 45 days to be able to compile relevant information, including
information on remedial actions, with some commenters supporting a 60-day period that
would align with the shortest due date applicable to issuers to report on their conclusion
on internal control over financial reporting. Another commenter suggested that reporting
should be in advance of the April/May proxy season, suggesting a reporting date of April
1 using an evaluation date of February 28. One commenter did not support a January 15
reporting deadline, suggesting that this would be close to the conclusion of the audit and,
if there are matters to be reported to the audit committee, would leave the audit
committee with little time to consider and respond to the information before the due date
of the issuer’s Form 10-K. The commenter also suggested that for firms subject to both
ISQM 1 and QC 1000, having different reporting dates would create unnecessary

complexities for audit committees receiving reports under different standards and
different points in time. Several commenters suggested that a January 15 reporting
deadline would be challenging for many firms given the proximity to year-end holidays.
One commenter suggested that coinciding the reporting date of January 15 with the
PCAOB’s inspection process should not be a key consideration for firms in determining
the most appropriate date for their annual assessment.
The Board believes that extending the number of days from the evaluation date to
the reporting date to 61 days will provide firms sufficient time to complete their
evaluation and report to the PCAOB. In addition, the reporting date of November 30 as
adopted is prior to the calendar year end and the traditional busy period for many firms,
which the Board believes will further benefit firms in performing their evaluations.
ii.

Form QC: not publicly available

The proposed standard contemplated that Form QC would be nonpublic. Many
commenters, including firms, supported requiring the contents of Form QC to be
nonpublic. One firm commented that to require public reporting would be inconsistent
with the balance that Congress struck in sections 104(g)(2) and 105(b)(5) of SarbanesOxley. One commenter asserted that the PCAOB should not use rulemaking to cause
firms to disclose quality control matters that the PCAOB is prohibited by Sarbanes-Oxley
from disclosing or cause firms to otherwise disclose information that would be
confidential under statute. Another commenter suggested that public disclosure of
unremediated QC criticisms could allow companies that have a lower demand for audit
quality to select a lower quality auditor.
Other commenters, generally investors and investor-related groups, objected to
the lack of public disclosure. Two investors commented that the proposed disclosure to
audit committees but not to the public leaves investors in the dark, and that disclosure
requirements provide an effective incentive for remediation of identified quality control

issues. Another commenter asserted that if the PCAOB is permitted to compel firms to
disclose quality control information to audit committees, then they expect that the
PCAOB could also compel disclosure of such information to the public. The commenter
suggested that QC disclosures only to audit committees may have unintended
consequences for the public markets as companies will have more information regarding
the quality of their auditors than individual investors. Some investors and investor-related
groups commented that the proposal provides little public accountability with no
mandated or meaningful disclosures about the operation of the QC system. Two investors
and an investor-related group commented that firms furnish a statement of the quality
control policies of the firm when registering with the PCAOB, however this information
is not required to be updated and can quickly become out of date. Therefore, providing
the public with additional disclosure about a firm’s quality control system will act as an
updating function.
One firm suggested that it would be difficult for the public to synthesize in a
useful manner the information in Form QC without the right level of context. However,
three investor-related groups did not support the view that partial disclosure of Form QC
would result in potentially incomplete or misleading picture of a firm’s QC system, and
favored disclosing elements of Form QC and leaving to investors the assessment of the
relative importance of the information. One of the investors further suggested a
restructuring of Form QC that would allow confidential information to remain
confidential while sharing decision-useful information with investors. Another investor
suggested that investors would directly benefit from the disclosure of firm-identified
deficiencies that omits PCAOB-identified deficiencies, further commenting that to the
extent firms do not disclose any deficiencies to the public, investors may have concern
that the system of quality control was not sufficient to proactively identify deficiencies.

The Board continues to recognize the desire of investors and other stakeholders
for information related to audit quality and the effectiveness of firms’ QC systems. But
its ability to require firms to publicly disclose their QC deficiencies is subject to certain
legal constraints imposed by Sarbanes-Oxley.
As a threshold matter, some or all of the unremediated QC deficiencies identified
during a firm’s annual evaluation may have been identified as QC criticisms or potential
defects during a PCAOB inspection.324 Furthermore, the Board believes that the QC
deficiencies identified during PCAOB inspections are likely to be important information
from the perspective of investors and other stakeholders, especially because PCAOB
inspection teams customize their QC-related procedures based on, among other things,
the firm’s structure, procedures performed in prior inspections, past and current
inspection observations, the size of the firm, and an assessment of risk related to each
focus area. Notably, however, section 104(g)(2) of Sarbanes-Oxley provides that if a
quality control criticism or potential defect identified during a PCAOB inspection is
addressed by the firm to the Board’s satisfaction within 12 months of the date of the
Board’s inspection report, no portions of the inspection report that deal with that criticism
or potential defect will be made public.325 Making or requiring public disclosure through
a publicly available form of QC deficiencies that have been identified during a PCAOB
inspection would be inconsistent with this provision of Sarbanes-Oxley, if disclosure
were required before the Board has determined whether it is satisfied with the firm’s
remediation efforts or after the Board has determined that the firm has satisfactorily
addressed the deficiencies.
The limitation imposed by section 104(g)(2) is a significant one. In light of
section 104(g)(2), it appears that even if the PCAOB were to require Form QC to be

See QC 1000.71b.

See section 104(g)(2) of Sarbanes-Oxley, 15 U.S.C. 7214(g)(2); see also PCAOB Rule 4009.

publicly available, the PCAOB could not require the disclosure of information regarding
the existence or nature of QC deficiencies that are still subject to the Board’s remediation
determination. However, if information reported by a firm on Form QC informs a QC
criticism contained within an inspection report, and if that QC criticism is not addressed
to the Board’s satisfaction within 12 months of the date of that report, then the QC
criticism would be made public in accordance with section 104(g)(2).
The Board believes that the omission of deficiencies that are still subject to the
Board’s remediation determination (or as to which the Board has made a favorable
remediation determination) would result in a publicly available Form QC that supplies an
incomplete and potentially misleading picture of the effectiveness of the firm’s QC
system. This view is guided by the familiar principle that omitting material facts from a
disclosure can cause the statements that are made to be misleading.326 The Board’s
decision not to mandate public disclosure of Form QC, in a context where material
information (namely, the existence and nature of QC deficiencies that are still subject to
the Board’s remediation determination) may often be omitted, is motivated in part by that
concern, not by any lack of confidence in investors’ ability to interpret the information
provided to them. For example, a firm may have self-identified a number of relatively
minor QC deficiencies in its own evaluation, while QC deficiencies identified by the
PCAOB are more severe or could be of greater public interest. In a partial disclosure
scenario, the firm would disclose the minor matters, but not the more significant ones that
are still subject to the Board’s remediation determination, creating a misleading picture of
the state of its QC system.
The Board was also concerned that, in certain circumstances, even such partial
disclosure would conflict with section 104(g)(2) of Sarbanes-Oxley. For example, assume

See, e.g., 17 CFR 240.10b-5(b).

firms were required to disclose the conclusion of their most recent evaluation and any QC
deficiencies that were self-identified, but not any PCAOB-identified QC deficiencies that
remain subject to the Board’s remediation determination. Under such an approach, if a
firm had PCAOB-identified QC deficiencies but no additional self-identified QC
deficiencies, then the firm would not disclose any specific QC deficiencies but would
disclose an overall conclusion (either “effective except for one or more QC deficiencies
that are not major QC deficiencies” or “ineffective,” depending on the nature of the
PCAOB-identified deficiencies) that nonetheless reveals that the firm has unremediated
QC deficiencies, without specifically identifying them. In such a scenario, the Board
would be indirectly requiring firms to disclose the existence of PCAOB-identified QC
deficiencies that are still subject to the Board’s remediation determination,
notwithstanding section 104(g)(2) of Sarbanes-Oxley.
Moreover, public disclosure of portions of Form QC may in some cases be subject
to other legal constraints imposed by Sarbanes-Oxley. Depending on how a QC
deficiency has come to light, certain information contained within a Form QC might be
confidential pursuant to section 105(b)(5)(A) of Sarbanes-Oxley, which addresses
documents and information prepared or received by or specifically for the Board in
connection with an inspection or investigation.327 Additionally, Form QC requires firms
to report on remedial actions that in certain (though likely rare) circumstances may be
subject to laws relating to the confidentiality of proprietary, personal, or other
information, or might reasonably be identified by a firm as proprietary. In such a
scenario, the Board, in accordance with section 102(e) of Sarbanes-Oxley, would need to
honor a firm’s properly substantiated request for confidential treatment of such
information.328

See section 105(b)(5)(A) of Sarbanes-Oxley, 15 U.S.C. 7215(b)(5)(A).

See section 102(e) of Sarbanes-Oxley, 15 U.S.C. 7212(e); PCAOB Rule 2300(b).

The Board also believes that firms may be in a better position to report fully and
candidly to the PCAOB about their annual evaluation—more effectively supporting both
their own remediation efforts and PCAOB oversight activities—if they are confident that
the information would be understood and used in the context of a broader understanding
of their overall audit practice and an ongoing dialogue between the firm and the PCAOB.
Accordingly, the Board adopted Form QC as a nonpublic form, as proposed.
To that end, the Board adopted new PCAOB Rule 2203A, which establishes the
Form QC reporting requirement and specifies that the Board will not make a filed Form
QC or the contents thereof (including any amendment thereto) public.329 The rule does
not, however, prohibit a firm from voluntarily disclosing its Form QC or the contents
thereof to the public or to particular stakeholders. Nor does the rule prohibit the PCAOB
from sharing Form QCs or their contents and related documentation with the SEC or
other entities, consistent with Sarbanes-Oxley.330 The rule expressly provides that Form
QCs and their contents may be publicly disclosed in enforcement proceedings.331
One commenter noted that Form QC or its contents may not be relevant to all
enforcement proceedings and suggested that the Board explicitly clarify in the final

Sections 102(b)(2) and (d) of Sarbanes-Oxley authorize the Board to adopt rules requiring firms to
periodically update the information contained in their registration applications or provide to the
Board information as necessary or appropriate in the public interest or for the protection of
investors. See section 102(b)(2)(D), (b)(2)(H), and (d) of Sarbanes-Oxley, 15 U.S.C.
7212(b)(2)(D), (b)(2)(H), and (d). section 102(e) of Sarbanes-Oxley, in turn, permits the Board to
designate in its rules the portions of registration applications and annual reports that will be made
available for public inspection (subject to applicable laws relating to the confidentiality of
proprietary, personal, or other information, and provided that the Board shall protect from public
disclosure information reasonably identified by the firm as proprietary information). See section
102(e) of Sarbanes-Oxley, 15 U.S.C. 7212(e); see also PCAOB Rule 2300(a)(2) (providing that
forms filed pursuant to Part 1 or Part 2 of Section 2 of the Board’s rules will be publicly available
“except to the extent otherwise specified in the Board’s rules or the instructions to the form”).

See, e.g., section 105(b)(5)(B) of Sarbanes-Oxley, 15 U.S.C. 7215(b)(5)(B).

On Form QC, firms may elect to request notification from the Board if the Board is requested by
legal subpoena or other legal process to disclose information contained in Form QC. The Board
will make reasonable efforts to honor such a request. This notification process does not apply to
the PCAOB’s or the SEC’s use of Form QC or its contents in an enforcement proceeding, because
those scenarios do not involve Board disclosure of Form QC information in response to a legal
subpoena or other legal process.

standard that the Form QC may become public as part of an enforcement proceeding
where Form QC or its content is relevant to the respective enforcement proceeding. The
Board does not believe that such a clarification is necessary. When a Form QC or its
content is relevant to an enforcement proceeding, it would be admissible, and when it is
not relevant to an enforcement proceeding, PCAOB adjudication rules already specify
that it shall be excluded.332
The rule also provides that the Board may publish Form QC information in
summaries, compilations, or other general reports, provided that the firm or firms to
which particular Form QC information relates are not identified (unless the information
has previously been made public by the firm or firms involved or by other lawful means).
Two commenters suggested that the Board could publish Form QC information in
summaries, compilations, or other general reports, provided that the firms are not
identified. However, another commenter did not support aggregated anonymized
information and suggested that this would depart from the spirit and letter of the
confidentiality provisions of Sarbanes-Oxley. The Board believes that summaries,
compilations, or general reports that present relevant QC-related information on an
aggregated and anonymized basis may provide useful insight to investors, audit
committees, firms, and other stakeholders about firm QC systems, the implementation of
QC 1000, and related matters. The Board also continues to believe that presenting such
data on an aggregated and anonymized basis would not run afoul of any limitations of
Sarbanes-Oxley.333

See PCAOB Rule 5441, Evidence: Admissibility.

For comparison, see PCAOB Rule 4010, Board Public Reports, which provides, in pertinent part,
that the Board may publish summaries, compilations, or other general reports concerning the
findings and results of its inspections, including discussion of QC criticisms or potential QC
defects, provided that no such published report shall identify the firm or firms to which such
criticisms relate, or at which such defects were found, unless that information has previously been
made public in accordance with PCAOB Rule 4009, by the firm or firms involved, or by other
lawful means.

While firm reporting on Form QC will be nonpublic due to the aforementioned
legal constraints and policy considerations, the Board notes that other aspects of QC 1000
and related requirements promote transparency about firm QC systems within the
confines of those constraints. For example, the PCAOB has observed the emerging
practice of firm transparency reporting, including that the nature and content of these
reports continues to evolve and expand in response to market demand. Advances in
thinking about firm and engagement metrics could also affect what financial statement
users demand and what firms could usefully provide. QC 1000 requires that the QC
system operate over any public reporting that firms do provide, including any public
reporting of metrics. Firms have to establish a specific quality objective with regard to
their public reporting, including that any firm-level or engagement-level information with
respect to the firm’s audit practice, firm personnel, or engagements communicated to
external parties be accurate and not misleading, and—as with any quality objective—they
have to monitor their performance in relation to that objective and remediate identified
deficiencies.
As part of their annual reporting on Form 2, all registered firms will also be
required to provide an annual confirmation with regard to the design of their QC system
under QC 1000 and whether they were required to implement and operate the QC system.
The Board believes an annual confirmation will be a useful reminder to all firms of their
responsibilities regarding the design, implementation, and operation of an effective QC
system. The Board also believes that the public will benefit from being able to determine
whether a particular firm has been required to implement and operate its QC system from
year to year. Such information on Form 2 will be publicly available on the PCAOB
website and will be accessible to investors and other financial statement users, audit
committees, and other stakeholders. It will also inform PCAOB oversight efforts.

To accompany the changes to Form 2, a similar confirmation has been added to
the application for PCAOB registration, Form 1. The Board believes such a confirmation
will appropriately put applicants on notice of their obligations with respect to their QC
systems, which would apply from and after the time that their registration is approved.
iii.

Certification of the evaluation of the firm’s QC system by firm leadership

As proposed, the Board required that both the individual assigned ultimate
responsibility and accountability for the QC system as a whole and the individual
assigned operational responsibility and accountability for the firm’s QC system as a
whole (the “QC certifiers”) certify the firm’s report to the PCAOB on the evaluation of
its QC system.334 Several commenters were supportive of the certification requirement,
including a commenter that stated that individual certifications are likely to focus the
mind and it seems likely that improvements will be seen as a result of such a requirement.
Some commenters opposed the certification requirement, saying it adds little
value to the evaluation of the QC system, may not provide a full view of the subject
matter it purports to be certifying to and may create an unjust reliance by a third party on
the certification, or is an ineffective incentive for making quality control a higher priority
within a firm. Another suggested that while certification may sharpen an individual’s
sense of accountability, this may not necessarily lead to and cannot guarantee enhanced
engagement quality. Another commenter suggested that certification requirements could
act as a barrier to registration for firms operating in environments in which there are no
Sarbanes-Oxley style reporting requirements,335 and that it could have a disproportionate
impact on smaller firms.

See QC 1000.14d and .15b.

Under SEC rules adopted pursuant to section 302 of Sarbanes-Oxley, CEOs and CFOs of issuers
are required to certify, for each quarterly or annual report of the issuer, among other things, that
(1) they have reviewed the report; (2) based on the officer’s knowledge, the report does not
contain any untrue statement of a material fact or omit to state a material fact necessary to make
the statements made not misleading; (3) based on the officer’s knowledge, the financial statements

The Board continues to believe that, analogous to the CEO and CFO certifications
required under Sarbanes-Oxley, certification of Form QC will lead to increased discipline
in the evaluation process and will reinforce the accountability of the certifying
individuals, which in turn should improve the quality of the firm’s evaluation. The text of
the certification, which is unchanged from the proposal, appears in Item 3.2 of Form QC.
That item requires certification of certain information regarding the design and evaluation
of a firm’s QC system, including that each QC certifier reviewed the Form QC and that
the disclosures made in the Form QC are complete and accurate in all material respects to
the individual’s knowledge.336
As proposed, the final rules require certification from both the individual assigned
ultimate responsibility and accountability for the QC system (i.e., the firm’s principal
executive officer(s)) and the individual assigned operational responsibility and
accountability for the QC system. One commenter suggested that certification be required
only from the individual with ultimate responsibility and accountability for the firm’s QC
system on the basis that, in the event of differences of opinion between the two certifiers,
the individual responsible for the operational responsibility and accountability for the QC
system could be subject to excessive pressure from the firm’s principal executive officer.

and other financial information included in the report fairly present in all material respects the
financial condition and results of operations of the issuer; (4) they (a) are responsible for
establishing and maintaining internal control over financial reporting, (b) have designed ICFR to
ensure that material information is made known to them, (c) have evaluated the effectiveness of
ICFR, and (d) have presented their conclusions about the effectiveness of ICFR in the report; and
(5) they have disclosed to the issuer’s auditors and audit committee any significant deficiencies in
ICFR and any fraud involving management or others involved with ICFR. See 17 CFR 240.13a14(a), 240.15d14(a).
See e.g., Daniel A. Cohen, Aiyesha Dey, and Thomas Z. Lys, Corporate Governance Reform and
Executive Incentive: Implications for Investments and Risk Taking, 30 Contemporary Accounting
Research 1298 (2013) (finding that their sample of firms significantly reduced investments in
risky projects in the period following SOX); Hsihui Chang, Jengfang Chen, Woody M. Liao, and
Birendra K. Mishra, CEOs’/CFOs’ Swearing by the Numbers: Does it Impact Share Price of the
Firm?, 81 The Accounting Review 22 (2006) (concluding that the SEC order requiring filing of
sworn statements by CEOs and CFOs had a positive effect on the market value of certifying
firms); Gerald J. Lobo and Jian Zhou, Did Conservatism in Financial Reporting Increase after the
Sarbanes-Oxley Act? Initial Evidence, 20 Accounting Horizons 57 (2006).

However, under EI 1000, certifiers will be subject to a duty to act with integrity, which
includes not subordinating their professional judgment, and the individual with ultimate
responsibility and accountability for the firm’s QC system will have a number of
obligations (for example, under QC 1000.14a.) that are inconsistent with the exercise of
undue influence over a subordinate.
The Board does not require similar certifications from other personnel in the QC
system, but firms may choose to institute policies that require levels of certification
internal to the firm to assist those certifying Form QC.
Some commenters raised concerns about the potential liability of the QC
certifiers. Several requested clarification on whether the QC certifiers could be held
personally liable for an inaccurate statement only if they made the statement knowing it
was false or recklessly not knowing it was false. One of these commenters further stated
it had concerns about the potential for unnecessary and excessive liability that the
certification could impose upon the QC certifiers, and the effect that this could have on
firms’ ability to recruit qualified professionals to serve. The commenter further suggested
that the final adopting release expressly state that while the QC certifiers are responsible
for exercising professional competence in connection with the design and operation of the
firm’s QC system (and may face consequences for failure to do so), the QC certifiers
shall not be held responsible for inevitable system errors or the wrongful acts of others
which may, in limited circumstances, overcome the best of those efforts.
If a QC certifier fails to certify the firm’s Form QC, such conduct would
constitute a violation of the individual’s obligation under either paragraph .14d or .15b of
QC 1000, as applicable to the particular individual. The Board believes this requirement
is important for creating accountability within the firm to achieve the reasonable
assurance objective.

Beyond that, QC certifiers’ potential liability for statements contained within the
Form QC certification is informed by the particular language of those statements. Certain
statements in the certification reflect objective facts that the Board believes are readily
knowable by the individual. Paragraph 1 of the certification, for instance, recites that the
individual reviewed the firm’s report on Form QC. Paragraph 3(a) of the certification
contains an acknowledgement that the individual is responsible and accountable for the
firm’s QC system as a whole and has designed, or caused to be designed, the QC system
to ensure that it meets QC 1000’s reasonable assurance objective. Notably, this paragraph
is not tantamount to a certification that the firm’s QC system in fact meets QC 1000’s
reasonable assurance objective; on the contrary, Form QC contemplates that a firm might
conclude, and report on its certified Form QC, that its QC system is not effective. Rather,
in paragraph 3(a), the QC certifiers acknowledge their role in designing (or causing to be
designed) the firm’s QC system. Paragraph 3(b) of the certification states that the
individual evaluated the effectiveness of the firm’s QC system and has presented in Form
QC the conclusions reached. With respect to each of these statements in the Form QC
certification, the Board believes that the QC certifiers can and should reach a conclusion
about their accuracy through the exercise of due professional care. In light of the nature
of these statements, the Board does not agree with the commenters that a showing of
recklessness or knowing misconduct is necessary to establish a violation with respect to
these aspects of the Form QC certification.
The other statements in the Form QC certification are subject to knowledge
qualifiers. In paragraph 2, the QC certifier states that the disclosures made in Part II of
Form QC regarding the evaluation of the effectiveness of the firm’s system of quality
control are complete and accurate in all material respects “[b]ased on my knowledge.”
Similarly, paragraph 3(c) states that the QC certifier has disclosed, based on the
evaluation of the QC system, all unremediated QC deficiencies “of which I am aware.”

These statements would be inaccurate, and the QC certifier’s certification would
therefore constitute violative conduct, only if they were knowingly false (if the QC
certifier knew that Part II was not complete and accurate in all material respects, or if the
QC certifier was aware of undisclosed unremediated QC deficiencies), or if they were
made recklessly not knowing they were false.
One commenter suggested that the certification say “to the best of my knowledge”
rather than “based on my knowledge,” and another commenter suggested that the
wording of the certification be updated to “in my capacity as the individual assigned
[ultimate/operational] responsibility” rather than “who have been assigned
[ultimate/operational] responsibility.“ After consideration of these comments, the Board
believes that the proposed language is clear, appropriate, and likely to be easily
understood, and does not believe that the proposed certification text requires amending.
One commenter did not support the clause in the proposed certification that states
that the firm has disclosed all unremediated quality control deficiencies. The commenter,
while acknowledging that this statement is subject to a knowledge qualifier, suggested
that this certification could lead to unnecessary disputes over what the QC certifiers
should have known in a particular circumstance and suggested that obtaining a
certification from the firm (not the individual) may sufficiently address this item without
discounting the standards to which auditors are held. As discussed above, the inclusion of
“of which I am aware” in paragraph 3(c) of certification means that liability would arise
with respect to that paragraph only if the QC certifier made the statement knowing it was
false or recklessly not knowing it was false.
Another commenter also suggested that the standards clarify that such
certification relates to the “firm’s evaluation” of its QC system, and not a specific
individual’s evaluation of the quality management system. As reflected in paragraph .77
of QC 1000, the annual evaluation is conducted by the firm, but the firm, as a legal entity,

acts through individuals, and the QC certifiers are the individuals who, under the
standard, are responsible and accountable for the QC system as a whole and are required
to certify the firm’s report to the PCAOB on its annual evaluation.
Another commenter asserted that the text of the certification suggests that a
certifying individual should be considered to have violated QC 1000 only to the extent
that the inaccuracy in a submitted certification is material to an investor’s or reasonable
auditor’s understanding of the QC system as a whole, and asked that the Board confirm
that is the case. The Board does not agree with this characterization of Form QC. Some
statements in Form QC, such as the one in paragraph 2, are expressly conditioned on
materiality, while other statements, such as that in paragraph 3(b), are not.
One commenter suggested that creating a potential Sarbanes-Oxley type
certification for privately held accounting firms and making this available to the public
could create market confusion as to what exactly is being certified and the level of
reliance users should place on such a certification. The certification does not contain the
outcome of the firm’s annual evaluation of its QC system or identify any unremediated
QC deficiencies, but rather certifies the completeness and accuracy of the information
being reported to the PCAOB on Form QC. That information is set forth elsewhere in
Form QC and, as explained above, that information is treated as nonpublic. Because the
certified information is treated as nonpublic, the Item 3.2 certifications are likewise
treated as nonpublic; in the Board’s view, the certifications do not present a full or useful
picture of a firm’s QC system without the underlying information.
iv.

Requirement for Form QC amendments

The proposed general instructions for Form QC included provisions detailing
when amendments of Form QC should be filed. Those instructions indicate that Form QC
should be amended only to correct information that was incorrect at the time that the
form was filed or to provide information that was omitted from the form and was

required to be provided at the time the form was filed. The Board considered
commenters’ feedback, and retained the language regarding amendments in the proposed
general instructions for Form QC, which mirrors the standard for amending certain other
PCAOB forms.
Two commenters requested clarification on how firms should consider
information that comes to their attention after the evaluation date or the reporting date
that is relevant to the firm’s conclusion on Form QC, including how this interacts with
relevant provisions in proposed EI 1000. Other commenters suggested that revisions to
Form QC not be required for inconsequential matters. Other commenters requested
guidance on when an amendment to Form QC would be required, and some suggested
that a threshold be developed for potential amendments.
QC 1000 requires firms to conduct the annual evaluation of their QC system’s
effectiveness as of September 30 and to file their report on Form QC regarding that
evaluation by November 30. Consequently, annual evaluations under QC 1000 should
conclude sometime between October 1 and November 30 of each year. Information that
relates to the firm’s QC system as of the evaluation date (September 30), and that comes
to the firm’s attention after the evaluation date but before the firm has filed Form QC,
should be factored into the firm’s evaluation and reflected, if and as appropriate, in Form
QC. In contrast, any information that relates to the firm’s QC system as of the evaluation
date, but that comes to the firm’s attention after the firm has filed its Form QC, would not
need to be reflected on Form QC or on an amendment to Form QC (although it may
constitute a QC observation to be considered in the next annual evaluation of the QC
system).
In other words, Form QC captures, and conveys to the Board, the conclusions
reached by the firm as a result of its completed annual evaluation, and that evaluation
cannot disregard information that comes to light before Form QC has been filed.

Therefore, when Form QC is filed, it should be complete and accurate as of the date of its
filing. Similar to PCAOB staff guidance on Form 2 reporting,337 if a firm discovers that it
provided incorrect information in a filed Form QC or omitted information that should
have been included based on information that the firm was aware of at the time of filing,
then the firm should file an amended Form QC. That amendment obligation is not subject
to any materiality or other thresholds, because the Board believes it is entitled to receive
Form QCs that contain information that is correct and that do not omit information that
was required to be provided. The Board does not believe that any of the information on
Form QC is inconsequential.
v. Reporting to the audit committee
In connection with the proposal of QC 1000, the Board also proposed
amendments to AS 1301, Communications with Audit Committees, which contemplated
communication to the audit committee of certain information about the firm’s most recent
evaluation of its QC system. Several commenters supported the amendments as proposed.
Other commenters supported limiting the communications to the conclusion of the annual
evaluation or limiting communication of deficiencies to only major QC deficiencies. One
commenter expressed concern with reporting to audit committees about all unremediated
QC deficiencies that exist as of the evaluation date, in part because of the interaction of
such communications with the confidentiality restrictions under section 105(b)(5)(A) of
Sarbanes-Oxley. The commenter further suggested that requiring all QC deficiencies to
be communicated would create more extensive communication requirements for firms
related to QC deficiencies than what auditors are required to communicate to audit
committees in an audit of ICFR, and in addition, this approach would differ from

See Staff Questions and Answers Annual Reporting on Form 2, at Q34, available at
https://assets.pcaobus.org/pcaob-dev/docs/default-source/registration/rasr/documents/staff_qaannual_reporting.pdf?sfvrsn=5e7259ff_0.

management’s external reporting on its ICFR to its stakeholders, which solely discloses
deficiencies that are material weaknesses.
One commenter asserted that audit committees are likely to find more value in
understanding quality matters specific to the engagement and having a broader dialogue
about the firm’s approach to quality control. Two commenters argued that a firmwide
report on audit quality would have little utility to each individual audit committee. One of
these commenters suggested instead that audit committees would be more influenced by
an independent verification of the QC system such as the PCAOB inspection report on
their auditor, and information relating to the auditor’s performance on their engagement,
including audit quality indicators. The other commenter recommended that firms report
relevant human resource metrics to the audit committee and explain what was done to
assure audit quality was not compromised. One commenter asserted it could be extremely
challenging for audit committees to understand and reconcile the information that would
be communicated to them under the proposed changes to AS 1301, especially given the
considerable time period between the issuance of public portions of firm inspection
reports and the potential release of nonpublic inspection findings. One commenter did not
support the requirement to disclose a firm’s QC deficiencies to audit committees, and
stated that QC deficiencies may have little to no impact on a given reporting issuer’s
audit or that area of the firm’s practice. Another commenter questioned whether or not
the audit committee would be inclined to seek a new auditor based only on a firm-wide
evaluation of quality control furnished to the audit committee by the auditor. One
commenter was generally supportive of the requirements but expressed concern with the
timing of the required communication due to existing important year-end
communications. The commenter expressed concern that not communicating QC
deficiencies known at a January 15 reporting date could potentially introduce legal
considerations that could place tension on the engagement team and the firm’s obligation

to comply with other existing required communications under AS 1301. One commenter
recommended specifying that this communication is not required to be in writing due to
confidentiality concerns, and two commenters did not support any required
communication of the annual evaluation of the QC system to the audit committee.
One commenter asserted that requiring firms to communicate to audit committees
about their most recent annual QC evaluations is inconsistent with the Congressional
balance struck in Sarbanes-Oxley section 104(g)(2). In addition, the commenter
suggested that the requirement indirectly regulates the actions of audit committees and
imposes a fiduciary duty of care on audit committees, regardless of whether quality
control issues relate to the performance of the engagement, which is beyond the scope of
the PCAOB’s jurisdiction. Another commenter asserted that the proposed communication
could also be construed as contradictory to the PCAOB’s conclusion that Form QC
would be treated as nonpublic.
Several commenters were concerned about the proposed requirement to discuss
remedial actions taken and to be taken, and suggested that some of this information may
be protected by section 104(g)(2) or section 105(b)(5)(A) of Sarbanes-Oxley. One
commenter suggested that the communication of a brief overview of remedial actions
taken or to be taken should only be required upon the determination that substantial good
faith progress has not been made on the remedial actions.
After consideration of the comments received, the Board determined not to adopt
the proposed amendments to AS 1301. Although the Board continues to believe that
firms could communicate the overall conclusion of their annual evaluation and their
planned remedial actions to audit committees without expressly disclosing information
subject to section 104(g)(2) or section 105(b)(5)(A) of Sarbanes-Oxley, the Board
recognizes that such a disclosure obligation could present implementation challenges.
Specifically, and as discussed in more detail above, there may be challenges associated

with compelling firms to publicly disclose certain information about their QC systems
while simultaneously preserving their ability not to disclose other related information that
may be subject to confidentiality protections, privileges, or prescribed disclosure
procedures under Sarbanes-Oxley. The Board believes that the same challenges could
arise if firms were compelled to make disclosures to audit committees.
The Board also recognizes that firms and audit committees have direct interaction,
so while PCAOB standards do not require firms to make disclosures to audit committees,
an audit committee may ask a firm to voluntarily disclose information about its QC
system. As the Board has previously noted, such inquiries could include requesting the
firm to keep the audit committee apprised of the status of the quality control remediation
process (including whether the firm made a submission to the Board responding to
inspection report quality control criticisms by the 12-month deadline) and whether the
Board has made a final remediation determination (including a negative determination
that has not yet become public).338
2. Current PCAOB standards
Current PCAOB QC standards do not require firms to evaluate their QC systems
or to report on any such evaluations. As previously noted, some firms conduct
evaluations and share their results in published reports, either voluntarily or under other
regulatory requirements.

See Information for Audit Committees about the PCAOB Inspection Process, PCAOB Rel. No.
2012-003, at 11 (Aug. 1, 2012), available at
https://pcaobus.org/Inspections/Documents/Inspection_Information_for_Audit_Committees.pdf.

DOCUMENTATION
Documentation supports a firm’s QC system in a number of ways. It helps
provide clarity around roles and responsibilities and the firm’s policies and procedures,
which promotes consistent compliance by firm personnel and other participants.
Documentation enables proper monitoring and supports the evaluation and continuous
improvement of a firm’s QC system. It makes it easier to train firm personnel and other
participants and facilitates the retention of organizational knowledge, providing a history
of the basis for decisions made by the firm about its QC system. Further, documentation
assists others conducting reviews of the firm’s QC system by providing evidence of the
system’s design, implementation, and operation. Current PCAOB standards provide only
general direction on the nature and extent of QC documentation and specific
requirements for documentation of certain items.339
Through its oversight activities, the PCAOB has observed that the nature and
extent of firms’ documentation of their QC systems vary greatly. Some firms have
detailed documentation for all areas of their QC systems. Other firms have significantly
less documentation. For example, some firms have documentation only in areas that have
been subject to PCAOB inspections, such as remediation, root cause analysis, or internal
inspections. QC 1000 establishes more comprehensive requirements for firms to
document their QC systems.
1. QC 1000
The proposal included an overarching documentation requirement that captured
the design, implementation, and operation of the firm’s QC system and the annual
evaluation of the QC system. The scope of that requirement was then specified in
proposed paragraphs .82 and .83.

See, e.g., QC 20.21, .24-.25.

The documentation of the design and implementation of the QC system captures
decisions made regarding “the who, what, when, where, why, and how” of the QC
system. This aspect of documentation will help firm personnel and others understand
what is expected of them in fulfilling their responsibilities and support consistent
implementation and operation of the firm’s QC system. For example, documentation of
the design of policies and procedures regarding general and specific independence
matters would enable a consistent understanding by firm personnel and others about who
is responsible for what, when the responsibilities are triggered, and why certain actions
are necessary.340 Such documentation will allow for consistent actions by firm personnel
and others in implementing the design of those policies.
The documentation of the operation of the firm’s QC system enables the firm to
determine if the policies and procedures were operated in the manner that the firm
intended.341 It would also provide evidence of compliance with the specified quality
responses and other requirements of QC 1000. For example, it would provide evidence of
how the firm complied with specific communication requirements related to the operation
of the firm’s QC system and the performance of its engagements342 and whether the
quality responses implemented by the firm operated as designed.
The Board received no comments on the general obligation to prepare and retain
documentation regarding the QC system and paragraph .81 was adopted as proposed. The
comments received regarding the scope of the proposed documentation requirement are
addressed below, in connection with the discussion of paragraphs .82 and .83.
The proposal included a list of specific matters that firms would be required to
document. Documentation of the lines of responsibilities and supervision within the QC

See, e.g., QC 1000.33-.34.

Firms that are not required to implement and operate their QC system would not be expected to
have anything to document with respect to the operation of the QC system.

See, e.g., QC 1000.55-.57.

system should reduce operational ambiguity and provide clarity about who within the
firm is accountable for various firm supervisory responsibilities within the firm’s QC
system. One firm suggested that the phrase “successive senior levels” may not be clear.
As discussed in more detail above, under QC 1000.27, the firm should establish and
maintain clear lines of responsibility and supervision–including defining authorities,
responsibilities, accountabilities, and supervisory and reporting lines for roles within the
firm, up to and including the principal executive officer(s)–within the QC environment. A
description of these successive lines of responsibility and supervision must be included in
the documentation of the QC system, and a reference to paragraph .27 was added to
clarify that point.
The requirement for the firm to document aspects of its risk assessment process
ensures that the firm will have adequate evidence to support its annual risk assessment.
Specifically, the firm is required to document identified quality risks, reasons these risks
were identified, and policies and procedures the firm had put in place in response. This
documentation is valuable in subsequent risk assessments and could help to support
decisions about, for example, whether to establish additional quality objectives, identify
new or modified quality risks, or design and implement new quality responses.
The requirements for the firm to document aspects of its monitoring and
remediation process will also support its monitoring and remediation activities. For
example, a firm’s documentation of engagement and QC system-level monitoring
activities performed, its evaluation of the results of those monitoring activities, actions
taken to address engagement deficiencies, and identified QC deficiencies would
demonstrate the firm’s approach to complying with certain requirements of the standard
for the monitoring and remediation process component. This documentation will also
assist the firm in monitoring its monitoring and remediation process and in making its
annual evaluation of the effectiveness of the QC system pursuant to paragraph .77.

The standard also requires the firm to document the basis for the conclusion it
reached in evaluating the effectiveness of its QC system pursuant to paragraph .77. This
documentation provides evidence of the decisions made in reaching the conclusion about
the effectiveness of the firm’s QC system, which may be valuable in future evaluations
and in establishing compliance with the firm’s reporting obligations to the PCAOB.
The standard requires the firm to document certain matters if the firm uses
resources or services provided by a network or a third-party provider in the firm’s QC
system or the performance of the firm’s engagements. When a firm uses resources or
services provided by a network or a third-party provider, the standard requires the firm to
document how the resources or services are developed and maintained and, if such
services or resources were supplemented or adapted, how and why they were
supplemented or adapted. Firms will also have to document how the resources or services
were implemented and operated. Documentation of such matters will serve as evidence of
decisions made regarding resources or services used by the firm.
Some networks or third-party providers may provide documentation about their
services or resources to the firm. For example, the firm may obtain an understanding of
how the resources were developed and maintained by the network through documentation
provided by the network. This documentation may need to be supplemented by the firm
depending on various factors, including the extent of the documentation provided and
whether the firm supplements or adapts the resource or service.
As discussed above, a reference to paragraph .27 was added to paragraph .82a. to
clarify that a description of the successive lines of responsibility and supervision must be
included in the documentation of the QC system. Paragraph .82 was otherwise adopted as
proposed.
Requiring documentation to be in sufficient detail to support a consistent
understanding of the QC system by firm personnel, including an understanding of their

roles and responsibilities with respect to the firm’s QC system, will help to clarify the
firm’s expectations of its personnel and promote consistent compliance with the firm’s
QC policies and procedures.
One firm expressed concern that this “consistent understanding” threshold may
not be easily understood. The Board believes that firms will be able to determine the
nature and extent of the documentation needed to facilitate a consistent understanding by
firm personnel based on the functioning of their QC system. Based on the requirements in
paragraph .83a, firms would initially determine the appropriate level of detail of
documentation based on the experience they already have in implementing and operating
a QC system under current standards and whether their personnel understand their roles
and responsibilities, and modify documentation as needed over time based on their
monitoring and remediation activities and the results of their QC system evaluations.
As described previously, documentation supports a firm’s QC system in a number
of ways. For example, it provides clarity around the firm’s policies and procedures,
enables proper monitoring, and supports the evaluation and continuous improvement of a
firm’s QC system. Documentation also facilitates the retention of organizational
knowledge, providing a history of the basis for decisions made by the firm about its QC
system. Further, it assists others conducting reviews of the firm’s QC system by
providing evidence of the system’s design, implementation, and operation.
In particular, the Board believes that appropriate documentation of the QC system
is necessary for the PCAOB to fulfill its statutory mandate to protect investors and the
public interest. Sarbanes-Oxley requires that, in conducting an inspection of a registered
public accounting firm, the PCAOB evaluates the sufficiency of the quality control
system of the firm and the manner of the documentation and communication of that

system by the firm.343 Sarbanes-Oxley further authorizes the PCAOB to perform such
other testing of quality control procedures as are necessary or appropriate in light of the
purpose of the inspection and the responsibilities of the Board.344 In addition, the Board’s
rules provide that a regular inspection will include, but is not limited to, the steps and
procedures as specified in sections 104(d)(1) and (2) of Sarbanes-Oxley and any other
tests of the audit, supervisory, and quality control procedures of the firm as the Director
of the Division of Registration and Inspections or the Board determines appropriate.345
As part of the Board’s inspection procedures, firms will be expected to provide the
PCAOB with evidence relating to the effectiveness of the QC system.
Given that mandate, the level of documentation that would be sufficient to enable
PCAOB inspectors to evaluate the effectiveness of a firm’s QC system through an
inspection may be different from the level of documentation that would be sufficient for
the firm to support its annual evaluation. Under QC 1000, a firm must evaluate the
effectiveness of its QC system based on the results of its monitoring and remediation
activities,346 and firms can determine the nature, timing, and extent of QC system-level
monitoring activities taking into account a number of factors.347 There could be certain
quality responses, or certain instances of the operation of quality responses, that are not
monitored by the firm within a given year and not considered in connection with the
firm’s annual evaluation. If the firm were required to prepare and retain documentation
only to the extent related to its own annual evaluation, the firm might not prepare and
retain documentation to evidence that these quality responses operated effectively.

See section 104(d)(2) of Sarbanes-Oxley, 15 U.S.C 7214(d)(2).

See section 104(d)(3) of Sarbanes-Oxley, 15 U.S.C 7214(d)(3); see also Rule 4001, Regular
Inspections.

See Rule 4001, Regular Inspections.

See QC 1000.77.

See QC 1000.65.

However, in light of the scope of the PCAOB’s statutory mandate, its inspection
procedures cannot be limited to quality responses (and, to the extent applicable, samples
of the operation of quality responses) that the firm chose to monitor in the period. On the
contrary, firms will be expected to provide evidence of the operating effectiveness of any
quality responses selected for inspection in connection with the PCAOB’s evaluation of
the effectiveness of the firm’s QC system.
Therefore, the proposed standard contemplated that, in order to effectively
support the firm’s QC system, the documentation of the QC system needs to be at the
level of detail to enable an experienced auditor that understands QC systems but has no
experience with the design, implementation, and operation of the firm’s QC system to
understand the design, implementation, and operation of the QC system, including the
quality objectives, quality risks, quality responses, monitoring activities, remedial
actions, and basis for the firm’s conclusions reached in the evaluation of the QC system
(“experienced auditor threshold”). Incorporating the experienced auditor threshold when
describing the extent of detail firms are required to document and maintain regarding
their QC system is appropriate because that level of detail will facilitate the firm’s
monitoring activities and external monitoring, including PCAOB inspections conducted
in accordance with Sarbanes-Oxley. Two firms agreed that the experienced auditor
threshold was appropriate.
Several commenters, including firms and a related group, argued that the
proposed documentation requirements were too broad, and suggested a variety of
different limitations to narrow their scope. Some firms suggested that the standard
differentiate data relating to the operation of the QC system from data relating to the
design, implementation, and annual evaluation of the QC system, with a shorter retention
period for the former. Other commenters, including firms and a related group,
recommended that the documentation requirements be comparable to the documentation

requirements that Sarbanes-Oxley imposes on issuers with regard to management’s
assessment of the effectiveness of the issuer’s internal control over financial reporting.348
Another firm suggested that the documentation requirements be comparable and
analogous to the documentation retention requirements set out in the SEC’s rules for
issuer audits and related interpretive guidance.349 One firm and a related group suggested
that the documentation requirements be limited to the evidence to support the annual
evaluation of the QC system and related monitoring. Two firms suggested that additional
guidance or clarity would be necessary in order for firms to appropriately adopt
documentation retention policies related to the operation of controls that meet the
expectations of the proposed standard.
The Board does not believe that any of the more narrowly scoped documentation
requirements suggested by commenters would be appropriate. QC 1000’s documentation
requirements need to be aligned with the PCAOB’s mandate, provided by Congress, to
“evaluate the sufficiency of the quality control system of a firm” through its inspection
procedures.350 Therefore, the Board believes that it is imperative that documentation that
enables the experienced auditor to evaluate the operation of the quality responses should
be included in the documentation that is prepared and retained by the firm.
To clarify the level of detail of the documentation relating to the operation of the
QC system that is to be prepared and retained under QC 1000, paragraph .83 was revised
to include a note to .83b. stating that with respect to the operation of the QC system, the

See 17 CFR 229.308 (requiring issuers to maintain evidential matter, including documentation, to
provide reasonable support for management’s assessment of the effectiveness of ICFR).

See 17 CFR 210.2-06(a) (requiring, for audits or reviews of an issuer’s financial statements,
retention of records relevant to the audit or review, including workpapers and other documents
that form the basis of the audit or review, and memoranda, correspondence, communications,
other documents, and records (including electronic records), which: (1) Are created, sent or
received in connection with the audit or review, and (2) Contain conclusions, opinions, analyses,
or financial data related to the audit or review).

See section 104(d)(2) of Sarbanes-Oxley, 15 U.S.C 7214(d)(2).

documentation must include documentation that enables the experienced auditor to
evaluate the operation of the quality responses. As discussed in connection with
paragraph .86 below, the Board continues to believe that all of the documentation
required under the standard should be retained for seven years.
Commenters also expressed concern that firms would be required to retain large
volumes of documentation. Several commenters suggested that the costs associated with
retaining documentation of the operation of the QC system would be burdensome, and
some further commented that the data relating to the operation of the QC system could
include sensitive data, and a requirement to prepare and retain all such data could also
introduce heightened data security risks. One firm suggested the Board consider adding
language that appears in SQMS 1 clarifying which matters require documentation,
specifically referencing SQMS 1 paragraphs A224 and A227.351
In considering commenters’ concerns that the documentation to support that the
quality responses operated effectively in every instance would result in a substantial
volume of documentation, the Board believes that the ability to effectively monitor
whether the firm’s quality responses are properly designed and operating effectively
should not be restricted by the documentation requirements of the standard. Furthermore,
the Board believes that the new note to paragraph .83b clarifies that the firm need not
prepare and retain excessively voluminous documentation of the day-to-day operation of

Paragraph A224 of SQMS 1 states that it is neither necessary nor practicable for the firm to
document every matter considered, or judgment made, about its system of quality management.
Furthermore, compliance with this SQMS may be evidenced by the firm through its information
and communication component, documents or other written materials, or IT applications that are
integral to the components of the system of quality management. Paragraph A227 of SQMS 1
states that the firm is not required to document the consideration of every condition, event,
circumstance, action, or inaction for each quality objective or each risk that may give rise to a
quality risk. However, in documenting the quality risks and how the firm’s responses address the
quality risks, the firm may document the reasons for the assessment given to the quality risks (that
is, the considered occurrence and effect on the achievement of one or more quality objectives) to
support the consistent implementation and operation of the responses.

every action of its QC system, provided the information is not required to satisfy the
requirements of paragraphs .82-.83.
The Board believes that the extent of documentation sufficient to evidence
whether the quality responses operated effectively would scale with the size of the firm’s
PCAOB practice and the risks and complexities of their engagements and, in turn, the
assessed quality risks and the quality responses established to address them. Therefore,
the documentation requirements of the standard should be less costly and burdensome for
firms with smaller PCAOB audit practices, which the Board believes is appropriate.
In addition, firms are able to evaluate the nature and extent of the documentation
that is necessary to evidence the operation of the quality responses. In determining the
sufficiency of the detail and extent of the QC documentation, the firm may identify
quality responses for which the evidence required to be able to demonstrate that the
quality response operated effectively may not entail retention of all the information
produced in the day-to-day operation of the QC system. For example, in the event that a
large volume of automated emails sent by the firm to its employees are evidence
supporting that a quality response operated, the firm could evaluate whether alternative
evidence (such as email delivery reports or other aggregated data) would provide
sufficient support regarding the operation of the quality response—without having to
prepare and retain all of the individual emails within the QC documentation. In addition,
to the extent that the operation of the firm’s QC system includes sensitive data, the firm
has flexibility to not include the sensitive data fields in the documentation that is prepared
and retained to the extent that they are not necessary to evidence that the quality response
operated effectively. Furthermore, informed by its oversight activities, the PCAOB has
observed that firms currently archive and retain documentation for extended periods of
time and are able to implement processes to appropriately safeguard the information. The
PCAOB has also observed instances where firms have migrated systems and still

maintained the appropriate documentation through archives or through migration of the
information onto the new systems.
As the note to paragraph .83b makes clear, documentation of every aspect of the
operation of the firm’s QC system may not be required to evidence that each quality
response operated effectively. For example, there may be certain documentation, such as
emails or meeting invitations that are sent as part of the day-to-day operation of the QC
system, that may not be necessary to enable an experienced auditor to evaluate the
effective operation of the quality responses. In these circumstances, the firm may
determine it is not required to prepare and retain this information within the
documentation of its QC system. However, the Board also believes that there may be
circumstances in which an email or meeting invitation needs to be retained because it
evidences how a quality response operated to address a quality risk and is necessary to
enable an experienced auditor to evaluate the operation of the quality response.
Although some commenters suggested the documentation requirements be
analogous to the SEC’s ICFR documentation retention guidance, the Board does not
believe that is an appropriate threshold. The SEC’s guidance indicates that management’s
documentation needs to provide “reasonable support” for its ICFR assessment and that
management’s documentation need not include all controls that exist within a process that
impacts financial reporting, but should be focused on those controls that management
concludes are adequate to address the financial reporting risks.352 QC 1000 is not a
“reasonable support” standard and instead requires documentation to understand how the
firm’s quality responses are designed to address the quality risks and evidence the
operation of the QC system.

See Commission Guidance Regarding Management’s Report on Internal Control Over Financial
Reporting Under section 13(a) or 15(d) of the Securities Exchange Act of 1934, SEC Rel. No. 338810 (June 27, 2007), available at https://www.sec.gov/files/rules/interp/2007/33-8810.pdf.

The standard’s approach to documentation requirements is principles-based and
provides for scalability. When determining the form, content, and extent of
documentation, the firm will consider, among other things, the nature and circumstances
of the firm and the nature and complexity of the matter being documented. For example,
for a large multi-office firm that performs many audits under PCAOB standards, the
extent of documentation would be greater than for a small, single-office firm with a few
firm personnel that audits one issuer or broker-dealer. The firm’s documentation may
take the form of formal written manuals and checklists or may be informally documented
(e.g., in email communications), subject to the requirement of paragraph .83 that the
documentation be in sufficient detail to support a consistent understanding of the QC
system by firm personnel and for an experienced auditor to understand the design,
implementation, and operation of the QC system. The firm may determine that a detailed
memo is a more appropriate form of documentation for more complex matters, whereas,
for less complex matters, briefer communications, such as email, may suffice. The nature
and circumstances of the firm and the nature and complexity of the matter being
documented are not the only factors that could drive the form, content, and extent of
documentation. There may be other factors, such as the nature of the firm’s engagements
or the frequency and extent of changes in the firm’s QC systems. The Board believes this
principles-based approach provides for scalability and that providing specific guidelines
and detailed examples of various types of documentation would potentially limit firms’
flexibility unnecessarily.
The proposal contemplated that firms would have to concurrently file their Form
QC and assemble their documentation for retention by the same date. As adopted, the
standard provides that firms have an additional 14 days after the date that the firm is
required to file Form QC to assemble their documentation. Several commenters
expressed concern with having the QC documentation completion date be concurrent

with the date that the firm must report annually to the PCAOB on Form QC pursuant to
paragraph .79. Many of these commenters recommended a document completion date 45
days after the reporting date, with some of these commenters suggesting that 45 days
would ensure consistency with the requirements of AS 1215. One firm suggested that a
full 45 days to assemble a complete and final set of documentation was not necessary, but
the time period needed to assemble documentation should be built into an evaluation of
the length of the reporting period if the final standard retained a document completion
date concurrent to the reporting date.
After consideration of the comments received, the Board revised paragraph .84 to
provide firms up until December 14 (a total of 75 days after the evaluation date) to
complete a final set of QC documentation. This includes an additional 14 days after the
date that the firm is required to report to the PCAOB on Form QC. The 14-day period
aligns with the changes to PCAOB requirements for engagement documentation.353 The
Board believes that larger PCAOB audit practices with more complex and scaled up QC
systems will employ the use of electronic tools in the assembly of the documentation of
the QC system, and therefore a 14-day period to the QC documentation completion date
is feasible. In addition, for smaller PCAOB audit practices with scaled down QC systems,
the Board expects that the volume of documentation to be assembled will be smaller such
that a 14-day period is also feasible for those firms. Furthermore, the Board notes that,
because the final rule includes a longer period from evaluation date to reporting date than
proposed, under the final standard firms will have 75 days after the evaluation date to
assemble their documentation, rather than 45 days as proposed.
The standard permits additional documentation supporting a firm’s QC system to
be added after the QC documentation completion date in a manner similar to the addition

Amendments to the engagement documentation requirements in AS 1215 are addressed in a
separate release. See Auditor Responsibilities Release.

of audit evidence to audit documentation under AS 1215.16. When this occurs, the
standard requires a firm to indicate the date the information was added, the name of the
person who prepared the additional documentation, and the reason for adding it. The
standard also requires all previously retained documentation supporting the firm’s
evaluation of its QC system to remain intact and not be discarded.
The proposed standard contemplated that the firm would retain QC
documentation for seven years from the QC documentation completion date, unless a
longer period is required by law.
Two firms commented that they believed the seven-year retention period to be
cost-prohibitive. One of these firms commented that if the firm changed its systems, for
example, it will have to maintain additional licenses for old systems to access and use the
data and pay for up to seven years’ worth of storage, and it believes that maintaining that
much data would introduce unnecessary cost as well as increased cybersecurity risk. The
firm also commented that the seven-year retention period goes beyond the retention
requirements of the quality management standards set forth by the AICPA354 and
IAASB,355 and that this difference could cause operational challenges. The firm
recommended aligning the documentation requirements with the firm’s inspection and
remediation cycle or allowing the firm to use a risk-based approach based on its
judgment. Two firms opposed the seven-year period and suggested that it be based on the
most recent inspection (for example, one year from the most recent inspection period), or
until the inspection for a particular period has been completed.

SQMS 1 requires the firm to establish a period of time for the retention of documentation for the
system of quality management that is sufficient to enable the firm and its peer reviewer to monitor
the design, implementation, and operation of the firm’s system of quality management or for a
longer period if required by law or regulation. See paragraph 61. Of SQMS 1.

ISQM 1 requires the firm to establish a period of time for the retention of documentation for the
system of quality management that is sufficient to enable the firm to monitor the design,
implementation and operation of the firm’s system of quality management, or for a longer period
if required by law or regulation. See paragraph 60. of ISQM 1.

As discussed in the proposal, the Board was concerned that requiring the retention
period to be aligned with the PCAOB inspection cycle would be too short. A firm’s
remediation activities may span multiple years and the actions taken by the firm in certain
areas may be informed by prior actions. Further, the objective of the documentation
requirement is much broader than providing evidence for inspection purposes or enabling
proper remediation. As described in the proposal, the Board believes that the
documentation may also be useful for training purposes, ensuring the retention of
organizational knowledge, and providing a history of the basis for decisions made by the
firm about its QC system. One firm commented on these purposes and suggested that
firms should determine what documentation has continuing relevance based on the
circumstances. Another firm suggested that this could be reasonably handled by firms on
a case-by-case basis, and any necessary documentation that could impact or inform future
periods could be specifically retained. The firm further commented that some information
would become stale over time and that it does not anticipate information retained early on
being used for training or the retention of organizational knowledge in later years. A firm
and a related group commented that a seven-year retention requirement is appropriate as
it pertains to documentation that supports a firm’s evaluation of its system of quality
control and the related testing.
After consideration of the comments received, together with the amendment made
to paragraph .83. of the standard, the Board adopted the requirement to retain
documentation for seven years from the QC documentation completion date, unless a
longer period of time is required by law, as proposed. Paragraph .86 was amended to
clarify that the documentation to be retained for this period is the documentation of its
QC system required under paragraphs .81-.83 and paragraph .85. This requirement aligns
the QC document retention requirement with other requirements in PCAOB standards
and SEC rules (such as 17 CFR 210.2-06). Furthermore, the documentation relating to the

firm’s engagements must be retained for seven years,356 and the Board believes that it is
appropriate for the firm to also retain documentation of the QC system that operated over
those engagements for the same time period. For consistency and practical application,
the retention period is the same for all firms and applies to all documentation the firm is
required to accumulate to meet the documentation requirements of the standard.
2. Current PCAOB standards
Existing QC 20 provides that:
•

Appropriate consideration should be given to the extent to which QC policies and
procedures, and compliance with them, should be documented.357

•

The form, content, and extent of documentation depends on relevant factors,
including the size, structure, and nature of the firm’s practice.358

•

A firm should prepare appropriate documentation to demonstrate compliance with
its policies and procedures for the QC system.359

•

Documentation should be retained for a period sufficient to enable those
performing monitoring procedures and a peer review to evaluate the extent of the
firm’s compliance with its QC policies and procedures.360
QC 30 and the SECPS membership requirements include documentation

requirements for certain items such as findings from certain monitoring activities, CPE,
notification of cessation of client relationships, filing reviews under Appendix K, and
corrective actions to address apparent independence violations.361
ADDITIONAL AMENDMENTS

See AS 1215.14

See QC 20.21.

See QC 20.24-.25.

See QC 20.25.

See QC 20.25.

See, e.g., QC 30.08; SECPS 1000.08(m), 1000.45, 1000.46, 8000.

QC 1000 supersedes the existing PCAOB interim QC standards in their entirety.
Currently, Rule 3400T requires registered firms and their associated persons to comply
with the AICPA’s quality control standards as in existence on April 16, 2003, to the
extent not superseded or amended by the Board. Rule 3400T identifies the AICPA’s
Statements on QC Standards (QC 20, QC 30, QC 40) and certain of the AICPA’s SECPS
membership requirements, which are applicable only to firms that were members of the
AICPA SEC Practice Section on April 16, 2003. The Board rescinded Rule 3400T. In
consequence, the interim quality control standards referenced in Rule 3400T are no
longer part of PCAOB standards. Rule 3400T is replaced with Rule 3400, which
describes the auditor’s responsibilities for complying with quality control standards
adopted by the Board and approved by the SEC.
Other amendments to PCAOB standards, rules, and forms are described below.
AMENDMENTS TO AS 2901, CONSIDERATION OF OMITTED PROCEDURES
AFTER THE REPORT DATE, AND RELATED AMENDMENTS
1. Background
Currently, AS 2901 applies when the auditor concludes, after issuing its report on
the financial statements, that procedures “considered necessary at the time of the audit in
the circumstances then existing” were omitted from an audit of the financial statements,
but there is no indication that the financial statements are not fairly presented.362 Existing
AS 2901 requires remedial action if (i) the auditor concludes that the omitted procedures
impair its ability to support the previously issued opinion, and (ii) people are likely to
rely on the report. If remedial action is required but the auditor is not able to perform the
omitted procedures or alternative procedures that support the opinion, the standard directs

AS 2905, rather than AS 2901, applies if the auditor subsequently learns of facts regarding the
financial statements existing at the date of its report that might have affected its opinion.
Paragraph .98 of AS 2201 is an analogous provision in the context of ICFR audits.

the auditor to consult with counsel. Existing AS 2901 does not apply to ICFR audits or to
attestation engagements.
2. Amendments to AS 2901
The Board believes that amendments to AS 2901 are appropriate to modernize the
standard, incorporate the concepts and terminology introduced in QC 1000, and bring the
standard into alignment with the auditor’s existing responsibility to obtain sufficient
appropriate audit evidence to support the opinion.
QC 1000 introduces a new term, “engagement deficiency,” defined as an instance
of noncompliance with applicable professional or legal requirements by the firm, firm
personnel, or other participants with respect to an engagement of the firm, or by the firm
or firm personnel with respect to an engagement of another firm. For an engagement
deficiency related to a completed engagement, QC 1000 requires firms to take action to
address the engagement deficiency “in accordance with applicable professional and legal
requirements” (e.g., AS 2901, AS 2905, AS 2201.98-.99).
The Board broadened the scope of AS 2901 to incorporate this new terminology,
so that remedial action is required for engagement deficiencies for both financial
statement audits and ICFR audits unless it was probable that the engagement report is not
being relied upon.363 Reflecting this broader scope, the name of the standard was also
changed to “Responding to Engagement Deficiencies After Issuance of the Auditor’s
Report.”
a. Scope and applicability (AS 2901.01-.02)
Note that, under PCAOB Rule 1001(a)(xii), “auditor” as used in AS 2901 means
both firms and their associated persons.
i.

Engagements covered

See QC 1000.68b.

Existing AS 2901 predates ICFR audit requirements and applies only to financial
statement audits. The Board proposed to extend the scope of AS 2901 to cover
engagement deficiencies in ICFR audits as well. Several commenters, generally firms,
agreed with the proposal to extend the scope of AS 2901 to include engagement
deficiencies in ICFR audits, and the Board adopted that change in scope.
Similar to the concept in existing AS 2901, the Board proposed that the revised
standard would not apply to engagements where it is probable that the audit report is not
being relied upon.364 The proposed standard included a note providing that the firm must
treat an engagement report as being relied upon if the engagement report is included in
the most recent SEC filing on a form that requires its inclusion. One commenter pointed
out that the use of the term “must” in the proposed note did not allow for the auditor to
take into account situations that may indicate an auditor’s report is not being relied upon
even when the auditor’s report is included in the most recent filing on an SEC form. Two
commenters suggested that the standard should also exclude engagements where the
issuance of the subsequent year’s auditor’s report is imminent.
The Board agrees that the standard should allow for circumstances where the
auditor’s report is included in the most recent filing on an SEC report, but the auditor
may nonetheless conclude that the auditor’s report is no longer being relied upon.
However, in the Board’s view, the fact that the issuance of the subsequent year’s
auditor’s report is imminent is not determinative of whether the report continues to be
relied upon.
The Board revised the note to paragraph .01 to provide that, in the absence of
circumstances indicating that reliance is impossible or unreasonable (e.g., cessation of a

Under current AS 2901, the test is whether the auditor believes there are persons currently relying,
or likely to rely, on the audit report. Under the final standard, the test would be whether it is
probable that no one is relying, without reference to the auditor’s belief. The term “probable” has
the same meaning as described in the FASB ASC paragraph 450-20-25-1.

trading market for issuer securities), inclusion of an auditor’s report in the most recent
filing on an SEC form that requires inclusion of such an auditor’s report evidences that
the report is being relied upon. The Board believes this is responsive to commenter
concerns and allows for sufficient flexibility. The note has also been revised to clarify
that an auditor’s report can be included in an SEC filing either directly or through
incorporation by reference.
The determination that an auditor’s report is not being relied upon would
primarily be influenced by whether the auditor’s report and related financial statements
are readily available and whether a trading market exists for the company’s securities.
Circumstances that may suggest the engagement report is no longer being relied upon
could include:
•

So much time has elapsed that the financial statements covered by the auditor’s
report are no longer required to be included in SEC periodic reports.

•

The issuer’s or broker-dealer’s business has been dissolved or gone into
liquidation.
ii.

Compliance with AS 2905/AS 2201.98

Under the amendments, AS 2901 points the auditor to AS 2905 or AS 2201.98 to
the extent they apply. This preserves the difference in treatment that exists under current
auditing standards between situations where financial statements and potentially the audit
opinion may be in doubt (AS 2905 or AS 2201), and other circumstances where remedial
action is required but there is no initial indication that the financial statements might be
misstated (AS 2901).
iii.

Deficiencies covered

Existing AS 2901 applies when the auditor concludes that procedures considered
necessary at the time of the audit in the circumstances then existing were omitted. As
proposed, AS 2901 was extended to cover all engagement deficiencies identified. The

Board believes it is more consistent with the basic philosophy of QC 1000 and better
supports the ultimate goal of improving audit quality to require remedial action for all
engagement deficiencies, regardless of whether the audit opinion is unsupported.
b. Activities to address engagement deficiencies
AS 2901 currently requires remedial action when, due to omitted procedures that
were considered necessary at the time of the audit, the auditor’s opinion is not
sufficiently supported. The required action is to perform the omitted procedures or
alternative procedures that would support the opinion. If that is not possible, the auditor is
directed to consult an attorney to determine an appropriate course of action.
Under the proposal, remedial action would be required for all engagement
deficiencies—both those engagement deficiencies that affect the auditor’s opinion and
those that do not. Many commenters expressed concern with the proposal to require
remedial actions for all engagement deficiencies, with one commenter suggesting that
remedial actions should only be required for major deficiencies, and another commenter
suggesting that the need for remedial actions should be assessed on a case-by-case basis,
taking into account the severity of the engagement deficiency. Several commenters
suggested that firms should be able to exercise judgment about whether remediation is
necessary and observed that in practice most identified engagement deficiencies are
remediated. Other commenters considered the proposed requirement overly prescriptive
and one commenter suggested that the requirement was unnecessarily burdensome for
instances where the auditor’s report is adequately supported despite an identified
engagement deficiency. On the other hand, two commenters expressed support for the
Board’s approach to the obligation to remediate engagement deficiencies, with one
commenter stating that requiring remedial action for all identified engagement
deficiencies, not just in situations where the auditor’s opinion may be unsupported, would
contribute to improving audit quality.

The Board continues to believe that requiring firms to take action to address all
engagement deficiencies, whether related to an unsupported auditor’s opinion or not, is
appropriate and reinforces a firm’s obligation to comply with all applicable professional
and legal requirements, and adopted this requirement as proposed. As discussed below,
when the opinion is appropriately supported, the firm may determine which actions to
take in response to an engagement deficiency.
i.

Addressing engagement deficiencies related to an unsupported auditor’s
opinion (AS 2901.03)

Under the proposal, in cases where the auditor did not obtain sufficient
appropriate audit evidence to support the opinion, the auditor would have been required
to either obtain additional evidence such that the opinion is adequately supported or take
action to prevent future reliance on the report. One firm suggested that further guidance
regarding these requirements would assist a firm in distinguishing between the
engagement deficiencies that are subject to this provision rather than paragraph .04
(discussed below), or in the alternative, explicit alignment to the PCAOB’s definition of a
Part I.A or Part I.B deficiency.365 The Board is reluctant to incorporate terminology into
its standards that does not have a fixed meaning under PCAOB rules and is subject to
change.366 The Board also does not want to suggest that the requirements apply only to
deficiencies identified by the PCAOB. However, in order to address this concern,
paragraphs .03a and .03b were revised to make it explicit that the auditor’s actions in
paragraph .03b relate specifically to instances where the auditor is not able to obtain
sufficient appropriate audit evidence to support the auditor’s opinion.

Subsequent to the date of the comment letter, the PCAOB created an additional category, Part I.C
deficiencies. Definitions of Part I.A, Part I.B, and Part I.C deficiencies are available on the
PCAOB website at https://pcaobus.org/oversight/inspections/inspection-procedures.

As an example of how the Board’s inspection reporting framework can change over time, in May
2023, the Board introduced several transparency enhancements to its inspection reports, including
a new section of the inspection report focused on independence violations (Part I.C).

The type of procedures that the auditor performs in response should be guided by
the type and amount of evidence needed to support the auditor’s opinion. If the auditor is
not able to obtain sufficient appropriate evidence to support the opinion, the auditor is
required to take appropriate action to prevent future reliance on the audit report. The
Board also amended AS 2201 as part of this rulemaking to include a reference to AS
2901 as a reminder of auditor responsibilities under that section with respect to audits of
internal control over financial reporting.367
ii.

Addressing all other engagement deficiencies

Under the proposed standard, for all other deficiencies on audit engagements, the
auditor would have been required to perform remedial actions, similar to those described
in QC 1000.69, based on the auditor’s determination of what action (corrective,
preventive, or both) is appropriate based upon the specific facts and circumstances. The
proposal described the following potential responses to engagement deficiencies:
•

Take corrective action to completely remediate the deficiency, where appropriate.

•

For deficiencies that cannot be completely remediated, remediate to the extent
possible and implement measures to prevent recurrence. For example, if a Form
AP was filed late, the auditor would not be able to remediate the lateness but
could improve the controls over the filing process.

•

Determine, based on the facts and circumstances, that no further remedial action
is necessary, e.g., because of remedial actions already taken to respond to other
deficiencies.
One commenter suggested including language in the lead-in to the note to

paragraph .04 to further clarify that the actions a firm may take to remediate an

See Appendix 5, Other Amendments.

engagement deficiency could be either corrective or preventive, or could be a
combination of the two. The note in the final standard reflects this clarification.
Additionally, the term “remedial” was removed from the final standard in the
lead-in to the note to paragraph .04 in order to encompass all actions required under
applicable professional and legal requirements, some of which (e.g., notification to the
board of directors or regulatory agencies) may not be remedial in nature.
c. Documentation
The proposed documentation requirement did not draw comment and was adopted
as proposed.
When the auditor’s response to engagement deficiencies involves adding
additional information to the auditor’s working papers, the requirements of AS 1215.16
will apply.
Under AS 2901, the auditor should document the actions taken pursuant to paragraphs
.03 and .04 to address engagement deficiencies in an audit engagement where the audit
report has previously been issued. This documentation requirement is consistent with the
documentation requirements in proposed QC 1000.82c for all engagement deficiencies.
3. Related amendments
The Board proposed to add provisions similar to AS 2901 to the standards for
broker-dealer attestation engagements, AT No. 1 and AT No. 2, to prompt auditors of
brokers and dealers to take appropriate action if they discover that the opinion or
conclusion in a previously issued attestation report was not supported. Currently, those
standards are silent as to the responsibilities that apply when a deficiency is identified
after the engagement report is issued.
One commenter, who recommended changes to proposed AS 2901 (including that
remediation should be required only when the auditor’s opinion may not be supported),
suggested that the same changes be incorporated into AT No. 1 and AT No. 2. For the

reasons discussed above in the context of AS 2901, the Board does not believe such a
limitation is appropriate. However, the Board made a conforming change, similar to a
change made to AS 2901, to the note to clarify that the auditor must treat reports as being
relied upon when the examination report (in the case of AT No. 1) or review report (in
the case of AT No. 2) is included (either directly or through incorporation by reference)
in an SEC filing on an SEC form that requires inclusion of such an examination report or
review report. The Board also made revisions to the proposed requirements in AT No. 1
and AT No. 2 by removing the word “remedial” from the lead-in language to the notes in
each of the respective standards in order to encompass all actions required under
applicable professional and legal requirements, some of which (e.g., notification to the
board of directors or regulatory agencies) may not be remedial in nature. With these
modifications, the Board adopted the proposed amendments to AT No. 1 and AT No. 2.
The Board also amended AS 2201 as part of this rulemaking to include a
reference to AS 2901 as a reminder of auditor responsibilities under that section with
respect to audits of internal control over financial reporting.368
The Board did not propose to amend its interim attestation standards to include
provisions similar to AS 2901. One commenter encouraged the Board to consider
creating a separate attestation standard like AS 2901 to minimize repetition within each
attestation standard, especially if the Board plans to adopt new standards beyond AT No.
1 and AT No. 2 in the future. At this time, the Board did not amend its interim attestation
standards to include provisions similar to AS 2901, though it may consider doing so in
the future.

See Appendix 5, Other Amendments.

RESCISSION OF ET SECTION 102; ADOPTION OF EI 1000; RELATED
AMENDMENTS
1. Rescission of ET Section 102 and adoption of EI 1000, Integrity and Objectivity
The Board rescinded an interim ethics and independence standard, ET 102,
Integrity and Objectivity, replacing it with a new standard, EI 1000, Integrity and
Objectivity. EI 1000 is based on existing ET 102, including its related interpretations
codified as ET 102.02, .03, and .05, but reflects revisions that align PCAOB ethics
requirements with the scope, approach, and terminology of QC 1000. To take one
example, the new EI 1000 applies to registered public accounting firms and their
associated persons rather than current AICPA “members” as referenced in ET 102.
Integrity and objectivity are foundational to the audit and critical to the
performance of engagements under PCAOB standards. They lend credibility and
engender trust in financial reporting. As the U.S. Supreme Court pointed out in United
States v. Arthur Young:
By certifying the public reports that collectively depict a corporation’s financial
status, the independent auditor assumes a public responsibility transcending any
employment relationship with the client. The independent public accountant
performing this special function owes ultimate allegiance to the corporation’s
creditors and stockholders, as well as to the investing public. This “public
watchdog” function demands that the accountant maintain total independence
from the client at all times, and requires complete fidelity to the public trust.369
The responsibility to maintain integrity and objectivity is an important
counterbalance to the risk that the auditor may be unduly influenced by company

United States v. Arthur Young, 465 U.S. 805, 817-818 (1984).

management or may be subject to cognitive or other biases in performing the audit.370 In
turn, an auditor’s integrity and objectivity can help to increase investor trust in financial
reporting and strengthen capital markets.
Currently, paragraph .01 of ET 102 sets out three requirements that apply in the
performance of a professional service: (i) maintaining integrity and objectivity, (ii) being
free of conflicts of interest, and (iii) not knowingly misrepresenting facts or subordinating
judgment. The remaining paragraphs of the rule and the relevant portions of ET 191
provide more detailed direction in specific contexts.
The Board proposed creating two overarching requirements in EI 1000: (i)
maintaining integrity, which would include being honest and candid, not knowingly or
recklessly misrepresenting facts, and not subordinating judgment; and (ii) maintaining
objectivity, which would include being impartial, intellectually honest, and free of
conflicts of interest. The proposal incorporated descriptions of integrity and objectivity
that were substantially based on existing requirements in QC 20.10.371
In addition to substantially recodifying existing requirements, the Board also
proposed to clarify the scope of the rule and more closely align it with the scope,
approach, and terminology of QC 1000.
With two clarifications discussed below, the Board adopted EI 1000 as proposed
and rescinded ET 102.
a. General
As proposed, the Board modernized the standard and aligned it with other
PCAOB standards and rules by renumbering it in accordance with the PCAOB’s

See, e.g., Auditing Accounting Estimates, Including Fair Value Measurements and Amendments to
PCAOB Auditing Standards, PCAOB Rel. No. 2018-005 (Dec. 20, 2018), at 30-35 (discussing
auditor incentives and potential cognitive biases).

QC 20.10 states: “Integrity requires personnel to be honest and candid within the constraints of
client confidentiality…. The principle of objectivity imposes the obligation to be impartial,
intellectually honest, and free of conflicts of interest.”

reorganized standards framework, incorporating PCAOB terminology, and eliminating
outdated provisions.
The final rule clarifies that the requirements of EI 1000 apply in connection with
all responsibilities under “applicable professional and legal requirements” (as defined in
QC 1000) and the firm’s related policies and procedures, whether in relation to the firm’s
engagements, work the firm does on other firms’ engagements, training, independence
monitoring, or other activities that are part of or subject to the firm’s QC system. In
addition, EI 1000 applies to registered firms and their associated persons, rather than to
“members” as ET 102 currently provides.
The final rule also corrects a reference in EI 1000.02.b(2) from “materially false
and misleading” to “materially false or misleading.”
One commenter supported the replacement of ET 102 with EI 1000, but
recommended labeling it “OI” for Objectivity and Integrity. As described in the proposal,
the Board created a designation not only for its standard on objectivity and integrity, but
for future standards as well. The Board intends to use “EI” for all ethics and
independence standards, just as it uses “AS” to designate auditing standards.
While one commenter confirmed that the terms used in EI 1000 are generally
clear, another commenter recommended clarifying the expectations for the terms “being
honest and candid” in EI 1000.02 and “being intellectually honest” in EI 1000.03. This
language is drawn from existing QC 20.10, has a clear plain English meaning, and the
Board believes should be well understood.
b. Integrity
EI 1000.02 notes that, as part of maintaining integrity, a firm and its associated
persons must be “honest and candid.” This requirement is drawn from existing QC 20.10.
The Board omitted the reference to “within the constraints of client confidentiality” in
order to avoid suggesting that “client confidentiality” could limit a firm’s or its associated

persons’ obligations to comply with the requirements of PCAOB rules or standards. This
is consistent with the Board’s interpretation of QC 20.10, under which a firm or its
associated persons must be honest and candid in complying with PCAOB rules and
standards, including during PCAOB inspections. It also confirms, among other things,
that associated persons have the ability to report wrongdoing within the firm and to the
appropriate regulatory authorities without constraints of confidentiality, consistent with
PCAOB rules and standards. Similar to current QC 20.10, EI 1000.02 does not address
the requirements of client confidentiality beyond the requirements set forth in PCAOB
rules and standards and applicable requirements of the Federal securities laws, including
the Sarbanes-Oxley Act.372
One commenter suggested that, rather than removing the reference to
confidentiality, the Board should instead refer to IESBA Code Section 260 related to
noncompliance with laws or regulations. In general, the Board does not incorporate by
reference the concepts and terminology used by other standard setters. In relation to
noncompliance with laws and regulations in particular, the Board has proposed its own
new standard.373 If a new PCAOB standard in that area is ultimately adopted by the
Board and approved by the SEC and makes it appropriate for the Board to amend EI
1000, the Board would of course intend for EI 1000 to align with its new standard rather
than the IESBA code.

As a general matter, the Uniform Accountancy Act excludes from the prohibition against
voluntary disclosure, in part, “information required to be disclosed by the standards of the public
accounting profession in reporting on the examination of financial statements or as prohibiting
compliance with applicable laws, government regulations or PCAOB requirements.” AICPA,
Uniform Accountancy Act (January 2018). available at
https://us.aicpa.org/content/dam/aicpa/advocacy/state/downloadabledocuments/uaa-eighth-editionjanuary-2018.pdf.

See Proposing Release: Amendments to PCAOB Auditing Standards related to a Company’s
Noncompliance with Laws and Regulations And Other Related Amendments, PCAOB Rel. No.
2023-003 (June 6, 2023).

The proposal clarified that the responsibility to avoid factual misrepresentations
covers not only knowing, but also reckless behavior, and that this responsibility applies to
any knowing or reckless misrepresentation of fact, including situations where
documents—such as work papers and communications with the PCAOB and the SEC—
containing materially false or misleading information are knowingly or recklessly signed,
permitted or directed to be signed, or left uncorrected by those with authority to correct
them.
One commenter suggested that the concept of failing to correct a document that is
materially false and misleading when having the authority to do so should be limited to
circumstances in which the document was materially false and misleading “when made.”
The Board agrees that the duty to correct is not unbounded, and generally applies at the
time that a document is made (including when filed with or submitted to a regulatory
authority). The Board notes, however, that while EI 1000 does not independently impose
a duty to correct a document that was not materially false or misleading when made, such
a duty may arise under other statutes, laws, or regulations, and the Board believes that in
such a circumstance, the failure to discharge that duty should also constitute a violation
of EI 1000. The Board added language to EI 1000.02b to clarify the circumstances under
which failure to correct a document would constitute a knowing or reckless
misrepresentation of facts.
The Board proposed to broaden the responsibility to avoid subordination of
judgment so it would apply to any dispute or disagreement over applicable professional
and legal requirements or how to apply them. One commenter suggested that, as part of
the provision on subordination of judgment, the Board should address the risk of
supervisors exercising undue influence over subordinates in the same manner as under

the AICPA Code of Professional Conduct.374 The relevant interpretive provision of the
AICPA Code, 1.130.020, Subordination of Judgment, identifies undue influence by a
supervisor as a potential threat to compliance with the AICPA’s Integrity and Objectivity
Rule375 and provides safeguards to be applied when the threat is not at an acceptable
level. The safeguards to be applied are essentially the same as the process required under
EI 1000.02c, including research and consultation to determine whether the supervisor’s
position is supportable, consultation with higher levels of management, and, if
appropriate action is not taken, consideration of potential duties to notify third parties and
consideration of the appropriateness of continuing a relationship with the firm. In
addition to the provision in EI 1000, QC 1000 also addresses the risk of undue influence
through a quality objective in the engagement performance component related to the
appropriate resolution of differences in professional judgment,376 as well as general
provisions that would apply to undue influence by a supervisor, including in the
governance and leadership component,377 the ethics and independence component,378 and
the resources component.379 The Board believes these provisions address the concerns
raised by this commenter and have adopted the subordination of judgment provision of EI
1000 as proposed.
c. Objectivity
One commenter suggested that the Board could clarify the standard by including
references to the AICPA or IESBA concepts of conflict of interest. As noted above, it is
not generally Board policy to incorporate by reference the concepts and terminology used

AICPA Code of Professional Conduct 1.130.020, Subordination of Judgment.

Id. at 1.100.001.

QC 1000.42.c.

QC 1000.25.

QC 1000.33b, c., and f.

QC 1000.46a.

by other standard setters. The Board also believes that a cross reference is not appropriate
because EI 1000 addresses essentially the same conduct as the AICPA and IESBA
provisions.
d. Rescission of Certain AICPA Interpretations
Additionally, the Board rescinded the former AICPA interpretations currently
codified as ET 102.04, .06, and .07, which address members’ obligations to their
employer’s external accountant, performance of educational services, and professional
services involving client advocacy, respectively. These are generally not relevant to
engagements performed under PCAOB standards. In addition, the matters addressed in
paragraph .07 are either effectively superseded by 17 CFR 210.2-01 or more effectively
addressed elsewhere in PCAOB standards (e.g., AS 2610, Initial Audits—
Communications Between Predecessor and Successor Auditors).
2. Amendments to ET Section 191
In connection with EI 1000, the Board also proposed amending ET 191 by
making a conforming amendment to paragraph .062 and rescinding paragraphs .130,
.131, .170, .171, .186, .187, .198, .199, .202, and .203. The only commenter on this topic
supported these amendments. The Board adopted the amendments as proposed. The
interpretations the Board rescinded (addressing, respectively, use of the CPA designation
by accountants not in public practice, service as a director of a bank, service on the board
of directors of United Way or a similar federated fund-raising organization, providing
services for company executives, and providing client advocacy services) are generally
not relevant to engagements performed under PCAOB standards or are addressed
elsewhere in PCAOB and SEC rules. The Board did not amend the portions of ET 191
that pertain to ET 101, which is not being substantively amended in this rulemaking.
3. Amendments to Rule 3500T, Interim Ethics and Independence Standards, and
ET Section 101, Independence

The Board proposed amending paragraph (a) of Rule 3500T to eliminate the
introductory phrase “In connection with the preparation or issuance of any audit report,”
which it believes may cause the rule to be read unduly narrowly. The Board also
proposed eliminating references to ET 102, Integrity and Objectivity, and substituting a
reference to EI 1000, Integrity and Objectivity. These proposed amendments did not
receive any comment and were adopted as proposed.
Lastly, the Board amended paragraphs .04, .13, and .16 of ET 101, Independence,
to conform the references to ET 102, which will be rescinded, to EI 1000.
OTHER AMENDMENTS
In connection with the adoption of QC 1000, the Board also adopted amendments
to other professional standards, PCAOB rules, and PCAOB forms. As discussed in more
detail below, these amendments:
•

Align terminology, concepts, and cross-references with QC 1000;

•

Rescind standards that are unnecessary in light of the adoption of QC 1000;

•

Recodify certain provisions of requirements that are rescinded into other PCAOB
standards and rules; and

•

Make other technical and clarifying amendments.
The one commenter that addressed this topic generally supported the amendments

and also recommended an amendment to PCAOB Rule 1001(p)(vi) to use the term
“quality control standards” instead of “quality control policies and procedures.” The
language used in PCAOB Rule 1001(p)(vi) is drawn from section 110(5) of SarbanesOxley and the Board believes its rule should continue to align with that statutory
provision.
These amendments are discussed further below.
1. Rescission of Rule 3400T, Interim Quality Control Standards; Adoption of Rule
3400, Quality Control Standards

These rule changes did not receive any comment and were adopted as proposed.
PCAOB Rule 3400T, Interim Quality Control Standards, requires registered
public accounting firms and their associated persons to comply with the Board’s interim
quality control standards. The Board rescinded Rule 3400T, including all current QC
standards identified in the rule, which the Board adopted on an interim, transitional
basis.380 The Board adopted in its place a new rule, Rule 3400, to codify the auditor’s
responsibilities for complying with the Board’s quality control standards.
2. Rescission of AS 1110, Relationship of Auditing Standards to Quality Control
Standards
The Board received no comment on the proposed rescission of AS 1110 and
rescinded it, as proposed.
At the time AS 1110 was issued, it served to describe the relationship between the
then already-existing auditing standards and the new set of standards that governed a
firm’s system of quality control. This relationship is now well understood by firms and
clarified within QC 1000. In addition, the first two paragraphs of AS 1110 merely repeat
the requirements to comply with the auditing and QC standards that are addressed by
other PCAOB standards and rules. Accordingly, the Board rescinded AS 1110.
3. Adoption of AS 1310, Notification of Termination of the Auditor-Issuer
Relationship

Under PCAOB Rule 3400T(a), all firms are required to comply with QC standards as described in
“the AICPA’s Auditing Standards Board’s Statements on Quality Control Standards, as in
existence on April 16, 2003 (AICPA Professional Standards, QC §§ 20-40 (AICPA 2002)), to the
extent not superseded or amended by the Board.”. PCAOB Rule 3400T(b) requires certain firms to
comply with QC standards as described in “the AICPA SEC Practice Section’s Requirements of
Membership (d), (l), (m), (n)(1), and (o), as in existence on April 16, 2003 (AICPA SEC Practice
Section Manual 1000.08(d), (j), (m), (n)(1), and (o)), to the extent not superseded or amended by
the Board.” PCAOB Rule 3400T(b). The note to Rule 3400T provides that those requirements
“only apply to those registered public accounting firms that were members of the AICPA SEC
Practice Section on April 16, 2003.”

The Board adopted a new standard, AS 1310, which recodifies existing
requirements of SECPS 1000.08(m), Notification of the Commission of Resignations and
Dismissals from Audit Engagements for Commission Registrants, and applies those
requirements to all firms and all issuer engagements. As noted above, the Board
rescinded the QC standards that pertain only to firms that were SECPS members at the
time the PCAOB was created. In lieu of the SECPS requirement, the Board adopted a
new standard that requires the auditor to notify the SEC upon resignation or dismissal
from an audit engagement of an issuer if the issuer does not report such change in a
current report on Form 8-K.
The only commenter to address this proposed standard agreed that it could
provide valuable and timely information to investors to alert them when audit committees
have failed to fulfill their reporting responsibilities. The Board notes, however, that
notifications provided under the current SECPS requirement might not be made publicly
available. Nevertheless, the Board believes that notices provided to the SEC under the
standard could provide valuable information to the SEC. Therefore, the Board adopted
the standard substantially as proposed, with a revision to conform to the precise language
on Form 8-K. This requirement applies to all issuer engagements, regardless of whether
the firm was a member of the SECPS and regardless of whether the issuer is required to
report on Form 8-K.
4. Amendments to AT Section 101, Attest Engagements
These amendments did not receive any comment and were adopted as proposed.
The amendments to AT Section 101 align with the rescission of AS 1110
discussed above, by deleting the paragraphs that address the relationship of attestation
standards to QC standards. Additionally, the deletion of footnote 23 removes language
related to monitoring compliance with quality control policies and procedures, which is
unnecessary in light of the adoption of QC 1000.

5. Amendments to Form 1, Application for Registration
The Board proposed to amend Form 1 to (i) refer to QC 1000 in the instructions in
order to prompt firms to consider their obligations with respect to QC in connection with
their application for registration, and (ii) add a new item whereby firms confirm whether
they have designed a QC system in accordance with PCAOB standards. The only
commenter to address this amendment agreed that the amendments would be appropriate.
The Board adopted these amendments as proposed.
6. Amendments to Form 2, Annual Report Form
The Board proposed to amend Form 2 to add a new item whereby firms would
confirm (i) that they have designed a QC system in accordance with PCAOB standards;
and (ii) whether they were required to implement and operate a QC system in accordance
with PCAOB standards at any time during the period of time covered by Form 2. The
only commenter to address this amendment agreed that the amendments would be
appropriate. The Board adopted these amendments as proposed.
7. Technical and conforming amendments
These amendments did not receive any comment and were adopted as proposed.
The Board implemented a number of technical and conforming amendments to
align terminology and concepts in existing standards and one PCAOB form with
QC 1000.
The Board also implemented a technical amendment to the instructions to Form
AP to clarify an exclusion from disclosing the identity of, and hours incurred by,
accounting firms in certain circumstances. The Board, when it adopted Form AP, stated
that it intended to exclude the reporting of “hours incurred in the audit of entities in
which the issuer has . . . an investment” using the equity method of accounting.381 Form

See Improving the Transparency of Audits: Rules to Require Disclosure of Certain Audit
Participants on a New PCAOB Form and Related Amendments to Auditing Standards, PCAOB
Rel. No. 2015-008 (Dec. 15, 2015), at 26.

AP currently excludes hours “of an accounting firm performing the audit of entities in
which the issuer has an investment that is accounted for using the equity method,” but the
Board is concerned that such language might be read to exclude all of the audit work
performed by such an accounting firm on an audit, rather than only those hours spent
performing the audit of entities in which the issuer has an investment accounted for using
the equity method. The Board revised the instruction in Part IV of the form to exclude
from its disclosure requirements the identity of, and hours incurred by, accounting firms
“in performing” the audit of entities in which the issuer has an investment that is
accounted for using the equity method, which clarifies that the identity of, and hours
incurred by, such firms with respect to other work on the audit must be disclosed on
Form AP, unless they are subject to other Form AP exclusions.
EFFECTIVE DATE
In the proposing release, the Board sought comment on the amount of time
auditors would need before the proposed new quality control standard and the other
proposed amendments to PCAOB standards, rules, and forms, if adopted by the Board
and approved by the SEC, become effective. We proposed an effective date of December
15 of the year after approval by the SEC.
One commenter agreed that the proposed effective date should be reasonable in
practical terms. Another commenter asserted that the standard is not clear on the effective
date as it relates to design and implementation and operating effectiveness, and
recommended that the Board allow firms significant time between the release of the final
standard and its effective date. One commenter suggested that an 11-month period from
the effective date to the first evaluation date would not be practicable, and firms would
need time to consider whether and how to transition from their evaluation date previously
established under ISQM 1.

Several commenters suggested that if the standard is approved in 2023, and
becomes effective on December 15, 2024, this would provide challenges to auditors.
Some of these commenters further suggested that the proposed effective date would be
particularly challenging for smaller firms that might not have already implemented ISQM
1 and do not have to implement SQMS 1 until December 15, 2025. Commenters
suggested alternative effective dates such as December 15, 2025; 18 months after
approval by the SEC and no sooner than December 15, 2025; the later of 12 months after
approval by the SEC or December 15, 2025; or two years after SEC approval. One
commenter suggested a phased approach such that the effective date would be different
for firms that are annually inspected than for other firms, while other commenters
suggested that firms that are required to implement incremental requirements based on
the size of the firm should be provided additional time to implement the incremental
requirements. One commenter suggested that an overly speedy adoption timeline could
create unintended consequences such as disruption to QC systems and increased
difficulty of getting buy-in on the proposed QC changes from stakeholders. Another
commenter suggested that an additional one to two years may be needed for firms with
less than 100 issuers, or that have not adopted ISQM 1, to develop and implement the
additional monitoring, evaluation and remediation requirements. The commenter further
suggested that a proposed initial evaluation date that is eleven and a half months after the
effective date may not allow enough time for remediation and that the PCAOB should
consider a longer onboarding process.
After considering the comments received subject to approval by the SEC, the final
standard and related amendments to auditing standards, rules, and forms will take effect
on December 15, 2025.
The Board believes that an effective date of December 15, 2025 strikes an
appropriate balance between the benefits to investors of having QC 1000 take effect as

promptly as practicable, while allowing sufficient time for firms to design and implement
robust, QC 1000-compliant QC systems.
One commenter suggested the Board consider how mergers and acquisitions of
firms would impact the effective date for the standard, and suggested the Board consider
similar guidance to the SEC that provides that issuers may exclude an acquired business’s
internal control over financial reporting from its assessment of internal control for up to
one year or for one assessment. After consideration of the comment received, the Board
appreciates that it could take time to fully integrate a newly acquired firm’s QC system
and perform an evaluation of its effectiveness. However, the Board does not believe that
it is appropriate or consistent with its investor protection mandate to allow for a portion
of a firm’s QC system to be excluded from the annual evaluation. The Board believes that
specific quality risks could arise as the result of a merger or acquisition, and that firms
should be designing, implementing, and operating quality responses to address these as
part of merger planning and execution. Furthermore, if, as a result of a merger or
acquisition between registered public accounting firms, the resultant firm is unable to
conclude that the QC system is effective as of the evaluation date, then the Board
believes that it is essential that the firm has identified and is remediating the QC
deficiencies that exist as a result of the merger or acquisition and is monitoring any
impact on the firm’s engagements.
Unlike ISQM 1 and SQMS 1, under QC 1000, the requirements for QC system
evaluation are not being implemented on a delayed basis. When QC 1000 takes effect, all
provisions of QC 1000 will take effect. Because the evaluation date of September 30
builds in over a nine-month delay between the effective date of the standard and the first
evaluation date, the Board does not believe further delaying the effective date of the
evaluation requirements would be necessary or appropriate. However, the first evaluation
period will be of the period beginning on the effective date of the standard (i.e.,

December 15, 2025) and ending on the next September 30, rather than the 12-month
period ending on that September 30.
D.

Economic Considerations and Application to Audits of Emerging Growth

Companies
Economic analysis is an important aspect of the rulemaking process. This
economic analysis describes the baseline for evaluating the economic impacts of the
rulemaking, the need for rulemaking, its expected economic impacts (including benefits,
costs, and potential unintended consequences), and reasonable alternatives considered.
Due to data limitations, much of the economic analysis is qualitative in nature; however,
where reasonable and feasible, the analysis incorporates quantitative information,
including information from PCAOB inspections of registered firms.
The Board has sought information relevant to the economic analysis over the
course of this rulemaking.382 To the extent that commenters expressed views related to
the economic analysis, many commenters generally agreed with the need for QC 1000,
but some commenters raised concerns with certain impacts of the proposed standard.
Several commenters expressed concerns about costs associated with certain key
requirements, such as documentation. Some commenters suggested that the economic
analysis should more explicitly consider costs that could disproportionately impact
smaller and mid-size firms. Some commenters asserted potential unintended
consequences with the proposed standard, including demand on staff resources and
potential competitive effects, while other commenters suggested alternatives to help
manage costs associated with certain proposed requirements, such as the 100-issuer
threshold and evaluation and reporting dates. Some commenters offered a quantitative
perspective regarding impacts. Several commenters referenced additional academic

See PCAOB Rel. No. 2022-006; PCAOB Rel. No. 2019-003.

research for the Board’s consideration. The Board considered all the comments received,
including the quantitative perspectives and academic research the comments referenced,
and has developed the following economic analysis that evaluates the expected benefits
and costs of the final requirements, discusses potential unintended consequences, and
facilitates comparison to alternative actions considered.
BASELINE
The discussion above provides an overview of current PCAOB QC standards;
summarizes observations from PCAOB oversight activities; and describes developments
in the auditing environment since the adoption of current PCAOB QC standards,
including the actions of other standard setters. This section expands on that discussion by
describing additional aspects of the economic baseline against which the economic
impacts of the requirements can be considered and presenting other relevant information
on the audit services market for issuers and broker-dealers. Specifically, this expanded
discussion includes:
•

Three complementary proxies for the level of compliance with professional
standards applicable to the performance of engagements, derived from PCAOB
inspections data. Analysis of these proxies informs the baseline for considering
the expected benefits of the requirements (e.g., improved compliance with
professional standards).383

•

Information on resources that U.S. global network firms (“GNFs”) invest in their
QC systems. As the requirements are expected to result in changes to some firms’
QC systems, this information informs the baseline for considering the expected
costs of the requirements.

See below for further discussion.

•

Changes firms have made to their QC systems to remediate QC deficiencies
identified by PCAOB inspections staff and presents QC deficiencies related to
firms’ management of their audit practices. This discussion provides information
on the evolution of QC systems and informs the evaluation of the need for and the
economic impacts of the requirements.

•

A concise survey of academic literature on quality-threatening behaviors that
suggest certain weaknesses in some QC systems in practice.

•

Key assumptions regarding how QC systems are likely to evolve absent the
requirements.
In describing the baseline,384 the analysis presents anonymized and aggregated

summary statistics regarding deficiencies included in past PCAOB inspection reports.
Since PCAOB inspection reports do not consider broker-dealer engagements, the analysis
also presents anonymized and aggregated summary statistics regarding audit and
attestation engagement deficiencies included in annual reports on the PCAOB’s interim
inspection program related to audits of brokers and dealers. The following background
information associated with this quantitative inspection information bears emphasizing:
•

QC deficiencies presented in Part II of a PCAOB inspection report385 may relate
to: (1) a firm’s management of its audit practice or (2) a firm’s performance of

The scope of the information on inspections and remediation efforts presented in the baseline
section is limited to those firms that are subject to inspection under Sarbanes-Oxley; specifically,
firms that provide one or more audit reports for an issuer, broker, or dealer and firms that play a
substantial role in the preparation or furnishing of such audit reports. See section 104(a)(1), (2),
and (b)(1) of Sarbanes-Oxley, 15 U.S.C. 7214(a)(1), (2), and (b)(1). In particular, PCAOB’s
analysis of deficiencies included in past PCAOB inspection reports does not include registered
firms that would be subject only to design requirements on the basis that they do not perform
“engagements” as defined in QC 1000. Based on Form 2 reporting as of June 30, 2023,
approximately 60% of registered firms reported that they had not issued an audit report for an
audit of an issuer or broker-dealer or played a substantial role in such an engagement during the
preceding 12 months.

Part II of a firm’s inspection report includes any criticisms of, and potential defects in, the firm’s
QC system, that were communicated to the firm as part of a PCAOB inspection. As required under
Sarbanes-Oxley, any QC deficiencies observed during a PCAOB inspection are not included in the
public portion of the relevant inspection report when first issued. If a firm does not address to the

audit procedures.386 QC deficiencies of the first type refer to the operation of QC
policies and procedures. For example, a QC deficiency related to a firm’s
management of its audit practice may be identified through inspection staff’s
review of how the firm considers and addresses risks in connection with
engagement acceptance and continuance decisions. QC deficiencies of the second
type are inferred through analysis of deficiencies identified during inspections of
individual issuer audit engagements. For example, a QC deficiency related to a
firm’s performance of audit procedures may be identified through inspection staff
review of the performance of audit procedures related to management’s
accounting estimates.387
•

Deficiencies presented in Part I.A of an inspection report represent deficiencies in
issuer audits selected for inspection that were of such significance that the Board
believes that the firm, at the time it issued its audit report, had not obtained
sufficient appropriate audit evidence to support its opinion on the issuer’s
financial statements and/or internal control over financial reporting. As part of the
PCAOB’s process for reviewing firms’ QC systems, PCAOB inspection teams
evaluate whether identified deficiencies in individual audits indicate a defect or
potential defect in a firm’s QC system. However, a Part I.A deficiency does not,
on its own, necessarily imply significant defects or potential defects in a firm’s
QC system. The PCAOB inspection team will consider the nature, significance,
and frequency of deficiencies and related firm methodology, guidance, practices,
and possible root causes when assessing whether Part I.A deficiencies in

Board’s satisfaction criticisms of, and potential defects in, the firm’s QC system within 12 months
after the issuance of the PCAOB inspection report, Part II of the report will be issued publicly to
include such deficiencies. Additional information is available on the PCAOB website at
https://pcaobus.org/oversight/inspections/remediation.
See PCAOB Rel. No. 2012-003, at 8-9.

See PCAOB Rel. No. 2012-003, at 8.

individual audits indicate significant defects or potential defects in a firm’s QC
system that should appear in Part II of the firm’s inspection report.388
•

The Dodd-Frank Wall Street Reform and Consumer Protection Act gave the
PCAOB oversight of auditors of broker-dealers registered with the SEC. In June
2011, the PCAOB established an interim program to inspect these auditors and
identify and address with them any significant issues observed in their audits and
related attestation engagements. This interim inspection program remains in place
today. The inspection processes for audits of issuers and broker-dealers are
different in many respects, including the applicable laws, rules, and professional
standards; the inspection selection process; inspection focus areas; and reporting
of inspection results. In particular, unlike PCAOB inspections of issuer audits,
which lead to an inspection report for each inspected firm, the PCAOB issues a
single annual report on the interim inspection program related to audits of
brokers-dealers, which summarizes the results of the PCAOB’s inspections of
broker-dealer engagements performed during the previous year.389

•

The analysis of QC and issuer audit deficiencies below is presented over a twelveyear period for three separate categories of firms: (1) U.S. GNFs, (2) other firms
having more than five inspected issuer engagements, and (3) other firms having
five or fewer inspected issuer engagements.390 Categorizing inspections

Additional information on PCAOB inspection procedures is available on the PCAOB website at
https://pcaobus.org/oversight/inspections/inspection-procedures.

See Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers,
PCAOB Rel. No. 2023-005 (Aug. 10, 2023). Additional information on the interim inspection
program is available on the PCAOB website at https://pcaobus.org/resources/information-foraudit-firms/information-for-auditors-of-broker-dealer.

Time trends can help to identify associative relationships and may suggest how the audit market
could evolve absent the requirements. However, time trends in PCAOB inspection deficiencies
depend on, among other things, changes in the set of firms and engagements selected for
inspection. Firms that issue 100 or fewer audit reports for issuers are, in general, inspected at least
once every three years. Firms that issue audit reports for more than 100 issuers are inspected
annually. Therefore, the set of inspected firms and engagements is not fixed year over year.

information among firms of different sizes helps account for the significantly
skewed variation in audit firm size present in the audit market.391 The 2011
through 2022 period is used because information from earlier inspection years is
less comparable and information from later inspection years was not completely
available as of the date of this analysis. Information was preliminary for the 2022
inspection year as of the date of the PCAOB staff analysis.
•

The analysis of audit and attestation engagement deficiencies included in annual
reports on the PCAOB’s interim inspection program related to audits of brokers
and dealers below is presented over a 12-year period. The 2011 through 2022
period is used because 2011 was the first year of the interim inspection program
and 2022 is the most recent year that data are available as of the date of this
analysis. Information on deficiencies associated with attestation examinations or
reviews is not available prior to 2015 because 2015 was the first full year during
which the PCAOB was able to review attestation engagements of brokers and
dealers.

Current PCAOB QC standards recognize that the nature, extent, and formality of a firm’s QC
policies and procedures should take into account various factors, including the size of the firm.
Because PCAOB QC assessments also take into account these factors, the number of QC
deficiencies across each of the three categories of firms are not directly comparable. See PCAOB
Rel. No. 104-2006-077 , at 9-10.

1. Proxies related to compliance with professional standards
This subsection presents analyses of three quantitative proxies for the level of
compliance with professional standards and thus provides information on the baseline for
considering the key expected benefit of the requirements: improved compliance with
professional standards. Specifically, it presents information on Part I.A deficiencies, QC
deficiencies related to audit performance, and broker-dealer engagement deficiencies,
from the audits or engagements PCAOB inspected. Overall, the analyses suggest that
some firms’ QC systems may not be providing the required reasonable assurance.
Broker-dealer engagements and issuer audits performed by firms other than U.S. GNFs
appear to have more room for improvement on average based on the period examined.
a. Part I.A deficiencies
Figure 1 presents for categories of PCAOB-inspected audits the percentage of
inspected issuer audits having at least one Part I.A deficiency. PCAOB staff calculated
the Part I.A deficiency rates by dividing the number of inspected issuer audits that had at
least one Part I.A deficiency by the number of inspected issuer audits for each given year.
The Part I.A deficiency rate should not be equated with the rate of audit deficiencies
across the whole issuer population. It may understate the true rate of issuer audit
deficiencies because some deficiencies may not rise to the level of a Part I.A deficiency
and because PCAOB inspectors do not inspect all aspects of inspected audits. However, it
may also overstate the true rate of issuer audit deficiencies because PCAOB inspectors
generally focus their attention on, among other things, audits and audit areas with a
heightened risk of material misstatement.
Despite these potential biases in the Part I.A deficiency rate, the Board believes
that the Part I.A deficiency rates presented in Figure 1 are indicative of underlying issuer
audit deficiencies. However, there are two caveats that may impact the interpretation of
Figure 1. First, because the audits with deficiencies are not drawn from a random sample,

the deficiencies could be driven in part by changes over time in the proportion of
reviewed audits that were selected based on characteristics associated with high-risk
audits. Second, PCAOB inspections staff review more focus areas during reviews of U.S.
GNF issuer audits than they do during reviews of other firms’ issuer audits, increasing
the opportunity for a reviewed U.S. GNF issuer audit to have at least one Part I.A
deficiency.
For U.S. GNFs, Figure 1 shows that the percentage of inspected issuer audits
having at least one Part I.A deficiency was 37% in 2011 and 30% in 2022 For other
firms, the percentage has remained in the 31% to 53% range.
Figure 1. Percentage of Inspected Issuer Audits Having at Least One Part I.A
Deficiency (2011-2022)

Figure 2 provides additional insight on how the percentage of inspected issuer
audits having at least one Part I.A deficiency varies by firm. Each bar indicates the
percentage of 2020, 2021, and 2022 firm inspections with a Part I.A deficiency rate
within a given range. For example, Figure 2 indicates that 22% of all 2020, 2021, and

2022 U.S. GNF inspections and 11% of all 2020, 2021, and 2022 inspections of other
firms with more than five inspected engagements had a Part I.A deficiency rate below
10%. Figure 2 excludes firm inspections with five or fewer inspected engagements
because the Part I.A deficiency rate is a less informative proxy in these cases due to the
small number of inspected engagements.
Figure 2. Percentage of Firm Inspections with a Part I.A Deficiency Rate within a
Given Range (2020-2022)

Note: During the 2020, 2021, and 2022 inspection years, there were in total 18
inspections of U.S. GNFs and 35 inspections of other firms having more than five
engagements reviewed.
b. QC deficiencies related to audit performance
Figure 3 presents the average number of QC deficiencies related to audit
performance per inspected firm. QC deficiencies related to audit performance are inferred
through analysis of inspections of individual audits and thus represent another proxy for
the level of compliance with professional standards. To prepare Figure 3, PCAOB staff

counted the number of distinct QC deficiencies related to audit performance in Part II of
PCAOB inspection reports. Staff assigned a zero to firm inspections that resulted in no
QC deficiencies related to audit performance. Staff then calculated averages per inspected
firm by year and firm group, assigning equal weight to each QC deficiency regardless of
its nature or whether it was a repeat deficiency. While the total number of QC
deficiencies is not readily comparable across each of the three categories of firms because
of differences in inspection approach, the averages have ranged between 3.3 and 15.8 for
U.S. GNFs, between 2.9 and 8.0 for other firms having more than five engagements
reviewed, and between 0.9 and 2.7 for other firms having five or fewer engagements
reviewed. Two caveats may impact the interpretation of Figure 3. First, starting in 2019,
the PCAOB revised its approach to identifying QC deficiencies related to audit
performance. The Board believes this policy change reduced the number of QC
deficiencies related to audit performance for some of the inspections of non-affiliated
firms (“NAFs”) but not for the U.S. GNFs. Second, the variability in the deficiency rate
in the second panel may be due in part to year-over-year changes in the set of firms
having more than five engagements reviewed, which may include triennial firms.392

Firms that issued audit reports with respect to 100 or fewer issuers during the prior calendar year
(“triennial firms”) must be inspected at least once every three years.

Figure 3. Average Number of QC Deficiencies Related to Audit Performance Per
Inspected Firm (2011-2022)

c. Broker-dealer engagement deficiencies
Figure 4 presents the percentage of broker-dealer audits with deficiencies and the
percentage of attestation engagements and reviews with deficiencies, among the selected
sample of PCAOB engagements. The percentages are reproduced from the PCAOB’s
annual reports on the interim inspection program related to the audits of broker-dealers.
The percentages are equal to the number of inspected engagements for which there were
deficiencies divided by the number of inspected engagements. The percentages of audits
and attestation examinations with deficiencies have remained greater than 45%. The
percentage of attestation reviews with deficiencies has remained in the 23% to 54%
range.

Figure 4. Percentages of Broker-Dealer Engagements with Deficiencies (2011-2022)

100%

Deficiencies Associated
with Audits

80%

Deficiencies Associated
with Attestation
Examinations
Deficiencies Associated
with Attestation Reviews

60%

40%

20%

0%
2013

2017

2021

2. Resources associated with QC systems
Firms implement their QC systems through a set of policies and procedures.
These policies and procedures vary across firms, reflecting both the principles-based
nature of current QC standards and the variation in firms’ particular circumstances. To
inform the baseline for considering the expected costs of the requirements, PCAOB staff:
(1) held initial discussions with U.S. GNFs to obtain qualitative information regarding the
resources associated with their QC systems and (2) conducted a voluntary survey of U.S.
GNFs on the resources they employ to design, implement, and operate QC policies and
procedures. Overall, the information indicates the resources that U.S. GNFs are already
devoting to the design, implementation, and operation of QC policies and procedures
related to the ISQM 1 requirements.
The U.S. GNF survey requested both qualitative and quantitative information for
each of the eight QC system components specified by ISQM 1: risk assessment,
governance and leadership, independence and ethics, acceptance and continuance,
engagement performance, resources (human, intellectual, and technological), information

and communication, and monitoring and remediation.393 In addition, the survey requested
qualitative and quantitative information related to network requirements or network
services, evaluation of the QC system, and documentation.394 The request referred to
ISQM 1 explicitly in order to facilitate comparability of the information gathered across
firms and to the proposed QC standard.
All six U.S. GNFs provided qualitative information and five provided quantitative
information. Staff received completed surveys between June 23 and July 6, 2021. The
respondents provided the information as of their most recently completed fiscal year-end
or QC system assessment date.
The qualitative information that PCAOB staff received indicates that U.S. GNFs’
QC policies and procedures are extensive and highly integrated with the audit process.
Multiple groups, teams, functions, and individuals participate in the design,
implementation, and operation of QC policies and procedures. Engagement teams play a
key role in the operation of many QC policies and procedures. Among other QC-related
responsibilities, engagement teams often assist in acceptance and continuance decisions;
initiate consultations; help maintain accurate and complete information within
independence systems; attend training; and initiate and complete individual performance
evaluations.
The U.S. GNFs’ QC systems involve multiple IT systems that support QC
activities and may also serve other operational functions. These QC systems may also
rely upon work or services provided by the firm’s global network and/or third-party
vendors. Global network services may relate to development and maintenance of
technological and intellectual resources (e.g., global audit methodology, global
independence and assurance policies and procedures, etc.) or monitoring the quality of

See paragraphs 23-33 and 35-47 of ISQM 1.

See paragraphs 48-60 of ISQM 1.

audit services performed by network affiliates. The firms report making ongoing
investments in their QC systems, including implementation of new technology that
supports QC activities.
The quantitative portion of the survey asked the U.S. GNFs to estimate: (1) the
number of firm personnel involved in designing, implementing, or operating QC policies
and procedures on an annual basis (by partner vs. non-partner); (2) the percentage of their
time committed; and (3) the expected percentage change in QC resource requirements as
of December 15, 2022, when ISQM 1 became effective.395 PCAOB staff asked the firms
to include in their estimates only those resources directly related to the design,
implementation, and operation of QC policies and procedures over audits of U.S. issuers
and broker-dealers. In cases where removing time spent on QC policies and procedures
related to audits of private companies was prohibitively difficult or impossible, staff
asked firms to include this time in their estimates and describe the inseparable portion.
Firms reported that their QC policies and procedures generally apply across their entire
audit practice and thus their estimates typically included resources dedicated to QC
systems over engagements performed under PCAOB standards as well as audits
performed under other standards.
In initial discussions with the U.S. GNFs, firms reported that identifying all firm
personnel hours related to their QC systems would be an enormous challenge. To make
the data request feasible, PCAOB staff directed firms to exclude from their quantitative
estimates time spent by engagement teams operating QC policies and procedures (e.g.,

More specifically, staff asked U.S. GNFs to estimate the number of firm personnel who are
directly involved in the design, implementation, or operation of each QC system component by
commitment level (i.e., <10%, 10-40%, 40-60%, 60-90%, or >90% of the individual’s time). If an
individual committed time to multiple QC system components, staff asked firms to count the
individual once for each QC component and to indicate the time committed to each component.
For example, if an individual committed 100% of the individual’s time to the firm’s QC system,
50% to acceptance and continuance and 50% to monitoring and remediation, firms were asked to
count the individual under the 40-60% commitment level for both components.

performing independence procedures, planning for or engaging in consultations,
executing the firm’s methodology) and facilitating internal inspections. Staff also asked
firms to exclude: (1) time spent by firm personnel attending training; (2) time spent by
individuals on compliance with personal independence policies and procedures; (3) time
spent performing engagement quality reviews of individual engagements; and (4) any
resources invested at the global network level to design, implement, or operate QC
policies or procedures. The qualitative information received from the firms suggests that
these aspects of their QC systems are likely resource-intensive.
Table 1 summarizes the quantitative information received in aggregate form. It
presents the means and standard deviations of partner, non-partner, and total full-time
equivalents (FTEs) by QC system component.396 The means provide a sense of average
scale while the standard deviations provide a sense of average variability across the firms.
Overall, the means presented in Table 1 indicate that U.S. GNFs commit a mean of 647.9
total FTEs to designing, implementing, and operating their QC policies and procedures.
QC policies and procedures related to: (1) independence and ethics utilize a mean of
189.9 total FTEs and (2) human, intellectual, and technological resources utilize a mean
of 252.6 total FTEs. Non-partner FTEs are roughly 3.5 times partner FTEs, but partners
play a relatively larger role in the governance and leadership, engagement performance,
and monitoring and remediation components of QC systems. The standard deviations

To calculate the means presented in Table 1, staff summed the number of individuals directly
involved in the design, implementation, or operation of each QC system component, weighting
individuals by the mid-point of their respective commitment level and divided by the number of
firms that were able to provide data for the respective QC system component. The “Total” row
mean is equal to the number of individuals directly involved in the design, implementation, or
operation of any QC system component, weighting individuals by the mid-point of their respective
commitment level divided by five (i.e., the number of firms that provided quantitative
information). Therefore, the “Total” row mean does not equal the sum of the QC component-level
means. The standard deviations presented in Table 1 were calculated without Bessel corrections.
The standard deviation for the “Other” component is equal to the geometric mean of the standard
deviations of the network requirements or network services, evaluation of the system of quality
management, and documentation components. The Board’s data are insufficient to account for
potential covariances between these components.

presented in Table 1 indicate that the average variability across firms is 499.9 total FTEs.
The average variability for the independence and ethics component is 173.9 total FTEs
and for the resources component is 295.2 total FTEs.
The mean “Total” row values presented in Table 1 may include some
underestimation error for several reasons. First, some firms were unable to reasonably
estimate all of the resources for certain components, most notably for the governance and
leadership component. Second, firms were generally unable to reliably estimate the cost
of IT infrastructure that supports the QC system. Third, firms were generally unable to
reliably estimate the portion of common-pool resources attributable to the QC system that
support broader operational or financial objectives of the firm. Fourth, due to estimation
challenges as described above, firms were directed to exclude certain resources from their
estimates, including time spent by engagement teams executing QC policies and
procedures and time spent by firm personnel attending training.
By contrast the mean “Total” row values may also include some overestimation
error. For example, firms broadly reported that their QC policies and procedures apply to
both issuer and non-issuer audits and it would generally be infeasible to identify firm
personnel hours related to quality control over issuer audits only. In these cases, PCAOB
staff asked firms to include both issuer and non-issuer QC hours in their estimates.
Some firms were unable to separately break out the level of resources committed
to designing, implementing, and operating QC policies and procedures for risk
assessment, information and communication, network requirements or network services,
evaluation of the system of quality management, and documentation. These firms
distributed these resources across the remaining components. While this leads to some
overestimation error to the remaining components, the information provided by the firms
that were able to separately break out these components indicates that these components
are relatively less resource-intensive and, therefore, the overestimation error is likely

small. This overestimation error does not apply to the mean “Total” row values because
any errors in how the firms allocated across components nets out when summing.
Table 1. Resources Associated with U.S. GNFs’ QC Policies and Procedures

Risk Assessment
Governance and Leadership
Independence and Ethics
Acceptance and Continuance
Engagement Performance
Resources
Information and
Communication
Monitoring and Remediation
Other*
Total

Partner (FTEs)
Mean
Per
St. Dev
Firm
2.1
1.4
10.0
5.8
17.7
15.7
11.5
6.1
38.9
23.1
42.4
36.6

Non-Partner
(FTEs)
Mean
Per
Firm
St. Dev
4.6
2.3
9.2
9.3
172.2
164.2
13.7
13.8
52.8
29.0
210.2
267.0

Total (FTEs)
Mean
Per
Firm
St. Dev
6.7
2.4
19.2
14.7
189.9
173.9
25.2
14.2
91.7
49.0
252.6
295.2

2.6
22.1
4.1
143.6

8.6
34.9
11.6
504.3

11.2
56.9
15.6
647.9

2.6
7.1
0.6
85.3

3.3
15.1
2.5
428.9

4.9
21.1
2.8
499.9

* The “Other” category includes network requirements or network services, evaluation of the system of
quality management, and documentation.

Most U.S. GNFs were unable to provide precise estimates regarding expected
future changes in QC system resource requirements as of December 15, 2022, when
ISQM 1 became effective. The qualitative information provided by the firms indicates
that: (1) additional resources likely were required; (2) some of the U.S. GNFs had
assigned teams to manage ISQM 1 implementation; and (3) the risk assessment
component and the evaluation of the system of quality management component were
expected to require the most additional resources.
The Board also received information regarding non-GNFs through the proposal
comment process that indicates that non-GNFs have devoted resources to the design,
implementation, and operation of QC policies and procedures related to ISQM 1 and/or
SQMS 1 requirements. One commenter noted that national firms with fewer than 500

issuers have significantly fewer resources associated with QC policies and procedures.397
One commenter noted that firms have invested significant time and resources to comply
with the existing quality management standards from other standard setters, and another
commenter noted that, at least with respect to QC roles and responsibilities, smaller firms
have already designed their processes to accord with ISQM 1 and SQMS 1. One firm
explained that its implementation efforts of ISQM 1 required a great deal of evaluation of
risks and related responses, and another firm explained that its implementation effort was
a significant undertaking that involved a number of people across the firm. Another
commenter suggested that non-U.S. firms may be incorporating quality management
frameworks adopted by their local regulator, such as CPAB’s Quality Management
System framework. Several commenters representing non-GNF perspectives focused
more generally on the provisions of QC 1000 that diverge from ISQM 1 and SQMS 1,
which the Board understands as implying that these firms had expended resources to
construct and operate quality control systems in compliance with those standards.
However, at least one commenter noted that for small firms that do not need to comply
with ISQM 1, efforts may be ongoing to implement SQMS 1, indicating that some of
these firms may be focused on resources for design and may not yet be spending
resources to operate QC policies in line with SQMS 1.
One commenter noted research that appears to be too tangential or unrelated to
actual resources employed by firms to be useful for advancing the Board’s understanding
of resources associated with the design, implementation, and operations of their QC
systems. The commenter noted that most academic studies related to resources employed

The commenter asserted that the mean total FTEs reported in Table 1 for GNFs represent
approximately 10% of partners and employees for firms of similar size and composition to the
commenter. However, the commenter also reported having approximately 90% fewer partners and
employees than some U.S. GNFs and approximately 99% fewer than other U.S. GNFs, so the
resources reported in Table 1 would likely be scaled down accordingly for the commenter and
similar sized firms.

by NAFs or foreign affiliates of GNFs in the design, implementation, and operations of
their QC systems focus on either: (1) the contributions of internal quality reviews to audit
firm quality398 or (2) the association of audit firm network arrangements, as proxies for
resources, with audit quality.399 For example, one study suggests that when firms have
formal connections via networks or large alliance arrangements, audits within those
arrangements have similar levels of quality,400 which the commenter noted may imply
that formal connections are a vehicle to share and enforce QC practices.
3. Developments in firms’ QC policies and procedures
This subsection provides information on the evolution of firms’ QC policies and
procedures. First, it describes changes firms have made to their QC policies and
procedures to remediate QC deficiencies identified in inspection reports. Second, it
presents analyses of QC deficiencies related to firms’ management of their audit
practices. QC deficiencies related to firms’ management of their audit practice relate to
the operation of QC policies and procedures. Overall, the information suggests that QC
policies and procedures are advancing.
Many firms have implemented a number of changes to their QC systems to
remediate their QC deficiencies.401 Changes brought about through remediation are wide-

See, e.g., Richard W. Houston and Chad M. Stefaniak, Audit Partner Perceptions of Post-Audit
Review Mechanisms: An Examination of Internal Quality Reviews and PCAOB Inspections, 27
Accounting Horizons 23 (2013); Denise Hanes Downey and Kimberly D. Westermann,
Challenging Global Group Audits: The Perspective of US Group Audit Leads, 38 Contemporary
Accounting Research 1395 (2021); Olof Bik and Reggy Hooghiemstra, Cultural Differences in
Auditors’ Compliance with Audit Firm Policy on Fraud Risk Assessment Procedures, 37 Auditing:
A Journal of Practice & Theory 25 (2018).

See, e.g., Renee Flasher and Kristy Schenck, Exploring PCAOB Inspection Results for Audit
Firms Headquartered Outside of the US, 37 Journal of International Accounting, Auditing and
Taxation 1 (2019); Philip Keejae Hong, David S. Kerr, and Casper E. Wiggins, PCAOB
International Inspections: Updates and Extensions, 26 International Journal of Auditing 279
(2022); Matthew S. Ege, Young Hoon Kim, and Dechun Wang, Do Global Audit Firm Networks
Apply Consistent Audit Methodologies across Jurisdictions? Evidence from Financial Reporting
Comparability, 95 The Accounting Review 151 (2020).

See Flasher and Schenck, Exploring PCAOB Inspection Results 1.

Additional information about the PCAOB remediation process is available on the PCAOB website
at https://pcaobus.org/oversight/inspections/remediation/remediation_process.

ranging and can touch upon all major elements of the current QC standards. The nature,
extent, and formality of changes made by a firm vary based on the size of the firm and
the nature and complexity of its practice. Examples of changes made by various types of
firms include:402
•

Adding in-process review and coaching programs to assist engagement teams in
certain challenging areas, including ICFR and accounting estimates;

•

Creating a committee to evaluate partner performance in relation to audit quality
and issuing an accountability framework with penalties for negative audit quality
events;

•

Implementing a new template that includes guidance to facilitate the assessment
and documentation of partner performance, including guidance related to various
performance metrics (such as technical knowledge; leadership and training skills;
and compliance with firm quality control policies and procedures);

•

Requiring audit partners to articulate specific actions they will take to achieve
performance goals related to audit quality and providing additional guidance and
information around partner workload management;

•

Implementing new policies and procedures for engagement teams to focus on
obtaining a thorough understanding of how issuers initiate, record, process, and
report significant classes of transactions and how that information is recorded in
the financial statements;

•

Hiring external consultants to work with the firm to develop a new ICFR audit
approach;

Examples are drawn from firms’ Rule 4009 submissions. A Rule 4009 submission is a submission
prepared by a firm, pursuant to PCAOB Rule 4009, concerning the ways in which a firm has
addressed a QC criticism. For additional background, see PCAOB Rel. No. 104-2006-077.

•

Adding new leadership positions to the internal inspection program, developing
new analysis and reporting of internal inspection findings, and beginning to
disseminate findings more broadly;

•

Creating a committee to provide oversight on the firm’s audit quality initiatives
and a new leadership position to drive consistency across regions; and

•

Implementing new templates that provide guidance related to performing a root
cause analysis, including identifying areas of a firm’s quality control process to
perform causal analysis, collecting relevant data, and documenting the results.
The Board took these observations into account in developing QC 1000.
One commenter, an academic, referred to a recent unpublished study examining

how firms change and manage their QC systems, which involved surveying QC leaders
from eight U.S. accounting firms. The commenter reported that the three most common
changes currently underway in the firms relate to: (1) engagement monitoring and use of
data analytics; (2) organizational structure (e.g., a dedicated ISQM team, independent
advisors); and (3) a more proactive approach to identifying QC issues.403
Figure 5 presents the average number of QC deficiencies related to firms’
management of their audit practice per inspected firm. To prepare Figure 5, PCAOB staff
counted the number of distinct QC deficiencies related to firms’ management of their
audit practice in Part II of PCAOB inspection reports. Staff assigned a zero to firm
inspections that resulted in no QC deficiencies related to the firm’s management of its
audit practice. Staff then calculated averages per inspected firm by year and firm group,
assigning equal weight to each QC deficiency regardless of its nature or whether it was a
repeat deficiency. While the total number of QC deficiencies are not readily comparable

The commenter also reported that the three most commonly described ideal changes relate to: (1)
engagement monitoring and use of data analytics; (2) human talent-related initiatives such as
changes to hiring and promotion practices; and (3) client risk assessment processes. Ideal changes
are described as changes the QC leaders would make if the firms did not face resource constraints.

across each of the three categories of firms, the averages have ranged between 0.8 and
10.2 for U.S. GNFs, between 0.3 and 1.5 for other firms having more than five
engagements reviewed, and between 0.3 and 0.6 for other firms having five or fewer
engagements reviewed.
Figure 5. Average Number of QC Deficiencies Related to Firms’ Management of
Their Audit Practice per Inspected Firm (2011-2022)

4. Academic literature on quality-threatening behaviors and quality control
This subsection discusses academic research on behaviors that suggest certain
weaknesses in QC systems in practice. Over time, researchers have documented a variety
of quality-threatening behaviors, including “premature sign-off of audit procedures,
failure to perform required procedures, inappropriate reductions in substantive testing or
other forms of under-auditing, underreporting of time, inadequate adjustments of audit
procedures in response to changing risk conditions, and over-reliance on management
explanations of unusual deviations in analytical procedures.”404
Some commenters provided additional specific examples of quality-threatening
behaviors. For example, one commenter reported that some academic research finds

Monika Causholli and W. Robert Knechel, An Examination of the Credence Attributes of an Audit,
26 Accounting Horizons 631, 647 (2012).

auditors may not always be objective when deciding on the acceptability of
management’s accounting choices or when recommending audit adjustments that would
reduce reported income or assets.405 Citing a settlement between a U.S. GNF and the
Federal Deposit Insurance Corporation, another commenter asserted that one firm’s QC
system failed when one of the firm’s engagement teams inappropriately assigned a
responsibility to an intern.
Research suggests that quality-threatening behaviors imply a failure of QC
systems to provide reasonable assurance of compliance.406 Moreover, some research
suggests that, while not solely responsible, certain features of firms’ management of their
audit practice may encourage quality-threatening behaviors.407 For example, experimental
research suggests that certain cognitive biases in auditor evaluation and reward systems
may inadvertently deter appropriate professional skepticism408 and other studies suggest
that partner reward systems at some firms may weight revenue generation more heavily
than professional competencies.409 Some research finds that reward systems oriented
toward revenue generation are associated with lower proxies for audit quality.410

See, e.g., Kathryn Kadous, Jane S. Kennedy, and Mark E. Peecher, The Effect of Quality
Assessment and Directional Goal Commitment on Auditors’ Acceptance of Client-Preferred
Accounting Methods, 78 Accounting Review 759 (2003); Christopher Koch and Steven E.
Salterio, The Effects of Auditor Affinity for Client and Perceived Client Pressure on Auditor
Proposed Adjustments, 92 Accounting Review 117 (2017); Lori Shefchik Bhaskar, Patrick E.
Hopkins, and Joseph H. Schroeder, An Investigation of Auditors’ Judgments When Companies
Release Earnings before Audit Completion, 57 Journal of Accounting Research 355 (2019).

See, e.g., Jean C. Bedard, Donald R. Deis, Mary B. Curtis, and J. Gregory Jenkins, Risk
Monitoring and Control in Audit Firms: A Research Synthesis, 27 Auditing: A Journal of Practice
& Theory 187 (2008).

See, e.g., David P. Donnelly, Jeffrey J. Quirin, and David O'Bryan, Attitudes Toward
Dysfunctional Audit Behavior: The Effects of Locus of Control, Organizational Commitment, and
Position, 19 Journal of Applied Business Research 95 (2003).

See, e.g., Joseph F. Brazel, Scott B. Jackson, Tammie J. Schaefer, and Bryan W. Stewart, The
Outcome Effect and Professional Skepticism, 91 The Accounting Review 1577 (2016).

See, e.g., Marie-Laure Vandenhaute, Kris Hardies, and Diane Breesch, Professional and
Commercial Incentives in Audit Firms: Evidence on Partner Compensation, 29 European
Accounting Review 521 (2020).

See, e.g., Jürgen Ernstberger, Christopher Koch, Eva Maria Schreiber, and Greg Trompeter, Are
Audit Firms’ Compensation Policies Associated With Audit Quality? 37 Contemporary

Synthesizing several recent academic studies, one commenter reported that an excessive
focus on commercialism, rather than professionalism, continues to be a dominant focus
within firms’ cultures and may negatively impact audit quality.411 The commenter also
reported that academic research indicates quality-threatening behaviors may be
negatively associated with audit team leadership characteristics.412 For example, skeptical
auditors may be penalized if they do not find a material misstatement,413 audit managers
sometimes reward senior associates for performing the unethical act of under-reporting
time when the client is more desirable,414 or while internal inspections lead to increased
auditor effort in the inspection year, positive internal inspection results may lead auditors
to decrease effort in the future.415

Accounting Research 218 (2020); Thomas Riise Johansen and Jeppe Christoffersen, Performance
Evaluations in Audit Firms: Evaluation Foci and Dysfunctional Behavior, 21 International Journal
of Auditing 24 (2017).
See, e.g., Christina Thomas Alberti, Jean C. Bedard, Olof Bik, and Ann Vanstraelen, Audit Firm
Culture: Recent Developments and Trends in the Literature, 31 European Accounting Review 59
(2022); Chris Carter and Crawford Spence, Being a Successful Professional: An Exploration of
Who Makes Partner in the Big 4, 31 Contemporary Accounting Research 949 (2014); Ken H.
Guo, The Institutionalization of Commercialism in the Accounting Profession: An IdentityExperimentation Perspective, 35 Auditing: A Journal of Practice and Theory 99 (2016); ClaireFrance Picard, Sylvain Durocher, Yves Gendron, The Colonization of Public Accounting Firms by
Marketing Expertise: Processes and Consequences, 37 Auditing: A Journal of Practice & Theory
191 (2018); Jonathan S. Pyzoha, Mark H. Taylor, and Yi-Jing Wu, Can Auditors Pursue FirmLevel Goals Nonconsciously on Audits of Complex Estimates? An Examination of the Joint Effects
of Tone at the Top and Management’s Specialist, 95 The Accounting Review 367 (2020).

See, e.g., Noel Harding and Ken T. Trotman, The Effect of Partner Communications of Fraud
Likelihood and Skeptical Orientation on Auditors’ Professional Skepticism, 36 Auditing: A
Journal of Practice & Theory 111 (2017); Sean A. Dennis and Karla M. Johnstone, A Field Survey
of Contemporary Brainstorming Practices, 30 Accounting Horizons 449 (2016); Jodi L. Gissel
and Karla M. Johnstone, Information Sharing During Auditors’ Fraud Brainstorming: Effects of
Psychological Safety and Auditor Knowledge, 12 Current Issues in Auditing P1 (2018).

See, e.g., Brazel, et al., The Outcome Effect.

See, e.g., Christopher P. Agoglia, Richard C. Hatfield, Tamara A. Lambert, Audit Team Time
Reporting: An Agency Theory Perspective, 44 Accounting, Organizations & Society 1 (2015).
Desirability in this case is determined by various situational and contextual factors that are
inherent to the client, such as a client that is convenient for the audit manager’s work schedule, a
client that is easy to get to, client management that the audit manager gets along particularly well
with personally, a client that is within the audit manager’s industry of interest, or an engagement
that involves an influential partner at the audit manager’s office.

See, e.g., Daniel Aobdia and Reining C. Petacchi, The Effect of Audit Firm Internal Inspections on
Auditor Effort and Financial Reporting Quality, 98 The Accounting Review 1 (2023).

An excessive focus on commercial objectives may also lead to undue focus on
cost-control in the execution of audits. For example, in one study, audit staff report
working, on average, five hours per week, and sometimes 20 hours per week, past the
threshold where they feel audit quality begins to deteriorate.416 In another study, audit
staff report working on average 72 hours per week during busy season.417 Other research
finds that a heavier workload in the fieldwork phase of the audit is negatively associated
with proxies for audit quality418 and that high levels of time pressure are positively
associated with audit quality-threatening behaviors.419 Referring to academic research,
one commenter reported that engagement-level pressures, including meeting budgets, can
affect audit quality.420 The commenter also reported that academic research finds that
audit partner workload compression is negatively associated with audit quality.421
One commenter noted academic papers that study various factors that may impact
audit quality but appear to be too tangential or unrelated to quality-threatening behaviors
that suggest certain weaknesses in QC systems. The commenter included academic
research that studies the relationship between audit teams’ use of the work of other

See Julie S. Persellin, Jaime J. Schmidt, Scott D. Vandervelde, and Michael S. Wilkins, Auditor
Perceptions of Audit Workloads, Audit Quality, and Job Satisfaction, 33 Accounting Horizons 95
(2019).

See Dana R. Hermanson, Richard W. Houston, Chad M. Stefaniak, and Anne M. Wilkins, The
Work Environment in Large Audit Firms: Current Perceptions and Possible Improvements, 10
Current Issues in Auditing A38 (2016).

See, e.g., Brant E. Christensen, Nathan J. Newton, and Michael S. Wilkins, How Do Team
Workloads and Team Staffing Affect the Audit? Archival Evidence from US Audits, 92 Accounting,
Organizations and Society 1 (2021).

See, e.g., Tobias Svanström, Time Pressure, Training Activities and Dysfunctional Auditor
Behaviour: Evidence from Small Audit Firms, 20 International Journal of Auditing 42 (2016).

See, e.g., Mark E. Peecher, M. David Piercey, Jay S. Rich, and Richard M. Tubbs, The Effects of a
Supervisor’s Active Intervention in Subordinate’s Judgments, Directional Goals, and Perceived
Technical Knowledge Advantage on Audit Team Judgments, 85 Accounting Review 1763 (2010);
Koch and Salterio, The Effects 117; and William F. Messier and Martin Schmidt, Offsetting
Misstatements: The Effect of Misstatement Distribution, Quantitative Materiality, and Client
Pressure on Auditors’ Judgments, 93 Accounting Review 335 (2018).

See, e.g., Jun Chen, Wang Dong, Hongling Han, and Nan Zhou, Does Audit Partner Workload
Compression Affect Audit Quality? 29 European Accounting Review 1021 (2020).

participants and audit quality.422 The commenter also cited research from other countries
that finds evidence that partner-related characteristics influence audit quality.423 In
addition, the commenter noted academic papers that find evidence that non-audit services
can negatively affect audit quality through mechanisms other than independence
impairment.424 Moreover, the commenter included research that has examined the
association between PCAOB inspections of audit firms and audit quality but does not
appear to relate specifically to weaknesses in QC systems.425

See, e.g., Candice T. Hux, Use of Specialists on Audit Engagements: A Research Synthesis and
Directions for Future Research, 39 Journal of Accounting Literature 23 (2017); Joseph F. Brazel,
Tina D. Carpenter, and J. Gregory Jenkins, Auditors’ Use of Brainstorming in the Consideration
of Fraud: Reports from the Field, 85 The Accounting Review 1273 (2010); J. Gregory Jenkins,
Eric M. Negangard, and Mitchell J. Oler, Getting Comfortable on Audits: Understanding Firms’
Usage of Forensic Specialists, 35 Contemporary Accounting Research 1766 (2018); Emily E.
Griffith, Jacqueline S. Hammersley, and Kathryn Kadous, Audits of Complex Estimates as
Verification of Management Numbers: How Institutional Pressures Shape Practice, 32
Contemporary Accounting Research 833 (2015); Nathan H. Cannon and Jean C. Bedard, Auditing
Challenging Fair Value Measurements: Evidence from the Field, 92 The Accounting Review 81
(2017); Steven M. Glover, Mark H. Taylor, and Yi-Jing Wu, Current Practices and Challenges in
Auditing Fair Value Measurements and Complex Estimates: Implications for Auditing Standards
and the Academy, 36 Auditing: A Journal of Practice & Theory 63 (2017); J. Efrim Boritz, Natalia
Kochetova-Kozloski, and Linda Robinson, Are Fraud Specialists Relatively More Effective than
Auditors at Modifying Audit Programs in the Presence of Fraud Risk, 90 The Accounting Review
881 (2015); Aleksandra “Ally” B. Zimmerman, Dereck Barr-Pulliam, Joon-Suk Lee, and Miguel
Minutti-Meza, 61 Journal of Accounting Research 1363 (2023).

See, e.g., W. Robert Knechel, Ann Vanstraelen, and Mikko Zerni, Does the Identity of
Engagement Partners Matter? An Analysis of Audit Partner Reporting Decisions, 32
Contemporary Accounting Research 1443 (2015); Yanyan Wang, Lisheng Yu, Yuping Zhao, The
Association between Audit-Partner Quality and Engagement Quality: Evidence from Financial
Report Misstatements, 34 Auditing: A Journal of Practice & Theory 81 (2015); W. Robert
Knechel, Lasse Niemi, and Mikko Zerni, Empirical Evidence on the Implicit Determinants of
Compensation in Big 4 Audit Partnerships, 51 Journal of Accounting Research 349 (2013); Simon
Dekeyser, Ann Gaeremynck, W. Robert Knechel, and Marleen Willekens, The Impact of Partners’
Economic Incentives on Audit Quality in Big 4 Partnerships, 96 The Accounting Review 129
(2021); Herman Van Brenk, Barbara Majoor, and Arnold M. Wright, The Effects of Profit-Sharing
Plans, Client Importance, and Reinforcement Sensitivity on Audit Quality, 40 Auditing: A Journal
of Practice & Theory 107 (2021).

See, e.g., Erik L. Beardsley, Andrew J. Imdieke, and Thomas C. Omer, The Distraction Effect of
Non-audit Services on Audit Quality, 71 Journal of Accounting and Economics 1 (2021); Dain C.
Donelson, Matthew Ege, Andrew J. Imdieke, and Eldar Maksymov, The Revival of Large
Consulting Practices at the Big 4 and Audit Quality, 87 Accounting, Organizations and Society 1
(2020).

See, e.g., Daniel Aobdia, The Impact of the PCAOB Individual Engagement Inspection Process—
Preliminary Evidence, 93 The Accounting Review 53 (2018); Inder K. Khurana, Nathan G.
Lundstrom, and K.K. Raman, PCAOB Inspections and the Differential Audit Quality Effect for Big
4 and Non-Big 4 US Auditors, 38 Contemporary Accounting Research 376 (2021); Lindsay M.
Johnson, Marsha B. Keune, and Jennifer Winchel, U.S. Auditors’ Perceptions of the PCAOB
Inspection Process: A Behavioral Examination, 36 Contemporary Accounting Research 1540
(2019); Kimberly D. Westermann, Jeffrey Cohen, and Greg Trompeter, PCAOB Inspections:

5. Assumptions regarding the baseline
Absent the requirements, the Board believes that many firms would continue to
design and implement new QC policies and procedures or modify existing QC policies
and procedures in response to evolving audit market conditions, technological advances,
PCAOB oversight activities, internal monitoring, and actions of other standard setters.426
The Board believes that most firms have either implemented ISQM 1 or will implement
SQMS 1 when it goes into effect. PCAOB-registered firms with an international presence
or that are part of a global network will likely find it efficient to design and implement a
QC system that complies with both PCAOB standards and ISQM 1 and have that system
operate over their entire assurance practice. For similar reasons, PCAOB-registered firms
with a private company audit practice will likely find it efficient to design and implement
a QC system that complies with both PCAOB standards and SQMS 1 and have that
system operate over their entire assurance practice.
Supporting that view, comment letters on the proposing release suggest that some
firms have already designed and implemented, or are in the process of designing and
implementing, QC policies and procedures consistent with the requirements of other QC
standards. For example, one commenter said that nearly all firms are subject to multiple
QC standards, including ISQM 1. Another commenter said that firms in Europe have
invested heavily to implement ISQM 1. Another commenter said that nearly all firms that
will need to adopt QC 1000 are also subject to other QC standards, including ISQM 1 and
SQMS 1, and that firms have already invested significant time and resources to comply
with them. Another commenter presented its recent survey research that finds firms have

Public Accounting Firms on “Trial”, 36 Contemporary Accounting Research 694 (2019); Bradley
E. Hendricks, Wayne R. Landsman, and F. Peña-Romera, The Revolving Door between Large
Audit Firms and the PCAOB: Implications for Future Inspection Reports and Audit Quality, 97
The Accounting Review 261 (2022).
See above for additional background on the actions of other standard setters.

started to prepare for ISQM 1 and SQMS 1 implementation but that there is variation in
their level of preparedness.427 Overall, the comments indicate that firms have made
progress implementing the quality control standards of other standard setters.
The Board’s view is also informed by several public information sources. First,
the AICPA website indicates that most registered firms that are headquartered in the U.S.
were reviewed as part of the AICPA’s Peer Review program since 2019, and therefore
were required to comply with AICPA QC standards at that time.428 Second, among the
U.S.-headquartered firms that signed an issuer or broker-dealer audit opinion in 2021 but
were not peer reviewed since 2019, most indicate on their web page that they perform
audits or tax services that require them to comply with AICPA QC standards. Third, most
foreign jurisdictions require companies to have a statutory audit performed, which the
Board believes suggests that most registered firms headquartered in foreign jurisdictions
likely perform audits under IAASB QC standards. Finally, firms’ annual reports filed
with the PCAOB on Form 2 for the April 1, 2022, through March 31, 2023, reporting
period indicate that most firms collected fees for services aside from the performance of
issuer audits and therefore may have performed services subject to AICPA or IAASB QC
standards during that time. Overall, the Board believes these public information sources
support its view that most firms will be complying with either ISQM 1 or SQMS 1.
Furthermore, most firms that will not be complying with ISQM 1 or SQMS 1 will likely
be scaled-applicability firms and therefore less impacted by the requirements.
NEED
1. Introduction and summary

See Christie Hayne, Market E. Peecher, Jeff Pickerd, and Yuepin (Daniel) Zhou, Managing
Quality Control Systems: How Audit Firms Experience and Navigate Conflicting Institutional
Demands, available at https://ssrn.com/abstract=4339512.

See AICPA Peer Review web page, available at https://us.aicpa.org/interestareas/peerreview.

This section discusses the problem that the requirements are intended to address
and explains how the requirements address it. Overall, three observations suggest that
there is a problem that the requirements will help to address:
•

Under current PCAOB QC standards, a firm’s QC system is required to provide
reasonable assurance that the firm’s personnel comply with applicable
professional standards, regulatory requirements, and the firm’s standards of
quality.429 However, the audit market does not currently provide sufficient
incentives for all firms to design, implement, and operate QC systems that achieve
this requirement on a consistent basis.

•

Current PCAOB QC standards contain higher-level principles and do not directly
address recent developments in QC. As a result, the current regulatory baseline is
not rigorous enough to sufficiently support PCAOB oversight, further
undermining firms’ and individuals’ incentives to provide the required reasonable
assurance.

•

The lack of incentives to provide the required reasonable assurance is evidenced
by the prevalence of audit performance deficiencies—i.e., Part I.A deficiencies
and QC deficiencies related to audit performance discussed above—which, as
noted in the first two observations above, suggest that some firms’ QC systems
are not providing the required reasonable assurance.
The requirements of QC 1000 will help address the problem by establishing three

overarching features, which are discussed further below:
•

The requirements mandate firms’ QC systems to more proactively assess risks
and monitor and remediate deficiencies.

See above for more discussion of current QC requirements.

•

The requirements improve accountability within firms with respect to the
reasonable assurance objective.

•

The requirements use more precise language and include more prescriptive
requirements in key areas to reflect best practices.

2. The audit market does not provide sufficient incentives for all firms to design,
implement, and operate QC systems that provide reasonable assurance
A diverse set of investors and other financial statement users need and request
high quality audits. However, due to the presence of asymmetric information430 and
positive externalities431 in the audit market, there are not sufficient incentives for all firms
to design, implement, and operate QC systems that provide reasonable assurance that a
firm’s personnel comply with applicable professional standards, regulatory requirements,
and the firm’s standards of quality. This lack of incentives can lead to an inefficient
allocation of audit services as described in the following paragraphs.
Investors and other financial statement users cannot easily observe the services
performed by an auditor. This information asymmetry creates a risk that, unbeknownst to
investors and other financial statement users, auditors may under-audit and gather
insufficient audit evidence to support their opinion or may otherwise depart from
applicable requirements. Economic theory refers to this effect as moral hazard.432 While
this may enable the auditor to do less work and reduce potential conflicts with company

See N. Gregory Mankiw, Principles of Economics 468 (6th ed. 2008) (“A difference in access to
relevant knowledge is called an information asymmetry.”).

See Mankiw, Principles of Economics 196 (“An externality arises when a person engages in an
activity that influences the well-being of a bystander but neither pays nor receives any
compensation for that effect…If it is beneficial, it is called a positive externality.”).

See, e.g., Mankiw, Principles of Economics 468 (“Moral hazard is a problem that arises when one
person, called an agent, is performing some task on behalf of another person, called the principal.
If the principal cannot perfectly monitor the agent’s behavior, the agent tends to undertake less
effort than the principal considers desirable.”).

management and may therefore lead to short-run benefits for the auditor, it may also lead
to a net welfare loss in the audit market as a whole.433
A positive externality inherent to the current audit market may exacerbate this
risk. The services of an auditor provide benefits to a variety of investors and financial
statement users, including current shareholders, potential shareholders, investors in other
companies, creditors, and regulators, among others. However, auditors do not bargain
with all of these parties. Rather, Sarbanes-Oxley requires that the audit committee be
responsible for the appointment, compensation, and retention of the auditor.434 In
practice, company management may also play a role through its influence over the audit
committee.435 This creates a de facto principal-agent relationship between the company
and the auditor. Moreover, some beneficiaries of the auditor’s work (e.g., investors
generally, who benefit from overall confidence in the quality of financial information
provided to the market) may have no influence on the auditor at all. Economic theory
suggests that, in the presence of positive externalities such as these, markets may
undersupply goods or services.436 As a result, the positive externality in the audit market
may create an additional risk that auditors may gather insufficient audit evidence to
support their opinion or otherwise depart from applicable requirements.

See, e.g., Mankiw, Principles of Economics 145 (“Consumer surplus and producer surplus are the
basic tools that economists use to study the welfare of buyers and sellers in a market. Consumer
surplus is the benefit that buyers receive from participating in a market, and producer surplus is
the benefit that sellers receive. It is therefore natural to use total surplus as a measure of society’s
economic well-being…Total surplus in a market is the total value to buyers of the goods, as
measured by their willingness to pay, minus the total cost to sellers of providing those goods.”).

See section 301 of Sarbanes-Oxley, 15 U.S.C 78j-1.

See, e.g., Liesbeth Bruynseels and Eddy Cardinaels, The Audit Committee: Management
Watchdog or Personal Friend of the CEO?, 89 The Accounting Review 113 (2014) (finding that
social ties between management and the audit committee are present in 39% of the companies in
their sample and “may reduce the quality of the audit committee’s oversight”).

See, e.g., Mankiw, Principles of Economics 200, 201 (“In the presence of a positive externality,
the social value of the good exceeds the private value. The optimal quantity is therefore larger than
the equilibrium quantity… Positive externalities lead markets to produce a smaller quantity than is
socially desirable.”).

A firm also faces its own management challenges in implementing its desired
service, economic, and regulatory compliance objectives. Individual offices or personnel
may have incentives that diverge from the firm’s collective best interest. For example,
some research suggests that certain partners or offices may be commercially dependent
on particular clients and may be willing to take risks to retain those clients that the firm
as a whole would not—a form of free riding on the firm’s reputation and capacity to
absorb potential litigation costs.437 In addition, research suggests that an audit firm’s QC
system is essential to increase audit effort and audit quality because it aligns incentives of
individual partners with those of the firm.438 Even if QC systems were able to align the
incentives of individual offices and personnel to the firm’s collective best interest, some
research suggests that behavioral biases (e.g., confirmation bias, over-optimism, and
anchoring bias) may lead offices or personnel to act in ways contrary to both their own
self-interest and the firm’s collective best interest.439 One commenter presented its recent
unpublished survey research regarding challenges firms face when implementing changes
to their QC systems. The commenter reported that challenges include obtaining buy-in
and acceptance from staff as well as managing different perspectives from various
offices.440
Some firms may manage these challenges by adopting centralized control
practices that may have ambiguous impacts on their QC systems. For example, academic
research suggests that firms carefully screen new partners to act in the best interest of the

See, e.g., Robert A. Prentice, The Case of the Irrational Auditor: A Behavioral Insight into
Securities Fraud Litigation, 95 Northwestern University Law Review 133 (2000).

See, e.g., Daniel Aobdia, The Economic Consequences of Audit Firms’ Quality Control System
Deficiencies, 66 Management Science 2883 (2019).

See, e.g., Prentice, The Case of the Irrational Auditor 133, 162.

See Hayne, et al., Managing Quality Control Systems.

firm441 and emphasize meeting engagement budgets—an easily monitored metric that ties
directly to profitability.442 One commenter asserted that audit firms’ financial incentives
to operate too lean undermine audit quality. Investors and other financial statement users
may have trouble monitoring how firms incentivize, implement, and monitor compliance
with applicable professional requirements. These monitoring challenges, as well as the
lack of specificity in current PCAOB QC standards, give firms the flexibility to design,
implement, and operate QC systems that may not fully meet the needs of investors and
other financial statement users.
In the absence of sufficient market incentives to achieve an efficient allocation of
audit services,443 regulatory intervention can introduce incentives that generate changes
in behavior and impact audit quality.444 For example, economic research suggests that
auditing standards play a role in determining the amount of effort an auditor exerts,
which ultimately impacts audit quality.445 In addition, auditing standards can introduce

See, e.g., C. J. McNair, Proper Compromises: The Management Control Dilemma in Public
Accounting and its Impact on Auditor Behavior, 16 Accounting, Organizations and Society 635
(1991).

See, e.g., Bernard Pierce and Breda Sweeney, Cost–Quality Conflict in Audit Firms: An Empirical
Investigation, 13 European Accounting Review 415 (2004).

An efficient allocation of resources occurs when total surplus is maximized. Total surplus is
maximized when the good or service in question is supplied until the marginal benefit is equal to
the marginal cost. See Mankiw, Principles of Economics 146-148.

See, e.g., W. Robert Knechel, Do Auditing Standards Matter?, 7 Current Issues in Auditing A1
(2013) (explaining that auditing standards send a message to auditors that it is inappropriate to
intentionally under-audit, regardless of incentives). Note that QC standards are not auditing
standards but that auditing standards are a closely related form of regulatory intervention. Also,
academic research suggests that a positive association among standard setting, auditor effort, and
audit quality depends on a number of factors. See, e.g., Pingyang Gao and Gaoqing Zhang,
Auditing Standards, Professional Judgment, and Audit Quality, 94 The Accounting Review 201
(2019) (showing that auditing standards can help align auditor incentives with investor interests by
compelling the auditor to exert more effort, which improves audit quality, but that auditing
standards can weaken the auditor’s incentive to acquire expertise, which reduces audit quality);
Mark DeFond and Jieying Zhang, A Review of Archival Auditing Research, 58 Journal of
Accounting and Economics 275 (2014) (concluding that the effectiveness of auditing standard
setting is difficult to gauge since it involves broader consideration of the social welfare of all
stakeholders).

See, e.g., Marleen Willekens and Dan A. Simunic, Precision in Auditing Standards: Effects on
Auditor and Director Liability and the Supply and Demand for Audit Services, 37 Accounting and
Business Research 217 (2007) (showing that decreasing the precision of auditing standards
initially incentivizes auditors to produce higher audit quality by exerting more effort but that
decreasing precision beyond a certain point leads auditors to decrease effort).

incentives by providing a baseline against which an auditor manages legal liability.446
Auditing standards also provide a benchmark for regulatory inspections and enforcement
actions that introduce incentives for firms to initiate changes that impact audit quality.447
Moreover, research suggests that PCAOB Part II inspection findings introduce strong
incentives for firms to make changes necessary to remediate QC deficiencies in order to
avoid public disclosure of the deficiencies.448
3. Current PCAOB QC standards do not directly address recent QC developments
Developments in the auditing environment since the development of the current
PCAOB QC standards by the AICPA and subsequent adoption of these standards on an
interim basis by the Board are discussed above. In brief and as discussed above, the audit
market has changed significantly since the AICPA developed the current PCAOB QC
standards in 1997. At that time, the audit market was largely self-regulated by firms and
QC inspections were performed through a peer review program. Since then, PCAOB
oversight has led firms to address deficiencies identified during inspections, including
making changes to their QC systems to remediate QC deficiencies.449 There have also
been significant developments in the use of technology by firms in relation to QC

See, e.g., Ronald A. Dye, Auditing Standards, Legal Liability, and Auditor Wealth, 101 Journal of
Political Economy 887 (1993) (showing that an auditor who intends to comply with standards
typically prefers higher standards when the auditor’s personal wealth is observable by potential
litigants but prefers lower standards when the auditor’s wealth is unobservable); Causholli and
Knechel, An Examination of the Credence 631 (explaining that regulation and litigation play an
important role in shaping the audit process and an auditor’s behavior); Knechel, Do Auditing
Standards A1 (explaining that auditing standards can influence the likelihood and extent of underauditing by providing a basis for auditor liability that is an increasing function of the extent to
which auditor effort falls short of the standard-compliant level).

See, e.g., Aobdia, The Impact of the PCAOB Individual 53 (finding that firms take corrective
action on engagements with PCAOB Part I inspection findings and the effects spillover to noninspected engagements); Phillip T. Lamoreaux, Michael Mowchan, and Wei Zhang, Does Public
Company Accounting Oversight Board Regulatory Enforcement Deter Low-Quality Audits?, 98
The Accounting Review 335 (2023) (finding that large audit firm offices improve audit quality
following enforcement naming another office within their firm while small firm offices improve
following enforcement of local small firm competitors).

See, e.g., Aobdia, The Economic Consequences 2883.

See discussion on the developments in firms’ QC policies and procedures within the baseline
discussion above.

activities and performing engagements. Some firm management and organizational
structures have also evolved to include more focus on centralization and a globally
consistent methodology. Some firms have strengthened their approaches to firm
governance and leadership, incentive systems, and accountability. In addition, thought
leadership in quality management has advanced,450 as have the QC standards adopted by
other standard setters.
The current PCAOB QC standards are based on the higher-level principles
described above and do not directly address the developments described in the previous
paragraph. While research suggests that PCAOB oversight is associated with higher audit
quality,451 the current PCAOB QC standards were not written with a view to inspection
and enforcement by a regulator. As a result, the current PCAOB QC standards yield a
regulatory baseline that is not rigorous enough to sufficiently support the Board’s ability
to address audit performance deficiencies through PCAOB inspection and enforcement
activities related to firms’ QC systems. For example, some firms have added external
parties to oversight roles as described above, but current PCAOB QC standards contain
limited references to firm governance and leadership. At the same time, the current
PCAOB QC standards do not provide sufficiently specific requirements to directly
incentivize firms and individuals to establish and implement QC policies and procedures
that achieve the reasonable assurance objective as evidenced by the prevalence of audit
performance deficiencies.
4. Prevalence of audit performance deficiencies

See, e.g., COSO, ISO 9000, and the audit firm governance codes of the UK Financial Reporting
Council and Japan Financial Services Agency.

See, e.g., Albert L. Nagy, PCAOB Quality Control Inspection Reports and Auditor Reputation, 33
Auditing: A Journal of Practice & Theory 87 (2014) (concluding that audit firms lose market share
following public disclosure of PCAOB Part II inspection findings, suggesting that disclosure
provides a credible signal of auditor quality). The results from this study that suggests a positive
association between PCAOB oversight and audit quality does not necessarily mean that PCAOB
oversight causes higher audit quality.

The three proxies for the level of compliance with applicable professional
standards discussed above—i.e., Part I.A deficiencies, QC deficiencies related to audit
performance, and deficiencies arising during inspections of broker-dealer engagements—
as well as the recent PCAOB enforcement actions discussed above suggest that some
firms’ QC systems are not providing reasonable assurance as required under current
PCAOB QC standards.452 To be sure, this analysis of PCAOB inspection activities does
suggest that some improvements in audit performance have followed from remedial
changes firms have made to their QC systems453 and that some firms have already
reduced the number of QC deficiencies related to management of their audit practice.454
However, the Board continues to observe high rates of audit performance deficiencies455
and believes that a new QC standard will address these audit performance deficiencies
because the new standard will incentivize firms to design, implement, and operate
effective QC systems.
5. How the requirements address the need
The requirements provide substantial additional direction to firms regarding the
design, implementation, and operation of their QC systems that the Board believes
address the need for standard-setting. Three overarching features of the requirements help
address the problem. The first feature pertains to the mandate for a more integrated,
proactive, and risk-based QC system. The second pertains to the enhancements to
accountability within the firm to achieve the reasonable assurance objective. The third
pertains to more precise language and more prescriptive requirements in several key
areas.

See Background discussion above for more discussion of current regulatory requirements.

This point is discussed more fully in below.

See Figure 5 above.

See Figures 1 and 3 above.

Regarding the first feature, the new risk assessment process, coupled with a
detailed monitoring and remediation process, form a feedback loop designed to foster a
proactive approach to QC that drives continuous improvement. For example, the risk
assessment process requires the firm to obtain an understanding of the conditions, events,
and activities that may adversely affect the achievement of its quality objectives; identify
and assess quality risks; and then design and implement quality responses. The
monitoring and remediation process will help the firm evaluate whether the QC system is
working effectively in practice. This more proactive approach to QC should help address
the positive externality problem in the audit market by leading firms to implement QC
systems that more consistently satisfy the interests of all beneficiaries of the audit.
Additionally, as discussed above, information asymmetry may cause investors and other
financial statement users not to have sufficient information to understand whether their
issuer’s audit firm has an effective QC system that consistently produces high-quality
audits, and investors and other financial statement users may not have a sufficient voice
in the financial reporting ecosystem to be able to demand or incentivize audit firms to
implement one. Requiring the auditor to implement a robust QC system substitutes a
compliance incentive for the insufficient market incentive.
Regarding the second feature, the Board believes QC 1000 will improve
accountability within the firm to achieve the reasonable assurance objective. Several of
the requirements that improve accountability within the firm address the positive
externality problem directly by leading firms to implement QC systems that more
consistently satisfy the interests of all beneficiaries of the audit. For example, QC 1000
requires the firm to document and assign roles and responsibilities; communicate
information related to the monitoring and remediation process to firm personnel to enable
them to take timely action in accordance with their responsibilities; and establish a
quality objective to incentivize individuals to fulfill their assigned responsibilities,

through means such as performance evaluations and compensation. Leadership will also
be accountable for the design, implementation, and operation of the firm’s QC system,
including through means such as their performance evaluation and compensation, and the
firm will be required to establish a quality objective that leadership communicate and
promote the firm’s role in protecting the interests of investors and the public interest. The
requirements that improve accountability within the firm will help address the
information asymmetry problem by requiring the firm’s QC system to operate over any
public reporting regarding firm or engagement metrics that the firm provides.456 Overall,
this second feature reinforces the first through an additional incentive that is personal to
responsible individuals within the firm and reinforces the general incentives for the firm
to comply with the standard.
Regarding the third feature, while the requirements provide substantial additional
guidance to firms regarding the design, implementation, and operation of their QC
systems, QC 1000 also provides more precise and prescriptive requirements that will
enhance the Board’s ability to inspect and enforce and incentivize firms to design,
implement, and operate effective QC systems. For example, QC 1000 includes more
unconditional responsibilities than current PCAOB QC standards and specifies precise
conditions under which a firm must design, implement, and operate an effective QC
system. Together with the features described above—i.e., a more integrated, proactive,
and risk-based QC system and enhanced accountability within the firm to achieve the
reasonable assurance objective—these features establish a regulatory baseline that more
directly incentivizes firms and individuals to comply in order to avoid enforcement.
ECONOMIC IMPACTS

See PCAOB Rel. No. 2024-002 and PCAOB Rel. No. 2024-003.

This section discusses the expected benefits and costs, and the potential
unintended consequences, that may result from the requirements. The expected impacts
of several key provisions are highlighted. These provisions relate to:
•

Scaled applicability;

•

In-process monitoring activities;

•

Firm governance structure;

•

The automated independence process;

•

Complaints and allegations policies and procedures;

•

Reporting the annual QC system evaluation;

•

Certification of the annual QC system evaluation;

•

Responding to engagement deficiencies identified after issuance of the audit
report; and

•

SECPS requirements.
While the analysis of economic impacts is largely qualitative in nature due to data

limitations, the analysis does, in part, use PCAOB inspections data to help evaluate the
expected benefits. Technical details regarding the quantitative analysis of the expected
benefits are included in a separate staff white paper.457
The economic impacts of the requirements will arise out of changes firms will
make to their QC systems that they would not otherwise make but for the requirements.
As discussed above, the Board expects that, absent the requirements, many firms would
continue to make changes to their QC systems in response to evolving audit market
conditions, advances in technology, PCAOB oversight activity, internal monitoring, and

See PCAOB, Staff White Paper, The Impact of Quality Control System Remediation on Audit
Performance and Financial Reporting Quality (Nov. 18, 2022), (“QC White Paper”), available at
https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket046/qc-staff-whitepaper-november-2022.pdf?sfvrsn=ddb22504_4.

the actions of other standard setters. This attenuates both the benefits and the costs
attributable to the requirements.
1. Benefits
The expected benefits of the requirements are described using four
complementary views: (1) the benefits of quality management frameworks generally; (2)
the direct benefits of the requirements in the form of improved compliance with
applicable professional and legal requirements; (3) the indirect benefits of the
requirements in the form of improved financial reporting quality and capital market
efficiency; and (4) the benefits of key provisions.
a. Benefits of related frameworks
QC 1000 bears resemblance to existing quality management and enterprise risk
management frameworks (e.g., ISO 9000 and COSO). These frameworks share several
features in common with QC 1000, including embedding risk in decision making,
proactive involvement of leadership, clearly defined objectives, objective-oriented
processes, monitoring, and remediation. Using a variety of proxies (e.g., market reaction),
academic research has found that these frameworks improve company performance.458 In
particular, researchers have found that the COSO framework—the closest antecedent to
QC 1000—effectively improves financial reporting.459 Similarly, research finds that
markets penalize public companies with weaker internal control systems and reward the
remediation of those weaknesses.460 While differences between QC 1000 and existing

See, e.g., Iñaki Heras‐Saizarbitoria and Olivier Boiral, ISO 9001 and ISO 14001: Towards a
Research Agenda on Management System Standards, 15 International Journal of Management
Reviews 47 (2013); Robert E. Hoyt and Andre P. Liebenberg, The Value of Enterprise Risk
Management, 78 Journal of Risk and Insurance 795 (2011).

See, e.g., Hanwen Chen, Wang Dong, Hongling Han, and Nan Zhou, A Comprehensive and
Quantitative Internal Control Index: Construction, Validation, and Impact, 49 Review of
Quantitative Finance and Accounting 337 (2017); Ifeoma Udeh, Observed Effectiveness of the
COSO 2013 Framework, 16 Journal of Accounting & Organizational Change 31 (2020).

See, e.g., Hollis Ashbaugh‐Skaife, Daniel W. Collins, William R. Kinney, Jr., and Ryan Lafond,
The Effect of SOX Internal Control Deficiencies on Firm Risk and Cost of Equity, 47 Journal of
Accounting Research 1 (2009).

frameworks as well as differences between audit firms and other companies may limit the
relevance of this research to some extent, this research suggests that QC 1000 may help
firms design, implement, and operate more effective QC systems.
b. Improved compliance with applicable professional and legal requirements
The Board expects the requirements will benefit investors and other financial
statement users by improving compliance with applicable professional and legal
requirements via a more detailed QC standard. As described above, the requirements are
expected to achieve this through three principal mechanisms. First, they explicitly
connect the components of the QC system into an integrated cycle of risk assessment,
performance monitoring, and remediation. Second, several of the new requirements will
support the effectiveness of QC systems by emphasizing accountability to the reasonable
assurance objective. Third, more precise and prescriptive requirements will enhance the
Board’s ability to inspect and enforce. Broker-dealer engagements and issuer audits
performed by firms other than U.S. GNFs may see more improvement because they
appear to have more room for improvement on average. However, the recent uptick in
deficiencies for U.S. GNFs suggests that QC 1000 will also be a valuable resource for
these firms to address those deficiencies and, thus, further protect investors.
Some commenters described how a risk-based QC standard would improve audit
quality. However, one commenter argued that the requirements are too risk-based (e.g.,
they could result in too little change at the larger firms) and suggested an even stronger
prescriptive approach to certain aspects of the standard (e.g., training and supervision).
The Board believes the standard reflects a balanced approach that includes prescriptive
requirements where appropriate.
PCAOB staff analysis of PCAOB inspections data supports the view that more
effective QC policies and procedures will lead to improved compliance with applicable
professional and legal requirements. Staff examined the historical association between

satisfactory remediation of QC deficiencies and subsequent Part I.A deficiencies for
triennial firms. Satisfactory remediation of a QC deficiency reflects substantial good-faith
progress toward achieving a quality control objective.461 As such, an association between
historical satisfactory remediation efforts and a subsequent decrease in Part I.A
deficiencies would suggest that more effective QC policies and procedures lead to
improved compliance with applicable professional and legal requirements. After
controlling for auditor and issuer characteristics that may also drive Part I.A deficiencies
using standard statistical techniques, the staff analysis indicates that, on average,
satisfactory remediation is associated with reduced likelihood of subsequent Part I.A
deficiencies. This suggests that more effective QC policies and procedures may lead to
improved compliance with applicable professional and legal requirements.462 One
commenter reported observing that satisfactory remediation of QC deficiencies results in
fewer audit failures and asserted that this was in line with certain key findings of the staff
analysis.
The staff analysis is subject to several important caveats. First, remedial actions
typically target specific aspects of a firm’s QC system. By contrast, implementation of
QC 1000 may require a broader set of changes. Second, due to the transformational
nature of QC 1000, the changes firms will make to their QC systems could be
substantially different from firms’ historical satisfactory remedial actions. Third, U.S.
GNFs were intentionally excluded from the analysis, potentially limiting its applicability
to the U.S. GNFs. However, though association does not imply causation, the historical
association between the number of QC deficiencies related to U.S. GNFs’ management of
their audit practice463 and U.S. GNFs’ compliance with applicable professional

See Staff Guidance Concerning the Remediation Process (Nov. 18, 2013), available at
https://pcaobus.org/Inspections/Pages/Remediation_Process.aspx.

For additional details, including definitions of all control variables, see QC White Paper.

See Figure 5 above.

standards464 suggests that, even among the U.S. GNFs, more effective QC systems could
lead to improved compliance with applicable professional and legal requirements.465
Overall, the Board expects the association between satisfactory remediation and
subsequent Part I.A deficiencies among triennial firms more likely understates the impact
of QC 1000 due to its transformational nature.
Observations from PCAOB inspections and academic research also suggest that
the requirements may improve compliance with applicable professional and legal
requirements. PCAOB inspectors have observed that root cause analyses, effective design
and implementation of remedial actions, and appropriate governance practices related to
leadership’s tone can drive audit quality,466 and one academic study reports that, as
perceptions of the strength of the QC system increase, the likelihood of “reduced audit
quality behaviors” decreases.467 These findings likewise support the view that the
requirements, which place greater emphasis on root cause analysis, remediation, and
governance practices, if successfully implemented, will lead to improved compliance
with applicable professional and legal requirements.
c. Improved financial reporting quality and capital market efficiency
Academic research provides evidence that compliance with auditing standards is
positively associated with proxies for financial reporting quality.468 Research also finds a

See Figures 1 and 3 above.

Several nuances of smaller firms’ QC systems and the PCAOB inspections process may explain
the absence of such an association for these firms. First, although there is a downward trend in QC
deficiencies related to management of the audit practice (Figure 5 above), smaller firms’ QC
systems may be deficient in certain important respects that render them less effective overall.
Second, the roughly increasing trend in QC deficiencies related to audit performance for the
smallest firms (Figure 3 above) may be driven in part by deficiencies in the application of new
auditing requirements by these firms. Third, the inspection approach to QC assessments for the
smaller firms is simplified and does not lend itself to such a correlation analysis.

See, e.g., 2018 Inspection Observations Preview

See, e.g., Charles F. Malone and Robin W. Roberts, Factors Associated with the Incidence of
Reduced Audit Quality Behaviors, 15 Auditing: A Journal of Practice & Theory 49 (1996).

See, e.g., Daniel Aobdia, Do Practitioner Assessments Agree with Academic Proxies for Audit
Quality? Evidence from PCAOB and Internal Inspections, 67 Journal of Accounting and

positive association between firms’ successful remediation of QC deficiencies—a proxy
for adopting effective QC system practices—and the financial reporting quality of their
issuer clients.469 PCAOB staff analysis also provides some evidence that successful
remediation may be associated with improved financial reporting quality.470 The fact that
the results from each of these studies that suggest a positive association with financial
reporting quality does not necessarily mean that auditing standards or remediation of
deficiencies cause better financial reporting quality.
Investors and other financial statement users may benefit from improved issuer
financial reporting quality because it helps solve information asymmetries and agency
problems inherent to capital markets. Economic theory suggests that investors face a
separation-of-ownership-and-control problem whereby issuer management may
misappropriate investors’ capital.471 Relevant and accurate financial reporting can
alleviate these problems by providing investors and other financial statement users with
more accurate information regarding the financial position and operating results of
companies. Investors may use this information to improve the efficiency of their capital
allocation decisions (e.g., investors may more accurately identify companies with the
strongest prospects for generating future risk-adjusted returns and allocate their capital
accordingly). Investors may also perceive less risk in capital markets generally, leading to
an increase in the supply of capital. An increase in the supply of capital could increase
capital formation while also reducing the cost of capital to companies.472 While some

Economics 144 (2019); Katherine A. Gunny and Tracey Chunqi Zhang, PCAOB Inspection
Reports and Audit Quality, 32 Journal of Accounting and Public Policy 136 (2013).
See, e.g., Aobdia, The Economic Consequences 2883.

See QC White Paper.

See, e.g., Michael C. Jensen and William H. Meckling, Theory of the Firm: Managerial Behavior,
Agency Costs and Ownership Structure, 3 Journal of Financial Economics 305 (1976); Adolf
Augustus Berle and Gardiner Coit Means, The Modern Corporation and Private Property (1991).

See, e.g., Richard Lambert, Christian Leuz, and Robert E. Verrecchia, Accounting Information,
Disclosure, and the Cost of Capital, 45 Journal of Accounting Research 385, 387 (2007)

uncertainty remains regarding the economic impacts of financial reporting,473 empirical
academic research has affirmed this basic premise under certain conditions.474 Moreover,
some studies have identified a direct association between auditors’ compliance with
PCAOB standards and capital market efficiency.475
The requirements may also lead to improved compliance with applicable
professional and legal requirements on broker-dealer audit engagements and, in turn,
improved financial reporting quality and investor protection. An auditor’s work on these
engagements, if appropriately performed, should make it more likely that a broker-dealer
will maintain appropriate controls over compliance and less likely that there will be
material reporting errors. The auditor’s work also has the potential to make it more
difficult for broker-dealers to engage in fraud and other misconduct. Improved brokerdealer financial reporting quality also gives industry overseers, such as the SEC and
FINRA, as well as other users of broker-dealer financial information, such as the
Securities Investor Protection Corporation, more accurate information relevant to a

(discussing how increasing the quality of mandated disclosures should in general move the cost of
capital to the risk-free rate for all firms in the economy); William Robert Scott and Patricia C.
O’Brien, Financial Accounting Theory (2003), 412 (explaining that regulation is intended to
improve the operation of capital markets by enhancing public confidence in their fairness).
See, e.g., Christian Leuz and Peter D. Wysocki, The Economics of Disclosure and Financial
Reporting Regulation: Evidence and Suggestions for Future Research, 54 Journal of Accounting
Research 525 (2016) (explaining the relative rarity of evidence on causal effects of disclosure and
reporting regulation); Matthias Breuer, Christian Leuz, and Steven Vanhaverbeke, Mandated
Financial Reporting and Corporate Innovation, No. w26291. National Bureau of Economic
Research (2020), at 41 (reporting evidence consistent with the notion that mandatory reporting
deters firms’ incentives to innovate and generate proprietary know-how because of concerns about
the loss of proprietary information).

See, e.g., Christian Leuz and Robert E. Verrecchia, The Economic Consequences of Increased
Disclosure, 38 Journal of Accounting Research 91 (2000) (finding that German companies that
elect to commit to International Accounting Standards or U.S. GAAP exhibit lower percentage
bid-ask spreads and higher share turnover than firms using German GAAP); Utpal Bhattacharya,
Hazem Daouk, and Michael Welker, The World Price of Earnings Opacity, 78 The Accounting
Review 641 (2003) (finding that an increase in overall earnings opacity in a country is linked to an
economically significant increase in the cost of equity and an economically significant decrease in
trading in the stock market of that country based on financial statements from 34 countries for the
period 1984-1998). Because U.S. institutions differ from other countries and the studies pre-date
Sarbanes-Oxley, the results may not be directly relevant to all PCAOB-registered firms.

See, e.g., Nemit Shroff, Real Effects of PCAOB International Inspections, 95 The Accounting
Review 399 (2020).

broker-dealer’s financial condition, its ability to continue as a going concern, and its
handling of customer securities and cash. This, in turn, enhances the ability of these
organizations to carry out their responsibilities in ways that protect investors. Compliance
with applicable professional and legal requirements may also contribute to the early
identification or prevention of broker-dealer failures. Failures of large broker-dealers can
have a negative impact on the stability and liquidity of financial markets, and failures
caused by misconduct may damage investor confidence. A reduction in such failures
could help improve the strength and safety of the financial system.
d. Benefits of key provisions
i. Scaled applicability
QC 1000 will require that a firm implement and operate an effective QC system at
all times when the firm is required to comply with applicable professional and legal
requirements with respect to any of the firm’s engagements, and thereafter through the
next September 30.476 The discussion above provides further information on this
provision. As of June 30, 2023, up to 60% of firms may not meet this criterion but will be
required to design a QC system in compliance with QC 1000.477 Because registering with
the PCAOB enables a firm to issue audit reports or play a substantial role on audits
performed under PCAOB standards for issuers and broker-dealers, and because investors
and companies considering engaging the firm could reasonably expect that any firm that

See QC 1000.07.

The 60% reported here is based on Form 2 reporting as of June 30, 2023, and reflects registered
firms that reported they had not issued an audit report for an audit of an issuer or broker-dealer or
played a substantial role in such an engagement during the preceding 12 months. As noted above,
approximately 51% of firms have not performed an engagement under PCAOB standards for an
issuer or broker-dealer in the past five years. The PCAOB does not collect information about
whether registered firms perform engagements under PCAOB standards other than for issuers and
broker-dealers. Firms may be engaged, for example, in connection with the audit of a reporting
company that does not meet the Sarbanes-Oxley definition of “issuer” described in footnote 2
above, in connection with certain offerings of securities that are exempt from registration under
the Securities Act (e.g., offerings under Regulation A, Regulation D, or Regulation
Crowdfunding), pursuant to a contractual obligation such as a loan covenant, or on an entirely
voluntary basis.

could pursue such an engagement would already have a PCAOB-compliant QC system
designed and ready for implementation and operation, the Board believes that imposing a
design requirement on all registered firms promotes its mission of protecting investors
and promoting the public interest. The Board also believes that designing the QC system
will better position these firms to accept and perform engagements in compliance with
applicable professional and legal requirements to the extent that the firm will have a
PCAOB-compliant QC system ready for implementation and operation.
ii. In-process monitoring activities
QC 1000 will require firms that issued audit reports with respect to more than 100
issuers during the prior calendar year to monitor in-process engagements and will require
all other firms to consider monitoring in-process engagements.478 The discussion above
provides further information on this provision. Monitoring in-process engagements can
help firms detect and prevent engagement deficiencies before the engagement report is
issued, resulting in a more proactive and preventive monitoring approach that has the
potential to benefit investors through improved audit quality. The benefits will depend on
the extent to which firms already have in-process monitoring activities in place.
Information gathered through PCAOB inspection activities indicates that 11 out of 14
annually inspected firms perform some in-process engagement monitoring activities.
iii.

Firm governance structure

QC 1000 will require firms that issued audit reports with respect to more than 100
issuers during the prior calendar year to incorporate into their governance structure an
external oversight function for the QC system composed of one or more persons who are
not principals or employees of the firm and do not otherwise have a commercial, familial,
or other relationship with the firm that would interfere with the exercise of independent

See QC 1000.63.

judgment with regard to matters related to the QC system (i.e., EQCF).479 The final
standard specifies a baseline requirement that the EQCF’s responsibilities should include,
at a minimum, evaluating the significant judgments made and the related conclusions
reached by the firm when evaluating and reporting on the effectiveness of its QC system.
The discussion above provides further information on this provision. Such an oversight
function could reduce negative impacts of commercial considerations on decision making
by firms about their QC system and thereby improve incentives to implement QC
systems that more fully meet the interests of investors and other financial statement users.
Some academic research finds that the level of board of directors independence is
associated with certain benefits, such as improved operating performance and company
value, which implies independent oversight in a firm‘s governance structure could
potentially improve the quality of audit services provided by the firm.480
iv. The automated independence process
QC 1000 will require firms that issued audit reports with respect to more than 100
issuers during the prior calendar year to automate the process to identify investments in
securities that might impair the independence of the firm or firm personnel that are
managerial employees or partners, shareholders, members, or other principals.481 The
discussion above provides further information on this provision. Automating this process
should help firms more effectively and efficiently identify such investments. The
automated process could also indirectly improve compliance with other relevant

See QC 1000.28.

See, e.g., Anzhela Knyazeva, Diana Knyazeva, and Ronald W. Masulis, The Supply of Corporate
Directors and Board Independence, 26 The Review of Financial Studies 1561 (2013). Other
academic research indicates that a tradeoff of more independent board of directors may be less
efficient monitoring by directors. See, e.g., Praveen Kumar and K. Sivaramakrishnan, Who
Monitors the Monitor? The Effect of Board Independence on Executive Compensation and Firm
Value, 21 The Review of Financial Studies 1371 (2008).

See QC 1000.34a.

independence requirements. For example, automating this process may lead firms to
maintain and make available the list of restricted entities more efficiently and effectively.
v. Complaints and allegations policies and procedures
QC 1000 will require firms to design, implement, and maintain policies and
procedures that address processes and responsibilities for receiving, investigating, and
addressing complaints and allegations and include protecting persons making complaints
and allegations from retaliation.482 Firms that issued audit reports with respect to more
than 100 issuers during the prior calendar year will be required to include confidentiality
protections in their policies and procedures. The discussion above provides further
information on this provision. Overall, the Board expects the policies and procedure
regarding complaints and allegations will help reduce information asymmetry within the
firm by alerting responsible individuals to instances of non-compliance of which they
may otherwise be unaware. Some academic research suggests that the complaints and
allegations provisions will increase the likelihood that individuals will submit complaints
and allegations related to potential non-compliance. For example, one survey of public
company auditors finds that (1) greater protection of individual identity and (2) trust that
the firm would investigate and act on a report are both positively associated with
intention to report non-compliance with auditing standards.483 A survey of accounting
students finds that a weaker threat of retaliation is positively associated with the
propensity to submit a complaint.484 The Board acknowledges that some experimental
research finds that explicit protections may unintentionally deter internal complaints and
allegations because the protections signal to potential persons making complaints that

See QC 1000.29.

See Mary B. Curtis and Eileen Z. Taylor, Whistleblowing in Public Accounting: Influence of
Identity Disclosure, Situational Context, and Personal Characteristics, 9 Accounting and the
Public Interest 191 (2009).

See Gregory Liyanarachchi and Chris Newdick, The Impact of Moral Reasoning and Retaliation
on Whistle-Blowing, 89 Journal of Business Ethics 37 (2009).

retaliation is a risk.485 However, overall, the Board expects the complaints and allegations
provisions will benefit investors by reducing non-compliance with auditing standards
and, thus, improving audit quality.
vi. Reporting the annual QC system evaluation
QC 1000 will require firms to report to the PCAOB about the annual evaluation of
their QC system.486 The discussion above provides further information on this provision.
This requirement will help the Board obtain more timely, structured, and consistent
information regarding the effectiveness of firms’ QC systems relative to what could be
gathered through the inspections process, especially for the triennial firms. The Board
will use this information to support its oversight activities (e.g., to select firms, audits, or
focus areas for review). Reporting to the PCAOB will also improve incentives within a
firm to design, implement, and operate an effective QC system.
vii. Certification of the annual QC system evaluation
QC 1000 will require certain individuals in firms’ leadership to certify the annual
evaluation of their firm’s QC system.487 The discussion above provides further
information on this provision. This requirement will help address the positive externality
problem in the audit market by creating greater accountability within firm leadership to
implement an effective QC system. As noted in the proposal, PCAOB staff reviewed
academic literature on the impacts of CEO and CFO certification requirements in the
U.S. and engagement partner signature requirements in the United Kingdom and found
both supportive and unsupportive findings.488 One commenter noted academic research

See James Wainberg and Stephen Perreault, Whistleblowing in Audit Firms: Do Explicit
Protections from Retaliation Activate Implicit Threats of Reprisal?, 28 Behavioral Research in
Accounting 83 (2016).

See QC 1000.79.

See QC 1000.14d. and .15b.

See, e.g., Daniel A. Cohen, Aiyesha Dey, and Thomas Z. Lys, Corporate Governance Reform and
Executive Incentive: Implications for Investments and Risk Taking, 30 Contemporary Accounting

that has found there is little, if any, effect of CEO and CFO certifications required under
Sarbanes-Oxley.489 Citing academic literature on accountability frameworks, the same
commenter noted that imposition of accountability is largely positive490 but that the
increased accountability that would result from the certification requirement could have
negative consequences.491 As discussed below, the Board acknowledges that increased

Research 1298 (2013) (finding that their sample of firms significantly reduced investments in
risky projects in the period following SOX); Hsihui Chang, Jengfang Chen, Woody M. Liao, and
Birendra K. Mishra, CEOs’/CFOs’ Swearing by the Numbers: Does it Impact Share Price of the
Firm?, 81 The Accounting Review 1, 22 (2006) (concluding that the SEC order requiring filing of
sworn statements by CEOs and CFOs had a positive effect on the market value of certifying
firms); Jeffrey R. Cohen, Colleen Hayes, Ganesh Krishnamoorthy, Gary S. Monroe, and Arnold
M. Wright, The Effectiveness of SOX Regulation: An Interview Study of Corporate Directors, 25
Behavioral Research in Accounting 61 (2013) (discussing that CEO certification was viewed as
having led to heightened ownership and diligence on the part of decision agents throughout the
financial reporting decision hierarchy but was also identified as a source of the costly resourceintensive reaction to Sarbanes-Oxley).
See, e.g., Paul A. Griffin and David H. Lont, Taking the Oath: Investor Response to SEC
Certification Under Sarbanes-Oxley, 1 Journal of Contemporary Accounting & Economics 27
(2005); Gerald J. Lobo and Jian Zhou, Did Conservatism in Financial Reporting Increase after the
Sarbanes-Oxley Act? Initial Evidence, 20 Accounting Horizons 57 (2006); Utpal Bhattacharya,
Peter Groznik, and Bruce Haslem, Is CEO Certification of Earnings Numbers Value-Relevant?, 14
Journal of Empirical Finance 611 (2007).

See, e.g., Andrew Quinn and Barry R. Schlenker, Can Accountability Produce Independence?
Goals as Determinants of the Impact of Accountability on Conformity, 28 Personality and Social
Psychology Bulletin 472 (2002); Virginia R. Stewart, Deirdre G. Snyder, and Chia-Yu Kou, We
Hold Ourselves Accountable: A Relational View of Team Accountability, 183 Journal of Business
Ethics 691 (2023); Angela T. Hall, Michael G. Bowen, Gerald R. Ferris, M. Todd Royle, Dale E.
Fitzgibbons, The Accountability Lens: A New Way to View Management Issues, 50 Business
Horizons 405 (2007); Marko Pitesa and Stefan Thau, Masters of the Universe: How Power and
Accountability Influence Self-Serving Decisions under Moral Hazard, 98 Journal of Applied
Psychology 550 (2013); Constantine Sedikides, Deletha Hardin, Kenneth Herbst, and Gregory
Dardis, Accountability as a Deterrent to Self-Enhancement: The Search for Mechanisms, 83
Journal of Personality & Social Psychology 592 (2002).

See, e.g., Jennifer J. Dose and Richard J. Klimoski, Doing the Right Thing in the Workplace:
Responsibility in the Face of Accountability, 8 Employee Responsibilities & Rights Journal 35
(1995); Jennifer S. Lerner and Philip E. Tetlock, Accounting for the Effects of Accountability, 125
Psychological Bulletin 255 (1999); Randall A. Gordon, Richard M. Rozelle, and James C. Baxter,
The Effect of Applicant Age, Job Level, and Accountability on Perceptions of Female Job
Applicants, 123 Journal of Psychology 59 (1989); Philip E. Tetlock, The Impact of Accountability
on Judgment and Choice: Toward a Social Contingency Model, 25 Advances in Experimental
Social Psychology 331 (1992); Angela T. Hall, Dwight D. Frink, and M. Ronald Buckley, An
Accountability Account: A Review and Synthesis of the Theoretical and Empirical Research on
Felt Accountability, 38 Journal of Organizational Behavior 204 (2017); Sheldon Adelberg and
Daniel C. Batson, Accountability and Helping: When Needs Exceed Resources, 36 Journal of
Personality and Social Psychology 343 (1978); Mark E. Peecher, Ira Solomon, and Ken T.
Trotman, An Accountability Framework for Financial Statement Auditors and Related Research
Questions, 38 Accounting, Organizations and Society 596 (2013); Angela T. Hall, M. Todd Royle,
Robert A. Brymer, Pamela L. Perrewé, Gerald R. Ferris and Wayne A. Hochwarter, Relationships
Between Felt Accountability as a Stresser and Strain Reaction: The Neutralizing Role of
Autonomy Across Two Studies, 11 Journal of Occupational Health Psychology 87 (2006).

accountability could lead to potential unintended consequences. However, the Board
continues to believe that the certification requirement will benefit investors by increasing
discipline in the evaluation process and reinforcing the accountability of the certifying
individuals.
viii.

Responding to engagement deficiencies identified after issuance of the
audit report

The amendments to AS 2901, Consideration of Omitted Procedures After the
Report Date, include: (1) addressing engagement deficiencies in addition to omitted
procedures and (2) including the ICFR audit within its scope. Relatedly, the amendments
to AT No. 1 and AT No. 2 mirror the amendments to AS 2901. The discussion above
provides further information on this provision. The Board expects these amendments will
lead auditors to perform additional procedures to obtain sufficient appropriate evidence
or take additional action to prevent future reliance on insufficiently supported audit
opinions (or review reports in the case of review engagements) that are being relied on. In
such cases, PCAOB standards will require firms to advise their client to make appropriate
disclosure of the newly discovered facts and their impact on the financial statements (or
examination or review reports in the case of attestation engagements) to persons who are
known to be currently relying or who are likely to rely on the financial statements and the
related auditor’s report (or review report in the case of a review engagement). Academic
research on ICFR suggests that such disclosures will be valuable to capital market
participants with improvements in company performance and financial reporting.492

See discussion on economic impacts above and the research cited therein.

ix. SECPS requirements
The requirements will refine, integrate into QC 1000, and extend to all firms the
SECPS member requirements currently required under PCAOB Rule 3400T. Based on
current registration data, approximately 13% of PCAOB-registered firms are already
subject to these requirements under PCAOB Rule 3400T. The discussion above provides
an overview of these requirements. The Board expects that this feature of the rulemaking
will benefit investors by enhancing audit quality through improved compliance with SEC
and PCAOB independence rules on engagements performed by firms not already subject
to these requirements under PCAOB Rule 3400T.
2. Costs
The Board expects the requirements will result in additional direct and indirect
costs to auditors and, potentially, indirect costs to the companies that they audit. The
extent of these costs will depend on the degree to which firms otherwise have QC
systems in place designed to comply with other QC standards and the specific policies
and procedures adopted by the firm. The information presented above suggests that U.S.
GNFs commit hundreds of partner and non-partner FTEs to their QC systems, including,
individually, each of the major QC system components specified in ISQM 1. Resources
are particularly utilized in the areas of independence, ethics, and resources. As discussed
above, the Board believes most firms are subject to other QC standards. In designing,
implementing, and operating their QC systems, firms that are subject to both PCAOB
standards and other QC standards can leverage the investments they make to comply with
the requirements of the other standards. Therefore, the Board expects that a portion of the
overall costs of designing, implementing, and operating policies and procedures to
comply with QC 1000 have been or will be incurred by most firms regardless of whether
QC 1000 is adopted. As a consequence, for most firms, the Board expects the costs

discussed below will derive primarily from the provisions in QC 1000 that go beyond the
requirements of other QC standards.
Several commenters noted there will be costs and challenges to implement and
operate features of QC 1000 that are incremental to the systems firms have established to
comply with other QC standards. One commenter said that the need to accommodate
nuances among different standards results in firms maintaining different methodologies,
practices, and procedures that puts pressure on limited firm resources. Several
commenters asserted that firms that audit between 100 and 500 issuers will be
significantly impacted by costs associated with some or all of QC 1000’s incremental
requirements for firms that issue audit reports for more than 100 issuers, and some of the
commenters noted resource differences between GNFs and annually inspected NAFs.
Since QC systems are resource-intensive, the efforts required to respond to the additional
provisions in QC 1000 or to otherwise adapt the QC system to the auditing environment
for issuers and SEC-registered broker-dealers could be significant.
While the PCAOB lacks data to quantify the costs that could result from QC
1000, some studies have estimated costs associated with ICFR under Sarbanes-Oxley
section 404.493 The Board acknowledges differences between section 404 and QC 1000,

Based on a sample of companies that voluntarily disclosed Section 404 cost information in their
SEC filings during the period Jan. 2003 to Sept. 2005, one study found that the mean total
compliance costs for Section 404 was $2.2 million ($3.7 million adjusted for inflation), and the
median was $1.2 million ($2.0 million adjusted for inflation). See Jagan Krishnan, Dasaratha
Rama, and Yinghong Zhang, Costs to Comply with SOX Section 404, 27 Auditing: A Journal of
Practice & Theory 169 (2008). Using a sample of Fortune 1000 companies, another study
estimated the companies spent an average of $5.9 million ($9.6 million adjusted for inflation) to
comply with Section 404 in the first year of implementation. See Charles River Associates,
Sarbanes-Oxley 404 Costs and Remediation of Deficiencies: Estimates from a Sample of Fortune
1000 Companies (2005). Another study found that direct costs of Section 404 fell by as much as
40% by the second year after implementation and varied significantly by company size. See John
C. Coates IV, The Goals and Promise of the Sarbanes-Oxley Act, 21 Journal of Economic
Perspectives 91 (2007). Another study reported an SEC survey sample that showed an overall
average Section 404 compliance expense of $1.2 million ($1.7 million adjusted for inflation) in
the latest fiscal year before the survey (Dec. 2008 to Jan. 2009) and respondents reported a decline
over time in such costs. See Cindy R. Alexander, Scott W. Bauguess, Gennaro Bernile, Yoon-Ho
Alex Lee, and Jennifer Marietta-Westberg, Economic Effects of SOX Section 404 Compliance: A
Corporate Insider Perspective, 56 Journal of Accounting and Economics 273 (2013). To adjust

but section 404 is similar to QC 1000 in that section 404 was a policy shock that led large
public companies to improve their internal control practices. In addition, while QC 1000
is not an internal control framework per se, it does reflect similar principles as COSO, the
industry standard control framework that was widely relied upon to implement section
404. One commenter observed that the requirements under QC 1000 are similar in certain
ways to the requirements related to ICFR under Sarbanes-Oxley for companies and
suggested that the impacts of QC 1000 on auditors will be similar to the impact SarbanesOxley had on companies notwithstanding key differences between a company’s ICFR
and an audit firm’s QC system.
a. Direct and indirect costs of the proposed requirements
The Board expects the requirements will lead to several direct and indirect costs.
There will be a direct cost to audit firms to design a QC system that complies with
QC 1000. For example, firms will likely spend time reviewing QC 1000; assigning roles
and responsibilities; identifying staffing and training needs; and developing a set of
quality objectives, quality risks, and quality responses. Once a QC system is designed,
firms will incur costs to monitor, identify, and assess changes to conditions, events, and
activities that indicate modifications to the firm’s quality objectives, quality risks, or
quality responses may be needed. Some firms may outsource certain aspects of QC
system design. The Board also expects that customization will be necessary to ensure that
each QC system design appropriately addresses each firm’s circumstances. The extent of
the design costs will likely depend on facts and circumstances unique to each firm.
Among firms that will be subject to other QC standards, which the Board believes

results from the studies for inflation, PCAOB staff used an inflationary factor as of the third
quarter 2023 from the current dollar index number of the Employment Cost Index for private
workers employed in the professional, scientific, and technical services industry published by the
U.S. Bureau of Labor Statistics (available at https://www.bls.gov/eci/data.htm). This inflationary
adjustment does not account for any potential differences between QC 1000 costs and Section 404
costs or any potential structural changes over time.

represents most firms, the design costs will likely be reduced and limited to incremental
requirements around ethics, independence, monitoring, and remediation.
For full applicability firms—those that will be required to implement and operate
an effective QC system—there will likely be additional costs. Firms may need to
implement fixed resources (e.g., people, financial, technological, or intellectual) prior to
operating their QC system. For example, a firm may need to invest in an IT system or
train individuals having QC roles or responsibilities. Several commenters identified
significant implementation costs and called for an extended implementation period due to
these costs. Describing the results of its recent survey of assurance service QC leaders,
one commenter reported that obtaining “buy in” and acceptance from organizational
members is the most common challenge firms face when implementing changes to their
QC systems.494 As discussed, the Board agrees there will be implementation costs;
however, these implementation costs will be reduced to the extent that firms already
implement the requirements to comply with the actions of other standard setters or due to
other developments. Furthermore, the Board expects the design and implementation costs
will be largely fixed in nature and will decline over time.
Firms may also incur new operating costs, at the firm level and the engagement
level. At the firm level, firms may require additional resources to administer new or
revised quality responses after they are implemented, execute the annual risk assessment,
perform the annual evaluation of the QC system, report the results of the evaluation to the
PCAOB using the same PCAOB platform as the other reporting forms, and prepare and
retain the required documentation. Several commenters identified significant operating
costs. For example, one commenter argued that the proposed independent oversight
function could entail insurance costs. At the engagement level, engagement team time

See Hayne, et al., Managing Quality Control Systems.

may be required to execute new or revised quality responses. For example, an
engagement team may carry out procedures regarding continuance of the firm’s
relationship with the client served by that engagement team. These operating costs will be
reduced for firms that would be subject to other standard setters or other developments.
Several commenters asserted that the documentation costs, as originally proposed,
could be particularly onerous. For example, several commenters asserted that firms
would be required to retain large volumes of documentation to support the operation of
the firm’s quality responses for each instance related to all years for which firms are
required to maintain such documentation. One commenter noted that information
evidencing the operation of a firm’s QC system can vary in size, type, and storage
requirements and that the costs of modifying the firm’s existing IT systems to comply
with the documentation requirement could be significant. Some commenters noted that
the amount of documentation to be retained is expected to require considerably more
storage space for each evaluation period, which the commenters suggested translates to a
need for new servers and extended licensing agreements. One commenter said that firms
that change their systems will have to maintain licenses for old systems for up to seven
years. The same commenter said the seven-year retention period goes well beyond the
retention requirements of ISQM 1 and SQMS 1 and asserted that firms with a significant
private company client base would be challenged to have different documentation
retention policies since many aspects of quality control relate to the firm as a whole.
Some commenters suggested that retaining sensitive information introduces heightened
cybersecurity risks for firms, firm personnel, clients, and other stakeholders. The Board
acknowledges that the documentation requirement could create costs for firms, including
costs related to retention and cybersecurity infrastructure. To clarify the expected cost
burden, the discussion above notes that documentation of every aspect of the operation of

the firm’s QC system may not be required to evidence that each quality response operated
effectively.
Several commenters asserted that smaller firms may be especially affected by the
new QC requirements, including requirements incremental or alternative to ISQM 1 and
SQMS 1. One commenter said that smaller firms will need to hire consultants or
additional staff for the monitoring, remediation, and evaluation functions,
notwithstanding the scalability of QC 1000. Another commenter asserted that QC 1000
will impose disproportionate costs on smaller firms but noted that the commenter did not
analyze in detail the cost of each incremental requirement and therefore did not have an
estimate of the disproportionate costs. Relatedly, research finds that implementation and
operating costs of internal control frameworks precipitated by Sarbanes-Oxley are
proportionally greater for smaller companies.495
The Board acknowledges that the direct costs will likely vary depending on the
size of the firm and the nature of its audit practice. Larger PCAOB audit practices that
already have extensive QC systems in place may benefit from economies of scale or
scope when incorporating the new requirements into their existing systems, which would
decrease the cost of QC 1000 per engagement. Larger PCAOB audit practices will be
able to distribute fixed implementation costs over a larger number of engagements, while
smaller practices will distribute fixed implementation costs over a smaller number of
engagements. On the other hand, it may also be difficult for firms with more complex
clients and diverse client portfolios—characteristics of larger PCAOB audit practices—to
implement effective QC systems. To the extent that smaller firms may be
disproportionately impacted as commenters have suggested, the Board continues to
believe that the principles-based features and scalable nature of QC 1000, described in

See, e.g., John C. Coates and Suraj Srinivasan, SOX after Ten Years: A Multidisciplinary Review,
28 Accounting Horizons 627 (2014).

greater detail above, as well as the 100-issuer threshold for some provisions, help to
mitigate their costs because smaller firms will rely on proportionally fewer resources for
design, implementation, and operation of their QC systems.
In addition to the direct costs to auditors to comply with the requirements, indirect
costs may arise. To the extent that compliance with the requirements will improve
compliance with applicable professional and legal requirements at the engagement level,
costs may increase for the affected engagements. For example, in bringing their work into
compliance with PCAOB auditing standards, some engagement teams may gather
additional or more persuasive audit evidence and prepare more documentation than they
previously did. However, firms should be incurring these costs already.
Audited companies may also incur indirect costs related to the requirements. For
example, some commenters asserted that the 100-issuer threshold could deter triennially
inspected firms from accepting new public company audit engagements or encourage
firms to resign from existing audit engagements to avoid crossing the 100-issuer
threshold. Although the Board recognizes this possibility, for context regarding the
number of firms currently around the 100-issuer threshold, PCAOB staff analysis of audit
reports included in SEC filings indicates that, during the 2022 calendar year, two NAFs
audited between 80 and 100 issuers and two NAFs audited between 100 and 120 issuers.
Firms may pass on part of any increased costs they incur at the firm or engagement level
by raising the fees they charge their clients. In addition, to the extent that the
requirements improve compliance with applicable professional and legal requirements,
some audited companies could face additional costs to respond to their auditors’ requests
for additional or more extensive audit evidence. Audited companies may incur other costs
due to changes in audit firm QC policies and procedures. For example, if QC 1000 results
in changes to firms’ client acceptance and continuance practices, firms may require
greater fees or refuse to accept or retain high-risk clients. While this outcome would

represent a cost to audited companies, the result could be a more efficient audit market if
riskier companies pay more. These indirect costs will be reduced to the extent that firms
will have already implemented the requirements in response to similar actions of other
standard setters or due to other developments.
b. Costs of key provisions
i.

Scaled applicability

Scaled-applicability firms will incur the design costs discussed above. Should a
scaled-applicability firm ever become subject to the implementation and operation
requirements, the firm will then incur the implementation and operation costs discussed
above. As with other registered firms, the costs to scaled-applicability firms will be less
to the extent they will already be complying with ISQM 1 or SQMS 1. Firms and a
related group suggested allowing firms that do not perform engagements the flexibility to
design their QC system in accordance with another QC standard, such as ISQM 1 or
SQMS 1, to help manage costs. However, the Board expects the design costs for those
firms to be limited to incremental requirements around ethics, independence, monitoring,
and remediation. Furthermore, scaled-applicability firms may choose to avoid the design
costs by withdrawing from PCAOB registration given that they are not required to be
registered.
ii.

In-process monitoring activities

The Board believes the in-process monitoring requirement may contribute to the
direct and indirect costs discussed above such as: (1) developing documentation, (2)
providing training, (3) gathering additional audit evidence, and (4) other potential indirect
costs such as the time required of issuers to provide their auditor with additional or more
extensive audit evidence. The costs will depend on the extent to which firms already have
in-process monitoring activities in place. In addition, in-process monitoring may result in
increased audit fees. Information gathered through PCAOB inspection activities indicates

that 11 out of 14 annually inspected firms perform some in-process engagement
monitoring activities.
iii. Firm governance structure
The Board believes there could be costs to design, implement, and operate the
oversight function (i.e., EQCF). For example, firms that are required to incorporate the
oversight function into their governance structure for the first time may incur costs when
retaining appropriate individuals from outside of the firm.496 Firms with an existing
oversight function may incur costs to find different individuals to fill the role. In addition,
firms with an existing oversight function may incur incremental costs to incorporate the
baseline requirement to evaluate, at a minimum, significant judgments made and the
related conclusions reached by the firm when evaluating and reporting on the
effectiveness of its QC system.
Several commenters expressed concern that the oversight function would be
costly or difficult to fulfill, especially for firms that audit between 100 and 500 issuers.
One commenter suggested the oversight function could add costs that ultimately have to
be passed on through higher audit fees, which investors in smaller issuers are unlikely to
support, particularly when the costs are spread over a small amount of invested public
capital in a firm’s issuer audits clients. Conversely, one commenter said that the costs of
the oversight function could be reduced by engaging an independent accounting firm to
provide weekly advisory services.
To help address these cost concerns, the requirement will allow firms to
implement an oversight function into their QC system suitable for their circumstances.

According to Spencer Stuart, the average compensation per non-employee director was $327,764
in 2023. See 2023 U.S. Spencer Stuart Board Index (2023), available at
https://www.spencerstuart.com/-/media/2021/october/ssbi2021/us-spencer-stuart-board-index2021.pdf (analyzing 489 DEF-14A proxy statements filed by S&P 500 companies with the SEC
between May 1, 2022, and Apr. 30, 2023). PCAOB staff notes that variation between the
responsibilities of an oversight function and a non-employee director function may limit the
relevance of this cost reference to some extent.

Costs, as well as the associated benefits, could be attenuated for U.S. GNFs by the fact
that all of the U.S. GNFs indicate, as of the 2020 inspection cycle, that they already have
a governance structure that includes a non-employee.
iv.

The automated independence process

The Board believes there could be costs to design, implement, and operate the
required automated process to identify investments in securities that might impair
independence. The costs will depend on the extent to which firms already have such an
automated process in place. Information gathered through PCAOB inspection activities
indicates that nine out of 14 annually inspected firms already have one in place. The
remaining five have processes in place that are not fully automated. Firms will be able to
automate the process in a way that is suitable to their unique facts and circumstances.
Most firms will likely need to: (1) convert their restricted entity list into a searchable
electronic form; (2) maintain the electronic restricted entity list; and (3) develop queries
that can compare a manager’s or partner’s relevant investments in securities to the
electronic restricted entity list. Some firms may choose to integrate the automated process
with existing systems related to client acceptance or time and expense. Firms with simple
restricted entity lists (e.g., fewer clients, fewer subsidiaries) or simpler QC policies and
procedures for restricted entities (e.g., any investment in any security of a restricted entity
is restricted) may require less investment in software and expertise than other firms.
Several commenters said that the proposed automated process will entail
significant costs. One commenter emphasized that there will be upfront and ongoing
investments in technology and other overhead to operate such a process. Another
commenter noted that implementing and maintaining an automated independence
monitoring system is costly for smaller firms, which audit predominantly privately held
companies and have not previously been subject to the automated independence system
requirement under SEC rules. One commenter said it was unaware of any truly off-the-

shelf system responsive to the proposed requirement. One commenter emphasized that
for firms that audit between 100 and 500 issuers, the main potential downside of an
automated process is the associated time and incremental cost to develop an efficient and
effective system. The commenter noted that, in addition to software costs, there will be
costs to oversee the system to ensure the data entered are correct and firm personnel are
trained to use the system. Another commenter noted that the six largest firms represent
60% of issuers and approximately 98.7% of the capital markets and asserted that the
automated independence process will nearly triple the number of firms required to
implement automated investment tracking systems but pick up less than 15% of issuers,
which represent less than 1% of the capital markets. The same commenter also asserted
that the differences in size, scope, nature, and complexity between the six largest
annually inspected firms and other annually inspected firms can be immense and that
more than 80% of the commenter’s issuer client count consists of either Form 11-K
audits or audits of smaller companies, which have less impact on capital markets. While
the commenter provided these figures in response to costs of the automated independence
process, the same figures could apply to the costs and benefits of each of the key policy
provisions that invoke the 100-issuer threshold.
To help address these views, the final standard clarifies that the required
automated process: (1) will apply only to the identification of relevant investments in
securities and (2) will permit firms to rely on firm professionals accurately self-reporting
and entering their investments into the system (e.g., direct brokerage feeds will not be
expressly mandated). In addition, the Board believes that existing software products
likely could be adapted to respond to the requirements. Furthermore, off-the-shelf
systems more tailored to the requirements may enter the market in the future.
Notwithstanding the commenters’ views, the Board retained the automated independence

process requirement, and acknowledges there will be costs to design, implement, and
operate it.
v.

Complaints and allegations policies and procedures

The Board expects the policies and procedures regarding complaints and
allegations will entail direct costs to firms to design, implement, and maintain. Most
notably, firms will incur additional variable costs to receive, investigate, and address
complaints and allegations. Firms that issued audit reports with respect to more than 100
issuers during the prior calendar year will incur costs to implement confidentiality
protections. The costs will depend on the extent to which firms already have policies and
procedures regarding complaints and allegations in place. Information gathered through
PCAOB inspection activities indicates that 10 out of 14 annually inspected firms already
have hotlines in place that may satisfy certain of the complaints and allegations
requirements.497
vi.

Reporting the annual QC system evaluation

The Board expects the requirement to report the annual QC system evaluation to
the PCAOB will entail an additional annual cost to firms to prepare Form QC. However,
since firms will already be required to perform and document the evaluation, any
additional costs associated with preparing Form QC should be minimal. The requirement
may also result in some increased litigation risk to the extent that information reported to
the PCAOB is not subject to privilege under section 105(b)(5) of Sarbanes-Oxley, and to
the extent that reporting of this information to a third party may vitiate other privileges
that otherwise could have been used to protect the information from compelled disclosure
in third-party actions. Non-protected material may become subject to compulsory

According to one hotline vendor that posted their service prices online, the annual fee for a hotline
that covers up to 75 employees starts at $1,200 and the annual fee for a hotline that covers more
than 5,000 employees starts at $7,000 (see https://www.allvoices.co/basic-purchase). The Board
notes that the complaints and allegations provisions include more than having a hotline.

production, which could impose indirect costs on firms to the extent that legal or other
consequences may flow from that production.
vii.

Certification of the annual QC system evaluation

The certification requirement itself may not impose much direct cost on firms
because the evaluation activities precede certification. However, to the extent that firms
choose to implement a more robust internal compliance infrastructure (e.g., by requiring
sub-certifications from personnel with direct responsibility for certain functions), those
costs could also be attributable to the certification requirement. Moreover, firms may be
exposed to litigation costs because the certifications in Form QC are not subject to
privilege under section 105(b)(5) of Sarbanes-Oxley, meaning that third parties may be
able to compel production of the certifications, and the certifications may have an impact
in third-party litigation. For example, the threat of liability for negligent conduct could
lead to costs if individuals demand additional remuneration or take additional steps to act
reasonably and demonstrate that they have acted reasonably (e.g., assuring themselves
that the QC system is appropriately designed) or to defend against enforcement
allegations. The Board believes, however, that the internal compliance exercise, and even
potentially the threat of third-party litigation, can reinforce the importance of the firm’s
QC system within the firm, which in turn can help produce the benefits the Board expects
this provision will generate.
viii.

Responding to engagement deficiencies identified after issuance of the
audit report

The amendments to AS 2901, Consideration of Omitted Procedures After the
Report Date, and related amendments to AT No. 1 and AT No. 2 will contribute to the
engagement-level costs discussed above to the extent auditors will perform additional
procedures to obtain sufficient appropriate evidence or take additional action to prevent
future reliance on insufficiently supported audit opinions (or review reports in the case of

review engagements) that are being relied on. The Board expects the requirement to
extend the scope of AS 2901 to include the ICFR audit within its scope will be
particularly impactful because the audit of internal control over financial reporting is both
resource-intensive 498 and a common and recurring area of deficiency.499
ix.

SECPS requirements

The requirements will refine, integrate into QC 1000, and extend to all firms the
SECPS member requirements currently required under PCAOB Rule 3400T. The Board
expects this will increase development, implementation, and operating costs for firms not
already subject to these requirements. However, the Board believes the costs should be
minimal because, based on its oversight activities, the Board believes these firms already
have in place policies and procedures related to compliance with SEC and PCAOB
independence rules.
3. Unintended consequences
The requirements could give rise to unintended consequences. Overall, however,
the Board expects any potential unintended consequences will be mitigated by other
factors.
a. Human capital
Some firms may require additional staff resources to implement the requirements.
To meet this demand, firms may transfer personnel from engagement-level roles to QC
roles. This could create a risk that engagements are insufficiently staffed. Alternatively,
some firms may assign more junior staff to QC roles or to new openings on engagements.
This could create a risk that QC system or engagement personnel lack sufficient training
or experience. One commenter reported the commenter’s own analysis to demonstrate

See, e.g., U.S. Securities and Exchange Commission Office of Economic Analysis, Study of the
Sarbanes-Oxley Act of 2002 Section 404 Internal Control over Financial Reporting Requirements
(Sept. 2009), at Table 8 (reporting that roughly one-third of total audit fees may be attributable to
the ICFR audit).

See, e.g., 2020 Inspection Observations Preview.

that audits are largely conducted by non-CPAs with limited experience in the field of
auditing. QC 1000 includes quality objectives that mitigate these risks. For example,
firms will be required to establish quality objectives that individuals who are assigned to
engagements or perform QC system activities have the competence, objectivity, authority
(in the case of activities within the QC system), and time to perform their responsibilities
in accordance with applicable professional and legal requirements and the firm’s policies
and procedures.500
Some commenters argued that the costs of QC 1000 would be especially
significant due to labor shortages. One commenter asserted that an aggressive
enforcement atmosphere may create disincentives for individuals to join the profession,
harming the talent pipeline that is necessary for the production of high-quality audits.
Another commenter raised concerns that recruiting and retaining partners and employees
for a firm's QC system will be a tremendous challenge for firms willing and able to
absorb additional costs to properly implement the requirements of QC 1000 given the
tight labor market. One commenter reported that some market research indicates
significant declines in the number of new CPA candidates and annual accounting degree
completions.501 The commenter also reported commentary from a survey that reveals the
largest accounting firms regularly score low along dimensions that are most indicative of
their desirability as places to work.502 Another commenter cited news articles503 and
academic research504 that suggest attracting and retaining talent is a serious concern for

See QC 1000.44c. and e.

See AICPA Trends Report.

See Mark Kolakowski, Best Accounting Firms (Vault Top 50 Accounting Firms) (Jan. 14, 2020).

See, e.g., Lindsay Ellis, Why so Many Accountants are Quitting, Wall St. J. (Dec. 28, 2022);
Stephen Foley, Accountants Work to Shed “Boring” Tag Amid Hiring Crisis, Financial Times
(Oct. 3, 2022).

See, e.g., Hermanson, et al., The Work Environment in Large Audit Firms A38; Dana R.
Hermanson, Heather M. Hermanson, Susan D. Hermanson, Where is Public Company Auditing
Headed?, 90 CPA Journal 54 (2020); Westermann, et al., PCAOB Inspections 694.

accounting firms and university accounting programs. However, based on its preliminary
survey research, another commenter reported that some QC leaders do not feel resource
constrained.505
The Board acknowledges the commenters’ concerns about the potential impact on
staff resources. However, the potential impact on staff resources is likely the result of the
interplay among numerous factors in the labor market, such as the rigor of qualifying for
and completing the requirements for CPA licensure and the relatively low starting
salaries being cited by college students as one of the main hurdles to choosing accounting
as a major. To meet increased demand for staff resources, some firms may choose to hire
additional experienced staff. It is possible that the labor demand shock could result in
increased wages and potentially higher audit fees, which could be exacerbated by the
concentration of large firms in the audit market. Higher wages could in turn help firms
attract and retain a skilled workforce or encourage qualified individuals to take essential
roles at firms.506 The principles-based features and scalable nature of QC 1000 described
above, as well as the 100-issuer threshold for some provisions, help mitigate this risk
because fewer resources will be required for firms based on those features.
b. Competition
The requirements could also cause firms to exit the public company audit market
or deter other firms from future entry. Entry deterrence could be exacerbated by the fact
that being registered with the PCAOB will subject firms to certain QC requirements even
if they do not perform engagements. Several commenters agreed that the proposed
requirements, if adopted, could impact competition. One commenter expressed concern

See Hayne, et al., Managing Quality Control.

There are some indications that retention and recruitment of staff is currently a challenge for audit
firms. See, e.g., Persellin, et al., Auditor Perceptions 95; AICPA Private Companies Practice
Section, 2021 PCPS CPA Top Issues Survey; AICPA, 2021 Trends: A Report on Accounting
Education, the CPA Exam and Public Accounting Firms’ Hiring of Recent Graduates (“AICPA
Trends Report”) (Apr. 2022).

that the incremental requirements of QC 1000 relative to other QC standards could lead
smaller high-quality firms to exit the market. One commenter asserted that the
certification requirement would be an especially significant driver of exit, particularly for
smaller firms. Some commenters suggested that the design requirement for scaledapplicability firms could lead some scaled-applicability firms to deregister with the
PCAOB or create a barrier to entry. One commenter added that the design requirement
for scaled-applicability firms could impact audit markets beyond the U.S. by creating a
disincentive for foreign firms to serve specific audit markets. Another commenter
suggested that further enhancing the scalability of QC 1000 may be helpful for smaller
firms to stay competitive. One commenter noted that QC 1000 requirements may serve as
an impediment to audit firm mergers and acquisitions and otherwise perturb market
activity. Correspondingly, less consolidation could mitigate concentration or help
preserve a competitive dynamic amongst firms. Nevertheless, the presence of fewer firms
could reduce competition in the public company audit market even in light of additional
scalability or fewer mergers and acquisitions. Some commenters said that some firms
may resign existing issuer clients or decline new ones to avoid incremental QC 1000
requirements for firms that issue more than 100 audit reports. This could lead to a further
reduction in competition for engagements that these firms would otherwise compete. This
reduction in competition would likely only apply to actual or potential issuer clients of
firms that are close to the 100-issuer threshold. As noted above, PCAOB staff analysis of
audit reports included in SEC filings indicates that, during the 2022 calendar year, the
number of firms currently around the 100-issuer threshold includes two NAFs that
audited between 80 and 100 issuers and two NAFs that audited between 100 and 120
issuers.

Confirming the widely held view that audit firms compete on price, some research
suggests that reduced competition is indeed associated with higher audit fees.507
However, any exit would likely be limited primarily to firms with small market shares
and to the smaller issuer or broker-dealer audit markets, which research suggests tend to
be competitive.508 For example, firms that would manage their client portfolio to avoid
incremental QC 1000 requirements would likely prefer to resign (or decline to accept)
smaller issuer clients than larger issuer clients. Moreover, some research suggests that
reduced competition may have a positive impact on audit quality because it curtails
issuers’ opportunity to opinion shop.509 Compounding this effect, the requirements may
further deter opinion shopping as a basis for competition to the extent they would
improve auditors’ compliance with professional standards. One commenter argued that
opinion shopping is not prevalent and any reduction in opinion shopping would be
minimal.

See, e.g., Joshua L. Gunn, Brett S. Kawada, and Paul N. Michas, Audit Market Concentration,
Audit Fees, and Audit Quality: A Cross-Country Analysis of Complex Audit Clients, 38 Journal of
Accounting and Public Policy 1 (2019).

While research generally has focused on competition for the largest public company audits and the
corresponding concentration amongst the largest audit firms, less is known about market forces
within the smaller audit firm market. However, some research has studied competitive aspects of
the smaller firm market. See, e.g., Tracy Ti Gu, Dan A. Simunic, Michael T. Stein, Minlei Ye, and
Ping Zhang, The Market for Audit Services: The Role of Market Power, 19 Journal of International
Accounting Research 3 (2020) (concluding that small public companies can potentially purchase
audit services from any audit firm and that the number of suppliers to small public companies is
relatively higher than the number of suppliers to large public companies); Kenneth L. Bills and
Nathaniel M. Stephens, Spatial Competition at the Intersection of the Large and Small Audit Firm
Markets, 35 Auditing: A Journal of Practice and Theory 23 (2016) (concluding that smaller and
larger firms compete locally in some cases); Andrew Kitto, Phillip T. Lamoreaux, and Devin
Williams, Do Entry Barriers Allow Low Quality Audit Firms to Enter the Public Company Audit
Market?, available on SSRN: https://ssrn.com/abstract=3572688(2023) (concluding that current
barriers to entry likely deter some audit firms from entering the audit market but that current
barriers fail to prevent entry by firms that are significantly lower quality compared to incumbent
firms); Brant Christensen, Kecia Williams Smith, Dechun Wang, and Devin Williams, The Audit
Quality Effects of Small Audit Firm Mergers in the United States, 42 Auditing: A Journal of
Practice & Theory 75 (2023) (concluding that audit quality decreases post-merger based on data
regarding mergers of very small audit firms).

See, e.g., Nathan J. Newton, Julie S. Persellin, Dechun Wang, and Michael S. Wilkins, Internal
Control Opinion Shopping and Audit Market Competition, 91 The Accounting Review 603
(2016); Nathan J. Newton, Dechun Wang, and Michael S. Wilkins, Does a Lack of Choice Lead to
Lower Quality? Evidence From Auditor Competition and Client Restatements, 32 Auditing: A
Journal of Practice & Theory 31 (2013).

c. Network resources
Some commenters expressed concern that the requirements could diminish the
availability of global network resources and that smaller firms around the world could
decline to assist U.S. firms in their global audits. One commenter added that this could be
detrimental to overall engagement quality. Several factors could mitigate this potential
unintended consequence. First, staff analysis of 2021 Form AP filings finds that 74% of
all audits (32% of Fortune 500 audits) do not use other auditors.510 Second, this potential
unintended consequence would likely be limited primarily to firms that lack the network
resources to implement QC 1000. One academic study finds that 94% of component
auditors identified on Form AP are affiliated with the principal auditor (99% when the
principal auditor is a GNF).511 Third, other auditors that do not play a substantial role on
any PCAOB engagement would be able to deregister with the PCAOB and continue to
perform their existing roles on the engagements. Fourth, the competitiveness of the
smaller issuer audit market suggests that principal auditors would be able to retain a
different component auditor of comparable quality. Finally, to the extent the requirements
would lead a firm to retain a lower-quality component auditor, existing PCAOB
standards related to audits involving other auditors could help mitigate the risk that the
new component auditor performs a low-quality component audit.512 It is possible that,
despite the requirements, firms may not improve compliance with applicable professional
and legal requirements when performing their engagements. For example, personnel
assigned to QC roles may adopt a perfunctory, “check the box” attitude toward
compliance. The firm’s risk assessment process and monitoring and remediation process

See PCAOB Rel. No. 2022-002, at Figure 2.

See William M. Docimo, Joshua L. Gunn, Chan Li, and Paul N. Nichas, Do Foreign Component
Auditors Harm Financial Reporting Quality? A Subsidiary-Level Analysis of Foreign Component
Auditor Use, 38 Contemporary Accounting Research 3113 (2021).

See, e.g., PCAOB Rel. No. 2022-002.

requirements, which require personnel assigned to QC roles to think proactively about the
reasonable assurance objective, could help to mitigate this risk. As another example,
engagement partners may overestimate the ability of their firm’s QC system to support
achievement of the reasonable assurance objective and relax their efforts to self-monitor
or monitor others. While QC 1000 centralizes responsibility for QC to a degree, other
requirements could mitigate this risk. For example, individual responsibility features
prominently in QC 1000 and PCAOB auditing standards emphasize the responsibility of
the engagement partner for the engagement and its performance.513
d. Accountability
Some commenters expressed concern that the accountability provisions of
QC 1000 could have potentially harmful unintended consequences. For example, one
commenter asserted that good faith actions with regard to supervisory responsibilities
could become subject to PCAOB enforcement. Some commenters suggested that the
roles and responsibilities requirements could reduce audit quality or increase costs by
creating a disincentive for the most qualified individuals to take on the specified roles.
One commenter noted that individual certification poses a potential threat of additional
liability and could affect the recruitment of talented individuals needed to fill critical
roles within firms. Another commenter noted that for firms with an issuer practice that
makes up a small portion of the overall practice, it can be difficult to find partners to fill
lead and engagement quality reviewer roles on engagements when those roles are subject
to a higher risk of individual enforcement actions.
The Board acknowledges that, in addition to positive consequences,
accountability can have negative consequences, such as disincentives from taking on QC

See, e.g., QC 1000.42a.(1); AS 1201.03. The Board has also proposed to clarify the engagement
partner’s existing responsibilities for supervision and review in AS 1201, AS 1215, and AS 2101
to provide more specificity about the engagement partner’s responsibility to exercise due
professional care related to supervisory and review activities required to be performed under
existing auditor requirements. See PCAOB Rel. No. 2023-001 at 15.

roles with greater accountability. One commenter suggested that the incorporation of
rewards into the firms’ accountability model could mitigate this potential unintended
consequence. QC 1000 contemplates that the firm’s compensation plans and performance
evaluations will appropriately incentivize firm personnel to fulfill their assigned
responsibilities514 and that firm leadership will be held accountable for quality, including
through their performance evaluations and compensation.515 Depending on the firm’s
specific quality risks, including the risk that qualified individuals may be unwilling to
take on QC roles, firms can incorporate both positive incentives (“carrots”) and negative
incentives (“sticks”) in the design of their incentive plans.
e. Scalability
One commenter expressed concern based on academic research that limiting the
applicability of certain requirements to firms of a certain size could give rise to audit
quality differences between larger and smaller firms. In general, the incremental
requirements for larger PCAOB audit practices are less suitable to smaller PCAOB audit
practices’ QC systems. For example, a smaller firm may not need an automated system to
track investments if it has a stable number of issuer clients and a small group of persons
subject to independence requirements. But if a smaller firm does not achieve its quality
objectives or the reasonable assurance objective, it will have to take remedial action,
which could include implementing some or all of the incremental QC system features that
are expressly required for larger PCAOB audit practices.
f. Design requirements under scaled applicability
Some commenters expressed concern that scaled-applicability firms could design
QC systems inappropriate for the future circumstances that would arise should the firm
eventually become a full-applicability firm. One commenter cited research that suggests

See QC 1000.44g.

See QC 1000.25b.

audit firm personnel designing a QC system to address hypothetical future circumstances
will need to overcome numerous cognitive biases.516 The Board believes this potential
unintended consequence is mitigated by QC 1000’s proactive approach. For example, the
firm will be required to establish policies and procedures to monitor, identify, and assess
changes to conditions, events, and activities that indicate modifications to the firm’s
quality objectives, quality risks, or quality responses may be needed. When such changes
are identified, the firm will be required to determine what, if any, modifications are
needed to make them on a timely basis. In effect, a scaled-applicability firm’s QC system
design should be appropriate for its circumstances in the event it becomes a fullapplicability firm.
g. Other potential unintended consequences
Because firms’ QC systems will likely operate over all of their engagements,
including those that are not subject to PCAOB standards, the engagement-level costs
discussed above could apply to those engagements as well. Moreover, one commenter
asserted that firms with a significant private company client base will be challenged by
different documentation retention policies based on client base since many aspects of QC
relate to the firm as a whole. Correspondingly, the requirements could improve
compliance on those engagements because they would be governed by more effective QC

See, e.g., Paul J.H. Schoemaker, Forecasting and Scenario Planning: The Challenges of
Uncertainty and Complexity, in Blackwell Handbook of Judgment & Decision Making, eds. D.J.
Koehler and N. Harvey, 274 (2004); Edward J. Joyce and Gary C. Biddle, Anchoring and
Adjustment in Probabilistic Inference in Auditing, 19 Journal of Accounting Research 120 (1981);
Noel Harding and Ken T. Trotman, Improving Assessments of Another Auditor’s Competence, 28
Auditing: A Journal of Practice & Theory 53 (2009); Byron J. Pike, Mary B. Curtis, and Lawrence
Chui, How Does an Initial Expectation Bias Influence Auditors’ Application and Performance of
Analytical Procedures?, 88 The Accounting Review 1413 (2013); Amos Tversky and Daniel
Kahneman, Judgment under Uncertainty: Heuristics and Biases, 185 Science 1124 (1974); Steven
M. Glover, James Jiambalvo, and Jane Kennedy, Analytical Procedures and Audit-Planning
Decisions, 19 Auditing: A Journal of Practice & Theory 27 (2000); Vicky B. Hoffman and Mark
F. Zimbelman, Do Strategic Reasoning and Brainstorming Help Auditors Change their Standard
Audit Procedures in Response to Fraud Risk?, 84 The Accounting Review 811 (2009); Tim D.
Bauer, Sean M. Hillison, Mark E. Peecher, and Bradley Pomeroy, Revising Audit Plans to Address
Fraud Risk: A Case of “Do as I Advise, Not as I Do”?, 37 Contemporary Accounting Research
2558 (2020).

policies and procedures. Indeed, one commenter said that requiring all firms to design a
QC system that complies with QC 1000 could have a beneficial impact on private
company audits.
Research on other quality management and enterprise risk management systems
suggests other potential unintended consequences. For example, research on ISO 9000
adoption indicates that it may reduce staff morale, stifle innovation, and require excessive
levels of documentation.517 The principles-based features and scalable nature of QC 1000
described above, as well as the 100-issuer threshold for some provisions, help mitigate
these concerns by providing firms the ability to design, implement, and operate policies
and procedures to support achievement of the reasonable assurance objective based on
their facts and circumstances.
ALTERNATIVES CONSIDERED
During the development of the requirements, the Board considered a number of
alternative approaches to address the need described above. This section explains: (1)
why standard setting is preferable to other policy-making approaches, such as providing
interpretive guidance or enhancing inspection or enforcement efforts; (2) why the chosen
standard-setting approach is preferable to other standard-setting approaches; and (3) key
policy choices made in determining the details of the standard-setting approach.
1. Why standard setting is preferable to another approach
As potential alternatives to standard setting, the Board considered whether
interpretive guidance or greater focus on inspections or enforcement could better address
the need described above.

See, e.g., John Seddon, Ten Arguments Against ISO 9000, 7 Managing Service Quality: An
International Journal 162 (1997); Bozena Poksinska, Jörgen AE Eklund, and Jens Jörn Dahlgaard,
ISO 9001:2000 in Small Organisations Lost Opportunities, Benefits and Influencing Factors, 23
International Journal of Quality & Reliability Management 490 (2006).

Interpretive guidance assists firms in the implementation of existing PCAOB
standards and rules and can advance audit quality by establishing a common
understanding of a firm’s obligations under PCAOB standards and rules. For example,
interpretive guidance may address, among other things, specific, common audit
deficiencies identified during PCAOB inspections and the applicable requirements under
PCAOB standards and rules. By contrast, as discussed above, some firms’ QC systems
appear to not be providing reasonable assurance of compliance generally. Moreover,
current PCAOB QC standards were developed decades ago in a very different audit
environment and have not been updated to reflect the risk-based, proactive approach to
QC that the Board believes would be most effective. Therefore, the Board believes
revisions to the current PCAOB QC standards are needed to require firms to make the
necessary enhancements to their QC systems to help drive compliance with professional
standards.
While the PCAOB will continue to address firms’ compliance with PCAOB
standards and rules through inspection and enforcement activities, QC standard setting
provides certain unique benefits. Firms’ QC systems operate over all aspects of all issuer
audits and broker-dealer engagements, whereas PCAOB inspections assess compliance
with only certain aspects of the issuer audits and broker-dealer engagements selected for
review. In addition, inspection and enforcement efforts take place after the engagement
has occurred and after investors and other financial statement users have potentially
suffered harm. Therefore, greater focus on inspecting and enforcing compliance with
PCAOB standards and rules may not be as effective as updating the QC standards and
amending other related standards.
2. Why the chosen standard-setting approach is preferable to other standardsetting approaches

QC 1000 shares the same basic structure as ISQM 1 and SQMS 1. The Board also
considered basing QC 1000 on a different quality management framework, such as
COSO or ISO 9001, or developing its own risk-based approach. The essential features of
these other quality management frameworks are broadly similar to ISQM 1 and SQMS 1.
For example, they typically are risk-based and focus on monitoring and remediating
deficiencies. However, ISQM 1 and SQMS 1 have the further advantage of being
specifically tailored to audit firms. Furthermore, an original risk-based approach would
likely include the same essential features as ISQM 1 and SQMS 1. Overall, the Board
believes that the benefits of basing QC 1000 on a different quality management
framework or an original PCAOB risk-based approach (e.g., improved compliance with
applicable professional and legal requirements) would be similar to the benefits of using
a structure similar to ISQM 1 and SQMS 1.
Basing QC 1000 on a different quality management framework or an original
PCAOB risk-based approach would likely be more costly. As highlighted above, the
Board expects that many firms are familiar with ISQM 1 or SQMS 1 and have made, or
will make, investments in their QC systems to comply with those requirements. Firms
may be less familiar with other quality management frameworks than they are with
ISQM 1 and SQMS 1. Basing QC 1000 on a different quality management framework or
an original PCAOB risk-based approach therefore would likely require additional effort
by firms to understand and apply the standard. Some firms may be required to employ or
engage persons with the necessary expertise in the particular quality framework to
facilitate appropriate implementation. While the largest firms may employ consultants
with this expertise, smaller firms may not, and acquiring or engaging the necessary
consultants could be costly. In addition, basing QC 1000 on a different quality
management framework or an original PCAOB risk-based approach may introduce an

element of regulatory complexity, which could both increase cost and detract from audit
quality for firms that would be required to comply with ISQM 1 or SQMS 1.518
3. Key policy choices
This section discusses several potential provisions that the Board decided against
including in QC 1000. These provisions relate to: (1) applicability; (2) the threshold for
incremental requirements; (3) firm governance structure; (4) self-assessment monitoring;
(5) in-process monitoring activities; (6) the evaluation and reporting dates; (7) reporting
the annual QC system evaluation; (8) certification of the annual evaluation; (9) public
reporting; and (10) audit committee communications.
a. Applicability
The discussion above explains the distinction between scaled applicability and
full applicability. The Board considered requiring all firms to design, implement, and
operate a QC system that meets the requirements only upon being required to comply
with applicable professional and legal requirements with respect to a firm engagement.
This approach would reduce the costs of the requirements to firms not performing
engagements by allowing them to defer the costs of designing their QC system. However,
scaled-applicability firms may reduce their costs under the approach by withdrawing
from PCAOB registration. Furthermore, any reduced costs would not address the risk that
firms could be unprepared to accept and perform engagements in compliance with
applicable professional and legal requirements.

One commenter suggested that the Board look at any lessons learned or studies published by the
IAASB or the AICPA related to their quality management standards to help inform any
refinements that might be needed or additional implementation guidance that might be useful for
adoption of QC 1000. As discussed above, the Board took into consideration actions by other
standard setters and requirements of their quality management standards in the development of QC
1000. PCAOB staff searched for studies but did not find any available. The recent effective date of
ISQM 1 on Dec. 15, 2022, and the forthcoming effective date of SQMS 1 on Dec. 15, 2025, may
explain a dearth of lessons learned or post-implementation studies published by IAASB or the
AICPA to date.

The discussion above also addresses commenters’ views on alternative
approaches to this key policy choice. For example, several commenters suggested
allowing scaled applicability firms to design a QC system that complies with ISQM 1.
One commenter suggested limiting the design requirements to acceptance and
continuance policies. One commenter suggested limiting the design requirement to firms
that satisfy an issuer client market capitalization criterion. While these alternative
approaches could reduce some of the costs to scaled-applicability firms associated with
designing their QC systems, they could also reduce the benefit of firms having a
PCAOB-compliant QC system ready for implementation and operation. Furthermore, as
discussed above, firms could avoid the costs of designing a QC system that complies with
QC 1000 by deregistering.
b. Threshold for incremental requirements
The incremental requirements that will apply only to firms that issued audit reports for
more than 100 issuers in the prior calendar year (e.g., requirements related to firm
governance structure) are discussed above. Several commenters suggested alternative
thresholds. For example, some commenters suggested the threshold should consider the
market capitalizations of issuer clients. One commenter suggested that the threshold
should consider the types of financial statements being audited.519 These alternative
approaches could help ensure QC 1000 is appropriately scalable to the facts and
circumstances of all firms. However, the Board believes there could be practical
challenges with implementing a more complex threshold. For example, market
capitalization can be volatile and would require PCAOB and firm resources to track.
Some firms may cross an issuer market capitalization threshold multiple times within a
short period of time. Issuer count, by contrast, aligns with Rule 4003, Frequency of

The commenter noted that a large percentage of their issuer audit counts consist of Form 11-K
audits, which have limited impact on the capital markets.

Inspections, is easier to track, and may not be as volatile as market capitalization. Finally,
while market capitalization may be a useful proxy for investor exposure to the issuers
audited by the firm, it would be a less useful proxy for the complexity of a firm’s QC
system.
c. Firm governance structure
Specified quality responses related to governance and leadership are discussed
above. The Board considered extending to all firms the requirement to incorporate into
their governance structure an external oversight function for the QC system composed of
one or more persons who are not principals or employees of the firm and do not
otherwise have a commercial, familial, or other relationship with the firm that would
interfere with the exercise of independent judgment regarding matters related to the QC
system. However, in light of the direct cost of such an oversight function, which could
disproportionately impact smaller PCAOB audit practices, and reflecting the Board’s
view that the public interest in such independent oversight is strongest in relation to the
largest firms, the requirement applies only to firms that issued audit reports with respect
to more than 100 issuers during the prior calendar year.
Some commenters suggested that more than one independent member of the
oversight function should be required. In support of this view, one commenter noted that
the independent member(s) would be in the minority and cited academic research
regarding audit committees that suggests oversight functions are more effective with a
greater proportion of independent members.520 Another commenter referred to a report
that cites survey research that suggests female directors improve corporate governance

See, e.g., F. Todd DeZoort, Dana R. Hermanson, Deborah S. Archambeault, and Scott A. Reed,
Audit Committee Effectiveness: A Synthesis of the Empirical Audit Committee Literature, 21
Journal of Accounting Literature 38 (2002); Jean Bédard and Yves Gendron, Strengthening the
Financial Reporting System: Can Audit Committees Deliver?, 14 International Journal of Auditing
174 (2010); Joseph V. Carcello, Dana R. Hermanson, and Zhongxia (Shelly) Ye, Corporate
Governance Research in Accounting and Auditing: Insights, Practice Implications, and Future
Research Directions, 30 Auditing: A Journal of Practice & Theory 1 (2011).

and that the positive influence is most significant when there are three or more female
directors.521 The same commenter suggested that the oversight function should have
public reporting responsibilities. Some commenters suggested that the independent
oversight member should have more control. The Board acknowledges the commenters’
views on the potential additional benefits of additional independent oversight
requirements. However, the Board is also sensitive to the costs of any additional
requirements, which several commenters suggested may be costly or difficult to fulfill.522
d. Self-assessment monitoring
The Board considered permitting individuals to perform monitoring procedures
over the same areas for which they are responsible. It decided against this approach
because the Board feels it would be inconsistent with the quality objective that
individuals who are assigned to perform activities within the QC system have the
objectivity to monitor work in accordance with applicable professional and legal
requirements and the firm’s policies and procedures.523 As emphasized above, this quality
objective is important for creating accountability within the firm to achieve the
reasonable assurance objective. Information gathered through PCAOB inspection
activities indicates that roughly 3% of firms inspected between 2018 and 2020 performed
self-assessments. This suggests that relatively few firms would be impacted by this policy
choice. The Board considered allowing self-assessment monitoring under certain
conditions to reduce costs for impacted firms but ultimately decided against it out of
concern that individuals may not be able to objectively assess their own work. In these

See The Conference Board, Maximizing the Benefits of Board Diversity: Lessons Learned from
Activist Investing at 13 (June 2020); Alison M. Konrad, Vicki W. Kramer, and Sumru Erkut,
Critical Mass: The Impact of Three or More Women on Corporate Boards, 37 Organizational
Dynamics 145 (2008).

See previous discussion on economic impacts above.

See QC 1000.44e.

circumstances, the firm may use other participants or third-party providers to perform
monitoring activities.
e. In-process monitoring activities
In-process monitoring activities are discussed above. The Board considered
extending the requirement to monitor in-process engagements to all firms but decided to
limit the requirement to firms that issue audit reports with respect to more than 100
issuers. The Board believes that differentiating a firm’s obligation based on the number
of issuer clients may be appropriate because, in the Board’s view, firms with larger, more
complex audit practices are generally subject to quality risks for which in-process
monitoring is an appropriate quality response. The Board also understands through
PCAOB oversight activities that the majority of smaller PCAOB audit practices do not
perform in-process monitoring activities and may lack the resources to do so. Therefore,
to balance these concerns, QC 1000 includes a “should consider” requirement to provide
sufficient scalability for firms that issue audit reports with respect to 100 or fewer issuers.
f. Evaluation and reporting dates
Several commenters suggested that QC 1000 should allow firms to choose their
own evaluation date. This alternative could reduce the cost of QC 1000 by allowing firms
to perform the evaluation when most convenient. For example, some firms could set their
QC 1000 evaluation date near their ISQM 1 evaluation date and use parts of their ISQM 1
evaluation for their QC 1000 evaluation. However, the information reported to the
PCAOB on Form QC would be less current and therefore less informative to the PCAOB
when it selects firms and engagements for inspection, inspection focus areas, and
inspection procedures. Tracking firms’ compliance with the evaluation requirements
could also be more challenging. In addition, the inherent differences between the
QC 1000 and ISQM 1 evaluations will require incremental effort from firms to comply
with QC 1000.

The Board initially proposed a November 30 evaluation date followed by 46 days
from the evaluation date to both report and document the QC system evaluation. This
timeline would provide the PCAOB with timely information to inform PCAOB oversight
activities. Some commenters expressed concern that a November 30 evaluation date
could present costs and other challenges because some firms have already chosen an
alternative evaluation date under ISQM 1 or because the timeframe for the evaluation
could conflict with some firms’ inspection cycles or business cycles and can encompass
holidays and religious observances. The Board was persuaded that a November 30
evaluation date could have led to unnecessary incremental resource demands during the
busy and holiday seasons. Accordingly, the Board instead required firms to adopt a
September 30 evaluation date as discussed above. Some commenters expressed concern
that 46 days would be insufficient to report on and document their evaluation. The Board
was persuaded that 46 days to report on and document the QC system evaluation could
have created unnecessary costs to firms. Therefore, under the final standard, a firm will
have 61 days to evaluate their QC system and an additional 14 days after the evaluation
to assemble their documentation.
g. Reporting the annual QC system evaluation
Firm reporting on the QC system evaluation is discussed above. One commenter
asserted that an explicit reporting requirement is unnecessary because the PCAOB
inspection process provides the Board and staff with any relevant contemporaneous
quality control information for both annual and triennially inspected firms. The Board
considered obtaining the annual QC system evaluation as part of the PCAOB inspection
process rather than an explicit reporting requirement. Under this alternative approach, the
evaluation would be less timely, structured, and consistent and likely would not inform
the PCAOB’s inspection approach as effectively, especially for triennial firms. It could
also diminish the beneficial incentive effect of mandatory reporting to the PCAOB. This

alternative approach could eliminate or reduce the costs to firms associated with
preparing a summary report of the firm’s QC system evaluation. In addition, if, under this
alternative approach, the privilege protections of section 105(b)(5) were determined to
apply to some or all of the information generated by the firm pursuant to QC 1000, that
could diminish the discoverability of such information in litigation, thereby decreasing
third-party litigation risk. However, this alternative approach would not address the lost
information value, particularly for the triennial firms.
The Board also considered requiring firms to report to the Board on Form QC
only when the firm identifies a major QC deficiency. This approach would reduce some
of the variable costs associated with preparing and transmitting Form QC to the PCAOB.
However, this approach would also reduce the value of Form QC to the PCAOB. For
example, reporting on unremediated QC deficiencies would inform various aspects of
PCAOB oversight activities, including focusing inspection resources on higher risk firms,
engagements, and focus areas; designing the nature and extent of inspection procedures,
both for QC processes and individual engagements; and making more refined data
requests from the firms. This alternative approach could also diminish the beneficial
incentive effect of mandatory reporting to the PCAOB.
Several commenters suggested that the PCAOB clarify that Form QC is submitted
under the PCAOB’s inspections authority, as a way of bestowing the confidentiality
protections of section 105(b)(5) upon the information provided therein. This would,
according to commenters, alleviate uncertainty about the extent to which information
submitted thereon may be subject to discovery or other disclosures, diminish a risk of
unwarranted legal exposure, and help place the information in the context of the ongoing
inspections dialogue. The Board acknowledges the commenters’ concerns about these
issues. However, as discussed above, QC 1000 is not an inspections rule; it is a QC
standard that places obligations on all registered firms regardless of their inspection status

(annual, triennial, or exempt), and as such the Board is not able to say that Form QC
information is necessarily submitted “in connection with an inspection” as would be
necessary to trigger the confidentiality protections of section 105(b)(5) of SarbanesOxley.
h. Certification of the annual evaluation
Some commenters requested that the Board specify a heightened legal standard
(e.g., recklessness) at which liability could be imposed on individuals for making a
certification that is later determined to be false, or create safe harbors for inevitable
system errors or the wrongful acts of others. As discussed above, the standard for liability
turns on the particular language of each statement in the certification: some statements
are subject to a negligence standard, while others (namely those with knowledge
qualifiers) give rise to liability only if the certifier knew that the statement was false or
recklessly did not know it was false. The Board acknowledges that alternative approaches
urged by commenters could have saved some costs. Specifically, limiting liability to
recklessness in all circumstances would provide individuals with comfort that their
decisions would not be second-guessed in litigation. This result may make the
performance of those services more efficient by removing an incentive to perform tasks
that are not directly related to quality. For example, individuals may be less incentivized
to engage in self-protective behaviors if a heightened legal standard (e.g., recklessness) is
imposed. In addition, more staff may be willing to take these roles (or to take them at a
lower price) if liability or workload would have been more limited by a heightened legal
standard.524 However, that approach would have attenuated the benefits sought to be
achieved by the certification requirement by removing the Board’s ability to hold

See Economic benefits – improved compliance with applicable professional and legal
requirements – above for a discussion of commenters’ concerns regarding increased liability or
workload associated with the roles as potential disincentives that may keep qualified individuals
from accepting the roles.

individuals accountable for conduct that fails to meet a reasonable person standard of
care.
i. Public reporting
The discussion above summarizes commenters’ views on public reporting about
firms’ QC systems and legal constraints on public disclosure that are imposed by
Sarbanes-Oxley. Some commenters suggested that the non-confidential portions of Form
QC could be made publicly available. Such public reporting could in principle provide
investors with additional information on audit quality and thereby help address the
problem discussed above. However, the Board believes that significant portions of Form
QC may be confidential. As a result, the non-confidential portions of Form QC could
have been misleading and difficult to compare across firms. Public reporting of nonconfidential portions of Form QC could also lead firms to be less candid in their Form
QC reporting and thereby diminish its value to the PCAOB. Some commenters also
expressed concern that any public reporting could be contrary to Sarbanes-Oxley. After
considering the benefits and costs of alternative approaches, including those identified by
commenters, the Board believes that firm reporting on Form QC should be nonpublic.
Several commenters suggested that QC 1000 should require firms to publicly
disclose information related to audit quality. As discussed above, the Board has proposed
separate rules related to firm and engagement metrics as well as firm reporting.525
j. Audit committee communications
Commenters’ views on potential required reporting to audit committees are
discussed above. The Board initially proposed to require the firm to discuss with the audit
committee the conclusion of the firm’s most recent annual evaluation of its QC system
and a brief overview of remedial actions taken and to be taken. This information could

See PCAOB Rel. No. 2024-002 and PCAOB Rel. No. 2024-003.

give audit committees greater insight into the quality of their auditor. Several
commenters were supportive of the proposed requirement. However, several other
commenters asserted that the information could be largely difficult to understand,
irrelevant to an individual audit committee, and potentially inconsistent with SarbanesOxley. Furthermore, one commenter noted research and expressed concern that
disclosure regarding the annual QC system evaluation to the audit committee only could
enable audit committees to shop for lower-quality auditors.526 Similarly, another
commenter expressed concern with an approach that would provide mandatory disclosure
to audit committees but not to investors and the public. As discussed above, the Board
determined not to adopt the proposed amendments to AS 1301 after consideration of the
comments received.
SPECIAL CONSIDERATIONS FOR EMERGING GROWTH COMPANIES
Pursuant to section 104 of the Jumpstart Our Business Startups (“JOBS”) Act,
rules adopted by the Board subsequent to April 5, 2012, generally do not apply to the
audits of emerging growth companies (“EGCs”), as defined in section 3(a)(80) of the
Exchange Act, unless the SEC “determines that the application of such additional
requirements is necessary or appropriate in the public interest, after considering the
protection of investors and whether the action will promote efficiency, competition, and
capital formation.”527 As a result of the JOBS Act, the rules and related amendments to
PCAOB standards that the Board adopts are generally subject to a separate determination
by the SEC regarding their applicability to audits of EGCs.

See, e.g., Melissa Carlisle, Wei Yu, and Bryan K. Church, The Effect of Small Audit Firms’
Failure to Remediate the PCAOB’s Quality Control Criticisms on Audit Market Segmentation, 41
Journal of Accounting and Public Policy 1 (2022).

See Pub. L. No. 112-106 (Apr. 5, 2012). Section 103(a)(3)(C) of Sarbanes-Oxley, 15 U.S.C.
7213(a)(3)(C), as added by section 104 of the JOBS Act, also provides that any rules of the Board
requiring (1) mandatory audit firm rotation or (2) a supplement to the auditor’s report in which the
auditor would be required to provide additional information about the audit and the financial
statements of the issuer (auditor discussion and analysis) shall not apply to an audit of an EGC.
None of the rules and amendments would fall within either of these two categories.

To inform consideration of the application of PCAOB standards to audits of
EGCs,528 PCAOB staff prepares a white paper annually that provides general information
about characteristics of EGCs.529 As of the November 15, 2022, measurement date, there
were 3,031 companies530 that self-identified as EGCs and filed audited financial
statements with the SEC between May 16, 2021, and November 15, 2022, that included
an audit report signed by a firm. Of the 263 registered firms that audited EGCs, 227 firms
(or 86%) performed audits for both EGC and non-EGC issuers.531 Approximately 98% of
EGCs were audited by these 227 firms.532
PCAOB staff also gathered information on Part I.A deficiencies for the audits of
EGCs between 2013 and 2022. Figure 6 presents the percentage of inspected EGC and
non-EGC issuer audits having at least one Part I.A deficiency. The data suggest that Part
I.A deficiencies are even more common among audits of EGCs, raising questions about
whether QC systems of firms that audit EGCs are effective in preventing audit
deficiencies for these types of audit engagements.

Figure 6. Percentage of Inspected EGC and Non-EGC Issuer Audits Having at
Least One Part I.A Deficiency (2013-2022)

This analysis of the impact on EGCs is provided to assist the SEC in making the determination
required under section 104 to the extent that the requirements apply to “the audit of any emerging
growth company” within the meaning of section 104 of the JOBS Act.

See PCAOB, Characteristics of Emerging Growth Companies and Their Audit Firms at November
15, 2022 (Feb. 20, 2024) (“EGC White Paper”), available at https://assets.pcaobus.org/pcaobdev/docs/default-source/economicandriskanalysis/projectsother/documents/white-paper-oncharacteristics-of-emerging-growth-companies-as-of-nov-15-2022.pdf?sfvrsn=a8294f3_2.

The EGC White Paper uses a lagging 18-month window to identify companies as EGCs. Please
refer to the “Current Methodology” section in the EGC White Paper for details. Using an 18month window enables PCAOB staff to analyze the characteristics of a fuller population in the
EGC White Paper but may tend to result in a larger number of EGCs being included for purposes
of the present EGC analysis than would alternative methodologies. For example, an estimate using
a lagging 12-month window would exclude some EGCs that are delinquent in making periodic
filings. An estimate as of the measurement date would exclude EGCs that have terminated their
registration or that have exceeded the eligibility or time limits.

See EGC White Paper, at 17.

See id.

60%
50%
40%
30%

EGC
Non-EGC

20%
10%
0%
2013 2014 2015 2016 2017 2018 2019 2020 2021 2022

In general, any new PCAOB standards and amendments to existing standards
determined not to apply to the audits of EGCs would require auditors to address differing
requirements within their methodologies or policies and procedures with respect to audits
of EGCs and non-EGCs, which would create the potential for confusion. This may not be
practical in the context of the QC standards; while some components of the QC system
(such as engagement monitoring) may enable different approaches for audits of EGCs
compared to audits of other companies, other elements (for example, resources and
governance and leadership) are necessarily firm-wide and cannot easily be differentiated
for different types of audits. Even where differentiation is possible, maintaining separate
QC system components for EGC and non-EGC audits and separate methodologies with
respect to, for example, auditor obligations with respect to deficiencies in completed
engagements and foundational ethics requirements, may add cost or lead to confusion,
and could run counter to the objective of integrating QC practices into a single virtuous
cycle of risk assessment, monitoring, and remediation. These methodology and QC
system differentiation costs would affect at least the 227 registered firms that audit both
EGCs and non-EGCs and that, collectively, audit approximately 98% of EGCs.

The discussion of economic impacts of the requirements is generally applicable to
the audits of EGCs. In particular, the benefits to financial reporting quality articulated
above may be especially pertinent for EGCs, including improved efficiency of capital
allocation, lower cost of capital, and enhanced capital formation. EGCs tend to be smaller
and have a shorter SEC financial reporting history than the broader population of

public companies. Academic research suggests that, for several reasons, smaller public
companies tend to exhibit greater information asymmetry between management and
investors.534 Accordingly, EGCs are likely to exhibit greater information asymmetry
between management and investors and hence the importance of the external audit to
investors in enhancing the credibility of EGC financial reporting may be more
pronounced.
The requirements could impact competition in an EGC product market if the
indirect costs to audited companies of the requirements disproportionately impact the
EGCs relative to their competitors. EGCs may be forced to raise prices, thereby diverting
market share toward their competitors. This could increase competition in markets where
EGCs have a dominant market share and decrease competition in markets where EGCs
have a less than dominant market share. The potential impact to competition in EGC
product markets would be reduced to the extent EGC auditors will already be required to
comply with ISQM 1 or SQMS 1 or otherwise would choose not to pass on incremental
costs arising from the requirements in the form of higher audit fees.

See EGC White Paper, at Figure 9 and Figure 12 (indicating that exchange-listed EGCs have
lower market capitalization and revenue than exchange-listed non-EGCs).

For example, smaller public companies tend to have less analyst coverage and a greater share of
insider holdings. See, e.g., Raymond Chiang and P. C. Venkatesh, Insider Holdings and
Perceptions of Information Asymmetry: A Note, 43 Journal of Finance 1041 (1988); Ravi
Bhushan, Firm Characteristics and Analyst Following, 11 Journal of Accounting and Economics
255 (1989).

The proposal sought comment on the applicability of the proposed requirements
to audits of EGCs. Some commenters agreed that the proposed requirements should apply
to the audits of EGCs.
Accordingly, and for the reasons explained above, the Board requests that the
Commission determine that it is necessary or appropriate in the public interest, after
considering the protection of investors and whether the action will promote efficiency,
competition, and capital formation, to apply QC 1000 and the related amendments to
Board standards, rules, and forms to audits of EGCs.
III.

Date of Effectiveness of the Proposed Rules and Timing for Commission
Action
Within 45 days of the date of publication of this notice in the Federal Register or

within such longer period (i) as the Commission may designate up to 90 days of such date
if it finds such longer period to be appropriate and publishes its reasons for so finding; or
(ii) as to which the Board consents, the Commission will:
(A) By order approve or disapprove such proposed rules; or
(B) Institute proceedings to determine whether the proposed rules should be
disapproved.
IV.

Solicitation of Comments
Interested persons are invited to submit written data, views and arguments

concerning the foregoing, including whether the proposed rules are consistent with the
requirements of Title I of the Act. Comments may be submitted by any of the following
methods:
Electronic comments:
•

Use the Commission’s internet comment form (https://www.sec.gov/rules/pcaob); or

•

Send an email to rule-comments@sec.gov. Please include PCAOB-2024-02 on the
subject line.

Paper comments:
•

Send paper comments in triplicate to Vanessa A. Countryman, Secretary, Securities
and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to PCAOB-2024-02. This file number should be included
on the subject line if email is used. To help the Commission process and review your
comments more efficiently, please use only one method. The Commission will post all
comments on the Commission’s internet website (https://www.sec.gov/rules/pcaob).
Copies of the submission, all subsequent amendments, all written statements with respect
to the proposed rules that are filed with the Commission, and all written communications
relating to the proposed rules between the Commission and any person, other than those
that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552,
will be available for website viewing and printing in the Commission’s Public Reference
Room, 100 F Street, NE, Washington, DC 20549, on official business days between the
hours of 10 a.m. and 3 p.m. Copies of such filing will also be available for inspection and
copying at the principal office of the PCAOB. Do not include personal identifiable
information in submissions; you should submit only information that you wish to make
available publicly. We may redact in part or withhold entirely from publication submitted
material that is obscene or subject to copyright protection. All submissions should refer
to PCAOB-2024-02 and should be submitted on or before [INSERT DATE 21 DAYS
AFTER DATE OF PUBLICATION IN THE FEDERAL REGISTER].

For the Commission, by the Office of the Chief Accountant.535

Vanessa A. Countryman,
Secretary.

[FR Doc. 2024-12692 Filed: 6/10/2024 8:45 am; Publication Date: 6/11/2024]

17 CFR 200.30-11(b)(1) and (3).