The PCAOB has just released a new resource for audit committees about critical audit matters, designed to "inform audit committees as they engage with their auditors on the new CAM requirements." The new auditing standard for the auditor's report (AS 3101), which requires CAM disclosure, will be effective for audits of large accelerated filers for fiscal years ending on or after June 30, 2019. For audits of all other companies to which they apply (e.g., not EGCs), CAM requirements will be effective for fiscal years ending on or after December 15, 2020. The resource document provides information about CAM basics, as well as PCAOB staff guidance through responses to FAQs and, importantly, questions audit committees could consider asking their auditors. At the same time, the PCAOB also issued a new resource about CAMs for investors.

As you may recall, CAMs are defined as "matters communicated or required to be communicated to the audit committee and that: (1) relate to accounts or disclosures that are material to the financial statements; and (2) involved especially challenging, subjective, or complex auditor judgment." Essentially, the concept is intended to capture the matters that kept the auditor up at night, so long as they meet the standard's criteria. According to the resource document, CAM disclosure is designed to "make the auditor's report more informative and relevant to investors and other financial statement
users. CAMs are intended to provide tailored information specific to the
audit—from the auditor's point of view—on matters that require especially
challenging, subjective, or complex auditor judgment." For each CAM, the auditor is required to identify the CAM, describe the principal considerations that led to the determination that the matter was a CAM, describe how the CAM was addressed in the audit, and refer to the relevant financial statement accounts or disclosures that relate to the CAM.

FAQs

Below is a summary of the staff FAQs:

  • Audit committee communications. The new requirement of the auditor to communicate CAMs should not change required audit committee communications, other than a new requirement for the auditor to provide and discuss with the audit committee a draft of the auditor's report. The information should not be a surprise to the committee because matters that will be disclosed as CAMs should have already been discussed with the audit committee.
  • Role of committee in CAMs. The audit committee does not have a role in determining and approving CAM communications—no veto power. Rather, CAMs are "the sole responsibility of the auditor," and the purpose of the CAM requirement is "to elicit more information about the audit directly from the auditor." The auditor is, however, required to share with the audit committee the draft auditor's report, which includes any CAMs, and, if there is any sensitive information that might be included in the CAM communication, the auditor "could discuss with management and the audit committee the treatment of any sensitive information."

SideBar

In remarks before the American Institute of CPAs in 2017, then-SEC Chief Accountant Wesley Bricker provided some advice as to what audit committees should expect from their auditors with regard to discussion about CAMs:

"expectations for timely, ongoing communication will continue to be an important element to the auditor-audit committee relationship as the auditors implement this new auditor reporting standard. In that regard, audit committees should have reasonable expectations that auditors prepare to take members through the application of the standard on their engagement. For example, what would the critical audit matters be this year? What would be the close calls? When could those matters have been raised, and which ones could have been identified at the start of the audit cycle? What does the auditor expect to say about those matters? When would we expect to see a draft report or at least a draft of the critical audit matters? These are illustrative examples of the communication planning and expectation setting that audit committee members may wish to consider as part of the transition period."

As discussed in this PubCo post, because the selection of and disclosure regarding CAMs will certainly present a challenge for both auditors and audit committees, auditors have been taking steps to prepare for the change, including conducting "dry runs" to get a better handle on how the new CAM disclosures will look and how the process will affect financial reporting. As reported in Compliance Week, Bricker said that there are certainly "possibilities of material disagreements....We have a system designed to resolve those situations, but it's better to know what those areas are so they can be resolved over the course of preparing the information, so the end product reflects the trio of voices—management, audit committee, and auditors—with as much consistency and clarity as the three can work out." The dry run process, he said, has helped to ensure that the information communicated to investors reflects "the best calibration of the requirements."

The prospect of CAM disclosures may drive audit committees and managements to revisit the company's own disclosures. Why? Because, generally, audit committees and managements much prefer that the company get a jump on the disclosure so that the auditors will not need to resort to the creation of original material and the company can best frame the discussion from its own perspective. The Center for Audit Quality cautions, however, that any "modifications of a company's disclosures should be based on management's reporting requirements and should be independent of the auditor's identification of CAMs." (See this PubCo post.)

 

  • No negative implication. Communication of a CAM is intended to be informative to investors and is not necessarily intended to indicate that there was a misstatement in the financial statements, a deficiency in internal control over financial reporting or otherwise reflect negatively on the company. In addition, a "CAM also does not alter the auditor's opinion on the financial statements, and the auditor is not providing a separate opinion on the CAM, or on the accounts or disclosures to which they relate."
  • No minimum. There is no requirement that any minimum number of CAMs be disclosed, and some companies' auditors may even report no CAMs at all. The number will "depend on the nature and complexity of each company's audit," and "not every matter discussed with the audit committee will necessarily be a CAM."
  • Audit procedures. With regard to CAMs, the only new audit procedures are the requirements to determine, communicate and document CAMs, including the requirement to document the basis for determining whether a matter was or was not a CAM. There are no other new required audit procedures.
  • Audit-specific. The requirements for determining CAMs are principles-based. As a result, why a matter is a CAM and how it is addressed will be audit-specific, depending on the facts and circumstances of each company and each audit. There are no CAMs prescribed for particular industries, although there may be similarities among CAMs within industries—or not.
  • Consistency across years. CAMs are not expected to be the same each year: "Depending on the circumstances, some matters may be considered CAMs each year, while others may not." For example, implementation of a new accounting standard may be a CAM in the first year if it required especially challenging, subjective or complex auditor judgment, but in the next year, it may not require that type of judgment or it could require that type of judgment (and be a CAM) for a different reason.
  • Significant events. Because the requirements for determining CAMs are principles-based and depend on the facts and circumstances of each audit, significant events, such as cybersecurity breaches, may or may not be CAMs. If a significant event affects the financial statements and becomes the subject of communications between the auditor and the audit committee, the auditors will evaluate the event to determine if it is a CAM, taking into account the impact of the event on the audit and the nature and extent of the audit response required.

SideBar

In other PCAOB staff guidance, A Deeper Dive on the Determination of CAMs, the staff advised that events of this type—natural disasters, cybersecurity breaches, significant changes in regulations, standards, government policy or the economic or business environment—are sometimes the subject of communications between the auditor and the audit committee, leading auditors to consider the impact on the audit and the audit response. The example the staff provides is of a cybersecurity breach that targets the company's general ledger system, which could affect specific accounts or could be pervasive. With regard to CAM determination, the auditors would assess the impact of the breach on the financials and the audit. (See this PubCo post.)

  • CAMs and CAEs. Critical accounting estimates and CAMs may overlap, but they are not congruent. Under SEC interpretation, CAEs are estimates to be discussed in MD&A where the "nature of the estimates or assumptions is material because of the levels of subjectivity and judgment needed to account for matters that are highly uncertain or susceptible to change[, and the] effect of the estimates and assumptions is material to the financial statements." The source of CAMs is broader, including all matters communicated or required to be communicated to the audit committee, and matters that are not CAEs may be determined to be CAMs.
  • Disclosures not in the financial statements. CAMs, by definition, must relate to financial statement accounts or disclosures; however, company disclosures outside of the financial statements may be relevant to a CAM communication. Ordinarily, the auditor would not include in the CAM description information about the company that had not been made publicly available by the company unless the information was "necessary to describe the principal considerations that led the auditor to determine that a matter is a CAM or how the matter was addressed in the audit." However, public disclosures by the company outside the financials can be used in the CAM description. Information is considered publicly available if it has been disclosed in any type of public communication, whether within or outside the financial statements, including SEC filings, press releases and other public statements.
  • CAMs and KAMs. CAMs are similar, but not identical, to Key Audit Matters (KAMs), which are used in the International Auditing and Assurance Standards Board (IAASB)'s standard. Although both use auditor communications with the audit committee as the starting point, KAMs focus on matters that were of most significance during the audit, while CAMs look at matters involving especially challenging, subjective or complex auditor judgment related to material financial statement accounts or disclosures. So CAMs and KAMs may or may not identify the same matters.
  • PCAOB's next steps. The PCAOB expects to monitor and analyze implementation in three stages and may issue additional guidance.
    • Once initial implementation begins in June, the PCAOB will perform an interim analysis of stakeholders' experiences with CAMs after engaging with stakeholders, including auditors, investors, financial statement preparers and audit committee members. Feedback can be provided by contacting the PCAOB Stakeholder Liaison.
    • After the changes have been implemented starting in the second half of 2019, to promote compliance, the PCAOB will inspect audit firms, and expects to include its preliminary observations in subsequent report.
    • After a reasonable period of time following the completion of implementation in December 2020, the PCAOB will conduct a another review "to analyze the effectiveness of the new requirements, and reevaluate costs and benefits of the new standard, including any unintended consequences, to understand the overall impact on investors, the audit profession, public companies, and other users of the financial statements."

Questions Audit Committees Could Consider Asking their Auditors

The PCAOB has provided some sample questions for audit committees to consider—in their discretion—asking their auditors about CAM implementation, copied below:

  • "What has the audit firm done to prepare for the identification and communication of CAMs in the auditor's report?
  • Does the audit firm have a methodology, practice aids, or other training available to its auditors?
  • Has the audit firm done any dry runs? If so:
    • What did the audit firm learn as a result of the dry runs?
    • Were there any matters considered to be "close calls," but ultimately not identified as a CAM during the firm's dry run? What was the thought process behind the final determination?
  • Were our CAMs similar or different from our industry peers?
    • What is the nature of the differences (or similarities)?
  • Has the audit team discussed with management how and by whom any investor or stakeholder question regarding CAMs will be addressed?"

See also this PubCo post and this PubCo post regarding publications from the CAQ discussing some lessons learned from early dry runs of CAM communications conducted by auditors in advance of the implementation date as well as common questions and responses for audit committee members to consider in developing their understanding of the requirements, designed to facilitate the dialogue between auditors and audit committees regarding CAMs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.