United States: PCAOB Provides Guidance On CAMs

Last Updated: April 17 2019
Article by Cydney Posner

Coming soon to a financial statement near you: CAMs! Late this summer, in audit reports for large accelerated filers with June 30 fiscal year ends, auditors will begin to disclose "critical audit matters." Under the new auditing standard for the auditor's report (AS 3101), CAMs are defined as "matters communicated or required to be communicated to the audit committee and that: (1) relate to accounts or disclosures that are material to the financial statements; and (2) involved especially challenging, subjective, or complex auditor judgment." Essentially, the concept is intended to capture the matters that kept the auditor up at night, so long as they meet the standard's criteria. Compliance will be required for audits of large accelerated filers for fiscal years ending on or after June 30, 2019, and for audits of all other companies to which the requirement apply (not EGCs) for fiscal years ending on or after December 15, 2020. With that in mind, the PCAOB has released three new documents offering guidance on CAM implementation: The Basics; A Deeper Dive on the Determination of CAMs; and Staff Observations from Review of Audit Methodologies. (See also thecorporatecounsel.net blog and this article in ComplianceWeek.)

You may remember that the PCAOB requirement to disclose CAMs in audit reports was approved in 2017 after many years of self-examination, meditation, rumination, reflection, cogitation, outreach, discussion, debate and deliberation about the concept of the audit report. Following the financial crisis of 2008, the fact that clean audit reports were given to a number of failed or failing companies, together with the lack of transparency in the current form of audit report, led to a demand for a new look at whether the pass/fail report model might be improved; the current model has long been disparaged as just boilerplate that doesn't really convey to investors any of the auditor's insight into judgment calls and business risks. In 2011, the PCAOB sought to address this concern in a Concept Release by floating various alternatives, principle among them the "auditor's discussion and analysis." (See this Cooley news brief.) But the ADA concept was widely criticized because, among other things, it was viewed as "fundamentally changing the auditor's current role from attesting on information prepared by management to providing an analysis of financial statement information," thus causing the auditors to step into a role of management. After a number of proposals and reproposals, the final standard was adopted. Then SEC Commissioner Kara Stein observed in her statement on approving the new standard that it "marks the first significant change to the auditor's report in more than 70 years."

In "The Basics," the staff of the PCAOB runs through the "basic" provisions of the rule at a high level. No surprises here. The PCAOB summarizes how CAMs are determined, provides the required introductory language, outlines the documentation necessary (particularly in connection with matters determined not to be CAMs), as well as the required communications with the audit committee. (For a summary of the requirements in the adopting release, see this PubCo post.)

In "Deeper Dive," the staff delves further into the subject of CAM determinations, first observing that "CAMs are required to relate to accounts or disclosures that are material to the financial statements. Materiality is not solely based on quantitative factors; it also reflects qualitative factors." For example, a potential loss contingency might be a CAM, but not if the likelihood was determined to be remote and it was not recorded in the financial statements; in that case it would "not relate to an account or disclosure that is material to the financial statements." A potentially illegal act could be qualitatively material (and potentially a CAM), even if the amounts involved were not quantitatively material, so long as there was an accrual or disclosure in the financial statements. A CAM could also relate to many accounts or disclosures and have a pervasive effect on the financial statements, such as in the event of a potential going-concern qualification.

The staff also runs through a number of FAQs, as summarized below:

  • It's all relative. The staff notes that the "standard uses the word 'especially,' instead of 'most' as originally proposed, to convey more clearly that there could be multiple CAMs and that matters are assessed on a relative basis within the specific audit." Each of the specific criteria in the definition are to be considered individually and in combination. The description of the CAM should be specific and discuss why the auditor determined that the matter was a CAM—what especially challenging, subjective or complex auditor judgments were implicated.
  • Consistency across auditors? Although the requirements for determining CAMs are principles-based and fact-specific, some issues inherently fit the bill, regardless of the auditor. For example, the staff observes, "[b]y their nature, accounting estimates generally involve subjective assumptions and measurement uncertainty and may involve complex methods." That's generally the case with estimates regardless of the characteristics of the auditor, according to the staff. However, other matters may well reflect differences in auditor judgments.
  • Consistency across years? That depends on the circumstances. Some issues may meet the definition every year, while others my occur only in one year, for example, implementation of a new accounting standard or accounting for a significant unusual transaction. Some may be CAMs sporadically, such as the audit of deferred tax assets accounts and disclosures when the auditor is required to assess the company's ability to use NOL carryforwards.
  • Evaluation of events related to overall business or the economic or regulatory environment. Events of this type—natural disasters, cybersecurity breaches, significant changes in regulations, standards, government policy or the economic or business environment—are sometimes the subject of communications between the auditor and the audit committee, leading auditors to consider the impact on the audit and the audit response. The example the staff provides is of a cybersecurity breach that targets the company's general ledger system, which could affect specific accounts or could be pervasive. With regard to CAM determination, the auditors would assess the impact of the breach on the financials and the audit.
  • Internal control weaknesses or deficiencies. The evaluation of control weaknesses or deficiencies are not, by themselves, CAMs because they do not relate to a financial statement account or disclosure. However, in light of the possibility of material misstatements of account balances or disclosures resulting from a control weakness or deficiency, the audit response to the deficiency or weakness could involve especially challenging, subjective or complex auditor judgment and could be a CAM. In describing the related CAM, if "a significant deficiency was among the principal considerations in determining that a matter was a CAM, the auditor would describe the relevant control-related issues over the matter in the broader context of the CAM without using the term 'significant deficiency.' For material weaknesses, unlike significant deficiencies, there is reporting by the company, so there would be no sensitivity around using that term in a CAM description if referring to the existence of a material weakness was responsive to the requirements for CAM communication."
  • CAMs and critical accounting estimates. CAEs (estimates to be discussed in MD&A because high levels of subjectivity or uncertainty make them material or subject to change or the effect on the financials is material) and CAMs may overlap, but they are not congruent. The source of CAMs is broader, and matters that are not CAEs may be determined to be CAMs.
  • "Significant risks" as CAMs. These two matters may also overlap but are not the same. Among the factors to be considered by the auditor in determining whether a matter is a CAM is the auditor's assessment of the risks of material misstatement, including significant risks. However, if responding to a significant risk did not involve especially challenging, subjective or complex auditor judgment, that response would not be a CAM. And, while audit responses to risks of material misstatement may not amount to "significant risks," they could still meet the CAM definition, "particularly when the risks relate to areas in the financial statements which involve greater degrees of judgment and estimation."
  • Audit strategy and CAMs. While decisions and changes to audit strategy may not themselves be CAMs, they could be indicative of CAMs and included in the description of how the auditor addressed the CAM, such as the degree of auditor judgment, the extent of audit effort or the nature of the audit evidence.
  • Disclosures not in the financial statements and CAMs. CAMs, by definition, must relate to financial statement accounts or disclosures. Ordinarily, the auditor would not include in the CAM description information about the company that had not been made publicly available by the company unless the "information is necessary to describe the principal considerations that led the auditor to determine that a matter is a CAM or how the matter was addressed in the audit." However, public disclosures by the company outside the financials can be used in the CAM description.


As discussed in this PubCo post, because the selection of and disclosure regarding CAMs will certainly present a challenge for both auditors and audit committees, auditors have been taking steps to prepare for the coming change, including conducting "dry runs" to get a better handle on how the new CAM disclosures will look and how the process will affect financial reporting. To provide some lessons learned from these early dry runs and enhance the understanding of audit committees, auditors and other participants in the process, the Center for Audit Quality has published Critical Audit Matters: Lessons Learned, Questions to Consider, and an Illustrative Example. What does the CAQ tell us about the first lessons learned from these dry runs?

  • The principles-based process of determining which matters are CAMs involves "significant auditor judgment." The auditor's exercise of that judgment will be affected by a number of different factors, with the result that the determination of which matters amount to CAMs will be "unique to each audit."
  • To avoid surprises, communication among the auditor, audit committee and management should occur early and often. As discussed in this PubCo post, the prospect of CAM disclosures may drive audit committees and managements to revisit the company's own disclosures. Why? Because, generally, audit committees and managements much prefer that the company get a jump on the disclosure so that the auditors will not need to resort to the creation of original material and the company can best frame the discussion from its own perspective. The CAQ cautions, however, that any "modifications of a company's disclosures should be based on management's reporting requirements and should be independent of the auditor's identification of CAMs."
  • The process will take substantial time, and auditors and other participants in the process need to build appropriate time into the schedule, taking into account the necessity of discussions of draft CAM communications with management and the audit committee "well in advance of when the auditor's report is to be issued."
  • A key lesson learned is that drafting "informative, but not overly technical" CAM disclosure is not easy, particularly with regard to achieving "the right balance between the CAM description in the auditor's report and information in the company's disclosures, to convey concisely the essence of why a matter is a CAM, and to describe how the CAM was addressed in the audit."

As discussed further in the post, to facilitate the dialogue between auditors and audit committees regarding CAMs, the CAQ has developed a list of questions and responses for audit committee members to consider in developing their understanding of the requirements.

In "Staff Observations," the PCAOB staff has reviewed CAM methodologies and materials submitted by 10 US audit firms (collectively auditing approximately 85% of large accelerated filers), and provides some insights gleaned from that review. Generally, the observations cautioned auditors to be specific in their disclosures and not to view the new standard too narrowly. Auditors were advised:

  • Not to exclude any audit committee communication from the population of potential CAMs.
  • In determining CAMs, to consider, in addition to the six factors identified in the standard (see this PubCo post), other factors specific to the audit, as provided in the standard.
  • To be specific in describing the principal considerations that led to the CAM determination—not just that the matter was especially challenging etc., but why it involved especially challenging, subjective or complex auditor judgment.
  • When describing how a matter was addressed in the audit, to tailor discussion to the specific audit and the specific matter and to avoid standardized language. For example, instead of a general reference to internal control testing, the auditor should "describe the testing of the relevant controls."


As reported by Bloomberg BNA, SEC Chair Jay Clayton, commenting in 2017 on the new CAM requirement in the auditor's report, observed that "if it results in boilerplate, I'll be really bummed out." The PCAOB's admonition here to be specific is surely intended to discourage any lapses into the much-feared boilerplate. Commenters on the proposed standard had indeed raised doubts regarding, among other things, the usefulness of the information in CAMs, particularly the concern that they would fall into overly standardized prose. The SEC acknowledged that, as with "Risk Factors," standardization was a possibility, but contended that the narrower definition of CAMs and related disclosure requirements should mitigate that risk. Notably, an earlier PCAOB staff study of expanded auditor reporting in the UK did not find standardization, at least for the first year of implementation: "the descriptions of the risks of material misstatement in the auditor's reports in the first year of implementation were not presented in standardized language, but included variations in content length, description, and presentation. The most frequently described risk topics related to revenue recognition, tax, and goodwill and intangible assets." (See this PubCo post.)

  • To recognize that the communication can refer to both the relevant financial statement account and the relevant disclosure; they are not necessarily alternatives.
  • To recognize that "publicly available" information, which may be included in the CAM description, may include information made public by the company outside the financial statements.
  • To recognize that, although the auditor is required to provide a draft of the CAM to the audit committee and is expected to discuss the draft with the committee, "CAMs are the responsibility of the auditor—not the audit committee."


Although the CAM adopting release suggested that the process related to CAM disclosure would be an iterative one between the company and the auditors, the level of input the auditors will allow audit committees or managements in reviewing the auditors' selection or disclosure remains an open question. In his remarks before the American Institute of CPAs in 2017, SEC Chief Accountant Wesley Bricker provided some advice as to what audit committee should expect from their auditors in that regard:

"expectations for timely, ongoing communication will continue to be an important element to the auditor-audit committee relationship as the auditors implement this new auditor reporting standard. In that regard, audit committees should have reasonable expectations that auditors prepare to take members through the application of the standard on their engagement. For example, what would the critical audit matters be this year? What would be the close calls? When could those matters have been raised, and which ones could have been identified at the start of the audit cycle? What does the auditor expect to say about those matters? When would we expect to see a draft report or at least a draft of the critical audit matters? These are illustrative examples of the communication planning and expectation setting that audit committee members may wish to consider as part of the transition period."

"Dry runs" and an iterative process may help to mitigate the possibility of auditor/client disagreements about CAMs. As reported in Compliance Week, Wes Bricker, SEC Chief Accountant, said that there are certainly "possibilities of material disagreements....We have a system designed to resolve those situations, but it's better to know what those areas are so they can be resolved over the course of preparing the information, so the end product reflects the trio of voices—management, audit committee, and auditors—with as much consistency and clarity as the three can work out." The dry run process, he said, has helped to ensure that the information communicated to investors reflects "the best calibration of the requirements."

What's more, companies may want to take a proactive approach with respect to their own disclosures of matters that are likely to be identified as CAMs. In particular, the prospect of CAM disclosure and the dry-run process may well precipitate a reassessment by audit committees and companies of related corporate disclosure to ensure that companies stay ahead of the curve. Generally, audit committees might prefer that the company get a jump on the disclosure so that the auditors will not need to resort to the creation of original material and the company can best frame the discussion from its own perspective. See this PubCo post.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions