Notes from an evening with the Public Company Accounting Oversight Board
If you sit on a public company board, especially on the audit committee, your life already revolves around financial reporting, the audit and the audit process. The auditors are constantly in the foreground and the background of everything that goes on. Annual audits, quarterly reviews, internal controls. At larger companies, the internal controls audit goes deep, and sometimes, it surfaces significant deficiencies or, worse, material weaknesses. (Nobody wants to hear those words.) They hand you thick representation letters to sign and questionnaires that need filling out. They want documents. They want interviews. Filing your 10-K and 10-Q can feel like a cliffhanger. The work eats up audit committee meetings. It costs a fortune. It takes forever.
What we often don’t realize is what makes this process so hard, and why (exactly).
Last week, we hosted an evening that filled out some of the answers to that question we had never thought of. We brought the NACD Northern California Chapter to our Palo Alto office, right on the heels of Stanford Directors’ College. Our featured guests were George Botic, a board member of the Public Company Accounting Oversight Board (the “PCAOB”), and his colleague Ellen Graper.
Between the two of us, we have advised founders, investors, and boards for over 25 years. But auditor oversight isn’t our usual beat, as we are usually in the room for deals, governance, and capital raises. So we came to listen. And we have to say, we left a lot smarter. Here is some of what stuck with us.
First: what is the PCAOB?
The simplest way we can put it is that the PCAOB is the auditor of the auditors (think of the “internal affairs” group at police headquarters).
Here is how it works. Your company is audited by a registered public accounting firm that is independent. That firm is one of the Big Four, Big Six, or other registered public accounting firms that are vying to provide the vital “audit” service that public company financial reporting requires. The PCAOB then inspects those registered public accounting firms. The PCAOB drills down into a sample of actual audits these firms did of public companies like yours. So when your auditor signs the audit of your company’s financial statements and internal controls, your auditors are looking over their shoulders at the PCAOB, who they know will have the benefit of 20/20 hindsight to Monday-morning quarterback the job done at your company, and that those observations will get published and have consequences for everyone involved.
Once you understand the PCAOB role and process, a lot of the mystery clears up: the forms, the document requests, the extra caution around certain issues. Your audit firm knows it could be inspected, and believe us, it really doesn’t want your file to come back with a problem. Once you peek at the PCAOB behind the curtain of the audit, the whole production starts to make sense.
How an inspection works
Typically, an inspection runs on two tracks.
The first track looks at the whole firm: leadership, ethics, independence, how they pick clients, training, and compensation. Inspectors call that last one the firm’s “culture” because how you pay partners shapes the choices they make on every audit. The second track pulls specific audits and reviews them in detail.
Typically, bigger firms get more scrutiny. The Big Four are inspected year-round and see 50 to 60 specific company audits reviewed annually, while smaller firms might see about 30 specific company audit reviews.
Here’s the key: the PCAOB doesn’t pick audits at random. It picks based on risk. Inspectors watch the economy, industry trends, and companies that stand out. Those files get pulled first.
Here’s the translation for directors: Did your company close a complex deal last year? An acquisition? A tough impairment analysis? Are you operating in a struggling industry? Or is your company at the crest of a hype cycle? Then your audit is more likely to get a closer look. That’s why your auditor leans in so hard on those areas, because they know someone might be watching. They might have a scar from a prior or ongoing inspection or review.
According to PCAOB leaders, they see issues that transcend cycles year-in and year-out: revenue recognition, inventory, acquisition accounting, impairment, credit losses at banks, and internal controls.
Good news: negative findings have dropped from their pandemic highs. Bad news: internal controls remain the toughest area.
The finding you’ll never see unless you ask
This next point really changed how we think about the whole thing.
The PCAOB regulates the audit firms. It does not regulate you. So its findings flow to your auditor, not to your boardroom. There is no rule that sends them your way. No schedule. No channel.
Maybe your auditor was inspected last year. Maybe a problem turned up on your audit, or on another company’s audit in your industry, done by your same firm. You won’t necessarily hear about it unless you ask the question.
That was a big learning for me. Unless you ask, you and your board can be caught off guard on issues to avoid. The good news? The fix costs you nothing: one question, asked on the record, every year.
A new audit standard called “QC1000”
There’s a new quality-control standard for audit firms in the United States called QC1000. It was previously approved, but the effective date has been pushed out, and is expected to be pushed out again. Will it be abandoned or watered down? It’s anyone’s guess.
You don’t need to track every step. But you do need to know where your firm stands. Readiness is uneven across the industry. “We’re working on it” isn’t an answer. Ask what QC 1000 readiness looks like at your firm. Ask what gaps remain. Push for specifics.
AI arrived before the rules did
This is something we’re seeing everywhere in our practice: the technology shows up before the rules do.
Audit firms are already using AI on engagements. The PCAOB is asking the obvious questions: Does AI need new audit standards? New documentation rules? Better risk guidance? The honest answer (and we appreciated their candor) is that the regulator is still figuring it out. They don’t yet know what it means to inspect an audit that relied on AI.
There are two sides to this. The first is what your auditor does with AI on the engagement. The second side is inside your own building. Your CFO’s office is starting to use AI for the books and the reporting. So your committee has to understand both halves: what the auditor does with AI on your audit, and what controls your own finance team has on its AI-generated numbers.
A machine can make a judgment. But it still has to be documented in a way that satisfies an auditing standard. If no one owns that, you have a gap.
Can a firm push back?
One audit committee chair in the room raised a sharp point, and we were glad. Firms have a built-in reason not to fight a finding. A dispute starts a long process and a firm under review is not eager to push back on the body inspecting it.
Our guests from the PCAOB explained that they run several layers of internal review before any finding goes into a report. The Board supports a firm’s right to disagree, and written responses do get read carefully. Reasonable people can weigh that differently. But it was good to hear the process described.
Five questions to take back to your auditor
If you read nothing else today, note these questions for your next audit committee meeting (and every year).
- Was our company’s audit reviewed this past cycle as part of your firm’s annual inspection? What areas, and any findings? And if not us, were there findings on your firm’s audits of other companies in our industry?
- What is the auditor doing with AI on our audit? Under what controls? How are those AI-assisted judgments documented?
- What are we doing with AI? How is our own finance team’s use of it weighed in the audit’s risk review? Are we ahead of, even with, or behind our peers?
- Where does the accounting firm stand on QC1000? What is changing, and what gaps should we watch?
- Of the PCAOB’s usual problem areas, revenue, impairment, internal controls, deal accounting, which apply to us this cycle? And what is the firm doing about them?
And for the CFOs and legal teams reading along: questions two and three are yours too. Your auditor’s use of AI and your own will be judged together. Be the one who framed that story, not the one explaining it after the fact.
Where to learn more
The PCAOB publishes more for audit committees than most directors realize. Look up its Inspection Information for Audit Committees, its Resources page, and its Staff Update on 2024 Inspection Activities. (The 2025 edition isn’t out yet.) Sign up for their email list. All worth bookmarking.
The takeaway
Here’s what we keep coming back to.
The audit has always felt like a black box to a lot of directors. It happens to you. You don’t steer it. The PCAOB is the part that explains the rest. And almost none of what it learns reaches you, unless you make the ask.
So ask. Every cycle. The information is there. The questions are straightforward. The directors who ask are doing real oversight. The rest of us? We’re just talking about it.
Our thanks to George Botic and Ellen Graper of the PCAOB for creating an evening that was candid and useful in equal measure. Thanks also to Lisa Spivey and Kate Azima of the NACD Northern California Chapter, and to Marcel Bucsescu of the NACD, for bringing the room together. The best evenings are the ones where the audience does half the work, and this was one of them.
More soon.
Louis Lehot is a partner at Foley & Lardner LLP in Silicon Valley. Kelly Boyd is Of Counsel in the San Francisco office. Together, they advise entrepreneurs, investors, boards, and public companies on corporate governance, securities, capital markets, and M&A matters.