QC 1000, A Firm's System of Quality Control (effective on 12/15/2025)

The following new standard, QC 1000, A Firm’s System of Quality Control, has been adopted by the PCAOB and approved by the U.S. Securities and Exchange Commission. The new standard will be effective on December 15, 2025. See PCAOB Release No. 2024-005, SEC Release No. 34-100968.

Summary Table of Contents

(.01 - .04) Introduction
(.05 - .09) The Firm’s QC System
(.10 - .17) Roles and Responsibilities
(.18 - .23) The Firm’s Risk Assessment Process
(.24 - .29) Governance and Leadership
(.30 - .36) Ethics and Independence
(.37 - .40) Acceptance and Continuance of Engagements
(.41 - .42) Engagement Performance
(.43 - .51) Resources
(.52 - .57) Information and Communication
(.58 - .76) Monitoring and Remediation Process
(.77 - .80) Evaluation of and Reporting on the QC System
(.81 - .86) Documentation
(.A1 - .A13) APPENDIX A – Definitions
(.B1 - .B12) APPENDIX B – Examples Relevant to Obtaining an Understanding of the Nature and Circumstances of the Firm and its Engagements

Introduction

.01 A quality control (“QC”) system of a registered public accounting firm (“firm”), as described by this standard, consists of components that are present, function, and operate together, not exclusively in a linear manner, enabling the consistent performance of engagements¹ and the issuance of informative, accurate, and independent engagement reports² in accordance with applicable professional and legal requirements. A QC system is a continual and iterative process that is responsive to changes in the nature and circumstances of the firm and its engagements and to relevant information that the firm gathers through its monitoring activities and from other sources. The QC system reflects and reinforces the firm’s role in protecting the interests of investors through the preparation of informative, accurate, and independent engagement reports.

.02 This standard sets forth the requirements for a firm with respect to the design, implementation, and operation of a QC system. This standard establishes a risk-based approach to the firm’s QC system such that the firm proactively manages the quality of engagements it performs and compliance with applicable professional and legal requirements. This risk-based approach includes establishing quality objectives, identifying and assessing quality risks to the achievement of the quality objectives, designing and implementing quality responses to address the quality risks, and monitoring the firm’s QC system.

.03 This standard describes the following eight integrated components of a firm’s QC system:

The firm’s risk assessment process;
Governance and leadership;
Ethics and independence;
Acceptance and continuance of engagements;
Engagement performance;
Resources;
Information and communication; and
The monitoring and remediation process.

Note: The components of the QC system interact with each other in a variety of ways. For example, the firm’s risk assessment process applies to the components for which quality objectives are established. The monitoring and remediation process applies to all of the components of the QC system, including the monitoring and remediation component itself.

.04 In addition to the requirements relating to the components of the QC system, this standard includes requirements related to:

Roles and responsibilities (see paragraphs .10-.17);
Evaluation of and reporting on the QC system (see paragraphs .77-.80); and
Documentation of the QC system (see paragraphs .81-.86).

The Firm’s QC System

.05 A properly conducted engagement and the related report enhance the confidence of investors and other market participants in the company’s information to which the firm’s report relates. The objective of the firm is to design and, if applicable, implement and operate an effective QC system. An effective QC system protects investors by facilitating the consistent preparation and issuance of informative, accurate, and independent engagement reports in accordance with applicable professional and legal requirements. To accomplish this, an effective QC system consistently provides a firm with reasonable assurance that:

The firm, each member of firm personnel, and each other participant:
1. Conduct each of the firm’s engagements in accordance with applicable professional and legal requirements; and
2. Fulfill their other responsibilities that are part of or subject to the firm’s QC system in accordance with applicable professional and legal requirements; and
Each engagement report issued by the firm is in accordance with applicable professional and legal requirements

(hereinafter referred to as the “reasonable assurance objective”).

Note: Reasonable assurance is not absolute assurance, but a high level of assurance. It is obtained when a firm’s QC system reduces to an appropriately low level the risk that the objectives set forth in a. and b. are not achieved.

.06 A firm must design a QC system that complies with this standard. To design such a QC system, the firm must:

Assign QC-related roles and responsibilities (see paragraphs .10-.17);
Establish quality objectives, annually identify and assess quality risks to the achievement of those objectives, and design quality responses to address those risks (see paragraphs .18-.57);
Design a monitoring and remediation process (see paragraphs .58-.76); and
Document the design of the QC system (see paragraphs .81-.86).

.07 The requirement to implement and operate the QC system applies as follows:

A firm must implement and operate an effective QC system at all times when the firm is required to comply with applicable professional and legal requirements with respect to any of the firm’s engagements,³and thereafter through the following September 30.⁴
During the time the firm’s QC system is required to be operating effectively, the firm’s QC system must operate over any audit, attestation, review, or other work performed under PCAOB standards by the firm, regardless of the level of the firm’s participation in such work (i.e., even if the firm plays less than a substantial role).⁵
A firm that is required to implement and operate its QC system is also required to annually evaluate its QC system as of September 30 and report on that evaluation (see paragraphs .77-.80).
For any time that a firm is not required to implement and operate an effective QC system, this standard will apply to the firm only in regard to the design of the QC system (based on the quality risks the firm likely would face if it were to perform engagements) as provided in paragraph .06.

Note: Any obligations under QC 1000 that exist at the time a firm is no longer required to implement and operate the QC system, such as obligations to evaluate and report on the QC system for previous periods, will continue.

.08 In applying a risk-based approach to its QC system, the firm must:

Design, implement, and operate a risk assessment process, including:
1. Establishing quality objectives necessary to achieve the reasonable assurance objective;
2. Identifying and assessing quality risks to the achievement of the quality objectives; and
3. Designing and implementing quality responses to address the quality risks;
Design, implement, and operate a monitoring and remediation process; and
Evaluate the effectiveness of the QC system and report on that evaluation.

.09 In applying a risk-based approach to the firm’s QC system, the firm must take into account the nature and circumstances of the firm, its engagements, and other relevant information. Accordingly, the firm should tailor its QC system to the firm’s specific facts and circumstances (e.g., the size and complexity of the firm, the types and variety of engagements it performs, the types of companies for which it performs engagements, and whether it is a member of a network and, if so, the nature and extent of the relationship between the firm and the network).

Note: Networks may be structured in a variety of ways and could include arrangements between firms for the purpose of sharing knowledge; developing and implementing consistent policies, tools, and methodologies; conducting multi-location engagements; or executing other types of business or service matters. Networks may include both registered and unregistered accounting firms.

Roles and Responsibilities

.10 All firm personnel and other participants involved in the design, implementation, and operation of the QC system must exercise due professional care in all matters related to the QC system. Due professional care concerns what those individuals do and how well they do it. Due professional care means acting with reasonable care and diligence, exercising professional skepticism, acting with integrity, and complying with applicable professional and legal requirements. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of the relevant information.

.11 The firm’s principal executive officer (i.e., the highest-ranking executive, regardless of formal title) is ultimately responsible and accountable for the QC system as a whole.

Note: If a firm has co-principal executive officers, the references to “the individual assigned ultimate responsibility and accountability for the QC system as a whole” apply to each of the co-principal executive officers and each of them is ultimately responsible and accountable for the QC system as a whole.

.12 The firm must assign other roles and responsibilities with respect to the QC system to firm personnel who have the experience, competence, authority, and time needed to enable them to carry out their assigned responsibilities.⁶ Such roles should include the following:

Operational responsibility and accountability for the QC system as a whole;
Operational responsibility for the firm’s compliance with ethics and independence requirements;
Operational responsibility for the monitoring and remediation process; and
If appropriate based on the nature and circumstances of the firm, operational responsibility for other components of the QC system.

Note: Each of the roles identified in subparagraphs a.-c. above cannot be shared, but rather must be assigned to only one individual. However, depending on the nature and circumstances of the firm (including its size and structure) and its engagements, the firm may assign one individual to more than one of the roles identified in paragraphs .11 and .12.

.13 The firm should establish a direct line of communication from each individual assigned operational responsibilities (see paragraph .12) to the individual assigned ultimate responsibility and accountability for the QC system as a whole (see paragraph .11).

.14 The individual assigned ultimate responsibility and accountability for the QC system as a whole should:

Demonstrate a commitment to quality through the individual’s actions, behaviors, and communications. This includes recognizing and reinforcing the importance of professional ethics, values, and attitudes, and establishing the expected behavior of firm personnel related to activities within the firm’s QC system and the performance of its engagements.
Establish or direct the establishment of structures, reporting lines, and authorities and responsibilities for the following roles:
1. Operational responsibility and accountability for the QC system as a whole;
2. Operational responsibility for the firm’s compliance with ethics and independence requirements;
3. Operational responsibility for the monitoring and remediation process; and
4. If assigned, operational responsibility for other aspects of the QC system.
Be accountable for the design, implementation, and operation of the firm’s QC system in accordance with applicable professional and legal requirements and the firm’s policies and procedures and for the annual evaluation of the firm’s QC system required by paragraph .77.
Certify the firm’s report to the PCAOB on its annual evaluation of the QC system (see paragraph .79).

.15 The individual assigned operational responsibility and accountability for the QC system as a whole should:

Supervise the design, implementation, and operation of the firm’s QC system in accordance with applicable professional and legal requirements and the firm’s policies and procedures; and
Certify the firm’s report to the PCAOB on its annual evaluation of the QC system (see paragraph .79).

.16 The individual assigned operational responsibility for the firm’s compliance with ethics and independence requirements should:

Supervise the design, implementation, and operation of the firm’s ethics and independence component (see paragraphs .30-.36); and
Communicate, on a timely basis, violations of ethics or independence requirements, including personal independence violations, to the individuals assigned (1) operational responsibility for the firm’s monitoring and remediation process and (2) operational responsibility and accountability for the QC system as a whole.

.17 The individual assigned operational responsibility for the monitoring and remediation process should:

Supervise the design, implementation, and operation of the firm’s monitoring and remediation process (see paragraphs .58-.76) and the annual evaluation of the QC system (see paragraphs .77-.78), including:
1. The evaluation of the results of the monitoring activities;
2. The evaluation of whether remedial actions are implemented as designed and operate effectively to remediate QC deficiencies and, if not, the taking of timely action until such QC deficiencies are remediated; and
3. The firm’s other policies and procedures with regard to monitoring and remediation.
Communicate, on a timely basis, to the individuals assigned (1) ultimate responsibility and accountability for the QC system as a whole and (2) operational responsibility and accountability for the QC system as a whole, a description of:
1. Monitoring activities performed and the results of such activities, including, if applicable, monitoring activities performed by a network;
2. Identified engagement deficiencies, QC deficiencies, and major QC deficiencies, including the nature, severity, and pervasiveness of such deficiencies; and
3. Actions taken to address engagement deficiencies, QC deficiencies, and major QC deficiencies.

The Firm’s Risk Assessment Process

.18 The firm’s risk assessment process provides the basis for the design, implementation, and operation of the firm’s QC system. The risk assessment process consists of establishing quality objectives, identifying and assessing quality risks to the achievement of the quality objectives, and designing and implementing quality responses to address the quality risks.

.19 The firm must establish the quality objectives necessary to achieve the reasonable assurance objective. This consists of the quality objectives specified in this standard and any other quality objectives that are necessary under paragraph .08a.(1).

Note: Quality objectives are specified in this standard for six of the components of the QC system: governance and leadership (see paragraph .25), ethics and independence (see paragraph .31), acceptance and continuance of engagements (see paragraph .38), engagement performance (see paragraph .42), resources (see paragraph .44), and information and communication (see paragraph .53).

.20 Annually, the firm must identify and assess quality risks to achieving each of the quality objectives established by the firm. The firm should:

Obtain an understanding of the conditions, events, and activities that may adversely affect the achievement of its quality objectives, which includes an understanding of the following:
1. The nature and circumstances of the firm, including:
  1. The complexity and operating characteristics of the firm;
  2. The firm’s business processes and strategic and operational decisions and actions;
  3. The characteristics and management style of leadership;
  4. The extent to which a culture of integrity and a commitment to audit quality, including ethics and independence, is promoted within the firm and embraced by firm personnel across all levels;
  5. The resources of the firm;
  6. The environment in which the firm operates, including applicable professional and legal requirements;
  7. If the firm belongs to a network, the characteristics of the network and the network’s resources and services and the nature and extent of such resources and services used by the firm;
  8. If the firm uses other participants, the nature and extent of their involvement;
  9. If the firm participates in other firms’ engagements, the nature and extent of the firm’s participation; and
  10. If the firm uses resources or services obtained from third-party providers, the nature and extent of those resources or services.
    
    (See Appendix B for specific examples.)
2. The nature and circumstances of the firm’s engagements (see Appendix B for specific examples).
3. Other relevant information, including information from the firm’s monitoring and remediation activities, external inspections or reviews, and other oversight activities by regulators.
Note: The firm might identify conditions, events, and activities that may adversely affect the achievement of its quality objectives by asking “what could go wrong?” in relation to the achievement of a given quality objective.
Identify and assess quality risks based on the understanding obtained pursuant to paragraph .20a. and taking into account whether, how, and the degree to which the achievement of the quality objectives may be adversely affected.

Note: The assessment of quality risks is based on inherent risk (i.e., without regard to the effect of any related quality responses).

.21 The firm must design and implement quality responses that (1) are based on the quality risks and the reasons for the assessments given to the quality risks, and (2) reduce to an appropriately low level the risk that the quality objective will not be achieved.

Note: Certain components include requirements for specified quality responses. These specified quality responses are to be included in the quality responses designed and implemented by the firm. Specified quality responses may address multiple quality risks within multiple components but are not intended to be comprehensive and alone will not be sufficient to enable the firm to achieve all established quality objectives of the firm’s QC system. Depending on the quality risk being addressed, specified quality responses may need to be combined with other quality responses designed and implemented by the firm.

Modifications to the Quality Objectives, Quality Risks, or Quality Responses

.22 In addition to identifying and assessing quality risks annually, the firm should establish policies and procedures to monitor, identify, and assess changes to conditions, events, and activities that indicate modifications to the firm’s quality objectives, quality risks, or quality responses may be needed. Such policies and procedures should specify that the firm take into account, among other sources, information from the firm’s monitoring and remediation process.

.23 If the firm identifies changes to conditions, events, or activities indicating that modifications to the quality objectives, quality risks, or quality responses may be needed, the firm should determine what, if any, modifications are needed and make them on a timely basis.

Governance and Leadership

.24 This component addresses the environment that enables the effective oversight and operation of the QC system and directs the firm’s culture, decision-making processes, organizational structure, and leadership.

Governance and Leadership Quality Objectives

.25 The quality objectives established by the firm with respect to its governance and leadership should include the following:

The firm’s commitment to quality is communicated and promoted by leadership to recognize and reinforce:
1. The firm’s role in protecting investors and the public interest by consistently fulfilling its responsibilities under applicable professional and legal requirements;
2. The importance of adherence to appropriate standards of conduct by firm personnel;⁷
3. The importance of professional ethics, values, and attitudes; and
4. The expected behavior and responsibility of firm personnel for quality relating to activities that are subject to applicable professional and legal requirements, including activities within the firm’s QC system and the firm’s performance on engagements.
The firm clearly defines leadership’s responsibility for quality and holds leadership accountable, including through their performance evaluation and compensation.
Leadership demonstrates a commitment to quality through its actions and behaviors.
The firm’s strategic decisions and actions, including financial and operational priorities, are consistent with and support the firm’s commitment to quality.
The firm’s organizational and governance structure and the assignment of roles, responsibilities, and authority enable the design, implementation, and operation of the firm’s QC system and support performance of the firm’s engagements in accordance with applicable professional and legal requirements.
Resource needs are planned for, and resources are obtained or developed and allocated or assigned, in a manner that enables the effective design, implementation, and operation of the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements.

Note: Resources include people, financial, technological, and intellectual resources, and resources from a network or third-party provider.⁸

Governance and Leadership Specified Quality Responses

.26 In designing and implementing quality responses to address the quality risks in the governance and leadership component, the firm should include the specified quality responses in paragraphs .27-.29. These specified quality responses alone will not be sufficient to enable the firm to achieve all established quality objectives for this component. Depending on the quality risk being addressed, specified quality responses may need to be combined with other quality responses designed and implemented by the firm.

.27 The firm should establish and maintain clear lines of responsibility and supervision—including defining authorities, responsibilities, accountabilities, and supervisory and reporting lines for roles within the firm, up to and including the principal executive officer(s)⁹ or equivalent—within the QC system.

.28 If the firm issued audit reports with respect to more than 100 issuers during the prior calendar year, the firm’s governance structure should incorporate an external oversight function for the QC system composed of one or more persons who are not partners, shareholders, members, other principals, or employees of the firm and do not otherwise have a commercial, familial, or other relationship with the firm that would interfere with the exercise of independent judgment with regard to matters related to the QC system (an “External QC Function” or “EQCF”). The EQCF should have the experience, competence, authority, and time necessary to enable them to carry out the responsibilities assigned to the EQCF by the firm. The responsibilities of the EQCF should include, at a minimum, evaluating the significant judgments made and the related conclusions reached by the firm when evaluating and reporting on the effectiveness of its QC system.

.29 The firm should design, implement, and maintain policies and procedures for addressing potential noncompliance with applicable professional and legal requirements and with the firm’s policies and procedures with respect to the QC system, the firm’s engagements, firm personnel, and other participants. Such policies and procedures should be made available to all firm personnel and other participants and address:

Processes and responsibilities for receiving complaints and allegations from internal and external parties (for example, policies and procedures regarding a complaints mailbox or hotline or a whistleblower program);
Protecting persons making complaints and allegations from retaliation;
Investigating and addressing complaints and allegations; and

Note: The nature, timing, and extent of the process to investigate and address complaints and allegations should be commensurate with and responsive to the significance of the related complaint or allegation.
If the firm issued audit reports with respect to more than 100 issuers during the prior calendar year, providing a confidential and anonymous process for submitting complaints and allegations and protecting the confidentiality of the individuals and entities that made a complaint or allegation during the investigation.

Ethics and Independence

.30 This component addresses the fulfillment of firm and individual responsibilities under ethics and independence requirements.¹⁰

Ethics and Independence Quality Objectives

.31 The quality objectives established by the firm with respect to ethics and independence requirements should include the following:

Ethics and independence requirements are understood and complied with by the firm and firm personnel and, with respect to work performed on behalf of the firm, by others subject to such requirements.¹¹
Conditions, events, relationships, or activities that could constitute violations of ethics and independence requirements are properly identified, evaluated, and responded to by the firm and firm personnel on a timely basis.
Violations are communicated on a timely basis to the individual assigned operational responsibility for the firm’s compliance with ethics and independence requirements.

Ethics and Independence Specified Quality Responses

.32 In designing and implementing quality responses to address the quality risks in the ethics and independence component, the firm must include the specified quality responses in paragraphs .33 -.36. These specified quality responses alone will not be sufficient to enable the firm to achieve all established quality objectives for this component. Depending on the quality risk being addressed, specified quality responses may need to be combined with other quality responses designed and implemented by the firm.

.33 The firm must design, implement, and maintain policies and procedures that address ethics and independence requirements, including:

Identifying and addressing matters that may reasonably be thought to bear on the independence of the firm, firm personnel, and affiliates of the firm;¹²
Obligations of firm personnel to perform with integrity and objectivity all activities associated with the operation of the QC system and the performance of engagements (such as training and other professional development activities; engagement planning, performance, and supervision; and communication with companies for which the firm performs engagements, other firm personnel, and regulators);¹³
Obligations of associated persons of the firm,¹⁴ other than firm personnel, to perform work on behalf of the firm with integrity and objectivity;
Consultations on ethics and independence matters, including identifying ethics and independence matters requiring consultation;
Monitoring compliance (e.g., internal inspection of independence compliance at least annually) with applicable ethics and independence requirements and related firm policies and procedures by the firm, firm personnel, affiliates of the firm, and, with respect to work performed on behalf of the firm, others subject to such requirements; and
With respect to violations and potential violations of ethics and independence requirements:
1. Identifying conditions, events, relationships, and activities that could constitute ethics or independence violations involving the firm, firm personnel, and, with respect to work performed on behalf of the firm, others subject to such requirements;
2. Taking preventive and corrective actions to address ethics or independence violations, as appropriate, on a timely basis;
3. Reporting requirements for firm personnel and others performing work on behalf of the firm who are subject to such requirements regarding ethics or independence violations of which they become aware that may affect the firm, including requirements for escalating reporting of such violations; and
4. Communicating, as appropriate, to external parties (for example, to audit committees).¹⁵

.34 The firm’s policies and procedures for matters that may reasonably be thought to bear on the independence of the firm, firm personnel, and affiliates of the firm (see paragraph .33a.) must include:

Identifying firm and personal relationships and arrangements with restricted entities, including a process for identifying direct or material indirect financial interests that might impair the firm’s independence of firm personnel that are managerial employees or partners, shareholders, members, or other principals;
1. If the firm issued audit reports with respect to more than 100 issuers during the prior calendar year, the process to identify investments in securities that might impair the independence of the firm or such firm personnel must be automated;
2. If the firm issued audit reports with respect to 100 or fewer issuers during the prior calendar year, the firm should consider automating the process to identify investments in securities that might impair the independence of the firm or such firm personnel, taking into account the quality risks and the nature and circumstances of the firm;
Note: Firm and personal relationships and arrangements with restricted entities include, for example, financial relationships, employment relationships, business relationships, non-audit services, contingent fee arrangements, partner rotation, certain tax services, and arrangements requiring audit committee pre-approval.¹⁶ The term “restricted entities” includes all audit clients (including affiliates of the audit client) of the firm and affiliates of the firm.¹⁷
Maintaining and making available the list of restricted entities to firm personnel and others performing work on behalf of the firm who are subject to independence requirements;

Note: This includes updating and communicating, at least monthly (and more frequently, if appropriate), additions to the list of restricted entities to firm personnel and others performing work on behalf of the firm whose relationships and arrangements with such additional restricted entities may reasonably be thought to bear on the independence of the firm.
Requiring that the list of restricted entities be reviewed before the firm enters into any relationships, engagements to perform non-audit services, or fee arrangements that might affect compliance with independence requirements, and, if such review indicates that action is required under applicable professional and legal requirements or the firm’s policies and procedures, taking required actions on a timely basis;
Requiring firm personnel to review the list of restricted entities (1) upon employment or engagement, (2) after additions to the list of restricted entities are communicated by the firm, (3) prior to themselves or a relevant family member¹⁸ obtaining any direct or material indirect financial interest in or entering into or modifying a direct or material indirect relationship with an entity, (4) prior to changes in position (e.g., going into a chain of command or other covered person role¹⁹), and (5) prior to entering into any business or employment relationships, and, if such review indicates that action is required under applicable professional and legal requirements or the firm’s policies and procedures, taking required actions on a timely basis;
Obtaining certifications from firm personnel regarding familiarity and compliance with (1) SEC and PCAOB independence requirements, applicable ethics requirements, and the firm’s independence and ethics policies and procedures upon employment and at least annually thereafter, and (2) SEC and PCAOB independence requirements and the firm’s independence policies and procedures upon any change in professional circumstances that is relevant to independence; and
Identifying matters that require audit committee pre-approval and obtaining such pre-approval.²⁰

.35 The firm must make available its ethics and independence policies and procedures to firm personnel and others performing work on behalf of the firm who are subject to ethics and independence requirements, including communicating any substantive changes to such policies and procedures on a timely basis.

.36 The firm must provide mandatory training to firm personnel near the time of initial employment and periodically (at least annually) thereafter that addresses ethics and independence requirements and the firm’s ethics and independence policies and procedures.

Acceptance and Continuance of Engagements

.37 This component addresses the firm’s processes for making decisions about whether to accept or continue an engagement.

Acceptance and Continuance of Engagements Quality Objectives

.38 The quality objectives established by the firm with respect to the acceptance and continuance of engagements should include the following:

Judgments about whether to accept or continue an engagement are:
1. Initially made as part of or before performing preliminary engagement activities;²¹
2. Consistent with the firm’s ability to perform the engagement in accordance with applicable professional and legal requirements, based on:
  1. Whether the firm is independent;
  2. Whether the services are permissible and any required audit committee pre-approval has been or will be obtained;²²
  3. The extent to which the firm is or will be able to gain access to company information to perform the engagement, including to company personnel who provide such information;
  4. The extent to which the firm has or can obtain resources to perform the engagement;²³ and
  5. Other relevant factors associated with providing professional services in the particular circumstances; and
3. Based on and supported by information about the nature and circumstances of the engagement and the integrity and ethical values of the company (including management and the audit committee).²⁴
The terms of the engagement, including the objective of the engagement and responsibilities of the firm and management, are consistent with applicable professional and legal requirements and are understood by the firm and the company.²⁵

Acceptance and Continuance of Engagements Specified Quality Response

.39 In designing and implementing quality responses to address the quality risks in the acceptance and continuance of engagements component, the firm should include the specified quality response in paragraph .40. This specified quality response alone will not be sufficient to enable the firm to achieve all established quality objectives for this component. Depending on the quality risk being addressed, specified quality responses may need to be combined with other quality responses designed and implemented by the firm.

.40 The firm should design, implement, and maintain policies and procedures to address situations in which the firm becomes aware of information subsequent to accepting or continuing an engagement that could have caused the firm to decline such engagement had that information been known prior to acceptance or continuance.²⁶

Engagement Performance

.41 This component addresses the firm’s processes relating to the performance of the firm’s engagements by firm personnel and other participants in accordance with applicable professional and legal requirements.

Engagement Performance Quality Objectives

.42 The quality objectives established by the firm with respect to the performance of its engagements, including work performed on other firms’ engagements, should include the following:

Responsibilities are understood and fulfilled by firm personnel and other participants in accordance with applicable professional and legal requirements, including, as applicable:²⁷
1. The responsibilities of the engagement partner for an engagement and its performance;²⁸
2. Responsibilities for planning and performing the engagement, including:
  1. Exercising due professional care, including professional skepticism, such that conclusions reached are appropriate under applicable professional and legal requirements and supported by sufficient appropriate evidence; and
  2. Properly supervising the work performed by firm personnel and other participants;²⁹ and
3. Responsibilities for reporting and other communications with respect to the engagement.
Consultations on complex, unusual, or unfamiliar accounting and auditing matters are undertaken with qualified individuals from within or outside the firm, and conclusions are:
1. Agreed to by the engagement partner and the parties consulted or addressed as a difference in professional judgment in accordance with paragraph .42c;
2. In accordance with applicable professional and legal requirements; and
3. Implemented before the issuance of the engagement report.³⁰
Differences in professional judgment related to the engagement that arise among firm personnel, among other participants, or between firm personnel and other participants, including the engagement quality reviewer or those that provide consultation, are brought to the attention of the individual(s) with responsibility and authority for resolving such matters and are resolved before the issuance of an engagement report, such that the engagement is performed in accordance with applicable professional and legal requirements.³¹
Engagement documentation is prepared, reviewed, assembled, and retained in accordance with applicable professional and legal requirements.³²

Resources

.43 This component addresses the firm’s processes for obtaining, developing, using, maintaining, allocating, and assigning the firm’s resources to enable the design, implementation, and operation of the firm’s QC system and the performance of its engagements. The firm’s resources include people, financial, technological, and intellectual resources, and resources from a network or third-party provider.

Resources Quality Objectives

.44 The quality objectives established by the firm with respect to the firm’s resources should include the following:

Firm personnel are hired, developed, and retained who have the competence to perform activities and carry out responsibilities for the operation of the firm’s QC system and the performance of the firm’s engagements in accordance with applicable professional and legal requirements and the firm’s policies and procedures.³³

Note: Competence consists of having the knowledge, skill, and ability that enable individuals to act in accordance with applicable professional and legal requirements and the firm’s policies and procedures. Competence is measured both qualitatively and quantitatively.
Firm personnel demonstrate a commitment to quality through (1) their actions and behaviors and (2) development and maintenance of the competence to perform their roles.
Firm personnel and individuals who are other participants assigned to engagements, including the engagement partner and engagement quality reviewer, have the competence, objectivity, and time needed to fulfill their responsibilities on such engagements in accordance with applicable professional and legal requirements and the firm’s policies and procedures.
Firm personnel who are assigned to participate in another firm’s engagement have the competence, objectivity, and time to perform such activities in accordance with applicable professional and legal requirements and the firm’s policies and procedures.
Firm personnel and individuals who are other participants assigned to perform activities within the QC system have the competence, objectivity, authority, and time needed to perform such activities in accordance with applicable professional and legal requirements and the firm’s policies and procedures.³⁴
Firm personnel comply with the firm’s policies and procedures related to the operation of the firm’s QC system and the performance of its engagements and the work performed on other firms’ engagements.
Firm personnel are (1) evaluated at least annually, (2) incentivized to fulfill their assigned responsibilities and adhere to appropriate standards of conduct, including through compensation plans and decisions in which quality considerations play a critical part, and (3) held accountable for their actions and failures to act.³⁵
Technological resources are obtained or developed, implemented, maintained, and used to enable the operation of the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements and the firm’s policies and procedures.

Note: Technological resources generally include information technology applications, infrastructure, and processes.
Intellectual resources are obtained or developed, implemented, maintained, and used to enable the operation of the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements and the firm’s policies and procedures.

Note: Intellectual resources generally include resources that a firm makes available, or requires the use of, to enable the operation of the firm’s QC system and the performance of its engagements, including, for example, the firm’s policies and procedures, methodologies, guides, practice aids, and standardized documentation templates.
If the firm belongs to a network that provides or requires the use of network resources or services or if the firm obtains resources or services from a third-party provider:³⁶
1. An understanding is obtained of how such resources or services are developed and maintained; and
2. Such resources or services are supplemented or adapted as necessary such that their use enables the operation of the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements and the firm’s policies and procedures.

Resources Specified Quality Responses

.45 In designing and implementing quality responses to address the quality risks in the resources component, the firm should include the specified quality responses in paragraphs .46 -.51. These specified quality responses alone will not be sufficient to enable the firm to achieve all established quality objectives for this component. Depending on the quality risk being addressed, specified quality responses may need to be combined with other quality responses designed and implemented by the firm.

.46 The firm should design, implement, and maintain policies and procedures for firm personnel to adhere to appropriate standards of conduct, which include:

Fulfilling engagement and QC responsibilities with competence, integrity, objectivity, and due professional care; and
Complying with applicable professional and legal requirements and the firm’s policies and procedures.

.47 The firm should design, implement, and maintain policies and procedures for the engagement partner and, commensurate with their responsibilities, other firm personnel participating in an engagement to obtain and maintain the competence to fulfill their respective assigned engagement roles, including an understanding of the following:

The importance of exercising sound judgment, including the ability to be objective and exercise professional skepticism;
The role of the firm’s QC system in the performance of its engagements (e.g., engagement quality reviews, consultation process);
Their responsibilities with respect to the performance and supervision of the engagement;
For attestation engagements, the subject matter of the assertion on which the engagement is based;
The industry in which the company operates and its relevant characteristics (e.g., applicable standards, industry-specific risks, and industry-specific estimates);
The internal control framework used by the company;
The use of technology by the company in the preparation of its financial statements and related internal controls; and
The use of technological and intellectual resources in performing engagement procedures, including obtaining and evaluating evidence.

.48 In addition to the training required under paragraph .36, at least annually, the firm should provide mandatory training, including training on applicable professional and legal requirements, to firm personnel to develop and maintain their competence and enable them to fulfill their assigned QC and engagement roles in accordance with applicable professional and legal requirements and the firm’s policies and procedures.

.49 The firm’s periodic performance evaluations of the individual(s) assigned (1) ultimate responsibility and accountability for the QC system as a whole and (2) operational responsibility and accountability for the QC system as a whole should take into account the outcome of the evaluation of the QC system.

.50 The firm should design, implement, and maintain policies and procedures regarding licensure such that the firm and firm personnel hold licenses or other qualifications required by the relevant jurisdiction(s) under applicable professional and legal requirements.

.51 The firm should design, implement, and maintain policies and procedures so that technological resources have the capacity, integrity, resiliency, availability, reliability, and security necessary to enable the operation of the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements.

Information and Communication

.52 This component addresses the firm’s processes for obtaining, generating, and using information to enable the design, implementation, and operation of the QC system and the performance of its engagements, and for communicating information within the firm and to external parties on a timely basis.

Information and Communication Quality Objectives

.53 The quality objectives established by the firm with respect to information and communication should include the following:

Information, whether from internal or external sources, is identified, captured, processed, and maintained by the firm’s information system(s) to support the operation of the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements.
The nature, timing, and extent of information communicated to firm personnel enables them to understand and carry out their responsibilities relating to activities within the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements and the firm’s policies and procedures.
Firm personnel communicate information to the firm and other firm personnel to support the operation of the QC system and the performance of the firm’s engagements in accordance with applicable professional and legal requirements.
Information is communicated to external parties in accordance with applicable professional and legal requirements.

Note: External parties may include, for example, company management, audit committees, and boards of directors; the SEC; the PCAOB; and other regulators.³⁷
If a firm communicates firm-level or engagement-level information with respect to the firm’s audit practice, firm personnel, or engagements, such as firm or engagement metrics, to external parties, such information is accurate and not misleading and, with respect to any such metrics that are communicated in writing, the communication explains in reasonable detail how the metrics were determined and, if applicable, how the method of determining them changed since the metrics were last communicated.
If the firm belongs to a network, information is communicated to or obtained from the network to enable the operation of the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements.
If other participants are used in the firm’s QC system or engagements:
1. The nature, timing, and extent of information communicated to other participants enables them to understand and carry out their responsibilities relating to activities within the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements and the firm’s policies and procedures; and
2. Information is obtained from the other participants, such that the aspects of the QC system and the engagements in which they are involved can be performed in accordance with applicable professional and legal requirements.³⁸
Note: With respect to other participants that are firms, information to be obtained should include the conclusion of the most recent evaluation of the QC system³⁹ of the other participant firm.
If the firm participates in another firm’s engagement, information is communicated to and obtained from the other firm such that the firm’s work on the engagement is performed in accordance with applicable professional and legal requirements.

Note: This communication includes any instances of noncompliance with applicable professional and legal requirements that the firm identifies related to the other firm’s engagements during the firm’s monitoring and remediation procedures.

Information and Communication Specified Quality Responses

.54 In designing and implementing quality responses to address the quality risks in the information and communication component, the firm should include the specified quality responses in paragraphs .55 -.57. These specified quality responses alone will not be sufficient to enable the firm to achieve all established quality objectives for this component. Depending on the quality risk being addressed, specified quality responses may need to be combined with other quality responses designed and implemented by the firm.

.55 The firm should communicate in writing its policies and procedures related to the operation of the firm’s QC system and the performance of its engagements to firm personnel and other participants to the extent and in a manner that is reasonably designed and implemented to enable firm personnel and other participants to understand and carry out their responsibilities relating to activities within the firm’s QC system and the performance of its engagements in accordance with applicable professional and legal requirements and the firm’s policies and procedures.

.56 The firm should communicate information related to the monitoring and remediation process to firm personnel to enable them to take timely action in accordance with their responsibilities, including, to the extent necessary, a description of:

Monitoring activities performed and the results of such activities, including, if applicable, monitoring activities performed by a network;
Identified engagement deficiencies and QC deficiencies, including the nature, severity, and pervasiveness of such deficiencies; and
Actions to address the identified engagement deficiencies and QC deficiencies.

.57 The firm should communicate the result of the annual evaluation of the firm’s QC system to the firm’s partners, shareholders, members, or other principals, and the firm’s board of directors or equivalent.

Monitoring and Remediation Process

.58 The monitoring and remediation process is an integral part of a QC system because it informs the firm’s risk assessment process (i.e., the results of the monitoring and remediation process are taken into account when determining if changes to quality objectives, quality risks, or quality responses are necessary). The monitoring and remediation process applies to all of the components of the QC system, including monitoring and remediation, and provides the basis for evaluating and reporting on the QC system.

.59 The firm must design, implement, and operate a monitoring and remediation process to:

Provide relevant, reliable, and timely information about the design, implementation, and operation of the QC system;
Provide a reasonable basis for timely detection of engagement deficiencies and QC deficiencies; and
Remediate identified engagement deficiencies and QC deficiencies and take any other required actions in relation to such deficiencies in accordance with applicable professional and legal requirements on a timely basis.

.60 The firm’s monitoring and remediation process includes:

Designing and performing activities to monitor engagements and the design, implementation, and operation of the QC system (see paragraphs .62-.66);
Determining whether engagement deficiencies exist and responding to such deficiencies (see paragraphs .67-.70);
Determining whether QC observations and QC deficiencies exist (see paragraphs .71-.72);
Performing root cause analysis of QC deficiencies (see paragraphs .73-.74); and
Designing and implementing remedial actions to address QC deficiencies and determining whether such actions are implemented as designed and operate effectively (see paragraphs .75-.76).

.61 The firm’s monitoring activities must include:

“Engagement monitoring activities,” which are directed at individual engagements; and

Note: For firms that issued engagement reports with respect to five or fewer engagements for issuers, brokers, and dealers during the prior calendar year, engagement monitoring activities may include monitoring audits not performed under PCAOB auditing standards, provided that such audits are selected taking into account the factors in paragraph .64 and that instances of noncompliance with applicable auditing standards identified through monitoring are treated as if they were “engagement deficiencies” for purposes of paragraph .68d and “QC observations” for purposes of paragraph .72. Audits not performed under PCAOB auditing standards cannot be included in the monitoring required under paragraph .62b.
“QC system-level monitoring activities,” which are directed at the performance of activities under the requirements of this standard, including requirements relating to the components of the QC system.

Note: In accordance with paragraph .44e, it is a quality objective that individuals performing monitoring activities have, among other things, the objectivity needed to perform such activities in accordance with applicable professional and legal requirements and the firm’s policies and procedures. Generally, individuals cannot perform monitoring activities over their own work.

Engagement Monitoring Activities

.62 The firm should:

Monitor completed engagements; and
As one element of its engagement monitoring, inspect on a cyclical basis at least one completed engagement for each engagement partner.

Note: A firm that uses a cycle longer than three years should demonstrate how that cycle is adequate to provide a reasonable basis for detecting engagement deficiencies and QC deficiencies, taking into account the factors in paragraph .64. Firms should incorporate a level of unpredictability in their selection and monitoring of completed engagements, such that an engagement partner would not be certain of at least one of: (i) which engagement would be selected, (ii) which areas within the engagement would be selected, or (iii) when an engagement would be selected. While some firms may be permitted to perform engagement monitoring activities on audits not performed under PCAOB auditing standards (see Note to paragraph .61a), inspections under this subparagraph b must be of engagements.

.63 In addition to monitoring completed engagements,

If the firm issued audit reports with respect to more than 100 issuers during the prior calendar year, the firm should monitor in-process engagements;
If the firm issued audit reports with respect to 100 or fewer issuers during the prior calendar year, the firm should consider monitoring in-process engagements; and
If the firm participates at a level below a substantial role in another firm’s engagements, the firm should consider performing monitoring activities on such work.

.64 In determining the nature, timing, and extent of engagement monitoring activities, including which completed or in-process engagements to select for monitoring, the firm should take into account the following factors:

Quality risks and the reasons they were assessed to be quality risks;
Quality responses, including their timing, frequency, scope, and operation;
The nature, timing, extent, and results of previous monitoring activities undertaken by the firm and, if applicable, a network, including from inspections of completed engagements, monitoring of in-process engagements, monitoring of work performed on other firms’ engagements, and QC system-level monitoring activities;
Information obtained from oversight activities by regulators, other external inspections or reviews, and, if applicable, monitoring activities performed by a network;

Note: The firm cannot rely solely on monitoring activities performed by others (e.g., network activities, regulatory inspections, or peer reviews) in lieu of performing its own engagement monitoring activities.
Characteristics of particular engagements, such as the industry, the type of engagement (e.g., issuer audit, broker-dealer audit, attestation), the location(s) or jurisdiction(s) in which the company is located or the work is to be performed, whether it is a new engagement for the firm, and the experience and competence of the individuals assigned to the engagement;
Characteristics of particular engagement partners, such as their experience, their competence, the results of internal and external inspections of their work, and the firm’s cycle for inspecting their engagements; and
Other information relevant to the quality risks, such as emerging developments, changes in economic conditions, new accounting or auditing standards, circumstances in which the firm has withdrawn its engagement report, restatements, complaints and allegations of which the firm is aware,⁴⁰ and other events affecting one or more engagements.

QC System-Level Monitoring Activities

.65 In determining the nature, timing, and extent of QC system-level monitoring activities, the firm should take into account the following factors:

Quality risks and the reasons they were assessed to be quality risks;
Quality responses, including their timing, frequency, scope, and operation;
For monitoring activities over the firm’s risk assessment process and monitoring and remediation process, the design of those processes (including any metrics the firm may use in its QC system);
Changes or anticipated changes in the QC system;
The services or resources provided by other participants or third-party providers in the firm’s QC system, when applicable;
The results of previous monitoring activities and remedial actions taken to address previously identified QC deficiencies;
Information obtained from oversight activities by regulators, other external inspections or reviews, and, if applicable, monitoring activities performed by a network;

Note: The firm cannot rely solely on monitoring activities performed by others (e.g., network activities, regulatory inspections, or peer reviews) in lieu of performing QC system-level monitoring activities.
Complaints and allegations of which the firm is aware; and
Other relevant information of which the firm is aware.

Monitoring Activities Performed by a Network

.66 In circumstances when a network performs monitoring activities relating to the firm’s QC system or its engagements, the firm should:

Request and, if provided, evaluate:
1. Information about the activities performed;
2. Results of such activities; and
3. Planned remedial actions by the network;
Determine its responsibilities in relation to the monitoring activities of the network, such as assisting with monitoring activities or responding to the results of the activities performed by the network, and perform such responsibilities; and
Adjust its monitoring activities as necessary.

Note: Network monitoring activities may include, for example, monitoring the effectiveness of network resources or services that firms in the network are required to or may use in their QC system and monitoring of other aspects of the firm’s QC system and its engagements.

Determining Whether Engagement Deficiencies Exist

.67 The firm must, on a timely basis, evaluate the following information and determine whether engagement deficiencies exist:

Information from engagement monitoring activities;
QC deficiencies identified by QC system-level monitoring activities, as provided in paragraph .72;
Information from monitoring activities performed by a network, if applicable;
Information from oversight activities by regulators and other external inspections or reviews; and
Other relevant information of which the firm becomes aware.

Note: The firm may become aware of other relevant information through, for example: (1) documentation being assembled for retention; (2) procedures performed on the subsequent year’s engagement; (3) post-balance sheet review activities in connection with a securities offering; (4) whistleblower or other complaints regarding either a company or the firm; and (5) restatements.

Responding to Engagement Deficiencies

.68 When an engagement deficiency exists, the firm should:

For engagement deficiencies relating to in-process engagements, take action to address the deficiency in accordance with applicable professional and legal requirements (to the extent necessary, before the issuance of the related engagement report(s)), such that the engagement report(s) are appropriate in the circumstances;
For engagement deficiencies relating to completed engagements, take action to address the deficiency in accordance with applicable professional and legal requirements,⁴¹ unless it is probable that the engagement report(s) are not being relied upon;⁴²

Note: In the absence of circumstances indicating that reliance is impossible or unreasonable (e.g., cessation of a trading market for issuer securities), inclusion of an engagement report (either directly or through incorporation by reference) in the most recent filing on an SEC form that requires inclusion of such an engagement report evidences that the report is being relied upon.
For engagement deficiencies relating to work performed on other firms’ engagements, communicate the engagement deficiency to the other firm and take such action as the other firm determines is necessary; and
Evaluate whether similar engagement deficiencies exist on:
1. Other in-process engagements, or would arise if remedial action is not taken;
2. Other completed engagements, unless it is probable that the engagement report(s) are not being relied upon; and
3. Work performed by the firm on other firms’ engagements;
and if so, take actions described in paragraphs .68a.-c. above, as applicable.

.69 The firm should take action pursuant to paragraph .68, taking into account the nature and severity of the engagement deficiency.

Note: As appropriate, actions a firm may take include preventive or corrective actions, or a combination, such as actions: (1) on in-process engagements to address engagement deficiencies before the issuance of the engagement report; (2) to address engagement deficiencies on completed engagements; and (3) to deter future engagement deficiencies.

.70 For each engagement deficiency relating to a completed engagement, the firm should comply with paragraphs .98-.99 of AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements; AS 2901, Responding to Engagement Deficiencies After Issuance of the Auditor’s Report; AS 2905, Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report; paragraphs 39.-42. of AT No. 1, Examination Engagements Regarding Compliance Reports of Brokers and Dealers; and paragraphs 21.-24. of AT No. 2, Review Engagements Regarding Exemption Reports of Brokers and Dealers, as applicable.

Determining Whether QC Observations Exist

.71 The firm must, on a timely basis, evaluate the following information and determine whether QC observations exist:

Information from engagement monitoring activities and QC system-level monitoring activities (including, if applicable, those performed by a network);
Information from oversight activities by regulators and other external inspections or reviews; and
Other relevant information of which the firm becomes aware.

Determining Whether QC Deficiencies Exist

.72 The firm must, on a timely basis, evaluate QC observations and determine whether QC deficiencies exist. The firm’s determination should be based on:

The nature, severity, and pervasiveness of the matter(s) that gave rise to the QC observation, which includes:
1. The component(s) of the QC system, quality objective(s), or quality risk(s) to which the QC observation relates;
2. Whether the QC observation is in the design, implementation, or operation of the QC system;
3. The frequency with which the QC observation occurred; and
4. The duration of time that the QC observation existed; and
The likelihood that the matter(s) that gave rise to the QC observation could affect other components of the QC system, other engagements (including in-process engagements and completed engagements), engagements to be performed in the future, or work performed on other firms’ engagements, and the severity of such an effect if it were to occur.

Responding to QC Deficiencies

.73 The firm should perform root cause analysis of all QC deficiencies. Root cause analysis involves identifying and evaluating the causal factors that led to each QC deficiency. The firm may perform root cause analysis of QC deficiencies individually or may group similar QC deficiencies together.

.74 The nature, timing, and extent of the root cause analysis should be commensurate with the nature, severity, and pervasiveness of the QC deficiency.

.75 For each QC deficiency, the firm should design and implement timely remedial actions, taking into account the results of its root cause analysis and the nature, severity, and pervasiveness of the QC deficiency.

Note: When performing root cause analysis and identifying potential remedial actions for a QC deficiency, it may be beneficial for firms to consider actions, behaviors, or conditions that resulted in positive outcomes, such as where aspects of its QC system operate effectively or where no engagement deficiencies were identified for individual engagements. This information could provide useful insights when evaluating situations where QC deficiencies were identified and such actions, behaviors, or conditions were not present or were not present to the same degree.

.76 The firm should monitor the implementation and operating effectiveness of remedial actions to address the QC deficiency and determine whether such actions are implemented as designed and operate effectively to remediate the QC deficiency. If those actions do not remediate the QC deficiency, the firm should take timely action until the QC deficiency is remediated.⁴³

Evaluation of and Reporting on the QC System

Annual Evaluation of the QC System

.77 Annually, the firm must evaluate the effectiveness of its QC system, based on the results of its monitoring and remediation activities, and conclude, as of September 30 (the “evaluation date”), that its QC system:

Is effective with no unremediated QC deficiencies; or
Is effective except for one or more unremediated QC deficiencies that are not major QC deficiencies; or
Is not effective (one or more major QC deficiencies exists).

Note: An unremediated QC deficiency is one for which remedial actions that completely address the QC deficiency have not been fully implemented, tested, and found effective.

Determining Whether Major QC Deficiencies Exist

.78 As of the evaluation date, the firm must evaluate unremediated QC deficiencies to determine whether major QC deficiencies exist. The firm’s determination should be based on whether either of the presumptions described in paragraph .78a. arises and, when relevant, the factors listed in paragraph .78b.

A major QC deficiency would be presumed to exist if there is an unremediated QC deficiency or combination of unremediated QC deficiencies that:
1. Relates to the firm’s governance and leadership that affect the overall environment supporting the operation of the QC system; or
2. Results in or is likely to result in one or more significant engagement deficiencies⁴⁴ in engagements that, taken together, are significant in relation to the firm’s total portfolio of engagements (for example, because of the number of engagements or firm personnel affected or likely to be affected, the associated revenue or profit, the associated risks, or the relevant industry).
Note: A firm may rebut the presumption that a major QC deficiency exists only if the firm demonstrates, taking into account both factors listed in paragraph .78b. (including all of the listed examples in paragraph .78b.(1)), that the unremediated QC deficiency or combination of unremediated QC deficiencies does not constitute a major QC deficiency.
The following factors are relevant (i) in rebutting a presumption under paragraph .78a., and (ii) for unremediated QC deficiencies that do not give rise to a presumption under paragraph .78a., in determining whether a major QC deficiency exists:
1. The severity and pervasiveness of the unremediated QC deficiency or combination of unremediated QC deficiencies, which may be evidenced by, for example:
  1. The number of components or quality objectives directly or indirectly affected;
  2. The extent to which the unremediated QC deficiency or combination of unremediated QC deficiencies relate to a component, quality objective, or quality response that affects the design or operation of other aspects of the QC system;
  3. The number and pervasiveness of root causes;
  4. The persistence of the unremediated QC deficiency or combination of unremediated QC deficiencies over time;
  5. The number of engagements that are affected by the unremediated QC deficiency or combination of unremediated QC deficiencies or are likely to be affected in the future if the QC deficiencies are not remediated;
  6. The number of engagements that may have unsupported opinions unless additional procedures are performed; and
  7. The number of engagements for which the firm revised and reissued its engagement report(s) because, after additional procedures were performed, the financial statements or management’s report on internal control over financial reporting was restated or revised; and
  Note: In evaluating each unremediated QC deficiency or combination of unremediated QC deficiencies, the firm would consider both quantitative and qualitative implications.
2. The extent to which remedial actions have been implemented, tested, and found to be effective.

Reporting to the PCAOB

.79 The firm must report annually to the PCAOB on Form QC, in accordance with the instructions to that form, the results of the evaluation of its QC system not later than November 30.

.80 The contents of the firm’s reporting to the PCAOB must include the following:

The firm’s conclusion that, as of the evaluation date, the firm’s QC system:
1. Is effective with no unremediated QC deficiencies;
2. Is effective, except for one or more unremediated QC deficiencies that are not major QC deficiencies; or
3. Is not effective (one or more major QC deficiencies exists).
If the firm reports a conclusion under paragraph .80a.(2) or paragraph .80a.(3), a description of each unremediated QC deficiency, including each major QC deficiency, consisting of:
1. The requirements of this standard or the quality objective(s) to which it relates;
2. The firm’s basis for determining it was a QC deficiency as of the evaluation date; and
3. A summary of the remedial actions taken and planned to be taken to address the QC deficiency, as well as the timing and the status of such actions, including a summary of actions taken or to be taken by the firm to address the risk that the QC deficiency resulted or could result in the issuance of unsupported engagement reports.
If a major QC deficiency is presumed to exist but the determination was made that there is no major QC deficiency, the basis for such determination.

Documentation

.81 The firm must prepare and retain documentation of the design, implementation, and operation of the QC system and of the annual evaluation of the QC system.

.82 Documentation must include descriptions of the following matters:

Lines of responsibility and supervision within the firm’s QC system at successive senior levels up to and including the principal executive officer(s) or equivalent, as required by paragraph .27.
Regarding the firm’s risk assessment process:
1. Quality objectives;
2. Quality risks related to the established quality objectives and the basis for the assessment of quality risks; and
3. Quality responses and how the firm’s quality responses are designed to address the quality risks.
Regarding the monitoring and remediation process:
1. The engagement and QC system-level monitoring activities performed, including, if applicable, monitoring activities performed by a network;
2. If a firm determines an engagement deficiency exists but that there is sufficient appropriate audit evidence to support the auditor’s opinion, the basis to support the firm’s determination;
3. Actions taken to address engagement deficiencies pursuant to paragraphs .68 and .69;⁴⁵
4. The evaluation of QC observations to determine whether QC deficiencies exist and the basis for each determination;⁴⁶ and
5. Root cause analysis and remedial actions to address identified QC deficiencies and the monitoring activities performed to evaluate the implementation and operating effectiveness of such remedial actions.⁴⁷
Regarding the evaluation of the firm’s QC system, the basis for the conclusion reached pursuant to paragraph .77.
If the firm belongs to a network that provides or requires the use of resources or services in the firm’s QC system or the performance of the firm’s engagements, or uses resources or services obtained from a third-party provider:
1. The firm’s understanding of how the resources or services used by the firm are developed and maintained;
2. If the firm supplemented or adapted such resources or services, how and why they were supplemented or adapted; and
3. How the firm implemented and operated such resources or services.

.83 The documentation must be in sufficient detail to:

Support a consistent understanding of the QC system by firm personnel, including an understanding of their roles and responsibilities with respect to the firm’s QC system; and
Enable an experienced auditor that understands QC systems, but has no experience with the design, implementation, and operation of the firm’s QC system, to understand the design, implementation, and operation of the QC system, including the quality objectives, quality risks, quality responses, monitoring activities, remedial actions, and basis for the conclusions reached in the evaluation of the QC system.

Note: With respect to the operation of the QC system, the documentation must include documentation that enables an experienced auditor to evaluate the operation of the quality responses.

.84 A complete and final set of documentation as required by paragraphs .81-.83 with respect to the 12-month⁴⁸ period ended the prior September 30 and any evaluation required as of that date should be assembled for retention not later than December 14 (“QC documentation completion date”).

.85 Circumstances may require additions to documentation after the QC documentation completion date. Documentation must not be deleted or discarded after the QC documentation completion date; however, information may be added. Any documentation added must indicate the date the information was added, the name of the person who prepared the additional documentation, and the reason for adding it.

.86 The firm must retain the documentation of its QC system required under paragraphs .81-.83 and paragraph .85 for seven years from the QC documentation completion date, unless a longer period of time is required by law.

APPENDIX A – Definitions

.A1 For purposes of this standard, the terms listed below are defined as follows:

.A2 Applicable professional and legal requirements –

Professional standards, as defined in PCAOB Rule 1001(p)(vi);
Rules of the PCAOB that are not professional standards; and
To the extent related to the obligations and responsibilities of accountants or auditors in the conduct of engagements or in relation to the QC system, rules of the SEC, other provisions of U.S. federal securities law, ethics laws and regulations, and other applicable statutory, regulatory, and other legal requirements.

.A3 Engagement – Any audit, attestation, review, or other engagement performed under PCAOB standards:

Led by a firm; or
In which a firm “play[s] a substantial role in the preparation or furnishing of an audit report” as defined in PCAOB Rule 1001(p)(ii).

.A4 Engagement deficiency – An instance of noncompliance with applicable professional and legal requirements by the firm, firm personnel, or other participants with respect to an engagement of the firm, or by the firm or firm personnel with respect to an engagement of another firm.

.A5 Firm personnel – Individual proprietors, partners, shareholders, members or other principals, accountants, and professional staff of a registered public accounting firm whose responsibilities include assisting with:

The performance of the firm’s engagements; or
The design, implementation, or operation of the firm’s QC system, including engagement quality reviews.

Professional staff includes employees as well as individuals, such as non-employee contractors and consultants, who work under the firm’s supervision or direction and control and function as the firm’s employees.These individuals include, for example, secondees and leased staff who work under the supervision or direction and control of the firm. Professional staff does not include persons engaged only in clerical or ministerial tasks.

.A6 Major QC deficiency – An unremediated QC deficiency or combination of unremediated QC deficiencies, based on the evaluation under paragraph .78, that severely reduces the likelihood of the firm achieving the reasonable assurance objective or one or more quality objectives.

.A7 Other participants – With respect to work performed in connection with the firm’s QC system or the performance of its engagements, other participants are accounting firms (foreign or domestic, registered or unregistered), accountants, and other professionals or organizations, other than firm personnel, whose responsibilities include assisting with:

The performance of the firm’s engagements; or
The design, implementation, or operation of the firm’s QC system, including engagement quality reviews.

.A8 QC deficiency – A QC observation that, based on the evaluation under paragraph .72, individually, or in combination with one or more other QC observations, evidences:

That the likelihood of the firm not achieving the reasonable assurance objective or one or more quality objectives has not been reduced to an acceptably low level;

Note: The likelihood of not achieving the reasonable assurance objective or one or more quality objectives would be above an acceptably low level if, for example, a quality objective is not established, a quality risk is not properly identified or assessed, or a quality response is not properly designed or implemented or is not operating effectively.
Noncompliance with requirements of this standard, other than those under “Documentation”; or
Noncompliance with requirements of this standard under “Documentation” that adversely affects the firm’s ability to comply with any of the other requirements of this standard.

.A9 QC observation –

An engagement deficiency; or
Any other observation about the design, implementation, or operation of the firm’s QC system that may indicate one or more QC deficiencies exist.

.A10 Quality objectives – The desired outcomes in relation to the components of the QC system to be achieved by the firm.

.A11 Quality responses – Policies and procedures designed and implemented by the firm to address quality risks:

Policies are statements of what should, or should not, be done to address an assessed quality risk.
Procedures are actions to implement and comply with policies.

.A12 Quality risks – Risks (whether or not related to intentional acts by firm personnel or other participants to deceive or to violate applicable professional and legal requirements) that, individually or in combination with other risks, have a reasonable possibility of occurring and, if they were to occur, a reasonable possibility of adversely affecting the firm’s achievement of one or more quality objectives.

.A13 Third-party providers – Individuals or organizations, other than other participants, that provide resources or services to the firm that are designed specifically for use in the performance of engagements (e.g., purchased methodologies, related templates, and IT applications) or to assist with the operation of its QC system (e.g., broker and dealer monitoring systems to track personal financial interests of firm personnel).

APPENDIX B – Examples Relevant to Obtaining an Understanding of the Nature and Circumstances of the Firm and its Engagements

.B1 This appendix provides examples related to paragraphs .20a.(1) and .20a.(2). Whether a particular example is relevant, whether it results in one or more quality risks, or how it affects the assessment of quality risks will depend upon the nature and circumstances of the firm and its engagements.

.B2 The complexity and operating characteristics of the firm (.20a.(1)(a)). This includes the size of the firm, the geographical distribution of the firm’s operations, how the firm is structured, and the extent to which the firm concentrates or centralizes its processes or activities. Examples include:

Complexity of the organizational structure, including the number of managerial levels;
Structure of reporting lines, including overlapping or interconnected reporting lines;
Centralized or decentralized nature of the firm;
Changes in firm structure and firm ownership (e.g., reorganizations, mergers and acquisitions, divestitures, or extent of non-CPA ownership);
Internal or external factors limiting the availability or use of resources, including financial resources, for the firm’s QC system or its engagements;
The nature and extent of use or involvement of shared service centers and whether these are internal or external to the firm; and
The existence and extent of governance structures providing oversight of leadership.

.B3 The firm’s business processes and strategic and operational decisions and actions (.20a.(1)(b)). This includes decisions about financial and operational matters, including the firm’s strategic goals. Examples include:

Pressure to meet financial targets and commercial goals that could affect resource availability or other aspects of the firm’s QC system;
Changes in firm business strategy or goals affecting the firm’s audit practice; and
Mergers, acquisitions, and divestitures.

.B4 The characteristics and management style of leadership (.20a.(1)(c)). This includes the composition of firm leadership, leadership tenure, distribution of authority among leadership, and how leadership motivates and encourages firm personnel. Examples include:

Changes in firm leadership (e.g., senior leadership turnover);
The extent to which senior leadership consists of individuals without experience in auditing;
Highly concentrated or distributed management authority, particularly for the size of the firm;
Leadership tone or conduct;
Actions or inactions that result in a history of recurring QC deficiencies or engagement deficiencies (regardless of whether identified internally or externally);
Timing of actions in response to identified QC deficiencies or engagement deficiencies;
The extent to which firm personnel are held accountable for violations of applicable professional and legal requirements or of the firm’s policies and procedures; and
The extent of focus on commercial goals (e.g., revenue generation or business development) compared to the quality of the firm’s engagements.

.B5 The extent to which a culture of integrity and a commitment to audit quality, including ethics and independence, is promoted within the firm and embraced by firm personnel across all levels (20a.(1)(d)). This includes how a commitment to quality is embedded in the firm’s culture and exists throughout the firm. Examples include:

Recognizing the firm’s fundamental obligation to protect investors through the preparation and issuance of informative, accurate, and independent auditor’s reports;
Emphasizing the importance of professional ethics, values and attitudes;
Emphasizing the responsibility of all firm personnel for quality relating to the performance of engagements or activities within the QC system, and their expected behavior;
Establishing and adhering to a code of conduct;
Defining and communicating how quality will be measured and incorporating quality-related measures in personnel evaluations, with associated effects on compensation and promotion;
Establishing developmental opportunities for personnel that reinforce quality; and
Defining the purpose and values of the firm, and ensuring that these recognize quality.

.B6 The resources of the firm (.20a.(1)(e)). This includes people, financial, technological, and intellectual resources and the characteristics and availability of such resources. Examples include:

Availability of skilled individuals;
Availability of financial, technological, and intellectual resources;
Highly centralized or decentralized environments to manage resources;
Dependency on, and complexity of, technology used by the firm;
The firm’s ability to obtain and use technological resources in performing engagements that are commensurate with the technology risk profiles of the companies for which the firm performs engagements and the risks associated with such technological resources, including their susceptibility to cybersecurity breaches; and
Nature of technology development and resources to maintain the technology (e.g., internally developed versus purchased).

.B7 The environment in which the firm operates, including applicable professional and legal requirements (.20a.(1)(f)). This includes economic stability; social and technological factors; laws and regulations directly relevant to the firm; and applicable professional and legal requirements affecting engagements performed by the firm. Examples include:

Changes to the external environment (e.g., economic, political, or technological) affecting the firm and its QC system;
Economic conditions or other external factors limiting the availability of resources; and
Changes to applicable professional and legal requirements relevant to the firm, including its QC system and firm personnel.

.B8 If the firm belongs to a network, the characteristics of the network and the network’s resources and services and the nature and extent of resources and services used by the firm (.20a.(1)(g)). This includes the nature of the network, the nature and extent of the requirements established by the network, and the resources and services provided by the network. Examples include:

How the network is organized and operates;
The extent and frequency of communication from the network to the firm related to resources and services provided by the network;
The extent to which network requirements or network services are or should be supplemented or adapted for the firm’s use;
The process used to develop technological and intellectual resources provided by the network; and
Observations from monitoring activities regarding the design of network resources and services and their use by the firm.

.B9 If the firm uses other participants, the nature and extent of their involvement (.20a.(1)(h)). This includes the types of and extent to which the firm uses other participants and the characteristics of such other participants. Examples include:

The extent of reliance by the firm on other participants;
Information regarding the reliability and quality of the services performed and the experience and competence of the individuals performing those services; and
Whether the other participants belong to the same network as the firm.

.B10 If the firm participates in other firms’ engagements, the nature and extent of the firm’s participation (.20a.(1)(i)). This includes the nature of the procedures performed, the extent of participation, and other characteristics, including characteristics of the other firms. Examples include:

The type of work performed by the firm on the other firms’ engagements;
The extent of participation in the other firms’ engagements;
Prior experience in participating in the other firms’ engagements; and
The reputation of the other firms.

.B11 If the firm uses resources or services obtained from third-party providers, the nature and extent of those resources or services (.20a.(1)(j)). This includes the types of and extent to which the firm uses third-party providers and the characteristics of such third-party providers. Examples include:

The extent of usage by the firm of third-party providers;
The extent of alignment of the third-party providers’ standards of conduct, if any, with those of the firm;
Observations from monitoring activities regarding the design of the services performed and their use by the firm; and
Information regarding the experience, reliability, and quality of the services performed and the experience and competence of the individuals performing those services.

.B12 The nature and circumstances of the firm’s engagements (.20a.(2)). This includes the types of engagements performed by the firm and the types of companies for which such engagements are undertaken. Examples include:

Size, industry, complexity, and risk profile of the companies for which the firm’s engagements are performed (e.g., the laws and regulations to which the companies are subject), including the potential need for external resources (e.g., specialists, valuation reports, analyst or short-seller reports);
Complexity of or changes to applicable professional and legal requirements and the firm’s policies and procedures relevant to the firm’s engagements;
The extent of the firm’s and its personnel’s experience with the relevant types of engagements (e.g., audits of internal control over financial reporting or attestation engagements of brokers and dealers) or industries;
Complexity of technology used by the company and used by the firm when performing engagements;
Changes in the external environment affecting the firm’s engagements;
Impediments to the firm’s ability to perform the required engagement procedures, whether due to lack of available evidence or otherwise; and
Information obtained from external inspections or reviews and oversight activities by regulators.

¹ Terms defined in Appendix A, Definitions, are italicized throughout the standard.

² “Engagement reports” refers to reports issued in connection with engagements (e.g., audit, attest, examination, or review).

³ With respect to firm responsibilities subsequent to the issuance of an audit report, see, for example, AS 2901, Responding to Engagement Deficiencies After Issuance of the Auditor’s Report; AS 2905, Subsequent Discovery of Facts Existing at the Date of the Auditor’s Report; AS 4101, Responsibilities Regarding Filings Under Federal Securities Statutes.

⁴See paragraph .77 (requiring evaluation of the effectiveness of the QC system as of September 30).

⁵ See PCAOB Rule 1001(p)(ii).

⁶ See Note in paragraph .44a. of this standard for a description of competence.

⁷ See paragraph .46.

⁸ See paragraphs .44h. and .44i. for an explanation of technological and intellectual resources.

⁹ See paragraph .11.

¹⁰ Ethics and independence requirements include PCAOB independence and ethics standards and rules, the U.S. Securities and Exchange Commission (“SEC”) rule on auditor independence, and other applicable requirements regarding accountant ethics and independence that are relevant to fulfilling their obligations and responsibilities in the conduct of engagements or in relation to the QC system, such as those arising under state law or the law of other jurisdictions. See, e.g., Regulation S-X Rule 2-01, 17 C.F.R. § 210.2-01, and PCAOB Rules under Section 3. Auditing and Related Professional Practice Standards, Part 5 – Ethics and Independence.

¹¹ Others subject to such requirements may include, for example, “associated persons” of a firm (as defined in PCAOB Rule 1001(p)(i)) and “covered persons in the firm” (as defined in Regulation S-X Rule 2-01(f)(11), 17 C.F.R. § 210.2-01(f)(11)) that in each case are not firm personnel.

¹² PCAOB Rule 3526, Communication with Audit Committees Concerning Independence, requires the firm to communicate with the audit committee regarding matters that may reasonably be thought to bear on the independence of the firm, firm personnel, and affiliates of the firm. Some, but not all, such matters are the subject of specific SEC or PCAOB requirements. See, e.g., Rule 2-01 of Regulation S-X, 17 C.F.R. § 210.2-01; PCAOB Rule 3522, Tax Transactions; PCAOB Rule 3523, Tax Services for Persons in Financial Reporting Oversight Roles.

¹³ See PCAOB Rule 3500T, Interim Ethics and Independence Standards; EI 1000, Integrity and Objectivity.

¹⁴ See PCAOB Rule 1001(p)(i).

¹⁵ The term “audit committee” has the same meaning as it does in AS 1301, Communications with Audit Committees.

¹⁶ See, e.g., Regulation S-X Rule 2-01(c), 17 C.F.R. § 210.2-01(c); PCAOB Rules 3522 and 3523.

¹⁷ “Audit client” is defined for purposes of SEC rules in Regulation S-X Rule 2-01(f)(6), 17 C.F.R. § 210.2-01(f)(6), and for purposes of PCAOB rules in PCAOB Rule 3501(a)(iv). “Affiliate of the audit client” is defined in PCAOB Rule 3501(a)(ii) as having the same meaning as defined in Regulation S-X Rule 2-01(f)(4), 17 C.F.R. § 210.2-01(f)(4). “Affiliate of the accounting firm” is defined in PCAOB Rule 3501(a)(i), and, for purposes of this Note to paragraph .34a., “accounting firm,” which includes the firm’s associated entities, is defined in Regulation S-X Rule 2-01(f)(2), 17 C.F.R. § 210.2-01(f)(2).

¹⁸ Context determines which family members would be relevant. See, e.g., Regulation S-X Rule 2-01(f)(9), 17 C.F.R. § 210.2-01(f)(9) (defining “close family members”); Regulation S-X Rule 2-01(f)(13), 17 C.F.R. § 210.2-01(f)(13) (defining “immediate family members”); see generally Regulation S-X Rule 2-01(c), 17 C.F.R. § 210.2-01(c) (referring to “close family member” or “immediate family member” depending on the context).

¹⁹ See Regulation S-X Rule 2-01(f)(11), 17 C.F.R. § 210.2-01(f)(11) (defining “covered persons in the firm”).

²⁰ See, e.g., Regulation S-X Rule 2-01(c)(7), 17 C.F.R. § 210.2-01(c)(7); PCAOB Rule 3524, Audit Committee Pre-approval of Certain Tax Services; PCAOB Rule 3525, Audit Committee Pre-approval of Non-audit Services Related to Internal Control Over Financial Reporting.

²¹ See, e.g., paragraph .06 of AS 2101, Audit Planning.

²² See, e.g., Regulation S-X Rule 2-01(c)(7), 17 C.F.R. § 210.2-01(c)(7); PCAOB Rule 3524; PCAOB Rule 3525.

²³ See, for example, paragraph .06H of AS 2101, and paragraph .08 of AS 1210, Using the Work of an Auditor-Engaged Specialist, when evaluating when such resources are or will be involved in the engagement.

²⁴ For a prospective engagement, this includes evaluating information obtained from a predecessor firm. See generally, e.g., AS 2610, Initial Audits—Communications Between Predecessor and Successor Auditors.

²⁵ See, e.g., AS 1301.05.

²⁶ For purposes of this standard, the firm is deemed “aware” of information when any partner, shareholder, member, or other principal of the firm first becomes aware of such information.

²⁷ See PCAOB Rule 3100, Compliance with Auditing and Related Professional Practice Standards, which requires compliance with all applicable auditing and related professional practice standards adopted by the Board and approved by the SEC.

²⁸ For purposes of this standard, the “practitioner with final responsibility” in AT Section 101, Attest Engagements, is treated as the “engagement partner.”

²⁹ See generally, e.g., AS 1201, Supervision of the Audit Engagement.

³⁰ Consultation does not alter the responsibilities of the engagement partner for designing and performing procedures to obtain sufficient appropriate evidence to support the engagement report. See generally, e.g., AS 1201.

³¹ See, for example, paragraph .48 of AT Section 101, regarding the elements of supervision, including dealing with differences of opinion among personnel, and paragraph .12d of AS 1215, Audit Documentation, regarding documentation of disagreements.

³² See generally AS 1215.

³³ For certain specified activities and responsibilities of certain firm personnel, see paragraphs .10-.17.

³⁴ These individuals include engagement quality reviewers and those performing activities within the QC system, such as monitoring activities.

³⁵ Paragraph .46 describes appropriate standards of conduct by firm personnel.

³⁶ Resources acquired from a third-party provider may include methodologies, applications, and tools used in the firm’s QC system or the performance of its engagements.

³⁷ See, e.g., AS 1301; PCAOB Rules 3524, 3525, and 3526; Section 10A(b) and (k) of the Securities Exchange Act of 1934 (“Exchange Act”), 15 U.S.C. § 78j-1(b), (k); Regulation S-X Rule 2-07, 17 C.F.R. § 210.2-07; Rule 10A-1 under the Exchange Act, 17 C.F.R. § 240.10A-1.

³⁸ AS 1201.08-.13.

³⁹ The most recent evaluation of the other participant firm’s QC system refers to that firm’s evaluation under paragraph .77 of this standard as of the most recent “evaluation date” (as defined in paragraph .77), if such an evaluation was performed. If the other participant firm did not evaluate its QC system under paragraph .77 of this standard as of the most recent evaluation date, then this provision refers to the most recent QC evaluation performed by the other participant firm under any professional standard.

⁴⁰ With respect to the aspects of the monitoring and remediation process that are based on the firm’s awareness, see footnote 26.

⁴¹ See paragraph .70.

⁴² The term “probable” has the same meaning as used in the FASB Accounting Standards Codification, Contingencies Topic, paragraph 450-20-25-1.

⁴³ See paragraphs .64 and .65 when determining the nature, timing, and extent of monitoring activities for remedial actions.

⁴⁴ A significant engagement deficiency exists when (1) the engagement team failed to obtain sufficient appropriate evidence in accordance with the standards of the PCAOB or failed to perform interim review or attestation procedures necessary in the circumstances, (2) the engagement team reached an inappropriate overall conclusion on the subject matter of the engagement, (3) the engagement report is not appropriate in the circumstances, or (4) the firm is not independent of its client. See, e.g., Notes to AS 1220.12, .17, .18B.

⁴⁵ See AS 1215.16 for documentation requirements regarding actions taken to address engagement deficiencies on completed audit engagements.

⁴⁶ See paragraph .72.

⁴⁷ See paragraphs .73-.76.

⁴⁸ In the first year that the firm is required to evaluate its QC system under paragraph .77, the period is from the date on which the firm becomes subject to such requirement to the next September 30.