Lessons for every CPA firm from public audit

Lessons can be learned from regulatory enforcement activity even if a firm’s practice does not include audit services. Learn about 2022 enforcement trends and how to help mitigate risk in 2023.
By Nicole L. Graham, Esq., Aon Risk Consultant
This article appeared in the March 2023 issue of the Journal of Accountancy.

Recent enforcement efforts from the SEC and the PCAOB indicate regulators are ramping up their efforts to hold accountable firms that fail to follow professional standards. Let’s review enforcement trends from 2022 and discuss how maintaining proper internal controls can help keep your firm out of the crosshairs of regulators and/or claims by clients in 2023.
Even if your practice does not include audits of public companies — or even audit services — review and continuous monitoring of your internal controls are still useful risk management practices. Such actions create an environment where staff know what is expected of them in terms of service quality and are comfortable escalating problems or concerns from the start to seek support for a resolution process. Delay and avoidance may also result in increased regulatory penalties or large-dollar claim awards when eventually brought to light.
In 2022, the SEC filed 760 enforcement actions, a 9% increase from 2021, and the PCAOB imposed the highest total penalties in its history, more than quadrupling the total dollar amount of penalties imposed against firms. Both the SEC and PCAOB have signaled they intend to continue to aggressively pursue enforcement efforts in 2023. PCAOB Chair Erica Y. Williams has stressed that the board is approaching enforcement with renewed vigilance. SEC Chair Gary Gensler has also expressed that the SEC’s crackdown is just getting started and that it would continue to pursue violations wherever and however they occur. As evidenced by some of the penalties imposed against CPA firms in 2022, these are not hollow threats.
In 2022, the SEC’s and PCAOB’s enforcement actions appeared more punitive in nature — if firms exhibited systemic issues, the penalties against the firms and/or the individuals involved were harsher, ostensibly to serve as a deterrent to continued violations. Violations involving a failure or lack of internal controls, including instances where firm culture or firm management either failed to recognize or permitted the violations to continue over a period of time, seemed to draw the ire of the agencies. The penalties for such violations were significant both in terms of monetary penalties and required remedial measures.

Lessons learned and risk mitigation practices to adopt

Systemic failure of internal controls and/or quality control protocols allows noncompliance with rules and standards to start and to continue unabated. Though errors and missteps can and will happen, how your firm responds when issues arise is important. You need to have procedures in place that will uncover the issue and set forth protocols for resolving the problem. Regardless of practice area, every firm should have a risk management program in place that includes internal control protocols and written quality control practices and procedures, and encourages regular communication with and training for employees for identifying, managing, and escalating potential risk areas.
How errors or mistakes are handled by the firm can affect the fallout, including penalties from regulators or claims/lawsuits by clients. For example, if an associate in the tax practice incorrectly applies a rule or regulation that causes a client to pay more tax than what is owed, such an event may be relatively easy to address, and the potential damages may be easily quantified and/or mitigated. However, if the tax associate is not properly trained and/or supervised and makes the same mistake on multiple returns over several years, the potential damages and possible penalties increase exponentially.
Below are risk management practices to help enhance your firm’s culture of quality control.

Be clear about what is expected

Creating and consistently enforcing practices and procedures keeps everyone focused on what is expected. Employee handbooks as well as written practices and procedures set the tone by identifying the expected ethical and technical obligations of all employees, officers, shareholders, and partners. Service-specific quality control protocols should be included in the firm’s written policies and procedures.
Protocols and procedures should clearly articulate what is expected and provide instruction for reporting any concerns, issues, or suspected violations. Instructions should be detailed and explicit. Provide examples of situations where reporting is required. Each person at the firm should know how to report issues or concerns, including to whom they should report.
Make clear in your practices and procedures that retaliation for good-faith reporting of concerns, issues, or suspected violations will not be tolerated. Be equally explicit that failing to report or concealing concerns, issues, or suspected violations will likewise not be tolerated.

Create a firmwide culture of quality control

At least annually, share and review quality control practices and procedures with all employees, officers, and shareholders/partners. Highlight the importance of continued vigilance in following all procedures by sharing potential liability concerns for failures or violations. Give examples of issues that should be addressed with management, human resources, or other appropriate personnel. Explain with whom various scenarios should be addressed and how they should be documented.

Consider discussing appropriate examples (while maintaining confidentiality, when necessary) of how issues at the firm were raised and addressed during the past year to create an environment where your people understand they can and should voice concerns. Use news of enforcement actions and large settlements or verdicts from lawsuits that are published to highlight the importance of your message.
When discussing quality control procedures with employees, make the communication interactive to start a dialogue with staff. Keep an open-door policy to address any questions employees may have about the procedures or their responsibilities.
Express that ignoring concerns or failing to report is frowned upon, and state the potential consequences for such behaviors. Aim to reinforce the idea that if someone at the firm has a problem, the firm is there to help resolve the problem and insulate both the firm and its employee from further liability.

Follow through

If staff report a concern, issue, or suspected violation, your firm should undertake an internal investigation, with or without the assistance of outside counsel. Investigating the conduct of members of your firm can be uncomfortable. Doing the right thing is not always easy. It is, however, necessary to proactively manage risk and maintain accountability.
If the investigation confirms a violation, the firm should uniformly carry out any reprimand or other deterrent measures in accordance with those delineated in the practices and procedures as well as HR guidelines. The firm should also explore and implement remedial measures to prevent similar conduct from occurring in the future.
Remember, failure to address misconduct, mistakes, or other violations may result in increased penalties or large loss claims. Regulatory investigations, claims, and lawsuits can take substantial time away from your practice and damage your firm’s reputation. Creating, implementing, and enforcing internal procedures relating to all aspects of your firm’s practice is key to avoiding a culture of complacency and advancing one of vigilance relating to quality control.

$6.4 billion
Amount the SEC issued in penalties in 2022, the highest in its history.
Source: “SEC Announces Enforcement Results for FY22,” SEC news release, Nov. 15, 2022.



Nicole L. Graham, Esq., is a risk consultant at Aon. For more information about this article, contact nicole.graham@aon.com.

This article is provided for general informational purposes only and is not intended to provide individualized business, insurance, or legal advice. You should discuss your individual circumstances thoroughly with your legal and other advisors before taking any action with regard to the subject matter of this article.

Aon Insurance Services is the brand name for the brokerage and program administration operations of Affinity Insurance Services, Inc., a licensed producer in all states (TX 13695); (AR 100106022); in CA & MN, AIS Affinity Insurance Agency, Inc. (CA 0795465); in OK, AIS Affinity Insurance Services Inc.; in CA, Aon Affinity Insurance Services, Inc., (CA 0G94493), Aon Direct Insurance Administrators and Berkely Insurance Agency and in NY, AIS Affinity Insurance Agency.