Implementing 2026 standards and amendments
Highlights
- New PCAOB standards QC 1000, AS 2901, and others take effect December 15, 2026.
- QC 1000 requires firms to implement comprehensive risk-based quality control systems.
- AS 2901 introduces a framework for responding to engagement deficiencies after report issuance.
- Other standards with updates include AS 1215, AS 1220, AS 2101, and AS 2110.
Audit firms are facing several important regulatory changes as new auditing standards issued by the Public Company Accounting Oversight Board (PCAOB) take effect this December.
Two of the most significant updates are QC 1000, A Firm’s System of Quality Control, and AS 2901, Responding to Engagement Deficiencies After Issuance of the Auditor’s Report. While many of the changes are designed to strengthen audit quality and accountability, they will also require firms to adjust their processes, documentation practices, and quality control systems.
For auditors, the question is not just what these new PCAOB auditing standards require, but how to operationalize them. Understanding the standards’ purpose and preparing early can help audit teams avoid last-minute disruptions and maintain consistent audit quality.
What is QC 1000, and when is it effective?
QC 1000 is the most impactful update among the new PCAOB auditing standards. The standard requires registered public accounting firms to design, implement, and operate a comprehensive quality control system that proactively identifies and manages risks to audit quality.
The PCAOB originally scheduled QC 1000 to become effective on December 15, 2025, but later postponed the effective date by one year to December 15, 2026.
The PCAOB explained that it delayed the effective date after finding that some firms faced implementation challenges that could not be realistically resolved within the original timeframe. It concluded that granting an extra year would help firms design and implement QC 1000-compliant quality control systems.
The good news is that QC 1000 was intentionally designed to align closely with existing quality management frameworks, including the AICPA’s Statement on Quality Management (SQMS) No. 1 and international quality management standards that many global firms already follow. As a result, many firms already have foundational systems in place and can focus on the incremental PCAOB-specific requirements.
“At this point, firms that audit issuers should be in that additional PCAOB requirements stage, and focusing on things like monitoring, remediation, and reporting. There are additional reporting requirements for firms to report their results to the PCAOB, and so they need to be looking at: Do they have a structure in place to collect the data and do the reporting?” said Alison Stephens, Executive Editor of PPC products at Thomson Reuters.
“And I always want to emphasize training,” Stephens added. “They need to make sure that it’s not just leadership and administration that know what’s going on. In the trenches…[firms] need to make sure that they’ve pushed out training to all of their professionals, and that professionals have the resources they need to ensure that the quality control system operates effectively.”
What is the primary objective of QC 1000?
The main goal of QC 1000 is to require firms to maintain a risk-based quality control system that provides reasonable assurance that audits are performed in accordance with PCAOB standards and applicable regulatory requirements.
Rather than relying on inspections after the fact, the standard requires firms to proactively identify risks to audit quality and put controls in place to manage them. Key elements of a quality control system include:
- Governance and leadership accountability for quality
- Ethics and independence policies
- Client acceptance and continuance procedures
- Engagement performance and supervision
- Personnel, technology, and other resources
- Monitoring and remediation processes
QC 1000 also requires firms to perform an annual review of their quality control system, documenting its effectiveness and identifying areas for improvement.
How will QC 1000 impact auditors’ workflow?
Although QC 1000 primarily addresses firm-level governance and quality management, its impact will extend to engagement teams and individual auditors.
For many firms, the next stage of implementation will focus on PCAOB-specific requirements, particularly in areas such as monitoring, remediation, and reporting.
For example, QC 1000 adds new requirements for firms to report specific quality control findings to the PCAOB, meaning they must have systems in place to collect, track, and report relevant data.
Proper training is also essential. Since quality control policies often operate at the firm-management level, staff auditors may be less familiar with how these policies impact their daily responsibilities. Firms need to make sure that professionals throughout the organization understand escalation procedures, documentation expectations, and who must be notified when potential quality issues arise.
What is AS 2901?
Another significant update among the new PCAOB auditing standards is AS 2901, Responding to Engagement Deficiencies After Issuance of the Auditor’s Report. It replaces and updates the earlier guidance known as “Consideration of Omitted Procedures After the Report Date.”
The standard is concise yet essential for effective monitoring and remediation processes. It expands the scope of the original guidance to address any engagement deficiency identified after an auditor’s report is issued, rather than only focusing on omitted audit procedures. It also aligns the standard with the broader quality management framework introduced by QC 1000, especially concerning monitoring and remediation.
“If you find a deficiency in your internal process — something comes to light that makes you aware of a deficiency or an inspection deficiency from the PCAOB — it just gives a very succinct framework for what you need to do with that,” Stephens said.
What is the primary objective of AS 2901?
The standard provides a clear framework for evaluating and addressing engagement deficiencies identified after a report is issued. It distinguishes between deficiencies where the auditor lacked sufficient appropriate audit evidence to support the opinion and other engagement deficiencies that still require action.
Under the revised AS 2901, the auditor must evaluate whether the deficiency indicates that sufficient appropriate audit evidence was obtained to support the auditor’s opinion. The response varies depending on the nature of the deficiency.
- Deficiencies involving insufficient audit evidence. If the auditor determines that sufficient appropriate evidence was not obtained, the auditor should perform additional procedures to obtain the necessary evidence. If sufficient evidence cannot be obtained, the auditor must take steps to prevent further reliance on the previously issued report.
- Other engagement deficiencies. For deficiencies that do not affect the sufficiency of evidence supporting the opinion, the auditor must still take appropriate corrective or preventive action, taking into account the nature and severity of the issue.
Why is AS 2901 significant for firms?
Although AS 2901 is concise, it is crucial in supporting the monitoring and remediation processes mandated by QC 1000. It not only offers a framework for evaluating and addressing engagement deficiencies but is also reinforced by AS 1000-related updates to AS 1215, Audit Documentation, which considerably shorten the time allowed to complete audit documentation.
AS 1215, as amended in conjunction with the issuance of AS 1000, shortens the deadline for completing audit workpapers from 45 days to 14 days after the report release date. It’s a major change that will broadly affect firms starting with the 2026 audit cycles.
This tighter deadline heightens the operational pressure on engagement teams. If deficiencies are found after the report is issued, auditors must respond swiftly, follow a structured evaluation process, and thoroughly document their actions.
“[AS 2901] reminds users about the documentation to make sure you comply with AS 1215, the documentation standard paragraph 16, specifically that talks about documentation after the report release date, and after that finalization date. You can never delete or remove finalized audit documentation. You can, however, add to it. But you need to make sure that you comply with standards in doing so, and that you’re very detailed in what you add, documenting how an issue came to light and the who, what, why, how of the resolution,” Stephens said. “So, it points that out, and then it also lines up with QC 1000, specifically paragraph 82, about when you’re documenting those actions taken as part of the monitoring and remediation.”
What are the conforming amendments to core PCAOB audit standards?
Alongside QC 1000 and AS 2901, the PCAOB also recently issued AS 1000, General Responsibilities of the Auditor in Conducting an Audit and Amendments to PCAOB Standards, and conforming amendments to several existing auditing standards. These updates aim to align legacy standards with the PCAOB’s modernized framework under AS 1000 and QC 1000, reinforcing expectations around audit evidence, documentation, supervision, and risk-based planning. These include:
- AS 1215, Audit Documentation. The amendments introduce one of the most significant practical changes: reducing the period for completing audit documentation from 45 days to 14 days after the report release date. Auditors must complete all audit procedures and supervisory reviews before issuing the report and assemble a final set of documentation within this shortened timeframe.
- AS 1220, Engagement Quality Review. Updates clarify the responsibilities of the engagement quality reviewer, emphasizing the need for an objective assessment of significant judgments and conclusions made by the engagement team before the auditor’s report is issued.
- AS 2101, Audit Planning. Amendments highlight the engagement partner’s responsibility for planning the audit and emphasize the importance of a risk-based approach that connects planning decisions to identified risks of material misstatement.
- AS 2110, Identifying and Assessing Risks of Material Misstatement. The updated standard strengthens requirements around risk identification and assessment, emphasizing a more thorough understanding of the company and its environment to support audit procedures.
- AS 2201, Internal Control Over Financial Reporting. Amendments clarify how auditors assess internal control as part of an integrated audit, strengthening the link between control testing and financial statement audit conclusions.
- AS 2315, Audit Sampling. Updates align sampling requirements with the broader focus on obtaining sufficient appropriate audit evidence and clearly documenting the basis for conclusions.
- AS 4105, Reviews of Interim Financial Information. Changes enhance consistency between interim review procedures and the updated audit framework, including expectations regarding evidence, documentation, and professional judgment.
How auditors can stay on top of new auditing standards
As several new audit standards take effect at the end of the year, thorough preparation will be crucial. Audit teams that start planning early and execute these standards effectively are most likely to turn the new requirements into practical planning steps, better workpaper practices, and consistent, defensible audit narratives throughout the engagement.
Stephens also cautioned firms not to disregard evaluation of standards from the past couple of years. “I would just encourage people to remember that the confirmation standard and supervision of other auditors standard are still fairly fresh, and so I think those will be areas of inspection focus. Firms just need to continue to think about those and evaluate those, maybe even include them in their QC risk assessment for things to watch for in their inspection and remediation processes internally.”
“Anytime there are new standards, the inspectors want to get a good feel around how people are responding to it,” Stephens continued. “Are [the standards] doing what was intended? Are there any unintended consequences?”
To help auditors stay current as standards evolve, Thomson Reuters AuditWatch Training Solutions offers expert-led learning built specifically for audit teams, including its Accounting and Auditing Update course. The course covers newly issued FASB and AICPA pronouncements and other developments affecting practitioners, with materials updated throughout the year and discussions tailored to each firm’s practice — making it a practical way to train staff, reinforce technical knowledge, and keep teams aligned on changing requirements.
For firms putting these standards into practice at the engagement level, Thomson Reuters Guided Assurance can help streamline execution with guided workflows, standardized templates, and practical practice aids designed to support consistent documentation and stronger audit quality.
Backed by Thomson Reuters PPC methodology and in-application guidance, it gives teams access to updated engagement tools and Checkpoint-connected resources that help them stay aligned with evolving professional standards while working more efficiently.