PCAOB Proposes Revised Audit Requirements for Non-Compliance with Laws and Regulations
June 6, 2023
The Public Company Accounting Oversight Board (PCAOB) on June 6, 2023, voted 3 to 2 to issue a proposal that aims to strengthen its standard to require auditors to more proactively identify, evaluate and communicate instances of a company’s non-compliance with laws and regulations (NOCLAR).
The board’s proposal comes as investor advocates for years have said that the old 1988 AICPA standard—renamed as the PCAOB’s Auditing Standards (AS) 2405, Illegal Acts by Clients, has not protected investors. The AICPA’s standard was adopted in an interim basis when the PCAOB was established by the Sarbanes-Oxley Act, which Congress passed into law in 2002 to prevent a recurrence of accounting scandals that toppled companies like Enron and WorldCom and put their auditor—then-Big Five Firm Arthur Andersen—out of business. Before the PCAOB was established, the auditing profession essentially regulated itself.
A focus on the auditor’s responsibilities regarding NOCLAR came amid a string of high-profile cases in the past several years. For example, Wells Fargo & Co. created more than 1.5 million unauthorized bank accounts and more than 560,000 credit card applications from 2011 to 2015, and investors asked where its auditor, KPMG LLP, was to prevent the fraud.
The audit firm denied any wrongdoing. At the time, KPGM told Senators that “the potential impact” of the “unethical and illegal conduct” would likely be insignificant.” Moreover, the firm said, “improper sales practices do not implicate the effectiveness of internal controls” as “not every illegal act has a meaningful impact on a company’s financial statements or its system of internal controls over financial reporting.”
But when the public found out about the scandal, Wells Fargo lost $7.8 billion in stock valuation. More recently, Wells Fargo agreed to pay $1 billion to settle a class-action suit from investors, alleging the bank misled them about compliance with consent orders imposed by regulators.
“Unfortunately, the current standard on illegal acts fails to meet” investors’ expectation “that all means all, including material respects impacted by noncompliance,” PCAOB Chair Erica Williams said. “In fact, it says an audit in accordance with PCAOB auditing standards does not include audit procedures specifically designed to detect all illegal acts that could have a material effect on the financial statements.”
It is time to heed to investor’s calls, she said.
Proposal in Detail
The PCAOB would change the name of the standard from illegal acts to NOCLAR. This would cover all ranges of non-compliance—intentional or unintentional—from outright financial statement fraud to non-compliance matters that may have a material effect on the financial statements. The new proposed standard thus would be called AS 2405, A Company’s Noncompliance with Laws and Regulations.
The proposal has three key elements.
Auditors would be required to identify NOCLARs that could reasonably have a material effect on the company’s financial statements during their initial risk assessment. For example, the auditor must ask management whether there is any correspondence with the company’s regulators about instances of fraud or other NOCLAR.
“While the current standard could be interpreted to understand that the auditor has limited responsibilities with respect to noncompliance with certain laws and regulations unless they happen to stumble across the information, the new standard makes clear what investors already expect — that it is the auditor’s responsibility to proactively be on guard for all noncompliance that may have a material impact on the financial statements,” Williams said.
She stressed that this proposed requirement does not mean that auditors must know every single rule and regulation. The proposal states: “These laws and regulations would necessarily be relevant to the company or its operations but would not represent every law or regulation to which the company is subject.”
Today, existing audit standards require auditors to have the technical expertise and proficiency to conduct an audit, and this includes an understanding of the company’s regulatory environment. And the companies know what laws and regulations they must follow, and which ones pose the greatest risks. Thus, a NOCLAR which could reasonably affect materially a company’s financial statements is readily available to the auditor.
After identifying a potential NOCLAR, the proposal would require auditors to evaluate it with enhanced procedures. For example, the proposed rule requires the auditor to consider whether a specialist is needed to help the auditor to do evaluate the potential NOCLAR.
Williams explained that the AICPA standard only requires the auditor to consult with legal counsel or other specialists if management does not give satisfactory information that there no illegal act took place.
“The proposal includes the requirement for the auditor to consider whether specialized skill or knowledge is needed because legal counsel or other specialists can provide valuable assistance to the auditor’s evaluation,” she said. “Requiring auditors to contemplate whether use of experts is needed is a common practice across PCAOB standards, including when performing risk assessments, planning or performing audit procedures, and when evaluating audit results. So, this proposal is not requiring anything out of the ordinary for auditors.”
The final proposed provision is about enhanced communication.
“Problems can’t be fixed unless they are known,” Williams said.
Today, the standard only requires the auditor to communicate illegal acts to the audit committee when it comes to the auditor’s attention as practicable and before issuing the auditor’s report.
The proposal would require the auditor to communicate to the audit committee in two instances. First, auditors must communicate when they become aware of information that indicates a NOCLAR. Then, they must again communicate after they have evaluated such information.
“This would provide greater interaction between the auditor and management and the audit committee, with the goal of encouraging companies to take quick action to come into compliance and reduce investor harm caused by legal and regulatory penalties,” she said.
Board member Kara Stein further explained that the proposal eliminates a somewhat arbitrary categorization of illegal acts into direct and indirect matters.
“Both auditors and investors agree that the current judgmental splitting of laws into categories of so-called ‘direct’ and ‘indirect’ effects on the financial statements is a source of confusion,” Stein said. “The primary purpose of this categorization was to bifurcate the auditor’s duty to identify and assess illegal acts, particularly rejecting any responsibility for the detection of so-called ‘indirect’ effect laws.”
She said that research has indicated that laws considered to have indirect effects on financial statements—such as evasion of anti-money laundering rules, false and misleading disclosures and environmental contamination, among others—can lead to substantial fines.
“And that may be part of the problem. The parsing of laws and regulations may have caused a lack of emphasis, or diminution of attention, to certain laws and regulations,” Stein said. “The current proposal simplifies the auditor’s work by removing this distinction: the auditor must do sufficient work to be reasonably assured against material errors of either commission or omission.”
To a staunch investor advocate, the proposal was rather lackluster, however. Instead of making significant changes, it makes some incremental improvements by providing some clarity around the current standards, but needed changes were not made.
For example, one of the most important things that the PCAOB could have done is to require auditors to communicate NOCLARs to investors. But the proposal, as with the existing standard, the communication is only with audit committees.
“This standard in this proposal will have minimal impact as it does not require auditors to inform investors when they suspect an illegal act has occurred,” said former SEC chief accountant Lynn Turner, who serves on the PCAOB’s advisory groups.
In certain cases, auditors could resign and avoid reporting to investors. But this would allow auditors to avoid accountability. But a critical aspect of such a standard is holding auditors accountable to promote investor confidence that they are playing a key gatekeeper role in the capital markets.
In the meantime, board members Duane DesParte and Christina Ho said the costs could outweigh the benefits.
“I am unable to support today’s proposal as I believe it unreasonably and at great cost expands the scope of the audit to incorporate extensive new compliance attestation procedures and will require legal acumen and expertise well beyond the auditor’s core competency,” said DesParte whose term ends in October. ,” said DesParte whose term ends in October.
He pointed to the staff’s economic analysis that highlights the significant harm that fraud and other non compliance has inflicted on companies, investors, employees and other others across society.
“The analysis also concludes …[that it] is likely to significantly increase audit effort and costs across virtually all firms and audits, and thus on preparers and investors,” he said. “What is less clear is whether certain of the increased requirements are appropriate for the auditor in the context of the auditor’s expertise and the objectives of a financial statement audit”
Similarly, Ho said the proposal contains “a breathtaking expansion of the auditors’ responsibilities, which I believe will hurt investors.”
“This expansion could cause considerable confusion on the appropriate role of auditors, undermine the time-tested accountability framework, and reduce the resilience of the already highly concentrated audit marketplace,” she said. “Ultimately, this could undermine trust in our capital markets, to the detriment of investors.”