Columbia Law School
Sky Blog
On June 6, 2023, the U.S. Public Company Accounting Oversight Board (the “PCAOB”) proposed amendments to its auditing standards that would increase auditor obligations in identifying, evaluating and communicating with respect to noncompliance with laws and regulations (“NOCLAR”).[1] If adopted as proposed, the amendments would significantly expand the auditors’ responsibility for identifying and evaluating legal matters, likely increasing audit costs and significantly changing the relationship between audit committees and company auditors.
BACKGROUND AND BOARD MEMBERS’ VIEWS
The PCAOB voted to issue the proposal in an unusual 3-2 split. Chair Erica Y. Williams and Board Members Kara M. Stein and Anthony C. Thompson voted in favor of the proposal. Their statements indicated that they supported the proposal because they believe the proposal, if adopted, would better protect investors and be more consistent with current investor expectations about audit scope. These Board Members also cited to recent corporate scandals that resulted in significant fines, reputational damage and a loss of equity value as evidence of the financial impacts of the indirect effects of NOCLAR.[2]
Board Members Duane M. DesParte and Christina Ho, the two certified public accountants on the PCAOB, dissented from the proposal. Their statements included serious concerns about how the proposal would affect audit scope and costs. Board Member DesParte stated that that the proposal “unreasonably and at great cost expands the scope of the audit” and that “the scope of the expanded auditor’s procedures cannot be underestimated”.[3] Board Member Ho expressed similar concerns, stating that the proposed standards “contain a breathtaking expansion of the auditors’ responsibilities” and that the expanded audit responsibilities outlined in the proposal could ultimately “undermine trust in our capital markets”.[4]
The proposed amendments to the current standards are consistent with statements by Chair Erica Y. Williams that the PCAOB is focused on updating standards adopted upon creation of the PCAOB and which have not been updated since adoption.[5]
NOCLAR PROPOSAL
The proposed amendments would significantly expand an auditor’s responsibility for identifying, assessing and communicating with respect to a company’s noncompliance, or potential noncompliance, with laws and regulations in the course of an audit. Among other things, the proposed amendments would replace existing AS 2405, Illegal Acts by Clients (“Current AS 2405”), with a new AS 2405, A Company’s Noncompliance with Laws and Regulations (“Proposed AS 2405”). Current AS 2405 largely mirrors the requirements in Section 10A of the Securities Exchange Act of 1934 (“Exchange Act”) which requires auditors to perform “procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct and material effect on the determination of financial statement amounts”.[6]
Proposed AS 2405 would significantly expand requirements for existing audit procedures by requiring auditors to take a number of proactive steps to identify and consider noncompliance with laws and regulations which could reasonably have a material effect on the financial statements. In practice, this could be nearly the entire universe of laws and regulations to which a company is subject. Additionally, auditors would be required to consider indirect, as well as direct, effects on the financial statements of any potential noncompliance in their evaluation of applicable laws and regulations.[7]
Once auditors have identified the universe of applicable laws and regulations with which noncompliance could reasonably have a material effect on the financial statements, auditors will need to perform a number of enhanced procedures to assess and respond to risks of material misstatement due to noncompliance, and identify whether there is information indicating noncompliance has or may have occurred, which will likely require auditors to make legal determinations traditionally outside the scope of their responsibilities and core competencies.[8] Auditors will also be required to take a number of additional steps to understand and assess a company’s compliance infrastructure. More specifically, the proposed amendments to AS 2110, Identifying and Assessing Risks of Material Misstatement, include new prescriptive requirements around reviewing and understanding management’s processes with respect to assessment and management of NOCLAR risks. Among other things, proposed AS 2110 would require the auditor to understand management’s process for preventing, identifying, investigating, evaluating, communicating and remediating instances or alleged instances of fraud or other noncompliance, as well as management’s process for evaluating potential accounting and disclosure implications for NOCLAR. In discussing the proposed amendments to AS 2110, the PCAOB noted that developing an understanding of management’s processes could include obtaining compliance-related reports from specialists or relevant regulators, as well as understanding how the company used those reports in its processes.
If in the course of these enhanced policies and procedures, the auditor becomes “aware of information indicating that noncompliance with laws and regulations (whether or not perceived to have a material effect on the financial statements)” has or may have occurred, the auditor must communicate that information to management and the audit committee (and in certain cases the entire board) as soon as practicable. Notably, the auditors need to communicate information regarding potential noncompliance to the audit committee before the auditors have evaluated the information, which will likely result in a significant increase in the information audit committees receive and process in the course of their duties.[9] If the auditor identifies likely noncompliance that has a material effect on the financial statements, Proposed AS 2405 would also require auditors to assess whether senior management has taken timely and appropriate remedial action with respect to any identified NOCLAR.[10]
We expect the proposed amendments to auditing standards regarding NOCLAR to be significant and to have a tremendous impact on public company audits if adopted as proposed. For example, if adopted as proposed, Proposed AS 2405 will likely require significant investments by audit firms in legal capabilities to analyze and evaluate legal matters, the costs of which are likely to ultimately be borne by public companies. Additionally, management and audit committees will need to expend time and resources to develop appropriate infrastructure to accept NOCLAR reports from auditors and to respond in appropriate ways.[11]
The PCAOB specifically sought public comment on the effective date of the proposed amendments if adopted by the PCAOB and approved by the SEC. The PCAOB noted it is currently considering whether compliance with any adopted amendments should be required for audits of fiscal years beginning in the year after approval by the SEC (or for audits of fiscal years beginning two years after the year of SEC approval, if SEC approval occurs in the fourth quarter of a calendar year).
UPDATED AUDIT COMMITTEE RESOURCE
On June 21, 2023, the PCAOB staff released the 2023 Audit Committee Resource (“2023 ACR”), the latest in a series of publications intended to help audit committees understand the PCAOB’s activities and observations.[12] The 2023 ACR provides questions for audit committee members to consider amongst themselves or in discussions with their independent auditors, taking into account the current economic and geopolitical landscape. Notably, this year’s document included the following question, not included in prior years, further highlighting the PCAOB’s interest in NOCLAR.
- Did the auditor’s inquiries of management include whether possible illegal acts, such as potential noncompliance with sanctions and other laws or regulations, have occurred? If any acts were identified, what was the impact on the audit?
We recommend audit committees (and their advisors) familiarize themselves with the 2023 ACR because it is a good indicator of current PCAOB staff priorities and areas of potential exam focus. The entire suite of the PCAOB’s audit committee resources can be found online at Resources for Audit Committees | PCAOB (pcaobus.org).
RECOMMENDATIONS
The proposed amendments to auditing standards regarding NOCLAR, if adopted as proposed, will significantly expand audit scopes and costs, and will require companies to establish enhanced procedures and controls around legal and regulatory compliance issues. We recommend companies closely follow the proposed amendments and related developments and work now to:
- evaluate and consider enhancing existing internal processes and procedures that they use to identify and monitor applicable laws and regulations and compliance thereunder;
- consider how the audit committee will evaluate information the auditors may provide to it regarding the new NOCLAR or potential NOCLAR, particularly if the company also has a risk or compliance committee to which certain similar responsibilities have previously been delegated; and
- determine how company personnel, particularly in-house counsel, will respond to auditor requests for information about NOCLAR or potential NOCLAR, particularly to the extent any such requests pertain to information that is covered by attorney-client privilege.
Additionally, given the PCAOB’s apparent focus on NOCLAR and related issues, companies’ management and audit committees should expect their auditors to be significantly more rigorous around NOCLAR matters, even under the current standard AS 2405.
The deadline for public comment on the proposal is August 7, 2023, so a couple of weeks remain for companies, investors and other interested market participants to submit comments with feedback on the proposal.
ENDNOTES
[1] Proposing Release: Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations And Other Related Amendments, PCAOB Release No. 2023-003 (June 6, 2023) (“Proposing Release”), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket-051/pcaob-release-no.-2023-003—noclar.pdf?sfvrsn=fe43e8a_2.
[2] Erica Y. Williams, Chair, Statement on Proposed New Standard Regarding Noncompliance With Laws and Regulations, available at https://pcaobus.org/news-events/speeches/speech-detail/statement-on-proposed-new-standard-regarding-noncompliance-with-laws-and-regulations; Kara M. Stein, Board Member, A Return to Roots: The Auditor’s Role in Uncovering and Reporting Illegal Acts, available at https://pcaobus.org/news-events/speeches/speech-detail/a-return-to-roots-the-auditor-s-role-in-uncovering-and-reporting-illegal-acts; Anthony C. Thompson, Board Member, Statement on Proposed Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations, available at https://pcaobus.org/news-events/speeches/speech-detail/statement-on-proposed-amendments-to-pcaob-auditing-standards-related-to-a-company-s-noncompliance-with-laws-and-regulations-thompson.
[3] Duane M. DesParte, Board Member, Statement on Proposal to Amend PCAOB Auditing Standards Related to a Company’s Noncompliance with Laws and Regulations and Other Related Amendments, available at https://pcaobus.org/news-events/speeches/speech-detail/statement-on-proposal-to-amend-pcaob-auditing-standards-related-to-a-company-s-noncompliance-with-laws-and-regulations-and-other-related-amendments.
[4] Christina Ho, Board Member, Statement on Proposed Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations (June 6, 2023), available at https://pcaobus.org/news-events/speeches/speech-detail/statement-on-proposed-amendments-to-pcaob-auditing-standards-related-to-a-company-s-noncompliance-with-laws-and-regulations.
[5] E.g., Erica Y. Williams, Chair, Getting It Right: Quality Control and Modernizing PCAOB Standards Effectively, available at https://pcaobus.org/news-events/speeches/speech-detail/getting-it-right-quality-control-and-modernizing-pcaob-standards-effectively (“Twenty years later, far too many … interim standards remain unchanged … To keep investors protected, our standards must keep up.”).
[6] 15 U.S.C. § 78j-1(a)(1).
[7] The indirect effects of NOCLAR referenced in the proposal that auditors will have to consider in their analyses include potential monetary sanctions, possible reputational harm, the possibility for an increased cost of capital and any potential restrictions upon business operations imposed as a result of any identified noncompliance.
[8] The Proposing Release acknowledges that auditors may need to retain attorneys or other legal experts from different disciplines to help with the relevant assessments they will be required to make under the proposed auditing standards, recognizing that “[t]hese specialists could be costly to retain”. Proposing Release at 79.
[9] Auditors would not be required to communicate matters that are “clearly inconsequential”.
[10] If the auditor determines timely and appropriate remedial action has not occurred and the failure to take such action is reasonably expected to warrant departure from an unqualified opinion or to warrant resignation from the audit engagement, the auditor would be required to promptly report its conclusion to the board of directors.
[11] This is particularly important in light of the monitoring and oversight duties directors have under Caremark and the potential for audit committees to become aware of a significant number of additional potential “red flags” if NOCLAR is adopted. See In re Caremark International Inc. Derivative Litigation, 698 A.2d 959, 971 (Del. Ch. 1996).
[12] PCAOB, Spotlight: Audit Committee Resource (June 2023), available at https://assets.pcaobus.org/pcaob-dev/docs/default-source/documents/2023-audit-committee-resource-spotlight.pdf?sfvrsn=ac07ea4c_2.
This post comes to us from Cravath, Swaine & Moore LLP. It is based on the firm’s memorandum, “PCAOB Proposes Significant Amendments to Auditing Standards to Strengthen Auditor Requirements Related to Noncompliance with Laws and Regulations,” dated July 2023.