On June 6, 2023, the Public Company Accounting Oversight Board (PCAOB), the nonprofit corporation established by Congress to oversee the audit of public companies, proposed new auditing standards designed to further its “investor-protection mandate.”[1]These standards, if adopted, would heighten requirements for auditors to identify, evaluate, and communicate regarding a company’s possible or actual noncompliance with laws and regulations, as described in more detail below.

This post examines the implications of the proposed standards for ESG and sustainability-related reporting, and how companies can act now to address the potential ESG-related impacts.

In proposing the standards, PCAOB Chair Erica Y. Williams cited a recent $1 billion class-action settlement for misleading corporate compliance statements. She noted the “devastating consequences” of corporate noncompliance, specifically the “sanctions, fines and civil settlements [that] directly affect a company’s bottom line” as well as the “reputational damage” that “causes a company’s stock value to decline.”[2] Williams stated that current auditing standards for illegal acts fail to meet investor expectations and do not include audit procedures specifically designed to detect all illegal acts that could materially affect a company’s financial statements. Williams maintained that the proposed standards are designed to remedy that. The proposed standards were released despite the unprecedented dissent from two PCAOB board members, Duane DesParte and Christina Ho.

So far, the nexus between the proposed standards and ESG may not be immediately apparent. However, ESG and sustainability-related regulation is poised to take off globally with, for example, the implementation of the EU Corporate Sustainability Reporting Directive starting in January 2024, the continued legislative progress of the proposed Corporate Sustainability Due Diligence Directive and other sustainability-related regulations in the EU, the issuance of disclosure-related standards from the International Sustainability Standards Board (ISSB) earlier this year, and other ESG developments in Asia, the UK, and elsewhere. The PCAOB’s proposed standards, if adopted, could therefore potentially pull a broad range of ESG and sustainability matters into audit processes, procedures, and expenses.

The Existing Rules

The existing rules implicated by the proposed standards include Auditing Standard (AS) 2405, Illegal Acts by Clients, and AS 2110, Identifying and Assessing Risks of Material Misstatement.[3]

AS 2405

• Outlines the nature and extent of the consideration an independent auditor should give to the possibility of illegal acts by a client in an audit of financial statements and auditor responsibilities when a possible illegal act is detected.[4]
• Distinguishes between laws and regulations that have a “direct and material” effect on the determination of financial statements, and laws or regulations that have an “indirect” effect and relate more to an entity’s operations rather than to its financial and accounting aspects.[5]
• Affirms the responsibility of auditors to actively detect and report misstatements resulting from illegal acts that have a direct and material effect on financial statements, and acknowledges that auditors “ordinarily do[] not have [a] sufficient basis for recognizing possible violations” of laws and regulations related to operations that have an indirect effect on financial statements.[6] Maintains that an auditor should be aware of the potential for indirect effects, but must actively identify direct effects.

AS 2110

• Requires the auditor to obtain an understanding of (i) relevant industry factors, including the company’s competitive environment and technological developments; (ii) the regulatory environment, including applicable financial reporting framework and legal/political environments; and (iii) external factors, including generic economic conditions.[7]
• Requires the auditor to ask management and the audit committee whether they received or are aware of tips or complaints regarding the company’s financial reporting and the company’s response to any such tips or complaints.[8]

The Proposal

The proposed standards seek to replace AS 2405 and retitle the standard A Company’s Noncompliance with Laws and Regulations. Specifically, the standards would:

• Replace “illegal acts” with “noncompliance with laws and regulations.”
• Abandon the distinction between direct and indirect effects on financial statements and establish an obligation for the auditor to plan and perform procedures to identify all laws and regulations if noncompliance “could reasonably” have a material effect on financial statements.[9]
• Require the incorporation of potential noncompliance with those laws and regulations in the auditor’s risk assessment.
• Require identification of whether noncompliance may have occurred through additional procedures and testing.

The proposed standards would also amend AS 2110 and related auditing and professional practice standards. Specifically, the standards would:

• Require, more expressly, that auditors assess the risks of material misstatement arising from a company’s noncompliance with laws and regulations.
• Require the performance of enhanced risk assessment procedures, such as obtaining an understanding of a company’s environment, including its regulatory requirements, and management’s processes related to:
• identifying laws and regulations with which noncompliance could reasonably have a material effect on financial statements;
• preventing, identifying, investigating, evaluating, communicating, and remediating instances of noncompliance;
• receiving and responding to tips and complaints from internal and external parties regarding noncompliance;
• evaluating potential accounting and disclosure implications of noncompliance; and
• making specific inquiries of management, the audit committee, and others regarding noncompliance.[10]

ESG Implications

The proposing release frequently identifies environmental laws, regulations, and potential violations as those that can have a lasting, albeit, indirect effect on a company’s financial statements and the importance of ensuring that auditors contemplate such violations in assessing material misstatements. Specifically, the proposal:

• Identifies, numerous times, environmental laws, regulations, and violations and the “significant reputational loss” that can result from publicity regarding such violations.[11]
• Explicitly recognizes the indirect effects of unrecorded environmental remediation liabilities and occupational health and safety violations with regard to corporate risks and misstatements.[12]
• Contemplates climate-related legislation, asserting that in assessing the business risk of new operations and its effect on material misstatements, the auditor’s “consideration would include the potential for contingencies or reserves associated with strict climate regulations.”[13]

The proposing release also mentions a company’s sustainability reporting and the potential implications on its financial statements. In particular, the proposal mentions whether sustainability reporting and climate-related pledges run counter to the types of business operations described in a company’s financial statements and the risk of material misstatement that can result. The proposed standards are therefore designed to ensure that, when appropriate, “[t]he auditor would also consider any contradictory audit evidence that the sustainability report and annual report might be presenting with respect to information supporting amounts in the financial statements.”[14]

The Reaction

The comment period closed on August 7, 2023, with more than 120 submissions from stakeholders. Compliance officers were among the many stakeholders that provided comments. Although not always explicitly in favor of the proposed standards, most compliance officers took the opportunity to reiterate the importance of consultations with corporate compliance officers as part of the auditing process. Others in the auditing community appeared to consistently reject the proposal, noting the broad reach of the standards and the PCAOB’s previous statements that auditors lack the requisite expertise to determine potential legal violations. Commenters were also concerned about whether the PCAOB has the requisite authority to expand auditor responsibilities. Finally, many stakeholders argued that the costs of implementing such standards would far exceed their value to investors.

Next Steps

With the comment period closed, it’s unclear when and if the PCAOB will attempt to finalize these proposed standards. For now, companies should work with their counsel and compliance officers to assess the potential implications of the proposed standards on their financial statements, audit processes and operations. Understanding the scope of an organization’s regulatory exposure, both as it exists today and as it is likely to exist in the not-too-distant future, is a critical first step in assessing the potential impact of the proposed standards.

Companies should also consider reviewing the internal reporting structures and controls around their legal compliance. These structures and controls will likely face increased pressure as the regulatory burden grows. Lastly, companies should remember that their “voluntary” ESG and sustainability-related reporting is rapidly moving into the scope of regulatory compliance and legal liability. Understanding how disclosures initially made voluntarily may implicate regulatory and auditing requirements in the future can give an organization a running start.

ENDNOTES

[1] https://pcaobus.org/news-events/speeches/speech-detail/statement-on-proposed-new-standard-regarding-noncompliance-with-laws-and-regulations.

[2] Id.

[3] https://assets.pcaobus.org/pcaob-dev/docs/default-source/rulemaking/docket-051/pcaob-release-no.-2023-003—noclar.pdf?sfvrsn=fe43e8a_4.

[4] See AS 2405.01.

[5] See AS 2405.05-06.

[6] See AS 2405.06.

[7] See AS 2110.09.

[8] See AS 2110.56.

[9] See PCAOB Release No. 2023-003 at 6-7 and 9-11.

[10] See PCAOB Release No. 2023-003 at 21-22.

[11] See PCAOB Release No. 2023-003 at 4, 10 and 36.

[12] See PCAOB Release No. 2023-003 at 90.

[13] See PCAOB Release No. 2023-003 at 37-38.

[14] See PCAOB Release No. 2023-003 at 37-38.

This post comes to us from Latham & Watkins. It is based on the firm’s memorandum, “The Proposed ESG Auditing Rule You Know Nothing About,” dated September 5, 2023, and available here.