PCAOB Closes Comment Period on Proposal to Expand Auditor Responsibility for Considering Noncompliance With Laws and Regulations

The Public Company Accounting Oversight Board (PCAOB or the Board) has closed the comment period for its proposal to amend the professional auditing standards that govern the auditor’s consideration of a company’s noncompliance with laws and regulations (the Proposal). Most of the over 130 comment letters — submitted by certified public accountant (CPA) societies, public accounting firms, lawmakers, industry groups, and nonprofit organizations — either echo or expand on the concerns raised in the dissenting remarks of the two Board members who voted against the Proposal. These concerns include, among others, the following:

• By expanding the scope of an independent financial statement audit to include any noncompliance with laws and regulations by a company, including noncompliance that does not have a direct impact on the company’s financial statements, the Proposal would require auditors to perform procedures far outside of their core area of competency.
• The Proposal’s significant expansion of the breadth and depth of procedures required by auditors and their specialists will impose substantial costs on public companies and investors that the Proposal has not attempted to quantify.
• The Proposal’s requirements disproportionately impact smaller companies and audit firms and reduce competition in the public company accounting industry.
• The Proposal effectively requires companies to provide their independent auditors with materials protected by the attorney-client privilege or attorney work product doctrine, exposing companies to significant litigation discovery risks.
• The Proposal significantly increases the scope and frequency of communication between independent auditors and audit committees to include matters that are immaterial to the financial statements and outside of the expertise of many audit committees.

In the coming months, the Board may choose to adopt a final rule to be filed with the Securities and Exchange Commission (SEC), issue a revised proposal, or withdraw the Proposal.

Background

On June 6, 2023, the PCAOB proposed amendments to its auditing standards that would replace AS 2405, Illegal Acts by Clients, the current standard that governs the auditor’s consideration of a company’s noncompliance with laws and regulations. The Proposal also includes substantive amendments to several existing standards, including those that govern the auditor’s identification and assessment of the risk of material misstatement in the financial statements. In sum, the proposed amendments would require independent auditors of public companies to plan and perform procedures to

• identify laws and regulations with which noncompliance could reasonably have a material impact — whether direct or indirect — on the issuer’s financial statements
• assess and respond to risks of material misstatement due to noncompliance with the identified laws and regulations, including understanding management’s processes for preventing, identifying, investigating, evaluating, communicating, and remediating noncompliance
• evaluate information indicating whether noncompliance with laws and regulations has or may have occurred, as well as the possible effects of such noncompliance on the financial statements and implications on other aspects of the audit
• communicate with management and the audit committee when the auditor becomes aware of information indicating noncompliance with laws and regulations has or may have occurred

The Board approved the proposed rule with a 3-2 vote, with the only accountants on the Board issuing separate dissenting remarks. Similar to the points raised in the comment letters, the dissenting Board members expressed concerns that the Proposal, among other things, (i) understates the costs to both auditors and issuers of implementing the proposed rule, (ii) would expand the auditor’s responsibility to areas outside of the auditor’s competency, and (iii) would reduce competition by creating additional barriers to entry for midsize and smaller accounting firms.

If adopted, the proposed rule would significantly expand the auditor’s objectives and responsibilities when auditing the financial statements of public companies and increase the role of specialists (including outside legal counsel) in the performance of financial statement audits, thereby resulting in sizeable additional costs for public companies. The proposed rule also would require the individuals in management, compliance, and legal functions of public companies to provide information to independent auditors far beyond what has traditionally been required in a financial statement audit, including information that may only indirectly relate to the financial statements.

Overview of Current Standard

The current standard, AS 2405, Illegal Acts by Clients, largely mirrors Section 10A of the Securities Exchange Act of 1934 (Section 10A), which requires that auditors perform “procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct and material effect on the determination of financial statement amounts.”¹ If an auditor becomes aware of a possible illegal act, the auditor is required to “obtain an understanding of the nature of the act, the circumstances under which it occurred, and sufficient other information to evaluate the effect on the financial statements.”² The auditor also is required to consider the implications of the possible illegal act in relation to other aspects of the audit and “assure that the company’s audit committee is adequately informed [with respect to the possible illegal act] as soon as practicable and prior to the issuance of the auditor’s report ….”³

Other illegal acts outside of the scope of the current standard may have material but indirect effects on a company’s financial statements because they can result in recording or disclosure obligations when a company does not comply, including penalties, fines, and loss contingencies. Such acts include violations of occupational safety, health, environmental, cybersecurity, data privacy, and antitrust laws. While the current standard requires financial statement auditors to be aware of the possibility of such illegal acts (and respond if any such acts come to the auditor’s attention), it does not require auditors to perform specific procedures designed to provide any assurance of detecting such acts.⁴ The auditor’s limited responsibility in this regard reflects the recognition that illegal acts stemming from a company’s operations are further removed from financial reporting and unlikely to come to an auditor’s attention in the course of its audit procedures or be identified by the auditor as “illegal.”⁵ The current standard, in fact, expressly presumes auditors “do[] not have sufficient basis for recognizing possible violations of such laws and regulations.”⁶

Proposed Amendments

Identification of All Laws and Regulations With Which Noncompliance Could Reasonably Have a Material Effect — Direct or Indirect — on the Financial Statements

The proposed rule would impose additional obligations on auditors beyond what the Board describes in its proposal as the “baseline” requirements of Section 10A.⁷ Specifically, auditors would be required to perform procedures to identify any laws and regulations with which noncompliance “could reasonably have a material effect on the company’s financial statements.”⁸

Most notably, the proposed rule eliminates the distinction between noncompliance that has a “direct” versus “indirect” effect on the financial statements. The Board has expressed that the categorization of illegal acts in the current standard has been “a source of confusion to investors” and that under the proposed rule, it would expect auditors to “focus on all types of noncompliance, whether the violations concern financial or operational issues or involve intentional or unintentional conduct.”⁹ The Proposal acknowledges that this would “encompass a wide variety of conduct” that includes not only financial crimes such as embezzlement and asset misappropriation but also “other conduct that has financial consequences to the company, such as violations of employment, occupational safety and health, antitrust, or privacy laws and regulations.”¹⁰ Such financial consequences include fines, penalties, costs associated with remediation, or other contingent monetary effects. 

The proposed rule would permit auditors to use the results of management’s own efforts to identify relevant laws and regulations. However, the auditor’s inquiry would not be limited to those laws and regulations identified by management.¹¹ In addition, whereas the existing standard only requires the auditor to consult with the company’s legal counsel if management does not provide satisfactory information that there has been no illegal act,¹² the proposed rule expressly requires the auditor to consider whether specialized skill or knowledge is needed to assist in the auditor’s evaluation.

Assessing the Risk of Material Misstatement Due to Noncompliance With Laws and Regulations

The Board also has proposed amending AS 2110, Identifying and Assessing Risks of Material Misstatement, which establishes requirements for auditors regarding the process of identifying and assessing risks of material misstatement in a company’s financial statements. These proposed amendments would require auditors to perform procedures to assess a company’s risk of material misstatement of the financial statements due to noncompliance with those laws and regulations the auditor determines “could reasonably have a material effect on the financial statements” if not complied with. Among other things, auditors would be required to understand management’s processes for

• identifying relevant laws and regulations with which noncompliance could reasonably have a material effect on the financial statements
• preventing, identifying, investigating, evaluating, communicating, and remediating instances or alleged or suspected instances of fraud and other noncompliance
• receiving and responding to tips and complaints from internal and external parties regarding noncompliance
• evaluating potential accounting and disclosure implications as a result of noncompliance¹³

The Board’s proposal provides a hypothetical illustration of how it envisions this risk assessment process to play out in practice, using an example involving laws and regulations that have an indirect effect on the financial statements:

[A]s a result of performing procedures, the auditor of a chemical company may identify information about environmental regulations related to chemical waste disposal that create a risk of material misstatement because the effect of violations of the regulations could result in material fines, penalties, or the obligation to perform environmental remediation.

The auditor would be required to obtain an understanding of management’s processes related to preventing, identifying, investigating, evaluating, communicating, and remediating noncompliance with such laws and regulations. Management’s processes could involve the company’s specialists who tested whether the company’s chemical waste disposal complied with regulatory requirements. Obtaining an understanding of management’s processes could also involve obtaining reports from the company’s specialist or reports from relevant regulators about the company and understanding how the company used those reports in their processes. Performing such a procedure could inform the auditor about whether noncompliance with any relevant environmental regulations has or may have occurred.¹⁴

In addition, the proposed amendments to AS 2110 would make mandatory several procedures the current auditing standard describes as discretionary — that is, procedures the auditor “should consider performing.”¹⁵ These include, among others, specific requirements for obtaining an understanding of a company’s regulatory environment, obtaining an understanding of compensation arrangements with senior management other than executive officers, and reading public information (such as the company’s and its officers’ social media accounts and other public statements).¹⁶ The Board expressed that reading such information “may bring to the auditor’s attention statements … [that] may be contradictory to other information obtained by the auditor or within the financial statements.”¹⁷

Evaluating Potential Noncompliance With Laws and Regulations

For all laws and regulations that could reasonably have a material effect on the financial statements, the proposed rule would require auditors to plan and perform procedures to determine whether there is information indicating noncompliance “has or may have occurred (regardless of whether the effect of such noncompliance is perceived to be material to the financial statements).”¹⁸ If the auditor determines there is information indicating noncompliance “has or may have occurred,” it would be required to perform additional procedures to understand the nature and circumstances of any such noncompliance and determine whether it is “likely” that any such noncompliance occurred.¹⁹

The proposed rule provides a non-exhaustive list of procedures the auditor may perform to obtain such an understanding, including several that contemplate a significant increase in the exchange of information between auditors and individuals who serve in in-house legal and compliance functions. Among other things, the auditors would be required to consider

• obtaining an understanding of the nature and status of any relevant investigations internal or external to the company
• confirming significant information concerning the events or transactions with other parties, intermediaries, financial institution, and legal counsel, among others
• discussing the facts and circumstances with the company’s legal counsel or others with specialized skill or knowledge about the application of relevant laws or regulations to the circumstances and the possible effects on the financial statements²⁰

The Board has made clear its expectation that auditors may need to engage legal counsel as specialists to (i) assist in understanding certain laws and regulations, (ii) assess and respond to the risk of material misstatement due to noncompliance, (iii) evaluate whether it is likely that noncompliance occurred, and (iv) develop more rigorous inquiries of management.

The Proposal illustrates how the auditor’s risk assessment might inform subsequent internal control testing and substantive audit procedures using a hypothetical situation involving the Foreign Corrupt Practices Act (FCPA):

[I]f an auditor identified the FCPA as a law that could reasonably have a material effect on the financial statements because the company’s operations are in a jurisdiction where bribery may be more common, or the company or its competitors have a history of FCPA violations, the auditor in planning and performing procedures would understand management’s processes around FCPA compliance, test relevant controls that were put in place to maintain compliance with the FCPA, or perform cash disbursement testing designed to identify potential bribes. These would be in addition to inquiring of management and other employees about whether any FCPA violations, or alleged or suspected violations, have been identified. These types of procedures could be performed on a standalone basis or simultaneously with other planned procedures (i.e., internal control testing of cash disbursements in an integrated audit or detail testing of cost of goods sold or other expenses).²¹

Lastly, the proposed rule would introduce a new requirement that the auditor determine whether senior management has taken timely and appropriate remedial action to address any noncompliance.²²

Communicating Noncompliance With Laws and Regulations to the Audit Committee

The Proposed Rule would require more frequent communication between auditors and the audit committee.²³ This aspect of the Proposal contemplates a two-step process that expressly expands on the requirements set forth in Section 10A by requiring additional, earlier communication between the auditor and those charged with governance.

First, except where the matter is “clearly inconsequential,” the auditor would be required to make an initial communication to management and the audit committee upon becoming aware of information indicating that noncompliance with laws and regulations “has or may have” occurred.²⁴ The Proposal expressly contemplates such communication before the auditor completes its evaluation of whether noncompliance has in fact occurred or whether any noncompliance has a material effect on the financial statements.²⁵

Second, auditors would be required to make an additional communication after completing the evaluation of whether the noncompliance has or may have occurred or if the auditor is unable to complete its evaluation. Specifically, the auditor would be required to communicate to management and the audit committee which matters previously identified reflect noncompliance and whether they result in a material misstatement in the financial statements.²⁶ Auditors would not be required to communicate to the audit committee regarding matters deemed to be “clearly inconsequential.”²⁷

In addition, consistent with Section 10A(b)(2) of the Exchange Act, the proposed rule would require auditors to make additional communications directly to the company’s board of directors if the auditor concludes that (1) the likely noncompliance has a material effect on the financial statements; (2) senior management has not taken, and the board of directors has not caused senior management to take, timely and appropriate remedial action with respect to the likely noncompliance, and (3) the failure to take remedial action is reasonably expected to cause the auditor to not issue an unqualified opinion or to resign from the audit.²⁸

Dissenting Remarks and Comment Letters

Board members Duane M. DesParte and Christina Ho — the only members who are accountants — voted against the proposed rule and issued separate dissenting remarks raising concerns regarding the scope, cost, practicability, and competitive impact of the proposed rule.²⁹

Board member DesParte remarked that while “many of [the Board’s] proposed enhancements are positive,” he could not support the proposal because it “unreasonably and at great cost expands the scope of the audit to incorporate extensive new compliance attestation procedures and will require legal acumen and expertise well beyond the auditor’s core competency.”³⁰ Among other things, Board member DesParte expressed concerns that the proposed rule’s “filtering threshold” — any laws or regulations that “could reasonably” have a material effect on the financial statements — is not adequately explained in the proposal or elsewhere in the PCAOB standards.³¹

Board member DesParte also voiced broader concerns regarding the implications of the current Board’s standard-setting agenda on the role of independent auditors:

I am increasingly concerned we are establishing new auditor obligations and incrementally imposing new auditor responsibilities in ways that will significantly expand the scope and cost of audits, and fundamentally alter the role of auditors without a full and transparent vetting of the implications, including a comprehensive understanding of the overall cost-benefit ramifications. I also wonder whether we are further contributing to the expectations gap by imposing responsibilities on auditors not aligned with their core competencies or the fundamental purpose of a financial statement audit.³²

Board member Ho also voiced concerns regarding key elements of the proposed rule, which she stated would mark a “breathtaking expansion of the auditor’s responsibilities.” Specifically, Board member Ho expressed that the Proposal (i) was not “fully transparent about the significant additional responsibilities it would impose on all public company auditors by eliminating the distinction between noncompliance that has a direct versus indirect effect” on the financial statements; (ii) “introduces ambiguities regarding auditor obligations to investors, by transforming the auditor’s role from one providing reasonable assurance to one of performing management functions”; and (iii) takes a “one-size-fits-all approach” that will create additional barriers for entry for midsize and smaller audit firms.³³

Numerous interested parties have submitted comment letters, many of which echo the concerns raised by the dissenting Board members. In addition, the comment letters noted that the proposed rule’s terminology concerning the probability of noncompliance — including “could reasonably,” “may,” “might,” and “likely” — lacks clarity and introduces confusion because it does not align with the operative terms applicable under Generally Accepted Accounting Principles (GAAP) that govern the recognition and disclosure of loss contingencies (“probable,” “reasonably possible,” “remote,” and “estimable”).³⁴ Commenters also expressed concern that the proposed rule would weaken attorney-client privilege protections by requiring companies to provide their auditors with privileged information, ultimately exposing issuers to significant litigation and discovery risks.³⁵ This includes the risk that companies will be deemed to have waived applicable privileges by disclosing otherwise privileged communications with their independent auditors.

In addition to raising concerns regarding the proposed rule’s substantive requirements, several interested parties expressed concern that the Board had not provided sufficient time for comment and urged the Board to engage in further dialogue with key stakeholders (including public companies, auditors, and outside counsel) before moving forward.³⁶

Practical Implications for Public Companies

If adopted in its current form, the proposed rule would have the following significant implications for public companies.

• Expanded Use of Nonauditor Third-Party Specialists in Financial Statement Audits. The proposed rule will significantly expand the use of lawyers and other subject matter experts as specialists in financial statement audits, which will increase the cost of an audit.

As Board member (and former auditor) Ho expressed in her dissenting remarks, for the auditor “[t]o identify the laws and regulations with which noncompliance could reasonably have a material effect on financial statements, an auditor must first identify all the laws and regulations applicable to the public company.”³⁷ Board member DesParte predicts that to accomplish this, “[l]awyers will be required across the wide array of disciplines and specializations to assist the auditor in identifying the population of relevant laws and regulations, assess the ‘could reasonably’ scoping filter, design and perform compliance attestation procedures to identify information that may indicate potential noncompliance, and evaluate whether such noncompliance has or has likely not occurred.”³⁸ The burden of complying with the proposed rule in this regard would be significantly greater in audits of public companies that are subject to laws in multiple jurisdictions, including, for example, companies with significant operations or subsidiaries abroad.³⁹

• Increased Role and Burdens of In-House Legal and Compliance Departments and Privilege Implications. The amendments will require in in-house legal and compliance personnel to play a substantially greater role in financial statement audits. This includes providing auditors with information — in the form of both responses to inquiries and documentation — regarding the company’s assessment of applicable laws and regulations and management’s process for “preventing, identifying, investigation, evaluating, communicating, and remediating instances of noncompliance ….” While the Proposal itself states that such “procedures are not tantamount to a compliance audit in their scoping and objectives,”⁴⁰ Board member DesParte has expressed concern that the proposed rule would require auditors to effectively “embed compliance attestation procedures” into financial statement audits.⁴¹

  Such requirements would impose additional burdens on companies’ legal or compliance functions and have significant implications for a company’s ability to subsequently protect from broader disclosure information and analyses that typically are protected by the attorney-client privilege.⁴²

• Increased Communication Between Auditors and Audit Committees. The proposed rule will substantially increase the scope and frequency of communication between auditors and the audit committee — requiring audit committees to engage with and respond to legal information pertaining to the company’s operations, including as to matters having no direct financial impact. This is because the proposed rule (i) encompasses noncompliance that does not have a direct impact on the financial statements and (ii) requires any potential noncompliance that is not “clearly inconsequential,” regardless of perceived materiality, to be communicated to the audit committee before the auditor performs its evaluation of whether noncompliance “has” or “has likely” occurred.
• Additional Costs. As the Board has acknowledged, the proposed rule and accompanying amendments would result in “additional, potentially substantial costs” for auditors and ultimately their public company clients.⁴³

Auditors will incur significant firmwide costs to implement the proposed amendments, update firm procedures, and develop and manage knowledge and training regarding its implementation. The Board also foresees audit firms incurring “engagement-level variable costs related to implementing the proposed amendments” that “could be substantial.”⁴⁴ While the proposal does attempt to quantify the estimated increase in audit fees, commentators have predicted the increase might be “a multiple of current audit fees.”⁴⁵

Companies also would face additional costs in the form of increased audit fees, which includes the costs associated with the work of specialists. Companies also will incur indirect costs in the form of additional burdens on its personnel, including costs associated with responding to auditors’ requests for information and supporting documentation, as well as the cost of enhancing processes and controls related to noncompliance with laws and regulations.

*          *          *

Sidley will continue to monitor developments related to this Proposal. However, we do not know whether the proposed rule will be adopted and, if so, whether the Board will modify it in any respect to address the dissenting Board members’ concerns and the concerns raised in various comment letters. While the PCAOB may modify the proposed rule to address some of the concerns described above, it appears likely the Board will expand the auditor’s responsibilities with respect to noncompliance with laws and regulations in some way. The proposed rule has support from a majority of the Board in its current form, and, notwithstanding their concerns, both dissenting Board members have expressed support for certain aspects of the Proposal.