PCAOB Proposes Massive Expansion of the Auditor's Role

Nicole Edmonds, Jason Langford, David Meyers, Regina Tisdale
Troutman Pepper
Contact
LinkedIn
Facebook
X
Send
Embed

Troutman Pepper

On June 3, the Public Company Accounting Oversight Board (PCAOB) proposed sweeping new auditing standards ( PCAOB Release No. 2023-003) that would require auditors to consider a company's noncompliance with laws and regulations in the performance of an audit. Approved by a 3-2 vote, with both Certified Public Accountant (CPA) members of the PCAOB withholding their support, the new Noncompliance with Laws and Regulations proposal (the NOCLAR proposal) would significantly revise and amend several current auditing standards (AS) to identify laws and regulations with which noncompliance could reasonably have a material effect on the financial statements, as part of a company audit. The NOCLAR proposal would further require auditors to obtain an understanding of the nature of a company's operations, including the legal and regulatory environment and management's processes related to, among other things, identifying laws and regulations with which noncompliance could reasonably have a material effect on the financial statements.

The NOCLAR Proposal

The NOCLAR proposal would expand the auditor's role in three principal areas. First, the NOCLAR proposal would establish specific requirements for auditors to identify, through inquiry and other procedures, laws, and regulations applicable to a company with which noncompliance could have a material effect on the financial statements in the event of noncompliance. Second, the NOCLAR proposal would strengthen requirements related to the auditor's evaluation, assessment, and response regarding the risk of material misstatements arising from noncompliance and the financial statement effects. Third, the NOCLAR proposal would require the auditor to identify information indicating where noncompliance may have occurred. Finally, the NOCLAR proposal would require the auditor to communicate with company management and audit committees as soon as they become aware that noncompliance may have occurred, and to communicate the results of the information stemming from the auditor's evaluation.

PCAOB stated in the NOCLAR proposal that it believes that auditors should focus on those laws and regulations with which noncompliance could reasonably result in a material effect on a company's financial statements, and that this focus should include laws and regulations that have both a direct and an indirect effect on financial statements. The NOCLAR proposal notes that auditors have a fundamental obligation to protect investors through the preparation and issuance of informative, accurate, and independent auditor reports, and this includes a responsibility to identify and evaluate whether noncompliance with laws and regulations, including fraud, has or may have occurred.

In order to meet this goal, the NOCLAR proposal would replace existing Auditing Standard 2405, Illegal Acts by Clients (current AS 2405), which has long been criticized by investor advocates as providing inadequate investor protection. Current AS 2405 requires that audits include procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct and material effect on the financial statements. Notably, current AS 2405 distinguishes illegal acts with a direct or an indirect effect on the financial statements. For illegal acts that have an indirect effect on the financial statements, current AS 2405 requires the auditor to be aware of the possible occurrence of illegal acts, and when evidence of illegal acts comes to the auditor's attention that could have a material indirect effect on the financial statements, to apply audit procedures that may ascertain whether an illegal act did in fact occur. However, current AS 2405.07 explicitly states that the standard can provide no assurance that indirect illegal acts will be detected or that any contingent liabilities that may result will be disclosed.

In the NOCLAR proposal, PCAOB criticized current AS 2405 as being overly limiting of the auditor's role. PCAOB believes that laws and regulations with indirect effects on the financial statements, such as anti-money laundering or environmental laws, can nevertheless have substantial indirect effects on an individual company's financial statements, such as through fines, penalties, or reputational harm. The NOCLAR proposal therefore "does not carry forward" the distinction between laws and regulation with which noncompliance has a direct or indirect effect.

As such, the NOCLAR proposal would replace current AS 2405 in its entirety and expand the scope of the auditor's responsibilities by requiring auditors to focus on those laws and regulations with which noncompliance could reasonably result in a material effect on the financial statements by removing the distinction between direct and indirect material effect. The NOCLAR proposal would also require auditors to develop an understanding of management's processes regarding regulatory and legal compliance by identifying those laws and regulations applicable to the company with which noncompliance could reasonably have a material effect on the financial statements.

The NOCLAR proposal would also make several amendments to current Auditing Standard 2110 (current AS 2110) designed to complement and support the newly proposed AS 2405. Among these proposed revisions, proposed Auditing Standard 2110 (proposed AS 2110) more particularly describes the universe of information which auditors are required to evaluate to understand the nature of the company. Rather than stating that the auditor should consider reading publicly available information about the company relevant to audit, proposed AS 2110 will require the auditor to read a wide range of publicly available information, including company press releases, presentations, public statements, social media accounts (both of the company and its executives), and information from sources external to the company, such as media reporting and analyst reports.

Key to PCAOB's approach is replacing the term "illegal acts" in current AS 2405 with the broader "noncompliance with laws and regulations" (which expressly includes fraud, as defined in current PCAOB standards). PCAOB notes that this change in language is necessary because "illegal acts" is too limiting and may lead to the exclusion of instances of noncompliance perceived not to be significant enough to examine under current requirements.

After identifying a potential noncompliance, auditors would need to perform audit procedures to evaluate it and its possible effects on the financial statements. These enhanced procedures go beyond those required by current AS 2405 and AS 2110. For example, auditors may be required to retain attorneys and legal experts to assist them in identifying and evaluating the potential noncompliance. The auditor would also be required to use these procedures as a risk assessment tool, to obtain an understanding of a company's own management process in identifying, investigating, and remediating noncompliance with such laws and regulations. Proposed AS 2110 would also require companies to be more granular and detailed in assessing their own risk assessment process and introduces several inquiries that auditors will need to include when making inquiries of company management, the internal audit team, and the audit committee regarding possible fraud or noncompliance with laws and regulations.

Lastly, the NOCLAR proposal would require auditors to alert management and the audit committee as soon as practicable once they become aware that noncompliance "has or may have occurred," which deviates from the current responsibility of auditors to notify the audit committee as soon as practicable of illegal acts when they come to the auditor's attention. The enhanced communication under the NOCLAR proposal may occur in two stages: first, after the auditor learns of the potential noncompliance, and second after the auditor has evaluated the issue. In order to give effect to the expanded analysis required to identify and assess noncompliance with laws and regulations and to develop and implement necessary procedures, the NOCLAR proposal would also amend several additional auditing standards to carry out the NOCLAR proposal's intent.

Additional, Substantial Costs

With so many proposed changes, PCAOB acknowledges that the increased costs related to the NOCLAR proposal are "substantial," "sizable," and "significant." PCAOB recognizes that auditors will incur significant fixed costs relating to the NOCLAR proposal, including costs related to implementing the proposed amendments and updating firm procedures and engagement level costs, including identifying applicable laws and regulations and assessing and understanding the risks of material misstatements due to noncompliance with laws and regulations. Based on PCAOB's review of publicly available information, the board believes that all auditing firms will need to substantially modify their procedures and policies to comply with the NOCLAR proposal's mandates.

Specifically, PCAOB sees costs coming from three primary categories relating to the auditor's engagement with any particular company. First, are the "considerable additional audit effort" that would be necessary to identify the relevant laws and regulations under the NOCLAR proposal, which, given the elimination of the distinction between direct and indirect effects of noncompliance on the financial statements, will be significantly expanded under proposed AS 2405. PCAOB believes that auditors will need to retain attorneys and other legal experts to help them meet this task and that these specialists "could be costly to retain." Second, auditors will have to "expend additional audit effort to assess and respond to the risk of material misstatement" associated with the laws and regulations identified and the risks of material misstatements. Finally, the need to "plan and perform significant additional procedures to identify whether there is information indicating noncompliance with those laws or regulations has or may have occurred" and implementing those procedures "could add a significant amount of additional effort to each audit on the part of engagement team members." In seeking to understand the relevant laws and regulations as required, and to better understand the nature of the company as would be required by proposed AS 2110, PCAOB says that this effort "could be substantial if the company under audit releases a robust volume of information through its website or social media or if there is a robust volume of other publicly available information from sources external to the company for the auditor to read." All these requirements could lead to "potentially significant additional costs added to each engagement to comply with the revised standard."

Nevertheless, PCAOB believes these substantial costs are necessary as "current academic and other literature" shows that noncompliance may expose companies to legal and regulatory penalties that could lead to potentially significant investor harm. As such, PCAOB believes the auditor's expanded role in detecting noncompliance under the NOCLAR proposal will help preserve shareholder value and decrease damages caused by noncompliance.

The NOCLAR proposal has little in the way of discussion of the costs to public companies, which will bear the brunt of both the direct (increased auditor fees) and indirect costs (company costs of complying with the proposal and satisfying the auditor) of the expanded audit scope. Though PCAOB seems to believe that companies will respond to the increased costs by further enhancing internal audit, monitoring, and compliance functions, the NOCLAR proposal lacks a discussion of such costs.

Not a "Compliance Audit"?

Despite the NOCLAR proposal's expanded role for the auditor and the requirement that the auditor is to determine the laws applicable to a company; understand the company's compliance procedures and how any potential noncompliance could reasonably affect the financial statements; to evaluate the impact of any potential noncompliance on the financial statements; and to plan and perform procedures to identify whether there is information indicating noncompliance across operations, PCAOB states that the proposed procedures "are not tantamount to a compliance audit in their scoping or objectives."

In dissenting from the PCAOB's vote to put forth the NOCLAR proposal, the PCAOB's two CPA members Duane M. DesParte and Christina Ho both raised concerns with the scope of the NOCLAR proposal. DesParte stated that the NOCLAR proposal's wording "suggests the auditor would be expected and held accountable to identify any and all information that might indicate instances of noncompliance of any law or regulation across the company's entire operations, without regard to materiality." DesParte cautioned that the NOCLAR proposal's "filtering threshold of ‘reasonably could' is not adequately explained in the proposal and is not addressed elsewhere in the PCAOB standards." DesParte also noted that it was unclear whether the concept of reasonable assurance, rather than absolute assurance, would be applicable to the auditor's identification of noncompliance under the NOCLAR proposal.

Ho echoed these concerns about the "breathtaking expansion of the auditor's responsibilities" while also worrying that the proposal "could cause considerable confusion on the appropriate role of the auditors." As Ho noted, "To identify the laws and regulation with which noncompliance could reasonably have a material effect on the financial statement, an auditor must first identify all the laws and regulations applicable to the public company." Ho cautioned that to have the auditor identify all laws and regulations a company is subject to, would create ambiguities by transforming the auditor's role from one of providing assurance to a management function.

While the NOCLAR proposal states that it does not require the auditor to make legal determinations, PCAOB itself expects that some auditors will "overreact" in this regard as auditors may "err on the side of caution and retain counsel or other experts whenever they discover possible noncompliance." This concern receives little attention in the NOCLAR proposal, though it has the potential to further drive up costs for audited companies and create a host of issues. Under the NOCLAR proposal, the company's auditors will now be hunting for any potential noncompliance with laws, but will have no obligation to actually resolve any issues. Thus, companies will have to turn to their legal counsel to assuage auditor concerns, further driving up legal spending associated with the audit. Given the nature of a public company audit, it would seem reasonable to assume that most auditors would choose to "err on the side of caution" and retain additional legal counsel to assess any possible issues of noncompliance that may be uncovered, if for no other reason than to protect themselves from any litigation that may follow the discovery of any noncompliance. Additionally, with the proposed requirement that auditors review publicly available information, it is not hard to see auditors being buried under an ocean of information when reviewing very large, diversified, global companies with a host of products and services and complex operations.

Conclusion

The NOCLAR proposal represents a radical departure from the typical auditor role. If adopted as proposed, the NOCLAR proposal will impose significant costs on public companies. Fortunately, PCAOB is actively seeking comment and guidance on the NOCLAR proposal and has put forth 70 direct questions to interested parties as it seeks information to help guide it toward a final rulemaking. Comments to the NOCLAR proposal are due by August 7.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising

Written by:

Troutman Pepper
Troutman Pepper
Contact
more
less

Troutman Pepper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide