PCAOB Faces Competing Requests in Revising Audit Requirements for Non-Compliance with Laws and Regulations
August 11, 2023
Judging by the unusually high number of comment letters the Public Company Accounting Oversight Board (PCAOB) has received—121 as of Aug. 10, 2023—the board has a lot of work to do before it can finalize a proposal aimed at strengthening its standard to require public company auditors to more proactively identify, evaluate and communicate instances of a company’s non-compliance with laws and regulations (NOCLAR).
While Thomson Reuters has not done a complete comment letter tally of all standard-setting projects during the board’s 20-year history, the PCAOB has usually gotten far fewer than 100 comment letters, largely ranging from about 20 to 50. There have been a few exceptions, for example, when the board took seven years to write a rule that expanded the auditor’s report to go beyond the pass-fail model that had been in place for 70 years. Auditors today disclose critical audit matters.
But it is not just the sheer volume of comment letters that the board has received on NOCLAR. It is also the differences in views expressed by investors, auditors, company management and others that the PCAOB has to carefully consider as it balances the costs and benefits before crafting any final rule. The comment period closed Aug. 7.
Contrasting Views
In most standard-setting projects, the PCAOB usually gets fairly predictable opposing views. On the one hand, investor advocates want strong standards so that people’s investments are protected. On the other hand, companies and their external auditors—while noting some broad support—emphasize concerns, citing costs or impracticability of proposed standards. And this is also the case for NOCLAR.
The PCAOB has a single mandate: investor protection. And its own Investor Advisory Group (IAG) submitted a comment letter on Aug. 10, saying that it supports the NOCLAR proposal but suggested improvements to make the standards even more robust.
By contrast, 20 organizations that represent businesses and the auditing profession, including the U.S. Chamber of Commerce and the Center for Audit Quality (CAQ), wrote a joint comment letter on Aug. 7, saying that the proposal “raises a series of significant concerns for the business community.”
The U.S. Chamber is a powerful business group whose office is located right across from the White House. The CAQ, an affiliate of the AICPA, represents accounting firms that audit public companies.
In addition, when the PCAOB voted to issue the proposal in June, two board members dissented.
The PCAOB’s proposed newly worded Auditing Standard (AS) 2405, A Company’s Noncompliance with Laws and Regulations, would cover all ranges of non-compliance—intentional or unintentional—from outright financial statement fraud to non-compliance matters that may have a material effect on the financial statements.
The proposal has three key elements. Auditors would be required to identify NOCLARs that could reasonably have a material effect on the company’s financial statements during their initial risk assessment. After identifying a potential NOCLAR, the proposal would require auditors to evaluate it with enhanced procedures. The final proposed provision would enhance communication.
To improve the proposed standards, the IAG said that it believes that a company’s compliance functions, including whistleblower programs, are important sources in identifying fraud. And the advisory panel asked the PCAOB to require more explicit auditor responsibilities related to ethics and compliance programs.
In particular, IAG said auditors should obtain an understanding of the audit committee’s and management’s policies, processes and procedures for the program. Auditors must test controls to determine if the process is operating as expected. Auditors must review and assess complaints that are reasonably likely to have a material effect on the financial statements. Moreover, when the auditor deems it necessary and is able to do so, the auditor should interview the whistleblower or complainant.
The IAG also asked the PCAOB to explicitly require documentation of the audit team members who performed procedures to identify and assess NOCLAR risks.
In addition, the group pointed out a flaw in the proposed communication requirement of potential NOCLAR because it has an exception—when the matters are “clearly inconsequential.”
The IAG is concerned with the proposal’s description of “clearly inconsequential” because it is “inconsistent with the long-understood meaning of the phrase and could result in the phrase being misinterpreted as creating a broad exception from the proposed communication requirements.”
Further, the IAG said that when the auditor has determined that it is reasonably likely that an instance of NOCLAR has occurred, but the company has failed to take appropriate actions to address the matter, then the auditor should report to the Securities and Exchange Commission, the PCAOB and to investors whether or not the auditor resigns from the engagement unless the communication is otherwise prohibited by federal or state law. The SEC, as the capital markets regulator, oversees the board.
“We believe expanding the auditor responsibility to communicate NOCLAR to the SEC, the PCAOB, and investors could increase audit quality and potentially function as a deterrent to issuer fraud and NOCLAR,” the comment letter states.
However, the coalition of businesses highlighted several problems. The group asked for precise terminology because as currently drafted, the proposal’s language would not provide auditors “with a practical filter or guide for which laws and regulations to evaluate.”
“The vague and intentionally expansive terminology used by the Exposure Draft would drive new liability concerns among auditors, creating a more unfocused and ineffective risk mitigation environment that would push legal, compliance, and audit costs even higher,” business associations noted.
The IAG noted in its comment letter that, at least for the proposal’s language that says “could reasonably have a material effect,” it recommended changing it to “reasonably likely to.” Such language has served for risk assessment for management’s discussion and analysis disclosures, for example.
In the meantime, another significant concern the business organizations noted is the transformation of the nature and scope of auditor responsibilities.
The proposal turns “financial statement audits into wide-ranging investigations of potential instances of NOCLAR. Auditors perform a vital function in U.S. markets, ensuring the integrity of financial statement information that ultimately facilitates effective capital deployment,” the joint letter states. “Changing the nature of the audit to serve as an examination of NOCLAR would add a host of new responsibilities and requirements for auditors, unnecessarily deviating from the purpose of an audit. These new auditor responsibilities would fundamentally alter the audit function and would insert auditors into core legal and management decisions.”
Moreover, “auditors may be put into a position to second-guess a company’s own legal counsel regarding whether noncompliance may have occurred,” the letter states. “The requirement that auditors perform ‘enhanced risk assessment procedures’ could result in auditors second-guessing how management allocates the company’s financial and human resources. This would not only blur responsibility between the legal, management, and audit functions, but also would divert auditors’ time, attention, and resources away from auditing financial statements.”
Reason for Proposed Changes
The board issued the proposal largely because some investor advocates for years have said that the old 1988 AICPA standard—renamed as the PCAOB’s AS 2405, Illegal Acts by Clients—has not protected investors. The AICPA’s standard was adopted on an interim basis when the PCAOB was established by the Sarbanes-Oxley Act, which Congress passed in 2002 to prevent a recurrence of accounting scandals that toppled companies like Enron and WorldCom and put their auditor—then-Big Five firm Arthur Andersen—out of business. Before the PCAOB was established, the auditing profession essentially regulated itself.
A renewed focus on the auditor’s responsibilities regarding NOCLAR originally came amid a string of high-profile cases in the past several years.
For example, Wells Fargo & Co. created more than 1.5 million unauthorized bank accounts and more than 560,000 credit card applications from 2011 to 2015, and investors asked where its auditor, KPMG LLP, was to prevent the fraud. The audit firm denied any wrongdoing. But when the public found out about the scandal, Wells Fargo lost $7.8 billion in stock valuation. More recently, Wells Fargo agreed to pay $1 billion to settle a class-action suit from investors, alleging the bank misled them about compliance with consent orders imposed by regulators.
IAG pointed out that its members are worried that auditing standards have not changed even though the business and financial reporting environment has evolved.
“We are concerned that fraudulent behavior within companies can go undetected in periods of rapid change,” IAG’s letter noted.
The letter cites research estimating that only one-third of corporate frauds are detected, with an average of 10 percent of large public companies committing securities fraud every year.
“This means that the true extent of corporate fraud is much larger than what is currently being reported,” the IAG letter states. “The research also estimates that corporate fraud destroys 1.6% of equity value each year, which equals to $830 billion in 2021.”
[Thomson Reuters]