On June 6, 2023, the Public Company Accounting Oversight Board (“PCAOB”) proposed new auditing standards that would substantially broaden auditors’ responsibilities for considering an audit client’s noncompliance with laws and regulations, including fraud. If adopted, the proposal is likely to entangle auditors in complicated questions of legal and regulatory compliance.
PCAOB Release No. 2023-003 (the “Proposal”) heightens auditors’ responsibilities for detecting legal and regulatory noncompliance and alerting appropriate members of management and audit committees. The PCAOB’s stated objectives for the new standard are to (1) “protect investors from the resulting harm of noncompliance with laws and regulations when the effect of such noncompliance has a material effect on the financial statements” and (2) “improve audit quality through the auditor’s identification of noncompliance with laws and regulations that could reasonably result in a material effect on the financial statements. Proposal at 4-5.
The existing auditing standard AS 2405 (“Illegal Acts by Clients”) requires auditors to perform procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct and material effect on a company’s financial statements. Audit procedures are designed to identify and respond to fraud risks and communicate with management and the audit committee about such risks. Under the current regime, illegal acts further removed from the company’s financial reporting and accounting functions, such as noncompliance with regulations related to the company’s operations, are less likely to fall within the scope of the audit.
The Proposal, which would replace AS 2405, would ostensibly require auditors to proactively identify all laws and regulations applicable to the company and determine whether violations of such laws and regulations could have a direct or indirect material effect on the company’s financial statements. It further requires auditors to determine whether noncompliance “has or may have occurred.” See id. at 4. This expanded scope would require auditors to (1) identify laws and regulations applicable to the company; (2) perform additional risk assessment procedures that address noncompliance; (3) perform procedures designed to identify whether noncompliance has or may have occurred; and (4) assess the nature of any noncompliance detected by the auditor.
While the Proposal expands the auditor’s role in assessing legal and regulatory noncompliance, it provides no guidance on how auditors should determine whether a law or regulation was violated and, if violated, whether the violation could have a material impact on a company’s financial statements. This type of analysis would present a daunting task for auditors, and is likely to raise wide-ranging and complex legal and regulatory issues requiring input from numerous subject-matter experts. Indeed, the PCAOB recognizes that the Proposal will require auditors to work extensively with experts and lawyers to satisfy their new obligations, including to understand laws and regulations, evaluate whether noncompliance has or may have occurred, and assess the risk of material misstatements of the financial statements due to noncompliance. Id. at 42-43.
The only two CPAs serving on the PCAOB strongly criticized the Proposal. One of these members, Christina Ho, warned that it would collapse the distinction between the auditor’s and management’s responsibilities, and “transform[] the auditor’s role from one of providing reasonable assurance to one of performing a management function.”
The PCAOB’s transformative proposal comes on the heels of a proposal by the Securities & Exchange Commission (“SEC”) also seeking to expand auditors’ responsibilities as they relate to companies’ disclosures regarding environmental, social, and governance (“ESG”) issues. One of those proposed rules requires public companies to disclose climate-related impacts to financial statement line items in the footnote disclosures, even where the impacts are not material to the financial statements as a whole. Auditors will have to consider those climate-related disclosures when conducting the financial statement audit, resulting in additional audit procedures. If one or both of these proposals are adopted, auditors will face increasingly onerous audit requirements and are likely to face heightened regulatory scrutiny as they adapt to markedly different standards.