Yesterday, the SEC held an open meeting to consider a number of PCAOB proposals addressing the “general responsibilities of an auditor conducting an audit as well as technology-assisted analysis and contributory liability rule for associated persons.” In his opening remarks, SEC Chair Gary Gensler put this initiative in the historic context of the adoption of SOX in 2002, which led to the establishment of the PCAOB as “an independent watchdog over the audits of public companies and registered broker-dealers and their auditors. The Enron crisis revealed a key problem: the quality of auditing standards. Candidly, the relationships between issuers and auditors, between standard-setters and auditing firms, were too clubby.”  Auditing standards were set by the AICPA, which meant that, in effect, the “profession was writing its own rules. That’s an inherent conflict. To correct course, the PCAOB was tasked with setting enhanced auditing standards. For practical purposes, Congress permitted the newly established PCAOB to carry over existing AICPA standards on an interim basis. The expectation was that the Board would produce a more appropriate set of standards going forward.” Although these standards “were already decades-old when the Board adopted them in 2003,” before now, the PCAOB had adopted only seven new standards—“42 of these 49 so-called ‘interim standards’ remained in public company audit practice.”  Yesterday, the SEC approved a proposed rule amendment and two proposals for new and updated audit standards adopted by the PCAOB:  an amendment to PCAOB Rule 3502 governing contributory liability (approved three to two); AS 1000, regarding the general responsibilities of the auditor in conducting an audit (approved unanimously), and AS 1105 and AS 2301, amendments related to aspects of designing and performing audit procedures that involve technology-assisted analysis of information in electronic form (approved unanimously). According to the press release, Gensler said that he was “pleased that the PCAOB is fulfilling its obligations under the Sarbanes-Oxley Act by updating its standards and rules regarding the practice of auditing….I’m proud to support the PCAOB’s proposed changes to instill greater trust among investors and issuers in our markets.”

Here are the three SEC orders:  SEC Order – Rule 3502;  SEC Order – AS 1000; and SEC Order – AS 1105 & 2301.

Rule 3502. First on the agenda yesterday was the amendment to Rule 3502, Responsibility Not to Knowingly or Recklessly Contribute to Violations, the “ethics rule governing the liability of associated persons who directly and substantially contribute to a registered public accounting firm’s primary violation.”  Under the current rule, an associated person has potential secondary liability when that individual acts at least recklessly to directly and substantially contribute to a violation by the audit firm. Recklessness “requires ‘extreme departure from the standard of ordinary care’ that ‘presents a danger to investors or to the markets that is either known to the (actor) or is so obvious that the actor must have been aware of it.’” The audit firm, however, “which acts through its associated persons, can commit a primary violation of certain laws, rules, or standards by acting negligently,” that is, by failing “to exercise reasonable care or competence.”

The PCAOB determined that this misalignment meant “that associated persons may have weaker incentives to exercise the appropriate level of care in their audit work, and that the modification to Rule 3502’s liability standard from recklessness to negligence would incentivize associated persons to be more deliberate and careful in their actions.” The amendments to Rule 3502 “revise from recklessness to negligence the standard for an associated person’s contributory liability, while maintaining the requirement that to be held liable, an associated person must have contributed to the firm’s violation ‘directly and substantially.’” The PCAOB  determined that the amendment would assist the PCAOB in “executing its investor-protection mandate to the fullest extent that Congress authorized in SOX. According to the PCAOB, in the instances in which the Board has instituted proceedings against firms for negligence-based violations, the Board has not been able to charge individuals who negligently, directly, and substantially contributed to the firms’ violations. The Amendment would allow the Board to do so.” Notably, under the federal securities laws, the SEC does have enforcement authority to hold individual auditors responsible for contributing to audit firms’ violations under a negligence-based standard.  The amendment will be effective 60 days from the date of this order.

As stated in the press release, SEC Chief Accountant Paul Munter said that the “amendments to Rule 3502 are critical because moving the PCAOB contributory liability standard from recklessness to negligence aligns the rule with other negligence-based professional conduct standards, including the standard for sanctions by the Commission for individuals negligently contributing to firm violations as well as certain state professional licensing requirements, that have long governed the accounting profession, and aligns the rule with the same standard of reasonable care that auditors are required to exercise when executing their professional duties.”

According to Gensler’s statement, “accounting firms are just collections of people. It’s important to be consistent. When firms violate their obligations, the associated persons who directly and substantially contributed to such violations should be held to the same standards of accountability by the PCAOB.”

Both Commissioners Hester Peirce and Mark Uyeda dissented. In her statement (which addressed all three Orders), Peirce stated that she did “not support the proposed change in the contributory liability standard from recklessness to simple negligence. This change is neither consistent with the requirements of the securities laws, nor necessary or appropriate in the public interest or for the protection of investors. It could have the unintended consequence of lowering audit quality and could worsen the trend toward fewer talented individuals entering the auditing profession.” In particular, she noted the “PCAOB’s recent emphasis on aggressive enforcement.” In that context, “[w]hen paired with the PCAOB’s stated plan to ‘aggressively pursu[e] all statutory legal theories for charging respondents,’ assurances that it ‘intends to deploy its prosecutorial discretion responsibly’ provide little comfort. The PCAOB of course should enforce its rules, but bringing formal enforcement actions should not be the first tool a regulator grabs when deficiencies are identified—particularly when the conduct at issue is merely negligent.”  Given that the SEC has enforcement authority based on negligence, she wondered whether this change was really necessary—the costs of potential risk aversion and self-protective behaviors might be too high. As with the other two proposals considered at the meeting, Peirce had a number of questions (included in her statement).

In her statement, Commissioner Caroline Crenshaw reiterated the point made by some PCAOB members that “the amendments do not provide regulators with the ability to play ‘gotcha’ or to supplant the reasonable, if mistaken, judgment of the auditor. Rather, by employing a negligence standard, the PCAOB will be required to make a showing that an individual did not exercise reasonable care. An auditor would have to act unreasonably and then also directly and substantially contribute to the firm’s violation in order to be held liable under these standards. Junior professionals or other auditors who are executing their responsibilities in good faith and with due care would not incur liability under this amended rule and the PCAOB underscored this in its Adopting Release.”

Uyeda’s statement weighed the potential harms and benefits: “While the PCAOB should have the tools to hold persons accountable, would lowering the standard of conduct for liability do more harm than good to the auditing profession? As some commenters noted, a negligence standard could discourage auditors from taking on more advanced audit roles, have a chilling effect on collaboration among auditors within the same firm, and hinder efforts to reverse the decline in new accountants.” However, a negligence standard would be consistent with the SEC standard and the PCAOB’s standard for firm liability. In his view, “[w]hether a liability rule strikes the right balance between being prophylactic and having no bite will depend on how it is enforced. The PCAOB’s adopting release states that the Board ‘does not anticipate that [the rule change] will be used to sanction isolated, good-faith errors in professional judgment—let alone be wielded as a ‘blunt’ or ‘draconian’ instrument…including with respect to less senior engagement team members.’” While he hoped “that the Board and its staff acts in accordance with that intent in the future,” he had “not received sufficient assurances that the amendments will strike the right balance when it comes to holding people accountable for unreasonable conduct, as opposed to simply errors in judgment.” In the meeting, when he asked Munter if he could confirm that a restatement didn’t necessarily always involve negligence and Munter would not respond in the absence of a stated fact pattern, that was, he said, for him, cause for concern.   

In his statement, Commissioner Jaime Lizárraga pointed out that “[h]armonizing these differing liability standards would allow the Board to fulfill its congressional mandate more effectively. This is especially useful at a time when audit deficiencies and an overall drop in audit quality continue to persist. Data provided by the Board in its release show that since 2009, in over two-thirds of the cases in which a firm has been sanctioned, no individual was held accountable under the Board’s contributory liability rule. In the past five years, on average only 18 percent of all cases in which a firm has been sanctioned included individuals charged under this rule. This amendment will benefit investors by increasing the likelihood of misconduct being detected and sanctioned.”

AS 1000.   This proposal involved the adoption of the new standard AS 1000, General Responsibilities of the Auditor in Conducting an Audit, along with the rescission of or amendments to several existing standards, in essence, replacing several interim standards. The proposal was intended to “reaffirm, consolidate, and modernize the general principles and responsibilities of the auditor when conducting an audit.” The standards address foundational topics such as “the auditor’s duty to protect investors through the preparation and issuance of informative, accurate, and independent auditor’s reports; the exercise of due professional care, professional skepticism, and professional judgment when performing audits; and compliance with ethics and independence rules.”  The proposal was adopted unanimously.

In his statement, Gensler observed that these foundational standards “exist to protect investors. They are the building blocks of an independent audit and are central to investors’ trust in our markets. Forty years ago, Supreme Court Chief Justice Warren Burger noted the importance of the public’s confidence in the independent auditing process. In United States v. Arthur Young & Company, he wrote, it is ‘not enough that financial statements be accurate; the public must also perceive them as being accurate.’ Further, ‘public faith in the reliability of a corporation’s financial statements depends upon the public perception of the outside auditor as an independent professional.’”

Gensler’s statement provides a brief summary of the proposed standards: they would update the auditor’s objective to cover audits of both financial statements and internal control over financial reporting; tie the auditor’s independence obligations to PCAOB and SEC independence rules; clarify the engagement partner’s existing responsibilities for supervision and review of the engagement and clarify that the term “presents fairly” refers not just to preparing financial statements in accordance with GAAP, but rather to “the applicable financial reporting framework.” Gensler pointed out that this change “also emphasizes that the auditor’s evaluation of fair presentation extends beyond a technical compliance exercise and requires professional judgment.” The new standard will also “accelerate the deadline to assemble a complete and final set of audit documentation for retention from 45 days to 14 days,” a change that Munter viewed as one of the most significant.

The amendments will be effective for audits of financial statements for fiscal years beginning on or after December 15, 2024, except that, for firms that provide audit opinions for 100 or fewer issuers during the calendar year ending December 31, 2024, the amendment relating to the documentation completion date will be effective for audits of financial statements for fiscal years beginning on or after December 15, 2025. In addition, the SEC determined that these amendments will apply to audits of EGCs.

Peirce, while supporting the Order, explained that underlying her support was “an expectation that the PCAOB will stand ready to provide guidance, answer questions, monitor for issues during implementation, and conduct a post-implementation review.”

Crenshaw’s statement recognized that a “high-quality audit is the foundation upon which investor trust and flows of capital are built. And the requirements of AS 1000 form the building blocks of that foundation.” To ensure that the public “trust in and expectations of auditors, and actors like them, is not misplaced, it is necessary to have a meaningful baseline of professional standards that carry consequences for failing to meet them. These are the standards that AS 1000 requires.”

Uyeda’s statement noted that, in comments on the proposal for AS 1000, some had raised concerns about “whether the new standard imposed a new legal duty on auditors and whether statements in the proposal relating to the auditor’s judgment concerning fair presentation expanded an auditor’s responsibilities or created conflicts. The PCAOB appears to have addressed these concerns, as noted by some Board members when approving the standard and by market participants that submitted letters to the Commission in support of the standard. Because of the PCAOB’s efforts to address commenters’ concerns, as well as market participants’ general approval for AS 1000,” he supported the new standard. 

In his statement, Lizárraga indicated that the “new standard does not create new obligations for auditors. However, the auditing environment has evolved significantly since the Board first adopted interim standards in 2003. In the face of rapid change, investors are better protected with updated and modernized standards that can yield more informative, accurate, and independent financial reporting.”

AS 1105 and AS 2301.  The PCAOB’s amendments to AS 1105, Audit Evidence, and AS 2301, The Auditor’s Response to the Risks of Material Misstatement, and conforming amendments, were designed “to address the use of technology-assisted data analysis in audit procedures. The amendments specify and clarify auditors’ responsibilities when the auditor uses such analytical tools in conducting audits.” These amendments were also approved unanimously.

In his statement, Gensler observed that “the existing audit standards were written in an earlier technological era and have not been updated since 2010.” The new standards “address how auditors assess the quantity and quality of audit evidence when using technology-assisted analysis. Such updates are needed, given the rapid technological changes we’re seeing throughout finance and the economy. Today, computer data analysis plays a growing role in the audit process.”

As summarized by Gensler, “[f]irst, the proposed amendments would establish a risk-based framework for auditors to determine the reliability of information in the large data sets that companies provide. This would help auditors better ensure that they are obtaining quality audit evidence. Second, the proposed amendments provide a framework regarding the work auditors should do with respect to items that are flagged for further investigation by computer-analysis tools. These amendments would help auditors determine whether they have the quality and quantity of evidence to support their audit conclusions. Third, today’s amendments provide updates to the descriptions of the procedures auditors perform.”

The amendments are intended to be principles-based so as to enable future adaptation to “the evolving nature of the use of technology in the audit.” The amendments will be effective for audits of financial statements for fiscal years beginning on or after December 15, 2025 and will apply to EGCs.  

Peirce voiced her support, but with reservations. While these amendments “should help to guide auditors as they increase their use of technology-assisted analysis of information in electronic form” and to “alleviate the uncertainty that has led to different practices across firms and has kept some firms from using data analytics,” they are just a “good start.” She expected the PCAOB to provide further “regulatory clarity around how auditors can use—and respond to their clients’ use of—new technologies, including artificial intelligence and blockchain.”  She expressed concern regarding the lack of clarity around the “burden on auditors and their clients.” This standard, she said, “could be very expensive. The ambiguity around the cost of these amendments flows from how the standard was drafted coupled with questions about how it will be implemented. Our approval order addresses some of the concerns raised by commenters and ‘encourage[s] the PCAOB to provide further implementation guidance’ affirming the acceptability of a risk-based approach.”

In her statement, Crenshaw observed that the new standards are consistent with the “requirement that auditors must plan and perform audit procedures to obtain sufficient appropriate evidence to support their opinion on a company’s financial statements.”  That requirement “remains unchanged and holds true whether technology-assisted analysis is used or not. Today’s amendments advance that requirement by providing clarity on how to obtain relevant and reliable audit evidence if technology-assisted analysis is used.”

In his statement, Uyeda appreciated the PCAOB’s statement that amendments were principles-based, particularly in view of some commenters’ concerns about what appeared to them as a prescriptive rule “requiring the auditor to test all information in electronic form that the company provided to it, regardless of the auditor’s risk assessment.” In the adopting release, the SEC indicated that it did “not believe that the PCAOB intended for a prescriptive approach to testing external information provided in electronic form. However, given commenters’ concerns, the Commission encourages the PCAOB to provide implementation guidance on this issue.” In view of that acknowledgement and call for implementation guidance, he supported the proposal. He also noted that “several commenters called for the PCAOB to undertake a broader review of how technology, including artificial intelligence, affects audits,” and he looked forward to recommendations regarding the use of emerging technologies in the audit space.

In Lizárraga’s statement, he noted the recent expanded use by auditors of data analytics, a trend “driven both by advances in data analysis tools and increased access by auditors to large volumes of company- and third-party-generated data. Where existing auditing standards designed for another era fall short of their potential to help auditors improve audit quality, it makes sense to adapt them to current realities. Audit procedures that rely on data analytics but that are not appropriately designed or executed, may not yield the audit evidence required by current auditing standards.” In his view, the proposed updates “will assist auditors in better analyzing information in electronic form with technology-based tools. The amendments are designed to reduce the likelihood that an auditor will issue a report without obtaining sufficient audit evidence that provides a reasonable basis for its audit opinion.”

[View source.]