Another Step in Seeking to Broaden the Scope of Public Company Audits: The PCAOB Proposes an Expansive Non-Compliance Standard

June 12, 2023

On June 6, 2023, the Public Company Accounting Oversight Board (“PCAOB”) proposed for public comment a draft auditing standard, A Company’s Noncompliance with Laws and Regulations, PCAOB Release 2023-003, that could significantly expand the scope of audits and potentially alter the relationship between auditors and their SEC-registered clients. In a rare move, two PCAOB Board members—Duane DesParte and Christina Ho (the two accountants on the Board)—dissented from the proposal based on a range of concerns, including that it would unduly expand the scope of the public company audit.

This alert provides a high-level summary of the proposed standard, which runs more than 140 pages. We also review the objections articulated by Board Members DesParte and Ho.

Overview

The proposal issued by the PCAOB would replace existing AS 2405, Illegal Acts by Clients (“Current AS 2405”), with a new AS 2405, A Company’s Noncompliance with Laws and Regulations (“Proposed AS 2405”). The principal ways in which the Proposed AS 2405 would go beyond the Current AS 2405 include the following:

The Current AS 2405 mirrors in substantial part Section 10A of the Securities Exchange Act of 1934, which requires the auditor to perform “procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct and material effect on the determination of financial statement amounts,” 15 U.S.C. § 78j-1(a)(1) (emphasis added). The Proposed AS 2405 would go further and require the auditor to: (i) identify all laws and regulations “with which noncompliance could reasonably have a material effect on the financial statements” (emphasis added), (ii) incorporate potential noncompliance with those laws and regulations into the auditor’s risk assessment, and (iii) identify whether noncompliance may have occurred through enhanced procedures and testing. Proposed Standard ¶¶ 4-5. As part of these procedures, an auditor would be required, among other things, to obtain an understanding of management’s own processes to identify relevant legal obligations and investigate potential noncompliance. ¶ 6(a)(2).
Upon identifying an instance of potential noncompliance, the auditor must perform procedures to understand the nature of the matter, as well as to evaluate whether in fact noncompliance with a law or regulation has occurred. ¶¶ 7-11. These procedures go beyond those required by the Current AS 2405 and Section 10A. Importantly, the proposed procedures would appear to require the auditor to undertake significant steps even in cases where it appears unlikely that the identified conduct will have a material effect on the financial statements and even in cases where the noncompliance itself is still in question.
After identifying an instance of potential noncompliance, the auditor would communicate both with management, the audit committee (unless the matter is clearly inconsequential), and, in some cases, the board of directors as a whole. ¶¶ 12-15. The Proposed AS 2405 contemplates that this communication may occur in two stages, the first after the auditor learns of the matter and the second after the auditor has conducted an evaluation of the matter.

Objections of Board Members DesParte and Ho

Board Members DesParte and Ho each issued a statement explaining the basis for their dissent from the proposal. Some of the most significant concerns that they raised included:

That the requirement to understand all laws and regulations that potentially could materially affect the financial statements would likely impose an undue burden on auditors;
That, in Board Member DesParte’s words, the Proposed AS 2405 might require an auditor “to identify any and all information that might indicate instances of noncompliance [with] any law or regulation across the company’s entire operations, without regard to materiality,” a potentially significant expansion of responsibility that could require the auditor to rely increasingly on legal specialists;
That the requirement to consider management’s disclosure about a potential instance of noncompliance may exceed the requirements of AS 2710, Other Information in Documents Containing Audited Financial Statements; and
That the proposal does not adequately take smaller firms and smaller audit engagements into account.

Notably, Board Member DesParte concluded his remarks by expressing that, in light of the PCAOB’s aggressive standard-setting initiative overall,

I am increasingly concerned we are establishing new auditor obligations and incrementally imposing new auditor responsibilities in ways that will significantly expand the scope and cost of audits, and fundamentally alter the role of auditors without a full and transparent vetting of the implications, including a comprehensive understanding of the overall cost-benefit ramifications. I also wonder whether we are further contributing to the expectations gap by imposing responsibilities on auditors not aligned with their core competencies or the fundamental purpose of a financial statement audit.

The statements from Board Members DesParte and Ho underscore both the significance of this proposal and the range and magnitude of the concerns, for auditors and SEC registrants alike. Indeed, the procedures described above, as well as other aspects of the Proposed AS 2405 and other proposed amendments to PCAOB auditing standards, likely would substantially expand the scope of most audits in relation to identifying, assessing, and addressing potential noncompliance with laws and regulations, particularly for audits of complex, global organizations. Among other things, the proposal appears not to fully consider the consequences—either for the auditor or for the issuer—of expanding the role of the auditor to include responsibilities that might lie outside the auditor’s core competencies, such as legal analysis. The auditor’s increased responsibility to identify, evaluate, and report on legal compliance could alter what information the issuer may need to share with the auditor to help ensure that sufficient audit evidence is obtained, as well as the training and quality controls that might be necessary to achieve reasonable assurance that the auditor can evaluate and act on the information received. Notably, too, the increased sharing of information from the audit client to the auditor that is required under the Proposed AS 2405 would present significant increased risk to the audit client’s legal privileges. These are but a few of the significant issues that suggest that the Proposed AS 2405 would mean costlier and potentially more expansive audits, with the likely upshot that SEC registrants correspondingly also will need to undertake more expansive compliance initiatives (and share the results of such initiatives with the auditor) in order to satisfy the proposed audit requirements. Both companies and their auditors will want to follow these proposals carefully and many will likely want to comment on these issues after having reviewed the Board’s proposal.

Conclusion

We encourage interested parties to consider submitting comments concerning this proposal. Especially in light of the dissents by Board Members DesParte and Ho, the comment process should play an important role in shaping whether this proposal moves forward and in the Board’s consideration of this matter.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Accounting Firm Advisory and Defense practice group, or the following practice leaders and authors:

Accounting Firm Advisory and Defense Group:

James J. Farrell – New York (+1 212-351-5326, jfarrell@gibsondunn.com)

Ron Hauben – New York (+1 212-351-6293, rhauben@gibsondunn.com)

Monica K. Loseman – Denver (+1 303-298-5784, mloseman@gibsondunn.com)

Michael J. Scanlon – Washington, D.C. (+1 202-887-3668, mscanlon@gibsondunn.com)

David C. Ware – Washington, D.C. (+1 202-887-3652, dware@gibsondunn.com)

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.