Audit firms may soon be under more pressure to look for potential fraud and other legal or compliance violations at their client companies, and then to report any such findings to the company’s board and senior management promptly.
So says a new proposal unveiled today by the Public Company Accounting Oversight Board. Right now the proposal is only a proposal, out for public comment until Aug. 7. But if the PCAOB does adopt this proposed new auditing standard (and when might that happen? We don’t know) in substantially the same form, that could bring contentious and expensive new wrinkles to the annual audit, which would certainly affect internal audit and corporate compliance teams.
The PCAOB’s theory here is that by requiring auditors to identify and communicate incidents of non-compliance sooner, the proposed new standard would prod companies to take remedial actions more quickly. That, in turn, would also reduce investor harm from regulatory investigations and monetary penalties, and lower the chance that a company’s financial statements are materially misstated due to compliance and legal violations.
Or, as PCAOB chairman Erica Young put it, “By catching and communicating noncompliance sooner, auditors can help companies course correct and better protect investors from risk.”
For the audit diehards out there, this proposed standard would replace the current Audit Standard 2405, Illegal Acts by Clients, and be renamed AS 2405, Company’s Noncompliance with Laws and Regulations. It would also amend AS 2110, Identifying and Assessing Risks of Material Misstatement, and rescind several secondary pieces of PCAOB guidance.
For the vast majority of us who don’t have PCAOB audit standards committed to memory, the new standard would alter an auditor’s obligations related to a client’s noncompliance with laws and regulations in three key ways:
- Identify. The proposal would establish specific requirements for auditors to identify, through inquiry and other procedures, laws and regulations that are applicable to the company and where non-compliance could have a material effect on the financial statements.
- Evaluate. Auditors would have heightened duties to evaluate whether any non-compliance has happened. For example, auditors would be required to consider whether any specialized skill is needed to assist the auditor in evaluating information about possible non-compliance.
- Communicate. The proposed standard would make clear that auditors are required to communicate to the appropriate level of management and the audit committee as soon as they are made aware that noncompliance might have happened.
Quite a lot to unpack there. Let’s get to it.
Auditors’ Duties on Illegal Acts
We should first remember that audit firms already have a duty to report suspected illegal acts to the Securities and Exchange Commission, under Section 10A of the Exchange Act. Under that provision, when the auditor finds evidence of an illegal act, the auditor must first confirm whether it’s likely that the illegal act happened. If so, the auditor must then inform the company’s management immediately.
If management doesn’t then take any action, and the illegal act has a material effect on financial statements, then the auditor needs to inform the board directly. Boards then have one day to notify the SEC of the auditor’s finding, and to copy the audit firm on that communication. If the board doesn’t do those things, then the auditor must alert the SEC directly.
That’s a fairly high bar to meet before an auditor says, “Forget you, client; I’m going to the SEC” — but this new proposal will drive auditors to look more vigorously for potential illegal acts. If the absolute number of possible violations rises, it becomes more likely that the auditor will find incidents serious enough that boards and management must take the news seriously, or else the auditor will have to report to the SEC.
So that’s one question to ponder right away: how might this new standard force boards and senior management to take auditors’ non-compliance concerns more seriously?
Supporters of this proposal would say, “Duh, that’s the point.” I understand that. But internal audit and compliance executives need to consider all the implications of this change.
For example, this would likely mean that auditors look more closely at internal reporting hotlines and other parts of the compliance program, because that would give the auditor a better sense of potential compliance violations. (Also remember that last year the SEC’s chief accountant called for auditors to do better at assessing fraud risk among clients, and expressly said that the hotline program is one place where auditors should look.)
Internal auditors should also expect external auditors to ask them more questions, more directly, about possible non-compliance; the proposed standard specifically directs external auditors to do that. So what happens if the internal audit team says no, it doesn’t have any such suspicions, and the external auditor finds potential violations anyway? Potential violations which it will then be obligated to communicate to the audit committee, otherwise known as your boss.
All in all, this proposed standard would make the external auditor a more energetic participant in the search for legal and compliance violations. That’s not a bad thing, but the audit firm is only one of several participants doing this dance; the rest of you might get jostled as auditors pick up the pace.
Duelling PCAOB Views
Why is the PCAOB doing this, and should it be done at all? Not all the board is in agreement here.
On one side are voices such as PCAOB commissioner Kara Stein, who also served as an SEC commissioner during the Obama Administration. She gave the example of Wells Fargo, and its catastrophic fake accounts scandal in the 2010s:
The company’s auditor told U.S. senators who were questioning the accounting that “the potential impact” of the “unethical and illegal conduct” would likely be “insignificant.” Moreover, the auditor noted, “improper sales practices do not implicate the effectiveness of internal controls” as “not every illegal act has a meaningful impact on a company’s financial statements or its system of internal controls over financial reporting.” However, the bank paid a high price, as did its investors.
Stein argued that the proposed standard is a “return to roots” (the actual title of her statement) for auditors, as allies and protectors of investors.
Stein has a point. The current AS 2405 standard was adopted in 2003, based on an earlier audit standard from 1988 — long before auditors’ duties were expanded under Section 10A (1995) or the Sarbanes-Oxley Act and its obligations for strong internal controls and compliance programs (2002).
On the other hand, we also have PCAOB commissioner Christina Ho, another journeyman from the Obama years who served in the Treasury Department. She voted against today’s proposal, describing it as “a breathtaking expansion of the auditors’ responsibilities, which I believe will hurt investors.”
“This expansion could cause considerable confusion on the appropriate role of auditors, undermine the time-tested accountability framework, and reduce the resilience of the already highly concentrated audit marketplace,” Ho said in her statement. “Ultimately, this could undermine trust in our capital markets, to the detriment of investors.”
Ho has a point too. A dramatic expansion of auditor duties typically leads to a dramatic expansion of audit fees, which are ultimately paid by investors. Will those costs truly be warranted, if most companies aren’t committing fraud and do have reasonably effective ethics and compliance programs? Plus, how will this work in practice, when large audit firms are likely to be much more sophisticated about these new duties than smaller firms? How are we going to assure quality audit work across such a wide range of firms?
Lots of questions here. Fire up your keyboards and start commenting to the PCAOB.