The Public Company Accounting Oversight Board (PCAOB) recently closed the comment period for its proposal (the Proposal) to significantly increase the responsibility of audit firms to evaluate and disclose a subject public company’s noncompliance with laws and regulations (commonly referred to as NOCLAR).
The PCAOB received 138 comment letters regarding the Proposal, and most echo the concerns of the two out of five PCAOB members who voted against the Proposal (notably, the two dissenters are the only two accountants on the PCAOB). These concerns include the complex legal analyses that the Proposal would require auditors to undertake and the costs that public companies would incur as a result.
Under the Proposal, which was issued on June 6th, the current PCAOB auditing standard AS 2405, Illegal Acts by Clients, would be replaced with a new standard, AS 2405, A Company’s Noncompliance with Laws and Regulations. Whereas the existing standard requires audit firms to identify and report a subject public company’s NOCLAR that has a direct and material effect on its financial statements, the Proposal would require auditors to plan and perform audit procedures to:
- Identify and consider any potential NOCLAR by the subject public company that could reasonably have a material effect on its financial statements.
- Assess and respond to risks of material misstatement of the financial statements due to NOCLAR.
- Identify whether there is information indicating NOCALR has or may have occurred.
If, as a result of the foregoing, auditors become aware of information indicating that NOCLAR has or may have occurred, the Proposal would require the auditors to communicate that information to management and the audit committee (and in certain cases, the entire board) as soon as practicable.
Notably, auditors would need to communicate information regarding potential NOCLAR to the audit committee before the auditors have fully evaluated the information. If auditors identify likely NOCLAR that has had a material effect on the financial statements, the Proposal would also require them to assess whether senior management has taken timely and appropriate remedial action.
Potential Impact of the Proposal
In order to comply with the Proposal, auditors would be required to undertake complex legal analyses on matters outside their area of expertise—or, more precisely, auditors would be required to hire specialists, in-house counsel and/or outside lawyers to undertake complex legal analyses on matters outside auditors’ area of expertise. Although the Proposal states that auditors would need to consider only laws and regulations potentially applicable to their public company clients, in practice, they would likely err on the side of being overly broad in their analyses in order to avoid potential liability. The costs of these efforts would invariably be passed along to clients and are likely to be substantial, especially for public companies in highly regulated industries such as healthcare or with operations in multiple states or countries (in which cases the universe of potentially applicable laws and regulations is expansive).
The Proposal is controversial even amongst the members of the PCAOB. When the Proposal was adopted, one dissenting member stated, “The securities laws and their implementing regulations do not require a public company’s management to identify all laws and regulations that the public company is subject to, and this proposal seeks to fill that void by requiring auditors to do so. This approach could undermine the long-established accountability framework whereby management prepares and discloses financial information, auditors provide an independent certification on the disclosures, and regulators provide oversight of the public companies and auditors.”
With respect to the Proposal’s audit committee communications requirements, the other dissenting PCAOB member likewise stated, “It is questionable whether it would be useful or a distraction to the Audit Committee for the auditor to communicate information indicating potential noncompliance prior to the auditor’s evaluation of whether the noncompliance has likely occurred or of any financial statement impacts (vs. only reporting matters deemed likely to have occurred and/or to have material financial statement implications).”
Looking Ahead and Key Takeaways
Now that the comment period has closed, the PCAOB will determine whether or not to adopt final rules and whether or not the final rules will make changes to the Proposal. Any final rules adopted will be submitted to the Securities and Exchange Commission (SEC) for approval. Pursuant to Section 107 of the Sarbanes-Oxley Act, proposed rules of the PCAOB do not take effect unless approved by the SEC.
Given that the Proposal has majority support at the PCAOB and that even the two dissenting members expressed support for certain aspects of the Proposal, we expect any final rules submitted to the SEC for approval to expand auditors’ responsibilities with respect to NOCLAR. In the meantime, the PCAOB’s clear focus on NOCLAR might cause auditors to be more demanding with respect to these matters, even under the current standard. Therefore, now would be a good time for public companies to:
- Reevaluate existing legal compliance policies and procedures.
- Consider how the audit committee will evaluate information that auditors may provide regarding NOCLAR or potential NOCLAR.
- Determine how the company will respond to auditor requests for information about NOCLAR or potential NOCLAR, particularly if the information is covered by attorney-client privilege.
If you have any questions not answered above, please email the authors directly or, if applicable, contact your primary Bass, Berry & Sims relationship attorney.