The PCAOB published Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations, a Proposing Release for public comment, on June 6, 2023.[1] Comments are due August 7, 2023. This proposed standard would replace the current audit requirements addressing “illegal acts by clients” and intentionally changes the focus to “noncompliance.” Although this is a proposal and the final amendments, if any, may change based on public comments, the document provides a road map to the PCAOB’s thinking on the topic and the likely direction of any amended final standard. Audit committees, internal auditors and financial reporting professionals, and other members of management should study the document and start planning now for changes that may be expected by their auditor.
Before delving into the changes, it is important to understand current PCAOB standards. First, the current standards refer to “illegal” acts and “fraud.” One of the key changes being proposed is a titular change to “noncompliance with laws and regulations.” The PCAOB is concerned that the historical use of the term “illegal acts” has unintentionally narrowed the auditor’s focus in performing procedures under the current standards.
Regardless of the nomenclature, the current standards focus on noncompliance with laws and regulations that have a direct and material effect on financial statements, such as tax and pension laws. However, current standards are generally limited in regard to the auditor’s responsibility with respect to identification of noncompliance with laws and regulations that have an indirect effect on the financial statements such as anti-money laundering and environmental regulations, even though noncompliance with these laws and regulations can lead to material financial impact from fines and penalties for noncompliance.
The proposed standards do away with the distinction between direct and indirect, based on the PCAOB’s position that the auditor should focus on all laws and regulations with which noncompliance could reasonably result in a material effect on the financial statements (regardless of whether that effect is direct or indirect). Accordingly, the proposed standards establish specific requirements for auditors to understand management’s processes regarding identification of, and compliance with, laws and regulations in a very broad sense. Under the proposal, auditors also would significantly expand those in the company with whom they need to inquire about relevant laws and regulations and associated noncompliance.
Companies’ management, including representatives from the general counsel’s office, will likely need to reassess their processes and documentation related to risks of noncompliance with laws and regulations that may have a material effect on their financial statements. This process may include identifying relevant laws and regulations, confirming each is addressed appropriately in their compliance program, and assessing the design and operation of their compliance program. Internal audit and the audit and other board committees also will play an important role in this process.[2]
The proposed standards note that while companies currently disclose material risks related to laws and regulations in their periodic filings, the auditor’s identification would not be limited to those disclosed laws and regulations. Identifying the full population of laws and regulations will require consideration of many company-specific factors such as industry, geographies in which the company operates, and historical experience.
For example, a manufacturer with global operations will likely need to consider anti-bribery and corruption laws such as the Foreign Corrupt Practices Act and UK Bribery Act (which have a direct effect on the financial statements), as well as laws and regulations related to the environment, occupational safety and health, and other areas that have an indirect effect on the financial statements. Those areas also would need to be considered by geography, e.g., municipality, state, federal, and international. Auditors will make more inquiries of management and the board regarding compliance with laws and regulations that have an indirect effect on the financial statements than they have in the past. Evaluation of compliance may require specialist(s) to assist management and the auditor.
Assuming the final standards are similar to the current proposed standards, we recommend that companies form a working group with representatives from legal, financial reporting, compliance, internal audit, and other relevant groups to start evaluating their current formal legal risk assessment processes, inventory of relevant laws and regulations, and formal compliance programs in advance of the inevitable questions from their auditors and requests for related documentation. The working group should consider whether outside specialists such as risk professionals, outside general counsel, and/or other outside counsel, e.g., by specialized topic such as environmental law, or specific geographies, etc., are needed. The working group should report its findings and any remediation plans to the audit committee or the full board.
About the Author
Erik Lioy is a FORVIS, LLP partner and a member of FORVIS’ Forensic & Valuation Services practice. He is a forensic accountant with decades of experience conducting internal investigations of financial reporting fraud, regulatory matters, and other frauds on behalf of public and private companies. He also maintains a dispute consulting practice and provides expert testimony on the application of accounting standards, damages, and other topics.
- [1] See the full document at https://pcaobus.org/oversight/standards/standard-setting-research-projects/noncompliance-with-laws-regulations.
- [2] Although the proposed standards simply refer to “management,” many companies employ a three-lines-of-defense model (management, compliance, and internal audit). Each of the three lines will have a role to play.