December 6, 2023
Estimated reading time: 6 minutes
Compliance Confessionals – Can external auditors and compliance co-exist or is there only room for one sheriff in town?
In June 2023, the Public Company Accounting Oversight Board (PCAOB) quietly slipped out a request for public proposals that stopped me in my tracks.
The body is mulling ways to revise regulatory standards to cover the auditor’s responsibility when examining a company’s non-compliance with laws, including fraud.
If adopted, it means auditors would need to identify, evaluate, and communicate possible or actual non-compliance with laws and regulations, entering the realm of the compliance officer’s responsibilities.
The PCAOB chair believes that “by catching and communicating non-compliance sooner, auditors can help companies course correct and better protect investors from risk”.
I read this article not once, twice, but several times and have since been skimming the public comments submissions. The comment period ended in August 2023 so now we are awaiting the finalized legislation, should they decide to adopt the rule.
The PCAOB is a non-profit corporation established by Congress to oversee the audits of public companies. The Securities and Exchange Commission (SEC) has oversight authority over the PCAOB. The four primary duties listed on their website include:
- Register public accounting firms that prepare audit reports for issuers, and SEC-registered brokers and dealers.
- Establish or adopt auditing and related attestation, quality control, ethics, and independence standards.
- Inspect registered public accounting firms’ audits and quality control systems.
- Investigate and discipline registered public accounting firms and their associated persons for violations of specified laws, rules, or professional standards.
Key aspects from the AS 2405: Illegal acts by clients
The new proposed standard focuses on three key aspects of auditors’ responsibilities for a company’s non-compliance with laws and regulations:
Auditors would have to proactively identify laws and regulations that apply to the company and could have a material effect on financial statements. This would include financial statement fraud.
Auditors would have to evaluate if non-compliance with laws and regulations has occurred and if possible, the effects on the financial statements and other aspects of the audit.
Auditors are required to communicate to the appropriate level of management and the audit committee as soon as they are made aware that non-compliance with laws or regulations has or may have occurred and the possible effects on the financial statements.
The proposals encourage organizations to take more timely remediation actions. In turn, it believes this will reduce investor harm caused by legal and regulatory penalties. In addition, if adopted it may work to reduce the likelihood that financial statements are materially misstated due to non-compliance with laws and regulations.
The PCAOB’s intent to hold companies more accountable is admirable for transparency of non-compliance issues is a step forward. When major problems are discovered, if auditors are involved, it could drive more transparency by mandating firms to flag these problems in the official audits.
We have all seen financial services organizations endure serious major non-compliance issues after having published stellar audited financial statements, so we all can acknowledge the disconnect.
However, this proposal, by the PCAOB made me question whether they believe risk and compliance professionals (on the staff in every publicly traded company) are well enough equipped to identify risk and non-compliance if we need to hold every auditor accountable for carrying out this job.
Or could it be that the PCAOB does not believe that risk and compliance professionals within these organizations have enough clout to ensure that issues are being disclosed and incorporated in management discussions with the auditors?
Either way, it is troubling, not only to me but to most of the professional associations and major companies that have provided public comments. Most identified this as an overreach by the PCAOB – essentially forcing responsibilities that go beyond an auditor’s mandate and expertise.
Issues raised in the public comments include the following:
- Lack of knowledge of all laws and regulations (Federal, State, and local) that may apply to a company. This is an extension beyond the laws and requirements related to financial reporting.
- The definition and interpretation of the materiality of non-compliance to be captured in an auditor’s report can lead to subjectivity and inappropriate inclusion.
- Incorporation of non-compliance, if identified under generally accepted accounting principles (GAAP), requires the loss to be probable, estimable, and near-term before incorporation into financials. Often non-compliance when initially identified requires considerable work to estimate and most companies may not have any idea of the costs associated with fines and penalties.
- Placing responsibility on auditors to identify and disclose instead of the company’s management.
- Overlap with examinations that already exist from other regulatory bodies.
- Exuberant cost in conducting audits with such a broad scope and mandate and demotivating for companies to go public.
Although I did not identify any public comments from compliance associations, I believe most professionals would agree with all of the above.
In addition, I will stress the fact that within all public companies, there is a Chief Compliance Officer or General Counsel who, as part of their mandate, should have their hands on the pulse of compliance issues.
Rather than the PCAOB putting this burden on the auditors, they may want to consider having a requirement that auditors have independent meetings held with whoever manages compliance risk within a company. These meetings would incorporate discussions on risk assessments, known material compliance issues, and opinions on the compliance health of the organization.
The emphasis here is on ‘independent meetings’ separate from the rest of management. This approach may still not lead to information that would be incorporated into the financials. However, it may lead to insights into future issues and provide an opportunity to raise management items that may be recommended to be self-disclosed, where appropriate.
More importantly, it would bolster the importance of discussion around compliance risk as part of external audits, beyond Sarbanes-Oxley compliance. Audited financial statements are, of course, a necessary part of publicly traded company operations that affect their market value.
The PCAOB efforts are admirable in trying to bring compliance risk impact on financials more to the forefront. However, a different approach to integration is warranted where the existing compliance and risk expertise and knowledge within a company can be leveraged.
To all compliance professionals that are active in your associations: maybe you can inspire your associations to engage with the PCAOB to look at this proposal with a more practical perspective where we partner with external auditors to make the material non-compliance impact to financials more transparent.