The Public Company Accounting Oversight Board (PCAOB) on June 6 proposed new auditing standards designed to further its ‘investor-protection mandate’. These standards, if adopted, would heighten requirements for auditors to identify, evaluate and communicate regarding a company’s possible or actual non-compliance with laws and regulations.
In proposing the standards, PCAOB chair Erica Williams cited a recent $1 bn class-action settlement regarding alleged misleading corporate compliance statements. She noted the ‘devastating consequences’ of corporate non-compliance, specifically the ‘sanctions, fines and civil settlements [that] directly affect a company’s bottom line’ as well as the ‘reputational damage’ that ‘causes a company’s stock value to decline.’
Williams said current auditing standards for illegal acts fail to meet investor expectations and do not include audit procedures specifically designed to detect all illegal acts that could materially affect a company’s financial statements. She maintained that the proposed standards – released despite the unprecedented dissent from PCAOB board members Duane DesParte and Christina Ho – are designed to remedy that.
So far, the nexus between the proposed standards and ESG may not be immediately apparent. But ESG and sustainability-related regulation is poised to take off globally with, for example, the implementation of the EU Corporate Sustainability Reporting Directive starting in January 2024, the continued legislative progress of the proposed Corporate Sustainability Due Diligence Directive and other sustainability-related regulations in the EU, the issuance of disclosure-related standards from the International Sustainability Standards Board, the SEC’s climate risk disclosure proposal and other ESG developments in Asia, the UK and elsewhere.
The PCAOB’s proposed standards, if adopted, could therefore potentially pull a broad range of ESG and sustainability matters into audit processes, procedures and expenses.
THE EXISTING RULES
The existing rules implicated by the proposed standards include Auditing Standard (AS) 2405, Illegal Acts by Clients and AS 2110, Identifying and Assessing Risks of Material Misstatement.
In summary, AS 2405:
• Outlines the nature and extent of the consideration an independent auditor should give to the possibility of illegal acts by a client in an audit of financial statements and auditor responsibilities when a possible illegal act is detected
• Distinguishes between laws and regulations that have a ‘direct and material’ effect on the determination of financial statements and laws or regulations that have an ‘indirect’ effect and relate more to an entity’s operations than to its financial and accounting aspects
• Affirms the responsibility of auditors to actively detect and report misstatements resulting from illegal acts that have a direct and material effect on financial statements, and acknowledges that auditors ‘ordinarily do not have [a] sufficient basis for recognizing possible violations’ of laws and regulations related to operations that have an indirect effect on financial statements
• Maintains that an auditor should be aware of the potential for indirect effects but must actively identify direct effects.
Meanwhile, AS 2110:
• Requires the auditor to obtain an understanding of: (i) relevant industry factors, including the company’s competitive environment and technological developments; (ii) the regulatory environment, including applicable financial reporting framework and legal/political environments; and (iii) external factors, including general economic conditions
• Requires the auditor to ask management and the audit committee whether they received or are aware of tips or complaints regarding the company’s financial reporting and the company’s response to any such tips or complaints.
The proposed standards seek to replace AS 2405 and retitle the standard ‘A company’s non-compliance with laws and regulations’. Specifically, the standards would:
• Replace ‘illegal acts’ with ‘non-compliance with laws and regulations’
• Abandon the distinction between direct and indirect effects on financial statements and establish an obligation for the auditor to plan and perform procedures to identify all laws and regulations if non-compliance ‘could reasonably’ have a material effect on financial statements
• Require the incorporation of potential non-compliance with those laws and regulations in the auditor’s risk assessment
• Require identification of whether non-compliance may have occurred through additional procedures and testing.
The proposed standards would also amend AS 2110 and related auditing and professional practice standards. Specifically, the standards would:
• Require more expressly that auditors assess the risks of material misstatement arising from a company’s non-compliance with laws and regulations
• Require the performance of enhanced risk assessment procedures, such as obtaining an understanding of a company’s environment, including its regulatory requirements, and management’s processes related to:
– Identifying laws and regulations with which non-compliance could reasonably have a material effect on financial statements
– Preventing, identifying, investigating, evaluating, communicating and remediating instances of non-compliance
– Receiving and responding to tips and complaints from internal and external parties regarding non-compliance
– Evaluating potential accounting and disclosure implications of non-compliance
– Making specific inquiries of management, the audit committee and others regarding non-compliance.
The proposing release frequently identifies environmental laws, regulations and potential violations as those that can have a lasting, albeit indirect, effect on a company’s financial statements, and it stresses the importance of ensuring that auditors contemplate such violations in assessing material misstatements. Specifically, the proposal:
• Identifies on numerous occasions environmental laws, regulations and violations and the ‘significant reputational loss’ that can result from publicity regarding such violations
• Explicitly recognizes the indirect effects of unrecorded environmental remediation liabilities and occupational health and safety violations relating to corporate risks and misstatements
• Contemplates climate-related legislation, asserting that in assessing the business risk of new operations and its effect on material misstatements, the auditor’s ‘consideration would include the potential for contingencies or reserves associated with strict climate regulations.’
The proposing release also mentions a company’s sustainability reporting and the potential implications for its financial statements. In particular, the proposal raises the question of whether sustainability reporting and climate-related pledges run counter to the types of business operations described in a company’s financial statements, and notes the risk of material misstatement that can result.
The proposed standards are therefore designed to ensure that, when appropriate, ‘[t]he auditor would also consider any contradictory audit evidence that the sustainability report and annual report might be presenting with respect to information supporting amounts in the financial statements.’
The comment period on the proposal closed on August 7, 2023, with more than 120 submissions from stakeholders, including compliance officers. Although not always explicitly in favor of the proposed standards, most compliance officers took the opportunity to reiterate the importance of consultations with corporate compliance officers as part of the auditing process.
Others in the auditing community appeared to reject the proposal, noting the broad reach of the standards and the PCAOB’s previous statements that auditors lack the requisite expertise to determine potential legal violations. Commenters were also concerned about whether the PCAOB has the requisite authority to expand auditor responsibilities. Finally, many stakeholders argued that the costs of implementing such standards would far exceed their value to investors.
With the comment period closed, it’s unclear when and if the PCAOB will attempt to finalize the proposed standards. For now, companies should work with their counsel and compliance officers to assess the potential implications of the proposed standards on their financial statements, audit processes and operations. Understanding the scope of an organization’s regulatory exposure, both as it exists today and as it is likely to exist in the not-too-distant future, is a critical first step in assessing the potential impact of the proposed standards.
Companies should also consider reviewing the internal reporting structures and controls around their legal compliance. These structures and controls will likely face increased pressure as the regulatory burden grows.
Lastly, companies should remember that their voluntary ESG and sustainability-related reporting is rapidly moving into the scope of regulatory compliance and legal liability. Understanding how disclosures initially made voluntarily may implicate regulatory and auditing requirements in the future can give an organization a running start.
Sarah Fortt is a partner and global co-chair of the ESG practice with Latham & Watkins. Malorie Medellin is an associate with the firm.