Last month, the PCAOB issued a proposal for public comment (Release No. 2023-003) to replace current AS 2405 (“Illegal Acts by Clients”) in its entirety with a new AS 2405 (“A Company’s Noncompliance with Laws and Regulations”). If adopted, the proposal would strengthen auditor requirements to identify, evaluate, and communicate possible or actual noncompliance with laws and regulations. The comment period is open through August 7th.
Here are five things to know:
1. New requirement to identify: The proposal would require auditors to proactively identify – through inquiry and additional procedures – laws and regulations that are applicable to the company and that could have a material effect on the financial statements, if not complied with.
This new requirement represents a significant change from the current standard that requires an auditor to obtain reasonable assurance that financial statements are free of material misstatements from illegal acts that would have a direct and material effect on financial statements. The current standard also calls for auditors to make more limited inquiries, and obtain written representations, concerning other violations or possible violations of law that have only an indirect effect on financial statements.
2. New requirement to evaluate: The proposal would require auditors to evaluate whether noncompliance with the identified laws and regulations has occurred, and if so, the possible effects on the financial statements and other aspects of the audit. The extent of audit procedures for this evaluation may be quite significant, including engaging legal counsel or other specialists to assist the auditor in the process of understanding the nature of potential noncompliance and determining whether it is likely that noncompliance occurred.
If likely noncompliance is identified, the auditor would be required to determine the possible effect on the financial statements and assess the implications on other aspects of the audit. In addition, the proposed standard would require an auditor to determine whether senior management has taken timely and appropriate remedial action to address the noncompliance.
3. New requirement to communicate: The proposal would require auditors to communicate to the appropriate level of management and the audit committee (i) as soon as they are made aware that noncompliance with laws or regulations has or may have occurred; and (ii) the results of the auditor’s evaluation of such noncompliance. Currently, the standard only requires the auditor to communicate illegal acts to the audit committee when they come to the auditor’s attention, as soon as practicable and before issuing the auditor’s report.
4. Significant expansion of the role of the auditor: Two PCAOB Board members dissented from the rule proposal. Board Members DesParte and Ho – who are the only two Board Members who are CPAs – each issued a statement explaining their dissent. Among other concerns, both focused on the proposal’s significant expansion of auditor responsibilities and the substantial costs associated with this expansion. This concern is likely one shared by many public companies. Board Member Ho summarized her concerns:
Unfortunately, the proposed standards before the Board today contain a breathtaking expansion of the auditors’ responsibilities, which I believe will hurt investors. This expansion could cause considerable confusion on the appropriate role of auditors, undermine the time-tested accountability framework, and reduce the resilience of the already highly concentrated audit marketplace.
Board Member DesParte echoed these concerns, noting that the extensive new procedures “will require legal acumen and expertise well beyond the auditor’s core competency.”
5. Attorney-client privilege: Another area of concern for lawyers considering the rule proposal is the potential increased risk to maintaining attorney-client and work product privileges over materials related to internal company investigations. Privilege questions arise frequently in connection with internal investigations and related communications to the company’s auditor. Many companies and their counsel take careful and deliberate steps in deciding what information – and how – to share with auditors regarding internal investigations to ensure auditors obtain appropriate information while protecting the company’s attorney-client privilege.
The proposal has the potential to create new and increased risks of waiving privilege in these circumstances. In particular, the new evaluation requirement for the auditor would likely create increased pressure from auditors to provide even more information about the underlying investigation as opposed to a higher-level overview of the process, scope, and facts identified in an internal investigation.