On June 6, 2023, the Public Company Accounting Oversight Board (PCAOB) proposed amendments to its auditing standards related to an auditor’s consideration of a company’s noncompliance with laws and regulations (or NOCLAR) in the performance of an audit to establish and strengthen requirements for (i) identifying, through inquiry and other procedures, laws and regulations with which noncompliance could reasonably have a material effect on the financial statements; (ii) assessing and responding to the risks of material misstatement arising from noncompliance with laws and regulations; (iii) identifying whether there is information indicating noncompliance has or may have occurred; and (iv) evaluating and communicating when the auditor identifies or otherwise becomes aware of information indicating that noncompliance with laws and regulations, including fraud, has or may have occurred.
This has come with disagreement from the PCAOB’s board members and members of Congress. Board Member Duane DesParte and Christina Ho (each an accountant) dissented from the proposal. Board Member DesParte said that the proposal would require an auditor “to identify any and all information that might indicate instances of noncompliance [with] any law or regulation across the company’s entire operations, without regard to materiality.” In addition, on August 23, 2023, the Chairman of the House Financial Services Committee, Patrick McHenry (NC-10), and Chairman of the Capital Markets Subcommittee, Ann Wagner (MO-02), sent a letter to the PCAOB urging the Board to reevaluate the proposed changes in its Exposure Draft regarding NOCLAR standards.
The primary concern is that auditors will be required to (i) focus on immaterial violations of law, and (ii) become more familiar with all legal requirements, which could have the impact of causing auditors to be seen as engaging in the unlicensed practice of law in violation of state requirements that only licensed attorneys engage in the practice of law. Given the broad amount of analysis and reporting that would be needed, as well as the lack of clear guidance on penalties for auditor non-compliance (e.g., compensatory damages or some much higher threshold), it is likely that too many resources will be devoted to legal counsel reviews and reporting non-material noncompliance issues instead of focusing on addressing the root cause of material noncompliance issues. Auditors may end up in the position of forcing client companies to engage legal counsel to resolve several issues that the board of the company (including the audit committee) may have found non-material.
Under the proposed rule, when is an auditor required to consult with legal counsel?
Auditors would be required to consult with legal counsel during audits in certain circumstances. The proposed rules require the auditor to:
- Identify all laws and regulations “with which noncompliance could reasonably have a material effect on the financial statements,”
- Incorporate potential noncompliance with those laws and regulations into the auditor’s risk assessment, and
- Identify whether noncompliance may have occurred through enhanced procedures and testing.
The threshold that triggers the requirement to evaluate noncompliance with laws and regulations, which evaluation may need to be with the assistance of legal counsel, is when the auditor identifies or otherwise becomes aware of NOCLAR or information indicating that noncompliance with laws or regulations, including fraud, has or may have occurred.
For example, the auditor can identify or otherwise become aware of information indicating that noncompliance with laws or regulations has, or may have occurred, from ethics and compliance functions that address tips and complaints; notice from senior management; whistleblower reports; and board minutes. Practically speaking, this means auditors will need to assess most in-house ombudsmen activity to identify potential violations including evaluating the veracity of whistleblowers—of course, these are assessments that an auditor may not be particularly skilled at.
Auditors must consider whether specialized skill or knowledge is needed to assist the auditor in evaluating information indicating noncompliance has or may have occurred. Existing rules only require the auditor to consult with specialists (including legal counsel) if management does not provide satisfactory information that there has been no illegal act. This creates a significant additional burden on auditors.
An auditor may need to engage legal counsel or other specialists to assist the auditor in:
- Understanding certain laws and regulations;
- Assessing and responding to the risk of material misstatement of the financial statements due to noncompliance with those laws and regulations;
- Evaluating whether it is likely the noncompliance occurred; or
- Developing more rigorous inquiries of management or others to understand the circumstances in which the noncompliance occurred.
Because the proposed rules would require auditors to evaluate all noncompliance that comes to their attention, auditors may retain legal counsel or other specialists even when doing so is unnecessary to obtain sufficient appropriate audit evidence.
The proposed amendments do not require the auditor to make judgments outside their areas of expertise. They may retain counsel or other experts whenever they discover possible noncompliance to provide that they have the specialized skill or knowledge needed to assist in their evaluation of information indicating noncompliance.
If the auditor determines that specialized skill or knowledge outside of accounting and auditing is needed to assist the auditor in evaluating noncompliance with laws and regulations, the proposed standard will require the auditor to appoint and properly supervise legal counsel.
Auditors would need to supervise their specialists (including legal counsel) and may need to require additional procedures be followed by them to address performance-related issues.
Examples of situations in which additional procedures ordinarily are necessary include:
- The specialist’s work was not performed in accordance with the auditor’s instructions;
- The specialist’s report, or equivalent documentation, contains restrictions, disclaimers, or limitations that affect the auditor’s use of the report or work;
- The specialist’s findings and conclusions are inconsistent with (i) the results of the work performed by the specialist, (ii) other evidence obtained by the auditor, or (iii) the auditor’s understanding of the company and its environment;
- The specialist lacks a reasonable basis for data or significant assumptions the specialist used; or
- The methods used by the specialist were not appropriate.
To properly evaluate supervision of legal counsel, it is likely separate legal counsel will need to be appointed as oversight measure.
What should I do now?
The Securities and Exchange Commission (SEC) appears responsive to comments around the nexus of auditor and attorney duties, which may be part of the reason we have not seen a finalization of the rule yet.
Notably, on September 8, 2023, at the American Bar Association’s Business Law Section Fall Meeting in Chicago, Illinois, Erik Gerding, Director of the SEC Division of Corporation Finance, said that, “[T]he PCAOB is not primarily composed of lawyers and therefore certain issues that are the cornerstone of being legal counsel, such [as] attorney-client privilege, may not be fully understood by those setting auditing standards, so we will work on having rules that include a focus on key legal principles and issues.”
Assuming the SEC allows finalization of the new rules, the goal of most accounting firms will be to use legal counsel efficiently to allow auditors to charge a lower fee to auditor clients to gain a competitive advantage.
Given the infeasibility of providing an objective measurement for when specialized skill or knowledge is needed to assist the auditor in evaluating information indicating noncompliance has or may have occurred, auditors should take the approach of hiring legal counsel anytime there is an indication of noncompliance that has not been previously evaluated by the auditor and legal counsel.
This means that, after the finalization of the rule, before conducting any other audits, auditors should engage legal counsel to provide a checklist of the high-risk areas of non-compliance depending on the auditor’s client size, industry, and other factors. Auditors would then use the checklist to evaluate noncompliance based on numerical rankings of materiality—for example, the checklist will include several factors such as (i) amount of any claims against the client company, (ii) number of client company employees involved, and (iii) federal vs. local level issues. This will allow the auditor to determine what needs to be disclosed and reported, and what needs further review from legal counsel.
To ensure the audit partner knows everything that came to the firm’s attention and to cut back on the number of staff completing checklists, a project leader should be appointed to manage the checklist as well as the process of (a) ensuring the checklist questions are being asked of the auditor’s client with the auditor’s other standard audit questions, and (b) periodically throughout the audit, distributing the latest checklist to the auditor’s teams to solicit any updates based on new information gathered.
A checklist will allow auditors to evaluate a number of noncompliance issues on their own with the guidance of a legal work product developed by a lawyer, and flag for further review any issues that rise to the level of needing more review from legal counsel.
Upon the engagement of legal counsel for further review of a noncompliance issue, the auditor may leverage the results of such evaluation for further evaluations by the creation of a client-specific manual. This will allow auditors to save costs by addressing the same material issues multiple times with the use of legal counsel only in the first instance.
The auditor may also decide to involve specialists to assist in identifying other transactions that may follow the same pattern as the transaction being evaluated for noncompliance.
For example, with the help of legal counsel’s checklist, if an auditor identified the FCPA as a law that could reasonably have a material effect on the financial statements because the company’s operations are in a jurisdiction where bribery may be more common, or the company or its competitors have a history of FCPA violations, the auditor in planning and performing procedures would (1) obtain a company’s legal counsel report evaluating compliance, and (2) understand management’s processes around FCPA compliance, test relevant controls that were put in place to maintain compliance with the FCPA, or perform cash disbursement testing designed to identify potential bribes. Once the evaluation of noncompliance was complete, a client-specific manual would be created documenting all instances of legal counsel evaluations, their guidance, and outcomes for use during the next identified noncompliance event.
Auditors will find it difficult to assess when legal counsel’s performance requires additional corrective procedures (e.g., when their conclusions are based on inadequate evidence). In situations where it is not clear if an auditor can properly supervise legal counsel, it would be appropriate for such an auditor to engage a second legal counsel to review the opinions and work product of the first legal counsel, as needed, to act as a control over their supervision.
- “Noncompliance with laws and regulations” is defined as an act or omission, intentional or unintentional, by the company whose financial statements are under audit, or by the company’s management, its employees, or others that act in a company capacity or on the company’s behalf, that violates any law, or any rule or regulation having the force of law, including fraud but not including personal conduct by the company’s personnel unrelated to the business activities of the company. Fraud is a broad legal concept and auditors do not make legal determinations of whether fraud has occurred. Rather, the auditor’s interest specifically relates to acts that result in a material misstatement of the financial statements. The primary factor that distinguishes fraud from error is whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional. Fraud is an intentional act that results in a material misstatement in financial statements that are the subject of an audit.
[back to reference ]