SUMMARY
On June 6, 2023, the Public Company Accounting Oversight Board (the Board or PCAOB) issued a request for comment on its Amendments to PCAOB Auditing Standards Related to a Company’s Noncompliance with Laws and Regulations and Other Related Amendments (Public Company Accounting Oversight Board (PCAOB) 2023b). This commentary summarizes the participating committee members’ views on the proposal. Based on our consideration of the issues, we do not support the proposal, due to a number of fundamental concerns.
I. INTRODUCTION
We are pleased to provide feedback on the PCAOB’s Amendments to PCAOB Auditing Standards Related to a Company’s Noncompliance with Laws and Regulations and Other Related Amendments (PCAOB 2023b). The scope and potential impact of this proposal are extremely significant. The Board itself was deeply divided about whether to advance this proposal, with two Board members voting against it (DesParte 2023; Ho 2023). The dissenting Board members cite a number of concerns with the proposal, including its scope and cost, as well as its extension of auditing beyond the typical auditor’s areas of expertise.
This commentary summarizes the participating committee members’ views of the proposal.1 Although we typically comment on proposal releases without opining on the overall proposal, in this case, we believe it is appropriate to offer an overall conclusion. Based on our consideration of the issues, we do not support the proposal, due to a number of fundamental concerns discussed in detail in Section II below.
Our fundamental concerns relate to three key areas:
The proposed scope of the auditor’s task—Major issues include:
the expansive definition of noncompliance with laws and regulations (NOCLAR), including the staggering number of U.S. laws and regulations, possible overlap between auditors and federal/state/local regulators, and testing and scoping issues;
significant opaqueness regarding NOCLAR that “could reasonably” have a material effect on the financial statements;
concerns about how auditors would evaluate actual or possible NOCLAR;
uncertain impacts on the scope of auditors’ internal control testing;
auditor communications issues;
time period (i.e., noncompliance events before the current audit period and subsequent events); and
the breadth of information auditors would be required to consider.
In short, we view the proposal as expanding the scope of the financial statement audit enormously, but with arguably little guidance to help the auditor meet the new responsibilities.
The proposed task relative to the auditor’s areas of expertise—The major concern is asking auditors, who are not legal experts (see Public Company Accounting Oversight Board (PCAOB) 2023a), to conduct or oversee what appear to be essentially full legal/compliance audits of public companies. We note that compliance testing has been successful in audits of governments that receive federal financial assistance, without requiring legal experts. However, the scope of the compliance component of a single audit government engagement is specifically outlined in Code of Federal Regulations 2 Part 200 Subpart F—Audit Requirements (National Archives 2023). Further, compliance testing is done in accordance with the Compliance Supplement (Office of Management and Budget (OMB) 2023), a 2,061 page document that specifically identifies what aspects of compliance have to be addressed by program type. The OMB has done the heavy lifting of compiling the compliance features of the law. Both the single audit laws and the Compliance Supplement help to specify exactly what the scope of an audit will be and exactly what audit steps have to be undertaken. The current proposal has no such tool to guide the auditor on scoping or testing, thus likely requiring the auditors to rely on legal experts to identify critical compliance areas.
The assessment of costs, benefits, and alternatives—The analysis of costs, benefits, and alternatives is incomplete and imprecise, and it appears to fall short of PCAOB policy (Public Company Accounting Oversight Board (PCAOB) 2023c). Noticeably absent from the analysis is any quantification of costs (i.e., there are no numbers). We expect direct costs to be extremely high relative to current audit costs. Depending on how audit firms approach this task, the cost of this proposal might be a multiple of current audit fees. Also missing is detailed consideration of indirect costs to be borne by companies to accommodate enhanced auditor procedures. We highlight several additional audit or audit-related costs. There may be other costs to society, such as companies choosing not to operate as publicly-traded entities. The benefits side is similarly underdeveloped. It is unclear whether the Board seeks to change the audit objective from protecting investors from financial misstatements to protecting them from stock price crash risk (“negative skewness in the distribution of returns for individual stocks” (Habib, Hasan, and Jiang 2018, 212)). Further, there is almost no consideration of other alternatives. PCAOB policy promises a very robust cost-benefit analysis; it is essential for a major proposal like this.
Overall, the scope of this proposal appears to go well beyond the auditor’s areas of expertise, potentially changing the purpose of the audit to expand beyond providing reasonable assurance that the financial statements are free of material misstatement. The omission of a detailed consideration of the costs and benefits of the proposal prevents drawing any conclusions as to whether it should be adopted. For these reasons, we do not support the proposal.
In Section II, we provide a detailed discussion of our fundamental concerns. We do not provide responses to the questions posed in the Release, either because (1) they are addressed in our discussion of fundamental concerns (Section II), or (2) they often ask only about the “clarity” of a requirement, not the substance or appropriateness of a requirement. Although we find many of the proposed requirements quite clear, we had fundamental issues with their substance or appropriateness. We encourage the PCAOB to ask stakeholders about both the substance and clarity of proposed requirements.
II. FUNDAMENTAL CONCERNS
In our view, this proposal reflects a major shift in the nature of auditing. Auditors would be required, presumably with the help of teams of attorneys, to gain assurance regarding clients’ actual or possible NOCLAR. The focal laws and regulations are any for which noncompliance “could reasonably” have a material effect on the financial statements, a very nebulous standard. It appears that the range of laws and regulations is nearly limitless. The proposed scope of the auditor’s task; the proposed task relative to the auditor’s areas of expertise; and the assessment of costs, benefits, and alternatives all present fundamental issues. We discuss our major concerns in the sections below.
The Proposed Scope of the Auditor’s Task
The Expansive Definition of NOCLAR
The Release defines NOCLAR as follows (PCAOB 2023b, 24):
An act or omission, intentional or unintentional, by the company whose financial statements are under audit, or by the company’s management, its employees, or others that act in a company capacity or on the company’s behalf, that violates any law, or any rule or regulation having the force of law. Noncompliance with laws and regulations includes fraud as described in paragraph .05 of AS 2401, Consideration of Fraud in a Financial Statement Audit. Noncompliance with laws and regulations does not include personal conduct by the company’s personnel unrelated to the business activities of the company.
This definition raises several major concerns. First, the definition of NOCLAR is essentially limitless, excluding only “personal conduct by the company’s personnel unrelated to the business activities of the company.” It could “encompass violations of any law or any regulation having the force of law…and all types of noncompliance” (24). Further, the Release notes:
The definition would encompass a wide variety of conduct, including embezzlement of company funds, misappropriation of assets, or payment of bribes, as well as other conduct that has financial consequences to the company, such as violations of employment, occupational safety and health, antitrust, or privacy laws and regulations.
It is not clear how any auditor could deal with the breadth of possible laws and regulations under this standard. Further, we have serious concerns about what constitutes “any rule or regulation having the force of law” (24). What does this term mean, and who would make this determination?
By contrast, International Standard on Auditing (ISA) 250 (International Auditing and Assurance Standards Board (IAASB) 2016a) has two categories of laws:
(a) Laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements; and (b) Other laws and regulations that do not have a direct effect on the determination of the amounts and disclosures in the financial statements, but compliance with which may be fundamental to the operating aspects of the business, to an entity’s ability to continue its business, or to avoid material penalties; non-compliance with such laws and regulations may therefore have a material effect on the financial statements. (International Auditing and Assurance Standards Board (IAASB) 2016b, 4; emphasis added)
ISA 250 points auditors toward indirect effect laws that are “fundamental to” operations, going concern, and material penalties. The PCAOB Release seems to suggest that the focus (before considering materiality, discussed below) is any law, regulation, or rule, whether federal, state, or local. We strongly encourage the PCAOB to adopt a much narrower definition of NOCLAR.
Second, the staggering number of U.S. regulations adds to the scope issue. As noted by Sexton (2023):
More than 88,000 federal regulations were promulgated between 1995 and 2016…The Federal Register…totals nearly two million pages dating back to its inception in 1936. And the Code of Federal Regulations ran to 185,000 pages in 2020. In addition, state and local governments have their own laws and rules.
There is no way anyone can know enough to avoid inadvertently violating all the laws, rules and regulations. According to lawyer and author Harvey Silverglate, the average American unintentionally commits three felonies a day.
To have any hope of complying with the law and managing your life within the system, you need an army of specialized lawyers, accountants, tax preparers, consultants, advisers and advocates. (emphasis added)
Just at the federal level, the number of regulations is overwhelming, and noncompliance is virtually assured (“three felonies a day”). How can auditors possibly deal with this volume and complexity of regulations? Even a law firm might not have expertise across all legal and regulatory areas that could possibly relate to a single company’s NOCLAR.
Third, there seems to be great potential for overlap between financial statement auditors and federal/state/local regulators. For example, how would the auditor’s work interface with oversight by labor, occupational safety, antitrust, financial, nuclear, or insurance regulators? Will management and auditors be charged with repeating work already done by regulators?
Fourth, without additional guidance on testing and scoping, the potential for vastly different interpretations of what should be in scope would likely be substantial. As compliance testing would certainly drive fees, auditors may compete on how they scope these compliance tests. Would the PCAOB provide a Compliance Supplement (OMB 2023) to ensure uniformity in applying this standard? Could a scoping tool be used, similar to the Single Audit Act (CFR 2 Part 200 Subpart F, National Archives (2023))?
Overall, we find the definition of NOCLAR to be virtually unlimited and unworkable. Almost anything seems to qualify (see below for discussion of materiality).
Significant Opaqueness Regarding NOCLAR that “Could Reasonably” have a Material Effect on the Financial Statements
The one constraining factor that pulls the auditor back from considering essentially all laws and regulations in existence is the requirement to focus on identifying “laws and regulations with which noncompliance could reasonably have a material effect on the financial statements” (27). Further, the Release notes (29):
We believe the inclusion of the phrase “could reasonably have a material effect” would appropriately tailor the requirements to include those laws and regulations that relate to the way matters are presented (that is, recorded or disclosed) in the financial statements (for example, tax, pension, and certain securities laws) and other laws and regulations that may relate to the operations of a company with which the company’s noncompliance could reasonably result in material penalties, fines, or damages to the company (for example, for a chemical company, environmental protection regulations).
We respectfully disagree with the notion that the “could reasonably have a material effect” standard is appropriately tailored, as many questions remain. Perhaps of greatest concern, how would an auditor determine whether a specific instance of NOCLAR “could reasonably” have a material effect? This proposed standard would need a great deal of explanation, along with many illustrative examples.
The Financial Accounting Standards Board (FASB) already has in place language for reporting contingent liabilities. The Financial Accounting Standards Board (FASB) (1975) uses language such as “probable” or “reasonably possible” for reporting contingencies. The Board’s proposed language using the word “reasonably” could add confusion to interpreting the FASB standard. The Board might consider language that simply reminds the auditor to ensure the client is following current GAAP on contingencies when considering material misstatements regarding noncompliance.
Further, would auditors be expected to catch, for example, a technology company with an environmental issue or a chemical company with a data privacy issue (i.e., NOCLAR that is not typically expected in an industry)? Would auditors operating under this standard be expected to identify at an early stage issues like banks’ relationships with Jeffrey Epstein, a case that has resulted in significant bank fines/settlements and alleged bank noncompliance (Merle and Telford 2020; Atkins 2023; Javers and Mangan 2023)? Or would the Epstein case be outside the scope of the proposed standard? How would this proposed standard have operated to identify the Wells Fargo manipulations at an early stage (see Williams (2023) for a discussion of this case)? Would auditors need to consider whether possible litigation against the company might credibly allege NOCLAR (e.g., technology companies being pursued for harming teens with their algorithms, or fast-food companies being sued for serving coffee or food that is too hot)?
Overall, we cannot envision how auditors would operationalize the “could reasonably have a material effect” standard without a great deal of additional guidance. We also believe that there needs to be clarity about quantitative versus qualitative materiality, as well as differentiating between effects on the financial statements versus effects on the stock price (also see “The Assessment of Costs, Benefits, and Alternatives”). For example, a data breach could cause a significant stock price effect, but have a relatively small financial statement impact limited to the expenses for providing some type of monitoring for the people affected. One might argue that the stock price effect is qualitatively material even though the monitoring costs are immaterial. Is identifying the noncompliance in this data breach example envisioned by this standard? Securities and Exchange Commission (SEC) (1999) Staff Accounting Bulletin No. 99—Materiality notes: “When, however, management or the independent auditor expects (based, for example, on a pattern of market performance) that a known misstatement may result in a significant positive or negative market reaction, that expected reaction should be taken into account when considering whether a misstatement is material.” Noncompliance that might induce stock price volatility makes judging materiality considerably harder for the auditor; therefore, detailed guidance from regulators on how to evaluate materiality and report on noncompliance will be essential.
Concerns about How Auditors Would Evaluate Actual or Possible NOCLAR
The Release proposes that auditors “identify whether there are instances of noncompliance with laws and regulations that have or may have occurred” (27). In terms of noncompliance that has occurred, in the absence of legal expertise (see below, “The Proposed Task Relative to the Auditor’s Areas of Expertise”) and/or a trial, it is not clear how auditors are supposed to evaluate actual noncompliance since the proposal only outlines investigative procedures rather than a framework of exactly what areas require compliance. How can the auditor provide an opinion without a compendium of applicable laws and regulations (see “The Expansive Definition of NOCLAR” above and “Uncertain Impacts on the Scope of Auditors’ Internal Control Testing” below)?
Further, evaluating possible noncompliance seems to be extremely speculative, and it presents an additional issue. One could argue that noncompliance always “may have” occurred. Silverglate (2009) asserts that each of us likely breaks multiple federal laws each day. As a practical matter, what is the chance that any random audit client is in noncompliance with something that “could reasonably” be material? In our view, it is 100 percent.
Overall, given the auditor’s lack of legal expertise, as well as the challenges evaluating possible NOCLAR, we do not believe this requirement is clear or workable.
Uncertain Impacts on the Scope of Auditors’ Internal Control Testing
The Sarbanes-Oxley Act (Sarbanes-Oxley Act (SOX) 2002) expanded the auditor’s role to include testing of internal control over financial reporting (ICFR). This requirement turned out to be extremely costly, but it also has been associated with improvements in financial reporting (see Schneider, Gramling, Hermanson, and Ye (2009) for a review of ICFR research).
The proposed standard seems to move the financial statement audit closer to that for governments, where compliance with laws and regulations is tested as part of the Single Audit. The difference is that the Office of Management and Budget (OMB 2023) has created the Compliance Supplement which lists the areas of compliance for each type of grant. The auditor is also required to test and report on internal controls related to these programs.
Our concern with the present Release is whether the auditor’s requirement to focus on NOCLAR will have the effect of substantially broadening internal control testing. Presumably, auditors need to consider internal controls addressing compliance with laws and regulations in addition to ICFR, at least those areas that could result in a material misstatement. If so, what are the associated costs and benefits (see “The Assessment of Costs, Benefits, and Alternatives” below)? According to Committee of Sponsoring Organizations of the Treadway Commission (COSO) (2013, 3), “Internal control is a process…designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” The Securities and Exchange Commission was careful to define ICFR so that the auditor was only responsible for internal controls over reporting and not for testing compliance or operations (Securities and Exchange Commission (SEC) 2003). Does expanding auditor testing to include compliance with laws and regulations go beyond the intent of Congress to expand internal control testing to aspects of compliance? We believe it likely does.
Further, the Board may wish to consider adopting guidance similar to the Compliance Supplement published by the OMB (2023) to identify areas of compliance and what specifically would need to be tested. Such a Compliance Supplement would be quite an undertaking, as the 2023 document is 2,061 pages. If the audit scope is expanded to include all laws, the compliance guidance might exceed 10,000 pages. Given the Matrix of Compliance requirements of the 2023 Compliance Supplement for federal financial assistance programs, it is hard to envision what that matrix might look like for essentially the universe of laws and regulations.
Auditor Communications Issues
The Release raises issues regarding auditor communications with others, especially the audit committee and other parties, as well as concerns about the reporting of fraud. We discuss these concerns below.
Audit committee
The proposed standard would result in an increase in the scope of auditor communications with the audit committee that is inconsistent with other PCAOB standards, as well as international standards, and could have unintended impacts on the effectiveness of the audit committee.
The increase in the scope of communications is driven by the removal of materiality as a consideration in determining which matters to communicate, as well as a requirement to communicate noncompliance that “may have” occurred versus noncompliance that “likely” occurred. Additionally, the requirement to communicate prior to evaluating likelihood or the potential effect on the financial statements reinforces this increase in scope, as well as increasing the frequency of communications by establishing multiple instances of required communications.
The objective of the auditor’s communications with the audit committee per Auditing Standard (AS) 1301.03.d (Public Company Accounting Oversight Board (PCAOB) 2012; emphasis added) is to provide “timely observations arising from the audit that are significant to the financial reporting process.” This includes items such as difficult matters that require consultation that “are relevant to the audit committee’s oversight of the financial reporting process” (AS 1301.15; emphasis added) and deficiencies in ICFR after they have been evaluated and determined to rise to the level of a material weakness or significant deficiency (AS 1305 and 2201, Public Company Accounting Oversight Board (PCAOB) (2003a) and Public Company Accounting Oversight Board (PCAOB) (2007), respectively). The current proposal requires communications that go beyond the objective established by AS 1301 by requiring communications regardless of materiality and likelihood, as well as by requiring communications regarding potential noncompliance “as soon as practicable,” which could be prior to considering the effect on the financial statements. Additionally, the “as soon as practicable” requirement applies to all potential noncompliance, which is inconsistent with other standard setters. ISA 250 (IAASB 2016a) only requires communication with those charged with governance as soon as practicable in instances where the suspected noncompliance is intentional and material.
An increase in information required to be communicated to the audit committee could result in information overload and/or an increase in busyness that ultimately leads to less effective oversight of financial reporting. Audit committee expertise and involvement in various processes is associated with higher financial reporting quality (see Hermanson, Hurley, and Obermire (2023) for a recent summary). Providing audit committees appropriate information with which to apply their expertise should support them in fulfilling their monitoring role. However, information overload can dilute the effect of useful information and result in worse judgments. Significant increases in disclosures have been found to create information overload for investors (Impink, Paananen, and Renders 2022), suggesting the same phenomenon could affect audit committees. Further, effective monitoring takes time. Research suggests many audit committees are not prepared to expand the scope of their oversight responsibilities (Cunningham, Stein, Walker, and Wolfe 2023). In 2002, SOX increased audit committee responsibilities, and research finds audit committee members holding multiple directorships are associated with lower financial reporting quality post-SOX, suggesting negative effects of “busyness” (Sharma and Iselin 2012; Tanyi and Smith 2015). An increase in required communications to the audit committee could similarly result in information overload and/or an increase in responsibilities that detract from effective oversight, which is contrary to the goals of the proposal.
Narrowing the requirements for communications with the audit committee to those matters that are significant to the financial reporting process would bring the proposed standard more in line with other standards and avoid potential unintended consequences.
Other parties
Current requirements to communicate to others are sufficient, within the auditor’s domain, and covered elsewhere in the standards (e.g., communicate to the SEC if resigning in proposed AS 1310 (Public Company Accounting Oversight Board (PCAOB) 2022), to the successor auditor in AS 2610 (Public Company Accounting Oversight Board (PCAOB) 2003c), or in response to a subpoena). Including cross-references to these standards in the footnotes to proposed AS 2405 serves as a reminder without setting separate criteria. The auditor is not making a legal determination regarding noncompliance; therefore, communication to other regulatory bodies is likely inappropriate and inconsistent with the auditor’s confidentiality requirements (American Institute of Certified Public Accountants (AICPA) 2014, 1.700.001). Additionally, requiring the auditor to report to broader authorities could serve as an impediment to management transparency.
Fraud
Fraud is a type of NOCLAR, but it is unique in that it is intentional. Fraud includes both fraudulent financial reporting and misappropriation of assets. Fraudulent financial reporting suggests a failure in ICFR, which specifically falls within the audit committee’s oversight responsibilities. Misappropriation of assets, when it is immaterial, is currently not always required to be communicated to the audit committee. Incorporating the auditor’s consideration of fraud into the proposed standard on NOCLAR suggests that all instances of noncompliance will be treated as severely as fraudulent financial reporting. This appears to go beyond the auditor’s objective of providing reasonable assurance that the financial statements are free of material misstatement. The unique nature of fraud likely warrants full coverage in its own standard, AS 2401 (Public Company Accounting Oversight Board (PCAOB) 2003b), rather than equating it to all other potential noncompliance.
Time Period
Is the auditor focused on NOCLAR during the year, at year-end, and/or as a subsequent event? As a practical matter, would auditors need to do continuous NOCLAR testing? What responsibility does the auditor have for identifying past noncompliance? There could potentially be material consequences for previous, but not current, noncompliance.
The Breadth of Information Auditors Would Be Required to Consider
The Release suggests a variety of information sources for auditors to monitor, including “the company’s website, the company’s or its executive officers’ social media accounts, media reporting, and analyst reports” (emphasis added). Monitoring executives’ social media accounts, which could be private, seems to reflect a major expansion in the auditor’s information requirements.
The Proposed Task Relative to the Auditor’s Areas of Expertise
The recent PCAOB Release No. 2023-001, Proposed Auditing Standard—General Responsibilities of the Auditor in Conducting an Audit and Proposed Amendments to PCAOB Standards (PCAOB 2023a), reaffirmed the importance that auditor competence plays in conducting high-quality audits. The proposed standard defines competence as follows (paragraphs .07 and .08):
The audit must be performed by an auditor who has the competence to conduct an audit in accordance with applicable professional and legal requirements. Competence consists of having the knowledge, skill, and ability that enable an auditor to perform the assigned activities in accordance with applicable professional and legal requirements and the firm’s policies and procedures. The measure of competence is qualitative rather than quantitative because quantitative measurement may not accurately reflect the experience gained over time.
Note: Competence includes knowledge and expertise in accounting and auditing standards and SEC rules and regulations relevant to the company being audited and the related industry or industries in which it operates.
The auditor should develop and maintain competence through an appropriate combination of:
Academic education;
Professional experience in accounting and auditing, with proper supervision; and
Training, including accounting, auditing, independence, ethics, and other relevant continuing professional education. (emphasis added)
Notably, the discussion of auditor competence above focuses on being able to conduct an audit; having expertise in accounting and auditing standards and SEC rules; understanding the client’s industry; and having training in accounting, auditing, independence, ethics, and other relevant continuing professional education. The discussion above, however, is silent on the auditor having expertise in legal, regulatory, and compliance issues. Further, it is silent on the auditor having expertise in essentially all laws and regulations (see “The Proposed Scope of the Auditor’s Task”).
In our view, there is a profound mismatch between the accounting and auditing expertise described in PCAOB (2023a) and the current proposal on NOCLAR. Specifically, the NOCLAR proposal seems to suggest that auditors must also be legal and compliance experts, or hire such expertise. This raises a fundamental and important question, “Why require auditors to take on a task that is outside their stated areas of expertise?”
Audit firms’ response to this expertise gap would seem to be hiring or engaging teams of outside legal and compliance experts, who would play a key role in audits going forward. The proposal does not provide a rationale for such a profound shift in auditing (also see “The Assessment of Costs, Benefits, and Alternatives” below). In the extreme, could creating such prominent audit roles for nonauditors ultimately lead to opening up audit competition to nonlicensed professionals?
The Assessment of Costs, Benefits, and Alternatives
The PCAOB requires that economic analysis of regulations address four main elements: (1) the need for the rule, (2) the baseline for measuring the rule impacts, (3) the alternatives considered, and (4) the economic impacts of the rule (and alternatives), including the benefits and costs (PCAOB 2023c). Our most significant concerns relate to the discussion of costs, benefits, and other alternatives.
Costs
Overview of the cost analysis
The analysis of the proposal’s costs is incomplete and imprecise, and it appears to fall short of PCAOB policy (PCAOB 2023c, 76, 79). The Release recognizes that costs are likely to be “substantial”; however, the analysis does not reflect any effort to estimate the costs. In short, the cost analysis contains no numbers. For example, the Release states: “The Board recognizes that imposing new requirements would result in additional, potentially substantial costs to auditors and the companies they audit” (76), and “Auditors may need to retain attorneys or other legal experts, including attorneys from different legal disciplines or specializations…These specialists could be costly to retain” (79).
Among the important questions that are unaddressed are: Is there a ballpark sense of what this might cost? Could it be 5 percent of current audit fees? Or could it be 10 percent, 25 percent, 75 percent, 150 percent, 300 percent, or something else? Without even a ballpark estimate, it is impossible to weigh costs against benefits. It is clear that the costs will be “substantial,” but this term could have a very wide range of meanings. With costs likely to increase dramatically under the new standard, a more specific and detailed cost analysis is essential for the reasons described throughout our response and to comply with the PCAOB’s policy.
Increased costs of performing the audit
We believe identifying and analyzing all potential instances of noncompliance will substantially impact an engagement team’s budget, as it has effects throughout the audit, including during planning and understanding the client, performing risk assessment, employing new specialists and attorneys with expertise in areas that are beyond the scope of an auditor’s core knowledge base, communicating the new risks with the audit committee, and obtaining sufficient and appropriate audit evidence (e.g., new, previously untested controls related to compliance with laws and regulations).
We believe there will be substantial new costs because auditors will likely need to rely on new specialists and additional attorneys to properly evaluate NOCLAR based on the requirements in the Release. As the Release acknowledges (see page 79), it is likely that auditors will not have the expertise to properly evaluate all areas of noncompliance because often the effects will be outside their core areas of knowledge. Furthermore, because of the myriad of subject matters addressed in applicable laws and regulations for any given client, it is possible that auditors will need to engage multiple specialists for each engagement, increasing costs exponentially.
Because of the breadth of the proposed standard and the pervasive effects on the audit, specialists engaged to assist with identifying noncompliance risk may need to be engaged earlier in the audit than other specialists, thus increasing costs. Recent research examined when during an audit specialists became involved. The four phases of an audit considered were (1) acceptance/retention, (2) planning and risk assessment, (3) execution, and (4) review. Specialists were most often found to become involved in the planning and risk assessment phase, with few playing a role in acceptance/retention (Boritz, Kochetova, Robinson, and Wong 2020). However, noncompliance specialists may need to be engaged during the acceptance/retention phase due to the impact of their work on the audit firm’s engagement risk. Earlier and ongoing involvement of these specialists will also increase cost (see Hux (2017) for a review of literature on auditors’ use of specialists).
Academic research finds that integrating the work of any type of specialist into the engagement team is challenging based on cost and its influence on audit quality (Hux 2017; Boritz et al. 2020; Zimmerman, Barr-Pulliam, Lee, and Minutti-Meza 2023). Boritz et al. (2020) find that auditors feel regulatory pressure to use specialists, which is likely to be exacerbated with this Release. The researchers then find that auditors will attempt to minimize the specialists’ work (to the potential detriment to audit quality) to meet their budgets, minimize delays, and maintain a strong client relationship. Hux (2017, 32) notes, “Because specialists tend to carry higher fees, their use can quickly erode the overall audit budget.” Relatedly, Zimmerman et al. (2023) find that the increased use of in-house specialists grows audit team hours and negatively influences realization rates on the audit (i.e., audit fees divided by audit hours). The latter finding is important because it suggests that there is no conclusive evidence that auditors pass on the cost of the specialists to their clients in the form of increased audit fees. As a result, audit teams must decide how to complete their audits within budget and meet deadlines despite a larger engagement team and more specialized work.
Cumulatively, we believe budget, deadline, and audit fee pressures are likely to further exacerbate audit quality concerns with the increase in specialists and attorneys needed to appropriately identify and evaluate potential areas of noncompliance. For smaller firms that do not have in-house specialists and attorneys, this also means that they will carry an even greater burden. With the pressures identified by the above academic studies coupled with the greater costs for new specialists and attorneys, small firms’ competitiveness will be more at risk within the audit market. Because we believe the proposed standard would be unreasonably onerous to auditors of filers that are Emerging Growth Companies (EGCs), we also do not support the application to EGCs.
Further (see above, “Uncertain Impacts on the Scope of Auditors’ Internal Control Testing”), companies are likely to also incur incremental costs related to internal controls. When SOX mandated ICFR audits, the costs to companies were substantial. Alexander, Bauguess, Bernile, Lee, and Marietta-Westberg (2013) estimated that companies’ average cost of compliance with SOX 404 for 2007/2008 was $1.2 million, composed primarily of audit fees (35 percent of total audit fees), internal labor costs, and outside consultant fees. Given the breadth and scale of the present proposal, it is possible that increased costs of internal control testing also could be substantial.
Increases in other related costs
Beyond the substantial new costs required throughout the audit process, four particular costs that should be considered further are (1) increased risks of auditor liability and effects on market concentration, (2) audit firms’ reputational losses based on the new requirements, (3) likely increased effects of staff shortages on audit quality, and (4) possible impacts on companies going private.
First, with the increased requirement to consider all NOCLAR, regardless of the direct or indirect effect on the financial statements, auditors will now be open to liability risk for effects that are not within their areas of expertise (see “The Proposed Task Relative to the Auditor’s Areas of Expertise”). Therefore, auditors will likely need to incur additional costs upfront by increasing their use of attorneys during the audit, as well as subsequent to the issuance of the audit report if an issue of noncompliance arises.
Faced with the immeasurable liability this proposal would create, many audit firms may choose to divest themselves of all covered clients, thus further concentrating the market for audit services for public companies and broker-dealers. The audit industry’s market concentration increased after the passage of SOX (2002). Specifically, research indicates that the number of audit firms with less than 100 clients fell by approximately one half (Liu and Simunic 2005; DeFond and Lennox 2011; Christensen, Smith, Wang, and Williams 2023). Former PCAOB board member, Steven Harris (2017), discussed implications of audit industry concentration, stating that the Big 4 audit firms “collectively audit approximately 97 percent of the total U.S. market capitalization” with specialization further exacerbating that concentration in certain industries. Although focused mainly on the Big 4, Mr. Harris discussed risks to audit quality and the financial markets if further concentration were to occur. We believe it is probable that audit firms with few public audit clients will choose to leave the industry rather than incur additional liability, increasing the market concentration concern.
Second, Alderman (2021) discusses the heightened risk of reputational loss in the current era of mass dissemination of negative information whenever there is an audit-related scandal or litigation. Any new regulation can increase the risk of liability or reputational loss; however, we believe this Release uniquely increases both of these potential risks to the audit firms because auditors will now be responsible for all NOCLAR even if the noncompliance is outside their core competencies. Cumulatively, the totality of additional costs will also likely create a burden that will require significantly increased audit fees, which then presents a new cost to the clients and public.
Third, with the well documented staffing shortages and pipeline issues in accounting (e.g., American Institute of Certified Public Accountants (AICPA) 2022; Foley 2022), we believe that the new costs and increased workload requirements resulting from this Release could carry extensive, unintended costs beyond the intended benefits. With an already stressed workforce, fewer auditors entering the field, and significant new and increased work based on this Release, audit quality may be at risk. For example, Persellin, Schmidt, Vandervelde, and Wilkins (2019) find in a survey of 700 auditors that auditors believe they are already working beyond reasonable thresholds required to maintain audit quality due to staffing shortages and deadlines, among other reasons. We believe the new requirements from this Release may exacerbate the concerns identified in this study by increasing workloads and the size of the audit team to include new specialists and attorneys.2
Fourth, the cost of regulation could increase the likelihood that some companies would go private. Engel, Hayes, and Wang (2007) found that going-private decisions after the passage of SOX were affected by relative difference of SOX benefits versus costs. New requirements of the magnitude considered in this proposal could significantly increase the cost of regulation for public companies.
Benefits
The Release discusses multiple potential benefits for auditors, including greater incentives (or, in our opinion, more likely penalties) for auditors to detect a company’s NOCLAR and a reduction in information asymmetries via greater communication with the audit committee and specialists. We appreciate that these types of benefits are very difficult to quantify. However, we believe that it is important to clearly state, from an investor perspective, exactly what problem the PCAOB is trying to solve, and why having auditors oversee legal and compliance audits is the best solution to that problem. Certainly, the costs of NOCLAR can be high. But is there evidence that investors are seeking a huge expansion of the scope and cost of audits in order to address NOCLAR? For example, how would investors respond if the NOCLAR proposal resulted in audit fees that are double current levels? What if fees were triple current levels? These important questions have not been addressed in the proposal, making it impossible to evaluate the economics of the proposed standard.
Further, is investor concern with NOCLAR related more to financial misstatements or to stock price crash risk (“adverse consequences” for investors)? If the main concern is stock price crash risk, is it appropriate for the auditor to play any role in mitigating that risk?
Other Alternatives
The discussion in the Release surrounding other alternatives is generally procedural. We do not understand how the Release supports the goal of modernizing and clarifying existing standards or improving investor protection without considering credible alternatives to the proposal. We address the last two concepts in the Release that consider (1) whether auditors should be responsible for both indirect and direct acts of noncompliance and (2) whether auditors’ responsibilities should be limited by their skillsets (also see “The Proposed Task Relative to the Auditor’s Areas of Expertise”).
First, we agree that indirect acts of noncompliance with laws, rules, and regulations can have significant impacts on a company and its investors, even equal to direct acts of noncompliance. However, the significant impacts seem to address stock price volatility, not the reporting of the financial position of the company. Thus, the fundamental question is whether financial statement auditors should be responsible for identifying and reporting on such indirect acts of noncompliance. We submit that addressing potential noncompliance that indirectly impacts the financial statements, as required by the proposed standard, would be vastly more difficult to apply than the current standards because the universe of applicable offenses is both vague and staggering. Also, under current standards, auditors have some responsibilities related to indirect acts of noncompliance. Any such act that comes to the auditor’s attention must be addressed. Therefore, we believe the current standard is much more reasonable and feasible to apply than the proposed standard.
Second, we believe the Release changes the scope of an audit to purposefully attach responsibilities to auditors for which they reasonably possess no related expertise. The Release argues that “the proposed amendments do not state that the auditor is required to make a definitive legal determination about whether noncompliance has occurred. Instead, the proposed amendments would also require the auditor to determine if it is likely that noncompliance has or may have occurred” (91; emphasis added). We believe this is a distinction without a difference; to determine whether indirect noncompliance may have occurred would also require legal expertise not reasonably possessed by financial statement auditors (see “Concerns About How Auditors Would Evaluate Actual or Possible NOCLAR” and “The Proposed Task Relative to the Auditor’s Areas of Expertise”).
The Release discusses that changing the audit standards will “protect investors from the resulting harm of noncompliance with laws and regulations when the effect of such noncompliance has a material effect on the financial statements” (4). First, we believe such a high level of protection for investors is unreasonable because all investments carry risk. Second, to the degree that investor protection is desirable and reasonable, that burden should be shared among many participants in the financial markets, including federal and state regulators, such as the SEC, EPA, FTC, etc., and their related auditors. These respective compliance auditors would be much more capable of identifying and reporting on instances where it is likely that noncompliance has or may have occurred. Therefore, we do not believe that financial statement auditors should bear this responsibility for the universe of laws, rules, and regulations outside of their areas of expertise.
If adopted, we believe this Release would change the definition, function, and purpose of a financial statement audit. Comparatively, within SOX, Congress expanded the audit of a public company by adding the requirement of opining on a client’s ICFR. Although this change significantly reshaped the landscape of the audit world, it introduced new auditor responsibilities that were properly aligned with an auditor’s specific areas of expertise. We believe this current Release seeks to introduce new responsibilities that are not reasonably aligned with an auditor’s skillset.
Overall, we do not believe that the analysis of costs and benefits provides a basis for drawing conclusions about the value proposition of the proposed standard. However, it is clear that the costs will be “substantial.” Further, there is almost no consideration of other alternatives.
If failure to report on material instances of noncompliance is considered a significant societal problem, the Board might consider working with the FASB to request a review of the current rules to determine whether they are sufficient for addressing how material instances of noncompliance should be quantified and disclosed in the financial statements. Are these noncompliance items to be treated just as any other contingencies for financial statement purposes? Are there special issues for this category of contingencies not envisioned by the current rules? Would the client, for example, need to give specific, detailed disclosures about material noncompliance?
III. CONCLUSION
As discussed above, we have fundamental concerns with the proposed scope of the auditor’s task; the proposed task relative to the auditor’s areas of expertise; and the assessment of costs, benefits, and alternatives. We believe that each area is fundamental and would require significant reconsideration of the proposal.
More broadly, it seems that the PCAOB may be trying to reduce investor stock price risk by redefining the very nature and purpose of a financial statement audit, and at almost any cost. We believe this is a significant overreach that was not the intent of Congress when creating the PCAOB in SOX (2002). If Congress intended to further expand the role of an audit to provide assurance on compliance with essentially all laws, rules, and regulations with the “force of law,” both direct and indirect, Congress should have done so in SOX, and still may do so through the legislative process.
We appreciate the opportunity to comment on the proposal, and we commend the PCAOB for its continuing efforts to enhance audit quality and protect investors.
REFERENCES
We use or adapt certain language from the PCAOB (2023b) proposal and other PCAOB materials throughout our response.
Another significant cost could be contentious negotiations between management and auditors about actual or possible NOCLAR.