NOCLAR: THE PCAOB PROPOSES TO BROADEN THE AUDITOR’S ROLE
By Dan Goelzer
On June 6, the Public Company Accounting Oversight Board issued for public comment a proposed new standard related to the auditor’s responsibility to uncover instances of company noncompliance with laws and regulations (NOCLAR) as part of an audit of the company’s financial statements. In her public statement explaining the proposal, PCAOB Chair Erica Williams observed that legal violations “can have devastating consequences for investors” and that “we’ve seen far too many examples of investors getting hurt due to noncompliance with laws and regulations.” However, the two CPA members of the five-person Board dissented from the issuance of the NOCLAR proposal — something that has not previously occurred in the 20-plus year history of PCAOB standard-setting. In voting against the proposal, Board Member Christina Ho characterized it as “a breathtaking expansion of the auditors’ responsibilities, which I believe will hurt investors.”
In concept, the idea of enlarging the scope of the auditor’s obligation to unearth illegal acts that may have a material effect on the financial statements makes sense. The existing auditing standard in this area — AS 2405 — only requires auditors to detect and report misstatements resulting from illegal acts that have a direct effect on the determination of financial statement amounts, e.g., violations of laws and regulations that relate to financial statement content and presentation or tax liabilities. As Chair Williams noted, many other types of illegal corporate behavior can end up having a material impact on the financial statements, and a case can certainly be made that current AS 2405 is too narrow.
But the Board may have taken a reasonable idea and turned it into a proposal that would be impractical, if not impossible, for auditors to implement. The new version of AS 2405, if adopted, would require the auditor to plan and perform procedures to identify all laws and regulations as to which noncompliance “could reasonably have a material effect on the financial statements” and to identify whether there is information indicating noncompliance with those laws and regulations “has or may have occurred.” Proposed AS 2405.05 (emphasis added). “Could reasonably have a material effect” is a standard that would sweep in a wide array of laws and regulations for any company. Performing procedures to determine whether noncompliance with any of those laws and regulations “may have occurred”, without regard to whether noncompliance was material to the financial statements, would be a formidable undertaking, far beyond the scope of current financial statement and ICFR audits.
The Board’s economic analysis concedes that the “cost of the additional procedures to be performed could be sizeable,” and that is undoubtedly an understatement. If, as the economic analysis implicitly suggests, the benefits (e.g., providing investors with more accurate information about the impact of illegal conduct and reducing the frequency of noncompliance) would outweigh the added costs, arguably the proposal is justified, despite the high cost. However, the effect could be to reduce the utility and credibility of auditing. Auditors would be forced to divert a large chunk of their time and attention into chasing possible instances of noncompliance, regardless of relevance to the financial statements. I fear that this would inevitably come at the expense of the attention devoted to traditional audit responsibilities and to obtaining reasonable assurance that the financial statements are free of material misstatement.
Further, given the time and resource constraints of an audit, it is questionable how successful auditors would be in detecting and evaluating noncompliance in complex and nuanced areas like environmental regulation, fair competition, OSHA, or product safety that are not related to financial reporting. And, whenever it is alleged, after the fact, that a company engaged in a violation not detected by its auditor, the profession’s credibility will suffer. The auditor may also find itself as a defendant in a class action and/or regulatory enforcement proceeding.
This is not to say that U.S. auditing standards cannot or should not be tightened with respect to NOCLAR. Several years ago, the International Auditing and Assurance Standards Board, which writes the auditing standards that apply in most of the world outside the U.S., addressed this issue. International Standards on Auditing №250 distinguishes between laws and regulations that have a direct effect on the determination of material amounts and disclosures in the financial statements and other laws and regulations that may have a material effect on financial statements because of their relationship to the company’s business. These other laws and regulations are those that “may be fundamental to the operating aspects of the business, to the entity’s ability to continue its business, or to its ability to avoid material penalties.” ISA 250, para. 6(b).
As to the first category — laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements — the auditor must obtain sufficient appropriate audit evidence regarding compliance. This is essentially the same responsibility as imposed by current AS 2405. As to other laws and regulations that, in the context of the company’s business, are fundamental to its operations, existence, or avoidance of material liabilities, the auditor must perform specific procedures set forth in ISA 250 to help identify instances of non-compliance. Those specific procedures include inquiries of management and the board and review of correspondence with regulators.
By somewhat limiting the scope of the laws that the auditor needs to consider and by specifying the procedures that the auditor should follow in identifying possible noncompliance with laws that do not directly affect financial reporting, ISA 250 appears to keep the focal point of the audit on financial reporting, rather than converting audits into wide-ranging investigations of legal compliance. The PCAOB’s NOCLAR release makes only passing reference to ISA 250, so it is not clear how or to what extent the Board envisions that its proposal would go beyond the international auditing standards.
The fact that the PCAOB apparently did not consider how the IAASB dealt with NOCLAR suggests a larger point. The auditor’s responsibility for detecting illegal acts is a challenging issue, and the Board could have benefitted from input from a variety of sources on how to address it before putting a proposal out for comment. For example, the Board has two advisory committees — the Standards and Emerging Issues Advisory Group (SEIAG) and the Investor Advisory Group (IAG), both composed of distinguished individuals with a range of views and experiences related to the PCAOB’s work. One benefit of maintaining advisory committees like the SEIAG and the IAG is that they can serve as sounding boards for complex issues like NOCLAR before the Board turns them into proposals. Alternatively, for something of this potential magnitude and impact on auditing and its stakeholders, it might have been useful to have held a public roundtable at which a range of views could have been expressed and considered. This kind of pre-standard-setting input can also help to build support for the PCAOB’s work.
The public comment period on the NOCLAR proposal runs until August 5, and it will be interesting to see how commentors react. It is certainly possible that the Board majority did not intend the proposal to be interpreted as broadly as some of the language seems to suggest. Hopefully, the comment process will result in a final standard that expands the auditor’s responsibilities for NOCLAR in a measured and practical way that provides investors with more information without imposing broad new duties that auditors are ill-equipped to perform successfully.
