Noncompliance with Laws and Regulations, Including Fraud: PCAOB Proposed Amendments

Consider ‘noncompliance with laws and regulations,’ including fraud, instead of ‘illegal acts’.

Change in definition alone may not significantly affect practice.

Identify the laws and regulations with which noncompliance could reasonably have a material effect on the financial statements.

Incorporates a significant change from the current requirements, which focus audit efforts on those laws and regulations that have a direct and material effect on the financial statements.

Under the current standard, the auditor is not required to identify those laws and regulations that may indirectly affect the financial statements until they are determined to have a direct effect (e.g., through a material fine that needs to be recorded or a contingent obligation that needs to be disclosed). The proposal would require auditors to consider laws and regulations with which noncompliance could reasonably have either a direct or indirect material effect on the financial statements. The proposal uses noncompliance with environmental regulations that may result in material fines and penalties as an example with an indirect effect on the financial statements.

This change appears to require auditors to determine a complete population of laws and regulations to identify those that ‘could reasonably have a material effect on the financial statements’; however, the meaning of this phrase is not defined in the proposal. Instead, the proposal provides examples of laws and regulations that may be relevant because of potentially significant fines, penalties, or other damages to a company in the event of noncompliance. This may include laws and regulations in the areas of securities, environmental, privacy, and occupational health and safety, among others, and auditors and issuers would likely need to involve additional specialists with expertise in these areas.

Assess and respond to risks of material misstatement of the financial statements due to noncompliance with the identified laws and regulations.

Includes more explicit, unconditional requirements for assessing and responding to risks related to noncompliance compared to the current AS 2405 and ties the auditors’ responsibilities related to NOCLAR to the risk assessment concepts elsewhere in the auditing standards.

While current auditing standards encompass risks of material misstatement due to error or fraud, the current standards do not explicitly address risk of material misstatement due to NOCLAR. Also, the proposal would require the auditor to perform certain enhanced risk assessment procedures.

Plan and perform procedures to identify whether there is information indicating noncompliance with the identified laws and regulations has or may have occurred.

Incorporates a significant change from the current requirements, which require the auditor to plan and perform procedures responsive to those laws that have a direct and material effect and includes explicit procedures over the potentially large population of laws and regulations. The proposal would also remove existing language making it clear that currently auditors do not make legal judgments and often are not able to determine definitively that noncompliance has occurred. This change combined with the increase in the number of laws and regulations that are in scope for the audit could create an expectation that the audit will be providing some degree of assurance regarding the company’s compliance with laws and regulations.

Adds to the procedures in the current AS 2405, including more specific consideration of involving specialists, evaluating the impact of likely NOCLAR on other information in documents containing audited financial statements (e.g., risk factors, MD&A and other sections of a 10-K), and assessing management’s remedial actions.

Incorporates management and audit committee communication requirements in Section 10A of the Securities Exchange Act of 1934 and would require communication at multiple points after a likely instance of NOCLAR has been identified.

The proposal would require initial communication to management and the audit committee when the auditor identifies or otherwise becomes aware of information indicating that noncompliance with laws and regulations has or may have occurred. It also would require a subsequent communication of whether an act was likely to be noncompliant after the auditor has evaluated whether it is likely noncompliance has occurred.

Provides more specific requirements for the auditor to obtain an understanding of management’s process to:

• Identify laws and regulations with which noncompliance could reasonably have a material effect on the financial statements.
• Prevent, identify, investigate, evaluate, communicate, and remediate potential noncompliance.
• Receive and respond to tips and complaints.
• Evaluate potential accounting and disclosure implications.

Expands the specific sources of information used in risk assessment, including executive officers’ social media accounts.

Interim reviews (AS 4105: Reviews of Interim Financial Information): Clarifying the required interim procedures, including when likely NOCLAR may have occurred.

Unclear as to extent of evaluation needed, which could impact timing of completing an interim review.