CCR Responds to PCAOB Proposal to Amend the Auditing Standards related to a Company’s Noncompliance with Laws and Regulations

A PDF of the below Comment Letter can be downloaded here »

Phoebe W. Brown
Office of the Secretary
Public Company Accounting Oversight Board
1666 K Street NW
Washington, DC 20006-2803

Re: PCAOB Rulemaking Docket Matter No. 051, Amendments to PCAOB Auditing Standards related to a Company’s Noncompliance with Laws and Regulations

Dear Ms. Brown,

This letter is submitted by Financial Executives International’s (FEI) Committee on Corporate Reporting (CCR) in response to the Public Company Accounting Oversight Board’s (PCAOB or Board) Proposal to Amend the Auditing Standards related to a Company’s Noncompliance with Laws and Regulations (Proposal).

FEI is a leading international organization comprised of members who hold positions as Chief Financial Officers, Chief Accounting Officers, Controllers, Treasurers, and Tax Executives at companies in every major industry. CCR is FEI’s technical committee of approximately 50 Chief Accounting Officers and Corporate Controllers from Fortune 100 and other large public companies, representing more than $13 trillion in market capitalization. CCR reviews and responds to pronouncements, proposed rules and regulations, pending legislation, and other documents issued by domestic and international regulators and organizations such as the U.S. SEC, PCAOB, FASB, and IASB.

This letter represents the views of CCR and not necessarily the views of FEI or its members individually.

Executive Summary

As preparers, CCR shares the PCAOB’s commitment to serve the needs of investors and other users of financial reports in the public interest and appreciates the opportunity to provide feedback on the Board’s Proposal. We support the Board’s intent to protect investors and are open to measured changes to the existing standard related to the auditor’s consideration of possible noncompliance with laws and regulations; however, we believe the Proposal expands the scope of the audit in ways that pose significant challenges for preparers and auditors. In our letter, we provide our perspectives on the challenges and costs preparers would face under the proposed scope of changes to public company audits, scoping alternatives for the Board to consider, and foreseen communication challenges between preparers, auditors, and audit committees under the Proposal. We suggest the PCAOB seek additional feedback from stakeholders to ensure operability specifically for preparers and the audit profession. CCR is willing to participate in any further forums to reach enhancements in the audit standards that meet the Board’s objectives without introducing excessive costs or unintended consequences. We have found immense value in the discussions organized by the PCAOB where preparers, users, and auditors meet, in the same room, to hear each other’s views on standard-setting and research projects. We encourage the Board to continue this practice as such discussions yield the best results.

Challenges with Scoping and Changes to the Audit

We agree it is important the Board sufficiently and clearly address the auditor’s responsibilities regarding noncompliance, as noncompliance with laws or regulations or the existence of fraud may impact amounts and disclosures, if material, in the financial statements subject to audit. However, we are concerned the Proposal will place significant additional burden on management and audit teams which will significantly outweigh any improvement in the quality of financial reporting, the audits of financial statements, and the communications with the audit committee.

The Proposal broadens the scope of laws and regulations for which the auditor will be responsible for performing audit procedures. This enhanced scope is likely to require auditors to perform far more extensive procedures over a company’s compliance programs, including a review of management’s legal analyses of various laws, regulations, and incidents. For an auditor to understand whether noncompliance could have a material impact on the financial statements, the auditor will first need to undertake a complete inventory of laws and regulations applicable to the company’s operations globally, which can be extensive depending on the number of state, country, and regulatory jurisdictions and frameworks to which a company may be subject, and for most companies will be constantly expanding and evolving. Then, an auditor must actively translate the list of compliance items to those that could reasonably be material and continuously maintain this list for completeness. Finally, the auditor must monitor this list of potentially material items for instances of noncompliance. This approach could vastly increase the scope of an audit, as an area of the audit previously deemed to be insignificant could be brought into scope due only to an unlikely possibility of noncompliance.

The auditor will be required to have expertise in identifying whether actions are compliant with laws and regulations which may require significant judgment, application of legal precedent, and understanding of evolving regulatory interpretations. Given the breadth and depth of regulation across the industry landscape that an auditor may serve, it is likely not practicable for an auditor to maintain in-house expertise in all the legal and regulatory environments to which their current clients are subject. Further, it is unclear how the auditor’s active monitoring for noncompliance rather than the current process of evaluating management’s system of controls to monitor for compliance would change the relationships between companies and their auditors and potentially challenge the existing accountability framework between auditors and preparers. It is also not clear that such efforts would be more successful in identifying noncompliance earlier than under current standards. Compliance information is already required and included in other sections of a Company’s Form 10-K, including within Item 1. Business, Item 1A. Risk Factors, and Item 3. Legal Proceedings. We encourage the Board to holistically consider the alignment of the Proposal and auditor responsibility with existing SEC reporting requirements, management responsibilities, and compliance audit requirements for specific industries and jurisdictions.

Furthermore, while many companies have teams of experts trained specifically for legal compliance functions and management of related programs, the Proposal will require a significant effort from companies to centralize the various programs for audit processes, procedures, and documentation. Especially for large, multinational companies, or companies in highly regulated industries, the process of creating a centralized repository of these laws and regulations would be extremely burdensome. This task may involve the implementation of new technology and significant controls and processes. Management teams will be required to reevaluate the design, implementation, and operating effectiveness of controls over compliance. Resources will be needed for auditor walkthroughs over the identification and investigation of a company’s noncompliance with laws and regulations. As these procedures drastically increase the scope of the financial statement audit and are beyond the auditor’s core competencies, we expect a significant increase in the use of lawyers and other specialists. Much of the incremental effort and cost to redesign and integrate compliance programs with the processes, documentation, and data sharing practices necessary for the audit will be incurred on an ongoing basis and will primarily be documentational efforts by management and audit teams rather than true enhancements or improvements of management’s compliance monitoring. We suggest the Board further explore, refine, and quantify the general acknowledgment in the Proposal of potentially significant incremental costs to auditors and preparers, to ensure the Board has a complete understanding of the costs the Proposal will impose.

Additionally, we believe the proposed changes would not be practicable using management’s and the audit team’s current resource allocations through the audit period. The additional audit procedures outlined in the Proposal are likely to require a significant allocation of time from more experienced audit resources and a significant investment in legal and regulatory specialists. This reallocation or reprioritization could be detrimental to the quality of other complex reporting matters with a material impact on the financial statements. Such complex reporting matters often require the audit team’s most experienced team members working closely with management to ensure investors and other users of financial reports receive accurate and decision-useful information.

Lastly, we are concerned the Proposal will impact companies’ ability to meet existing filing timelines and requirements. The broadened scope of laws and regulations subject to audit procedures increases the likelihood potential noncompliance is identified towards the end of audit completion and near filing deadlines. This will lead to additional required audit procedures and communications to audit committees, potentially for noncompliance items that are immaterial to the financial statements. We believe this will jeopardize the ability of companies to comply with filing requirements, which could be more detrimental to the capital markets than any benefit of earlier disclosure of a material noncompliance event as a result of the proposed changes.

Scoping Alternatives

The Proposal requires procedures to identify whether there is information indicating noncompliance, which will result in a significant scope expansion of auditor responsibilities beyond simply enhancements to require auditor evaluation of compliance programs. The expansion implies an auditor would be held accountable to identify any and all information that might indicate instances of noncompliance with all laws and regulations a company is subject to, without regard to materiality. We believe in many situations that it will be challenging for the auditor, even with the assistance of specialists, to conclude whether there has been noncompliance by the company. This determination may be more complex in circumstances whereby matters are litigated, settled, or eventually determined by court proceedings (e.g., a settlement may be reached with no admission of wrongdoing or noncompliance in order to avoid future costly litigation). Many evolving areas of law contain ambiguous requirements that hinge on regulators’ subjective interpretations of the law. Auditors would therefore need to maintain not only a knowledge of existing and new laws and regulations, but also a knowledge of how such legal standards are being applied in practice. In addition, the Proposal states an auditor must identify laws and regulations with which noncompliance “could reasonably have a material effect” on the financial statements. The process of identifying all laws and regulations that could reasonably have a material effect would be difficult, time consuming, and costly, particularly for multinational companies with operations in various legal jurisdictions, entity levels, and industries or business lines.

We recommend the Board holistically reconsider the scope of the Proposal based on feedback from various stakeholders on potential alternatives to enhance auditor procedures over companies’ compliance environments. To address the scoping challenges described above, we recommend the Board focus the proposed requirements on the auditor’s assessment of noncompliance through evaluation of a company’s existing compliance program environment and provide illustrative examples of how and to what extent preparers and auditors are required to identify audit evidence. We additionally recommend the Board clarify how auditors should define noncompliance as the timing, extent, nature, etc. of such noncompliance will have a direct impact on whether they could reasonably have a material effect on the financial statements. Lastly, we suggest the Board consider defining “could reasonably have a material effect” using the existing reasonably possible threshold in financial reporting,[1] as such definition is already well understood and aligns with the need to monitor and review items for accounting recognition or disclosure under ASC 450, Contingencies, and other applicable accounting topics.

Communication Challenges

We appreciate the Board’s intent and effort to reduce duplicative communications by establishing an exception regarding management’s previously communicated noncompliance. However, we believe the implementation of the Proposal will result in some communication challenges between auditors and preparers. The Proposal may require management to provide significantly more legal interpretation and assessment to auditors. This raises substantial concerns about the ability to protect attorney-client relationships and privileges, particularly in scenarios beyond preparers’ historical need to navigate such tensions to ensure sufficient audit evidence supporting recognition or disclosure requirements under ASC 450. Under the Proposal, companies will have to navigate and balance tensions of privilege with audit evidence for areas of compliance that are unlikely to impact the financial statements.

Many companies’ compliance investigation functions are attorney driven. Investigation strategies, interviews of whistleblowers and witnesses, and reports are all executed by or at the direction of attorneys, both internal and external to the organization, so that the company can obtain and act on candid advice. A requirement that an auditor make a determination as to whether an act constitutes “noncompliance” would necessitate the auditors’ access to and understanding of the facts and materials developed during an investigation, or even prior to the launch of an investigation. This material would otherwise be protected by the attorney-client privilege or work product privileges. Auditors’ access would not only serve to interfere with these privileges but would also place materials into their work papers, potentially exposing them to access by regulators and litigators. We believe this may weaken a company’s corporate compliance programs, undermine their ability to uncover misconduct, undermine protections for whistleblowers, and compromise the integrity and availability of personal data and other confidential data the company has an obligation to maintain. Furthermore, in many jurisdictions, judicial review by a court would determine whether noncompliance has occurred. Thus, auditors may not be able to make this determination even if they receive full access to the information.

In addition, we believe the proposed auditor communications should be narrowed. Given the requirement to communicate potential noncompliance prior to the auditor’s evaluation of the likelihood of occurrence and related financial statement impacts, communications between the auditor and the audit committee would likely be significantly expanded by the Proposal. This expanded communication may distract from more significant topics the auditor emphasizes to the audit committee. It may also result in the audit committee needing to retain its own independent counsel in circumstances where company counsel and the auditor have reached different conclusions. Additionally, communication to the audit committee “as soon as practicable” and before the completion of the auditor’s evaluation of materiality or significance may be disruptive to the typical cadence and governance structure, especially for items which, once they are fully evaluated, ultimately do not rise to a level of importance to justify the initial communication. We request the Board consider allowing for more auditor judgment as to what should be communicated to the audit committee, and especially the timing of such communication, and continue existing practice whereby management discusses relevant noncompliance with the audit committee.


We appreciate this opportunity to provide feedback on the Board’s Proposal to Amend the Auditing Standards related to a Company’s Noncompliance with Laws and Regulations. We stand ready to participate in the outreach process and provide preparer perspectives as appropriate. Should the Board’s process result in a final standard that expands the auditor’s responsibilities for noncompliance with laws and regulations, we hope it is done in a measured and practical way that provides investors with more information without imposing broad new duties that auditors are ill-equipped to successfully perform and without resulting in systemic costs well in excess of the benefits. We thank the Board for its consideration of our comments and welcome further discussion with the PCAOB or staff at your convenience.


Alice L. Jolla
Chair, Committee on Corporate Reporting
Financial Executives International

[1] See A7 in AS 2201 Appendix A.